Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 2.0
Proxy Settings Can Lead to Performance Problems
And Other Security News
By Don Kiely
It is critical to write applications that don t require full trust and that use lesser-privileged host accounts NETWORK SERVICE on Windows Server 2003 or ASPNET in earlier versions of Windows. That simple step gives you a lot of security, but sometimes it makes things harder than they should be. One problem that has surfaced is that if you don t change the default proxy settings in an ASP.NET app your pages might load way slower than they should.
The problem is that by default .NET 2.0 uses the default proxy settings defined by Internet Explorer. That works great for applications that run with full trust those apps can get at the proxy settings in the registry. But for a partially trusted app, that section of the registry is off limits, so .NET looks for the settings in various places. It fails, finally just tries to connect, and is finally successful. But that churns up a lot of time many seconds that make your app seem unresponsive.
Rich Stahl published the solution in his blog recently, Slow Http Client Calls from ASP.NET 2.0? Make Sure You Check your Proxy Settings! The solution is simple: two attributes control the automatic proxy detection. In your Web.config file tell .NET to bypass the proxy server when accessing local resources and to not use the system default proxy settings:
<configuration>
<system.net>
<defaultProxy>
<proxy bypassonlocal="true" usesystemdefault="false" />
</defaultProxy>
</system.net>
</configuration>
By the way, one of the nice things about .NET 2.0 is how there are classes that directly wrap these configuration settings. Check out the DefaultProxySection and ProxyElement classes in the System.Net.Configuration namespace if you have to access them programmatically.
Rick Stahl is fast becoming one of my favorite ASP.NET bloggers. Whenever I need to do some in-depth research on a topic, it s surprising how often Google leads me to his blog because he s already sweated through it and wrote an article-length post about it. Check out his blog at http://west-wind.com/weblog/ and read his discussion of the proxy server issue for partially trusted apps at http://west-wind.com/weblog/posts/3871.aspx.
ASP.NET Security News
Hopefully everyone knows about the nasty WMF vulnerability that became widely known on 27 December. What a nasty time for something like that to come up, when sysadmins were away or geared down for the holidays! One of the best, real-time sources of information about the problem, as well as other developing threats to the Internet, is the Internet Storm Center of the SANS Institute (SANS: SysAdmin, Audit, Network, Security). Covering all platforms, it has plenty of information about threats, and their blog is a must read for anyone interested in Internet security. Check them out at http://isc.sans.org/, and be sure to read up on the WMF vulnerability, which even this week has manifested itself with a new attack vector.
Channel 9, the Microsoft guys who roam around campus doing interviews with the people who make the software happen, has put up a great set of ASP.NET Security FAQs. It s a wiki, so feel free to jump in and add to the collective s knowledge. It s a great resource even though it s new. Check it out at http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.ASPNET2SecurityFAQs.
Dino Esposito s Programming Microsoft ASP.NET 2.0 Core Reference from Microsoft Press is out. It s not hardcore security, but the last chapter, named simply ASP.NET Security, is a very nice overview of the basics of securing a Web app using the new stuff in the framework. Even though the book is a core reference, I think this is one that I ll start over from the beginning and read the whole thing. Dino, forgive me for jumping ahead to the best part, the security stuff in chapter 15!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.
