Security and Protection (StreamInsight)
This topic describes important security information for Microsoft StreamInsight.
Process dumps are generated through the Windows Error Reporting (WER) framework. The generation of a dump file is controlled by the WER settings. Because a dump can contain event data, the user must be aware of the possible disclosure of sensitive information through dump files.
On Windows XP and Windows Server 2003 platforms, minidumps are placed by the Windows Error Reporting tool, DW20.exe, into the administration queue, which is owned by the administrator and read-accessible by everyone. The disk location of this queue is: %USERPROFILE%\Local Settings\Application Data\PCHealth\ErrorRep\QSignoff. For more information, see Error Reporting and Diagnosis.
If a hosting process specifies the SQL Server Compact metadata provider instead of the in-memory provider, the metadata is written to a SQL Server Compact database file (an .sdf file) on disk. If no file with the specified file name exists, it is created. The permissions of this database file are determined by its location, that is, by the ACL of the directory it is created in.
ETW trace files are created with the default security descriptor, which means the log file receives the same ACL as its parent directory. The user who turns on tracing chooses the location of the trace file and, therefore, its permissions. If access to the trace must be restricted, first create a parent directory that has the appropriate ACL and place the trace file there.
In order to avoid unauthorized reading or tampering with the checkpoint files, ensure that the permissions of the containing folder are set so that only trusted entities have access. Moreover, never accept and use checkpoint files from untrusted sources.
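The three preceding paragraphs come down to one defensive task: put the .sdf, trace, and checkpoint files in a directory whose ACL names only trusted principals, and verify that no catch-all principal kept access. The following PowerShell is an added example, not part of the StreamInsight documentation; the path D:\StreamInsight\Checkpoints, the group names, and the function names are assumptions chosen for illustration. It disables ACL inheritance on the directory, removes the existing explicit entries, grants full control only to the principals you pass in, and then checks that Everyone, BUILTIN\Users, and Authenticated Users have no Allow entry left.

```powershell
# Added example (not from the StreamInsight documentation).
# Creates a directory for StreamInsight checkpoint, trace, or metadata files
# whose ACL contains only the principals listed in -TrustedPrincipals.
# Run in an elevated session; Set-Acl needs rights on the directory.
function New-RestrictedDataFolder {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Example values: 'BUILTIN\Administrators', 'NT AUTHORITY\NETWORK SERVICE'
        # (the service account the page says the StreamInsight service uses).
        [Parameter(Mandatory)] [string[]] $TrustedPrincipals
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path

    # Stop inheriting from the parent and discard the inherited ACEs; otherwise the
    # folder keeps whatever the parent granted (commonly read access for BUILTIN\Users).
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any explicit ACEs that remain so the ACL is rebuilt from scratch.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    # Apply each grant to the folder, its subfolders, and the files inside it.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($principal in $TrustedPrincipals) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($principal, 'FullControl', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Returns $true when none of the catch-all principals has an Allow entry on the folder.
# Use it as a post-condition after New-RestrictedDataFolder, or as a periodic audit
# of a folder someone else created.
function Test-FolderNotWorldReadable {
    param([Parameter(Mandatory)] [string] $Path)

    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl   = Get-Acl -LiteralPath $Path
    $exposed = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($broad -contains $_.IdentityReference.Value)
    })
    return ($exposed.Count -eq 0)
}

# Usage (path and principals are placeholders, not values from the documentation):
# New-RestrictedDataFolder -Path 'D:\StreamInsight\Checkpoints' `
#     -TrustedPrincipals 'BUILTIN\Administrators', 'NT AUTHORITY\NETWORK SERVICE'
# Test-FolderNotWorldReadable -Path 'D:\StreamInsight\Checkpoints'   # expect $true
```

Because ETW and the checkpoint writer create files with the default security descriptor, creating the directory this way before tracing or checkpointing starts is what makes the files themselves restricted; fixing the ACL afterwards only covers files created from that point on unless you also reset the existing ones.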
The query language allows the execution of any code that is accessible to the StreamInsight server execution context (for example, the StreamInsight server host context) through a .NET Framework fully qualified method name (for example, user-defined functions) on the host computer. Therefore, by submitting and running such a query, a Web service user acts as the host context on the host computer. The developer or administrator of a host process (or user of the provided StreamInsightHost.exe) must be aware of this and restrict access to the Web service if required.
The StreamInsight service that can be created during the installation of an instance of StreamInsight runs under the NetworkService account. This account has minimum privileges on the local computer.
After a user has access to the StreamInsight server through the management interface (possibly exposed as a WS endpoint), the user has full access to the management functionality and can perform the following operations:
Submitting, reading, or deleting any metadata.
Starting or stopping any query.
Retrieving diagnostic information about the StreamInsight server and its queries.
Connecting the StreamInsight Event Flow Debugger to a live server and running queries.
Each registered StreamInsight instance is associated with a Windows group. Only users in that group can connect to a published server that is created under that instance.
StreamInsight uses the Application Log ETW channel to publish administrative events into the Windows Event Log. Consistent with the permission model of the Event Log, any member of the “Event Log Readers” group can read these events in Event Viewer.
The Debug Event Log uses a separate ETW provider to collect StreamInsight events and make them available to consumers like the Event Flow Debugger. Note that this data includes the events’ payloads. Only members of the Windows group “Performance Log Users” can consume this trace.
Performance counter data, including StreamInsight performance counters, is accessible to any user on a computer. Note that this does not disclose event payload data, but contains information about running servers, queries, and adapters.
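The preceding paragraphs describe three Windows groups that gate access to StreamInsight data of increasing sensitivity: the instance group (management access and the ability to connect to published servers), “Event Log Readers” (administrative events, no payloads), and “Performance Log Users” (the debug trace, which does include event payloads). The following PowerShell is an added example, not part of the StreamInsight documentation; it enumerates the membership of those groups and flags any catch-all principal (Everyone, Authenticated Users, Users, Domain Users) that would quietly widen who can read the payload-bearing trace. The instance group name StreamInsightUsers is a placeholder, and the Get-LocalGroupMember cmdlet is assumed to be available (Windows 10 / Windows Server 2016 and later).

```powershell
# Added example (not from the StreamInsight documentation).
# Lists who can reach StreamInsight data through the Windows groups named above
# and flags catch-all principals that grant access to every account.
function Get-StreamInsightAccessReport {
    param(
        # Placeholder: substitute the group associated with the registered instance.
        [string] $InstanceGroup = 'StreamInsightUsers'
    )

    # What each group exposes, taken from the documentation text above.
    $exposure = [ordered]@{}
    $exposure[$InstanceGroup]          = 'connect to published servers; full management access'
    $exposure['Event Log Readers']     = 'administrative events in the Application log (no payloads)'
    $exposure['Performance Log Users'] = 'Debug Event Log trace, including event payloads'

    # Principals that effectively mean "everyone"; their presence in a group is a finding.
    $broad = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'INTERACTIVE')

    foreach ($group in $exposure.Keys) {
        # A missing group (for example, an instance group that was never created)
        # simply yields no rows rather than terminating the report.
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
        foreach ($member in $members) {
            $shortName = ($member.Name -split '\\')[-1]
            [pscustomobject]@{
                Group       = $group
                Member      = $member.Name
                ObjectClass = $member.ObjectClass     # User or Group
                Exposes     = $exposure[$group]
                CatchAll    = ($broad -contains $shortName)
            }
        }
    }
}

# Usage: show only the rows that need attention, i.e. catch-all principals in any
# of the groups, with the payload-bearing trace group listed first.
# Get-StreamInsightAccessReport -InstanceGroup 'StreamInsightUsers' |
#     Where-Object CatchAll |
#     Sort-Object { $_.Group -ne 'Performance Log Users' } |
#     Format-Table Group, Member, Exposes -AutoSize
```

Nested group membership is not expanded here, so a domain group listed as a member should be checked separately; the report tells you which local groups to start from and which of them exposes event payloads rather than just server and query metadata.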