ASP.NET VERSIONS: ALL
Least Privilege and Partially Trusted Code
By Don Kiely
Until recently, Windows developers could stick their heads in the ground and ignore security. But in these days of increasingly clever attacks and the new development tools that support building secure applications, any developer who remains clueless is putting at risk their software, its users, and even their own career. In this new asp.netNOW column I'll be exploring the tools, techniques, and skills that ASP.NET developers need to write secure software. The bad news is that it's another set of technologies that we all have to learn; the good news is that, although it initially seems overwhelming, it really isn't that complex. Microsoft has done most of the hard work by providing things like code access security right in the .NET Framework.
The first thing you must do - today, right now - is stop running as a member of the Administrators group on your development machine. I realize you have the technical expertise to know how to wield administrative power wisely, but the problem is that any time anyone is logged into the local machine as an admin a hacker has a much easier time taking over that machine, and possibly the network. And yes, this applies even for ASP.NET developers. You don't need to have admin rights to develop Web applications, and you shouldn't have them!
Aaron Margosis, a Microsoft employee, has a great blog entry that covers this in detail, "Why you shouldn't run as admin..." (http://weblogs.asp.net/aaron_margosis/archive/2004/06/17/157962.aspx). At the end of this column I've included links to other resources to help get you started and avoid some of the pitfalls of running as a member of the Users group, including some things you have to do to develop ASP.NET apps as a member of the Users group.
By the way, the Power User account is not a least privilege account. It is what I call "admin-lite," a legacy group Microsoft includes for running legacy applications - those built for Win9x - that require high privileges. You are nearly as unsafe running as a Power User as running as an admin. You won't have nearly as much pain, but you may as well just run as admin if you're going to run as a Power User. 'Nuff said.
The Goal Is Partially Trusted Applications
The other thing you must do immediately is vow to never again develop an ASP.NET application that requires full trust. Because ASP.NET apps are fully trusted by default - an egregious violation of Microsoft's own principle of secure-by-default - you have to explicitly change that in the web.config file for all new Web sites:
There are five trust levels available by default through your machine.config file: Full, High, Medium, Low, and Minimal. Each level has decreasing levels of permissions so that High is better than Full, Medium is better than High, and so on. Low and Minimal probably aren't feasible for Web apps, so your goal should be Medium.
But don't limit your thinking to these five trust levels. The principle of least privilege, which has been around since the first pioneers started thinking about computer security, says that every user and every code snippet should have the smallest set of permissions required to do their job. Even the Medium trust level has permissions, such as PrintingPermission, SqlClientPermission, and others, as you can see if you examine the default web_mediumtrust.config file in the same location as your machine.config. If your app doesn't need to print on the server or doesn't access a SQL Server database, then your app has at least one permission too many that a hacker can exploit.
In coming months I'll explore these issues more fully - and I'll assume that you're writing partially trusted .NET apps. In the meantime, here are some links to get you started:
- Don Kiely on DotNetRocks, Carl Franklin's Internet talk show, talking about least privilege development (http://www.franklins.net/fnetdotnetrocks/dotnetrocks.aspx?showid=79)
- Aaron Margosis is a Microsoft employee who blogs about least privilege, mostly from a user's perspective to help you run as a User, and has some great tools to make it easier (http://weblogs.asp.net/aaron_margosis/)
- "Developing Software in Visual Studio .NET with Non-Administrative Privileges" on MSDN, a compendium of adjustments you need to make, particularly for ASP.NET applications (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/tchdevelopingsoftwareinvisualstudionetwithnon-administrativeprivileges.asp)
- Keith Brown is a .NET security guru who has lots of good, low-level information about least privilege (http://www.pluralsight.com/keith/book/html/howto_runasnonadmin.html)
- Local Administrator/Power User Hall of Shame is a list of programs that require that the user be an admin without good reason (http://www.threatcode.com/)
- Michael Howard is one of Microsoft's security gurus who wrote about least privilege back in 2002, "The Challenge of Least Privilege" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure06112002.asp)
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].