Remoting


This section identifies the key review points that you should consider when you review code that uses .NET Remoting. For more information about the issues raised in this section, see Chapter 13, "Building Secure Remoted Components."

  • Do you pass objects as parameters?

  • Do you use custom authentication and principal objects?

  • How do you configure proxy credentials?

Do You Pass Objects as Parameters?

If you use the TcpChannel and your component API accepts custom object parameters, or if custom objects are passed through the call context, your code is exposed to two security vulnerabilities.

  • If the object passed as a parameter derives from System.MarshalByRefObject, it is passed by reference. In this case, the object requires a URL to support callbacks to the client. It is possible for the client URL to be spoofed, which can result in a callback to an alternate computer.

  • If the object passed as a parameter supports serialization, the object is passed by value. In this instance, check that your code validates each field item as it is deserialized on the server to prevent the injection of malicious data.

To prevent custom objects from being passed to your remote component either by reference or by value, set the TypeFilterLevel property on your server-side formatter channel sink to TypeFilterLevel.Low.

To locate objects that are passed in the call context, search for the "ILogicalThreadAffinative" string. Only objects that implement this interface can be passed in the call context.
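The following C# host is an added example, not code from the book: it registers a TcpChannel whose server-side binary formatter sink is explicitly set to TypeFilterLevel.Low, so that custom serializable objects and MarshalByRefObject parameters are rejected at deserialization rather than relying on whatever the default filter level happens to be. The OrderService type, the port and the endpoint name are assumptions; the two-argument RegisterChannel overload requires .NET Framework 2.0 or later.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Hypothetical remoted component used only for this example.
public class OrderService : MarshalByRefObject
{
    public string Ping() { return "pong"; }
}

public static class RemotingHost
{
    // Builds a TcpChannel whose server-side formatter sink enforces the given filter level.
    // TypeFilterLevel.Full  : any serializable type (or MarshalByRefObject) is accepted as a parameter,
    //                         which is the weak setting the checklist warns about.
    // TypeFilterLevel.Low   : only the basic remoting infrastructure types are deserialized.
    public static TcpChannel CreateServerChannel(int port, TypeFilterLevel level)
    {
        BinaryServerFormatterSinkProvider serverProvider = new BinaryServerFormatterSinkProvider();
        serverProvider.TypeFilterLevel = level;

        BinaryClientFormatterSinkProvider clientProvider = new BinaryClientFormatterSinkProvider();

        IDictionary props = new Hashtable();
        props["port"] = port;
        props["name"] = "tcp";
        return new TcpChannel(props, clientProvider, serverProvider);
    }

    // Declarative equivalent in the host's .config file (same setting, same effect):
    //   <channels>
    //     <channel ref="tcp" port="8080">
    //       <serverProviders>
    //         <formatter ref="binary" typeFilterLevel="Low" />
    //       </serverProviders>
    //     </channel>
    //   </channels>
    public static void Main()
    {
        TcpChannel channel = CreateServerChannel(8080, TypeFilterLevel.Low);
        // ensureSecurity = true additionally turns on encryption and Windows authentication on the channel.
        ChannelServices.RegisterChannel(channel, true);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(OrderService), "OrderService.rem", WellKnownObjectMode.SingleCall);
        Console.WriteLine("Listening on port 8080; press Enter to exit.");
        Console.ReadLine();
    }
}
```

With the sink at Low, a client that sends a custom serializable object or a MarshalByRefObject as a parameter receives a serialization exception from the server instead of having the object deserialized.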

Do You Use Custom Authentication and Principal Objects?

If you use custom authentication, do you rely on principal objects passed from the client? This is potentially dangerous because malicious code could create a principal object that contains extended roles to elevate privileges. If you use this approach, check that you only use it with out-of-band mechanisms such as IPSec policies that restrict the client computers that can connect to your component.

How Do You Configure Proxy Credentials?

Review how your client code configures credentials on the remoting proxy. If explicit credentials are used, where are those credentials maintained? They should be encrypted and stored in a secure location such as a restricted registry key. They should not be hard-coded in plain text. Ideally, your client code should use the client process token and use default credentials.

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613