Imagine a .NET application designed using a Layered architecture.

Is it possible to use something like the trusted subsystem pattern when deploying all layers of an application to the same machine?

Is this design insecure by default?

A: 

If all layers are deployed in the same process, then I'd say almost by definition you aren't using the trusted subsystem model.

You could (at least in theory) deploy different layers to the same physical machine while still using the trusted subsystem model, but of course it would be harder to guarantee the security of the middle tier. For example, your middle tier could be trusted web services running under IIS.

Joe
+1  A: 

It depends on how you're using the system and how your layers are deployed.

Let's say you have a machine where SQL Server is running under one user account, your service layer is under another service account, and your users log in using a third account (without admin access, of course). Say the middle tier account is trusted to access the database, but no user account is. In this case, yes, this is basically your classical picture of a trusted subsystem model.

If you have a case, however, where the end-user account has access to the database AND the service layer, then you are indeed breaking the pattern and opening up a hole. If the end user is an admin and can somehow tamper with one of the layers, you are breaking the pattern. If the user has physical access to the machine and can tamper with IT, I'd even argue that you're breaking the pattern...

Dave Markle
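One way to realize the three-account deployment Dave describes on a single SQL Server box, as an added example that is not part of either answer. The Windows account names, the database name and the role choices are assumptions; the point is that only the middle-tier service account ever gets a login, so an end user cannot reach the database except through that tier.

```sql
-- Added example, not from the original answers. Hypothetical principals:
--   CONTOSO\svc-appmid : Windows service account the middle tier (e.g. IIS app pool) runs under
--   CONTOSO\app-users  : Windows group containing the end users' interactive accounts
--   OrdersDb           : the application database
USE [master];
GO

-- The trusted subsystem: ONLY the middle-tier service account is given a login.
-- End users authenticate to the middle tier, never to SQL Server.
CREATE LOGIN [CONTOSO\svc-appmid] FROM WINDOWS;
GO

USE [OrdersDb];
GO
CREATE USER [svc-appmid] FOR LOGIN [CONTOSO\svc-appmid];

-- Least privilege inside the database: data access only, not db_owner or sysadmin.
-- (ALTER ROLE ... ADD MEMBER requires SQL Server 2012+; older instances use sp_addrolemember.)
ALTER ROLE db_datareader ADD MEMBER [svc-appmid];
ALTER ROLE db_datawriter ADD MEMBER [svc-appmid];
GO

-- Check 1: the end-user group must NOT exist as a server principal.
-- Any row returned here means users can bypass the middle tier, which is the
-- "end-user account has access to the database AND the service layer" hole.
SELECT name, type_desc
FROM sys.server_principals
WHERE name = N'CONTOSO\app-users';

-- Check 2: broad built-in groups must not grant end users a login indirectly.
-- Type 'U' = Windows login, 'G' = Windows group login.
SELECT name, type_desc
FROM sys.server_principals
WHERE type IN ('U', 'G')
  AND name IN (N'BUILTIN\Users', N'NT AUTHORITY\Authenticated Users');
```

The middle tier's connection string should then use Integrated Security (so it connects as svc-appmid) and the web application must not impersonate the caller, otherwise the database would see the end user's identity instead of the trusted account.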