gaoxiang

Focused on .NET technology


Smart Client Offline Application Block


Offline Application Block Configuration and Security Considerations


Microsoft Corporation

February 2004

Summary: Chapter 4 presents the steps for successful deployment and important security threats as well as countermeasures you need to consider.

Contents

Deployment Requirements

Configuration

ConnectionManagerProviders

QueueManagerProviders

CryptographicSettings

CacheManagerSettings

Exception Management

Security Considerations

Summary

After you have developed and tested an application based on the Offline Application Block, the application can be deployed in a production environment. This chapter discusses how to do this by configuring the application for the various providers. It also discusses the security threats and countermeasures to consider when deploying the application in a production environment.

Deployment Requirements

Before deploying applications that use the Offline Application Block, make sure that the target computers have the following software components installed:

  • Microsoft® Windows® XP Professional operating system
  • Microsoft .NET Framework version 1.1

In addition, if you want to use the providers that ship with the Offline Application Block, you must install the following software:

  • Microsoft Message Queuing (MSMQ) for the queue storage provider
  • Microsoft SQL Server™ Desktop Engine (MSDE) for the queue/cache storage provider

Configuration

Providers are defined in the App.config file that you create in a Microsoft Visual Studio® .NET development system project. The file has a section for each type of provider:

  • ConnectionManagerProviders–This section contains the configuration information for the strategies used to detect the physical connection state of the application. This block ships with a connection-detection provider that uses the Windows networking API (WinInet) to detect the presence or absence of the network.
  • QueueManagerProviders–This section contains the configuration information for the providers used to store the messages, including the MSMQQueueStorageProvider, MSDEQueueStorageProvider, IsolatedStorageQueueStorageProvider, and InMemoryQueueStorageProvider.
  • CryptographicSettings–This section contains the configuration information for the cryptographic provider settings.
  • CacheManagerSettings–This section contains the configuration information for the Caching Application Block. For more information about the Caching Application Block, see the Caching Application Block documentation. The Offline Application Block ships the Isolated Storage cache provider as an additional provider for caching.

The "ConnectionManagerProviders" and "QueueManagerProviders" sections each have an element called <providers>, which contains the strategies for Connection Management and Message Data Management subsystems. Each strategy or provider has a corresponding child element under the <providers> section. Each provider has the common set of attributes listed in Table 4.1.

Table 4.1 Common Provider Attributes

Attribute name | Description | Required | Default value
-------------- | ----------- | -------- | -------------
name | Friendly name for the provider. | Yes | None
type | Fully qualified type name of the class corresponding to the provider. | Yes | None
enabled | Specifies which provider in the configuration file is enabled. You must set only one of these providers to true for the offline functionality to work properly. | No | False


The custom properties required for each provider are expressed as child elements.

ConnectionManagerProviders

The following configuration file extract shows how the ConnectionManagersProviders section is defined in App.config:

...
<configuration>
  <configSections>
    <section name="ConnectionManagerProviders" type="Microsoft.ApplicationBlocks.SmartClient.Offline.MultiProviderConfigHandler,Microsoft.ApplicationBlocks.SmartClient.Offline,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null" />
  </configSections>
</configuration>
...

The following configuration file extract shows the details of the ConnectionManagerProviders section:

...
<ConnectionManagerProviders>
  <provider name="connectionDetectionStrategy" enabled="true"
    type="Microsoft.ApplicationBlocks.SmartClient.Offline.WinINetDetectionStrategy, Microsoft.ApplicationBlocks.SmartClient.Offline.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null">
    <pollingInterval>2</pollingInterval>
  </provider>
</ConnectionManagerProviders>
...

Table 4.2 describes the settings for the ConnectionManagerProviders attributes in the order in which they appear in the configuration file.

Table 4.2: Default Settings for ConnectionManagerProviders Attributes

Attribute/child element | Description | Default value
----------------------- | ----------- | -------------
name | Specifies the name of the provider. | None
enabled | Specifies which provider in the configuration file is enabled. Acceptable values are true or false. You must set only one of these providers to true for the offline functionality to work properly. | false
type | Specifies the fully qualified name of the provider. | None
pollingInterval | Specifies how frequently the Connection Manager detects the connection state. This attribute must be set. The recommended setting is two (2) seconds. | None


The Offline Application Block ships one connection detection strategy, the WinINetDetectionStrategy class, which uses the Windows WinInet API to detect whether the network is reachable.

QueueManagerProviders

The following providers are available for queue storage:

  • InMemoryQueueStorageProvider–This provider stores the queue data in an in-memory data structure. Because the data stored is lost when the application is closed, this provider is not suitable for storing persistent data.
  • MSDEQueueStorageProvider–This provider stores the queue data in Desktop Engine. The custom property connectionString defines the connection string used to connect to the MSDE database.
  • MSMQQueueStorageProvider–This provider stores the queue data in Message Queuing. This provider allows the name of the message queue to be specified in the configuration file, and it will attempt to open a queue of that name. If it cannot, it will then attempt to create a private queue with the given name. During deployment of an application based on this block, you should create the message queue manually through administrative means (by using a Microsoft Management Console [MMC] snap-in) to allow for its security permissions to be configured correctly. Note that this block assumes that the message queue used will be a private queue. The custom property, queueName, defines the name of the queue.
  • IsolatedStorageQueueStorageProvider–This provider stores the queue data of one user and protects it from other users.

The following configuration file extract shows how the QueueManagerProviders section is defined in the App.config file:

...
<configuration>
  <configSections>
    <section name="QueueManagerProviders" type="Microsoft.ApplicationBlocks.SmartClient.Offline.MultiProviderConfigHandler,Microsoft.ApplicationBlocks.SmartClient.Offline,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null" />
  </configSections>
</configuration>
...

The following configuration file extract shows the details of the QueueManagerProviders section:

...
<QueueManagerProviders>
  <provider name="queueManagerStorageProvider"
    enabled="false"
    type="Microsoft.ApplicationBlocks.SmartClient.Offline.IsolatedStorageQueueStorageProvider,Microsoft.ApplicationBlocks.SmartClient.Offline.Providers,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null"
    encrypted="false"
    signed="false"
    cryptoProvider="default" />
  <provider name="queueManagerStorageProvider"
    enabled="true"
    type="Microsoft.ApplicationBlocks.SmartClient.Offline.InMemoryQueueStorageProvider,Microsoft.ApplicationBlocks.SmartClient.Offline.Providers,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null"
    encrypted="false"
    signed="false"
    cryptoProvider="default" />
  <provider name="queueManagerStorageProvider"
    enabled="false"
    type="Microsoft.ApplicationBlocks.SmartClient.Offline.MSMQQueueStorageProvider,Microsoft.ApplicationBlocks.SmartClient.Offline.Providers,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null"
    encrypted="false"
    signed="false"
    cryptoProvider="default">
    <queueName>InsuranceClaimsClientQueue</queueName>
  </provider>
  <provider name="queueManagerStorageProvider"
    enabled="false"
    type="Microsoft.ApplicationBlocks.SmartClient.Offline.MSDEQueueStorageProvider,Microsoft.ApplicationBlocks.SmartClient.Offline.Providers,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null"
    encrypted="false"
    signed="false"
    cryptoProvider="default">
    <applicationName>Insurance Claims Client</applicationName>
    <connectionString>Initial Catalog=QueueDatabase;Data Source=[MsdeServerName]\[MsdeInstanceName];Integrated security=true</connectionString>
  </provider>
</QueueManagerProviders>
...

Table 4.3 describes the settings for the QueueManagerProviders attributes in the order in which they appear in the configuration file.

Table 4.3: Default Settings for QueueManagerProviders Attributes

Attribute/child element | Description | Default value
----------------------- | ----------- | -------------
name | Specifies the name of the provider. | None
enabled | Specifies which provider in the configuration file is enabled. Acceptable values are true or false. You must set exactly one of these providers to true for the offline functionality to work properly. | false
type | Specifies the fully qualified name of the provider. | None
encrypted | Specifies whether the data should be encrypted before it is written and decrypted before it is read. | false
signed | Specifies whether the data is signed before it is written and verified before it is read. | None
cryptoProvider | Names the cryptographic provider (a cryptographicInfo entry in the cryptographic settings section) that this storage provider uses for encryption and signing. In this extract it is set to default. | Default provider


The cryptoProvider attribute is discussed more completely in the following section, "Cryptographic Settings."

CryptographicSettings

Each provider node in the configuration file for queue storage providers has a cryptoProvider attribute that specifies which cryptographic provider to use. There is another section in the configuration file, called crytpographicSettings, where you can define a number of different cryptographic providers, each implementing a different cryptographic algorithm or using a different key. Each of these cryptographic providers is identified by a name, and the cryptoProvider attribute on each provider element under QueueManagerProviders identifies which cryptographic provider to use for that queue storage provider.

IMPORTANT   It is important to change the key frequently to prevent malicious or unauthorized users from gaining access to the key and gaining unlawful entry to your network.

To generate your own symmetrical keys

  1. Open ValidationKeyGeneration.sln in Visual Studio .NET 2003. The utility is included with the offline solutions and QuickStarts and is located at <installation location>\Offline\QuickStarts\Utility\ValidationKeyGeneration. Alternatively, you can access Validation Key Generation as follows: click Start, click All Programs, click Microsoft Application Blocks for .NET, click Offline, and then click Validation Key Generation.
  2. Build the solution.
  3. Run ValidationKeyGeneration.exe.
  4. Click the Generate button. A new key appears in the text box.
  5. Copy the key from the text box, and use it in your configuration file.
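To make concrete what signed="true" on a queue storage provider buys, and why the key in the IMPORTANT note above has to be rotated with care, here is an added example (not code from the block or this chapter) of a sign-before-write, verify-before-read queue in Python. The HMAC-SHA1 construction, the SignedQueue class and the key bytes are assumptions; this page does not document the block's actual on-disk format.

```python
import hashlib
import hmac
import json

# Constructed 32-byte validation key standing in for a value produced by the
# ValidationKeyGeneration utility; a real deployment generates its own key and
# keeps it out of source control.
VALIDATION_KEY = bytes.fromhex(
    "6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19")
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes, matching validation="SHA1"


class TamperedEntryError(Exception):
    """Raised when a queued entry fails verification on read."""


def sign_entry(payload, key=VALIDATION_KEY):
    """Serialise a queue entry and append an HMAC-SHA1 tag (assumed scheme)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body + hmac.new(key, body, hashlib.sha1).digest()


def verify_entry(record, key=VALIDATION_KEY):
    """Check the tag before the entry is handed back to the application."""
    if len(record) <= TAG_LEN:
        raise TamperedEntryError("record too short to carry a validation tag")
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha1).digest()):
        raise TamperedEntryError("validation tag mismatch")
    return json.loads(body)


class SignedQueue:
    """Minimal stand-in for a queue storage provider configured with signed="true"."""

    def __init__(self, key=VALIDATION_KEY):
        self.key = key
        self.records = []  # what someone bypassing the block would see in storage

    def enqueue(self, payload):
        self.records.append(sign_entry(payload, self.key))

    def dequeue(self):
        return verify_entry(self.records.pop(0), self.key)


def tamper_is_detected():
    """A record modified directly in storage (Table 4.4, queue threats) is rejected."""
    q = SignedQueue()
    q.enqueue({"claimId": 4711, "amount": 120.0})
    q.records[0] = q.records[0].replace(b"120.0", b"999.0")
    try:
        q.dequeue()
    except TamperedEntryError:
        return True
    return False


def rotated_key_rejects_old_entries():
    """Entries signed under the previous key fail after rotation, so drain the
    queue under the old key before switching to the new one."""
    old = SignedQueue(key=b"old-key-placeholder-0000000000")
    old.enqueue({"claimId": 1})
    new = SignedQueue(key=b"new-key-placeholder-1111111111")
    new.records = old.records
    try:
        new.dequeue()
    except TamperedEntryError:
        return True
    return False
```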

For more information about cryptography, refer to the following articles:

Using Queue Providers With Cryptography to Help Secure Data

Using queue providers with cryptography enabled helps you store queued data more securely. The following configuration file extract shows how the cryptographic settings section is defined in the App.config file:

...
<configuration>
  <configSections>
    <section name="crytpographicSettings" type="Microsoft.ApplicationBlocks.Common.Crypto.CryptographicConfigurationHandler, Microsoft.ApplicationBlocks.Common,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null" />
    ...
  </configSections>
</configuration>

The following configuration file extract shows the details of the cryptographic settings section:

...
<crytpographicSettings>
  <cryptographicInfo name="default"
    type="Microsoft.ApplicationBlocks.Common.Crypto.DPAPIProvider, Microsoft.ApplicationBlocks.Common, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
    validationKey="Create a new validation key using the validation key generation utility and place here"
    validation="SHA1" />
</crytpographicSettings>
...

For more information about configuration files and their settings, refer to the Configuration Management Application Block on MSDN (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/cmab.asp).

Note   For complete configuration settings, see the App.config file for the Insurance Claims QuickStart.
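As an added example (not part of the block or this chapter), the following Python script checks an App.config against the rules stated in Tables 4.2 and 4.3 and in this section: exactly one enabled provider per section, a pollingInterval on the enabled connection provider, a queueName for the MSMQ provider, every cryptoProvider resolving to a cryptographicInfo entry, and no placeholder validationKey left on a provider that encrypts or signs. The embedded configuration is constructed from the extracts above and deliberately contains three mistakes.

```python
import xml.etree.ElementTree as ET

# Constructed App.config fragment modelled on this chapter's extracts (section and
# attribute names as on the page, assembly versions omitted for brevity). It
# deliberately contains three deployment mistakes that the checker below reports.
SAMPLE_CONFIG = """<configuration>
  <ConnectionManagerProviders>
    <provider name="connectionDetectionStrategy" enabled="true"
      type="Microsoft.ApplicationBlocks.SmartClient.Offline.WinINetDetectionStrategy, Microsoft.ApplicationBlocks.SmartClient.Offline.Providers">
      <pollingInterval>2</pollingInterval>
    </provider>
  </ConnectionManagerProviders>
  <QueueManagerProviders>
    <provider name="queueManagerStorageProvider" enabled="true"
      type="Microsoft.ApplicationBlocks.SmartClient.Offline.MSMQQueueStorageProvider, Microsoft.ApplicationBlocks.SmartClient.Offline.Providers"
      encrypted="true" signed="true" cryptoProvider="default">
      <queueName>InsuranceClaimsClientQueue</queueName>
    </provider>
    <provider name="queueManagerStorageProvider" enabled="true"
      type="Microsoft.ApplicationBlocks.SmartClient.Offline.InMemoryQueueStorageProvider, Microsoft.ApplicationBlocks.SmartClient.Offline.Providers"
      encrypted="false" signed="false" cryptoProvider="missing"/>
  </QueueManagerProviders>
  <crytpographicSettings>
    <cryptographicInfo name="default"
      type="Microsoft.ApplicationBlocks.Common.Crypto.DPAPIProvider, Microsoft.ApplicationBlocks.Common"
      validationKey="Create a new validation key using the validation key generation utility and place here"
      validation="SHA1"/>
  </crytpographicSettings>
</configuration>"""

PLACEHOLDER_KEY = "Create a new validation key"


def _is_true(element, attribute):
    return element.get(attribute, "false").strip().lower() == "true"


def _providers(root, section):
    node = root.find(section)
    return node.findall("provider") if node is not None else []


def check_config(xml_text):
    """Return a list of findings; an empty list means the config passed every check."""
    root = ET.fromstring(xml_text)
    findings = []

    # Tables 4.2/4.3: exactly one enabled provider per section, assembly-qualified types.
    for section in ("ConnectionManagerProviders", "QueueManagerProviders"):
        providers = _providers(root, section)
        enabled = [p for p in providers if _is_true(p, "enabled")]
        if len(enabled) != 1:
            findings.append(f"{section}: {len(enabled)} providers enabled, expected exactly 1")
        for p in providers:
            if "," not in p.get("type", ""):
                findings.append(f"{section}/{p.get('name')}: type is not assembly-qualified")

    # Table 4.2: pollingInterval must be set on the connection-detection provider.
    for p in _providers(root, "ConnectionManagerProviders"):
        if _is_true(p, "enabled") and not (p.findtext("pollingInterval") or "").strip():
            findings.append("ConnectionManagerProviders: enabled provider lacks pollingInterval")

    # Cryptographic settings: every cryptoProvider must resolve, and a provider that
    # encrypts or signs must not still carry the placeholder validationKey.
    crypto = {c.get("name"): c for c in root.iter("cryptographicInfo")}
    for p in _providers(root, "QueueManagerProviders"):
        type_name, crypto_name = p.get("type", ""), p.get("cryptoProvider", "")
        if "MSMQQueueStorageProvider" in type_name and not p.findtext("queueName"):
            findings.append("MSMQQueueStorageProvider: queueName is missing")
        if crypto_name not in crypto:
            findings.append(f"cryptoProvider '{crypto_name}' has no cryptographicInfo entry")
        elif (_is_true(p, "encrypted") or _is_true(p, "signed")) and \
                crypto[crypto_name].get("validationKey", "").startswith(PLACEHOLDER_KEY):
            findings.append(f"cryptoProvider '{crypto_name}': validationKey is still the placeholder")
    return findings
```

Run check_config against the real App.config before shipping; the three findings on the sample are the two enabled queue providers, the unresolved cryptoProvider name, and the placeholder key on a provider that encrypts.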

CacheManagerSettings

The Offline Application Block uses four cache providers: IsolatedStorageCacheStorage (provided by the Offline Application Block), SingletonCacheStorage, SQLServerCacheStorage (provided by MSDE), and MmfCacheStorage.

In the <StorageInfo> element under the <CacheManagerSettings> section, you must specify the following two attributes of the Isolated Storage Provider:

  • AssemblyName–The name of the assembly in which the provider class is located: Microsoft.ApplicationBlocks.Offline.Providers.
  • ClassName–The name of the class corresponding to the provider: Microsoft.ApplicationBlocks.Offline.Providers.IsolatedStorageCache.

The following configuration file extract shows how the CacheManagerSettings section is defined in the App.config file:

...
<configuration>
  <configSections>
    <section name="CacheManagerSettings" type="Microsoft.ApplicationBlocks.Cache.CacheConfigurationHandler, Microsoft.ApplicationBlocks.Cache,Version=1.0.0.0,Culture=neutral,PublicKeyToken=null" />
    ...
  </configSections>
</configuration>

The following configuration file extract shows the details of CacheManagerSettings section:

...
<CacheManagerSettings>
  <DataProtectionInfo AssemblyName="Microsoft.ApplicationBlocks.Cache, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
    ClassName="Microsoft.ApplicationBlocks.Cache.DataProtection.DefaultDataProtection"
    ValidationKey="Create a new validation key using the validation key generation utility and place here"
    Validation="SHA1" />
  <StorageInfo AssemblyName="Microsoft.ApplicationBlocks.SmartClient.Offline.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
    ClassName="Microsoft.ApplicationBlocks.SmartClient.Offline.IsolatedStorageCacheStorage"
    Mode="InProc" Validated="false" Encrypted="false" />
  <ScavengingInfo AssemblyName="Microsoft.ApplicationBlocks.Cache, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
    ClassName="Microsoft.ApplicationBlocks.Cache.Scavenging.LruScavenging"
    MemoryPollingPeriod="60" UtilizationForScavenging="80" MaximumSize="100" />
</CacheManagerSettings>
...

For more information about the SingletonCacheStorage, SQLServerCacheStorage (MSDE), and MmfCacheStorage, refer to the Caching Application Block documentation at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/CachingBlock.asp.

Exception Management

Exceptions in the Offline Application Block are logged using the Exception Management Application Block (EMAB). The events are logged in the Windows Event Log, which is the default destination for all of the log events logged by EMAB. If you want the events logged to other stores—such as SQL Server, Message Queuing, or Windows Management Instrumentation (WMI)—you can use the Logging Application Block, which offers a more robust and extensible model for logging. For more information, see the Logging Application Block on MSDN at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/Logging.asp?frame=true.

Security Considerations

The Offline Application Block has many assets that must be protected from unauthorized access or malicious attacks. These assets include:

  • Cached data
  • Queued data
  • Credentials used to access the cache and the queue
  • User credentials
  • User data that travels over the network
  • Deployed assemblies

In addition, the system on which the smart client application runs, as well as any Web services it uses, may also be vulnerable. Three of the most common types of attacks are spoofing, luring, and replay.

Spoofing Attacks

Spoofing attacks can assume several forms. In general, the attacker creates a misleading situation to trick the target into revealing sensitive information. One example of a spoofing attack is IP spoofing. This occurs when an attacker outside the network pretends to be a trusted user, either by using an IP address that is within the network's IP address range, or by using a trusted external IP address which has access to specific resources on the network. Also, if the attacker can access IP Security (IPSec) security parameters, the attacker can masquerade as a remote user authorized to connect to the corporate network. Other examples of spoofing attacks include Transmission Control Protocol (TCP) spoofing, where Internet packets are sent with forged addresses, and Domain Name Server (DNS) spoofing, where the attacker forges information about which computer names correspond to which network addresses.

Luring Attacks

Luring attacks are illegal elevations of privilege. Trusted code is fooled into making a call into the attacking code, which then acquires the legitimate code's privileges. For example, you might receive a program through e-mail that you don't trust. Since you are suspicious of the program's origins, you add a new local account to your computer that has normal, restricted user privileges rather than your own high-level privileges. You then use the secondary logon service to run the program under the restricted account. The code executes without any problems, so you assume it is legitimate.

The next day, you receive e-mail from people complaining that you've sent them spam. There are also new files added to the System32 directory. This is the result of a luring attack, launched by the program you thought you had made safe. When the program started, it checked to see if it was running in a privileged security context. Finding that it was not, it assumed that the actual user would be logged in with more privileges. By calling some functions in User32.dll, it simulated an actual user, tricking Windows Explorer into starting a new copy of the program. When the new program started, it inherited a copy of the Windows Explorer token. Because the user was logged in with high privileges, the program inherited them and was able to compromise files, e-mail, and the operating system.

Replay Attacks

A replay attack fools an authentication system by recording and replaying previously sent valid messages (or parts of messages). Any constant authentication information, such as a password, can be recorded and used later to forge messages that appear to be authentic.

Threats and Countermeasures

The following table lists the possible security threats and the associated countermeasures to Offline Application Block assets, systems running the smart client applications, and the Web services used by an application that uses the Offline Application Block. For more information about threats and countermeasures, see Improving Web Application Security: Threats and Countermeasures on MSDN at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp.

Table 4.4: Security Threats and Countermeasures

Threat | Target | Risk | Attack techniques | Countermeasures
------ | ------ | ---- | ----------------- | ---------------
Attacker obtains access to the cache. | User data in the cache | Sensitive user data is compromised. | Attacker accesses the cache data directly, bypassing the offline block infrastructure. | Encrypt the data and protect the credentials needed to access the cache.
Attacker obtains access to the queue and populates it with messages. | The queue | Messages can contain malicious data that can disrupt, or even bring down, the service. | Attacker populates the queue directly, bypassing the offline block infrastructure. | Ensure that access to the queue is restricted through appropriate credentials and that the credentials are protected, preferably by using the Data Protection Application Interface (DPAPI).
Attacker gains access to credentials used to access the queue and the cache. | Credentials to the queue and the cache | Credentials can be compromised. | If the data stored in the configuration is unencrypted, it is available to privileged users. | Use DPAPI or an equivalent API to store sensitive information.
Attacker obtains access to user credentials. | User credentials stored in the application on the client | User credentials can be compromised when the application encounters an error and records it in the log, or when the computer is hacked. | The computer is hacked and, as part of the error report, the user credentials are stored in the log, which is accessible to a privileged user. | Use the CredentialCache class, which is part of the .NET Framework, to store credentials, even in memory.
Attacker spoofs the business capability service. | User and application data | User and application data sent to the application is compromised. | Network sniffing | Verify that the proxy generated for the service has valid end points.
Attacker obtains access to data while in transport to the Web service. | Data | Data can be compromised. | Network sniffing | Use a secure transport such as SSL or IPSec and encrypt the data before sending it over the wire.
Attacker spoofs downloaded assemblies or deploys malicious assemblies. | The system | The system on which the application is running can be compromised. | Possible attacks include spoofed assemblies and malicious assemblies on the deployment server. | To prevent spoofed assemblies, use a trusted third-party certification service such as VeriSign. To prevent malicious assemblies on the deployment server, encrypt and digitally sign the assemblies stored there and validate the assemblies on download at the client.
Attacker deploys malicious assemblies on the client. | The system and user data | User data can be compromised, as well as the system on which the application is running. | Malicious assemblies are deployed on the client. | Apply StrongNameIdentityPermission declaratively to all assemblies that are part of the application, using SecurityAction.FullDemand so that every assembly in the call stack is verified against the public key: StrongNameIdentityPermission(SecurityAction.FullDemand, PublicKey="").
Attacker accesses unmanaged resources. | The system | The system on which the application is running can be compromised. | Luring attacks, if the code that is using the unmanaged resources has the required permissions. | Demand SecurityPermission to access unmanaged resources in the class that interacts with unmanaged resources.
Attacker uses reflection to create class instances. | The system and user data | Privileged code can be run by malicious assemblies, compromising both the system and user data. | Luring attacks | Demand ReflectionPermission on all code that uses reflection.
Attacker uses replay attacks. | The service providing the business capability | The business capability can be compromised. | The data is sniffed while being transmitted. | Use a secure transport such as SSL or IPSec, and use encryption and digital signatures for the messages.
Attacker gains access to the event log. | The system and user data | Possible risks include: the attacker can bring down the system using malicious log messages; a large number of error messages can mask the audit trail because the log becomes too large to analyze; depending on the log's configuration, valid data may be overwritten. | The attacker, using the infrastructure for error logging, records large numbers of messages into the log. | Possible countermeasures include: demand the correct permissions when accessing the log to read it or write to it; for the Windows Event Log, use EventLogPermission only to write into the log, unless the component supports both read and write; do not provide permissions to update or delete the log; configure the log to issue an error when it is full rather than overwrite itself.
Attacker uses luring attacks. | The system and user data | The system and user data can be compromised. | A malicious assembly invokes trusted assemblies to perform actions on its behalf. | Use StrongNameIdentityPermission and SecurityAction.FullDemand to ensure that all the assemblies in the call stack are from the same signer.


Summary

To deploy the Offline Application Block, configure your providers and decide what security measures you will put into place. Use the App.config file to configure connection-detection providers, queue manager providers, cryptographic settings, and cache settings. Review the security considerations outlined in this chapter and determine which countermeasures are applicable to your environment. Finally, test your deployment of the application to ensure that it meets the security and performance needs of your environment.

posted on 2006-04-08 17:33 by S孤单一吻S, 465 views, 0 comments