@CyberForge
Saturday, May 31, 2003
pretty soon, starting with an example application of web services and Windows Controls hosted in a Web Browser. ....... [InkBlog : The Random Musings of David Weller]
Excellent.. I am looking forward to that very much. I was the technical lead for .NET implementation at my company (one of those Fortune 500) and actively lobbied for and got the .NET 1.1 version of the Framework installed as part of a standard desktop build. My justification was that in the future, the complexity of the UI choice will be dependent on the business requirements and Smart Client Applications are a very viable choice going forward for apps that require a richer UI.
I hope that you will pay particular attention to issues regarding CAS policies and customizing policies to grant selective access to protected resources and how to best deploy these types of applications.
Oh yes, InkBlog is David's opinions and not that of his employer.. LOL!
4:27:02 PM
Thursday, May 29, 2003
With the goal of "Helping developers to create secure software", Microsoft has launched its newest MSDN Developer Center @ http://msdn.microsoft.com/security/
UPDATE: Brian Johnson, the content strategist for the site, has a blog at http://www.bufferoverrun.net/.
9:15:59 PM
Wednesday, May 28, 2003
Sean 'Early' Campbell & Scott 'Adopter' Swigart talk about locking down the ASP.NET State Service.
But their proposed solution seems to defeat the purpose of having a State Service in the first place. The way that you configure State Service in a farm is to enable it on one machine in the farm and point all others to it. By disabling remote connections, you are NOT sharing the session state across the farm. This procedure only serves any purpose if the intent is to save session state between process recycles (as noted above). Of course, then you would have to enable it on each machine in the farm as well.
State Service to me has always been the odd one out as I consider it a single point of failure in a web farm. When architecting our web farm, our choice of Out-Of-Process session storage was SQL Server. If you use the persistent storage option and the SQL Server is hosted on a cluster, sessions can survive a SQL Server failure as well. And since the performance difference between a State Service option and SQL Server is negligible (within a few percentage points), I'll go with SQL Server every time.
As to how you would secure the traffic between the Webserver and SQL Server, Building Secure ASP.NET Applications gives you some options.
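An added example (not from the original post or the articles it links) showing the two farm-wide session storage configurations discussed above as web.config fragments; the host names, database name, login and port are placeholders, and the registry value named in the comment is the one the State Service uses to accept or refuse remote callers.

```xml
<!-- Added example: web.config <sessionState> settings for a web farm.
     STATEHOST, SQLCLUSTER, the login and the password are placeholders. -->
<configuration>
  <system.web>

    <!-- Option 1: a single State Service shared by the whole farm.
         Every server in the farm points at the SAME host, so the
         aspnet_state service on STATEHOST must accept remote
         connections. Setting AllowRemoteConnection to 0 under
         HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters
         on STATEHOST restricts it to local callers, which means the
         other farm members can no longer reach it: session state then
         becomes per-machine and only survives worker-process recycles,
         not a request landing on a different server. -->
    <sessionState
        mode="StateServer"
        stateConnectionString="tcpip=STATEHOST:42424"
        cookieless="false"
        timeout="20" />

    <!-- Option 2: SQL Server (the choice described in the post).
         With the persistent ASPState tables on a clustered SQL Server,
         session data survives a SQL node failure. Use a dedicated
         low-privilege SQL login, and keep the credentials out of this
         file: the aspnet_setreg "registry:" syntax used for
         processModel elsewhere on this page applies to
         sqlConnectionString as well. Only one <sessionState> element
         may be active, so this alternative is commented out. -->
    <!--
    <sessionState
        mode="SQLServer"
        sqlConnectionString="data source=SQLCLUSTER;user id=aspstate;password=PLACEHOLDER"
        cookieless="false"
        timeout="20" />
    -->

  </system.web>
</configuration>
```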
10:08:29 PM
This update for Microsoft Internet Information Services version 5.1 can help protect your Web server from several new security vulnerabilities. [Microsoft Download Center]
9:48:39 PM
Tuesday, May 27, 2003
This guide provides a set of security recommendations for Active Directory day-to-day operations that can be applied to both new and existing Active Directory implementations. The scripts and procedures provided are designed to simplify the implementation of these recommendations. [Microsoft Download Center]
8:25:08 PM
Friday, May 23, 2003
Hmm... I've been reading Ingo's article on ASP.NET vs. Remoting Performance.
In the conclusion to his article, Ingo mentioned the following:
"If you have to use HTTP as the underlying protocol but are going to stay with the .NET framework for both, your clients and your server, you should go for Remoting components hosted in IIS. This way you also have access to standard authentication, authorization and encryption (SSL!) features of Internet Information Server."
At the same time I am reading the Remoting article @ MSDN Magazine and the author says "So now that you know that HttpServerTransportSink is a Web server, the question remains—can you connect to the server using HTTPS? Unfortunately, you can't. The HttpServerTransportSink does not support SSL."
I am not a Remoting person but simply someone who is trying to come up to speed on this stuff.. Are they both speaking about the same thing? If so, it does sound like they are disagreeing. So who is correct?
9:58:07 PM
I decided to take the day off from work yesterday.
I slept in late, which I never do (If you have a 3 year old, you would understand) :-)
Took my 5 year old daughter for breakfast at a local French bakery/cafe. She has such a fresh and wonderful perspective on the world that it immediately cheered me up. Then after dropping her off at her school, I came back to the house and caught up on e-mail and spent some time online.
Went out to lunch with my friend Jim who is having a blast at his new job. He is uber-Coder there and seems to have a great boss as well. Had a great conversation that wandered all over the place.
To top it all off, decided to kill some time by seeing Matrix Reloaded - again! It is sometimes good to just put your brain on hold.
Came back home after picking up the kids and found out that there are indeed people looking out for me and that what I thought was incredibly bad news the day before is slowly being transformed into something that sounds great.
Life is good!
7:32:03 PM
The Microsoft Windows XP Security Guide provides several levels of security guidance for customers interested in hardening deployments of Windows XP for desktop and laptop clients in their environment. [Microsoft Download Center]
7:09:59 PM
Wednesday, May 21, 2003
The price people pay when they break agreements in the world is the disintegration of trust in the relationship - David Allen
Agreements can be as simple as someone telling you that they will return your call or respond to your email - but don't. It could be something you told yourself that you would do - but did not. Or they can be much more significant. But whether the agreement be small or large, the breaking of one is a source of negative feelings.
Today was a depressing day. Tomorrow is a new day with new possibilities. Such is the rhythm of life.
9:12:49 PM
Tuesday, May 20, 2003
Matt Clapham outlines the top 10 tips testers should know to securely test applications. [MSDN Just Published]
10:35:00 PM
In this episode, Michael Howard outlines a simple, yet effective way of thinking about how to build secure applications using SD3+C. This high-level model is being used to drive the security of new products within Microsoft. [MSDN Just Published]
10:34:28 PM
The Windows Application Verifier (AppVerifier) [1] examines executable programs for common application quality issues. Running this tool on an application aids a tester in detecting issues dealing with stability, security, and compatibility. The AppVerifier works by monitoring an application's use of the operating system, i.e. the file system, registry, memory, and APIs, while the application is being run. Once issues are discovered through the AppVerifier, the tool guides developers on how to fix these issues at the source code level.
Download [2] and learn more [3] about it.
Thanks to Raj Chaudhuri (via Craig) for the pointer.
[1] http://www.microsoft.com/windowsxp/appexperience/appverifier.asp
[2] http://www.microsoft.com/downloads/details.aspx?FamilyID=7fc46855-b8a4-46cd-a236-3159970fde94
[3] http://msdn.microsoft.com/library/en-us/dnappcom/html/AppVerifier.asp
9:15:03 PM
Sunday, May 18, 2003
So far, I have been unable to get Quicken running as non-admin. Or rather, I have been unable to get it running correctly. It starts just fine, but then starts to act all screwy, like showing me the online registration dialog, but never coming back once I hit "Next". [CraigBlog]
I am currently running Quicken 2003 Home & Business Premier as non-Admin on my machine. The work around for this badly written (from a Principle of Least Privilege perspective) piece of software is the following:
- Install with Admin rights (i.e. put your account in the admin group for installation)
- Manually point Quicken to the 'My Documents' tree as the location of file storage
- Give your account change rights to the Quicken directory tree
After making the above changes you should be able to run the program as a non-Admin.
11:38:01 PM
Saturday, May 17, 2003
Went to Lowe's today to get replacement sand for my three year old's sandbox. I knew that I needed 15 bags, each weighing 50 lbs. What I did not figure on is the antiquated trolley-thing whose steering wheels are in the back that I had to use to get all of those bags to my vehicle. But my son had a blast riding on top of it while his Dad was trying to maneuver the infernal thing down aisle ways that seem to be blocked by stacks of stuff, and people who could not seem to understand that something that heavy does not stop on a dime!
Finally got the thing to my van and started putting the bags in. My son kept asking me why I was making all those noises when I was putting the bags in. Don't think he got the "darn things are heavy and they leak" part. It also had not clicked for him why I was getting these bags. So finally we got home and unloaded everything.
Then I told him that the sand was for his sandbox.
Ahh... These are the moments that you live for and cherish as a parent! I LOVE being a Dad!
7:14:40 PM
Top 75 Security Tools from Insecure.Org via Larkware News
2:53:42 PM
There have recently been discussions in many places about running and developing as non-Admin. I figured that I would add my $0.02 to it.
There is an excellent document [1] by Lars Bergstrom (Visual Studio Core Team) on MSDN that outlines how to develop as non-Admin when using VS.NET. I've followed the procedure documented in it and have had no issues in developing and debugging ASP.NET applications as a Local User.
Recently, I installed VS.NET 2003 on my primary DEV machine and decided to follow the same instructions and ended up running into a couple of issues. Hopefully my solutions and work-arounds will help others who are trying to do the same thing. I am not going to repeat the existing docs but am just going to document the deltas.
NOTE: My dev machine is Windows XP Pro.
ProcessModel
By default, my restricted user login cannot debug Web applications. The web server started up ASP.NET as the NETWORK_SERVICE account and my user account, which is running the debugger, does not have the right to debug other users' programs (SeDebugPrivilege). The work around for this is to either grant my account this right or edit the machine.config file to run the ASP.NET process under my user id. The document recommends the latter approach for IIS 5 (Windows XP), which is what I chose to do.
This is done by changing the <processModel> from the default of:
<processModel userName="machine" password="AutoGenerate" ...... />
to
<processModel userName="YourUserName" password="YourPassword" ...... />
Security Note: If you do not set a restrictive ACL on the machine.config file, putting your userid and password in cleartext allows anyone to see your password. Even if you set a restrictive ACL, all users in the Administrators group will still be able to see it.
My resolution to the above Security Note was the following. Use the aspnet_setreg.exe utility [2] to put an Encrypted version of my account userid and password in the registry by using the following command:
aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\processModel -u:"YourUserName" -p:"YourPassword"
Then modify the processModel as follows to point it to the registry:
<processModel userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,password" ...... />
Registry Permissions
By default the DACL on the "HKLM\SOFTWARE\MY_SECURE_APP" hive grants Full Control to only System, Administrators and Creator Owner. Since ASP.NET is running under my userid, the caveat here is to make sure that I gave my userid (ex. "YourUserName") Read access to this registry hive where the userid and password are now stored.
This way, even if someone peeks into both machine.config and/or the registry they cannot see a cleartext version of my userid and password.
File system Permissions
VS.NET 2003 installs version 1.1 of the .NET Framework. The majority of the file ACLs needed are the same as documented in [1] except that the %INSTALLROOT% changes to "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322". So you need to give the following rights to your account:
- %INSTALLROOT% - Read
- %INSTALLROOT%Temporary ASP.NET Files - Read and Write
Once I made the above changes, I have had no issues developing and debugging Web Applications using VS.NET 2003.
[1] Developing Software in Visual Studio .NET with Non-Administrative Privileges
[2] Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings
2:18:01 PM
Friday, May 16, 2003
I just went through Scott Guthrie's ASP.NET Security Presentation and noticed that he mentions the upcoming Patterns and Practices book "Improving Web Application Security – Threats and Countermeasures". I had the opportunity to collaborate on and technical review this book and it has some awesome stuff in it. Should be out in print around the July time frame, but hopefully will be available electronically much earlier.
6:39:56 PM
Lots of interesting comments on Julie's story.
6:18:17 PM
Everyone has heard of the Microsoft iLoo story by now.. David Weller , a 'softie, has a hilarious take on it @ InkBlog. Good one!
5:56:49 PM
Recently posted to the BUGTRAQ Mailing List:
A PDF file is now available for the e-book "IIS Security and Programming Countermeasures" published last week.
Raw text and graphics in source format: http://www.forensics.org/jasonc/iisforensics.zip
A PDF that somebody else created from the text and graphics files: http://www.forensics.org/IIS_Security_and_Programming_Countermeasures.pdf
5:30:19 PM
Recently posted to the BUGTRAQ Mailing List.
Microsoft is pleased to announce the release of _Solution for Securing Wireless LANs_.
This prescriptive guide addresses today's wireless network vulnerabilities, and provides a reference implementation of certificate services for securing WLANS, which is suited for organizations of several hundred to many thousands of wireless network users. The reference implementation is derived from Microsoft's own use of PKI for securing the WLAN for its 55,000 employees, and best practices learned while aiding customers with their own secure WLANs.
The solution is divided into the following components:
PLANNING - Secure WLAN Strategy - Secure WLAN Solution Architecture - Designing PKI - Designing RADIUS infrastructure - Designing WLAN Security using 802.1x
BUILD & DEPLOY - Implementing PKI - Implementing RADIUS for WLAN Security - Implementing WLAN Security Using 802.1x
OPERATE - Managing PKI - Managing RADIUS and WLAN
The documentation also includes a Test Guide that outlines the overall test strategy used by Microsoft to validate the solution, spreadsheets for cost and risk analysis, and a project model.
You can download _Solution for Securing Wireless LANs_ from: http://go.microsoft.com/fwlink/?LinkId=14843
5:26:33 PM
Thursday, May 15, 2003
In an upcoming InfoWorld article, which will post next Friday and appear in print the following week, I review the SpamBayes filtering engine and Mark Hammond's brilliant Outlook addin. Thanks to this remarkable open source duo, I am ready to declare victory on spam. [Jon's Radio]
Indeed.. I used to use Cloudmark as my spam filtering tool, but I've since switched over to the SpamBayes Outlook addin. It does Rock. Even more remarkable is that it is completely free!
11:59:28 PM
See how the WS-Security specification and implementation can be used to securely sign Web service calls between Microsoft .NET and Java. [MSDN Just Published]
9:33:43 PM
Remoting traffic can be secured when objects are hosted in IIS, but when they aren't hosted in IIS, custom security solutions can be developed to secure them. This article provides an in-depth look at writing channel sinks for .NET. It also details the flow of data through custom channel sinks and explains the kinds of manipulations that can be performed on that data. [MSDN Just Published]
9:32:01 PM
I will not read a review.. I will not read a review... I am going to see it with a friend on Monday and am trying very hard to not read any reviews so that I don't encounter any spoilers!
9:16:30 PM
..... debate revolved around whether or not developers should run as administrator. This is something that Keith Brown has been advocating . Since there's been a lot of public discussion around this issue lately on mailing lists and weblogs, I thought it would be interesting to post the discussion here, publicly, to both show people both sides of the argument and to give them a glimpse into the inside of DM.
[CraigBlog]
Craig Andera has posted an excellent internal DevelopMentor debate that shows both views. I, for one, am firmly of the opinion that developers should indeed be running as non-admin when creating and testing software. At the same time, I am also aware of the gyrations one has to go through to get the Microsoft development tools to work properly as a non-admin.
Because of my concern about this issue, I actually addressed this issue at a Q&A Session at the last Microsoft MVP Summit in Redmond. Let's just say that the response was very positive :-).
9:04:39 PM
Got myself a Kyocera 7135 Smartphone yesterday.
This is a bit of a departure for me as this phone is Palm OS Powered. That is not to say that I am unfamiliar with the Palm OS. In fact, I had one of the original US Robotics Palm 1000 units. But over the last couple of years I have been exclusively using a Pocket PC (iPaq).
But my current phone was on its last legs and my iPaq was getting old so it was time for a hardware refresh. My first inclination was to look for Windows CE (Pocket PC) powered devices but unfortunately they really did not meet my selection criteria which were:
- Coverage, Coverage, Coverage
- Phone first, PDA Second
The primary purpose of a phone is to communicate. In order to do that, it has to be on a system that has extensive coverage across the area that you are interested in. To me, that means the phone has to be active on one of the major US national carriers like Verizon, Sprint or AT&T. The issue is that the current crop of Smart Phones are purely digital and really did not have an analog fallback option.
While there are Pocket PC Phone Editions that are coming out on the major networks, I really could not see myself talking into a PDA. In addition, I have always been a fan of the clamshell design which provides better protection for the screen. The Pocket PC Phone Editions are Candybar style.
The Microsoft Smartphone would have been an option that I would have been willing to consider. But my only comment to that would be "Where art thou (In the US, on a major network)?". In fact it would appear that T-Mobile, the only carrier who had agreed to carry the Smartphone in the US is backing away.
But the most important thing that I based my decision on were my own PDA habits. I use the PDA primarily as a contact and list manager. That is something the Palm OS does exceedingly well. I also have the need to carry my PDA with me everywhere to take notes and make calls. So I am very much a candidate for the converged device.
Yes, the choice of the Palm OS does mean that I have to give up the ability to do .NET Compact Framework development, but I can live with doing that on my iPaq.
So for me the following factors made the decision easy:
- Coverage - Verizon Express Network, CDMA Digital AND Analog
- Form Factor - Clamshell and relatively small
- Expandability - SDIO slot
UPDATE: It appears that T-Mobile WILL be shipping a SmartPhone, just not anytime soon. My reasons still hold.
1:06:29 PM
Sunday, May 04, 2003
"That man is successful who has lived well, laughed often, and loved much, who has gained the respect of the intelligent men and the love of children; who has filled his niche and accomplished his task; who leaves the world better than he found it, whether by an improved poppy, a perfect poem, or a rescued soul; who never lacked appreciation of earth's beauty or failed to express it; who looked for the best in others and gave the best he had." -- Robert Louis Stevenson
... I am working on this :-)
12:52:55 PM