e-Con Security
Reference
Project: e-Con 3.5 | Author: Riné le Comte | Company: To-Increase B.V.
© 2005 To-Increase B.V. ii
Document Information
Document number: E-Con2005-08
Version: 5
Status: Draft
Title: e-Con Security
Subject: Reference
Author: Riné le Comte
Department: Development
Manager: Marijn van Poelje
Project: e-Con 3.5
Last saved: 11/25/2005 3:53 PM

Revision history
| Version | Date | Status | Changes |
|---|---|---|---|
| 1 | 07/07/2005 | Draft | First version |
| 5 | 10/01/2006 | Final | |
© Copyright 2005 To-Increase B.V. All rights reserved.
The information in this document is subject to change without notice. No part of this document may be reproduced, stored or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of To-Increase B.V. To-Increase B.V. assumes no liability for any damages incurred, directly or indirectly, from any errors, omissions or discrepancies between the software and the information contained in this document.
Table of Contents
Chapter 1 Introduction ... 4
Chapter 2 The e-Con 3.5 product ... 5
2.1 Dependencies ... 5
2.1.1 e-Con runtime dependencies ... 5
2.1.2 e-Con studio ... 5
2.1.3 Backend integration (Navision, Axapta) ... 5
2.2 File locations ... 6
2.2.1 e-Con program folder ... 6
2.2.2 e-Con web site ... 6
2.2.3 e-Con data folder ... 6
2.2.4 Temporary ASP.Net Files folder ... 6
2.2.5 Temp folder ... 6
2.3 Databases ... 6
2.4 Registry settings ... 6
2.5 Services ... 6
2.6 Message queues ... 6
2.7 Others ... 7
2.7.1 Event log ... 7
2.7.2 Performance counters ... 7
Chapter 3 Testing environment ... 8
3.1 Windows 2000 ... 8
3.2 Windows XP Professional ... 8
3.3 Windows 2003 Server ... 8
Chapter 4 Recommendations ... 9
4.1 IIS/ASP.Net authentication and impersonation ... 13
4.1.1 IIS ... 13
4.1.2 ASP.Net (W2K / WXP) ... 14
Chapter 1 Introduction
This document describes the security settings for the e-Con 3.5 product. This e-Con version is based on the Microsoft .Net framework and ASP.Net. Security has become increasingly important in the Microsoft Windows environment and a lot of improvements have been made in the Windows software. These improvements have sometimes negatively affected the e-Con product.
The document first describes the dependencies that e-Con has upon the underlying OS and the related backend applications. Then a testing environment and installation protocol are described in which the security settings are considered. The third part contains the recommendations for security settings.
The document covers three Windows versions: Windows 2000, Windows XP Professional and Windows 2003 Server.
Chapter 2 The e-Con 3.5 product
2.1 Dependencies
2.1.1 e-Con runtime dependencies
The e-Con runtime is dependent on a number of standard Microsoft components or DLLs, including:
§ Microsoft .Net version 1.1. This is the Microsoft .Net framework and class library.
§ ASP.Net. This is the .Net version of Active Server Pages.
§ IIS 5.0 or 6.0. This is Internet Information Services, the Microsoft Web server.
§ SQL Server 2000. This is the Microsoft database.
§ Microsoft XML Parser 3.0, 4.0 or 5.0. This is the Microsoft implementation of the XML parser and XML Document Object Model.
§ Microsoft Application Blocks ExceptionManagement. This is a component offering exception handling functionality.
§ Microsoft Application Blocks Data. This is a component offering data access functionality.
§ Microsoft Application Blocks Cache. This is a component offering data caching functionality.
§ Microsoft SQL XML. This is the .Net implementation of the XML integration with SQL Server.
§ Microsoft Office. This is the integration with Microsoft Office.
§ Internet Explorer 6.0. This is the Microsoft web browser, including the programmatic web browser components.
The e-Con runtime and its extension libraries are also dependent on some other components, including:
§ FACE. This is a photo-realistic visualization library.
§ SharpZipLib. This is a .Net Zip library.
2.1.2 e-Con studio
The old e-Con studio is dependent upon the following component:
§ PVExplorer. This is an OCX for the Outlook bar and tree control.
The new e-Con studio is dependent upon the following components:
§ The components on which the e-Con runtime depends.
§ SyncFusion. This is a .Net user interface library.
2.1.3 Backend integration (Navision, Axapta)
The e-Con backend integration uses the following applications and components:
§ Microsoft Navision, various versions.
§ eCon.Forms.dll
§ Microsoft Navision Application Server. This is a special Navision client that can handle requests which, for example, come from a message queue.
§ Microsoft Axapta, version 3.x
§ eCon.Controls.ocx
§ Microsoft MSMQ 2.0 or 3.0. This is the Microsoft message queuing product.
§ The Axapta Platform. This is a layer over the Axapta application developed by To-Increase for integration purposes.
2.2 File locations
2.2.1 e-Con program folder
e-Con version 3.5 is by default installed in C:\Program Files\e-Con 3.5. Under this folder a Web folder is created as well. This web folder is accessed via the virtual path http://<machine>/econ3.
This folder must have read access for the modeling user and for the ASP.Net account. The file localhost.config.xml with the settings is located in this folder. This file must have write access for the users that are responsible for implementing e-Con.
2.2.2 e-Con web site
The e-Con web site has by default two virtual paths, one for the e-Con runtime and one for the e-Con administration.
Virtual path: http://<machine>/econ3
Default physical path on <machine>: C:\Program Files\e-Con 3.5\Web
Virtual path: http://<machine>/econadmin
Default physical path on <machine>: C:\Program Files\e-Con 3.5\Admin
2.2.3 e-Con data folder
If e-Con uses the file repository, there is a data folder under which the models, objects and other XML documents are stored. The default location is C:\Program Files\e-Con3.1\Data.
2.2.4 Temporary ASP.Net Files folder
2.2.5 Temp folder
2.3 Databases
e-Con can use a SQL Server database as a repository, in which models, configurations and reports are stored. The default name for the repository is eConRepository. The modeling users and the account of the ASP.Net worker process (default: ASPNET) must have read-write permission on
2.4 Registry settings
Location of the e-Con configuration file: HKLM/Software/To-Increase/e-Con (Watermark-Innovation for version <= 3.1 sp1)
2.5 Services
Navision Application Server (NAS)
2.6 Message queues
e-Con uses MSMQ message queues to communicate with the application backend. In the standard installation three queues are created:
§ Request queue (Navision, Axapta). This is the queue which is used to send data retrieval requests to the application backend.
The path is <machine>\private$\navisionrequest or <machine>\private$\axaptarequest.
§ Response queue (Navision, Axapta). This is the queue which is used to receive data retrieval responses from the application backend. The path is <machine>\private$\navisionresponse or <machine>\private$\axaptaresponse.
§ Post queue (Navision, Axapta). This is the queue on which full configurations are posted that are processed in the application backend. The path is <machine>\private$\navisionpost or <machine>\private$\axaptapost.
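As an added example (not part of the e-Con documentation), the following PowerShell script grants the per-queue rights that the permissions table in Chapter 4 lists for the six queues above, using the .NET System.Messaging classes; the three account names are placeholders to replace with your own.

```powershell
# Added example, not e-Con's own code: apply the queue permission matrix from
# the Recommendations table to the six e-Con private queues on this machine.
Add-Type -AssemblyName System.Messaging

$domainUsers   = 'DOMAIN\eConUsers'      # placeholder: group holding the e-Con domain accounts
$nasAccount    = 'DOMAIN\nasaccount'     # placeholder: Navision Application Server account
$axaptaAccount = 'DOMAIN\axaptaaccount'  # placeholder: Axapta (Platform) account

# "Send message, Get properties" and "Receive message, Get properties" in MSMQ terms
$send    = [System.Messaging.MessageQueueAccessRights]'WriteMessage, GetQueueProperties'
$receive = [System.Messaging.MessageQueueAccessRights]'ReceiveMessage, GetQueueProperties'

# queue name -> who sends / who receives, per the table: e-Con users send requests
# and posts and the backend account receives them; the backend sends responses.
$matrix = @{
    'navisionrequest'  = @{ sender = $domainUsers;   receiver = $nasAccount }
    'navisionresponse' = @{ sender = $nasAccount;    receiver = $domainUsers }
    'navisionpost'     = @{ sender = $domainUsers;   receiver = $nasAccount }
    'axaptarequest'    = @{ sender = $domainUsers;   receiver = $axaptaAccount }
    'axaptaresponse'   = @{ sender = $axaptaAccount; receiver = $domainUsers }
    'axaptapost'       = @{ sender = $domainUsers;   receiver = $axaptaAccount }
}

foreach ($name in $matrix.Keys) {
    $path = '.\private$\' + $name
    if (-not [System.Messaging.MessageQueue]::Exists($path)) {
        Write-Warning "Queue $path does not exist; create it before setting permissions."
        continue
    }
    $queue = New-Object System.Messaging.MessageQueue $path
    # SetPermissions adds Allow entries; existing entries (e.g. the default
    # Everyone rights on a new queue) are left untouched and must be reviewed separately.
    $queue.SetPermissions($matrix[$name].sender,   $send)
    $queue.SetPermissions($matrix[$name].receiver, $receive)
    Write-Host ("{0}: send={1} receive={2}" -f $path, $matrix[$name].sender, $matrix[$name].receiver)
}
```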
2.7 Others
2.7.1 Event log
e-Con uses the Microsoft Application Block for Exception Management. The default exception publisher writes to the Windows event log. This event log must have full access permissions for the account under which the ASP.Net worker process runs. The registry path is HKLM\System\CurrentControlSet\Services\Eventlog\Application.
2.7.2 Performance counters
Chapter 3 Testing environment
3.1 Windows 2000
A clean Windows 2000 image is loaded into a virtual machine.
Service Pack 3
Internet Explorer 6.0
Log on as Machine\Administrator
IIS 5.0 is turned on.
MSMQ is installed.
.Net framework 1.1 is installed.
Navision 4.0 is installed, Navision Application Server 4.0 is installed.
An account econaccount is created in the role Users.
e-Con 3.1 SP1 is installed.
Integrated Windows authentication is enabled for the e-Con web site.
Integrated Windows authentication is enabled for the e-Con admin web site.
3.2 Windows XP Professional
A clean Windows XP Professional image is loaded into a virtual machine.
Log on as Machine\Administrator
IIS 5.0 is turned on.
MSMQ is installed.
.Net framework 1.1 is installed.
Navision 4.0 is installed, Navision Application Server 4.0 is installed.
An account econaccount is created in the role Users.
e-Con 3.1 SP1 is installed.
Integrated Windows authentication is enabled for the e-Con web site.
Integrated Windows authentication is enabled for the e-Con admin web site.
3.3 Windows 2003 Server
A clean Windows 2003 Server image is loaded into a virtual machine.
Log on as Machine\Administrator
IIS 6.0 is installed and turned on.
MSMQ is installed and turned on.
.Net framework 1.1 is installed and turned on, ASP.NET is turned on.
Navision 4.0 is installed, Navision Application Server 4.0 is installed.
An account econaccount is created in the role Users.
e-Con 3.1 SP1 is installed.
Integrated Windows authentication is enabled for the e-Con web site.
Integrated Windows authentication is enabled for the e-Con admin web site.
Chapter 4 Recommendations
The following structure is used to describe security recommendations for e-Con.

| Ref | Windows version | Authentication | Impersonation | Domain Account | Standard process account |
|---|---|---|---|---|---|
| W2K-A | Windows 2000 | Anonymous user | ON | econuser | ASPNET for aspnet_wp.exe |
| W2K-I | Windows 2000 | Integrated Windows Auth. | ON | Domain User | ASPNET for aspnet_wp.exe |
| WXP-A | Windows XP | Anonymous user | ON | econuser | ASPNET for aspnet_wp.exe |
| WXP-I | Windows XP | Integrated Windows Auth. | ON | Domain User | ASPNET for aspnet_wp.exe |
| W2K3-SA | Windows 2003, single application pool | Anonymous user | ON | econuser | Network Service for w3wp.exe |
| W2K3-SI | Windows 2003, single application pool | Integrated Windows Auth. | ON | Domain User | Network Service for w3wp.exe |
| W2K3-MA | Windows 2003, multiple application pools | Anonymous user | ON | econuser | Network Service for w3wp.exe / local user for each pool (member of IIS_WPG) |
| W2K3-MI | Windows 2003, multiple application pools | Integrated Windows Auth. | ON | Domain User | Network Service for w3wp.exe / local user for each pool (member of IIS_WPG) |
Note. On Windows XP the Security tab in File Properties or Folder properties may be missing. Uncheck the ‘Use simple file sharing’ property in the Folder Options\View list.
The accounts used must get permissions for the following resources.
| Type | Location | Description | Required Permission | Account |
|---|---|---|---|---|
| File | C:\WINNT\Microsoft.Net\Framework\v1.1.4322\Temporary ASP.Net Files or C:\Windows\Microsoft.Net\Framework\v1.1.4322\Temporary ASP.Net Files | The ASP.Net dynamic compilation location. It is either WINNT or Windows, depending on the OS. Indexing should be disabled. | Full control | process account, domain accounts |
| File | C:\WINNT\Temp or C:\Windows\Temp | This is the Windows temp folder %temp% | Full control | process account |
| File | C:\Program Files\e-Con3.1\Web | e-Con application folder (may exist in other locations as well) | Read, Execute, List Content | process account, domain accounts |
| File | C:\WINNT\Microsoft.Net\Framework\v1.1.4322 or C:\Windows\Microsoft.Net\Framework\v1.1.4322 | .Net Framework assemblies folder | Read, Execute, List Content | process account, domain accounts |
| File | C:\WINNT\Microsoft.Net\Framework\v1.1.4322\CONFIG or C:\Windows\Microsoft.Net\Framework\v1.1.4322\CONFIG | .Net Framework configuration folder | Read, Execute, List Content | process account, domain accounts |
| File | C:\WINNT\assembly or C:\Windows\assembly | The global assembly cache of .Net | Read | process account, domain accounts |
| File | C:\Inetpub\wwwroot | The path to the default web site | Full control | process account |
| File | C:\WINNT\system32 or C:\Windows\system32 | | | |
| Messaging | <local machine>\private$\navisionrequest | The default Navision request queue | Send message, Get properties | domain accounts |
| Messaging | <local machine>\private$\navisionrequest | | Receive message, Get properties | NAS account |
| Messaging | <local machine>\private$\navisionresponse | The default Navision response queue | Send message, Get properties | NAS account |
| Messaging | <local machine>\private$\navisionresponse | | Receive message, Get properties | domain accounts |
| Messaging | <local machine>\private$\navisionpost | The default Navision post queue | Send message, Get properties | domain accounts |
| Messaging | <local machine>\private$\navisionpost | | Receive message, Get properties | NAS account |
| Messaging | <local machine>\private$\axaptarequest | The default Axapta request queue | Send message, Get properties | domain accounts |
| Messaging | <local machine>\private$\axaptarequest | | Receive message, Get properties | Axapta account |
| Messaging | <local machine>\private$\axaptaresponse | The default Axapta response queue | Send message, Get properties | Axapta account |
| Messaging | <local machine>\private$\axaptaresponse | | Receive message, Get properties | domain accounts |
| Messaging | <local machine>\private$\axaptapost | The default Axapta post queue | Send message, Get properties | domain accounts |
| Messaging | <local machine>\private$\axaptapost | | Receive message, Get properties | Axapta account |
| Database | <server>\eConRepository | The SQL e-Con repository with models, configurations, etc. | CRUD on eConElements | domain accounts |
| Database | <server>\application database | The application database | Read access | domain accounts |
| Registry | HKLM\SOFTWARE\Watermark-Innovation\e-Con or HKLM\SOFTWARE\To-Increase\e-Con | Definition of environment, folder, server | Read access | domain accounts |
| Perf. Counters | HKLM\SYSTEM\CurrentControlSet\Services\e-Con\Performance | The performance counters of e-Con | Read | process account, domain accounts |
| EventLog (not applicable before e-Con 3.5) | HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ExceptionManagerPublishedException | Microsoft Exception Management Application block | Read | process account, domain accounts |
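As an added example (not part of the e-Con documentation), this PowerShell script checks the file rows of the table above against the ACLs on the machine for the ASP.Net process account; the account name and the e-Con folder path are assumptions taken from the table's defaults and must be adjusted for the machine at hand.

```powershell
# Added example, not e-Con's own code: verify that the process account holds
# the rights the table requires on each folder. ASPNET is the W2K/WXP default;
# use 'NT AUTHORITY\NETWORK SERVICE' on Windows 2003 (assumption, see table).
$processAccount = "$env:COMPUTERNAME\ASPNET"
$fx = Join-Path $env:windir 'Microsoft.Net\Framework\v1.1.4322'   # WINNT or Windows, per OS

# folder -> minimum rights the table requires for the process account
$required = @{
    (Join-Path $fx 'Temporary ASP.Net Files') = 'FullControl'
    (Join-Path $env:windir 'Temp')            = 'FullControl'
    'C:\Program Files\e-Con3.1\Web'           = 'ReadAndExecute'   # Read, Execute, List Content
    ($fx)                                     = 'ReadAndExecute'
    (Join-Path $fx 'CONFIG')                  = 'ReadAndExecute'
    (Join-Path $env:windir 'assembly')        = 'Read'
    'C:\Inetpub\wwwroot'                      = 'FullControl'
}

function Test-RequiredAccess {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    if (-not (Test-Path $Path)) { return 'MISSING PATH' }
    $acl = Get-Acl -Path $Path
    $allowed = 0
    # union of all direct Allow entries for the account (group membership and
    # Deny entries are deliberately not evaluated here)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ieq $Account -and $ace.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        }
    }
    # every required right bit must be present
    if (($allowed -band [int]$Rights) -eq [int]$Rights) { return 'OK' }
    return "MISSING: $Rights (has: $([System.Security.AccessControl.FileSystemRights]$allowed))"
}

foreach ($path in $required.Keys) {
    $result = Test-RequiredAccess -Path $path -Account $processAccount -Rights $required[$path]
    '{0,-70} {1}' -f $path, $result
}
```

Because only direct Allow entries for the account are counted, a MISSING result is a prompt to inspect the ACL (the right may come through a group such as Users), not proof of a misconfiguration.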
4.1 IIS/ASP.Net authentication and impersonation
4.1.1 IIS
There are two possibilities for authentication in IIS that are applicable to e-Con 3.5. The first possibility is anonymous access; in fact there is then no authentication. The anonymous access type uses a Windows account. This account is by default the IUSR_Machine account, but it can be any account. IIS will use this account for security checks. Anonymous access should only be used if the people who use e-Con are not defined in the Active Directory domain, for example in a web situation. Note that this account may be used for accessing resources if impersonation is turned on (see below).
Recommendation: Attach the econuser account to the anonymous access type.
The second possibility is integrated Windows authentication. The user that is accessing IIS (the web site) with a browser will automatically authenticate to IIS using his Windows account. IIS will use this account for security checks.
Recommendation: Use integrated Windows authentication if all users of e-Con are defined in Active Directory. Note that this account may be used for accessing resources if impersonation is turned on (see below).
4.1.2 ASP.Net (W2K / WXP)
The ASP.Net worker process aspnet_wp.exe runs by default under the local ASPNET account. This account can be changed.
Recommendation: Do not change the account for the ASP.Net worker process.
4.1.3 ASP.Net (W2003)
The ASP.Net worker process w3wp.exe runs by default under the local Network Service account. This account can be changed.
Recommendation: Change this account if you want to use more than one application pool. Use a new local user account and make it a member of IIS_WPG. In this way you are able to recognize in Process Explorer which process belongs to which pool.
ASP.Net can use impersonation to impersonate the authenticated user. This is important when resources are accessed.
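As an added example (not part of the e-Con documentation), this PowerShell function reports which identity ASP.Net 1.1 will use for resource access on an e-Con virtual directory, by combining the IIS authentication flags from the metabase with the impersonation setting in web.config; the metabase path (default web site, vdir econ3) is an assumption.

```powershell
# Added example, not e-Con's own code: with impersonation on, resources are
# accessed as the IIS anonymous account (recommended: econuser) or as the
# authenticated domain user; with impersonation off, as the process account.
$metabasePath = 'IIS://localhost/W3SVC/1/Root/econ3'   # assumption: site id 1, vdir econ3

function Get-EffectiveIdentity {
    param([string]$MetabasePath)
    $vdir = [ADSI]$MetabasePath                # IIS 5/6 metabase via ADSI
    $authFlags  = [int]$vdir.AuthFlags         # 1 = anonymous, 4 = integrated (NTLM)
    $anonymous  = ($authFlags -band 1) -ne 0
    $integrated = ($authFlags -band 4) -ne 0

    $impersonate = $false
    $fixedUser   = $null
    $webConfig = Join-Path ([string]$vdir.Path) 'web.config'
    if (Test-Path $webConfig) {
        $xml = [xml](Get-Content $webConfig)
        $identity = $xml.configuration.'system.web'.identity
        if ($identity -and $identity.impersonate -eq 'true') {
            $impersonate = $true
            if ($identity.userName) { $fixedUser = $identity.userName }
        }
    }

    if (-not $impersonate) { return 'process account (impersonation off)' }
    if ($fixedUser)        { return "fixed account $fixedUser (identity userName)" }
    # anonymous access, when enabled, is tried before integrated authentication
    if ($anonymous)        { return "anonymous account $($vdir.AnonymousUserName)" }
    if ($integrated)       { return 'the authenticated domain user' }
    return "unknown (AuthFlags=$authFlags)"
}

Get-EffectiveIdentity -MetabasePath $metabasePath
```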