RE: Web Service Implementation Security Question

From: Steven Cheng[MSFT] (stcheng_at_online.microsoft.com)
Date: 08/04/05


Date: Thu, 04 Aug 2005 02:10:47 GMT

Thanks for your response Jim,

After some further research, I think you're right, the %win%\temp dir is
used by ASP.NET, and as I've mentioned, it's used for the .NET
webservice to generate proxy classes (those temp classes) for serialization.
Also, the read, write, delete permission is necessary for the ASP.NET
process identity; we can find it in the following MSDN reference:

#How To: Create a Custom Account to Run ASP.NET
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp

It demonstrates the security requirements for IIS5's process identity; I
think IIS6's remain the same and by default the IIS_WPG group will have all
these permissions. So currently if your server admin really prevents you
from granting the asp.net process identity sufficient access to the %win%\temp
dir, I'm afraid the ASP.NET webservice won't be able to correctly do any
xml serialization for our custom classes (not only typed dataset).

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| Thread-Topic: Web Service Implementation Security Question
| thread-index: AcWYM16IwJ4jF3+vRq6++EGohgcQGw==
| X-WBNR-Posting-Host: 155.148.26.103
| From: "=?Utf-8?B?SmltTQ==?=" <JimM@noemail.nospam>
| References: <D8AFC9AE-2BD3-4FD7-89A4-0A25CCEC3F88@microsoft.com>
| <3mKbOZCmFHA.2700@TK2MSFTNGXA01.phx.gbl>
| Subject: RE: Web Service Implementation Security Question
| Date: Wed, 3 Aug 2005 06:58:04 -0700
| Lines: 234
| Message-ID: <6BDC1465-723C-4096-A4EE-57132FEAC021@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 8bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.inetserver.iis.security
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.inetserver.iis.security:8120
| X-Tomcat-NG: microsoft.public.inetserver.iis.security
|
| Steve,
|
| The XMLSerialization seems to be used for both the Framework temporary
| directory and the %windir%\temp directory. When the service was first
| placed on the server I received the following exception:
|
| System.Web.Services.Protocols.SoapException: Server was unable to process
| request. ---> System.InvalidOperationException: Unable to generate a
| temporary class (result=1). error CS2001: Source file
| 'C:\WINDOWS\TEMP\o8pdvxpb.0.cs' could not be found error CS2008: No
| inputs specified at System.Xml.Serialization.Compiler.Compile(Assembly parent,
| String ns, CompilerParameters parameters, Evidence evidence) at
| System.Xml.Serialization.TempAssembly.GenerateAssembly(XmlMapping[]
| xmlMappings, Type[] types, String defaultNamespace, Evidence evidence,
| CompilerParameters parameters, Assembly assembly, Hashtable assemblies)
| at System.Xml.Serialization.TempAssembly..ctor(XmlMapping[] xmlMappings,
| Type[] types, String defaultNamespace, String location, Evidence evidence) at
| System.Xml.Serialization.XmlSerializer.FromMappings(XmlMapping[]
| mappings, Type type) at
| System.Xml.Serialization.XmlSerializer.FromMappings(XmlMapping[]
| mappings) at
| System.Web.Services.Protocols.SoapServerType..ctor(Type type,
| ProtocolsEnum versionsSupported) at
| System.Web.Services.Protocols.SoapServerProtocol.Initialize() at
| System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type,
| HttpContext context, HttpRequest request, HttpResponse response, Boolean&
| abortProcessing)
| --- End of inner exception stack trace --- System.Exception
|
| Notice the location of the source file is the %windir%\Temp directory.
|
| At this point I configured a test environment that mirrored the
| production server settings for the %windir%\Temp directory. I received
| the same error. Changing the permission setting on the %win%\Temp to
| allow my Application Pool Identity access to the %windir%\Temp directory
| solved the InvalidOperationException.
|
| Now the system administrator on the server has a template/script for
| locking down the security on the server, which caused changes to the
| permissions in many directories and system objects. He has a problem
| with IIS and ASP.NET using the %windir%\Temp directory as listed in the
| InvalidOperationException above. So I set the compilation element's
| tempDirectory attribute within my web.config to point to another
| directory. Set the permissions such that only the Application Pool's
| Identity could use it. Now he states there is also vulnerability with
| this. The only solution he will accept is untyped Datasets. Hence my
| initial question.
| --
| Jim
|
|
| "Steven Cheng[MSFT]" wrote:
|
| > Hi Jim,
| >
| > Welcome to MSDN newsgroup.
| > As for the security problems regarding on using TypedDataset in asp.net
| > webservice, based on my experience, those dynamically compiled
| > assemblies are the ones used for XmlSerialization. Since we return the
| > typedDataset over webservice, the runtime needs to serialize it into xml
| > stream which will cause some temp classes (help to do the serialization
| > work) being generated. However, what makes me feel a bit strange is that
| > you mentioned the assemblies are generated under the %win%\temp dir? As
| > far as I know, the asp.net runtime's temp assemblies should reside in
| >
| > %win%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\%app
| > specific dir%
| >
| > Also, one thing I'm thinking about is whether the problem is related to
| > the specific application pool identity you specified? What's the
| > behavior when you switch back to use the default Network Service
| > identity? Also, on IIS6/win2k3 box, when we want to clone an asp.net
| > process identity (like the NetworkService), we can just simply add the
| > account into the local IIS_WPG group which is just for the IIS worker
| > process identities.
| >
| > Anyway, IMO, I don't think accessing the ASP.NET specific temp dir will
| > cause vulnerability; generally vulnerability only occurs when the IIS
| > server or asp.net app has been compromised or hacked, which is rare in
| > the .net managed world.
| >
| > Thanks,
| >
| > Steven Cheng
| > Microsoft Online Support
| >
| > Get Secure! www.microsoft.com/security
| > (This posting is provided "AS IS", with no warranties, and confers no
| > rights.)
| >
| >
| >
| > --------------------
| > | Thread-Topic: Web Service Implementation Security Question
| > | thread-index: AcWXrU2eKoxWNAjNR12bWC3v7J+OUg==
| > | X-WBNR-Posting-Host: 155.148.26.103
| > | From: "=?Utf-8?B?SmltTQ==?=" <JimM@noemail.nospam>
| > | Subject: Web Service Implementation Security Question
| > | Date: Tue, 2 Aug 2005 14:58:23 -0700
| > | Lines: 90
| > | Message-ID: <D8AFC9AE-2BD3-4FD7-89A4-0A25CCEC3F88@microsoft.com>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 8bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Newsgroups: microsoft.public.inetserver.iis.security
| > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.inetserver.iis.security:8114
| > | X-Tomcat-NG: microsoft.public.inetserver.iis.security
| > |
| > | THIS IS A RE-POST OF A PREVIOUS QUESTION, SO I GET MY MSDN RESPONSE.
| > |
| > | I don't know if this is the correct newsgroup for this question, but it
| > | is about security and vulnerabilities.
| > |
| > | I need to get the following questions answered in response to some
| > | security issues raised about Web Services by my system administrator. I
| > | know this is long but bear with me.
| > |
| > | First some basic background:
| > |
| > | 1. The Web Service was implemented using Visual Studio 2003 and it uses
| > | strongly typed Datasets. Each Dataset contains multiple tables with one
| > | or more rows and relationships defined. The Dataset is the method's
| > | return value.
| > |
| > | 2. The Web Service is installed on a Windows 2003 Server.
| > |
| > | 3. The Web Service is run within its own Application Pool with a unique
| > | Identity.
| > |
| > | 4. When a service method returning a Dataset is called, the schema (XSD)
| > | file for the Dataset(s) is "compiled" or "re-compiled" (don't know if
| > | compiled is the correct term but I'll use it for this topic) and the
| > | %windir%\Temp directory is used.
| > |
| > | 5. The service uses Windows authentication and the code contains checks
| > | for authorizing methods based on User Groups.
| > |
| > | My first questions are:
| > |
| > | 1. Why is the Dataset's XSD schema file "compiled"? Once the Web Service
| > | is generated by VS 2003 the Class for the Dataset exists as a C# (CS)
| > | file.
| > |
| > | 2. Is the XSD file "compiled" for each initial invocation of the Web
| > | Service?
| > |
| > | 3. Is there a way, other than using untyped Datasets, to avoid having
| > | the XSD file compiled?
| > |
| > | Now the server where this Web Service is running is very tightly locked
| > | down. The %windir%\Temp directory security is set such that the
| > | compiling of the Dataset schema files fails with a
| > | "System.InvalidOperationException: Unable to generate a temporary class
| > | (result=1)". The system admin will not enable the %windir%\Temp
| > | directory so the schema can compile. He states that write access to the
| > | Temp directory is a vulnerability with Web Services, but it is not a
| > | problem with Web Pages. I do not see a difference between Web Page and
| > | Services.
| > |
| > | Now my solution is to:
| > |
| > | 1. Create the Web Service's Application Pool Identity by copying the
| > | NETWORK SERVICE built-in account in the User and Group admin utility.
| > |
| > | 2. Have the process that "compiles" the schema files use another
| > | directory path. To do this the web.config file is modified on the
| > | <compilation> element by adding a "tempDirectory" attribute, which
| > | points to a non Virtual Directory file path. This prevents access from
| > | the Web Service URL.
| > |
| > | 3. Set the security on the new path such that only the Identity for the
| > | Application Pool can access it. The setting should mirror those of the
| > | NETWORK SERVICE's setting for the %windir%\Temp path.
| > |
| > | I have this configuration working on my test environment of two Windows
| > | 2003 servers, so I know it runs.
| > |
| > | My last questions are:
| > |
| > | Are there any vulnerabilities with a Web Service and the temporary
| > | directories? I do not see any. The Web Service is authenticating the
| > | user via Windows authentication so the user must be on our Intranet. So
| > | unless the domain is compromised Internet access is blocked. The service
| > | is running with its service account, which has minimal permissions and
| > | privileges. So if the service account is compromised access is limited
| > | on resource access. Bad information in the SOAP message is prevented
| > | using strong types. If a message is incorrect (buffer overrun) that is
| > | caught via the strong types causing exceptions.
| > |
| > | If there is a problem what is it? And is there a solution?
| > |
| > | The only acceptable solution I have been given by the administrators
| > | in-house is not to use strongly typed Datasets, thus avoiding the schema
| > | file compile. This I find unacceptable, all the information I have read
| > | leads me to choose strongly typed Datasets! Plus untyped Datasets are a
| > | collection of System.Objects, which accept anything as data.
| > |
| > | Jim
| > |
| > |
| > | --
| > | Jim
| > |
| >
| >
|
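
Jim's steps 2 and 3 above (a dedicated compilation tempDirectory outside any virtual directory, with an ACL that admits only administrators, SYSTEM and the application pool identity) as an added PowerShell example; this is not code from the thread, and the directory, web.config path and account name are placeholders. It assumes PowerShell is available on the server and that web.config already contains a system.web section.

```powershell
# Added example: move ASP.NET's XmlSerializer temp compilation out of %windir%\Temp
# and restrict the new directory to the application pool identity only.
# All three values are placeholders; replace them for your server.
$tempDir   = 'D:\AspNetTemp\MyService'      # not under any virtual directory
$identity  = 'MYDOMAIN\svc_myservice'       # the app pool's custom identity
$webConfig = 'D:\Sites\MyService\web.config'

New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# Build the DACL from scratch: drop inherited ACEs (Users/Everyone etc.).
$acl = Get-Acl -Path $tempDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
function New-FsRule($account, $rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $account, $rights, $inherit, $prop, 'Allow'
}
foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-FsRule $admin 'FullControl'))
}
# Modify = read + write + delete, which is what the serializer's compiler needs:
# it creates the temporary .cs files, compiles them and deletes them again.
$acl.AddAccessRule((New-FsRule $identity 'Modify'))
Set-Acl -Path $tempDir -AclObject $acl

# Point <compilation tempDirectory="..."> at the locked-down directory.
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($webConfig)
$sysWeb = $cfg.configuration.'system.web'
$comp = $sysWeb.ChildNodes | Where-Object { $_.LocalName -eq 'compilation' } | Select-Object -First 1
if ($null -eq $comp) {
    $comp = $sysWeb.AppendChild($cfg.CreateElement('compilation', $sysWeb.NamespaceURI))
}
$comp.SetAttribute('tempDirectory', $tempDir)
$cfg.Save($webConfig)

# Verify: only the three intended principals should be listed.
(Get-Acl -Path $tempDir).Access | Select-Object IdentityReference, FileSystemRights
```

The ACL check at the end is the part worth keeping in a lock-down script: any extra principal on that directory means another account could plant or alter the source the serializer compiles and loads into the worker process.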


