SOLVED

Restrict access to DWS.asmx and People.asmx on a Forms Based Authentication Site.


Hello

We just implemented an intranet site with Forms Based Authentication on SharePoint 2016, and our customer ran an Ethical Hacking Service on the website.

They found 2 issues (according to them). As I am not an expert on security, I am not sure if they are really problems or not, and if they can be fixed or not.

1. As an anonymous user: I can go to _vti_bin/DWS.asmx and see the contract of the services. According to the client that's a vulnerability, is it?

2. Same applies for people.asmx

3. When logged in as a Forms Based Authentication User, then with SOAPUI, those users can interact with the services, retrieving information from users.

Same applies for disco.asmx

1. Can I just disallow access to these services somehow for both anonymous and FBA users without breaking SharePoint?

Is there any official documentation about this?

2 Replies
Solution

Hey Luis, hope you are well. Added some comments for you:

1. As an anonymous user: I can go to _vti_bin/DWS.asmx and see the contract of the services. According to the client that's a vulnerability, is it? Not really, as you cannot interact with it. To change that you can add web.config entries to make it so that it prompts for authentication when someone tries to access that. This is done using something like this, where you are allowing Auth'd users and blocking Anonymous, or just set it to allow Auth'd users. Of course you need to test this:

<!-- Goes in the SharePoint web application's web.config. This is the IIS URL
     Authorization section (system.webServer), whose rules are <add accessType="..."/>
     elements; the ASP.NET <allow>/<deny> elements belong under <system.web> instead. -->
<location path="_vti_bin/DWS.asmx">
  <system.webServer>
    <security>
      <authorization>
        <!-- users="?" = anonymous (unauthenticated) users, users="*" = all users.
             The Deny rule is listed first so anonymous requests are refused
             and prompted for authentication; everyone authenticated is allowed. -->
        <add accessType="Deny" users="?" />
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</location>

2. Same applies for people.asmx

Same thing can be done here too.

3. When logged in as a Forms Based Authentication User, then with SOAPUI, those users can interact with the services, retrieving information from users.

This is expected behaviour, as you are an authenticated user and should be able to call into the services to retrieve data. You could once again modify who can get access to the endpoints using the same approach, but this time restrict to specific groups, roles or even accounts, using something similar to this: <add accessType="Allow" roles="Administrators" />

Hope this helps.
Liam
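
To verify a web.config before deploying the rules described in this answer, here is an added Python checker (not code from the thread or from SharePoint): it parses a web.config, finds the `<location>` for each _vti_bin endpoint named in the question, and reports whether anonymous users are denied through an IIS URL Authorization `<add accessType="Deny" users="?"/>` rule, flagging ASP.NET-style `<allow>`/`<deny>` elements placed under system.webServer, where IIS does not accept them. The sample web.config is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Endpoints named in the thread; IIS matches <location path="..."> case-insensitively.
ENDPOINTS = ("_vti_bin/DWS.asmx", "_vti_bin/People.asmx", "_vti_bin/disco.asmx")

def check_web_config(xml_text, endpoints=ENDPOINTS):
    """Map each endpoint to 'denied' (IIS rule <add accessType="Deny" users="?"/>),
    'aspnet-syntax' (<allow>/<deny> elements, i.e. the ASP.NET <system.web> schema,
    placed under system.webServer where IIS URL Authorization does not accept them),
    'open' (a <location> exists but anonymous is not denied) or 'missing'."""
    root = ET.fromstring(xml_text)
    by_path = {loc.get("path", "").lower(): loc for loc in root.iter("location")}
    results = {}
    for ep in endpoints:
        loc = by_path.get(ep.lower())
        if loc is None:
            results[ep] = "missing"
            continue
        auth = loc.find("system.webServer/security/authorization")
        if auth is None:
            results[ep] = "open"
        elif auth.find("allow") is not None or auth.find("deny") is not None:
            results[ep] = "aspnet-syntax"
        elif any(rule.get("accessType", "").lower() == "deny" and rule.get("users") == "?"
                 for rule in auth.findall("add")):
            results[ep] = "denied"
        else:
            results[ep] = "open"
    return results

# Constructed sample web.config (not a real farm's file): DWS.asmx is locked down
# with IIS syntax, People.asmx uses the mixed-up schema, disco.asmx has no rule.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="_vti_bin/DWS.asmx">
    <system.webServer><security><authorization>
      <add accessType="Deny" users="?" />
      <add accessType="Allow" users="*" />
    </authorization></security></system.webServer>
  </location>
  <location path="_vti_bin/people.asmx">
    <system.webServer><security><authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization></security></system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    for endpoint, status in check_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{endpoint}: {status}")
```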

In addition to Liam's answer, if you need a little more detail, I wrote the article here (http://thuansoldier.net/?p=4267) during my time working in a governmental environment.