Tag | Security Posts

A question was posed to our user group's listserv yesterday. After typing up a response I saw that I had written a short novel on the subject, and thought it may be of use to those outside our group. First the question posed: > My employer doesn't want to expose its production databases to the world, so they sit safely behind a firewall. The production web servers want to talk to those databases, so we open the right ports to let them talk through matching, local machine user accounts. This way ...
One of the more obscure things about the .NET Framework is the Disposable pattern used throughout the framework, supported via the IDisposable interface. This pattern is so pervasive throughout .NET, that C# intrinsically supports it via the using keyword. There is also a standard pattern for implementing the interface that the interface just can't express (perhaps because interfaces can't specify protected methods; maybe that's a C# 4.0 Wishlist part 6 item?). We can use an IDisposable object with ...
Vista SP1 to debut Monday A couple of months ago I applied the security patches to my laptop running VISTA Ultimate and McAfee antivirus. I was unable to access several pages that I had previously accessed; among them Yahoo Mail and my employer's Web Access for GroupWise. After much googling I uninstalled the latest security patch. The problem did not clear. I worked with McAfee support and finally uninstalled McAfee and then reinstalled McAfee followed by the security updates. Everything was now ...
If you are working with Windows Vista and IIS7 and developing web applications using Visual Studio 2005, you might want to know certain things before you panic on getting issues with creating http://localhost applications running out of the IIS Webserver. With Windows Vista, we ensured that security is the most important aspect and anything that needs an administrative privilege (could be running a script, could be creating a website in your webroot or simply could be changing your desktop resolution) ...
One of the first things we went over in my first computer science class was the idea of preconditions and postconditions for functions: what the caller should expect will be needed before and how the results will be after the call. We also discussed parameter validation, which I've found more and more to be important. Parameter validation is not only important for security purposes, but helpful in debugging scenarios when you wouldn't otherwise be sure that an exception is being generated because ...
Not much hoopla this year over the one year anniversary of Vista. In fact, when I was part of the Microsoft Foots program last year which allowed me to talk to customers at a popular Best Buy in Orlando, FL there was no excitement with customers when I showed them all the new features of Vista along with the new version of Microsoft Office 2007. I often wonder if Vista will ever get accepted at all. Sure all new notebooks have Vista installed on them but what about those PCs that could upgrade to ...
My latest project has been pretty much my first real distributed application - it involves securely storing and encrypting credit card data in a system that makes it nigh impossible to access the information. It's actually been really fun, delving into the depths of secure programming and trying to come up with security measures to thwart perceived avenues of attack against the system. Part of the way that this system works is by encrypting sensitive data as soon as it arrives to the application ...
Overall, when an incoming XML message contains multiple potential single messages, the extraction process needed to separate the messages out is thought of as "splitting" or "shredding" the message. The splitter pattern then, is a reliable, uniform way to address splitting/shredding throughout your applications. An example for why your application might need to split messages would be something like a single input XML message with multiple pension fund benefits for multiple persons which require ...
If you are getting the message: The test form is only available for requests from the local machine it is because you are probably testing the web service from the remote box you just migrated the web service to! The quick solution to that is to follow the advice of Juan Ignacio Gelos... (http://geekswithblogs.net/... ...and do the following: 1. Edit the web.config file for your web service application. Add or Edit: <configuration> <system.web> <webServices> ...
Recently on a project, I was bit hard by a Least User Access (LUA) bug that I ultimately should have caught. I was using a third-party component which was performing some unexpected operations. I didn't catch this item, however, until it almost went live. And it was intermittent at best when it failed. This was an unknown unknown as opposed to one of those known unknowns. So, where did my process go wrong? LUA and Development Going back through my career, I've usually been security focused. I want ...
Tech night 08 was a great success last night in the Lakefront room at LHPS. There were close to 50 students and parents in attendance to listen to Andrea Barr from Apple who talked about Podcasting. Etan Horowitz from the Orlando Sentinel talked about Tech Tips for students. Richard Connor from Laptop Plus dove into pc security and finally Dan Waters from Microsoft talked about the tablet pc and OneNote software. Lots of information in two hours' time. Thanks to Microsoft for the donation of an XBOX ...
The Web Service Software Factory (also known as the Service Factory) is an integrated collection of tools, patterns, source code and prescriptive guidance that helps Architects to enforce / streamline constraints to quickly and consistently construct Web services that adhere to industry-standard architecture and design patterns. The Service Factory provides guidance that addresses many of the challenges associated with building WCF and ASP.NET Web services and the components of a distributed application. ...
Update: Fixed some code issues and added a bit more discussion With our DC ALT.NET group, we've discussed IoC quite often as part of the discussion. Some are pretty new to the concepts of using Dependency Injection with these IoC containers. Instead, you'd find people with overloaded constructors all over the place and mocking out the dependencies in the unit tests and so on. Anyhow, I have two favorite IoC containers, being Jeremy Miller's StructureMap and Castle Windsor. If you're unfamiliar with how to ...
Just wondering if anyone could clarify a SharePoint question for me that relates to the TS: Microsoft Windows SharePoint Services 3.0 - Application Development exam. One of the objectives being measured is to Configure a target computer for Windows SharePoint Services development and beneath this is a mention of SecurityAdministrator. I'm not sure if they are referring to SharePoint Forefront Server Security Administrator or something different. Anyone have some insight ...
· Workflow services, new for 3.5, are services that are authored using workflows. Durable services are services that use a persistence provider to persist state information after an operation has completed. · The implementation of the service contract is handled through one or more ReceiveActivity activities, which are sequence activities that support either one-way or request/response message exchanges with a client. The client invokes operations through SendActivity activities, which are basic ...
So from what Alessandro is saying it currently only works with Linux, I wasn't aware of that limitation but that's OK from an Appliance perspective, but you kind of wonder how hard it might be to replicate that on the Windows side of things? Certainly this sounds like it can really help VMware distinguish itself from some of the other competitors - but only for the moment as I'm beginning to think that we might see something like an "Arms Race" as all the Virtualization players rush to outdo each ...
As a consultant I am often asked to provide training and mentoring. Let's face it: Technology changes extremely often and typical IT departments have plenty of work. As a result, staying on top of technology is tough. So organizations often (and smartly) hire consultants to help weed out the most appropriate technologies and provide focused mentoring and training. Note: Every time you read "world class" insert your tongue firmly into your cheek. Occasionally, however, an organizational representative ...
Mixit Inc, a Wall Street based company, with its development arm in Karachi, is the Diamond sponsor for the Security Traders Association of Chicago’s (STAC) Annual Winter Meeting Jan 10-13, 2008 in Chicago. Mixit Inc. is a world class technology provider to the financial services industry globally providing a high performance suite of products including order management and order routing solutions and networks. Mixit connects brokers, dealers, institutions and exchanges. The Security Traders Association ...
With the new Navigation controls in ASP.NET 2.0 you can easily set up security trimming with any provider you choose to use and a web.sitemap file or any other datasource you possess that can give you a menu structure. I would provide a link to a sample on the net by Scott Gu the ASP.NET guru. The samples include using both sql server and Windows Authentication But when setting up this nice and easy handy stuff there are some issues: 1) You will not see your menu listed (nothing will appear) when your ...
I have been trying Vista on a corporate Laptop over the holidays in advance of getting hold of the "Approved" corporate image for my laptop and in some ways it's a clunker - so if you know what you're doing and want to "trim" some of those annoying messages and confirmations then this might be just the tool for you? Vista4Experts Current Version: 1.0.0.1 Download Vista4Experts Vista4Experts is kind of a treat for computer experts who don't want security center notifications, User Account Control ...
WPF is the next generation Interface Design System for Windows Forms applications. The arrival of WPF is going to change WinForm application development a lot. WPF has made many architectural changes to the UI subsystem. Now there is a better element subsystem, notification mechanism for the changed events for the UI elements etc. What are the new features of WPF? Integration : With existing UI services like User32, WinForms, Direct3D etc. Simplified Development using XAML : Flexible UI composition ...
This article is Part 3 of the Interview Questions series. Part 1: BizTalk: Questions for interview without answers Part 2: BizTalk: Interview questions and principles Part 3: WCF: Questions for studying and interview Part 4: WCF: Questions for studying and interview: Discovery Part 5: WCF: Questions for studying and interview: Routing Service Part 6: BizTalk: Advanced Questions Additions (2008-06-18): Debugging: What tools are used for debugging WCF? Is it possible to log the messages on the ...
To quote Joel Oleson: The Security & Compliance Solution Accelerator team has put together some guidance and a solution to quickly deploy an extranet solution based on WSS or SharePoint Server 2007. The Extranet Collaboration Toolkit for SharePoint is now in Beta and available via MSConnect! To learn more about the toolkit, click here ...
We recently concluded the Microsoft Security Summit 2007 in 4 cities. I had blogged about this in my earlier post. If you happened to attend the Chennai event, well, I was present over there doing keynote and other announcements, for a change. Well, the purpose of this post is to help you download all the presentations. You can download the same from http://www.microsoft.com/in... Cheers ...
Part of my job is not only to design and implement solutions for my customers, but also to make my customers' developers stronger as well. During these customer engagements, there are many times when junior developers are involved. My job is to help those on the team to be stronger and then in turn help become leaders. Where to start? Well, I could start with a stack of point technology books (ASP.NET, SharePoint, BizTalk, etc) that become obsolete right during their printing, so that's not where ...
I just signed up for the Philly.net Code camp. Did you? There are only 400 seats available! Here are the details: Our first installment of the 2008 Code Camp series will be held at the DeVry University campus in Fort Washington, PA on Saturday, January 12 from 8:00-5:30. Please register on our web site. Detailed directions are on the DeVry web site. Lots of code, just say no to slides! 9 hours 48 sessions (8:00, 9:30, 11:00, 1:00, 2:30, 4:00) 8 tracks 400 seats with tables (laptops welcome) Free breakfast, ...
I watched last night's BBC Money Programme on Facebook which you can watch on iPlayer again in the UK from here. The section of the show I found most revealing was on 1000heads who are 'digital dialogue experts' which basically means they read online conversations which can be between you and your friends to build up a picture of likes and dislikes. This information is then used in marketing. This happens across blogs and information sources where this information can be read publicly. This is why Facebook ...
I had to write a custom download component to download modules for a ClickOnce deployed application. The actual downloading is simple, the tricky part was creating the manifest and making sure that I only download files that are required. I am using the GenerateApplicationManifest MSBuild task to generate an application manifest. The documentation is very easy to follow. The generated manifest will include a Hash value. It is fairly simple to compute the same hash value manually and be able to validate ...
I found this article today at CIO via an Article at Doug Brown's site www.dabcc.com and thought it too good to just post the quote. This is exactly why Virtualization is shaking up the IT market so much - it has the capacity to drastically change the way you think about "Flexibility" and "Agility". Being able to provision on the fly in 30 minutes or so doesn't hurt either - and it's this very reason that makes concepts like VDI seem so very attractive. Virtualization at Warp Speed: How One Company ...
Validating user input is a very common task that we perform during web page development, and in the ASP.NET world we have a handful of choices to perform validation. ASP.NET Validation Controls ASP.NET ships with a handful of ASP.NET Validation controls such as RequiredFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator, CustomValidator and ValidationSummary. These controls are very easy to hook up with other ASP.NET controls, and if properly configured they check ...
I have a simple goal. I want to be able to work with domain experts and quickly diagram the application area. This should be similar to the class diagram tool already built into Visual Studio. Once the diagram is built and approved, the ability to code generate should be next. My idea here is to generate the Data Access Layer (DAL) by using NHibernate. This would allow the application to be database agnostic by generating dynamic SQL on the fly. The Business Persistence Layer (BPL) would be generated ...
I was wanting to use LoadGen to call an orchestration exposed as a wse web service. In the documentation it covers a set of elements for the WSE Transport which will create a username token for the WSE call. I wanted to however use Kerberos so this is what I did. 1. Amend the LoadGenConsole.exe.config file to include the config section for WSE. I also included the element to point to a policy cache file. 2. I set up a policy cache to have the appropriate config to call a wse web service with Kerberos ...
In April, I wrote about my issues with Microsoft's Ten Immutable Laws of Security. Well, they've surfaced again, and once again, Microsoft is using them to justify calling an issue "not a security vulnerability." Why? Because once again, "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." Windows 2000 and Windows XP were found to have a bug in the pseudorandom number generator, part of the Microsoft CryptoAPI (CAPI) and used throughout not only the ...
Name: Everything runs as the same user Description: This situation exists on some of the test environments at a project I have been working on. Basically all of the BizTalk hosts and IIS application pools are configured to run as the same user account because it is easier to set up. This is especially common for development and testing environments. I came across the situation on this particular project where the user account had become locked out and as a result testers on three different environments ...
Last Friday I took 3 exams to update my resume again. The exams I took and which I all passed were: 70-620 Configuring Windows Vista Client 70-622 Microsoft Desktop Support – Enterprise 70-351 Microsoft Internet Security & Acceleration Server 2006, Configuring So here is my review of what I used to prepare for these exams. Exam 620 The tools I used were Microsoft E-learning and U-certify Prepkit. The Microsoft E-learning is a great way to interactively train yourself online and offline with the subjects ...
I have a frameset page that has two frames from different domains, and tried to call (from one frame) a JavaScript function on the parent page to change the URL on the other frame, but received Permission Denied. A similar problem is described in the "Cross-frame scripting, works in FF but not IE" discussion. I made sure the "Navigate sub-frames across different domains" was enabled for all my zones http://news.hping.org/comp.... The scenario is of two different web servers. The parent ...
Was doing some deep digging in google to find a comprehensive post on MOSS's Security Model, and came across Reza's post. It's a good read and comprehensive. Technorati tags: SharePoint, MOSS, WSS, Securtiy, Object Model, Permissions, SPRole, SRoleDefinition, SPRoleAssignment Cross-posted from tariqayad.com ...
Are there really places that just use zip files for source control? Wow. I've been lucky to never have worked anywhere like that...VSS was always the lowest point I was at. Optimistic locking is a good thing; keeps things current. Friends don't let friends use VSS. Tortoise SVN has an adapter for TFS that allows you to see the status of your files (checked out, not checked out) in your explorer! Very kewl. Branching - How to Structure Your Sourcecode Folder Subversion can move the folder structure ...
I heart Rob Windsor...I must say that up front. Rob is a class guy and I'm really looking forward to him stroking my cerebral cortex with WCF goodness. WCF Basics Service Contract: Defined by an interface type, and attributes are used to indicate the methods that will be included in the service topic. Service Class: Regular class with no inheritance requirements and implements the service contract interface. Service Host: Services hosted in any application, as well as IIS. Service Client: Consumes operations ...
I had some more fun with the old Windows 2000 server today. When we got the new Windows 2003 server we tried to join it to the current domain just to get the users and security permissions all taken care of. There was an extra issue involved though. All of the programming done in MS Access, and who knows how many other C# applications had a hard coded path to the server name and sometimes the IP Address. So I decided the best course of action was to swap out the servers and then re-join the old ...
Introduction This week, I've been to ITWorx first public seminar called "CuttingEdge Club" on Saturday. The idea of a public developer seminar was pretty interesting to me being one of the organizers and speakers for the first developer seminars held in Egypt ever (the DemoDay event we started earlier back in November 2006), and being a speaker myself in ITWorx internal seminars just last week! Interestingly enough, ITWorx started their internal seminars/conferences/clubs (call it whatever you like ...
So just this morning when I was looking at all the rss feeds I was surprised to see that Trika had published a post on her blog about a new exam that is released. ISA 2006 is now available as an exam and even gives you a special MCTS certification on your Transcript. The new exam is labeled 70-351: TS: Microsoft Internet Security and Acceleration (ISA) Server 2006, Configuring The MCTS certification is labeled: ISA Server 2006, Configuration I will schedule this exam as soon as possible, too bad ...
So how bad can it get? I'd suggest you hold on to your seats and buckle up, things could get bumpy from here in? Do check out Jim Rogers comments at the bottom of the post. “This is worse than the S&L crisis. This is the first time – this is the worst credit bubble we’ve ever had in American history. No – never in American history have people been able to buy a house with no money down…never. That’s never happened anytime in the world. So, we have the worst credit bubble. It’s going to take a ...
I, like many people, now use Linked-In as my primary source of business contact information. It's not ideal as I am concerned about my privacy, and am I really feeding some kind of great big marketing machine? However it is fantastically useful for keeping track of people as they move around. One of the primary reasons why you have a person as a business contact in the first place is because of the role they currently occupy. When that person moves roles, your link to that role has been lost. A classic ...
The UK HMRC's third breach in security this year is the biggest. This BBC news report holds the details. Why are such large amounts of personal data sent around government on unencrypted CDs? Why can't the NAO perform audits in Government departments? Just because there is no evidence of criminal activity why aren't people getting new personal details? This is unbelievable and criminally inexcusable. What can the Government do now to restore our confidence? Get the computer systems fixed and stop ...
Source: MSTN How to Change Windows Vista Boot Screen Some of you remember how it was possible to change the boot logo screen of Windows 95/98. I'm not sure why anyone would go to the trouble of actually doing it, but it seems that it is possible to do the same for Windows Vista. By using a freeware 3rd-party tool called Vista Boot Logo Generator (written by Dan Smith), you can easily change the Windows Vista boot screen and use any high resolution image or photo as your boot screen. This is the ...
At Microsoft, we give the highest priority to Security and always make it a core tenet of our products and technologies. Here again we are up with an MSDN Event for Developers, Senior Developers, Architects etc., on Security of different Applications be they Desktop Applications, Web Applications etc., The Security Summit 2007 aims to address some of the key ideas we had in implementing security in our products and technologies and how you can use them effectively to write secure code and ...
Judging by my limited experiences with Vista the "security" sounds like it might be a case of how much security you need to turn off until your Server actually communicates with the other devices and runs the Applications correctly? Other than that I'm looking forward to seeing just how much can be accomplished with Power Shell, it's certainly got my Brother excited ;-) 10 things to consider when making a Windows Server 2008 upgrade decision Windows Server 2008 is expected to officially launch in ...
Installing a BizTalk App can be quite a challenge. You have options of 1) Manual, lots of documentation needed. But then you were going to create docs anyway, right? This is good when you only need to install it once. 2) BizTalk-generated MSI. This is simple and quick to produce. My main issue is that this is not customizable with regard to the application name and product version (think Add/Remove programs) nor can you specify the installation folder. Another huge problem is that *if* the deployment ...
In this article we'll see how easy it is to use Virtual Earth SDK to produce a simple mashup, using web services that provide information in JSON format. Live Demo - Source Code If you are not familiar with JSON or how to integrate JSON services in ASP.NET AJAX applications, you can take a look at my 3-part series of articles on JSON and ASP.NET AJAX here. First of all, we need to create a simple .aspx page, and add a ScriptManager to it. Then, we're going to reference the Virtual Earth API in the ...