vulnerability affecting ASP.NET and SharePoint


Microsoft has recently released a Microsoft Security Advisory for a vulnerability affecting ASP.NET.  This post documents recommended workarounds for the following SharePoint products:

  • SharePoint 2010
  • SharePoint Foundation 2010
  • Microsoft Office SharePoint Server 2007
  • Windows SharePoint Services 3.0
  • Windows SharePoint Services 2.0

A workaround is not necessary for SharePoint Portal Server 2003. 

The workarounds for the affected versions of SharePoint and Windows SharePoint Services listed above are temporary measures that do not fix the underlying issue but help to block known attack vectors until an ASP.NET security update is released.  We will provide instructions on how to revert the workarounds when the security update is released.

Microsoft recommends that all affected SharePoint customers apply the workaround as soon as possible.  You should apply the workaround to every web front-end in your SharePoint farm.

Security issue in WSS 3.0 and MOSS


You have to be careful if you use the SharePoint Central Administration tool to change the account running the Application Pool used by a Web Application to provide SharePoint content.
The steps are quite simple: you open the SharePoint Central Administration, go to Operations, select Service Accounts (under Security Configuration), select your Web Application and type in the new account.
Once the account is changed, SharePoint will add a new login in SQL granting the new account the required rights to the content database.
The problem is that it will also grant the account the Security Admins and Database Creator roles on the SQL Server, which is too many rights for the account running the application pool used by the Web Application providing SharePoint content.  These permissions are required by the account running the Application Pool for the SharePoint Central Administration, not by the application pool used by the content Web Applications.
So now, as my security best practice, if I change the application pool account running the SharePoint content application via the SharePoint Central Administration tool, I go and remove the Security Admins and Database Creator roles in SQL for the new account's login.
Also, you should remove the rights from the old account, because when you change the accounts used by the application pools, SharePoint will not automatically remove the rights from the old account in SQL.
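The audit and clean-up described above, as an added T-SQL script that is not part of the original post. It assumes a SQL Server 2005/2008-era instance hosting the WSS/MOSS databases and uses placeholder names (CONTOSO\svc_spcontent for the new content pool account, CONTOSO\svc_spcontent_old for the previous one, WSS_Content for a content database) that you must replace with your own.

```sql
-- Added audit/remediation script (not from the original post).
-- Placeholders: CONTOSO\svc_spcontent (new content-pool account),
-- CONTOSO\svc_spcontent_old (previous account), WSS_Content (a content DB).

-- 1. Who currently holds the two fixed server roles the post warns about?
--    Only the Central Administration pool account should be listed.
SELECT r.name AS server_role,
       m.name AS login_name,
       m.type_desc
FROM   sys.server_role_members AS rm
       JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
       JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN ('securityadmin', 'dbcreator')
ORDER  BY r.name, m.name;

-- 2. Strip the roles from the content Web Application's pool account.
--    sp_dropsrvrolemember works on SQL 2005/2008; on 2012 and later
--    ALTER SERVER ROLE ... DROP MEMBER can be used instead.
EXEC sp_dropsrvrolemember @loginame = 'CONTOSO\svc_spcontent', @rolename = 'securityadmin';
EXEC sp_dropsrvrolemember @loginame = 'CONTOSO\svc_spcontent', @rolename = 'dbcreator';

-- 3. SharePoint leaves the old pool account's rights in place: remove its
--    server roles, then its database rights in every content database.
EXEC sp_dropsrvrolemember @loginame = 'CONTOSO\svc_spcontent_old', @rolename = 'securityadmin';
EXEC sp_dropsrvrolemember @loginame = 'CONTOSO\svc_spcontent_old', @rolename = 'dbcreator';

USE WSS_Content;
GO
-- Show what the old account still holds in this content database.
SELECT r.name AS database_role,
       u.name AS user_name
FROM   sys.database_role_members AS drm
       JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
       JOIN sys.database_principals AS u ON u.principal_id = drm.member_principal_id
WHERE  u.name = 'CONTOSO\svc_spcontent_old';

-- Drop the mapped user once it owns no schemas or objects; its role
-- memberships go with it. Repeat for each content database.
DROP USER [CONTOSO\svc_spcontent_old];
GO
```

Re-run the first query afterwards to confirm that only the Central Administration pool account remains in securityadmin and dbcreator.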