
Policy Advisor for WSE 3.0

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


patterns & practices Developer Center

Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0

Microsoft Corporation

Web Service Security: Home
December 2005


Contents

Overview
PolicyAdvisor.xml
Input Format
Output Format
Using Policy Advisor with Visual Studio 2005

Overview

In Web services and clients implemented with WSE 3.0, you can use declarative XML configuration and policy files to determine many aspects of SOAP message processing. Separating security-critical processing from code is considered good practice, because it makes manual review easier and allows you to customize behavior during deployment without recompiling code. However, the flexibility of the configuration and policy formats creates a risk that subtle errors can occur. These errors can leave Web services vulnerable to replay, man-in-the-middle, redirection, and dictionary attacks. In the context of SOAP security, these are known as XML rewriting attacks to distinguish them from other types of attack, such as buffer overruns or SQL injection.

Policy Advisor is a security tool for WSE 3.0 that you can use to help you review the security of WSE 3.0 installations. The tool examines the configuration and policy files for one or more WSE 3.0 endpoints, highlights typical security risks, including XML rewriting attacks, and provides some remedial advice. The tool also summarizes the associated trace files when they are present, and displays message flows between the endpoints. Like most automated security tools, Policy Advisor can generate false alarms. Conversely, an absence of warnings does not guarantee an absence of security vulnerabilities. However, Policy Advisor isolates a range of vulnerabilities to XML rewriting attacks that you otherwise might not detect.

PolicyAdvisor.xml

Policy Advisor is implemented as an XSL transform that processes a user-supplied XML endpoints file to discover and analyze WSE 3.0 security policy and configuration files. After you install the samples, you can access the Policy Advisor tool in the WSE 3.0 installation at /samples/Policy Advisor/PolicyAdvisor.xml.

If you open the PolicyAdvisor.xml file in Internet Explorer, you can view the documentation for the Policy Advisor, including a list of all the security risks that the Advisor identifies, as shown in Figure 1.


Figure 1. PolicyAdvisor.xml viewed in Internet Explorer

Input Format

An example endpoints file named WSE Sample Endpoints.xml is located in the same folder as the PolicyAdvisor.xml file. This file lists a selection of the client and server endpoints in the WSE 3.0 samples.

If you open the WSE Sample Endpoints.xml file in Notepad, you can see the XML input format, which is a sequence of endpoint elements within a root endpoints element, as shown in Figure 2.


Figure 2. WSE Sample Endpoints.xml displaying how endpoints are configured in the policy advisor

An endpoint element may have the following attributes, each of which is optional:

  • name: This is a name to identify the endpoint in the report that the Policy Advisor generates.
  • path: This is a base path for the following attributes.
  • config: This is the configuration file for the endpoint. The concatenation of path and config is the path to the configuration file.
  • policyCache: This is the policy file for the endpoint. The concatenation of path and policyCache is the path to the policy file.
  • input: This is an existing trace of input messages for the endpoint that when present illustrates its message flow. The concatenation of path and input is the path to the trace file.
  • output: This is an existing trace of output messages for the endpoint that when present illustrates its message flow. The concatenation of path and output is the path to the trace file.

Relative paths are resolved with respect to the folder that contains the PolicyAdvisor.xml file, not the folder that contains the endpoints file (the Policy Advisor documentation states this incorrectly). This file format is specific to the Policy Advisor tool and contains the XSLT expressions that generate the evaluation report. No other WSE 3.0 components use it.

Use caution when editing the input files. If any of the paths cannot be resolved to a file, the XSL engine fails while running the transform in the PolicyAdvisor.xml file and generates an error message such as: "The system cannot locate the resource specified."
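A pre-flight check for an endpoints file, added here as an example (it is not part of the WSE 3.0 samples). It applies the rules described above: each file attribute is concatenated with path, and the result is resolved relative to the folder that holds PolicyAdvisor.xml. The sample endpoints file and the folder layout it is checked against are constructed for the example.

```python
# Added example, not from the WSE 3.0 samples: report endpoint attributes
# that do not resolve to a file before the XSL engine is asked to run.
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

FILE_ATTRS = ("config", "policyCache", "input", "output")

def resolve(advisor_dir, path_attr, file_attr):
    """Concatenate path + attribute (as the tool does) and resolve it
    relative to the PolicyAdvisor.xml folder; backslashes are accepted."""
    rel = PureWindowsPath(path_attr + file_attr)
    if rel.is_absolute():
        return Path(rel.as_posix())
    return Path(advisor_dir) / rel.as_posix()

def check_endpoints(endpoints_xml, advisor_dir):
    """Return (endpoint name, attribute, resolved path, exists) for every
    file attribute present on each <endpoint>; absent attributes are
    optional and are skipped."""
    results = []
    for ep in ET.fromstring(endpoints_xml).iter("endpoint"):
        base = ep.get("path", "")
        for attr in FILE_ATTRS:
            if ep.get(attr) is not None:
                target = resolve(advisor_dir, base, ep.get(attr))
                results.append((ep.get("name", "?"), attr, str(target), target.is_file()))
    return results

# Constructed sample: the second endpoint names a policy cache file that
# is not on disk, which would make the transform fail.
SAMPLE = """<endpoints>
  <endpoint name="Client" path="Samples\\Client\\" config="App.config"
            policyCache="wse3policyCache.config" />
  <endpoint name="Service" path="Samples\\Service\\" config="Web.config"
            policyCache="missing.config" input="input.log" />
</endpoints>"""

def demo():
    """Build a scratch folder standing in for the Policy Advisor folder,
    run the check and return the (endpoint, attribute) pairs that fail."""
    with tempfile.TemporaryDirectory() as advisor_dir:
        for rel in ("Samples/Client/App.config", "Samples/Client/wse3policyCache.config",
                    "Samples/Service/Web.config", "Samples/Service/input.log"):
            p = Path(advisor_dir) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<configuration/>")
        return [(n, a) for n, a, _, ok in check_endpoints(SAMPLE, advisor_dir) if not ok]

if __name__ == "__main__":
    for name, attr in demo():
        print(f"endpoint {name!r}: attribute {attr!r} does not resolve to a file")
```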

Output Format

If you open the WSE Sample Endpoints.xml file in Internet Explorer, you can see a sample report, as shown in Figure 3.


Figure 3. WSE Sample Endpoints.xml illustrates a Policy Advisor sample report

The first part of the report lists the names of the endpoints in the input file, and links to the associated files, such as the configuration and policy files.

The next part of the report, shown in Figure 4, aggregates the results of running a collection of security queries on all the configuration and policy files provided as input. For each query that is triggered, the report includes a one-line summary, a list of the endpoints that triggered the query, a description of the risk, and advice for a suggested action.


Figure 4. WSE Sample Endpoints.xml illustrating how the Policy Advisor tool issues advisories

The report describes issues such as weak or apparently inconsistent security properties, shows settings that are useful during testing but inappropriate in production, and raises some questions that you can address during security reviews.

As well as presentational markup, the Extensible Hypertext Markup Language (XHTML) output includes <instance> elements that contain the raw results of queries. This means that it is possible to use batch scripts to run the Policy Advisor tool and then extract the raw data of the report to compare it with previous reports.
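One way to do that comparison, added here as an example that is not part of the WSE 3.0 samples: pull the <instance> elements out of two XHTML reports, ignoring the presentational markup around them, and list the query instances that appeared or disappeared between runs. The two reports and the attributes on their <instance> elements are constructed for illustration; the real payload is whatever the tool's queries emit.

```python
# Added example, not from the WSE 3.0 samples: compare the raw <instance>
# results of two Policy Advisor reports.
import xml.etree.ElementTree as ET

def instances(report_xhtml):
    """Return the set of <instance> elements, serialized with whitespace
    normalized, so two reports compare equal regardless of layout markup."""
    found = set()
    for el in ET.fromstring(report_xhtml).iter():
        if el.tag.rsplit("}", 1)[-1] == "instance":   # ignore the XHTML namespace
            text = ET.tostring(el, encoding="unicode")
            found.add(" ".join(text.split()))
    return found

def compare_reports(previous, current):
    """Return (new findings, resolved findings) between two report runs."""
    before, after = instances(previous), instances(current)
    return sorted(after - before), sorted(before - after)

# Constructed reports: the second run no longer raises Q2 for the client,
# but raises Q1 for a second endpoint.
OLD = """<html xmlns="http://www.w3.org/1999/xhtml"><body>
<h2>Advisories</h2>
<instance query="Q1" endpoint="Client">summary A</instance>
<instance query="Q2" endpoint="Client">summary B</instance>
</body></html>"""
NEW = """<html xmlns="http://www.w3.org/1999/xhtml"><body>
<h2>Advisories</h2>
<instance query="Q1" endpoint="Client">summary A</instance>
<instance query="Q1" endpoint="Service">summary A</instance>
</body></html>"""

if __name__ == "__main__":
    added, resolved = compare_reports(OLD, NEW)
    print("new:", *added, sep="\n  ")
    print("resolved:", *resolved, sep="\n  ")
```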

Using Policy Advisor with Visual Studio 2005

You can include an endpoints file in a project and invoke Policy Advisor directly in Visual Studio 2005, as shown in Figure 5.


Figure 5. Using Policy Advisor in Visual Studio 2005

To invoke Policy Advisor in Visual Studio 2005, perform the following steps.

To use Policy Advisor in Visual Studio 2005

  1. Open the solution, then in the Solution Explorer, right-click the project and click Add Existing Item.
  2. Navigate to the directory in WSE 3.0 where the policy advisor sample is installed. By default, it is located at C:\Program Files\Microsoft WSE\v3.0\Samples\Policy Advisor.
  3. Select the PolicyAdvisor.xml file and click Add.
  4. In the Solution Explorer, right-click the project and click Add New Item.
  5. In the same directory as the PolicyAdvisor.xml file, locate the WSE Sample Endpoints.xml file, select it, and then click Add.
  6. In the Solution Explorer, right-click the WSE Sample Endpoints.xml file, select Rename, and then rename the file as endpoints.xml.
  7. In the Solution Explorer, double-click the endpoints.xml file to open it.
  8. Identify one <endpoint> element in the file for each application that you want to run against the Policy Advisor tool.
  9. Delete the remaining <endpoint> elements from the file.
  10. Update the name attribute of each <endpoint> element that remains in the file with the name that you want to use for the endpoint.
  11. Update the path attribute of each <endpoint> element to point to the project folder for that endpoint. Ensure that a backslash "\" appears at the end of the path.
  12. Update the config attribute of each <endpoint> element to point to the configuration file for that application. This is usually "App.config" or "Web.config" for client applications and Web applications, respectively.
  13. Update the policyCache attribute of each <endpoint> element to point to the policy cache file for that application. If you used the default settings to configure policy on the application, the policy cache file name is "wse3policyCache.config".
  14. In the Properties window, specify the output location in the Output property. This is usually an .htm file, such as "PolicyOutput.htm".
  15. Specify the Stylesheet as the PolicyAdvisor.xml file that you added in Step 3.
  16. On the toolbar, click the Show XSLT Output button to display the results of the policy analysis of your configured applications as shown in Figure 6.


Figure 6. The Policy Advisor output file that displays in Visual Studio 2005


© 2014 Microsoft. All rights reserved.