|
@CyberForge
 Monday, June 23, 2003
This weblog is done.... for now.
May I suggest the following resources as alternatives to feed your Secure Coding and Secure Admin Habits:
For those who have become regular readers to learn about security in the Microsoft world, my sincere apologies.
For those who read for other reasons... Y'know, once upon a time, I probably would have had some vitriolic comment here, but these days my kids think that I am the greatest Dad in the world, and their opinions trump yours EVERY time! :-)
- Anil John
7:05:47 PM 
Comment
Friday, June 20, 2003
To get it programmatically, from managed code, use
Assembly.ImageRuntimeVersion. From unmanaged, use mscoree.dll’s
GetFileVersion(). (From the command line, starting in v1.2, ildasm.exe will show
it if you double-click on "MANIFEST" and look for "Metadata version".) Those
will give you the CLR version that the image claims it wants. However, that’s
not necessarily what it was actually built against (compilers can be configured
to put any string there).
Also, the CLR version that will be run by an exe is not necessarily the same
as what’s in its image runtime version. The chosen version can also depend on
its hosting application’s choice, a config file, environment variables, and
registry settings. If you need to override those, you can set the
supportedRuntime/requiredRuntime in the app.config for the process exe.
[Suzanne
Cook's .NET CLR Loader Notes]
Not strictly security related BUT the security
capabilities of the .NET CLR is tied to which version you are running. For
example, Code Access Security (CAS) is available for ASP.NET applications
starting in version 1.1 but is pretty much turned off (runs with FullTrust)
in version 1.0. So it would be nice to programmatically find out version of
the CLR your server is running :-)
7:33:31 PM
Comment
I came across these again on TechNet. They've been around for
some time, but we can all use a reminder now and then.
The Ten Immutable Laws of Security by Microsoft
Security Response Center
- If a bad guy can persuade you to run his program on your computer,
its not your computer anymore.
- If a bad guy can alter the operating system on your computer, its
not your computer anymore.
- If a bad guy has unrestricted physical access to your computer,
its not your computer anymore.
- If you allow a bad guy to upload programs to your web site, its
not your web site any more.
- Weak passwords trump strong security.
- A machine is only as secure as the administrator is
trustworthy.
- Encrypted data is only as secure as the decryption key.
- An out of date virus scanner is only marginally better than no
virus scanner at all.
- Absolute anonymity isn't practical, in real life or on the
web.
- Technology is not a panacea.
- Nobody believes anything bad can happen to them,
until it does.
- Security only works if the secure way also happens to
be the easy way.
- If you don't keep up with security fixes, your
network won't be yours for long.
- It doesn't do much good to install security fixes on
a computer that was never secured to begin with.
- Eternal vigilance is the price of security.
- There really is someone out there trying to guess
your passwords.
- The most secure network is a well-administered
one.
- The difficulty of defending a network is directly
proportional to its complexity.
- Security isn't about risk avoidance; it's about risk
management.
- Technology is not a
panacea.
5:48:09 PM
Comment
Thursday, June 19, 2003
I was browsing TechNet today and
came across these Product/Technology specific Security Centers
where you can ".. get in-depth information information about implementing and
maintaining security on your server or network."
In addition, there is also a
list of Security Topics where you can "... find in-depth
information on security issues"
- Patch
Management, Security Updates, and Downloads
- Hardening
Systems and Servers: Checklists and Guides
- Cryptography
and Secure Communications
- Protecting
Your Networks: Wireless, Firewalls, and Perimeter Security
- Mobile
Devices and Remote Access
- Virus
Protection Strategies
- Disaster
Recovery and Incident Response
- Architecture,
Deployment, and Management
- Security
Policy, Assessment, and Vulnerability Analysis
- Digital
Identity, Authorization, and Authentication
- Access
Control and Smart Cards
- Microsoft
Security and Privacy Policies
- Standards,
Regulations, and Government Issues
- Developing
Secure Applications and Web Services
Enjoy!
9:19:03 PM
Comment
"Regard your good name as the richest jewel you can possibly be possessed of
- for credit is like fire; when once you have kindled it you may easily preserve
it, but if you once extinguish it, you will find it an arduous task to rekindle
it again. The way to gain a good reputation is to endeavor to be what you desire
to appear."
[Socrates]
8:40:32 PM
Comment
... the range is short (2 meters
roughly), but how long of a range do you need on a crowded subway? The fine
folks at @Stake have released the first known tool specifically
targeting Bluetooth. Dubbed "RedFang", the tool is merely a brute-force method
of discovering non-broadcasting BT devices. In most cases, the fact that the
device is not broadcasting its address is the sole security enabled from the
factory, and with RedFang, you can blow right past that. Take for example, the
Compaq iPaq, that is set to share out its entire storage subsystem to anyone who
knows the Bluetooth address. The article
about the project is up on SecurityFocus. It's an
interesting read, albeit short. I think we're about to see a big push to test
the various security options of Bluetooth. Bluetooth can be secured rather
effectively, but we're seeing a lot of implementations that are insecure right
out of the box. Have we learned nothing from the "Secure by default"
debates?
[bmonday(dot)com]
Scary, considering that a lot of folks synch
up their business and personal email as well as contact information and
notes with their Bluetooth enabled mobile device without giving any
consideration to security. With Microsoft jumping on the Bluetooth bandwagon as
well, this technology is poised for wider adoption, which means security needs
to be addressed ASAP.
5:47:53 PM
Comment
There was a question recently
posed on one of the security mailing lists that I am on about how best to secure
Wireless networks. If you are looking for a Microsoft solution, do check
out the following Patterns and Practices guide:
Microsoft Solution for Securing Wireless LANs
http://go.microsoft.com/fwlink/?LinkId=14844
"The
Securing Wireless LANs solution provides Planning, Implementation, Operations
and Test guides, as well as additional resources including installation
scripts, security templates, monitoring scripts, and implementation planning
resources.
This solution provides an overview of Microsoft's Solution
for Securing Wireless LANs. The solution focuses on Microsoft's approach of
using 802.1x authentication, RADIUS and public key infrastructure (PKI) to
provide a robust, highly secure answer to the problems of current wireless LAN
deployments for organizations ranging from several hundred to many thousand
users. It will aid the IT Professional in understanding the design,
installation, and ongoing management tasks involved. Topics include: secure
authentication of wireless clients using 802.1x, EAP-TLS and Internet
Authentication Services, tackling weaknesses in WEP, deploying a PKI with
Microsoft Windows Server 2003 Certificate Services, integration with Active
Directory and Group Policy, configuration of Windows XP clients, and
monitoring and management of these
components."
12:02:39 AM
Comment
Wednesday, June 18, 2003
You are Agent Smith, from "The Matrix." No one would ever want to run into you in a
dark alley. Cold as steel, tough as a rock, things are your way or the highway.
What Matrix Persona Are You?
Had to put this in.... :-)
11:30:53 PM
Comment
Recently posted to the NTBugTraq list by Michael Howard (Microsoft)
In an effort to provide customers with greater defense in depth, Microsoft has released an Active Server Pages (ASP) replacement for the Internet Information Server 4 and Internet Information Services 5 change password capability, ISM.DLL. This new script code no longer runs as SYSTEM, therefore reducing the attack surface of the Web server. Note that IIS 5.1 and IIS6 do not ship ISM.DLL, they both use the updated ASP functionality.
This package has been tested and approved for use with Microsoft Exchange versions 5.5 and 2000 running Outlook Web Access (OWA).
If you use the password change functionality of IIS, it is HIGHLY recommend you use this new package.
Full details can be found at http://support.microsoft.com/?id=331834
10:53:08 PM
Comment
Monday, June 16, 2003
Michel Gallant's crypto article is the new feature on the MSDN Security Developer Center.
Check out Extending
.NET Cryptography with CAPICOM and P/Invoke. Good stuff!
[Brian
Johnson]
Nice! As noted in the article, the .NET
framework does provide rich crypto support. More information can be found
in an earlier article "Protect Private Data with the Cryptography Namespaces of the .NET Framework"
But ".... as a general recommendation for .NET
developers building applications using cryptography, if the required
functionality is not available natively in the core .NET classes, one should
consider using CAPICOM as a first approach. If the functionality is not provided
by CAPICOM, then one might consider using P/Invoke with CryptoAPI libraries
directly to access the required feature."
11:21:10 PM
Comment
Designing .NET Systems That Have Enhanced
Security
Wednesday, June 18, 2003:
10:00 A.M. Pacific time (Greenwich mean time- 7 hours).
Learn best practices for designing .NET systems that have
enhanced security. Hear the basic elements to be considered during the design
stage. Get a list of checkpoints to improve architecture security. Learn how to
develop assemblies with enhanced security.
Microsoft Data Access Components: Security
Features in MAC 2.8
Thursday, June
19, 2003: 10:00 A.M. Pacific time (Greenwich mean time- 7 hours).
This Microsoft Support WebCast provides an
overview of the main security features that are introduced in Microsoft Data
Access Components (MDAC) 2.8
Writing Security
Enhanced Code
Thursday, June 26, 2003: 10:00 A.M. Pacific time (Greenwich mean
time- 7 hours).
Learn about writing security enhanced code. Hear about
common techniques that hackers can use to compromise software systems. Find out
about strategies and best practices to mitigate these threats. Learn about
buffer overruns and cryptography hacking.
Sign up for these and more @ http://support.microsoft.com/WebCasts
10:49:23 PM
Comment
Sunday, June 15, 2003
The .NET Framework provides rich support for cryptography via the following name spaces:
- System.Security Cryptography - Core classes that provide crypto functions
- System.Security Cryptography.Xml - Classes used to encrypt and sign XML documents
- System.Security Cryptography.X509Certificates - Classes used to retrieve certificate information
Like anything to do with Security, the crypto field is full of jargon as well. So a few definitions are in order:
Plaintext or Cleartext is just that, something that is plain and has not had any crypto functions used on it.
Ciphertext is output of using some sort of a crypto function on plaintext.
Encryption is the process of smacking the data around so completely, using a specified key, that it basically looks like a big lump of apparently unrecognizable goo (ciphertext). Decryption is the process of taking that big lump of goo (ciphertext), stirring it with a key, and turning it back into the original data (There.. That should be scientific enough for ya!)
Symmetric encryption
The same key is used for converting plaintext to Ciphertext, and back.
Asymmetric Encryption
This is also known as public-key encryption. Instead of one key, you have a pair of keys (called a key pair) that are created at the same time. One key is called a public key and the other a private key. The interesting thing here is that the conversion to Ciphertext is done with the public key and the reverse can ONLY be done with the corresponding private key. There is no way that you can use a public key to decrypt the information. (UPDATE: This is not true, or the whole concept of digital signatures would fall down. It is more accurate to say that anything encrypted with one key can only be decrypted with the other one). So if you wanted someone to send you an encrypted message, you could very well advertise your public key and anyone could use that to send you a message. And you would be the only person who could decrypt that message, because you would have the only corresponding private key!
Hashing (also called a message digest) is a way of producing a fixed size representation of plaintext, which can be of any size. This is a one way process whereby you turn plaintext into unrecognizable Ciphertext! There really is no way to reconstitute the Ciphertext back into plaintext. A good place where you would use this would be for storing passwords. Instead of storing the passwords in plaintext, you could hash them into Ciphertext and store it. When you needed to verify a password, you would use the same hashing function to process the given plaintext password into Ciphertext and compare it to the stored value. If the hash values match, you are golden! If not, the wrong password was entered.
Salting the Hash comes in because hashing by itself has a vulnerability. Most people, when creating something like a password uses alphanumeric combinations that are memorable. (See my earlier entry about how truly bad most passwords are). Which means those passwords are vulnerable to a dictionary attack. A dictionary attack is an attack in which a cracker tries all words and word combinations in order to get a password match.
A salt is a cryptographically strong random number that is combined with the hash to create the final Ciphertext. So in order to compare the given password to the stored Ciphertext, you also need to provide the salt, which makes dictionary attacks a whole lot harder.
9:11:55 PM
Comment
This last week I had the pleasure of wandering around Florida speaking with
Dan Sandlin and David LeBlanc at a series of Microsoft architecture councils.
For those who don't know the name David LeBlanc wrote the very popular book Writing Secure
Code with Michael Howard. At each of the session I would do a talk / q&a
on P of EAA (which got a
JavaWorld award
this week) and David would follow on security.
One thing that interested me was that several people found the combination
odd - implying that few people would be interesting in two such diverse topics.
I think this is at the heart of problems about security in the industry.
Security is seen as some separate topic area which sits in its silo. Yet
security isn't something you can just add to an application by putting in a few
encapsulated classes here and there. Security thinking should pervade a whole
team - particularly on applications that are available on the internet or a
large corporate intranet.
To be fair there's room for people to focus on security issues. There's a lot
of stuff to know about on security. But everyone should have a reasonable
knowledge about it. As David points out: many eyeballs don't lead to secure code
- you need many educated eyeballs. One of the things I like about David's
attitude is that educating developers is a key part of the picture, with less
emphasis on review steps with security groups.
[Martin Fowler's
Bliki]
Right On! Security should not
be something that is bolted on but should be part of the application lifecycle
from the start.
BTW, for those not familiar with the name,
Martin Fowler is the author of two amazing books, "Refactoring" and "Patterns of
Enterprise Application Architecture". And David LeBlanc is the co-Author of
"Writing Secure Code"
12:44:38 PM
Comment
Fairly significant update to FxCop was posted today... check it out... Lots
of new rules and bug fixes...http://www.gotdotnet.com/team/fxcop/
[Brad
Abrams]
Indeed.. Just a recap that "FxCop is a code
analysis tool that checks .NET assemblies for conformance to the Microsoft .NET
Framework Design Guidelines. It uses reflection, MSIL parsing, and callgraph
analysis to inspect assemblies for more than 200 defects in the following areas:
naming conventions, library design, localization, security, and performance. The
package includes both GUI and command line versions of the tool, as well as the
SDK to create your own rules."
To see the list of Security related rules
see http://www.gotdotnet.com/team/fxcop/docs/rules/SecurityRules.aspx
12:06:12 PM
Comment
Saturday, June 14, 2003
NGSCB Spells Better
Security for Windows - eWeek's evaluation of
the-technology-formerly-known-as-Palladium, based on stuff Microsoft has
published. They point out just how much new hardware will need to be developed
to make the scheme work.
[Larkware
News]
More information from Microsoft can be found
@
1:51:35 PM
Comment
All too often when people are
demonstrating sample code, whether you are doing this online or during a
presentation, they have a tendency to take the easy way out and use insecure
coding for their samples. I've been guilty of that in the past as well. All too
often, the the audience may not be aware of the possible security breaches that
could occur if they simply copied and pasted our code. I know that Michael
Howard of "Writing Secure Code" fame is on a mission to eliminate insecure
sample code from both presentations and online samples. From a story that was
posted recently by Brian Johnson, it would appear that this awareness is very
much alive within MSDN as well. Excellent!
In short, when we give demo's,
even though it may be easy or we may think that this is just sample code, just
take the extra time to make sure that the sample code is as secure as possible.
We cannot judge the security awareness of the audience, so it is
better to demonstrate good Secure Coding practices in every piece of code that
we show.
9:54:39 AM
Comment
Take a look at the security challenges of Web services and how to address
them with security architecture, including what it can offer going forward when
XML traverses firewalls.
[FTPOnline]
Web Services at present are used to a great
extent within the Firewall for Application Integration. One of the challenges
that need to be addressed to move to a Service Oriented Architecture than spans
disparate systems across public networks is the issue of Security. A lot of
vendors, particularly Microsoft and IBM are working on this to make this a
reality.
9:20:12 AM
Comment
Friday, June 13, 2003
This Support WebCast session will examine some of the best practices for designing .NET systems that have enhanced security. It will review some basic elements that must be considered during the design stage. The WebCast will also review a list of checkpoints to improve the architecture security. It will discuss the factors that pertain to developing assemblies with enhanced security, code access security, remoting, and similar topics.
Signup information and presentation material can be found here.
6:05:52 PM
Comment
Jiri over at blogattic said some nice things about @CyberForge. Thank You!
Make sure you check out the blogattic list of Security Weblogs.
5:54:03 PM
Comment
Thursday, June 12, 2003
Bake security into the application lifecycle. It's a comprehensive guide for creating "hack resilient" apps. Use the guide to secure the network, host and application (there's something for architects, devs, system admins, testers, and security pros). It's principle-based and threat focused. Guidance is task-based and modular with tons of implementation steps. Deep drill-down on each technology, Code Access Security, ASP.NET, Enterprise Services, Web Services, Remoting, and Data Access (ADO.NET/SQL Server), with threats and countermeasures are provided. Also, includes checklists and How Tos.
Key Problems Solved:
- Hosting multiple Web Apps securely
- Writing secure managed code
- Designing secure apps
- Using CAS from ASP.NET
- Preventing key security issues: Input validation, SQL injection, Cross-Site Scripting
- Securing your developer workstation
- Securing your web server
- Securing your database server
- Locking down ASP.NET
- Performing security reviews on design, code, and deployment
Congratulations to JD, Alex, Srinath, Michael, Ray, Anandha and Sandy on the PAG Team (and to the many other folks who contributed to this book)
I had the extreme pleasure of working as an external Technical Reviewer for this book, specifically on the areas of Code Access Security and Hosting Scenarios. I also provided some input regarding resources on the writing code as non-Admin portion which is detailed in the Securing your Developer Workstation section.
The only thing I can tell you is It’s LIVE and is pure Security Goodness! Go GET IT NOW! [1] Because this is one AWESOME book!
This is the second book in the .NET/Web Security Series from the Microsoft Patterns and Practices Team. The first was "Building Secure Microsoft ASP.NET Applications"
[1] http://msdn.microsoft.com/library/en-us/dnnetsec/html/threatcounter.asp
10:25:09 PM
Comment
Keith Brown is writing his new book out in the open – he’s posting it
on here on his website as he
writes it. The tentative title is A .NET
Developer's Guide to Windows Security. If you’ve read Keith’s
Programming Windows Security,
you’ll know this is something to be excited about it. Read it! Send him
feedback!
[CraigBlog]
Excellent! Keith is one of my favorite people
when it comes to Windows Security. Glad to see that he has put more content
online.
7:32:19 PM
Comment
Wes Felter's Hack the Planet is another very cool
blog I discovered via Boing Boing Blog. I'm sure most everyone knows
it already, but it's new to me and it has tons of good info.
[Brian Johnson]
Cool! RSS feed can be found @ http://wmf.editthispage.com/xml/rss.xml
7:26:48 PM
Comment
The MSDN ASP.NET Developer Center
is now live at http://msdn.microsoft.com/asp.net/
ASP.NET Security related content
can be found at http://msdn.microsoft.com/asp.net/using/understanding/security/default.aspx
Not much there except links to
articles and PnP stuff already published. Hopefully that will change as time
goes by.
7:18:53 PM
Comment
Discussion on Trustworthy Computing and security at Microsoft with Security Business Unit Vice President Mike Nash. Come with your questions on security products, initiatives and issues for Mike.
June 16, 2003
Time: 10am Pacific/1pm Eastern/17:00 GMT/18:00 BST
Join the chat room on the day of the chat: http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015
Information on other Technical Chats (Security related or others) can be found at http://www.microsoft.com/technet/itcommunity/chats/default.asp
7:05:22 PM
Comment
Wednesday, June 11, 2003
My daughter graduated from
Kindergarten today! It just seemed like yesterday when I first walked her to her
class. She has a blast every day at school and is really looking forward to
first grade. On top of that, she is the greatest daughter a Dad could ever have
(Yes, I know every Dad feels that way about their daughter, but this one is
mine!). What more could I ask for?
11:08:04 PM
Comment
Reading Chris Brumme's weblog makes my brain hurt :-) But he has some incredible stuff that is related to Security.
8:07:51 PM
Comment
Password and account lockout settings are designed to protect accounts and
data in your organization by mitigating the threat of brute force guessing of
account passwords. Settings in the Account Lockout and Password Policy nodes of
the Default Domain policy settings enable account lockout and control how
account lockout operates. This white paper describes how these settings affect
account lockout and makes some general recommendations for configuring and
troubleshooting account lockout issues.
UPDATE: The original link is dead (It actually was a link to a zip file). But Susan Bradley, in my comments pointed to what I initially thought was something different, but looks like an HTML version of the same document as well as the tools to go with it. Thanks Susan!
BTW, be sure to check out Susan's Site at http://www.sbslinks.com/. She is a Microsoft MVP for Small Business Server and her site "... is designed to help accumulate all the web sites, knowledge base articles and other links that have been designed to specifically help support the Microsoft Small Business Server or it's component parts". Cool!
UPDATE 2: Found the original document! Available for download as a word document.
6:51:23 PM
Comment
This episode covers the importance of privacy for building customer trust. It
also covers how to perform a privacy analysis and applying the analysis to
application and Web site development.
[MSDN
Just Published]
4:33:08 PM
Comment
This episode covers how to create privacy settings to provide informed choice
to consumers. It illustrates how developers can link registry based privacy
settings to group policy for access by IT administrators.
[MSDN
Just Published]
4:32:49 PM
Comment
Developer's machines can often be more vulnerable to viruses than the average
corporate user because of their more frequent access to remote machines and
shares, and the differing administrative privileges they maintain across
multiple machines. Reliance on antivirus software is fine as a first line of
defense, but you need a basic arsenal of skills for securing the executables on
your system and coping with viruses on your own. This article reviews proactive
methods you can use to defend yourself against malicious executable code in
resources, component libraries, scripts and macros, as well as how to avoid a
handful of other potential vulnerabilities.
[MSDN
Just Published]
4:31:55 PM
Comment
.... TechEd
keynote by Scott Charney is a must read, on a lot of different
levels.
[Brian
Johnson]
Agreed! You can find a full transcript @
http://www.microsoft.com/presspass/events/teched/06-03charney.asp
4:26:48 PM
Comment
Tuesday, June 10, 2003
I am in the process of pointing
the CyberForge.com domain to a E-Mail provider that supports SSL connectivity
for POP/IMAP and WebMail. It is going to take a couple of days for the DNS
entries to propagate so sending mail to me via the Radio Link or to the
CyberForge.com domain is a losing proposition :-( . Please feel free to leave
comments .... When Haloscan is back up. ARRRGH!
11:27:58 PM
Comment
Ingo Rammer has posted a list of Remoting related changes [1] for .NET 1.1/VS.NET 2003 focused on increasing Security.
[1] http://www.ingorammer.com/remotingFAQ/changes2003.html
7:16:52 PM
Comment
This white paper provides information about the communication that flows
between components in Windows Server 2003 and sites on the Internet, and it
describes steps to take to limit, control, or prevent that communication in an
organization with many users. The white paper is designed to assist you, the
administrator, in planning strategies for deploying and maintaining products in
the Windows Server 2003 family in a way that helps provide an appropriate level
of security and privacy for your organization’s networked
assets.
[via The Furrygoat
Experience]
12:03:38 AM
Comment
Monday, June 09, 2003
Scoble seems to be surprised at the Security advocacy at Microsoft. He should not be. People like Michael Howard, David LeBlanc and the PAG Team have been advocating Security for some time. And finally, with the backing of Bill Gates himself, they are no longer considered a voice in the wilderness.
All too often, it is easier to focus on the sexier technologies like the Tablet PC or the gee-whiz UI features of Longhorn (Sorry, Robert, could not resist that one! :-) ) and while that works in the Consumer Space, if you want traction in the Enterprise space, you have GOT TO work to change the perception of Microsoft as a company that does not care about security.
Windows 2003 is the first product out of the gate that in a lot of ways applies the lessons that were learned during the Security Push. And the lessons have been applied darn well. It is now time to get the word out.
I would like to see people who are working in the trenches to get the word out about Security get better play in the wider community as well. Yes, we all know about luminaries like Don Box and Chris Sells. But how about people like J.D. Meier, Srinath Vasireddy, Sandy Khaund, Brian Johnson or Erik Olson? Do people know who they are? They should, because they are (and I am sure that there are a whole lot more) amoung the people who are trying to educate the Developer and Sys-Admin community about Security as it regards to Microsoft Products.
11:45:39 PM
Comment
Cool! I got linked to by both Brian Johnson and Joe Bork who both said nice things. Thanks Guys!. Glad that I am providing a resource at least two people read :-)
Brian is the MSDN Security Content Strategist and Joe works in the Visual Studio Group breaking things as a Software Design Engineer in Test.
10:39:50 PM
Comment
Sunday, June 08, 2003
The digital security consulting firm @stake announced on June 3, 2003, the results of an independent Security Analysis of the .NET Framework and the J2EE Framework represented by IBM WebSphere running on both Unix and Linux environments.
They are pretty up front in saying that while the analysis was funded by Microsoft, it was performed with no assistance from any of the vendors involved.
The results of the analysis are:
- Both platforms provide infrastructure and effective tools for creating and deploying secure applications
- The .NET Framework 1.1 running on Windows Server 2003 scored slightly better with respect to conformance to security best practices
- The Microsoft solution scored even higher with respect to the ease with which developers and administrators can implement secure solutions
More information here:
9:44:54 PM
Comment
I was exploring the MSDN Security Developer Center and came across these links to some very good information.
and more.. Make sure you explore.
9:35:58 AM
Comment
Saturday, June 07, 2003
The following was posted by Scott
Guthrie (ASP.NET Team) to the ASP.NET Forums today:
Yesterday we became aware of a security
vulnerability in two of our sample applications: the IBuySpy Portal and the
Portal Starter Kit. We have temporarily removed the IBuySpy Portal sample
download and are actively working on an update. An updated Portal Starer Kit
sample (version 1.0b) is now available which fixes the problem for that
sample.
This email provides the steps to immediately fix existing
sites and mitigate the potential for a malicious attack.
Who is
vulnerable?
-- Any version of the VB.NET IBuySpy Portal sample
configured to use html forms authentication.
-- Any version of the VB.NET
Portal Starter Kit sample configured to use html forms authentication
--
Older pre-ASP.NET V1 versions of the C# IBuySpy Portal sample (specifically
for ASP.NET beta1 and beta2) configured to use html forms authentication.
This vulnerability does NOT effect:
-- The VB.NET version of
the IBuySpy Portal sample configured to use Windows Authentication
-- The
VB.NET version of the Portal Starter Kit sample configured to use Windows
Authentication
-- The C# version of the IBuySpy Portal sample released for
ASP.NET V1
-- The C# version of the Portal Starter Kit sample
-- The
IBuySpy Store sample
-- The Community Starter Kit sample
-- The
TimeTracker Starter Kit sample
-- The Report Starter Kit sample
-- The
Store Starter Kit sample
Note that this problem is not an ASP.NET
product vulnerability or a bug in the ASP.NET Forms Authentication feature.
Rather it is a result of a bug in how the forms authentication feature was
used in the VB.NET language versions of the IBuySpy Portal and Portal Starter
Kit sample applications.
What is the vulnerability?
A
malicious user can login as a portal sample administrator and exploit the site
by:
-- Altering text and content on the site
-- Creating and
Deleting portal users used with the sample's forms authentication system
-- Changing portal user passwords used with the sample's forms
authentication system
-- Retrieving user IDs and passwords used with the
sample's forms authentication system
The vulnerability specifically
*does not* enable the following actions:
-- A hacker *cannot* take
over the server (e.g. it does not allow hacker code to be executed on the
server)
-- A hacker *cannot* access or compromise Windows usernames or
passwords
-- A hacker *cannot* use the vulnerability to initiate a SQL
injection attack
How to manually fix the vulnerability?
An updated version of the VB.NET Portal Starter Kit sample (version
1.0b) is now available for download. An updated version of the VB.NET IBuySpy
Portal will be posted shortly. If you have an existing installation of the
samples, you can immediately fix the problem by performing the following
steps:
To fix the SDK VB.NET versions of IBuySpy Portal and the Portal
Starter Kit:
1) Open up the adminRegister.aspx file with a text
editor
2) Replace the following line of code in the RegisterBtn_Click
handler:
If accountSystem.AddUser(Name.Text, Email.Text, Password.Text) Then
with:
If (accountSystem.AddUser(Name.Text, Email.Text, Password.Text) > -1) Then
3) Save the file
4) Log into your Portal site
5) Change your admin password
6) Optional: Instruct registered portal users to change their passwords
To fix the Visual Studio.NET VB.NET versions of IBuySpy Portal and the Portal Starter Kit:
1) Open up the Visual Studio Project found in the directory in which the application was installed.
2) Open the adminRegister.aspx page
3) Switch to the Code Behind view for the page
4) Replace the following line of code in the RegisterBtn_Click handler
If accountSystem.AddUser(Name.Text, Email.Text, Password.Text) Then
with:
If (accountSystem.AddUser(Name.Text, Email.Text, Password.Text) > -1) Then
5) Save the file
6) Rebuild the application (Ctrl-Shift-B)
7) Log into your Portal site
8) Change your admin password
9) Optional: Instruct registered portal users to change their passwords To fix C# beta versions of the IBuySpy Portal please upgrade to the latest version of the IBuySpy portal.
We sincerely apologize for the inconvenience that this has caused,
- Scott
11:06:31 PM
Comment
Sam points to two recent articles that address the peformance of managed code. They are:
The articles are indeed excellent. What is disappointing to me is that Security in the context of performance is given almost no play in either article. The only comment as regards to Security that is made (on a document that consists of 19 printed pages) is "Security is a necessary and integral part of the CLR, and has a performance cost associated with it. In the case that the code is Fully Trusted and the security policy is the default, security should have a minor impact on the throughput and startup time of your application. Partially trusted code—for example, code from the Internet or Intranet Zone—or narrowing the MyComputer Grant Set will increase the performance cost of security."
One of the biggest excuses given by Developers when talking about designing and implementing security into an application is how it will "kill peformance", and all too often Security is sacrificed at the alter of performance.
If Microsoft wants that to change, the trade-offs involved in the Security/Performance matrix needs to be explicitely explained. When hard-core articles like these, which are looked upon as best practices by many developers come out, it is truly a shame that peformance impacts and trade-offs that happen when integrating security into the app are not explored in more detail.
10:28:48 PM
Comment
Notes on a TechEd 2003 Presentation by Karthik Jaganathan (Program Manager, Windows Security - Microsoft)
Abstract
Learn about the security services built into the Microsoft Server
family and how application developers can leverage these services to build
secure applications. Focus on how these technologies can be integrated into
existing legacy backend applications as well interoperating with
non-Microsoft platforms. Technologies covered include: Windows 2000,
IIS, Enterprise Services, SQL Server and introduce security capabilities
coming in Windows Server 2003 such as Kerberos enhancements, Roles based
authorization, etc.
Notes
Karthik outlines a number of different scenarios (i.e. extranet, intranet,
etc.) and the requirements for each.
Karthik briefly mentions the Authorization Manager (AZMAN), which is
starting to look like a totally killer management tool.
Karthik mentions the trusted subsystem vs. impersonation debate. (Something
that's not very well understood by many developers.) Many of the points being
made by Karthik are outlined in Tim Ewald's (excellent) book, "Transactional
COM+". Essentially, impersonation kills scalability (i.e. connection pooling)
for the benefit of a granular security model. On the other hand, compromising
a trusted subsystem can cause a lot more damage. It really is tough to get the
best of both worlds (scalability vs. security) when building systems.
Karthik is going through various types of authentication (i.e. Windows
Integrated, forms, SSL, Basic/Digest, Passport) along for code snippets for
each. Pretty basic stuff. He is also showing how to map x509v3 certificates to
a particular AD user through IIS (by enabling the Windows directory service
mapping). Yet another example of AD mapping - this time, he shows how to
associate .NET Passport credentials to an AD user.
Signed messages (via PKCS#7) are typically used in an asynchronous model.
(Good point.) Karthik shows an example using CAPICOM to create a signed
message using a x509v3 cert. from the local store.
Protocol Transition - Kerberos S4U2self extension. (This sounds pretty
cool.) Essentially, you can establish a Windows identity (i.e. Kerberos
service ticket) after custom authentication. You can even get an
identification service ticket without TCB. (Neat.)
using
System.Security.Principal;
WindowsIdentify id = new
WindowsIdentity("TESTDOM\test");
Cool!
Constrained Delegation - Kerberos S4U2proxy extension. Allows a service
ticket to obtain a TGT from a KDC for delegation purposes. (Cool!)
Authorization Manager - Here we go... (I'm quickly starting to love this
thing...)
AZMAN looks really sweet. (I can't believe I haven't
heard more about it until now.) If you haven't seen this thing yet, get your
ass to a Win2K3 machine! :-)) AZMAN should help a great deal when building
large-scale applications. Roles are much a kin to COM+ roles except they are
entirely logical objects; they don't map to specific groups.
UI (i.e. SOAP endpoint) <-> Windows
Authorization API <-> AZMAN <-> Policy Store
Role = {Tasks},
Task = {Operations}.
Sweeeeeet.
Finally, Karthik showed a pretty cool demo showing an IE client obtaining a
Kerberos ticket via HTTP from an Apache server running on UNIX. Sadly, I got a
bit lost here. I am not very well versed in the Kerberos protocol. Note to
self: Review the slide deck afterward. :-P
Overall, a good talk. [John Bristowe's
Radio Weblog]
12:07:05 PM
Comment
"To love what you do and feel that it matters - how could anything be more
fun?"
[Motivational
Quotes of the Day]
11:39:20 AM
Comment
This white paper describes the default security settings for components of
the Microsoft® Windows® Server 2003 operating systems.
[Microsoft
Download Center]
11:25:33 AM
Comment
Friday, June 06, 2003
Everyone always tells you the importance of having a strong password that is be hard to guess. Use letters and numbers they say.... Did you listen?
I've recently been doing some reading on passwords and crypto [1] and came across the best explanation for the need for strong passwords and I wanted to pass it on.
Consider for a moment if you have an application that uses DES as a cryptographic algorithm. DES requires a 56-bit key, which means that a good DES key has an equal probability of falling anywhere in the range of 0 to 2^56-1. A big number!
Ah, Ha! Not so fast. Take as an example an english language user. When asked for a password, we will typically pick something easy to rembember, most likely containing ASCII values such as A-Z, a-z, 0-9 and possibly punctuation marks.. Guess what, you just cut down (waaay down) on the number of possible values for a password that an attacker needs to try and guess. The attacker simply has to attempt to guess easy-to-remember ASCII groups of values.. Yikes!
Now, let me show you the bit that REALLY brought this home to me about how bad passwords could be! Given that DES has a 56-bit key and is considered INSECURE for long-lived data, take a look at these very common scenerios regarding the available character pool size and the password lengths that are required to create an equivalent 56-bit and 128-bit keys. Available Characters and Password Lengths for Two Keys [2]
| Scenerio |
Available Characters |
Required Password length for 56-bit key |
Required Password length for 128-bit key |
| Numeric Pin |
10 (0-9) |
17 |
40 |
| Case-insensitive alpha |
26 (A-Z or a-z) |
12 |
28 |
| Case-sensitive alpha |
52 (A-Z or a-z) |
10 |
23 |
| Case-sensitive alpha and numeric |
62 (A-Z, a-z and 0-9) |
10 |
22 |
| Case-sensitive alpha, numeric and punctuation |
93 (A-Z, a-z, 0-9 and punctuation) |
9 |
20 |
SCARY! When was the last time you created a 8-10 character password that contained case sensitive alpha, numeric and punctuation? Hmmm...?
[1] "Writing Secure Code, 2nd Edition" by Michael Howard and David LeBlanc
[2] Table 8-1, "Writing Secure Code, 2nd Edition" by Michael Howard and David LeBlanc
BTW, I can't recommend the second edition of this book enough!
10:52:52 PM
Comment
Wednesday, June 04, 2003
I gave the second part of my .NET
Security presentation to our local ASP.NET user group (CMAP).
The topics that I touched upon
(and it was indeed that, as each topic could stand on its own for a full presentation)
were:
- Threat
Modeling
- Threat Mitigation via Secure
Coding
- Authentication, Authorization,
Impersonation
- Cryptography support in
.NET
- Code Access Security &
ASP.NET
- Building and Configuring a DEV
machine
I had a blast as it was a
very interactive session and there were a lot of good comments flying back and
forth.
One specific thing that I wanted to share was on the topic of
hashing passwords for storage. The basic premise behind
hashing a password is that, if an application needs to verify that a user knows
the password, you can compare the hash of the password that is entered by the
user with the hash of the password stored by the application. It they match, you
have a valid password. To make things difficult, you can also salt the password.
A salt is a random number that is added to the hashed password to eliminate the
use of precomputed dictionary attacks. A dictionary attack is one in which the
attacker tries every possible password combination to decrypt the data. The salt
is normally stored unencrypted with the hash (more on this later). The issue
that one of the members raised (good one, Jeff!) was that, if the
salt is also stored, and does not come from the user, the attacker in reality
could simply not worry about the salt and just attempt to guess the password. So what is the point of doing it?
The correct answer in this case would be that the salt prevents an attacker from attacking the password database DIRECTLY (If the salt is stored separately). It DOES NOT prevent an attack where the application performs some of the hashing on behalf of the user. So if you stored the salt in, say the registry or within the application itself, even if someone had direct access to the database they would not be able to run a dictionary attack. You would in this case also use other mechanisms to prevent someone from coming in as the user, for example locking out an account after different passwords have been entered more than 5 times.
9:52:50 PM
Comment
The Microsoft Baseline Security Analyzer provides a streamlined method of
identifying common security misconfigurations.
[Microsoft
Download Center]
9:31:47 PM
Comment
Today I ran across an entirely new option: the /netonly switch. Using it means that
the credentials you supply don’t have to be
valid on the machine you’re running it on, but will still be passed on when
remote calls are made!So cool. Why? Because I’m doing work with
Microsoft, and I need to do things against their servers that require
authentication. I don’t want to join my machine to their domain, which means I
can’t get a process running under my Microsoft domain account. However, using
this switch, I can make a process look to remote systems as if it were running
under my Microsoft domain account. This turned out to be crucially important for
getting our build process working on my machine.
The one caveat is that since it doesn’t do an actual login, it’ll take
whatever password you throw at it. Even if it’s wrong – you won’t find out until
you try to actually use those credentials.
[CraigBlog]
9:24:30 PM
Comment
Sunday, June 01, 2003
I recently participated in an e-mail conversation on how best to store User ID's and Passwords for a
website.
The basic tenant one should follow in this case is to NOT store secrets if it is not necessary. In this case, the storage of passwords is not necessary. It is simply enough to store the hash of the password.
But the issue that then comes up is how to deal with password resets. Some possible scenarios that were discussed were:
- Password Hints entered at time of original password choice.
- Send a time sensitive GUID (password reset bit valid for limited time) that is sent to existing e-mail as a query string, which if clicked on will allow a password reset.
- Create a random password, hash it and store it. Send the clear text to user with instructions on how to change it.
I then came across these following documents that explore this situation in depth.
Anyone facing this issue should read these docs.
9:54:44 PM
Comment
[E2K
Security]
11:43:23 AM
Comment
|
|
