Developer Checks


Use the following checks if you build serviced components.

Authentication

Check

Description

Call-level authentication is used at minimum to prevent anonymous access. Serviced component assemblies include:

 [assembly: ApplicationAccessControl(
     Authentication = AuthenticationOption.Call)]

Authorization

Check

Description

Role-based security is enabled. Serviced component assemblies include: [assembly: ApplicationAccessControl(true)]

Component-level access checks are enabled to support component-level, interface-level, and method-level role checks. Serviced component assemblies include:

 [assembly: ApplicationAccessControl(
     AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent)]

Component-level access checks are enforced for all serviced components. Classes are annotated with:

 [ComponentAccessControl(true)] 

To support method-level security, the [SecureMethod] attribute is used on classes or method implementations, or the [SecurityRole] attribute is used on method implementations.

Configuration Management

Check

Description

Server applications are configured to run with least-privileged accounts.

Server applications only run using the interactive user account during development.

Object constructor strings do not contain plain text secrets.

Sensitive Data

Check

Description

In the absence of an IPSec infrastructure, RPC encryption is used to secure sensitive data over the network. Serviced component assemblies that use RPC encryption include:

 [assembly: ApplicationAccessControl(
     Authentication = AuthenticationOption.Privacy)]

Auditing and Logging

Check

Description

User transactions are logged to an event log. The audit record includes the original caller identity from SecurityCallContext.OriginalCaller.

Deployment Considerations

Check

Description

Port ranges are defined if you use dynamic port range allocation OR static endpoint mapping is configured.

Secrets are not stored in object constructor strings. Secrets such as database connection strings are encrypted prior to storage.

The server application run-as account is configured as a least-privileged account.

Impersonation

Check

Description

The impersonation level is configured correctly. For ASP.NET clients, the impersonation level is configured in Machine.config on the <processModel> element.

For Enterprise Services client applications, the level is configured in the COM+ catalog.

Serviced component assemblies define the required impersonation level by using the ApplicationAccessControl attribute as shown below:

 [assembly: ApplicationAccessControl(
     ImpersonationLevel = ImpersonationLevelOption.Identify)]
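
The authentication, authorization, sensitive data, auditing, and impersonation checks above, combined in one serviced component. This is an added example, not code from the original checklist. The application name "OrderService", the IOrderProcessor interface, the "Manager" role, and the pre-registered event source are assumptions made for illustration.

```csharp
// Added example. "OrderService", IOrderProcessor, OrderProcessor and the
// "Manager" role are hypothetical names, not taken from the checklist.
using System.Diagnostics;
using System.EnterpriseServices;
using System.Security;

[assembly: ApplicationName("OrderService")]
[assembly: ApplicationActivation(ActivationOption.Server)]
// A single attribute carries role-based security (true), the access check
// level, the authentication level and the impersonation level.
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    // Privacy adds RPC encryption; Call is the minimum the checklist accepts.
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]

public interface IOrderProcessor
{
    void ApproveOrder(int orderId);
}

[ComponentAccessControl(true)]  // enforce component-level access checks
[SecureMethod]                  // route calls through the interface so
                                // method-level role checks are applied
public class OrderProcessor : ServicedComponent, IOrderProcessor
{
    [SecurityRole("Manager")]   // only members of this COM+ role may call
    public void ApproveOrder(int orderId)
    {
        // Defensive addition (not one of the checks listed above): refuse
        // to run if access checks were switched off in the COM+ catalog.
        if (!ContextUtil.IsSecurityEnabled)
            throw new SecurityException("COM+ role-based security is disabled.");

        // Audit the original caller at the start of the call chain, not the
        // identity of the immediate upstream process.
        string caller =
            SecurityCallContext.CurrentCall.OriginalCaller.AccountName;

        // Assumes the "OrderService" event source was created at install
        // time; a least-privileged run-as account cannot create it itself.
        EventLog.WriteEntry("OrderService",
            string.Format("ApproveOrder({0}) requested by {1}", orderId, caller),
            EventLogEntryType.Information);
    }
}
```

The attribute values are written to the COM+ catalog when the assembly is registered and can be changed there afterward by an administrator, so verify the deployed catalog settings as well as the source.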



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
