Network Isolation Loopback Restriction

Question

In the Guidelines and checklist for network isolation documentation it states that “Using loopback for interprocess communication between applications on the local computer is a violation of network boundary isolation and can create security concerns... The system blocks all access by an app to loopback addresses for interprocess communication.”

Does this limitation only apply to Metro apps or does it apply to desktop apps on Windows 8 also?

If only Metro apps then why?

What are the security concerns mentioned in the guidelines?

Why shouldn't we be able to specify "localhost" instead of the computer name for a WCF TCP/IP connection if we want only a local client to be able to connect in some installations?

Answer 1

The restriction applies only to Metro style apps, which are intended to be trusted not to affect the system in any way that wasn't specifically declared. Desktop apps are not under such an expectation or restriction.

See John Hazen's comments in this thread as well.

--Rob

Answer 2

The Metro app has declared that it uses Home/work networking.

I don't see any difference from the Metro app's perspective as to how it affects the system based on whether it is communicating using WCF to a service on a remote computer or a service on the same computer on which it is running. With respect to the latter scenario I don't see any difference as to whether the WCF configuration specifies the computer name or localhost.

I read John Hazen's comments and I still don't see how specifying localhost in this case violates what Microsoft is trying to accomplish with Metro style applications.