Checklist: Securing Remoting

Article
07/14/2010

Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

Remoting (.NET Framework version 1.1)

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

How to Use This Checklist Design Considerations Input Validation Authentication Authorization Configuration Management Sensitive Data Exception Management Auditing and Logging

How to Use This Checklist

This checklist is a companion to Chapter 13, "Building Secure Remoted Components." Use it to help you build secure components that use the Microsoft ® .NET remoting technology and as a snapshot of the corresponding chapter.

Design Considerations

Check	Description
	Remote components are not exposed to the Internet.
	The ASP.NET host and HttpChannel are used to take advantage of Internet Information Services (IIS) and ASP.NET security features.
	TcpChannel (if used) is only used in trusted server scenarios.
	TcpChannel (if used) is used in conjunction with custom authentication and authorization solutions.

Input Validation

Check	Description
	MarshalByRefObj objects from clients are not accepted without validating the source of the object.
	The risk of serialization attacks are mitigated by setting the typeFilterLevel attribute programmatically or in the application's Web.config file.
	All field items that are retrieved from serialized data streams are validated as they are created on the server side.

Authentication

Check	Description
	Anonymous authentication is disabled in IIS.
	ASP.NET is configured for Windows authentication.
	Client credentials are configured at the client through the proxy object.
	Authentication connection sharing is used to improve performance.
	Clients are forced to authenticate on each call (unsafeAuthenticatedConnectionSharing is set to "false").
	connectionGroupName is specified to prevent unwanted reuse of authentication connections.
	Plain text credentials are not passed over the network.
	IPrincipal objects passed from the client are not trusted.

Authorization

Check	Description
	IPSec is used for machine-level access control.
	File authorization is enabled for user access control.
	Users are authorized with principal-based role checks.
	Where appropriate, access to remote resources is restricted by setting rejectRemoteRequest attribute to "true".

Configuration Management

Check	Description
	Configuration files are locked down and secured for both the client and the server.
	Generic error messages are sent to the client by setting the mode attribute of the <customErrors> element to "On".

Sensitive Data

Check	Description
	Exchange of sensitive application data is secured by using SSL, IPSec, or a custom encryption sink.

Exception Management

Check	Description
	Structured exception handling is used.
	Exception details are logged (not including private data, such as passwords).
	Generic error pages with standard, user friendly messages are returned to the client.

Auditing and Logging

Check	Description
	If ASP.NET is used as the host, IIS auditing features are enabled.
	If required, a custom channel sink is used to perform logging on the client and the server.

Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.