TechNote

Securing Macromedia Flash Communication Server

Introduction
After development, the Macromedia Flash Communication Server application moves into production. At that time, it is important to configure the server properly, with security issues high on the priority list. Insecure server configurations can result in several negative situations, including unauthorized users who compromise information, steal server usage, cheat in games, disrupt service, or even shut down the server.

Below is a checklist of security configuration settings (as well as a few "best practice" tips) that should be considered as you set up your server for real-time use by intranet or Internet users. This checklist will help in reviewing the many important security-related configuration settings at production time. During deployment, moreover, adjusting these settings properly can help to ensure that the Macromedia Flash Communication Server remains secure.

General administrative settings

Set a secure user ID and password. Do not use "admin", "administrator" (and so forth) as the user name. Choose a password with at least 8 characters, including digits and punctuation.

Use the <Allow> and <Deny> tags in the Server.xml file to restrict which client computers can connect to the Admin application.

Set the Admin tool to bind to a port that is not available to the general public. Block access to this port with your firewall.

Vhost.xml file settings

Use the <Allow> and <Deny> tags in Vhost.xml to restrict which client computers can connect to the virtual host. These same settings can also be accomplished in the Server.xml file as described in the general administrative settings section above.

Set the <MaxStreams> value to zero in Vhost.xml if your applications do not create or use streams.

Turn the <RecordAccessLog> value on or off as desired in Vhost.xml.


Other server administrator issues

Check the <ResourceLimits> values in Server.xml to alter memory allocations, garbage collection frequency, or other similar settings.

Be sure to alter the <ServerDomain> tag in Server.xml if you are building server applications that connect between multiple computers.

Double check the <HostPortList> in Adaptor.xml (for all adaptors) to make certain the server is not listening on any extra ports. Confirm that the firewall has the proper ports open or blocked.

If certain applications are not open to the general public, use the <Allow> and <Deny> tags in Adaptor.xml to restrict the domains and IP addresses that can connect to the applications.

Writing applications

Final, released Macromedia Flash applications should not allow users to specify application names, server addresses (and so forth) in text fields. These should be hard-coded in the source code and hidden from the user.

Make certain server-side scripts check the client referrer property when a user attempts to log on. This should be the SWF file from an expected URL, such as the web server. This will help prevent someone from writing their own client that logs on to your server using the same application name.

One can add some basic handshaking code in a Macromedia Flash movie to try to prevent rogue clients from connecting to a server. The client and server code might exchange some token or perform some basic calculations to try to confirm that the proper client is connected to the proper server. While a Macromedia Flash movie's byte code is not encrypted or fully secure, this makes it a bit harder for hackers to write rogue clients.
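
The referrer check and the basic handshake described above, as an added example written in Server-Side ActionScript (which is ECMAScript-compatible) for an FCS application's main.asc; this is not code from the TechNote. It assumes the SWF is served from www.example.com, that the client passes a token and the handshake response as extra arguments to NetConnection.connect, and a constructed build secret; the FCS hook (application.onConnect, client.referrer, acceptConnection, rejectConnection) is only installed when the FCS application object exists, so the helper functions can be run anywhere.

```javascript
// Added example (not from the TechNote): a Server-Side ActionScript (ASC)
// connection gate for a Flash Communication Server application. The helper
// functions are plain ECMAScript; the FCS hook at the end is guarded.

// Constructed allowlist of URL prefixes the SWF may be served from.
// The trailing slash matters: "http://www.example.com.evil.net/" must not match.
var ALLOWED_REFERRERS = ["http://www.example.com/", "https://www.example.com/"];

// Constructed shared value compiled into the released SWF (assumption).
var HANDSHAKE_SECRET = "constructed-build-secret";

// True when the referrer starts with an allowed prefix. A missing or empty
// referrer is rejected, since a hand-written client can simply omit it.
function isAllowedReferrer(referrer, allowed) {
  if (typeof referrer !== "string" || referrer.length === 0) return false;
  var r = referrer.toLowerCase();
  for (var i = 0; i < allowed.length; i++) {
    if (r.indexOf(allowed[i].toLowerCase()) === 0) return true;
  }
  return false;
}

// The "basic calculation" both sides perform over a per-connection token:
// a small polynomial hash reduced mod 65521 (a weak check, as the text says).
function expectedHandshake(token, secret) {
  var s = token + secret, sum = 0;
  for (var i = 0; i < s.length; i++) sum = (sum * 31 + s.charCodeAt(i)) % 65521;
  return sum;
}

// Returns "ok" or the reason the connection should be rejected.
function checkConnection(referrer, token, response) {
  if (!isAllowedReferrer(referrer, ALLOWED_REFERRERS)) return "bad-referrer";
  if (typeof token !== "string" || token.length < 8) return "bad-token";
  if (response !== expectedHandshake(token, HANDSHAKE_SECRET)) return "bad-handshake";
  return "ok";
}

// FCS hook: the client calls NetConnection.connect(uri, token, response).
if (typeof application !== "undefined") {
  application.onConnect = function (client, token, response) {
    var verdict = checkConnection(client.referrer, token, response);
    if (verdict === "ok") {
      application.acceptConnection(client);
    } else {
      trace("rejected " + client.ip + ": " + verdict);
      application.rejectConnection(client);
    }
  };
}
```

The rejection reasons are logged so that repeated bad-referrer or bad-handshake attempts from one address stand out in the server log.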

Check all server scripts (ASC files) and be certain to remove any debugging code, extra "trace" output, or other unnecessary code that remains from development.

Be certain to remove any extra script files or older versions that are no longer used by the application.

Application configuration

Set the <AppsDir> value in Vhost.xml to point to where the applications can be found. This directory should not be accessible to normal outside clients using web browsing or file access (or any other type of access).

Remove any extra applications from the application directory. Only install the applications that are being made available to the end users.

Be certain to remove all the sample applications that install with the Macromedia Flash Communication Server.

Set the <Streams> value in Vhost.xml to point to the directory where streams are stored. This directory should not be accessible to normal outside clients' web browsing, file access, and so forth. This can also be set in Application.xml.

Check the <ResourceLimits> values in Vhost.xml to allow the proper number of shared objects, and so forth. Some of these values are limited by the server license.

Adjust the <Allow> value in Vhost.xml if restricting the connections to that virtual host.

Under the <JSEngine> section in Application.xml, change the <MaxTimeOut> value to prevent a runaway script from executing endlessly.

Check all the values in Application.xml. This file provides the default settings for all applications on the virtual host.

Web files

Your web files (HTML, SWF, and so forth) should be installed in a web server's publicly available folders. If this is the same computer that hosts the Macromedia Flash Communication Server, keep the web files in a completely separate directory from the Flash Communication application files.

Remove any extra files from the web-accessible directories on the server. Make certain you haven't left the Macromedia Flash source files for your movies (the FLA files) where they could be read by the public.

Document Details

ID: tn_16448

Products Affected: flashmediaserver