RE: Web Service Implementation Security Question
From: JimM (JimM_at_noemail.nospam)
Date: 08/03/05
- Next message: FastEddie: "IIS SMTP TLS with 256 bit encryption on IIS 6"
- Previous message: Steven Cheng[MSFT]: "RE: Web Service Implementation Security Question"
- In reply to: Steven Cheng[MSFT]: "RE: Web Service Implementation Security Question"
- Next in thread: Steven Cheng[MSFT]: "RE: Web Service Implementation Security Question"
- Reply: Steven Cheng[MSFT]: "RE: Web Service Implementation Security Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 3 Aug 2005 06:58:04 -0700
Steve,
The XMLSerialization seems to be used for both the Framework temporary
directory and the %windir%\temp directory. When the service was first placed
on the server I received the following exception:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.InvalidOperationException: Unable to generate a temporary class (result=1).
error CS2001: Source file 'C:\WINDOWS\TEMP\o8pdvxpb.0.cs' could not be found
error CS2008: No inputs specified
   at System.Xml.Serialization.Compiler.Compile(Assembly parent, String ns, CompilerParameters parameters, Evidence evidence)
   at System.Xml.Serialization.TempAssembly.GenerateAssembly(XmlMapping[] xmlMappings, Type[] types, String defaultNamespace, Evidence evidence, CompilerParameters parameters, Assembly assembly, Hashtable assemblies)
   at System.Xml.Serialization.TempAssembly..ctor(XmlMapping[] xmlMappings, Type[] types, String defaultNamespace, String location, Evidence evidence)
   at System.Xml.Serialization.XmlSerializer.FromMappings(XmlMapping[] mappings, Type type)
   at System.Xml.Serialization.XmlSerializer.FromMappings(XmlMapping[] mappings)
   at System.Web.Services.Protocols.SoapServerType..ctor(Type type, ProtocolsEnum versionsSupported)
   at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
   at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
   --- End of inner exception stack trace ---
System.Exception
Notice the location of the source file is the %windir%\Temp directory.
At this point I configured a test environment that mirrored the production
server settings for the %windir%\Temp directory. I received the same error.
Changing the permission setting on %windir%\Temp to allow my Application
Pool Identity access to the %windir%\Temp directory solved the
InvalidOperationException.
Now the system administrator on the server has a template/script for locking
down the security on the server, which caused changes to the permissions in
many directories and system objects. He has a problem with IIS and ASP.NET
using the %windir%\Temp directory as listed in the InvalidOperationException
above. So I set the compilation element’s tempDirectory attribute within my
web.config to point to another directory, and set the permissions such that
only the Application Pool’s Identity could use it. Now he states there is
also a vulnerability with this. The only solution he will accept is untyped
Datasets. Hence my initial question.
--
Jim

"Steven Cheng[MSFT]" wrote:

> Hi Jim,
>
> Welcome to MSDN newsgroup.
> As for the security problems regarding using TypedDataset in asp.net
> webservice, based on my experience, those dynamically compiled assemblies
> are the ones used for XmlSerialization. Since we return the typedDataset
> over webservice, the runtime needs to serialize it into an xml stream, which
> will cause some temp classes (which help to do the serialization work) to be
> generated. However, what makes me feel a bit strange is that you mentioned
> the assemblies are generated under the %win%\temp dir? As far as I know,
> the asp.net runtime's temp assemblies should reside in
>
> %win%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\%app specific dir%
>
> Also, one thing I'm thinking about is whether the problem is related to the
> specific application pool identity you specified. What's the behavior when
> you switch back to using the default Network Service identity? Also, on an
> IIS6/win2k3 box, when we want to clone an asp.net process identity (like the
> NetworkService), we can simply add the account into the local IIS_WPG
> group, which is just for the IIS worker process identities.
>
> Anyway, IMO, I don't think accessing the ASP.NET specific temp dir will
> cause a vulnerability; generally a vulnerability only occurs when the IIS
> server or asp.net app has been compromised or hacked, which is rare in the
> .net managed world.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
> --------------------
> | From: "JimM" <JimM@noemail.nospam>
> | Subject: Web Service Implementation Security Question
> | Date: Tue, 2 Aug 2005 14:58:23 -0700
> | Newsgroups: microsoft.public.inetserver.iis.security
> |
> | THIS IS A RE-POST OF A PREVIOUS QUESTION, SO I GET MY MSDN RESPONSE.
> |
> | I don’t know if this is the correct newsgroup for this question, but it
> | is about security and vulnerabilities.
> |
> | I need to get the following questions answered in response to some
> | security issues raised about Web Services by my system administrator. I
> | know this is long but bear with me.
> |
> | First some basic background:
> |
> | 1. The Web Service was implemented using Visual Studio 2003 and it uses
> | strongly typed Datasets. Each Dataset contains multiple tables with one
> | or more rows and relationships defined. The Dataset is the method’s
> | return value.
> |
> | 2. The Web Service is installed on a Windows 2003 Server.
> |
> | 3. The Web Service is run within its own Application Pool with a unique
> | Identity.
> |
> | 4. When a service method returning a Dataset is called, the schema (XSD)
> | file for the Dataset(s) is “compiled” or “re-compiled” (don’t know if
> | compiled is the correct term but I’ll use it for this topic) and the
> | %windir%\Temp directory is used.
> |
> | 5. The service uses Windows authentication and the code contains checks
> | for authorizing methods based on User Groups.
> |
> | My first questions are:
> |
> | 1. Why is the Dataset’s XSD schema file “compiled”? Once the Web Service
> | is generated by VS 2003 the Class for the Dataset exists as a C# (CS)
> | file.
> |
> | 2. Is the XSD file “compiled” for each initial invocation of the Web
> | Service?
> |
> | 3. Is there a way, other than using untyped Datasets, to avoid having the
> | XSD file compiled?
> |
> | Now the server where this Web Service is running is very tightly locked
> | down. The %windir%\Temp directory security is set such that the
> | compiling of the Dataset schema files fails with a
> | “System.InvalidOperationException: Unable to generate a temporary class
> | (result=1)”. The system admin will not enable the %windir%\Temp
> | directory so the schema can compile. He states that write access to the
> | Temp directory is a vulnerability with Web Services, but it is not a
> | problem with Web Pages. I do not see a difference between Web Pages and
> | Services.
> |
> | Now my solution is to:
> |
> | 1. Create the Web Service’s Application Pool Identity by copying the
> | NETWORK SERVICE built-in account in the User and Group admin utility.
> |
> | 2. Have the process that “compiles” the schema files use another
> | directory path. To do this the web.config file is modified on the
> | “<compilation>” element by adding a “tempDirectory” attribute, which
> | points to a non Virtual Directory file path. This prevents access from
> | the Web Service URL.
> |
> | 3. Set the security on the new path such that only the Identity for the
> | Application Pool can access it. The setting should mirror those of the
> | NETWORK SERVICE’s setting for the %windir%\Temp path.
> |
> | I have this configuration working on my test environment of two Windows
> | 2003 servers, so I know it runs.
> |
> | My last questions are:
> |
> | Are there any vulnerabilities with a Web Service and the temporary
> | directories? I do not see any. The Web Service is authenticating the
> | user via Windows authentication so the user must be on our Intranet. So
> | unless the domain is compromised Internet access is blocked. The service
> | is running with its service account, which has minimal permissions and
> | privileges. So if the service account is compromised access is limited
> | on resource access. Bad information in the SOAP message is prevented
> | using strong types. If a message is incorrect (buffer overrun) that is
> | caught via the strong types causing exceptions.
> |
> | If there is a problem what is it? And is there a solution?
> |
> | The only acceptable solution I have been given by the administrators
> | in-house is not to use strongly typed Datasets, thus avoiding the schema
> | file compile. This I find unacceptable, all the information I have read
> | leads me to choose strongly typed Datasets! Plus untyped Datasets are a
> | collection of System.Objects, which accept anything as data.
> |
> | Jim
> |
> | --
> | Jim
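The mitigation Jim describes in the thread (a dedicated compilation temp directory outside any virtual directory, an ACL that grants access only to the application pool identity plus SYSTEM and Administrators, and the web.config compilation tempDirectory attribute pointed at it), as an added PowerShell example that is not part of the original posts. The account DOMAIN\svc-webservice and the paths D:\AppTemp\OrderService and D:\Sites\OrderService\web.config are placeholder assumptions; run it as an administrator on the web server.

```powershell
# Added example, not from the thread. Placeholders: the app pool identity,
# the temp directory and the web.config path below are assumptions.
$poolUser  = 'DOMAIN\svc-webservice'             # application pool identity
$tempDir   = 'D:\AppTemp\OrderService'           # NOT under any virtual directory
$webConfig = 'D:\Sites\OrderService\web.config'  # assumes <system.web> exists

New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# Break inheritance and discard inherited ACEs, so looser permissions on the
# parent folder or drive root (e.g. Users: read/write) cannot leak in.
$acl = Get-Acl -Path $tempDir
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Mirror the default NETWORK SERVICE grant on %windir%\Temp: the worker process
# must create, compile and load the temporary .cs/.dll files, so Modify is the
# least that works. No other principal (Users, Everyone) gets an entry.
$grants = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $poolUser;                Rights = 'Modify' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $tempDir -AclObject $acl

# Point <compilation tempDirectory="..."> in web.config at the new directory,
# creating the element if the file does not have one yet.
[xml]$cfg = Get-Content -Path $webConfig
$sysWeb = $cfg.configuration.'system.web'
$comp = $sysWeb.compilation
if (-not $comp) {
    $comp = $sysWeb.AppendChild($cfg.CreateElement('compilation', $sysWeb.NamespaceURI))
}
$comp.SetAttribute('tempDirectory', $tempDir)
$cfg.Save($webConfig)

# Verify: only the three accounts above should be listed, none inherited.
(Get-Acl -Path $tempDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

After the change, the %windir%\Temp ACL can stay locked down; a failed write there by the worker process now shows up as the InvalidOperationException quoted above rather than silently succeeding, which is the signal to check that tempDirectory is set and the new ACL is in place.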