{"id":1728,"date":"2016-12-22T06:54:51","date_gmt":"2016-12-21T22:54:51","guid":{"rendered":"http:\/\/www.jhouseconsulting.com\/?p=1728"},"modified":"2023-06-17T17:35:32","modified_gmt":"2023-06-17T09:35:32","slug":"installing-configuring-securing-and-using-mdt-webservices-part-2","status":"publish","type":"post","link":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2016\/12\/22\/installing-configuring-securing-and-using-mdt-webservices-part-2-1728","title":{"rendered":"Installing, Configuring, Securing and Using MDT Webservices \u2013 Part 2"},"content":{"rendered":"<p>In <a href=\"http:\/\/www.jhouseconsulting.com\/2016\/12\/12\/installing-configuring-securing-and-using-mdt-webservices-part-1-1713\" target=\"_blank\">Part 1<\/a> we walked through <a href=\"http:\/\/www.jhouseconsulting.com\/2016\/12\/12\/installing-configuring-securing-and-using-mdt-webservices-part-1-1713\" target=\"_blank\">the installation and configuration of Deployment Webservices<\/a>. In this part we will focus on securing the Webservice.<\/p>\n<p>There are five&nbsp;(5) main areas that I focus on to lock down the Webservice, and I&#8217;ll include two (2) optional areas for consideration:<\/p>\n<ol>\n<li>Use Request Filtering, which is basically what the old URL Scan morphed into from IIS 7 (Windows 2008) and above. Request Filtering gives a tighter level of control over the settings and where they are applied than&nbsp;URL Scan ever did.<\/li>\n<li>Authentication &#8211; Disable anonymous authentication. That should be a no-brainer!<\/li>\n<li>Authorization Rules &#8211; Only allow specific users access.<\/li>\n<li>Changing the authenticatedUserOverride serverRuntime setting to UseWorkerProcessUser. IIS 7.5 (Windows 2008 R2) and above allows us to configure IIS so that the worker process identity is used for accessing resources, such as the file system, whilst the authenticated user is only used for authorization purposes. 
This means that you only need to set NTFS permissions for the worker process identity.<\/li>\n<li>Setting NTFS Permissions on the DeploymentWebservice folder for the worker process identity.<\/li>\n<li>Optionally, you can also exclude some of the higher risk AD Functions.<\/li>\n<li>Optionally, you can also SSL enable the site with a certificate.<\/li>\n<\/ol>\n<p><!--more--><\/p>\n<p><strong>1) Request Filtering<\/strong><\/p>\n<p>I lock down the file extensions and verbs allowed. If you have a better process, please let me know via the comments.<\/p>\n<p>By default:<\/p>\n<ul>\n<li>The \u201cAllow unlisted file name extensions\u201d (fileExtensions allowUnlisted) attribute is set to TRUE. This means that you must list all file name extensions you want to deny. So we set this to FALSE&nbsp;and then only need to list the minimum number of file name extensions allowed in order to ensure the Webservice functions correctly.<\/li>\n<li>Likewise the \u201cAllow unlisted verbs\u201d (verbs allowUnlisted) attribute is set to TRUE. This means that you must list all verbs you want to deny. 
So again we set this to&nbsp;FALSE and then only need to list the minimum number of verbs allowed in order to ensure the Webservice functions correctly.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1729\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter wp-image-1729 size-full\" title=\"Request Filtering General Settings\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-General-Settings.png\" alt=\"Request Filtering General Settings\" width=\"399\" height=\"483\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-General-Settings.png 399w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-General-Settings-248x300.png 248w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-General-Settings-300x363.png 300w\" sizes=\"(max-width: 399px) 100vw, 399px\" \/><\/a><\/p>\n<p>The Web Service only requires two extensions to function correctly:<\/p>\n<ul>\n<li>DLL extension (dll)<\/li>\n<li>Web Service extension (asmx)<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1730\"><img decoding=\"async\" class=\"aligncenter wp-image-1730 size-full\" title=\"Request Filtering File Name Extensions Allowed\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-File-Name-Extensions-Allowed.png\" alt=\"Request Filtering File Name Extensions Allowed\" width=\"680\" height=\"184\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-File-Name-Extensions-Allowed.png 680w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-File-Name-Extensions-Allowed-300x81.png 300w\" sizes=\"(max-width: 680px) 100vw, 680px\" 
\/><\/a><\/p>\n<p>The Web Service only requires&nbsp;two verbs to function correctly:<\/p>\n<ul>\n<li>GET<\/li>\n<li>POST<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1731\"><img decoding=\"async\" class=\"aligncenter wp-image-1731 size-full\" title=\"Request Filtering HTTP Verbs Allowed\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-HTTP-Verbs-Allowed.png\" alt=\"Request Filtering HTTP Verbs Allowed\" width=\"681\" height=\"165\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-HTTP-Verbs-Allowed.png 681w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Request-Filtering-HTTP-Verbs-Allowed-300x73.png 300w\" sizes=\"(max-width: 681px) 100vw, 681px\" \/><\/a><\/p>\n<p><strong>2) Authentication<\/strong><\/p>\n<ul>\n<li>Disable Anonymous Authentication<\/li>\n<li>Enable Windows Authentication<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1732\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1732 size-full\" title=\"Authentication\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Authentication.png\" alt=\"Authentication\" width=\"419\" height=\"218\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Authentication.png 419w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Authentication-300x156.png 300w\" sizes=\"(max-width: 419px) 100vw, 419px\" \/><\/a><\/p>\n<p><strong>3) Authorization Rules<\/strong><\/p>\n<ul>\n<li>Edit the default rule and change from \u201cAll users\u201d to \u201cSpecified users\u201d<\/li>\n<li>Add the MDT Domain Join Account in the format of Domain\\Username\n<ul>\n<li>Set the \u201cFQDNDomainName\\Username\u201d to match the deployment share rules (CustomSettings.ini). 
I&nbsp;DO NOT use the \u201cNetBIOSDomainName\\Username\u201d format, as it may be slow in large\/complex environments.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1733\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1733 size-full\" title=\"Authorization Rules\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Authorization-Rules.png\" alt=\"Authorization Rules\" width=\"569\" height=\"116\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Authorization-Rules.png 569w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Authorization-Rules-300x61.png 300w\" sizes=\"(max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p><strong>4) Changing the authenticatedUserOverride setting to UseWorkerProcessUser<\/strong><\/p>\n<ul>\n<li>Open Configuration Editor<\/li>\n<li>Select Section:&nbsp;system.webServer\/serverRuntime<\/li>\n<li>Change&nbsp;authenticatedUserOverride from&nbsp;UseAuthenticatedUser to&nbsp;UseWorkerProcessUser<\/li>\n<li>Select Apply<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1736\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1736 size-full\" title=\"authenticatedUserOverride serverRuntime setting\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/authenticatedUserOverride-serverRuntime-setting.png\" alt=\"authenticatedUserOverride serverRuntime setting\" width=\"566\" height=\"267\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/authenticatedUserOverride-serverRuntime-setting.png 566w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/authenticatedUserOverride-serverRuntime-setting-300x142.png 300w\" sizes=\"(max-width: 566px) 100vw, 566px\" \/><\/a><\/p>\n<p><strong>5) Setting NTFS 
Permissions on the&nbsp;DeploymentWebservice folder<\/strong><\/p>\n<p>Your initial&nbsp;permissions on the &#8220;DeploymentWebservice&#8221; folder&nbsp;may vary depending on your default server template, security policies, etc. However, for this step you must remove the generic principals such as Users, Authenticated Users, and Creator Owner, and only add the MDT domain join account.<\/p>\n<ul>\n<li>Disable&nbsp;inheritance and convert to explicit permissions.&nbsp;<\/li>\n<li>Remove all instances of the Users, Authenticated Users, and Creator Owner&nbsp;principals.<\/li>\n<li>Add the MDT domain join account with Read&nbsp;&amp; execute permissions<\/li>\n<\/ul>\n<ol>\n<ol>\n<ul>\n<li style=\"padding-left: 30px;\">Applies To: This folder, subfolders and files<\/li>\n<li style=\"padding-left: 30px;\">Basic Permissions:\n<ul>\n<li style=\"padding-left: 30px;\">Read &amp; Execute<\/li>\n<li style=\"padding-left: 30px;\">List Folder Contents<\/li>\n<li style=\"padding-left: 30px;\">Read<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/ol>\n<\/ol>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1755\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1755 size-full\" title=\"NTFS - Read &amp; execute permissions\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-Read-execute-permissions.png\" alt=\"NTFS - Read &amp; execute permissions\" width=\"640\" height=\"412\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-Read-execute-permissions.png 640w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-Read-execute-permissions-300x193.png 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<ul>\n<li>Add the MDT domain join account with Special permissions<\/li>\n<\/ul>\n<ol>\n<ol>\n<ul>\n<li style=\"padding-left: 30px;\">Applies To: This folder and subfolders<\/li>\n<li style=\"padding-left: 
30px;\">Advanced&nbsp;Permissions:\n<ul>\n<li style=\"padding-left: 30px;\">Create files \/write data<\/li>\n<li style=\"padding-left: 30px;\">Create folders \/append data<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/ol>\n<\/ol>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1756\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1756 size-full\" title=\"NTFS - Special permissions\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-Special-permissions.png\" alt=\"NTFS - Special permissions\" width=\"640\" height=\"418\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-Special-permissions.png 640w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-Special-permissions-300x196.png 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>End state permissions will look something like the following screen shot.<\/p>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1757\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1757 size-full\" title=\"NTFS - End State\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-End-State.png\" alt=\"NTFS - End State\" width=\"640\" height=\"406\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-End-State.png 640w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/NTFS-End-State-300x190.png 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><strong>6) Exclude some of the higher risk AD Functions<\/strong><\/p>\n<p>Some functions are excluded by default under the Application Settings. You can certainly exclude more to limit the risk. 
As mentioned in <a href=\"http:\/\/www.jhouseconsulting.com\/2016\/12\/12\/installing-configuring-securing-and-using-mdt-webservices-part-1-1713\" target=\"_blank\">Part 1<\/a>, you also have the option of using <a href=\"http:\/\/deploymentresearch.com\/Research\/Post\/562\/Moving-Computers-to-another-OU-during-deployment-Webservice-style\" target=\"_blank\">Johan Arwidmark\u2019s cut-down version<\/a>, as it only contains the MoveComputerToOU and AddComputerToGroup functions.<\/p>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/?attachment_id=1741\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1741 size-full\" title=\"Exclude AD Functions\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Exclude-AD-Functions.png\" alt=\"Exclude AD Functions\" width=\"571\" height=\"532\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Exclude-AD-Functions.png 571w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2016\/12\/Exclude-AD-Functions-300x280.png 300w\" sizes=\"(max-width: 571px) 100vw, 571px\" \/><\/a><\/p>\n<p><strong>7) SSL enable the site with a certificate<\/strong><\/p>\n<p>Enabling SSL will provide an encrypted communication layer between the client (typically WinPE) and the Webservice. Whilst this is a good practice, I don&#8217;t implement this because I feel that a man-in-the-middle attack to sniff the network traffic in an attempt to obtain the credentials for the MDT domain join account is low risk for this scenario.<\/p>\n<p><strong>Conclusion:<\/strong><\/p>\n<p>If you followed and implemented at least the first five (5) steps, your Webservice will be locked down and limited to the MDT domain join account only. This removes a large amount of exposure and risk when deploying the Webservice in any corporate environment. 
<a href=\"http:\/\/www.jhouseconsulting.com\/2019\/06\/28\/installing-configuring-securing-and-using-mdt-webservices-part-3-1816\" target=\"_blank\">Part 3 will demonstrate how to use the Webservice via a PowerShell script<\/a>.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Part 1 we walked through the installation and configuration of Deployment Webservices. In this part we will focus on securing the Webservice. There are five&nbsp;(5) main areas that I focus on to lock down the Webservice, and I&#8217;ll include two (2) optional areas for consideration: Use Request Filtering, which is basically what the old &#8230; <a title=\"Installing, Configuring, Securing and Using MDT Webservices \u2013 Part 2\" class=\"read-more\" href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2016\/12\/22\/installing-configuring-securing-and-using-mdt-webservices-part-2-1728\" aria-label=\"Read more about Installing, Configuring, Securing and Using MDT Webservices \u2013 Part 2\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[202,388,103,389],"tags":[469,467,468,475,449,473,458,477,476,457,390,452,471,472,466,464,465,474,470,451,450,461],"class_list":["post-1728","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-mdt","category-methodologies","category-osd","tag-authenticateduseroverride","tag-authentication","tag-authorization-rules","tag-certificate","tag-deployment-webservice","tag-exclude","tag-johan-arwidmark","tag-lock-down","tag-lockdown","tag-maik-koster","tag-mdt","tag-mdt-webservice","tag-ntfs","tag-ntfs-permissions","tag-request-filtering","tag-secure","tag-securing","tag-ssl","tag-useworkerprocessuser","tag-web-service","tag-webservice","tag-winpe"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/comments?post=1728"}],"version-history":[{"count":5,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1728\/revisions"}],"predecessor-version":[{"id":2005,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1728\/revisions\/2005"}],"wp:attachment":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/media?parent=1728"}],"wp:term":[{"taxonomy":"cat
egory","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/categories?post=1728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/tags?post=1728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}