TCP and HTTP channels must both utilize authentication and encryption. The Discussion is the same for TCP and HTTP.
Discussion: .NET remoting provides the capability to build widely distributed applications. The application components may reside all on one computer or they may be spread out across the enclave. .NET client applications can make remoting calls to use objects in other processes on the same computer or on any other computer that is reachable over the network. .NET remoting can also be used to communicate with other application domains within the same process. Remoting is achieved via the exposure of endpoints that can be used to establish remote connectivity.
Normally, when application code attempts to access a protected resource, a stack walk is performed to ensure that every stack frame has permission to access the resource. With .NET 4.0, however, this stack walk is not performed across the remoting boundary when a call is made on a remote object. The .NET remoting infrastructure requires FullTrust permission to execute on either the client or the server.
Because FullTrust permission is required, remoting endpoints must be authenticated and encrypted to protect the system and its data.
Microsoft provides three "channels" for remoting: HTTP, TCP and IPC.
Any unauthorized use of a remoting application therefore grants the caller FullTrust access to the system, which can result in a loss of system integrity or confidentiality.
Check Text: Check the machine.config and the [application executable name].exe.config configuration files for the typeFilterLevel="Full" configuration attribute (the attribute name is case-sensitive in the config file).
The machine.config file is contained in the folder
Microsoft specifies locating the application config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the config file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required.
Sample machine/application config file:
<activated type="sample.my.object, myobjects"/>
<channel ref="tcp server" port="6134"/>
<provider ref="wsdl" />
<formatter ref="soap" typeFilterLevel="Full" />
<formatter ref="binary" typeFilterLevel="Full" />
The channel in use is specified by the <channel> elements inside the <channels> element of the config file; the ref attribute selects the HTTP, TCP or IPC channel.
TCP channel example:
<channel ref="tcp" port="6134" secure="true"/>
The TCP channel provides authentication, encryption and message integrity when the secure attribute is set to true, as shown in the above example. The setting must be applied on both ends: a client that is not also configured with secure="true" cannot complete calls to a secured server channel.
If encryption and message integrity are not enabled (secure="true") on a TCP remoting channel whose server formatter provider has typeFilterLevel="Full", this is a finding.
Fix Text: Ensure encryption and message integrity are used for TCP remoting channels when the typeFilterLevel attribute is set to "Full".
TCP remoting connections are protected via the secure="true" attribute on the <channel> element:
<channel ref="tcp" secure="true" />
Include secure="true" on the <channel> element in machine.config and, if the [application name].exe.config file exists on the system, in that file as well. Configure the client side of the same channel with secure="true" too, or calls to the secured server channel will fail.
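The check and fix above can be automated rather than searched for by hand. The following Python script is an added example, not part of the STIG text or of any vendor product: it parses a .NET remoting config, reports every <channel> element, and flags TCP channels whose server formatters allow typeFilterLevel="Full" without secure="true". It also handles the edge cases a reviewer runs into: typeFilterLevel defaults to Low when the attribute is absent; rejectRemoteRequests="true" is reported but does not clear the finding, since the check text does not accept it; and HTTP and IPC channels, which the TCP secure flag does not cover, are returned for manual review instead of being decided. The function names, the scan_config_files helper and the two embedded config strings are constructed for this example.

```python
"""Automated version of the check above: find .NET remoting channels whose
server formatters allow typeFilterLevel="Full" and report whether the TCP
channel is protected with secure="true".  Example added here; it is not part
of the STIG text or of any vendor product."""
import os
import xml.etree.ElementTree as ET


def _attr(elem, name):
    """Case-insensitive attribute lookup. .NET expects the exact case
    (typeFilterLevel); a scanner should still catch mis-cased copies."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def check_remoting_config(xml_text):
    """Return one result dict per <channel> element in the config text."""
    root = ET.fromstring(xml_text)
    results = []
    for channel in root.iter("channel"):
        ref = (_attr(channel, "ref") or "").strip().lower()
        # Formatters normally sit under <serverProviders>; the second lookup
        # also accepts fragments copied without that wrapper.
        formatters = (channel.findall("serverProviders/formatter")
                      + channel.findall("formatter"))
        # typeFilterLevel defaults to Low when the attribute is absent.
        full = any((_attr(f, "typeFilterLevel") or "Low").strip().lower() == "full"
                   for f in formatters)
        secure = _is_true(_attr(channel, "secure"))
        local_only = _is_true(_attr(channel, "rejectRemoteRequests"))
        if not full:
            verdict = "ok"
        elif ref.startswith("tcp"):
            # secure="true" is the TCP channel's encryption + integrity flag.
            verdict = "ok" if secure else "finding"
        else:
            # HTTP and IPC channels are not covered by the TCP secure flag;
            # review their hosting (e.g. IIS authentication and TLS) by hand.
            verdict = "manual-review"
        results.append({"ref": ref, "port": _attr(channel, "port"), "full": full,
                        "secure": secure, "local_only": local_only,
                        "verdict": verdict})
    return results


def scan_config_files(root_dir):
    """Walk root_dir for machine.config and *.exe.config files (the config may
    not sit next to the executable) and return {path: results or error}."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root_dir):
        for name in filenames:
            lower = name.lower()
            if lower == "machine.config" or lower.endswith(".exe.config"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        report[path] = check_remoting_config(fh.read())
                except (OSError, ET.ParseError) as exc:
                    report[path] = {"error": str(exc)}
    return report


# Constructed sample config (not a real product file): a TCP channel that
# allows Full deserialization but only rejects remote requests, and an HTTP
# channel left at the default (Low) filter level.
WEAK_CONFIG = """<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="tcp" port="4010" rejectRemoteRequests="true">
          <serverProviders>
            <formatter ref="soap" typeFilterLevel="Full"/>
            <formatter ref="binary" typeFilterLevel="Full"/>
          </serverProviders>
        </channel>
        <channel ref="http" port="8080">
          <serverProviders>
            <formatter ref="binary"/>
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>"""

# The same file with the fix text applied to the TCP channel.
FIXED_CONFIG = WEAK_CONFIG.replace('ref="tcp" port="4010"',
                                   'ref="tcp" port="4010" secure="true"')

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for r in check_remoting_config(cfg):
            note = ""
            if r["verdict"] == "finding" and r["local_only"]:
                note = " (rejectRemoteRequests=true: local callers only, still a finding)"
            print(f"{label}: channel ref={r['ref']} port={r['port']} "
                  f"full={r['full']} secure={r['secure']} -> {r['verdict']}{note}")
```

Run it as-is to see the weak and fixed samples side by side, or call scan_config_files on the .NET Framework Config directory and the application install tree to produce a per-file report; a file that fails to parse is listed with its error rather than silently skipped.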
The Altiris directory of the SMP was searched for .exe.config files that contained typeFilterLevel="Full". There is only one file, for TCP port 4010:
NOTE: Notepad++ was used for this search
File: XX:\Program Files\Altiris\Notification Server\Bin\AeXSvc.exe.config (2 hits) (where XX is the install drive)
<channel ref="tcp" port="4010" rejectRemoteRequests="true" >
<formatter ref="soap" typeFilterLevel="Full"/>
<formatter ref="binary" typeFilterLevel="Full"/>
This port is used for local activation of schedules, replication, etc. It is restricted to local calls only, as remote calls are disabled. It can't be set to secure mode without additional dev effort. The mentioned functionality will stop working, since if the "server side" is restricted, the caller must be aware of it and perform additional configuration.
As additional Dev effort is required, we do not suggest making this change at this time.