Thursday, October 13, 2005 11:39 AM
We have many times discussed amongst ourselves the best way to deal with the following security issue: the WebPublisher dll must either be open to anonymous access or locked down, but not both, at least through the same IIS alias. Even though an anonymous user has access to the dll, they should not be able to retrieve results from every database.
What we have done up until now is create a .NET control (the Andornot Results Control) that takes a query, whether a form POST or a canned query string GET, and handles communication with the WebPublisher dll. The active account being used is therefore the ASP.NET worker process account (NETWORK SERVICE on Win 2003) and not IUSR_machinename. We give NETWORK SERVICE the permissions on the WebPublisher install directory it needs (same as IUSR has). We then strip IUSR permissions from the "internal" databases. Even if an anonymous user knows an internal database name and constructs a canned query to target it, NTFS permissions deny them.
Now, the funky thing is that the WebPublisher dll does not behave the way you think it would. If directory security on the dbtw-wpd alias is set to both anonymous access and integrated Windows authentication, as is the default case, then these two things should happen in IIS: 1) Anonymous requests to any database with permissions allowing anonymous read requests should return results without further ado. This happens. 2) Anonymous requests to any database that DOES NOT allow anonymous read requests should return a HTTP 401 Access Denied and a message that says integrated Windows authentication is acceptable. A bit of back and forth occurs, but essentially if the requestor has Windows credentials, they should be accepted and the request carried out.
In the case of our .NET control, what should happen is that the initial request should bounce, but that the passed-in credentials (proof that it is operating as NETWORK SERVICE) should be accepted and the request fulfilled. This does not happen. The WebPublisher dll sends back a 401 for the initial anonymous request for a database with no IUSR read permissions, but then is unable to accept valid credentials and thus does not fulfill the request. So, we must set up two dbtw-wpd directories, one with anonymous access allowed and one without, until we come up with something better. We recently brainstormed about this, and we'll see what we come up with.
You can get more information about IIS authentication here: MSDN Authentication and Security for Internet Developers More information about the Results Control and the WPDK (WebPublisher Developer Kit) here: http://www.andornot.com/Products/Addons/WPDK.aspx.