I’ve found some limitations in securing a Flex app that uses the outdated Flash Media Server 2.0. The best way would appear to use the Access DLL Module that is part of FMS 2.0 on the server side, but I literally could not find any mention of it in any Adobe documentation. In any case, the ways to secure it would be as follows:
- Access DLL Module
This module is mentioned in the docs, but does not exist anywhere. It does not come right out of the box for FMS, but seems something that one has to modify and tweak via Visual C++.
“The module can be configured to initiate a query of the organization’s database of users and passwords to determine if a connection should be allowed, and if it is allowed, the connection is accepted and the database updated with a record of the user’s access to Flash Media Server.”-
More on this mythical DLL: http://blog.lib.umn.edu/mcfa0086/discretecosine/055223.html
- Confirm location of client SWF
This is what I would recommend, for an additional layer of security. This will prevent one from creating their own SWF and putting it on their own server to record and stream from our server. With this change in the main.asc, FMS will only record and stream if the SWF is located on your FMS server.
Nonetheless, a user could still pass custom flashvars into the SWF on your servers, however, them passing their own flashvars into their own SWF using our FMS is more of a threat.
- Server-Side Validation:
Pass encrypted username/password to main.asc and main.asc authenticates for valid, then connects.
Using other secure development practices (page 232 of flashmediaserver_managing.pdF):
“You might not want to use SSL in all your applications because of the additional processing time required to encrypt data over a secure connection. You can use other effective strategies to help protect all your media applications, regardless of what protocol is used for connections.”
When you deploy a Flash Media Server –
http://livedocs.adobe.com/fms/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00000117.html – “use a server-side script to verify that connecting SWF files are coming from the location you expect (and not from an unknown computer). You can do this by checking the client.referrer property of the client object before the server accepts the connection. For more information about writing server-side scripts, see Developing Media Applications.”
Use server-side script precautions
In server-side scripts do not use procedures that can be called by a malicious application, which could then fill a hard disk, consume the processor, or do other damage. Procedures attached to client objects are particularly vulnerable. Procedures to be aware of include writing to the hard disk without checking the quantity of data being written, procedures that can be infinitely looped, and so on.