Proxy Settings Can Lead to Performance Problems
And Other Security News
October 30, 2009
Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 2.0
By Don Kiely
It is critical to write applications that don't require full trust and that use lesser-privileged host accounts (NETWORK SERVICE on Windows Server 2003 or ASPNET in earlier versions of Windows). That simple step gives you a lot of security, but sometimes it makes things harder than they should be. One problem that has surfaced is that if you don't change the default proxy settings in an ASP.NET app, your pages might load way slower than they should.
The problem is that by default .NET 2.0 uses the default proxy settings defined by Internet Explorer. That works great for applications that run with full trust; those apps can get at the proxy settings in the registry. But for a partially trusted app, that section of the registry is off limits, so .NET looks for the settings in various places. It fails, finally just tries to connect, and is finally successful. But that churns up a lot of time, many seconds that make your app seem unresponsive.
Rick Strahl published the solution in his blog recently, "Slow Http Client Calls from ASP.NET 2.0? Make Sure You Check your Proxy Settings!" The solution is simple: two attributes control the automatic proxy detection. In your Web.config file tell .NET to bypass the proxy server when accessing local resources and to not use the system default proxy settings:
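The setting described above, written out as a Web.config fragment. This is an added example, not the snippet from the original article or from the blog post; it assumes the two attributes meant are `bypassonlocal` and `usesystemdefault`, the standard attributes of the `<proxy>` element in .NET 2.0.

```xml
<configuration>
  <system.net>
    <defaultProxy>
      <!-- bypassonlocal="true": requests for local resources do not go through a proxy.
           usesystemdefault="false": do not read the Internet Explorer proxy settings,
           which a partially trusted app cannot reach in the registry. -->
      <proxy bypassonlocal="true" usesystemdefault="false" />
    </defaultProxy>
  </system.net>
</configuration>
```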
By the way, one of the nice things about .NET 2.0 is how there are classes that directly wrap these configuration settings. Check out the DefaultProxySection and ProxyElement classes in the System.Net.Configuration namespace if you have to access them programmatically.
Rick Strahl is fast becoming one of my favorite ASP.NET bloggers. Whenever I need to do some in-depth research on a topic, it's surprising how often Google leads me to his blog because he's already sweated through it and written an article-length post about it. Check out his blog at http://west-wind.com/weblog/ and read his discussion of the proxy server issue for partially trusted apps at http://west-wind.com/weblog/posts/3871.aspx.
ASP.NET Security News
Hopefully everyone knows about the nasty WMF vulnerability that became widely known on 27 December. What a nasty time for something like that to come up, when sysadmins were away or geared down for the holidays! One of the best, real-time sources of information about the problem, as well as other developing threats to the Internet, is the Internet Storm Center of the SANS Institute (SANS: SysAdmin, Audit, Network, Security). Covering all platforms, it has plenty of information about threats, and their blog is a must read for anyone interested in Internet security. Check them out at http://isc.sans.org/, and be sure to read up on the WMF vulnerability, which even this week has manifested itself with a new attack vector.
Channel 9, the Microsoft guys who roam around campus doing interviews with the people who make the software happen, has put up a great set of ASP.NET Security FAQs. It's a wiki, so feel free to jump in and add to the collective's knowledge. It's a great resource even though it's new. Check it out at http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.ASPNET2SecurityFAQs.
Dino Esposito's Programming Microsoft ASP.NET 2.0 Core Reference from Microsoft Press is out. It's not hardcore security, but the last chapter, named simply "ASP.NET Security", is a very nice overview of the basics of securing a Web app using the new stuff in the framework. Even though the book is a core reference, I think this is one that I'll start over from the beginning and read the whole thing. Dino, forgive me for jumping ahead to the best part, the security stuff in chapter 15!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.