
Security Guidelines for MapInfo Discovery 1.1


This paper provides guidelines and detailed instructions for improving the security of your MapInfo Discovery™ deployment.

In this document:

• Overview
• More Secure File Locations and Access Control
• User Authentication
• Securing MapInfo Discovery – IIS Web Site Permissions
• Securing Pages Using IIS FTP Site Permissions
• Securing Pages Using NTFS File Permissions
• Restricting FTP and HTTP Access


Overview

MapInfo Corp. has researched security issues related to MapInfo Discovery™ deployed on the internet. This paper summarizes those findings. Our goal is to assist you in providing a secure deployment of MapInfo Discovery™ and to help protect your Discovery server from malicious users.

The information provided in this paper is consistent with the security guidelines you should implement with any application deployed on the internet.

These issues are of less concern for an intranet deployment, where your IT department has implemented steps to protect your environment inside the firewall.

MapInfo will continue to monitor your feedback, evaluate security issues, and take steps to address your concerns.

For a complete overview of IIS 5.0 security issues, see the following articles:

https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/reskit/iischp9.mspx#EFAA

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/EDAA

These articles contain IIS 5.0-specific information on configuration, user authentication, certificates, and troubleshooting, and include references to many additional resources.


© 2005 MapInfo Corporation. All rights reserved. 2 disovery11_security.pdf


More Secure File Locations and Access Control

There are some basic configuration choices that can provide better security for your internet deployment of MapInfo Discovery™.

We recommend putting the Default Web Site on a non-default drive. This will prevent users from traversing through a known directory structure.

When you install IIS 5.0, you cannot change the default installation location on C:\inetpub. After you install IIS 5.0, you can then change the paths of web site entities. You must do this manually, by following the procedures outlined below.

1. Select the contents of the C:\inetpub directory and copy the contents of each folder.

2. Select and expand a non-default location (such as the F: drive), select EDIT, then select PASTE.

You still must instruct IIS to look in the new locations for the relocated files. To do this, follow these steps:

3. Run the IIS Manager by choosing START > CONTROL PANEL > ADMINISTRATIVE TOOLS > INTERNET SERVICES MANAGER.

4. Right-click on Default Web Site and choose PROPERTIES.

5. In the Default Web Site Properties dialog box, select the Home Directory tab.

6. Change the Local Path to point to the non-default directory to which you copied the resource.

For example, change the Local Path of the Default Web Site from C:\inetpub\wwwroot to the relocated F:\inetpub\wwwroot.


Similarly, you must instruct IIS to look in the new locations for all the web site entities (such as Scripts or IISHelp) that you have moved to non-default locations. For example, the IISAdmin virtual folder is originally installed on C:\WINNT\system32\inetsrv\iisadmin\. After copying the contents of this folder to F:\inetpub\inetsrv, use IIS (PROPERTIES > HOME DIRECTORY tab) to look for the relocated files in the new area.

Use the same basic procedure to sequentially copy the contents of each Default Web Site subfolder to the non-default location, then use IIS to point to the new location.

Note: After you have completed this procedure, stop and restart the World Wide Web Publishing Service to ensure that your changes have not caused any problems. From Control Panel, select ADMINISTRATIVE TOOLS > SERVICES, then right-click on World Wide Web Publishing from the list of services. From the context menu you can select STOP or START.


In addition to locating the Default Web Site on another drive, you should install MapInfo Discovery™ in an alternative location. This can be the same drive but in a unique subfolder under the relocated Default Web Site. This will help to ensure that anonymous login users can view and browse maps, but not gain access to more sensitive files that only administrators should be able to access.

Also, the MapInfo Discovery™ installation drive should be on a volume that does not have the operating system on it.

MapInfo Discovery™ executables, DLLs, and other sensitive files should be installed in directories that are secured with NTFS file permissions. These directories, files, and recommended permissions are described in Recommended NTFS Permissions Settings for MapInfo Discovery Server on page 12.

User Authentication

IIS 5.0 web sites can be configured to authenticate users before users are allowed access to the site, a folder in the site, or even a particular document within a folder at the site. For more information, review the following article, which describes how to configure web site authentication in IIS 5.0.

https://support.microsoft.com/default.aspx?scid=kb;en-us;310344

Tip: You can also locate this and related articles by searching all the words “anonymous authentication iis 5.0” in: http://www.msdn.com.

MapInfo Discovery uses Anonymous User authentication. This is more fully described in the next topic.


Anonymous User Access

When the Anonymous User option is enabled in IIS, any request for a web page from IIS will be seen as a request from Anonymous User. When a user requests a file via a web browser, the operating system checks file permissions to determine whether the Anonymous User has privileges to open the file. If Anonymous User has sufficient privileges, authentication is satisfied, and the file (web page) can be sent.

Note: Anonymous User access does not in itself compromise security. There are additional layers of security that you can implement to prevent anonymous users from getting access to restricted resources. These security steps are described in this document.

In IIS, anonymous users are assigned a default account of IUSR_<Your_Machine_Name>. The IUSR_<Your_Machine_Name> account is denied write access to web content by default.

Correction: In the MapInfo Discovery v1.1 Product Guide, the topic on Web and FTP Virtual Directories / Managing Disk Space incorrectly describes the access rights that should be granted to IUSR_<Your_Machine_Name>. Do not grant full control access rights to the IUSR_<Your_Machine_Name> account.

For more information on using anonymous login accounts, see the Microsoft web site at:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/iisbook/c09_anonymous_web_authentication.asp

Secure Sockets and Certificates

You can use HTTPS (HTTP using Secure Sockets) to make the information flow between the Discovery server and web browser more secure. For example, when an administrator logs on to a web site, the administrator’s password can be encrypted. Similarly, password-protected maps can be secured.

If you start a session using https (rather than simply http), the secure status is retained throughout the session. If you have configured your site to use SSL/HTTPS, you should distribute links as “https” so that users will use secure protocols when they access your site. For example:

https://<yourserver>/MiDiscovery/

IIS 5.0 mapping allows the administrator to set up a rule or group of rules that determine how a client authentication certificate is mapped to a Windows user account, without requiring the use of Basic or any other form of authentication.

The following article describes how to configure your web server for SSL/HTTPS.

https://support.microsoft.com/default.aspx?scid=kb;en-us;324069

Tip: You can also find this and related articles by searching all the words “certificate mapping iis 5.0” in: http://www.msdn.com.

The following article provides detailed information on implementing and using certificates in IIS 5.0:

https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/reskit/iischp9.mspx#EFAA


Securing MapInfo Discovery – IIS Web Site Permissions

Web and FTP permissions apply to all users accessing your Web and FTP sites. Web and FTP permissions control access to virtual directories on your Web or FTP site.

MapInfo Discovery allows IIS anonymous user access. Therefore, we recommend that you set appropriate security for every directory on the web site to prevent unintended use by anonymous users.

You should not grant both Write and Execute Scripts permissions to the anonymous user. In general, anonymous users should not be given the privilege to both Read from and Write to the same directory. Follow these steps to set the permissions for a directory in IIS.

1. Run IIS Manager by choosing START > CONTROL PANEL > ADMINISTRATIVE TOOLS > INTERNET SERVICES MANAGER.

2. Navigate to the Default Web Site, right-click on the virtual directory that you are interested in, and choose PROPERTIES. In this example we choose the MIDiscovery virtual directory.

3. The Properties dialog box for the directory will be displayed. This allows you to set the permissions for the directory. Read and Write permissions can be set by using a checkbox control. Script Execution permission can be set by using the "Execute Permissions" drop-down list.

4. For a secure site, you should never allow Script Execution and Write permission together. Good combinations to use are Read and Script Execution permission OR Write permission.


5. We recommend that you uncheck the checkboxes for Directory browsing, Log visits, and Index this resource.
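The rule in step 4 and the settings recommended in the Internet Information Services (IIS) Permission Settings table of this document can be checked mechanically. The following Python script is an added example, not MapInfo or Microsoft code: it assumes each virtual directory's AccessFlags value has already been read from the IIS metabase, it drops the `<drive_letter>...\` prefix from the table rows, and the readings in `OBSERVED` are constructed.

```python
import re

# IIS metabase AccessFlags bits for the permissions discussed above.
ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE, ACCESS_SCRIPT = 0x001, 0x002, 0x004, 0x200
BITS = {"R": ACCESS_READ, "W": ACCESS_WRITE, "S": ACCESS_SCRIPT}
NAMES = {ACCESS_READ: "Read", ACCESS_WRITE: "Write",
         ACCESS_EXECUTE: "Execute", ACCESS_SCRIPT: "Script"}

# Rows of the "Internet Information Services (IIS) Permission Settings" table
# in this document, with the "<drive_letter>...\" prefix dropped.
RECOMMENDED = r"""
MIDiscovery +R +S -W
MIDiscovery\ErrLog -R -W -S
MIDiscovery\docs -R -W -S
MIDiscovery\asplib +R -W -S
MIDiscovery\css +R -W -S
MiDiscovery\DiscoveryMapImages +R -W -S
MiDiscovery\DiscoveryMaps +R -W -S
MIDiscovery\Images +R -W -S
MIDiscovery\Js +R -W -S
MIDiscovery\Services +R +S -W
DiscoveryMaps +R -W -S
DiscoveryMapImages +R -W -S
"""

def parse_recommended(text):
    """Return {lowercased path: (bits that must be set, bits that must be clear)}."""
    rules = {}
    for line in text.strip().splitlines():
        path, *symbols = line.split()
        must_set, must_clear = 0, ACCESS_EXECUTE  # "+S" means "Scripts only"
        for sym in symbols:
            if not re.fullmatch(r"[+-][RWS]", sym):
                raise ValueError(f"unknown permission symbol {sym!r}")
            if sym[0] == "+":
                must_set |= BITS[sym[1]]
            else:
                must_clear |= BITS[sym[1]]
        rules[path.lower()] = (must_set, must_clear)  # Windows paths ignore case
    return rules

def describe(mask):
    return "+".join(name for bit, name in NAMES.items() if mask & bit)

def audit(observed, rules):
    """Compare observed AccessFlags values with the table; return (path, issue) pairs."""
    findings = []
    for path, flags in observed.items():
        # Step 4: Write must never be combined with script or executable execution.
        if flags & ACCESS_WRITE and flags & (ACCESS_SCRIPT | ACCESS_EXECUTE):
            findings.append((path, "Write combined with Script/Execute"))
        rule = rules.get(path.lower())
        if rule is None:
            findings.append((path, "not in recommended table"))
            continue
        must_set, must_clear = rule
        if must_set & ~flags:
            findings.append((path, "missing " + describe(must_set & ~flags)))
        if must_clear & flags:
            findings.append((path, "should not have " + describe(must_clear & flags)))
    return findings

# Constructed sample readings (virtual directory -> AccessFlags value).
OBSERVED = {
    r"MIDiscovery": 0x201,           # Read + Script
    r"MIDiscovery\ErrLog": 0x000,    # no access
    r"MIDiscovery\Services": 0x203,  # Read + Write + Script
    r"MIDiscovery\docs": 0x001,      # Read
    r"DiscoveryMaps": 0x003,         # Read + Write
}

if __name__ == "__main__":
    for path, issue in audit(OBSERVED, parse_recommended(RECOMMENDED)):
        print(f"{path}: {issue}")
```
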

Securing Pages Using IIS FTP Site Permissions

The MapInfo Discovery™ FTP site allows client users to publish to the DiscoveryMaps directory on the server. The Discovery Publisher establishes an FTP connection with the server and uploads the data for a map into the DiscoveryMaps directory. The Publisher also queries the DiscoveryMaps directory when accessing the user interface. Therefore, the FTP site needs to allow Read/Write access to this directory. However, the FTP site can restrict the list of machines that are allowed to access the DiscoveryMaps directory.

The following steps show how to secure FTP site permissions.

1. Run IIS Manager by choosing START > CONTROL PANEL > ADMINISTRATIVE TOOLS > INTERNET SERVICES MANAGER.


2. Navigate to the Default FTP Site, right-click on the DiscoveryMaps virtual directory, and choose PROPERTIES.

3. In the Properties dialog, on the Virtual Directory tab, set the following permissions for the DiscoveryMaps directory. The Discovery Publisher must be able to read and write to this directory. Therefore, you should keep the Read and Write options checked. The Log visits option should be unchecked.

4. You also can choose to restrict which machines can access the DiscoveryMaps Virtual Directory. This restriction is done by IP address. To do this, click on the Directory Security tab in the Properties dialog.

5. In the Directory Security tab of the Properties dialog, use the ADD... and REMOVE buttons to grant or deny access to certain machines. Specify the IP address that you wish to grant or remove. You can also specify groups of IP addresses. Click OK when finished. See also: Restricting FTP and HTTP Access on page 15.

This strategy ensures that only authorized people or groups of people will have access to the FTP site.


Securing Pages Using NTFS File Permissions

NTFS permissions apply to a specific user or group of users who have a valid Windows account. NTFS controls access to physical directories on your server. This differs from Web and FTP permissions, which apply to all users who access your Web or FTP site and control access to virtual directories on your web or FTP site.

For information on how to set required NTFS permissions and user rights for an IIS 5.0 Web server, see the following Microsoft support document. This document also describes the anonymous user permissions and access.

https://support.microsoft.com/default.aspx?scid=kb;en-us;271071

Tip: You can also locate this and related articles by searching all the words “ntfs iis 5.0” in http://www.msdn.com.

Web administrators can restrict file permissions using the Windows Access Control Lists (ACLs). You can do this on a file-by-file basis, or by changing the permissions on the whole directory and all files contained within that directory.

To change permissions on either an entire directory or on specific files within a directory, use Windows Explorer on an NTFS drive.

1. Using Windows Explorer, navigate to DISCOVERY > SERVER > WEBAPP and locate a file or directory you wish to secure.

2. Right-click on the file or directory that you want to secure. See the table NTFS Permissions Settings on page 14 for directories and recommended permissions. That same table includes recommended permissions for files in the \services and \services\mapengine folders.

3. For each selected directory or group of files, select PROPERTIES to display the Properties dialog box.

4. From the Security tab, select Internet Guest Account and click the ADVANCED... button.


5. In the Access Control Settings for WebApp dialog box, you will see a list of all users and groups with access privileges to the file or folder in question.

Note that in the Access Control Settings for WebApp dialog box, you can specify whether the permissions for a directory should recursively dictate the permissions of all child objects. You can also specify whether the permissions for this directory are inherited from its parent directory. These options are respectively set by the checkboxes at the bottom of the dialog box. These options are very useful when recursively setting the NTFS permissions (for example, on the <drive_letter>:\Program Files\MapInfo\Discovery\Server\WebApp directory and below).

6. In the Access Control Settings for WebApp dialog box, select the Internet Guest Account and then click on the VIEW/EDIT button. This displays the Permission Entry for WebApp dialog box.

7. Change the permissions for the Internet Guest Account at the file or directory level, as appropriate. In most cases, the Internet Guest Account should only be given Read access, as displayed above. In some cases, such as for executables or DLL files, the Internet Guest Account should be given no privileges. Click OK when done.

Recommended NTFS Permissions Settings for MapInfo Discovery Server

This section describes the recommended NTFS file permissions for your MapInfo Discovery Server. These settings will help improve the security of the server. The tables illustrate the permissions key and the recommended permissions.

The Key to File Permissions table specifies the permissions key, which defines the permissions format used in subsequent tables.

The Internet Information Services (IIS) Permission Settings table specifies the virtual directory permissions that can be set using IIS.

The NTFS Permissions Settings table specifies the NTFS file and directory permissions that can be set for the MapInfo Discovery™ Server-related files.


Key to File Permissions

| Symbol | Meaning | Actions Needed |
|---|---|---|
| +R | Grant Read Permissions | In IIS, check the "Read" checkbox. In NTFS, check the following checkboxes: (1) Read Permissions, (2) Read Attributes, (3) Read Extended Attributes, (4) List Folder / Read Data. |
| +W | Grant Write Permissions | In IIS, check the "Write" checkbox. In NTFS, check the following checkboxes: (1) Create Files / Write Data, (2) Write Attributes, (3) Write Extended Attributes, (4) Create Folders / Append Data. |
| +S | Grant Script Execution Permissions | In IIS, choose "Scripts only" in the "Execute Permissions" drop-down list. |
| +D | Grant Delete Permissions | In NTFS, check the following checkboxes: (1) Delete Subfolders and Files, (2) Delete. |
| +E | Grant Execute Permissions | In NTFS, check the following checkboxes: (1) Traverse Folder / Execute File. |
| -R | Deny Read Permissions | In IIS, uncheck the "Read" checkbox. In NTFS, uncheck the following checkboxes: (1) Read Permissions, (2) Read Attributes, (3) Read Extended Attributes, (4) List Folder / Read Data. |
| -W | Deny Write Permissions | In IIS, uncheck the "Write" checkbox. In NTFS, uncheck the following checkboxes: (1) Create Files / Write Data, (2) Write Attributes, (3) Write Extended Attributes, (4) Create Folders / Append Data. |
| -S | Deny Script Execution Permissions | In IIS, choose "None" in the "Execute Permissions" drop-down list. |
| -D | Deny Delete Permissions | In NTFS, uncheck the following checkboxes: (1) Delete Subfolders and Files, (2) Delete. |
| -E | Deny Execute Permissions | In NTFS, uncheck the following checkboxes: (1) Traverse Folder / Execute File. |


Internet Information Services (IIS) Permission Settings

| Directory | Permissions |
|---|---|
| <drive_letter>...\MIDiscovery | +R +S -W |
| <drive_letter>...\MIDiscovery\ErrLog | -R -W -S |
| <drive_letter>...\MIDiscovery\docs | -R -W -S |
| <drive_letter>...\MIDiscovery\asplib | +R -W -S |
| <drive_letter>...\MIDiscovery\css | +R -W -S |
| <drive_letter>...\MiDiscovery\DiscoveryMapImages | +R -W -S |
| <drive_letter>...\MiDiscovery\DiscoveryMaps | +R -W -S |
| <drive_letter>...\MIDiscovery\Images | +R -W -S |
| <drive_letter>...\MIDiscovery\Js | +R -W -S |
| <drive_letter>...\MIDiscovery\Services | +R +S -W |
| <drive_letter>...\DiscoveryMaps | +R -W -S |
| <drive_letter>...\DiscoveryMapImages | +R -W -S |

NTFS Permissions Settings

| Directory | Permissions |
|---|---|
| <drive_letter>...\MIDiscovery\WebApp | +R (recursively) |
| <drive_letter>...\MIDiscovery\ErrLog | +R +W |
| <drive_letter>...\MIDiscovery\docs | +R |
| <drive_letter>...\MIDiscovery\Asplib | +R |
| <drive_letter>...\MIDiscovery\DiscoveryMapImages | +R +W |
| <drive_letter>...\MIDiscovery\DiscoveryMaps | +R +W +D |
| <drive_letter>...\MIDiscovery\Images | +R |
| <drive_letter>...\MIDiscovery\Js | +R |
| <drive_letter>...\MIDiscovery\services\*.dll | +R +E |
| <drive_letter>...\MIDiscovery\services\*.tlb | +R +E |
| <drive_letter>...\MIDiscovery\services\*.exe | +R +E |
| <drive_letter>...\MIDiscovery\services\mapengine\* | +R +E |


Restricting FTP and HTTP Access

We recommend that you use Internet Information Services (IIS) to restrict access to the FTP and HTTP ports and permit access only from authorized IP addresses (or groups of addresses). This strategy will ensure that only authorized people or groups of people will have access to the FTP or HTTP site.

The following article provides an overview of configuring IIS web site authentication in Windows 2000.

https://support.microsoft.com/default.aspx?scid=kb;en-us;308160#4

Tip: You can also locate this and related articles by searching all the words “anonymous authentication iis 5.0” in http://www.msdn.com.

See the following Microsoft support document for a description of How to Limit FTP Access in Windows 2000. This discussion includes sections on configuring Anonymous users and limiting access to specific computers.

https://support.microsoft.com/default.aspx?scid=kb;en-us;318712

Tip: You can also locate this and related articles by searching all the words “iis ftp access” in http://www.msdn.com.

To effectively restrict FTP and HTTP access to your MapInfo Discovery™ server, you must know the IP address of all users who will access the site. If Discovery is deployed as an intranet application, you may have good control over this. However, if Discovery is deployed on the internet, it may be more difficult to identify every IP address that you wish to grant access.

Restricting Access to FTP Sites

You can use IIS to deny FTP access from selected IP addresses (and thereby permit access from other IP addresses). Follow these steps to permit access from those sites and restrict access from unknown sites.

The following strategy outlines the procedure for denying access to a known group of IP addresses.

1. Open IIS and right-click on the name of your Discovery FTP server.

2. Select the Directory Security tab.

3. The GRANTED ACCESS radio button will be selected by default. Change this to DENIED ACCESS. Selecting the Denied Access radio button means that by default all computers will be denied access to your Discovery FTP site. Only the sites you specify (in the following steps) will be granted access.

4. Click the ADD... button. The GRANT ACCESS ON dialog box will appear.

5. In the Grant Access On dialog box, select the GROUP OF COMPUTERS radio button. The Default Web Site Properties dialog box appears.


6. From the Directory Security tab, select EDIT... from the middle panel (IP addresses and domain name restrictions).

7. From the IP ADDRESSES AND DOMAIN NAME RESTRICTIONS dialog box, the Granted Access radio button should be selected. This means that by default all computers will be granted access to the Discovery FTP site except those that you will specify in the next step.

8. Click ADD... and enter the IP addresses or domain names that you wish to deny access to your Discovery FTP site.


Restricting Access to HTTP Sites

Similarly, you can restrict HTTP access to your Discovery site.

The procedure for doing this mirrors the procedure for restricting FTP access. Open IIS and right-click on your Discovery web site. Select the Directory Security tab, and follow the procedures similar to those outlined in the topic for Restricting Access to FTP Sites on page 15.
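The FTP and HTTP procedures above describe two ways of setting the Directory Security default: Denied Access with a list of granted computers, and Granted Access with a list of denied computers. The following Python script is an added example, not MapInfo or Microsoft code, that models both so you can see which source addresses each one admits; the function names are hypothetical and all addresses are constructed from documentation ranges.

```python
import ipaddress

def parse_entries(entries):
    """Turn exception-list entries into networks.

    An entry is either a single computer ("a.b.c.d") or a group of computers
    given as (network ID, subnet mask), the two forms the dialog offers.
    """
    networks = []
    for entry in entries:
        if isinstance(entry, tuple):
            network_id, mask = entry
            # strict=True rejects a network ID that has host bits set,
            # a common typo that would silently change which range is matched.
            networks.append(ipaddress.ip_network(f"{network_id}/{mask}", strict=True))
        else:
            networks.append(ipaddress.ip_network(f"{entry}/32"))
    return networks

def is_allowed(client, default, exceptions):
    """Evaluate one client address against a default plus its exception list."""
    if default not in ("granted", "denied"):
        raise ValueError("default must be 'granted' or 'denied'")
    listed = any(ipaddress.ip_address(client) in net for net in exceptions)
    # Default denied: only listed computers get in.
    # Default granted: everyone gets in except listed computers.
    return listed if default == "denied" else not listed

def admitted_only_by_default_grant(clients, grant_list, deny_list):
    """Clients a default-granted policy admits that a default-denied one rejects."""
    grants, denies = parse_entries(grant_list), parse_entries(deny_list)
    return [c for c in clients
            if is_allowed(c, "granted", denies) and not is_allowed(c, "denied", grants)]

# Constructed sample data.
PUBLISHERS = ["192.0.2.25", ("198.51.100.0", "255.255.255.0")]  # known publishers
BLOCKED = ["203.0.113.9"]                                       # one known bad source
CLIENTS = ["192.0.2.25", "198.51.100.77", "203.0.113.9",
           "203.0.113.200", "192.0.2.26"]

if __name__ == "__main__":
    for client in CLIENTS:
        print(client,
              "default-denied:", is_allowed(client, "denied", parse_entries(PUBLISHERS)),
              "default-granted:", is_allowed(client, "granted", parse_entries(BLOCKED)))
    print("admitted only by default-granted:",
          admitted_only_by_default_grant(CLIENTS, PUBLISHERS, BLOCKED))
```
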
