Thursday, September 11, 2008

IdentityMinder - Protect your TEWS WebService

If you work with IdentityMinder, you probably know about TEWS, the Task Execution Web Service. TEWS lets IdentityMinder tasks (the same ones normally run through the GUI) be executed by posting XML to the TEWS web service.

One thing that a few people may not know is how loose the security is on TEWS, particularly the old version of TEWS (which is still installed with IdentityMinder). Any task that is enabled for the web service (you can see these marked as webservice="true" in the Role and Task Settings XML file for any environment) can be executed with nothing more than an administrative User DN. That's right, no password is required. The other, and probably more dangerous, part of the TEWS web service is that once it is enabled, it is not protected by SiteMinder by default. I was recently reminded of this again on an IdentityMinder system, which got me thinking. A quick Google search on the internet showed many (> 10) systems out there with TEWS exposed to the internet. I contacted a few of these systems, ones that might have a lot riding on their security, and let them know about the potential vulnerability.

In short, if you install IdentityMinder, protect the TEWS web service via SiteMinder on the internet side, and preferably with network ACLs and IPsec/VPN as well. If back-end systems need access to TEWS, limit the number of users who can access TEWS to the bare minimum.
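As an added example (my own script, not from the original post or from the IdentityMinder product), here is a small audit that reads a Role and Task Settings XML export, lists every task flagged webservice="true", and flags any that are not on an allow-list of tasks a back-end system genuinely needs. The element and attribute names in the sample XML (other than the webservice attribute) are assumptions for illustration, not the real export schema.

```python
"""Audit an IdentityMinder Role and Task Settings export for TEWS-enabled tasks."""
import xml.etree.ElementTree as ET

# Constructed sample export. Element names and the "name" attribute are assumed
# for this example; only the webservice="true" flag comes from the post.
SAMPLE_ROLE_TASK_SETTINGS = """<?xml version="1.0"?>
<RoleTaskSettings>
  <AdminTask name="Create User" webservice="true"/>
  <AdminTask name="Modify User" webservice="TRUE"/>
  <AdminTask name="View User" webservice="false"/>
  <AdminTask name="Delete User"/>
</RoleTaskSettings>
"""


def find_webservice_tasks(xml_text):
    """Return the names of all elements flagged webservice="true".

    Every element in the tree is inspected, so the check does not depend on
    the exact schema; the flag is compared case-insensitively because an
    export may carry "TRUE" or "true". The task name is taken from an assumed
    "name" attribute, falling back to the element tag.
    """
    root = ET.fromstring(xml_text)
    exposed = []
    for elem in root.iter():
        if elem.get("webservice", "").strip().lower() == "true":
            exposed.append(elem.get("name", elem.tag))
    return exposed


def unexpected_exposure(xml_text, allowed_tasks):
    """Return TEWS-enabled tasks that are not on the allow-list.

    Anything returned here widens the web-service attack surface beyond what
    the back-end integration actually requires and should be disabled.
    """
    allowed = {name.lower() for name in allowed_tasks}
    return [t for t in find_webservice_tasks(xml_text) if t.lower() not in allowed]


if __name__ == "__main__":
    # Only "Create User" is assumed to be needed by the back-end integration.
    for task in unexpected_exposure(SAMPLE_ROLE_TASK_SETTINGS, ["Create User"]):
        print("TEWS-enabled task not on the allow-list:", task)
```

Run it against the real export for each environment and disable the web-service flag on every task the script reports, then verify the TEWS URL is covered by a SiteMinder policy before exposing it.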
