Title: Windows NT
Notice: See note 15.0 for HCL location
Moderator: TARKIN::LIN .com::FOLEY
Created: Thu Oct 31 1991
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 6086
Total number of notes: 31449

6018.0. "ActiveX/RPC security issues" by BIGUN::nessus.cao.dec.com::Mayne (A wretched hive of scum and villainy) Tue May 20 1997 01:51
I'm writing a TCP/IP data server on Windows NT Server, where network clients can
access a server process, ask for data, and get the data sent back; a poor man's
ODBC, if you like. The server will be behind a packet filter, so I need only
allow through traffic I want to allow through.

There are (at least) two ways of doing this:

1) Use DCOM/ActiveX/RPC. Advantages: easily written and maintained, excellent
tools (VC++, VB5). Disadvantages: allowing RPC has unknown security
ramifications.

2) Use a UNIX-style server listening on a TCP/IP port. Advantages: Very secure,
because the server will listen to only one port, and only respond to given
queries; the server is effectively invisible except for this one server.
Disadvantages: harder to write and maintain.

I'd like to use DCOM/ActiveX, but not at the expense of security. If I use a
UNIX-style server (listening on port 2345, say), and use a packet filter to only
allow traffic to port 2345, I can be pretty sure that my server is safe.
However, if I use DCOM, and allow only port 111 traffic (RPC) through the
packet filter, a client has access to all of the Windows NT RPC goodies.

Given that security is paramount, what must I do on the server to ensure that
the only code reachable via RPC is my ActiveX server, and thus rest assured that
any OS bugs won't even be reached, let alone exploited?

In other words, how can I lock down Windows NT so it only serves my ActiveX
code, and nothing else?

PJDM
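
Option 2 from the note above, as an added example that is not part of the original note: a single-port server that answers only an exact-match allowlist of queries and refuses everything else. Port 2345 comes from the note; the query names, the data and the size and timeout limits are constructed assumptions.

```python
import socketserver

MAX_LINE = 256  # assumed cap on request size, newline included
# Constructed sample data; a real server would consult its own data store.
DATA = {"PRICE widget": "9.95", "PRICE gadget": "24.50", "STOCK widget": "17"}


def handle_request(raw: bytes) -> bytes:
    """Map one request line to one reply; anything unexpected is refused."""
    if len(raw) > MAX_LINE or not raw.endswith(b"\n"):
        return b"ERR malformed\n"
    try:
        query = raw.decode("ascii").strip()
    except UnicodeDecodeError:
        return b"ERR malformed\n"
    value = DATA.get(query)  # exact-match lookup, no free-form parsing
    if value is None:
        return b"ERR unknown query\n"
    return f"OK {value}\n".encode("ascii")


class Handler(socketserver.StreamRequestHandler):
    timeout = 5  # seconds; clients that stall are dropped

    def handle(self):
        try:
            # Read at most one byte past the cap so oversized lines are detected.
            raw = self.rfile.readline(MAX_LINE + 1)
        except OSError:  # covers socket timeouts and resets
            return
        if raw:
            self.wfile.write(handle_request(raw))


def serve(host="127.0.0.1", port=2345):
    # One listening port is the only network surface; the packet filter
    # in front of the host then only needs to pass this port.
    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```
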

6018.1 by TECO::tecotoo.mro.dec.com::mayer (Danny Mayer) Tue May 20 1997 06:57
> In other words, how can I lock down Windows NT so it only serves my ActiveX
> code, and nothing else?
Install the AltaVista Firewall? It does lock a lot of things down.
WARNING: If you install it, you may have to reinstall Windows NT from scratch
if you decide you want to remove the Firewall.
Danny

6018.2 by CAMPY::ADEY (PC Server...now there's an oxymoron!) Tue May 20 1997 20:35
re: Note 6018.0 by BIGUN::nessus.cao.dec.com::Mayne
You might consider a CORBA solution as well.
Ken....