COM(+) Security: Follow-up

Introduction

In my previous article [1], published on the VB2TheMax site, I briefly described how COM+ security and role-based security work. I promised to discuss web/IIS security in the next article; still, shortly after that article was published I realized that some more information about role-based security and some general security design guidelines were needed. Those are the subjects of this article.

Addendum

There are a couple of details about COM security settings that deserved more attention in the previous article.

Authentication: Both client and server declare (programmatically or declaratively) their preferred authentication level. The DCOM run-time sets up the communication using the higher of the two settings, so a client asking for packet privacy gets it even against a server configured for connect-level authentication, and vice versa. Each side's setting is therefore a floor, not a ceiling.

Identity: Since this setting appears as an option in the DCOMCNFG.EXE tool, I was misled for a while about its real meaning. VB programmers tend to think of security settings as a server-side problem only (I'm afraid to say that I've met some VB programmers who didn't even know that something like COM security existed). The reason lies in the fact that COM API functions like CoInitializeSecurity are not really VB friendly, and DCOMCNFG.EXE is of no use for setting up security on a standard exe application (the procedure requires inserting some registry keys manually).
This is why, at the beginning, I thought that the identity setting (that is, the impersonation level: Anonymous, Identify, Impersonate or Delegate, shown as the Default Impersonation Level in DCOMCNFG.EXE) went through the same negotiation process as the authentication setting, hence the identity setting appearing in DCOMCNFG.EXE being the server-side preference. This is not the case: unlike the authentication setting, this setting is determined entirely by the client (the option appears for a COM server in DCOMCNFG.EXE only because a COM server may itself act as a client when calling into other COM servers). This is reasonable behavior: it is up to the client to decide if and how the server may perform security-sensitive operations using the client's identity token.

DNA Security: Best Practices

As I said, there is quite a lot of work involved in setting up delegation correctly; nevertheless, when all user permissions and COM settings are set up properly, you still have only half of the work done: you need to request delegation programmatically in your method implementation, spawning a new thread (or picking one from a thread pool) and asking that thread to impersonate the caller.
This is not easily feasible (and in any case unsupported) in VB, and there is no way to ask the MTS/COM+ surrogate process to do it for you; but you shouldn't actually be worried at all, since using delegation is considered bad design practice when implementing security in business objects. I know that impersonation and delegation sound tempting, but most of the time they give you more problems than benefits, exposing your application more easily to security holes and making it harder to maintain.
Impersonation and delegation fit only some specific, low-level development scenarios such as file servers or NT services like IIS.
Think about it: delegation basically means "I don't care about security, I delegate the security checks to someone else". You are moving the security checks away from your business objects' entry point, down to the next inner level of your application (file access and DB access permissions), and leaving the security setup to system or DB administrators.
The recommended approach is exactly the opposite: 

  • Perform all access checks at the point at which client requests enter the middle tier
  • Use only role-based security and avoid lower-level security APIs

As Ted Pattison says in his book "Programming Distributed Applications with COM+ and MS Visual Basic 6.0", "Most companies who've successfully deployed distributed applications on large scale have found that this is the only sane approach."

The advantages implied are: 

  • You can set permissions using business-rule semantics (you cannot withdraw more than $100 since you are not in the Manager role)
  • Applications are easier to set up and maintain
  • Applications are more scalable: DB connection pooling works only when every connection is opened with the same credentials, which is possible only if you do not delegate the access checks to the DB
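The declarative side of the approach recommended above (roles, access checks at the application entry point, the authentication and impersonation levels discussed in the Addendum) can be scripted against the COM+ catalog instead of being clicked through in the Component Services snap-in or written into the registry by hand. The following is an added example, not code from the original article; it assumes a COM+ application named "BankApp" already exists and contains a component with ProgID "Bank.Account", and the NT group names are placeholders. It needs a reference to the "COM+ 1.0 Admin Type Library" (comadmin.dll) and must run as a local administrator.

```vb
' Added example (not from the original article): declare a COM+ application's
' security policy through the COM+ catalog (COMAdmin.COMAdminCatalog).
' Assumptions: application "BankApp" and component "Bank.Account" exist;
' group names CORP\BankTellers and CORP\BankManagers are placeholders.
Option Explicit

' Numeric values of the catalog properties (same values as the COMAdmin enums)
Private Const AUTHN_LEVEL_PKT_PRIVACY As Long = 6        ' "Authentication": RPC_C_AUTHN_LEVEL_PKT_PRIVACY
Private Const IMP_LEVEL_IDENTIFY As Long = 2             ' "ImpersonationLevel": RPC_C_IMP_LEVEL_IDENTIFY
Private Const ACCESS_CHECKS_APP_AND_COMPONENT As Long = 1 ' "AccessChecksLevel"

Public Sub ConfigureBankApp()
    Dim cat As COMAdminCatalog
    Dim apps As COMAdminCatalogCollection
    Dim app As COMAdminCatalogObject

    Set cat = New COMAdminCatalog
    Set apps = cat.GetCollection("Applications")
    apps.Populate
    Set app = FindByName(apps, "BankApp")
    If app Is Nothing Then Err.Raise vbObjectError + 1, "ConfigureBankApp", "BankApp not found"

    ' Server-side authentication preference. DCOM uses the higher of this
    ' and the client's level, so this is a floor, not a ceiling.
    app.Value("Authentication") = AUTHN_LEVEL_PKT_PRIVACY
    ' Impersonation level this application offers when it is itself a client
    ' of another server. Identify is enough for role checks on the callee;
    ' Impersonate/Delegate would let the callee act with our token.
    app.Value("ImpersonationLevel") = IMP_LEVEL_IDENTIFY
    ' Role-based access checks at process and component level.
    app.Value("ApplicationAccessChecksEnabled") = True
    app.Value("AccessChecksLevel") = ACCESS_CHECKS_APP_AND_COMPONENT
    apps.SaveChanges

    ' Roles with business-rule semantics.
    Dim roles As COMAdminCatalogCollection
    Set roles = apps.GetCollection("Roles", app.Key)
    roles.Populate
    AddRoleWithMember roles, "Teller", "CORP\BankTellers"
    AddRoleWithMember roles, "Manager", "CORP\BankManagers"

    ' Bind both roles to the component: only members of these roles can call
    ' it at all. Per-interface/per-method binding uses RolesForInterface and
    ' RolesForMethod in the same way.
    Dim comps As COMAdminCatalogCollection
    Dim comp As COMAdminCatalogObject
    Set comps = apps.GetCollection("Components", app.Key)
    comps.Populate
    Set comp = FindByName(comps, "Bank.Account")
    If comp Is Nothing Then Err.Raise vbObjectError + 2, "ConfigureBankApp", "Bank.Account not found"
    comp.Value("ComponentAccessChecksEnabled") = True
    comps.SaveChanges

    Dim rfc As COMAdminCatalogCollection
    Dim r As COMAdminCatalogObject
    Set rfc = comps.GetCollection("RolesForComponent", comp.Key)
    rfc.Populate
    Set r = rfc.Add: r.Value("Name") = "Teller"
    Set r = rfc.Add: r.Value("Name") = "Manager"
    rfc.SaveChanges
End Sub

' Returns the catalog object whose Name matches, or Nothing.
Private Function FindByName(ByVal coll As COMAdminCatalogCollection, _
                            ByVal Name As String) As COMAdminCatalogObject
    Dim item As COMAdminCatalogObject
    For Each item In coll
        If StrComp(item.Name, Name, vbTextCompare) = 0 Then
            Set FindByName = item
            Exit Function
        End If
    Next
End Function

' Creates the role if it is missing and adds one NT group as a member.
Private Sub AddRoleWithMember(ByVal roles As COMAdminCatalogCollection, _
                              ByVal RoleName As String, ByVal GroupName As String)
    Dim role As COMAdminCatalogObject
    Set role = FindByName(roles, RoleName)
    If role Is Nothing Then
        Set role = roles.Add
        role.Value("Name") = RoleName
        roles.SaveChanges
    End If
    Dim users As COMAdminCatalogCollection
    Dim u As COMAdminCatalogObject
    Set users = roles.GetCollection("UsersInRole", role.Key)
    users.Populate
    Set u = users.Add
    u.Value("User") = GroupName
    users.SaveChanges
End Sub
```

Note that nothing in the component itself is needed for the component-level check; COM+ enforces it before the call reaches your code. The process identity of the application (the "Identity" and "Password" properties of the same Applications item) is set the same way, and it is that identity, not the caller's, that the component's file and database access will be checked against.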

Deep into Role-Based Security

There are still a couple of details about role-based security you have to be aware of in order to design your multi-tier application properly.
Both fit naturally into a security architecture that follows the DNA recommendations mentioned above.

  • Access checks within COM+ applications:
    Once a call into a COM object has passed the role-based check using the caller's identity, any file or database access (via NT integrated security) that you perform during the method's execution is checked against the process identity, not the caller's identity.
  • Nested calls from COM+ application to COM+ application:
    The role-based access check is done against the process identity of the direct caller, not against the base client identity (the original caller) that initiated the call chain.
    Example: suppose a base client running as user A calls into a configured COM component, object 1, deployed in COM+ application X. Application X runs under the identity of user B. During the method's execution, object 1 calls into object 2, deployed in application Y. The role-based access check in application Y is done against user B, not against the original caller A. The roles you define in application Y must therefore include X's identity B, whatever base client the call really originated from.

Although not relevant to the role-based security mechanism itself, MTS/COM+ maintains the identity chain while the logical thread of execution (the activity) flows from one COM+ application to another. MTS users were limited in identity-flow discovery, having available only a few methods of the SecurityProperty object (GetObjectContext.Security) such as GetDirectCallerName and GetOriginalCallerName. COM+ introduces the SecurityCallContext object, whose Callers item is a SecurityCallers collection: using it you can enumerate the whole set of identities that have been involved in the activity. Remember that this information is made available for tracking and logging purposes only, not to set up some kind of custom security checks.
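To show both points above in one place (the role check at the entry point, and the direct/original caller distinction together with the SecurityCallers chain), here is an added example of a method in a configured VB6 component; it is not code from the original article. It needs a reference to the "COM+ Services Type Library" (comsvcs.dll). The component name "Bank.Account", the "Manager" role and the $100 threshold are assumptions of this example.

```vb
' Added example (not from the original article): a configured COM+ component
' method that performs its access check at the entry point with role-based
' security and logs the caller chain COM+ keeps across applications.
' Assumptions: role "Manager", threshold $100, component name "Bank.Account".
Option Explicit

Private Const RPC_C_AUTHN_LEVEL_PKT_PRIVACY As Long = 6
Private Const MANAGER_LIMIT As Currency = 100

' Withdraw: any caller that reached this method (i.e. is in a role bound to
' the component) may withdraw up to MANAGER_LIMIT; larger amounts also
' require the "Manager" role.
Public Function Withdraw(ByVal Account As String, ByVal Amount As Currency) As Boolean
    Dim ctx As SecurityCallContext
    Set ctx = GetSecurityCallContext()

    ' Fail closed if the application was deployed with access checks off:
    ' IsCallerInRole returns True for everybody when security is disabled.
    If Not ctx.IsSecurityEnabled() Then
        Err.Raise vbObjectError + 1, "Bank.Account", _
                  "Role-based access checks are disabled for this application"
    End If

    ' The level reported here is the one DCOM negotiated for this call,
    ' i.e. the higher of the client's and the server's preference.
    If ctx.Item("MinAuthenticationLevel") < RPC_C_AUTHN_LEVEL_PKT_PRIVACY Then
        Err.Raise vbObjectError + 2, "Bank.Account", _
                  "Call arrived below packet-privacy authentication"
    End If

    ' Business rule expressed with roles, checked at the entry point.
    If Amount > MANAGER_LIMIT And Not ctx.IsCallerInRole("Manager") Then
        LogCallers ctx, "DENIED withdraw " & Format$(Amount, "0.00") & " from " & Account
        Withdraw = False
        Exit Function
    End If

    LogCallers ctx, "withdraw " & Format$(Amount, "0.00") & " from " & Account
    ' Database work goes here. It runs under the process identity of this
    ' COM+ application, not under the caller's identity.
    Withdraw = True
End Function

' Writes the direct caller, the original caller and the whole chain to the
' Application event log. When this component is called from another COM+
' application, DirectCaller is that application's process identity, and the
' role check above was made against it, not against OriginalCaller.
Private Sub LogCallers(ByVal ctx As SecurityCallContext, ByVal Msg As String)
    Dim line As String
    line = Msg & " direct=" & ctx.Item("DirectCaller").Item("AccountName") _
               & " original=" & ctx.Item("OriginalCaller").Item("AccountName")

    Dim callers As SecurityCallers
    Dim caller As SecurityIdentity
    Set callers = ctx.Item("Callers")
    For Each caller In callers
        ' AuthenticationLevel is the negotiated level for that hop;
        ' ImpersonationLevel is what that caller chose to grant.
        line = line & " [" & caller.Item("AccountName") _
                    & " authn=" & caller.Item("AuthenticationLevel") _
                    & " imp=" & caller.Item("ImpersonationLevel") & "]"
    Next
    App.LogEvent line, vbLogEventTypeInformation
End Sub
```

In the two-application scenario described above (user A calls application X running as B, which calls this method in application Y), the log line would show direct=B and original=A, and IsCallerInRole("Manager") is evaluated for B. The chain is logged as the article recommends, for tracking only; the access decision stays with the roles.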

Conclusions

I hope I have provided valuable information for setting up your distributed application's security effectively, as long as you are concerned with standard Win32 clients.
As you know, you can call into a COM object from an ASP page, that is, basically, from an HTTP request. This poses a whole new set of security issues, related to the fact that in most cases the identity calling into a web server via a browser request is not known inside the domain, hence it cannot be authenticated. IIS must then act as the base client when calling into the domain where the middle-tier COM objects reside, while still providing you some way to distinguish among different Internet users. What kind of security could you set up if all Internet calls were seen as coming from the System account (the account the inetinfo.exe process runs under)?

You will see in my next article how IIS behaves differently from a standard base client, using impersonation and delegation to provide you with different ways to map Internet users to domain identities.

Errata

There are a couple of errata in my previous article about COM+ security (they have probably been fixed by the time you read this):

  • SSP stands for Security Support Provider, not Security Service Provider. 
  • Required user rights to set up delegation:
    The client account must have "Account is sensitive and cannot be delegated" disabled.
    The server process identity must have "Trusted for delegation" enabled.
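Both flags live in the userAccountControl attribute of the respective account, so they can be verified before you debug a delegation failure any further. The following is an added example, not code from the original article; the distinguished names are placeholders, and it assumes the code runs under an account allowed to read userAccountControl in the domain.

```vb
' Added example (not from the original article): checks through ADSI the two
' account flags listed in the errata. Distinguished names are placeholders.
Option Explicit

' userAccountControl bits (ADS_USER_FLAG_ENUM)
Private Const ADS_UF_TRUSTED_FOR_DELEGATION As Long = &H80000   ' "Trusted for delegation"
Private Const ADS_UF_NOT_DELEGATED As Long = &H100000           ' "Account is sensitive and cannot be delegated"

' Returns True when delegation of ClientDN's credentials by the server
' identity ServerDN is possible; otherwise Reason says which flag blocks it.
' ServerDN is the account the COM+ application runs as; if it runs as
' LocalSystem, pass the computer object instead.
Public Function DelegationPrerequisitesMet(ByVal ClientDN As String, _
                                           ByVal ServerDN As String, _
                                           ByRef Reason As String) As Boolean
    Dim clientUac As Long, serverUac As Long
    clientUac = GetObject("LDAP://" & ClientDN).Get("userAccountControl")
    serverUac = GetObject("LDAP://" & ServerDN).Get("userAccountControl")

    If (clientUac And ADS_UF_NOT_DELEGATED) <> 0 Then
        Reason = ClientDN & " is marked 'Account is sensitive and cannot be delegated'"
    ElseIf (serverUac And ADS_UF_TRUSTED_FOR_DELEGATION) = 0 Then
        Reason = ServerDN & " is not 'Trusted for delegation'"
    Else
        Reason = ""
        DelegationPrerequisitesMet = True
    End If
End Function

' Example use with constructed DNs:
'   Dim why As String
'   If Not DelegationPrerequisitesMet("CN=Alice,OU=Users,DC=corp,DC=example", _
'           "CN=svc-bank,OU=Service Accounts,DC=corp,DC=example", why) Then MsgBox why
```

These two flags are only the account-side prerequisites; the COM settings (Delegate impersonation level on the client, the authentication level) and the programmatic impersonation discussed earlier are still required, which is one more reason to prefer role-based checks at the entry point.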

[1] Enrico Sabbadin, "A guerrilla course on COM(+) security", VB2TheMax.