Tuesday, March 25, 2008

Building a Partially Trusted Web Application

I have created a new guide to demonstrate the process of configuring the Code Access Security policy for an ASP.NET web application using built-in ASP.NET policies. This guide has been a while in the works, and it is one of the primary inspirations for this blog. I put together a rather lengthy proof of concept for this and decided that it was entirely too much work to allow it to disappear without being documented somewhere. The information is inspired by Stefan Schackow's excellent book, Professional ASP.NET 2.0 Security, Membership, and Role Management. I highly recommend his book. My guide is, at best, a cheap Cliff's Notes of one section of his book.
By default, ASP.NET web applications created in Visual Studio (all versions through 2008) run as "Fully Trusted" .NET applications, because the machine-level ASP.NET configuration ships with `<trust level="Full" />`. A Fully Trusted application is one that satisfies every Code Access Security demand, so CAS provides no sandbox at all: a bug in your code, or in any library you reference, can do anything the worker process identity can do. Conversely, a "Partially Trusted" application reduces the attack surface by limiting the permissions, and therefore the framework APIs, that the application's code can successfully call. As an extreme example, if the trust policy grants no SqlClientPermission (or any other data access permission), the code cannot open a database connection in the first place, so a SQL injection flaw has nothing to reach. That is a near 0% risk (I'm not brave enough to use the word always), though it only applies to applications that genuinely do not need a database; an application that legitimately queries SQL Server still has to parameterize its queries.
If you have ever toyed around with Code Access Security policy, you know that it can be a daunting and counterintuitive task to intelligently configure a secured application. There are, however, surprisingly easy steps that bring a significant level of security to an ASP.NET web application: the built-in trust levels (Full, High, Medium, Low, Minimal) are selected with a single `<trust level="..." />` element in web.config, and each maps to a policy file under the framework's CONFIG directory. One of Stefan's highest recommendations is to, at the very least, move a web application from Full trust to "High" trust. High trust removes the unmanaged-code permission, so P/Invoke calls into the Win32 API fail with a SecurityException, and, like every partial-trust level, it prevents calls into strong-named .NET assemblies that are not decorated with the AllowPartiallyTrustedCallersAttribute. I will demonstrate going a step further and making the web application a "Medium Trust" application, which additionally restricts file I/O to the application's own directory, removes registry access, and limits outbound HTTP to the configured originUrl. Medium trust is the level most shared hosts enforce and is better suited for internet-facing applications or applications in shared environments.
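The following is an added example, not code from the original post or from the linked sample. It is a code-behind for a throwaway ASP.NET 2.0/3.5 page that asks the runtime, via SecurityManager.IsGranted, whether each of the permissions discussed above is in the application's grant set. Run it once under `<trust level="Full" />`, once under High and once under Medium to see the differences for yourself instead of trusting the table in the documentation. The page name TrustProbe, the Literal control named Results and the registry key and URL probed are assumptions for illustration.

```csharp
// Added example: probe which CAS permissions the current ASP.NET trust level grants.
// Assumes a page whose markup contains <asp:Literal ID="Results" runat="server" />.
// Switch trust levels between runs by editing web.config, e.g. <trust level="Medium" />.
using System;
using System.Data.SqlClient;
using System.IO;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Text;
using System.Web;
using System.Web.UI;

public partial class TrustProbe : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string appDir = HttpRuntime.AppDomainAppPath;   // physical root of this application
        string outsideDir = Path.GetTempPath();          // any directory outside the application

        StringBuilder sb = new StringBuilder();

        // Expected under the built-in policy files shipped with .NET 2.0:
        //   Full   -> every line True
        //   High   -> unmanaged code False, everything else True
        //   Medium -> additionally False for files outside the app directory, the registry,
        //             reflection MemberAccess and HTTP to hosts other than originUrl;
        //             SqlClient stays True, which is why parameterized queries still matter.
        Report(sb, "Call unmanaged code (P/Invoke)",
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));
        Report(sb, "Read files inside the application directory",
            new FileIOPermission(FileIOPermissionAccess.Read, appDir));
        Report(sb, "Read files outside the application directory",
            new FileIOPermission(FileIOPermissionAccess.Read, outsideDir));
        Report(sb, "Read the registry (assumed key)",
            new RegistryPermission(RegistryPermissionAccess.Read, @"HKEY_LOCAL_MACHINE\SOFTWARE"));
        Report(sb, "Reflect over non-public members",
            new ReflectionPermission(ReflectionPermissionFlag.MemberAccess));
        Report(sb, "Open SqlClient connections",
            new SqlClientPermission(PermissionState.Unrestricted));
        Report(sb, "Connect over HTTP to an arbitrary host (assumed URL)",
            new WebPermission(NetworkAccess.Connect, "http://example.invalid/"));

        Results.Text = sb.ToString();
    }

    // IsGranted checks the grant set without throwing; IPermission.Demand() would
    // instead raise SecurityException, which is what you see when real code hits the limit.
    private static void Report(StringBuilder sb, string label, IPermission permission)
    {
        sb.AppendFormat("{0}: {1}<br />",
            HttpUtility.HtmlEncode(label), SecurityManager.IsGranted(permission));
    }
}
```

Because the check runs inside the application's own AppDomain, the result reflects the effective policy after any machine-level override, so it is also a quick way to confirm that a host's `<location allowOverride="false">` lock on the trust level is actually in effect.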

Get the guide here, and the sample code here.
