Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: ALL
Security Alert
Least Privilege and Partially Trusted Code
By Don Kiely
Until recently, Windows developers could stick their heads in the sand and ignore security. But in these days of increasingly clever attacks, and with new development tools that support building secure applications, any developer who remains clueless is putting their software, its users, and even their own career at risk. In this new asp.netNOW column I'll be exploring the tools, techniques, and skills that ASP.NET developers need to write secure software. The bad news is that it's another set of technologies that we all have to learn; the good news is that, although it initially seems overwhelming, it really isn't that complex. Microsoft has done most of the hard work by providing things like code access security right in the .NET Framework.
The first thing you must do - today, right now - is stop running as a member of the Administrators group on your development machine. I realize you have the technical expertise to know how to wield administrative power wisely, but the problem is that any time anyone is logged into the local machine as an admin, a hacker has a much easier time taking over that machine, and possibly the network. And yes, this applies even to ASP.NET developers. You don't need admin rights to develop Web applications, and you shouldn't have them!
Aaron Margosis, a Microsoft employee, has a great blog entry that covers this in detail, "Why you shouldn't run as admin..." (http://weblogs.asp.net/aaron_margosis/archive/2004/06/17/157962.aspx). At the end of this column I've included links to other resources to help get you started and avoid some of the pitfalls of running as a member of the Users group, including some things you have to do to develop ASP.NET apps as a member of the Users group.
By the way, the Power Users group is not a least privilege account. It is what I call "admin-lite," a legacy group Microsoft includes for running legacy applications - those built for Win9x - that require high privileges. You are nearly as unsafe running as a Power User as running as an admin. You won't have nearly as much pain, but you may as well just run as admin if you're going to run as a Power User. 'Nuff said.
The Goal Is Partially Trusted Applications
The other thing you must do immediately is vow to never again develop an ASP.NET application that requires full trust. Because ASP.NET apps are fully trusted by default - an egregious violation of Microsoft's own principle of secure-by-default - you have to explicitly change that in the web.config file for all new Web sites:

    <system.web>
        <trust level="Medium"/>
    </system.web>
There are five trust levels available by default through your machine.config file: Full, High, Medium, Low, and Minimal. Each successive level grants fewer permissions, so High is safer than Full, Medium is safer than High, and so on. Low and Minimal probably aren't feasible for Web apps, so your goal should be Medium.
But don't limit your thinking to these five trust levels. The principle of least privilege, which has been around since the first pioneers started thinking about computer security, says that every user and every piece of code should have the smallest set of permissions required to do its job. Even the Medium trust level grants permissions such as PrintingPermission, SqlClientPermission, and others, as you can see if you examine the default web_mediumtrust.config file in the same location as your machine.config. If your app doesn't need to print on the server or doesn't access a SQL Server database, then your app has at least one permission too many that a hacker can exploit.
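Here is what the two steps above - opting out of Full trust in web.config, and then trimming Medium trust down to what the application actually needs - look like in configuration. This is an added example, not the column's own code: web.config registers a custom trust level that points at a policy file, and that policy file is a copy of web_mediumtrust.config with the PrintingPermission and SqlClientPermission entries removed from the ASP.Net permission set. The level name Custom, the file name web_customtrust.config, and the abridged policy contents are assumptions; the SecurityClasses and CodeGroup sections, and any IPermission entries not shown, should be kept exactly as they appear in your own copy of web_mediumtrust.config.

```xml
<!-- File 1: web.config (added example, not from the column) -->
<configuration>
  <system.web>
    <!-- Register a custom trust level. policyFile is resolved relative to the
         directory that holds machine.config, so web_customtrust.config (an
         assumed name) goes beside web_mediumtrust.config. -->
    <securityPolicy>
      <trustLevel name="Custom" policyFile="web_customtrust.config" />
    </securityPolicy>
    <!-- Opt the application in to the trimmed level instead of the default Full. -->
    <trust level="Custom" />
  </system.web>
</configuration>

<!-- File 2: web_customtrust.config (assumed name). Start from a verbatim copy of
     web_mediumtrust.config and edit only the ASP.Net permission set. -->
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <!-- unchanged: copy this whole section from web_mediumtrust.config -->
          </SecurityClasses>
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust" />
            <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing" />
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <!-- Keeps the host-level identity of Medium trust. -->
              <IPermission class="AspNetHostingPermission" version="1" Level="Medium" />
              <!-- File access stays confined to the application directory. -->
              <IPermission class="FileIOPermission" version="1"
                           Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$" />
              <!-- Removed relative to Medium trust, because this application
                   neither prints on the server nor talks to SQL Server. The
                   original entries are left here, commented out, so the change
                   is visible in a diff:
                   <IPermission class="PrintingPermission" version="1" Level="DefaultPrinting" />
                   <IPermission class="SqlClientPermission" version="1" Unrestricted="true" />
              -->
              <IPermission class="SecurityPermission" version="1"
                           Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration" />
              <!-- Outbound HTTP limited to the application's own origin host. -->
              <IPermission class="WebPermission" version="1">
                <ConnectAccess>
                  <URI uri="$OriginHost$" />
                </ConnectAccess>
              </IPermission>
              <!-- any other IPermission entries: keep as in your copy of web_mediumtrust.config -->
            </PermissionSet>
          </NamedPermissionSets>
          <!-- unchanged: copy the CodeGroup hierarchy from web_mediumtrust.config -->
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

After switching the level, exercise every page of the application under it: a permission the code still needs but the policy no longer grants does not fail at compile time, it surfaces as a SecurityException at the moment the demand is made, which is exactly the check that tells you whether the permission set now matches what the application really does.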
In coming months I'll explore these issues more fully - and I'll assume that you're writing partially trusted .NET apps. In the meantime, here are some links to get you started:
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:donkiely@computer.org.