RE: Web Service Implementation Security Question

From: Steven Cheng[MSFT] (stcheng_at_online.microsoft.com)
Date: 08/03/05

    Date: Wed, 03 Aug 2005 12:24:24 GMT
    
    

    Hi Jim,

    Welcome to MSDN newsgroup.
    As for the security problems regarding using TypedDataset in an asp.net
    webservice, based on my experience, those dynamically compiled assemblies
    are the ones used for XmlSerialization. Since we return the typedDataset
    over the webservice, the runtime needs to serialize it into an xml stream,
    which will cause some temp classes (which help to do the serialization
    work) to be generated. However, what makes me feel a bit strange is that
    you mentioned the assemblies are generated under the %win%\temp dir? As far
    as I know, the asp.net runtime's temp assemblies should reside in

    %win%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\%app specific dir%

    Also, one thing I'm thinking about is whether the problem is related to the
    specific application pool identity you specified? What's the behavior when
    you switch back to the default Network Service identity? Also, on an
    IIS6/win2k3 box, when we want to clone an asp.net process identity (like
    the Networkservice), we can simply add the account into the local IIS_WPG
    group, which is just for the IIS worker process identities.

    Anyway, IMO, I don't think accessing the ASP.NET specific temp dir will
    cause a vulnerability; generally a vulnerability only occurs when the IIS
    server or asp.net app has been compromised or hacked, which is rare in the
    .NET managed world.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    --------------------
    | From: "=?Utf-8?B?SmltTQ==?=" <JimM@noemail.nospam>
    | Subject: Web Service Implementation Security Question
    | Date: Tue, 2 Aug 2005 14:58:23 -0700
    | Newsgroups: microsoft.public.inetserver.iis.security
    |
    | THIS IS A RE-POST OF A PREVIOUS QUESTION, SO I GET MY MSDN RESPONSE.
    |
    | I don’t know if this is the correct newsgroup for this question, but it is
    | about security and vulnerabilities.
    |
    | I need to get the following questions answered in response to some security
    | issues raised about Web Services by my system administrator. I know this is
    | long but bear with me.
    |
    | First some basic background:
    |
    | 1. The Web Service was implemented using Visual Studio 2003 and it uses
    | strongly typed Datasets. Each Dataset contains multiple tables with one or
    | more rows and relationships defined. The Dataset is the method’s return
    | value.
    |
    | 2. The Web Service is installed on a Windows 2003 Server.
    |
    | 3. The Web Service is run within its own Application Pool with a unique
    | Identity.
    |
    | 4. When a service method returning a Dataset is called, the schema (XSD)
    | file for the Dataset(s) is “compiled” or “re-compiled” (don’t know if
    | compiled is the correct term but I’ll use it for this topic) and the
    | %windir%\Temp directory is used.
    |
    | 5. The service uses Windows authentication and the code contains checks for
    | authorizing methods based on User Groups.
    |
    | My first questions are:
    |
    | 1. Why is the Dataset’s XSD schema file “compiled”? Once the Web Service is
    | generated by VS 2003 the Class for the Dataset exists as a C# (CS) file.
    |
    | 2. Is the XSD file “compiled” for each initial invocation of the Web Service?
    |
    | 3. Is there a way, other than using untyped Datasets, to avoid having the XSD
    | file compiled?
    |
    | Now the server where this Web Service is running is very tightly locked
    | down. The %windir%\Temp directory security is set such that the compiling of
    | the Dataset schema files fails with a “System.InvalidOperationException:
    | Unable to generate a temporary class (result=1)”. The system admin will not
    | enable the %windir%\Temp directory so the schema can compile. He states that
    | write access to the Temp directory is a vulnerability with Web Services, but
    | it is not a problem with Web Pages. I do not see a difference between Web
    | Pages and Services.
    |
    | Now my solution is to:
    |
    | 1. Create the Web Service’s Application Pool Identity by copying the NETWORK
    | SERVICE built-in account in the User and Group admin utility.
    |
    | 2. Have the process that “compiles” the schema files use another directory
    | path. To do this the web.config file is modified on the “<compilation>”
    | element by adding a “tempDirectory” attribute, which points to a non Virtual
    | Directory file path. This prevents access from the Web Service URL.
    |
    | 3. Set the security on the new path such that only the Identity for the
    | Application Pool can access it. The settings should mirror those of the
    | NETWORK SERVICE’s settings for the %windir%\Temp path.
    |
    | I have this configuration working on my test environment of two Windows 2003
    | servers, so I know it runs.
    |
    | My last questions are:
    |
    | Are there any vulnerabilities with a Web Service and the temporary
    | directories? I do not see any. The Web Service is authenticating the user
    | via Windows authentication so the user must be on our Intranet. So unless
    | the domain is compromised Internet access is blocked. The service is running
    | with its service account, which has minimal permissions and privileges. So
    | if the service account is compromised access is limited on resource access.
    | Bad information in the SOAP message is prevented using strong types. If a
    | message is incorrect (buffer overrun) that is caught via the strong types
    | causing exceptions.
    |
    | If there is a problem what is it? And is there a solution?
    |
    | The only acceptable solution I have been given by the administrators
    | in-house is not to use strongly typed Datasets, thus avoiding the schema file
    | compile. This I find unacceptable, all the information I have read leads me
    | to choose strongly typed Datasets! Plus untyped Datasets are a collection of
    | System.Objects, which accept anything as data.
    |
    | Jim
    |
    |
    | --
    | Jim
    |
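
Steps 2 and 3 of the configuration described in the quoted question, as an added PowerShell example (not code from either poster): it creates a dedicated temp directory, strips inherited permissions, grants access only to the application pool identity plus Administrators and SYSTEM, and then checks that no other principal is on the ACL. The directory path and account name are constructed placeholders, and granting Modify to the pool identity is an assumption about what "mirroring NETWORK SERVICE's settings" requires.

```powershell
# Constructed placeholder values (assumptions, not from the thread).
$TempDir  = 'D:\WsTemp\OrdersService'     # must lie outside every IIS virtual directory
$Identity = 'WEBSRV01\svc_orders_pool'    # the application pool's dedicated account

# web.config then points the runtime at the directory (step 2 in the post):
#   <compilation tempDirectory="D:\WsTemp\OrdersService" />

New-Item -ItemType Directory -Path $TempDir -Force | Out-Null

$acl = Get-Acl -Path $TempDir
# Stop inheriting from the parent and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit entries already present so only the rules below remain.
foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($r)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$grants = @(
    @{ Who = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Who = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Who = $Identity;                Rights = 'Modify' }   # assumption: Modify is sufficient
)
foreach ($g in $grants) {
    $rights = [System.Security.AccessControl.FileSystemRights]$g.Rights
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Who, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $TempDir -AclObject $acl

# Verification: report any principal on the ACL that was not granted above.
$expected   = $grants | ForEach-Object { $_.Who }
$unexpected = (Get-Acl -Path $TempDir).Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    $unexpected | ForEach-Object {
        Write-Warning "Unexpected ACE: $($_.IdentityReference) $($_.FileSystemRights)"
    }
} else {
    Write-Output "ACL on $TempDir is limited to the expected principals."
}
```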

