Export (0) Print
Expand All

Virtual Directory Security Issues

SQL Server 2000

The following security issues relate to creating virtual directories using the IIS Virtual Directory Management for SQLXML 3.0 utility. The issues relate to the following tabs on the Virtual Directory Properties dialog box:

  • Security tab

    For added security, select the Use Windows Integrated Authentication option. Windows Integrated authentication requires valid Windows login credentials. The other authentication methods use the anonymous access method (no user name and password are required), which allows any user to access the virtual root.

    Note:When creating a virtual directory, if you specify integrated authentication, then integrated authentication is used from end to end. That is, from client to IIS, and from IIS to SQL Server. But this security setting won’t work if the domain has the credential delegation turned off. The login credential from client to IIS will work, but since the credential delegation is turned off, IIS cannot delegate these credentials to SQL Server. Thus, the integrated security won't work. In this case, you must specify either Windows or SQL Server authentication when creating a virtual directory.

    • If you select the Use Basic Authentication (Clear Text) to SQL Server account option, the user name and password are sent with base64 encoding, which is easy to decrypt. It is recommended that, if you use this option, you use it with Secured Sockets Layer (SSL) security, which encrypts all the data going over the connection.
  • Settings tab
    • In a production environment, do not select the Allow sql=..., and Allow XPath options. By enabling these options, you expose your database to malicious random queries. To prevent random queries in the URL, specify your queries in XML templates and select the Allow template queries option. This limits the users to what queries they can execute against Microsoft® SQL Server™ using the virtual directory.

    • Do not select Allow POST. POST allows a user to send large amounts of data that could potentially cause your service to fail, such as a typical denial of service problem in Web services. 

      Select the Allow POST option only when you have created a virtual directory to handle SOAP requests; for example, a virtual name of soap type is defined for the virtual directory.  When Allow POST is enabled for SOAP services, you must set the Maximum size of POST queries appropriately. The requirements of the SOAP methods must be considered in setting this value (maximize the POST size to the extent that all acceptable SOAP requests are within the POST size range).

    • By checking Suppress error reporting you can avoid detailed errors from being returned in the production environment, thus providing added security by hiding internal details.
  • Virtual Names tab
    • A physical directory associated with a virtual name of template type should contain only templates. Because all the files stored in this folder are treated as templates, if you store other files such as schemas, users can view them. For example, in the following URL, the contents of MySchema.xml will appear in the browser:

      If the schema in this file is a mapping schema, it contains database information that you may not want to expose to the end user.

    • In a production environment, do not create a virtual name of dbobject type for the virtual directory. The virtual name of dbobject type allows XPath queries specified directly against a table. Random queries put the data in database at risk. dbobject queries can be safely used, however, if you select the Windows Integrated Authentication option (in the Security tab) and set the appropriate permissions in SQL Server for each of the logins. A dbobject virtual name can be safely used in development environment.

    • For a virtual name of soap type, create a physical directory specific to the soap virtual name. Virtual names of other types, such as template and schema, should not map to this directory. For example, if you have two virtual names, such as template and soap type, that point to the same physical directory, a user can specify either of the following URLs to see the contents of the .wsdl or .ssc files:



      The configuration file has the mapping information (which WSDL operation maps to which stored procedure, user-defined function, or template) that users do need not to see.

Using the IIS Virtual Directory Management for SQLXML 3.0 Utility

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft