Network Isolation Loopback Restriction

  • Question

  • In the Guidelines and checklist for network isolation documentation it states that “Using loopback for interprocess communication between applications on the local computer is a violation of network boundary isolation and can create security concerns... The system blocks all access by an app to loopback addresses for interprocess communication.”

    Does this limitation only apply to Metro apps or does it apply to desktop apps on Windows 8 also?

    If only Metro apps then why?

    What are the security concerns mentioned in the guidelines?

    Why shouldn't we be able to specify "localhost" instead of the computer name for a WCF TCP/IP connection if we want only a local client to be able to connect in some installations?

    Thursday, January 19, 2012 9:29 PM

Answers

  • The restriction applies only to Metro style apps, which are intended to be trusted not to affect the system in any way that wasn't specifically declared. Desktop apps are not under such an expectation or restriction.

    See John Hazen's comments in this thread as well.

    --Rob

    Thursday, January 19, 2012 10:44 PM
    Moderator

All replies

  • The Metro app has declared that it uses Home/work networking.

    I don't see any difference from the Metro app's perspective as to how it affects the system based on whether it is communicating using WCF to a service on a remote computer or a service on the same computer on which it is running. With respect to the latter scenario I don't see any difference as to whether the WCF configuration specifies the computer name or localhost.

    I read John Hazen's comments and I still don't see how specifying localhost in this case violates what Microsoft is trying to accomplish with Metro style applications.

     

    Friday, January 20, 2012 2:56 PM