Security Considerations

This topic describes security considerations when authoring speech-enabled ASP.NET Web applications. For information on security issues with deployed .NET speech applications, see the topic Security Considerations in the MSS help file, MSS.chm.

Testing Applications

Microsoft strongly encourages developers to test their applications in server or network environments using varying levels of security in order to achieve a higher level of application security. Microsoft also encourages developers to test their applications using the latest versions of Microsoft software in order to ensure that their applications are compatible with the most secure versions of Microsoft software.

Using Secure Hypertext Transfer Protocol (HTTPS)

When calling pages on other servers from an application using HTTPS, ensure that the following requirements are met:

  • Ensure that pages on other servers are called using HTTPS. Otherwise, the call will fail.
  • Ensure that the Secure Sockets Layer (SSL) certificate for the server hosting the page is valid. Otherwise, the call will fail.
  • Ensure that the server referenced in the call is listed exactly as it appears on the SSL certificate. For example, if the client calls https://widgets/welcome.ssml while the certificate is issued to widgets.msdn.microsoft.com, the call will fail.
  • Never issue a certificate to localhost, or reference localhost while making an HTTP/HTTPS request.
  • After receiving the SSL certificate, use Internet Explorer to verify the connection to the server, and verify that the certificate authority (CA) belongs to the certificate trust list. Use the Certificate Trust List Wizard in Microsoft Management Console to edit the certificate trust list if needed.

For information on obtaining a certificate from a CA and on configuring Internet Information Services to use HTTPS and SSL certificates, see the article HOW TO: Enable SSL for All Customers Who Interact with Your Web Site in Internet Information Services.
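The scheme, server-name and localhost requirements above can be checked before deployment against the URLs an application references. The following is an added example, not code from the Speech SDK: the function names, the reference list and the second server name are constructed for illustration, and the certificate's DNS names are assumed to be supplied by the caller. It goes slightly beyond the list above by treating loopback addresses like localhost and by accepting a single-label wildcard certificate name.

```python
from urllib.parse import urlsplit

# "localhost" comes from the requirements above; the loopback literals are an
# added assumption so that equivalent references are flagged as well.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def name_matches(host, cert_name):
    """Compare a URL host with one DNS name taken from the certificate."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        # A wildcard name covers exactly one leftmost label.
        _, _, parent = host.partition(".")
        return bool(parent) and parent == cert_name[2:]
    return host == cert_name


def check_reference(url, cert_names):
    """Return the requirements that one cross-server reference violates."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("not-https")
    if host in LOOPBACK_NAMES:
        problems.append("localhost")
    elif not any(name_matches(host, name) for name in cert_names):
        problems.append("name-mismatch")
    return problems


def audit(references, cert_names):
    """Map each failing URL to its list of problems."""
    report = {url: check_reference(url, cert_names) for url in references}
    return {url: probs for url, probs in report.items() if probs}


if __name__ == "__main__":
    # Constructed sample input: names on the certificate and page references.
    names = ["widgets.msdn.microsoft.com"]
    refs = [
        "https://widgets.msdn.microsoft.com/welcome.ssml",
        "https://widgets/welcome.ssml",
        "http://widgets.msdn.microsoft.com/menu.grxml",
        "https://localhost/test.ssml",
    ]
    for url, probs in audit(refs, names).items():
        print(url, "->", ", ".join(probs))
```

This check does not establish that the certificate itself is valid or that its CA is trusted; those requirements still need to be verified against the server as described above.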

Encrypting Audio Streams

By default, audio streams are not encrypted. To encrypt audio streams, use the IP Security Protocol (IPSec) or the Point-to-Point Tunneling Protocol (PPTP) to establish a Virtual Private Network (VPN) connection between the client and server. Typically, IPSec and PPTP are implemented and administered by system administrators. IPSec and PPTP settings cannot be controlled on a per-application basis.

  • To control and configure IPSec, use the IP Security Policy Management snap-in, within Microsoft Management Console (MMC).
  • To control and configure PPTP, open Control Panel, and then open Network Connections.

Loading Grammars Using UNC Paths

To avoid failure when loading a grammar from a network location using a Universal Naming Convention (UNC) path, ensure that the following Internet Explorer (IE) settings are specified for the zone in which the grammar resides:

  • All network paths (UNC) are included
  • The UNC path for the grammar is in the list of included sites
  • Active Scripting is enabled

The procedure to enable these settings may differ depending on your operating system. The basic steps are:

  1. Open Internet Explorer, and from the Tools menu, click Internet Options.
  2. Click the Security tab, and select the appropriate zone.
  3. Click Sites, and ensure that the Include all network paths (UNC) check box is checked.
  4. Click Advanced, and ensure that the UNC path for the grammar is in the sites list.
  5. On the Security tab, click the Custom Level button.
  6. Under Scripting, select the Enable option for Active scripting.

See Also

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (MSDN) | Deploying IPSec (MSDN)