Tag | Security Posts

I am getting the message: "Unable to set permissions on the shared documents home folder" This is probably happening because the needed membership in the security groups for EDI/SQL roles aren't set up all the way through, it is likely some of it is set up already and some of it isn't -- so when your bts service account is trying to execute EDI, you see this sort of error. To correct this, try these quick few steps first. If all else fails, Microsoft has an online reference: http://msdn2.microsoft.com/... ...
I recently had a requirement to interop with a web service (written in Java, not that it matters all that much what it was written in) with a quasi-unique set of security requirements. They were as follows: SOAP 1.1 Transport security was an option. Production endpoint was using SSL; test endpoint was not. Need the flexibility to turn this on or off. Message Security consisted of two tokens (both WS-Security 1.0) Unsigned username token with plaintext password (forget the argument about plain text ...
CIPS Regina has done an incredible job setting up a 2 day seminar May 13 - 14th in Regina, SK. This seminar has Tech, Business and Student tracks on the first day; Tech and Business tracks on the second day. Dr. Venkat Subramaniam is the featured presenter at this seminar. Dr. Venkat Subramaniam, founder of Agile Developer, Inc., has trained and mentored thousands of software developers in the US, Canada, Europe, and Asia. He has significant experience in architecture, design, and development of ...
There was a break-in at our company the other night. We had some nice products on visible display through the front door in our office's small reception area that evidently made for an easy target of a smash and grab operation. The entire caper was recorded on our internal security video system. The perpetrators (one inside taking things to the door, the other just outside receiving) broke the glass out of the front door and proceeded to carry out the items on display. At one point during the ~1 ...
Following on from BizTalk in the cloud now we have SQL server in the cloud..... SQL Server Data Services (SSDS) are highly scalable, on-demand data storage and query processing utility services. Built on robust SQL Server database and Windows Server technologies, these services provide high availability, security and support standards-based web interfaces for easy programming and quick provisioning. Get more info here ...
The patterns & practices WCF Security Guidance project has released the WCF 3.5 Security Guidelines. This is useful if you're trying to follow the best practices for securing your services. Here are the categories and topics for the initial release of the guidelines. For more in depth information, go to the site. Categories Auditing and Logging Authentication Authorization Binding Configuration Management Exception Management Hosting Impersonation and Delegation Input/Data Validation Proxy ...
So in this post I will revisit a post I wrote a while back, TFS Server Administrators (when you can't be a Windows server administrator). Is it possible to manage a TFS instance without being a Windows administrator? Well, I'm aware of one thing right now I can't do as a regular application administrator. There are probably others, but we are able to be pretty effective by following the steps in this and the previous post. I wrote the first post about a year and a half ago and after going through many ...
I was playing around with another user control yesterday that would allow me to show people who is inside an AD Group. Unfortunately, in the object model (as far as I can tell) there is one function "IsDomainGroup" that can even help out. So that inevitably brought me to use this AD Wrapper that someone created in my company. It will display the group users on a windows app on the server or on an asp .net application on the server in the c:/program files/common files/microsoft shared/web server extensions/12/templates/lay... ...
Now that Unity has been released into the wild, there has definitely been a bit of interest swirling around it. One of my key wants for a good IoC container is basic interception capabilities. My criteria for evaluating a container usually comes down to the following: Configurability (XML, DSL, Code) Dependency Resolution, usually opinionated Lifetime Management (Per Thread, Pooled, Singleton, Transient, etc) Extensibility for Interception So, I realized that Unity was missing some of these things ...
In this post I would like to share my experiences with the new communicator I found a few days ago - the next application I found with the help of a friend of mine, Chris Koenig - called just Digsby. What makes this communicator so special? I would like to explain this in the next few lines of my post. However, at the beginning let me go back a few years and introduce some problems I had with my previous communicators. Gadu Gadu It is a really simple application, but one serious bug I am encountering is contact list synchronization. ...
This weekend rocked, but it was also very stressful. I started to think about what I want to do with my career. I have to admit that where I want to go is at least to try to obtain MVP Status. I have to want it enough and head myself in the right direction. I need to stop sitting back and assuming what I am doing is working out. So you guys are going to see some changes happening soon. I have to thank a lot of people for helping me out, especially Sahil Malik and David Isserman. They spoke to me ...
One of the most difficult things that many tech people have are problems with relationships and communication. I was recently forwarded a document that outlines two types of relationships. I found it very appropriate to every type of relationship I have had. Parent - child, significant other, boss - employee, employer - employee, co-workers, friends. I hope you'll read over it and evaluate yourself and the relationships you have. If you find that your boss or employer is selfish, perhaps it's time ...
On my new Dell XPS M1330 there is a fingerprint reader; now I have had a load of problems getting it to work on x64 Vista. Well, the driver was there, but the associated software is not supplied by Dell in an x64 version. I did however find the full retail version from the Upek website, which thankfully is 64 bit, and considering it cost <£10, I didn't think twice about the investment. I am totally loving it, no more typing anything to login, I simply swipe my thumb across the reader and bingo! ...
I recently put together a glossary of common security-related terms to aid in discussions around "Single Sign-On" scenarios. I've experienced this a few times now -- a level-set on terminology is almost always needed to make security discussions productive from the start. Oftentimes the terms are confused, misused, or ambiguously defined. I have attempted to stay general with the definition of terminology, however, since I'm a Microsoft consultant the examples and products mentioned are Microsoft's. ...
What is normalization? Explain different levels of normalization. Check out the article Q100139 from the Microsoft knowledge base and of course, there's much more information available on the net. It'll be a good idea to get a hold of any RDBMS fundamentals text book, especially the one by C. J. Date. Most of the time, it will be okay if you can explain up to third normal form. What is denormalization and when would you go for it? As the name indicates, denormalization is the reverse process of normalization. ...
When was .NET announced? Bill Gates delivered a keynote at Forum 2000, held June 22, 2000, outlining the .NET 'vision'. The July 2000 PDC had a number of sessions on .NET technology, and delegates were given CDs containing a pre-release version of the .NET framework/SDK and Visual Studio.NET. When was the first version of .NET released? The final version of the 1.0 SDK and runtime was made publicly available around 6pm PST on 15-Jan-2002. At the same time, the final version of Visual Studio.NET was ...
Code Access Security (CAS) Ask any typical .NET developer about Code Access Security (CAS) and you've got the chance of hearing "Huh?" as the response. Most developers haven't run into CAS at all—let alone in a way that would cause them to develop a deep understanding of it. Ask your typical SharePoint developer about CAS and they're likely to begin to shudder uncontrollably. Why is that? Well, SharePoint developers have been dealing with CAS since the day that SharePoint was released. Unlike ASP.NET, ...
Authentication in ASP.NET There are two closely interlinked concepts at the heart of security for distributed applications - authentication and authorization. Authentication is the process of obtaining some sort of credentials from the users and using those credentials to verify the user’s identity. Authorization is the process of allowing an authenticated user access to resources. Authentication always precedes authorization; even if your application lets anonymous users connect and use the ...
UPDATE: October 2, 2009 There is a better way of doing it with Ajax Control Toolkit version 3.0.30930 which works with .NET 3.5 SP1 and Visual Studio 2008 SP1. Please read this post for step by step instructions. One of the common queries I get across my sessions is that the File Upload control doesn't work inside an UpdatePanel. All of us would like to implement a Gmail File Upload kind of interface and when you try to implement a similar thing using UpdatePanel (which works like a charm for other ...

Congrats to Dave Woods for his MVP award in the area of Security (which is funny since most fathers lock up their daughters when Dave comes around...)

;)

D

If you don't know by now, you can reset your web applications and/or web sites with a simple change to the web.config. For example you can FTP (if remote or hosted) to your server and edit the web.config by adding a space or removing a space. Basically you want the application you're editing with to think something has changed since you touched the document. Save the file after this has happened and IIS will recycle the application / web site. This however can be tedious and just well feel like a ...
I realize it's been a while since my last post on Inversion of Control containers and looking at Unity as one of them. Since that time, Scott Hanselman linked to some of the comparisons that I did for IoC containers here. I'll be the first to admit that the look was a bit naive, but to get you all interested in looking at IoC container and how they can improve your applications. It was suggested here that my posts weren't a complete comparison, although in my previous posts I covered a lot of those ...
Let me give a very big thank you to all of you who came to the dotNETwork 3rd gathering yesterday. To those who don't know what I'm talking about, read here :). I've enjoyed with you all Mohamed Hossam's great session on Windows Workflow, and enjoyed you, the great attendees, during my Scrum session. This came clear in many areas. The fun soul that you all had was great, the input and interactivity from most was very inspiring, and the way how our talk moved from applying Scrum in the real world ...
It's hard to believe that SQL injection is still an issue. My friend Zain Naboulsi gave us a great overview of basic security hacks and how to defend against them at our last MSDN Express event. I recall learning about SQL Injection issues over 12 years ago in my first job. Here's a fairly decent article about some of the details of SQL Injection, in case you're not familiar with its problems. http://www.sqlservercentral... ...
It is something of a shame that Symantec is not making the best of this acquisition, especially when you consider the amount of change and hype in the Virtualization space over the last 14 months since Symantec announced the purchase. I made the comment only a few weeks ago (Thinstall quick out of the blocks) that it was quite gratifying to see good technology not sitting by the sidelines waiting for the politics and marketing to settle before it can get back on with getting the work done - but ...
Jesse Liberty on Getting Started with SL2, Tim Sneath on Silverlight Streaming, Michael Schwarz on SL2 breaking changes and updating his Surface demo to SL2, Delay added databinding to his HTMLTextBlock sample, Pete Brown on SL2 and WCF, Brad Abrams on the release of the SL2 Control Code, Frank Lavigne and Chrishayuk both on Cross-Domain issues, Jose Fajardo updated his Media player to SL2, and not SL, but Karen Corby gave up the source to her SnippetManager! From SilverlightCream.com: Tip of the ...
As D'Arcy shared on his blog last night, Will Craddock and Rodney Buike hosted a Community Connection event sponsored by CIPS and Microsoft in Regina, Sask, Canada. We had a great turn out, expected 175 people, I would assume 100+ attended although I did not get the final numbers. This event type was certainly new to our market; it followed the idea of Open Spaces that has been all the rage in the community. What I was most impressed with, is the fact that Microsoft made an effort to enforce community ...
I'm heading to Regina tonight (thank you Telus Aircard for the uninterrupted, hassle free internet!) to attend their community connection event in association with the VS.NET 2008 launch events. Very pumped. I'm meeting Gary and Will for drinks...I guess I'll have to sample Pilsner...I never have. [Edit] In the time that I started writing this and right now, they just announced the flight will be delayed...I'm not boarding until 9ish, which is about 40 minutes late.[/Edit] So...I'm going through ...
OK so this is my first blogpost (EVER) so I hope it'll be of value to some people. This post is about passing through some information at the client to the server, and how to automate this using the WCF configuration. Case study: I was with a client, developing WCF services which are hosted on IIS. Since they already have a wide range of security settings stored in databases, it would be a shame to let go of those configurations and force a whole new security model on them instead of trying to integrate ...
According to the Washington Post, industry executives fear there won't be enough new defense sector workers to replace those employees as they retire. The problem is that almost 60 percent of U.S. aerospace workers in 2007 were 45 or older, which could affect national security and even close the door on commercial products that start out as military technology, industry officials said. Another part of the problem is the fierce competition for a limited pool of math and science experts from all corners of ...
Security trimming is a feature which allows you to hide URLs based on roles. This means you can have a single web.sitemap file which contains all the URLs of the website. The URLs will be served to the users based on their roles. A common place where security trimming is used is when you want to display a menu based on the user's role. To get started with sitemap and security trimming check out the following post: http://geekswithblogs.net/a... Now, sometimes ...
In a move sure to make many an ITPro squeal with delight, Apple announced today that the iPhone will soon be enterprise-ready by licensing ActiveSync from Microsoft and adding remote lock, remote wipe and other requested features. Sign up for the Enterprise Beta program here. The iPhone will offer full Exchange support, thanks to licenses from Microsoft. The iPhone will also get enterprise-friendly security features, including remote wipe, support for Cisco IPsec VPN, certificates, identities, and ...
It's very nice to know that the launch event is not merged with EDC 2008, but comes before it. The 2008 launch event covers VS 2008, Win 2008 and SQL 2008. It'll be held March 24th @ Intercontinental City Stars Hotel (Register Now) The agenda: Time General Sessions 09:00 AM - 10:00 AM Registration / Coffee 10:00 AM - 11:15 AM Keynote Speech 11:15 AM - 11:45 AM Break Infrastructure Track Database & Development Track 11:45 AM - 12:30 PM Windows Server 2008 Overview Breakthrough software development ...
Right, the virtual server is up and running...time to soak up some SharePoint...get some dnrTv episodes down my throat. Sahil Malik recorded a series of SharePoint episodes, 4 in fact. He starts with what happens when SharePoint is installed and finishes with some massive XML files for a Business Data Catalogue application. Tip: They are an hour long, so watch it in fast mode, the talking speed is still good and it only takes 30 mins to watch. Session 1 Session 2 Session 3 Session 4 Note: You can ...
Mary Jo Foley has an article on bringing back creating Windows Workstation 2008 (Part I) and proposing the idea that in the past there was a “server” version of NT4 and Windows 2000 and a “workstation” version that was the same product with limits on concurrent usage when running IIS, etc. She says that since Windows Server 2008 is the best version of Windows Server ever by a wide margin, why not capitalize on that and offer a “workstation” version. Some people, especially in the consulting field ...
Grisoft has released version 8.0 of its anti-virus software. We run the paid network edition which was released yesterday on the 28th. It doesn't look like the free version has been updated yet, so home users and cheapskates will have to wait. I've been running this anti-virus program for years now and have had very few problems with it. Far fewer than McAfee or Norton. It does the two things an anti-virus package should do: stop viruses and not slow down the system. Version 8.0's biggest feature to ...
One of the missing things from Windows Vista that most perplexed me (or frustrated the monkey cr*p out of me) was the lack of the RunAs shell extension. Following proper administrative best practices, I don't log in to my laptop with domain administrative privileges, I have a separate account for that. Running something like ADUC was never easy, and UAC in Vista often got in the way. If you turned it off, you could not get prompted to run an application under a different set of credentials. You could ...
Last week I attended the Black Hat DC 2008 Briefings. The following is a list of the presentations I saw, the key concepts discussed as well as things I found interesting or didn’t know. Summary of Black Hat DC 2008 Briefings DAY 1 - Web App Track Preparing for the Cross Site Request Forgery Defense · A cross site request forgery (CSRF) can be used to force users to submit data to online web applications, sometimes manipulating their local cache or history. · This vulnerability could make a user ...
Today, I was playing around with the ASP.NET MVC Framework when I came to an interesting situation. I was displaying Categories from the Northwind database as ActionLinks. When the link is clicked it will pop up a confirmation box asking whether you want to delete the item or not. Here is the code to display the link and the confirmation box: <% foreach (var category in ViewData) { %> <%= Html.ActionLink<Category... => c.Delete(category.id), category.CategoryName, new { onclick ...
This great MSDN article: "How To: Use Medium Trust in ASP.NET 2.0" will probably answer nearly all of your questions about how to work in medium trust and how to customize medium trust permissions. Here are a few extracts from this document that serve as a sort of "quick start" to medium trust. By default, ASP.NET 2.0 Web applications and Web services run with full trust and applications can perform privileged operations and access resources subject only to operating system security and Windows access ...
Simple and Pretty Cool. Originally Posted on mikedopp.net <a id="login-link" href="javascript:showLogin(... <div id="login-panel" style="visibility: hidden;"> <fieldset onkeydown="checkForEnter();... <label> UserName: <input type="text" id="userName" /></label> <label> Password:<input type="password" id="password" /></label> <label class="checkbox" for="rememberMe"> <input type="checkbox" id="rememberMe" checked="checked" ...
As I mentioned when I pioneered this blog, I work for Terralever, an interactive marketing firm based in Tempe, AZ. I started there following a rather interesting series of events that involved an application to Blizzard. As someone who has read much of my blog will know, a lot of my interest in programming lies in areas outside of web-based programming. I consider my specialties to lie in .NET internals, object-oriented design and analysis, and Windows-based UI design -- these are the areas that ...
I recently posted the VB.NET Mersenne Twister code (rewritten from C# courtesy of Paul Vick) over at ILoveVB.NET. If you haven't looked at it before, it's pretty neat stuff. It wasn't even possible in VB.NET 1.1 because of a lack of support for unsigned integers, with VB.NET 2.0 that problem went away. If you don't know what a Mersenne Twister is, or why I would want one over, say, System.Random or System.Security.Cryptograph... then you may want to read this fine piece of ...
Authentication and authorization are the two basic parts of user-end security in ASP.NET web applications. After successful authentication of a user, authorization takes place, according to which the authenticated user is allowed access to the corresponding resources in the web application. Role-based security is a very basic requirement in the current trend of web applications. Mostly there are two roles involved, which are registered users and admin users. However in a web application ...
Now that the code camp is over, it's time for some reflection of what went well, what we'd do differently, and what others should watch out for in planning their own code camp. Do get a solid team for pulling off a Code Camp The guys we had organizing our event were top notch and is the main reason the event went off without a hitch. Organizing an event like this is not trivial, and you need to ensure that you have a team around you that buys into the event. Do contact sponsors and don't be afraid ...
Note this article is primarily based on Microsoft/.NET technologies, although the principles apply to any technology. Before development of any reasonable business software project begins the following areas need to be nailed down: Application Architecture (application structure) ORM (Object/Relational Mapping - data source access and translation to/from business objects) Base framework (system framework, helper classes, base classes, etc) UI. There are many tools available that will dictate or guide ...
Grrr... Just wasted lots of time on a stupid mistake due to misleading error message. I hate it when that happens. I usually do self-hosting for my WCF services, but on a project I am working on we wanted to host in IIS. I was focused on the security aspects - trying to get Integrated Windows security on a web site, using impersonation to call the service under the client's credentials, protecting the service with Integrated Windows Authentication and turning off anonymous access in IIS. I was trying ...
Great video by Will DePalo on how to securely communicate by digitally signing xml messages. Originally found on MSDN. How Do I: Add Security to Visual Basic and Visual C# Applications with Digital Signatures? Join Will DePalo as he shows you how to tighten security on your XML documents built with Visual Basic .NET and Visual C# by verifying digital signatures. Presented by Will DePalo on January 29, 2008 Length: 20 minutes 19 seconds Video Downloads: ZIP | WMV | iPod | MP4 | 3GP | Zune| PSP Audio ...
Linux is a Godsend! Why? It's a mature operating system that has a reputation for being robust and resilient. Has legions of devoted followers a number of which support it with an almost religious fanaticism. Has been popularised in the media fervently. It has become more than just an operating system but a momentous unstoppable force in the IT Industry. Linux has become a movement that represents a seemingly just and noble cause about the success of the underdog using the weapons of mutual cooperation ...
Today was .NETwork usergroup second gathering. The usergroup is the first and only large/effective "offline" usergroup in Egypt (although there're many others in INETA). They had a great success in their first gathering when they brought Steven Forte to talk about SQL Server 2008 new features for developers and ASP.NET MVC design pattern. I had a detailed post about it in my GWB blog at that time. Check it out for details. Background: First To Second Gathering (Warning: Boring Part!!) The .NETwork ...