Enterprise Library Test Guide - Willy .Net
Design and Deployment Checklist<br />
Table 44 lists the design and deployment recommendations.<br />
Table 44: Design and Deployment Checklist<br />
<table>
<tr><th>Check</th><th>Description</th></tr>
<tr><td>Yes</td><td>The design should address the scalability and performance criteria. Performance tests and stress tests demonstrate that the application block meets these criteria. The application block’s availability and ability to handle concurrent users should also be tested.</td></tr>
<tr><td>Yes</td><td>Identify precautions that must be taken to satisfy the security requirements of the infrastructure and network (examples include operating system services, communication protocols, and firewalls). For example, the Logging Application Block should use a secure channel such as SSL or IPSec if it is logging sensitive data to a remote SQL Server or a remote message queue. The Caching Application Block does not encrypt data, so sensitive data written to a SQL store should be sent over a secured channel.</td></tr>
<tr><td>Yes</td><td>Application blocks do not save sensitive data in the registry or in text files during installation.</td></tr>
<tr><td>Yes</td><td>The application block respects the principle of least privilege. An application block does not need administrator permissions to run on ASP.NET, which requires only a network service account, or in Windows-based applications, which accept any standard security context with the appropriate permissions to write to resources such as the event log and to use message queuing. The exact permissions depend on the application block.</td></tr>
<tr><td>Yes</td><td>Secure configuration stores with the appropriate ACLs.</td></tr>
<tr><td>No</td><td>Do not store sensitive information in plain text configuration files. An example of such information is a connection string that is used by the Data Access Application Block. Users should encrypt the configuration file. For more information, see Configuring the Application Blocks in the Enterprise Library documentation.</td></tr>
<tr><td>Yes</td><td>The design identifies application trust boundaries.</td></tr>
<tr><td>Yes</td><td>The design identifies the identities that are used to access resources across the trust boundaries.</td></tr>
<tr><td>Yes</td><td>The design identifies service account requirements.</td></tr>
<tr><td>Yes</td><td>The design identifies the mechanisms, such as SSL, IPSec, and encryption, to protect credentials when they are sent over a network.</td></tr>
<tr><td>Yes</td><td>If SQL authentication is used, credentials are adequately secured over the network (with SSL or IPSec) and in storage (with DPAPI).</td></tr>
<tr><td>Yes</td><td>The application blocks do not change the ACLs of the registry or of any files during installation or run time.</td></tr>
<tr><td>Yes</td><td>The application blocks do not listen to unknown ports except for their internal use. An example of where this is acceptable is when the Logging Application Block uses the MSMQ Trace Listener.</td></tr>
</table>
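The checklist's one "No" item asks users to encrypt the configuration file, and the SQL authentication item names DPAPI for storage. The following is an added example, not code from the Test Guide or from Enterprise Library, showing one way to do that for the connectionStrings section with the standard .NET Framework protected-configuration API. It assumes .NET Framework on Windows with a reference to System.Configuration; the file name, server, database and credentials are constructed.

```csharp
using System;
using System.Configuration;
using System.IO;

static class ConnectionStringProtector
{
    // Name under which .NET Framework registers its DPAPI-backed provider in machine.config.
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    static Configuration Open(string configPath)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = configPath };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Encrypts <connectionStrings> in place. Returns false if it was already protected.
    public static bool Protect(string configPath)
    {
        Configuration config = Open(configPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected) return false;

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;   // write the section even if otherwise unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static void Main()
    {
        // Constructed sample file; every value in it is made up for this example.
        string path = Path.Combine(Path.GetTempPath(), "sample-app.config");
        File.WriteAllText(path,
            "<?xml version=\"1.0\"?>\n<configuration>\n  <connectionStrings>\n" +
            "    <add name=\"SampleDb\" providerName=\"System.Data.SqlClient\"\n" +
            "         connectionString=\"Server=db.example.test;Database=Sample;User Id=app;Password=CONSTRUCTED-SECRET\" />\n" +
            "  </connectionStrings>\n</configuration>\n");

        Console.WriteLine("Encrypted now: " + Protect(path));
        Console.WriteLine("Second call changed the file: " + Protect(path));

        // Check the bytes on disk, not the in-memory object: the secret must be gone.
        if (File.ReadAllText(path).Contains("CONSTRUCTED-SECRET"))
            throw new InvalidOperationException("Plaintext connection string still on disk.");

        // Readers need no code changes: the configuration system decrypts on access.
        string value = Open(path).ConnectionStrings.ConnectionStrings["SampleDb"].ConnectionString;
        Console.WriteLine("Round trip intact: " + value.Contains("CONSTRUCTED-SECRET"));
        File.Delete(path);
    }
}
```

The default DPAPI provider is registered with machine-level protection, so the section has to be encrypted on the machine that will run the application, and the ACL on the configuration file still matters because other processes on that machine can ask DPAPI to decrypt it.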