Re: Security issues with Asp.Net in Shared Hosting Environments

[Mark Burnett <mb () xato net>]

I have read several of your articles, e-mails, and usenet posts and 
while the facts are correct, I'm not really clear what you expect to 
happen.

> From what I understand, you want:

- Full trust features made available to web site operators in a shared 
hosting environment who are not fully trusted.

- Little or no extra effort on the developer's part to make it run in 
a partial trust environment.

- The developers shouldn't have to operate their own server to be able 
to run trusted code.

You state that the .NET framework does not allow the creation of 
secure hosting environments unless one is prepared to develop 
partially trusted web applications. This is true and precisely the 
reason Microsoft created the concept of partial trust. Of course you 
can't do everything with partial trust because the hosting company 
doesn't fully trust you. If a hosting company is willing to grant 
everyone full trust, that is their own security problem and certainly 
not a flaw of ASP.NET. It would be absurd if a hosting company running 
classic ASP allowed all customers to install their own COM objects and 
ISAPI applications. 

Further, many of the things you talk about can be restricted in other 
ways. When I run your ANSA application against any of my servers using 
my standard build procedure, ALL of the tests fail, not just because 
of my ASP.NET configuration, but because I take the proper steps in 
securing the file system, the registry, WSH, FSO WMI, etc. 

You really can't expect a hosting company to fully trust you. The real 
issue here is a balance of security vs. features and is one that 
exists for all platforms. The other issues are knowing how to properly 
secure a server and properly write code that will run on a secure 
server.

You have made several points in your articles, but it seems like you 
are shifting the burden of this onto Microsoft. But its not clear what 
you are asking them to do. What do you see as the solution to all 
this? Are you saying they have the wrong security/features balance?


Mark Burnett





On Thu, 30 Oct 2003 23:17:29 -0000, Dinis Cruz wrote:
> Hello
>
>
> Over the last couple of months I have posted several items in the
> official Asp.Net website (www.asp.net) related to the security
> problems that occur when Asp.Net is used in shared hosting
> environments (such as ISPs, Asp.Net developers and companies that
> manage/host several websites in their servers).
>
> The objective of this email is to consolidate all this information
> in one single point:
>
> 1) for us, it all started with our "Security guide for ISPs
> providing Windows-based Shared Hosting Services"
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)
>
>
> 2) then we created and released an Open Source web application to
> test the security configuration of servers hosting Asp.Net websites
> - the Asp.Net Security Analyser (ANSA) - which is published in
> GotDotNet
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)
>
> 3) Following the release of this tool, we started a public
> discussion on what we considered to be serious problems that needed
> to be addressed: a) "Asp.Net.Vulnerability: Full Trust (current
> security problems and possible solutions)"
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)
> b) "Asp.Net.Vulnerability: Win32 API calls (potential security
> problems)"
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)
> c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential
> security problems)"
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)
>
>
> 4) When (as a reply to one of the "Asp.Net vulnerabilities" posts)
> we where advised to talk first to Microsoft before publishing this
> information publicly, we decided to write the story (so far) of our
> email exchange with several Microsoft employees and Microsoft
> Security Response Center: "When will Microsoft take Asp.Net
> Security seriously? "
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)
>
> 5) Meanwhile we where continuing to work on a solution for the
> 'Full Trust' problem and posted:
>
> a) some ideas on how to tackle the problem: "Idea to solve the
> current shared hosting 'Full trust' issue."
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)
>
>
> b) a 'proof of concept' example on one of the proposed solutions:
> "FSO in 'Medium trust' environments"
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)
>
>
> 6) Finally we wrote two articles (soon to be published) that
> explain these problems with more detail, and say what we think
> Microsoft should be doing to solve this problems and make Asp.Net a
> secure platform for the development of secure web applications
>
> a) "Microsoft must deliver 'secure environments' not tools to write
> 'secure code' - draft article"
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)
>
>
> b) "'An 'Asp.Net' accident waiting to happen" - draft article"
> (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)
>
> Our next steps will be the release of a new version of ANSA and
> continue working on the proposed solution for the 'Full Trust'
> problem (when we have more solid data we will release a white paper
> called "living in a Asp.Net 'Partially Trusted' world'" which will
> provide more details about how this can be successfully achieved
> with the requirements of today's Asp.Net developers).
>
> Best regards
>
>
> Dinis Cruz
> .NET Security Consultant
> DDPlus (www.ddplus.net)
>
>
> Note: We also posted a query for 'real life' examples of web
> applications developed and deployed in 'Partially Trust'
> Environments ("examples of 'Medium' or 'high' trust Asp.Net
> applications" -
> http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380468),
> but haven't received any feedback. If you know of examples we would
> be very appreciated if you give provide us (and the Asp.Net
> community) feedback and 'real life' knowledge.