Training

LearnVSXNow!

Chris Eargle — Thu, 21 May 2009 16:47:20 GMT

I can't believe I've been writing packages for Visual Studio and didn't know about the series of blog articles on Visual Studio Exensibility by DiveDeeper or about the VSXtra project. Since I want a quick index of the LearnVSXNow! series, I'm posting links to every article. This is a series every managed package framework developer should read.

LearnVSXNow!

How to start VSX programming?
Creating an empty package
Creating a package with a simple command
Creating a package with a tool window
Basic VSX ideas
Creating our first toolset — Prolog
Creating our first toolset — Finishing the sample
Intermezzo — The regpkg.exe utility
Creating our first toolset — Refactoring to a service
Creating our first toolset — Reusing code
Testing a package
Stepping forward: “VsxLibrary” and “HowToPackage”
Menus and comands in VS IDE
Basics of the .vsct file
Creating a simple custom editor — the basics
Creating a simple custom editor — the first ten meter
Creating a simple custom editor — under pressure
Advanced VSCT concepts
PowerCommands Deep Dive — Command Architecture
PowerCommands Deep Dive — Commands and UI
PowerCommands Deep Dive — Analyzing Commands
Thinking about a new MPF
Coping with GUIDs
Introducing VSXtra
Advanced VSCT Concepts: Behind Combos
Services — with no-code service initialization
Multiple Tool Windows
VSXtraCommands Part 1 — Command handling patterns
VSXtraCommands Part 2 — Commands removing recent items
Custom Editors in VSXtra
Merging Package Menus with VSCT
VSXtra at DevCon - Part 1
VSXtra at DevCon - Part 2
Working with Hierarchies Part 1 - Hierarchy Basics
Working with Hierarchies Part 2 - Internal Structure of Hierarchies
Working with Hierarchies Part 3 - Properties and Hierarchy Traversal
Meet Visual Studio 2010 and the New VS SDK 2010 CTP
VS 2010 Editor - Text Coloring Sample Deep Dive
Working with Hierarchies Part 4 - Hierarchy Windows
Working with Hierarchies Part 5 - Managed Classes for Custom Hierarchies
Toolbar Layout and Persistence

Sidebar

Automatically loading packages
Resolving string resources
Simplifying tool window declaration
Command handlers
Deep Dives on MSDN Code Gallery
Longer version of Package Reference Sample Deep Dive
Showing a toolbar at Visual Studio startup

Zune Game Development Book

Chris Eargle — Mon, 16 Mar 2009 23:11:52 GMT

Zune Game Development Using XNA 3.0 by Dan Waters will be released on March 23rd.

Here's the product description:

XNA 3.0 brings you the ability to create games that will run not just on the PC and Xbox 360, but also on the Zune mobile device. While creating games for Zune is, in many ways, similar to working on the other platforms, it also presents its own unique set of challenges and opportunities. Smaller screens, limited storage, and less processing power all affect the way you need to think about designing and implementing your games.

Zune Game Development Using XNA 3.0 is a comprehensive book that will guide you through the many aspects of XNA game development and their specific implementations on the Zune platform. The book addresses Zune game development concepts in detail and shows you how to apply them in practical, step–by–step examples, building complete, working XNA 3.0 examples along the way that you can download and play.

I primarily do business development, but the idea of making games for my Zune is just too good to pass up. I think I'll pick this book up next week.

WCF 3.5 Security Guidelines

Chris Eargle — Thu, 17 Apr 2008 18:22:03 GMT

The patterns & practices WCF Security Guidance project has released the the WCF 3.5 Security Guidelines. This is useful if you're trying to follow the best practices for securing your services.

Here are the categories and topics for the initial release of the guidelines. For more in depth information, go to the site.

Categories

Auditing and Logging
Authentication
Authorization
Binding
Configuration Management
Exception Management
Hosting
Impersonation and Delegation
Input/Data Validation
Proxy Considerations
Deployment considerations

Auditing and Logging

Use WCF auditing to audit your service
If non-repudiation is important, consider setting SuppressAuditFailure property to false
Use message logging to log operations on your service
Instrument for user management events
Instrument for significant business operations
Protect log files from unauthorized access
Do not log sensitive information

Authentication

Know your authentication options
Use Windows Authentication when you can
If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
If your users are in AD, but you can’t use windows authentication, consider using username authentication
If your clients have certificates, consider using client certificate authentication
If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
If your users are in a custom store, consider using username authentication with a custom validator
If your users are in a SQL membership store, use the SQL Membership Provider
If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
If you are using username authentication, validate user login information
Do not store passwords directly in the user store
Enforce strong passwords
Protect access to your credential store
If you are using Windows Forms to connect to WCF, do not cache credentials

Authorization

If you use ASP.NET roles, use the ASP.NET Role Provider
If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
If you need to authorize access to WCF operations, use declarative authorization
If you need to perform fine-grained authorization based on business logic, use imperative authorization

Binding

If you need to support clients over the internet, consider using wsHttpBinding.
If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
If you need to support local WCF clients, consider using netNamedPipeBinding.
If you need to support disconnected queued calls, use netMsmqBinding.
If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

Configuration Management

Use Replay detection to protect against message replay attacks
If you host your service in a Windows service, expose a metadata exchange (mex) binding
If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
Manage bindings and endpoints in config not code
Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
Encrypt configuration sections that contain sensitive data

Exception Management

Use structured exception handling
Do not divulge exception details to clients in production
Use a fault contract to return error information to clients
Use a global exception handler to catch unhandled exceptions

Hosting

If you are hosting your service in a Windows Service, use a least privileged custom domain account
If you are hosting your service in IIS, use a least privileged service account
Use IIS to host your service unless you need to use a transport that IIS does not support

Impersonation and Delegation

Know the impersonation options
If you have to flow the original caller, use constrained delegation
Consider LogonUser when you need to impersonate but you don’t have trusted delegation
Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
Use programmatic impersonation to impersonate based on business logic
When impersonating programmatically be sure to revert to original context
Only impersonate on operations that require it
Use OperationBehavior to impersonate declaratively

Input/Data Validation

If you need to validate parameters, use parameter inspectors
If your service has operations that accept message or data contracts, use schemas to validate your messages
If you need to do schema validation, use message inspectors
Validate operation parameters for length, range, format and type
Validate parameter input on the server
Validate service responses on the client
Do not rely on client-side validation
Avoid user-supplied file name and path input
Do not echo untrusted input

Proxy Considerations

Publish your metadata over HTTPS to protect your clients from proxy spoofing
If you turn off mutual authentication, be aware of service spoofing

Deployment considerations

Do not use temporary certificates in production
If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
If you are using a custom service account and need to use trusted for delegation, create an SPN
If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
Use IIS to host your service unless you need to use a transport that IIS does not support
Use a least privileged account to run your WCF service
Protect sensitive data in your configuration files

My Related Posts

.NET 3.5 Enhancements Training Kit

Chris Eargle — Wed, 16 Apr 2008 19:04:19 GMT

Microsoft has released a training kit for .NET Framework 3.5 Enhancements. It includes labs, demos, and Power Point files for the following technologies:

ASP.NET MVC
ASP.NET Dynamic Data
ASP.NET AJAX History
ASP.NET Silverlight controls
ADO.NET Data Services
ADO.NET Entity Framework