Tag | Security Posts

This is to provide a little bit of explanation on the implementation of FBA authentication with SP 2010. There have been blog posts that indicate there are no sliding sessions, but with a little manipulation and understanding of some of the settings, there is some support for sliding sessions and re-issuance of tokens. The current model involves a little trade-off on performance, as re-requests to the FBA providers and also to any SP custom claim providers can have an impact on overall performance. ...
Recently, while performing .Net unit testing on some .Net dll, I kept getting the below error: 'XXX is a strongly named assembly. It will need to be re-signed before it can be executed. Warning VSP2013 : Instrumenting this image requires it to run as a 32-bit process'...... A little googling revealed that since it's a strongly named assembly, while performing unit testing it needed to be re-signed, or I needed to remove the 'strong name' altogether... As I didn't have the original private key file ...
Has the cloud backlash started? Stallman's cloudburst when he railed against the dangers of allowing our data to be locked up offsite and online (http://www.guardian.co.uk/... was perhaps predictable, but he is not the only voice to have suggested that cloud vendors are overselling the benefits and ignoring the risks. On the one hand we have some very large corporations (Amazon, Google and Microsoft in particular) pushing the advantages of migrating ...
Dears, I've just recently tried the new feature in SP2010 which is granular backup and restore. In my case, I wanted to back up a list with the data in it and restore it to another SharePoint site with the same template and language. So, the steps are very simple: Go to Central Administration --> Backup and Restore --> Granular Backup --> and choose "Export a site or list". Then choose the list/site that you want to back up and write the path of the backup ".cmp" file, and you can choose to export ...
PDF stands for Portable Document Format. As the name implies, it is a data format that can be used to describe documents. Adobe, the developers of PDF, market software to create, edit and visualize PDF files. Because the specifications of the file format are publicly available and meanwhile even became an official ISO-standard, a lot of other companies develop PDF-related software as well. In prepress, PDF is commonly used as a format to exchange data, either complete pages that need to be printed ...
Late last week it came to my attention that in Exchange 2010 SP1, Microsoft made some major changes to the way we export mailboxes to PST files. While I usually say that I embrace change, I don't when it comes to applications I manage. For those familiar with Exchange 2007, the Export-Mailbox cmdlet was a nice and easy method to take some email and dump it into a PST. All you had to do was provide yourself full access to the mailboxes you were looking to export and run the cmdlet. Well goodbye Export-Mailbox, ...
When debugging it is useful to display the connection string but what you do not want is to disclose the password. So I wrote a function StripConnectionPassword to strip the connection string of any password. The function takes a string like: Provider=SQLOLEDB.1;Passwor... Security Info=True;User ID=DINGBAT;Initial Catalog=tempdb;Data Source=DALET and returns: Provider=SQLOLEDB.1;Passwor... Security Info=True;User ID=DINGBAT;Initial Catalog=tempdb;Data Source=DALET The function ...
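The post above describes a StripConnectionPassword helper but the example string is truncated on this page. The following is an added example in Python (not the author's function, which is .NET) of the same idea: a scrubber for semicolon-delimited OLE DB / ADO.NET style connection strings. It differs from a naive `Password=` regex in two ways a practitioner cares about: `Pwd` is an accepted synonym for `Password` and must be masked too, and a quoted password value may itself contain `;`, so the string is tokenised with quote awareness rather than split blindly. The sample connection string and the `***` mask are constructed for the example.

```python
# Keywords that carry a secret in OLE DB / ADO.NET connection strings.
# "Pwd" is an accepted synonym for "Password"; a regex that only looks
# for "Password=" silently leaks the short form.
SECRET_KEYS = {"password", "pwd"}


def _split_tokens(conn: str) -> list:
    """Split on ';' but not inside "...", '...' or {...} values."""
    parts, buf, closing = [], [], None
    for ch in conn:
        if closing:                     # inside a quoted value
            buf.append(ch)
            if ch == closing:
                closing = None
        elif ch in ('"', "'"):
            closing = ch
            buf.append(ch)
        elif ch == "{":                 # ODBC-style {value}
            closing = "}"
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def strip_connection_password(conn: str, mask: str = "***") -> str:
    """Return conn with the value of every password keyword replaced by mask.

    Everything else (provider, data source, user id, ...) is left intact so
    the string is still useful in a debug log.
    """
    out = []
    for part in _split_tokens(conn):
        key, sep, _value = part.partition("=")
        if sep and key.strip().lower() in SECRET_KEYS:
            out.append(f"{key}={mask}")
        else:
            out.append(part)
    return ";".join(out)


if __name__ == "__main__":
    # Constructed sample; the password below is not a real credential.
    sample = ("Provider=SQLOLEDB.1;Password=s3cret;Persist Security Info=True;"
              "User ID=DINGBAT;Initial Catalog=tempdb;Data Source=DALET")
    print(strip_connection_password(sample))
```

One caveat worth pairing with this: masking the string you log does not protect the one the provider keeps. With `Persist Security Info=True` (as in the sample) an opened ADO/ADO.NET connection will hand the password back through its `ConnectionString` property, so set it to `False` unless something genuinely needs to read the secret back.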
Ok, so you have locked your SQL down. No users allowed. But then there is this information worker for whom the IT department made a special SSIS package. And they loaded the package into the SQL server and created a SQL Agent job for it. Well, no problem so far. But now the user wants to be able to start the job whenever he needs to. Hmmm, huge problem. Because you need to have SA equivalent rights. What?? Yes, you read it right. SA equivalent !! Hell no! Ok, a SQL geek will now say, that's wrong, ...
I'm a fan of pretty much all kinds of music, but certain types of music really resonate with me. For most of my adult(?) life, I've been a huge Danzig fan. I've seen them play live at least 5 times and have managed to collect a few backstage passes, guitar picks, tshirts, etc over the years... along with buying everything they've ever released, for better or worse. Mostly, I'm a fan of the first three albums and the Demonsweat Live EP. After that, there were too many lineup changes and musical direction ...
At the UK Connected Systems User Group meeting yesterday we had a good session from Imran on Azure AppFabric. We ran out of evening before the end of the session, so I didn't get to raise this question, but it's a crucial point for me. The Service Bus exists to easily expose internal services to the outside world. It's an easy sell to tech guys, but I haven't yet worked with a client's security team who are open to the concept. I think the security guys have a good point: the status quo for exposing ...
Let’s focus on Exam 70-583 this time. This exam is PRO: Designing and Developing Windows Azure Applications. This guide itself will be a different approach to preparing for the exam itself. Instead of just taking the individual topics, let’s review the topic in as much information as we can. Here is a set of resources to get started. This is the topic I will be presenting at TechEd North America 2011, so expect more information after 5/18/2011. Here is the link to the session: http://northamerica.msteche... ...
Let’s focus on Exam 70-513 this time. This exam is TS: Windows Communication Foundation Development with Microsoft .NET Framework 4. Additional Resources: http://msdn.microsoft.com/e... http://msdn.microsoft.com/e... The exam objectives are: Creating Services Create service and operation contracts http://msdn.microsoft.com/e... http://msdn.microsoft.com/e... http://msdn.microsoft.com/e... ...
It’s not often I let my personal life creep into affecting the things I’m involved in and doing. I usually let my hobbies kind of get me through the tough parts. And while I’ve been having fun distracting myself with playing games and coding this week, I’ll admit my eye wasn’t on the community like it normally is. I apologize for the late posting of the notes and for how light and sparse they are. I’m sure there was more going on in the XNA community (and if you were missed in this weeks notes, shoot ...
One of my recent projects involved creating an authentication module compatible with both .Net 3.5 and 4.0 and supporting platforms as early as Windows 2000. In the next few lines, I will highlight our progressive thinking and the various implementations we experimented with along with a summary of shortfalls we found with each. For those reading this post, please feel free to share your thoughts in the comments section as I am looking forward to reading and learning from your ideas and input. Principal ...
Just had a stupid fake anti virus software program try to infect my computer. Two scary things about it; first, it tried to present itself as a legitimate operation by Microsoft trying to copy a file while browsing images of a band in Bing using IE9. I got the User Access Control (UAC) prompt (that thing that pops up and grays out the rest of your screen) twice. After telling it no twice, it crashed IE then presented itself not just as the fake anti virus software but also with its own fake “Action ...
This is just a note to myself on what needs to be changed while working on projects that are on a UNC share. Problem 1: The first problem is the trust level for the Intranet Zone. Fix: Go to Control Panel\Administrative Tools\ and launch the Microsoft .NET Framework 2.0 Configuration Tool. Click on Runtime Security Policy, then in the right pane, click Adjust Zone Security. Click Local Intranet and change the trust level for this zone to Full Trust. Then you might get this error: Problem 2: The network BIOS ...
Yesterday I had a brush with multi-channel digital marketing that worked. Here is the story. To set the stage, we have to go back a few months to when I replaced my aging laptop with a new Mac and migrated my Windows operating system on to Parallels. Once the migration was complete an offer was presented to me. It was a trial for anti-virus or maybe anti-spyware software with a name that began with a K and seemed foreign to me. I declined. Now jumping ahead to yesterday, I was watching TV and I recognized ...
First, let me clarify the “killing kittens” statement. A couple of years back, I had the chance of attending a session presented by Todd Klindt and Shane Young on SharePoint Installation and, to raise awareness of how little control, not to say the limitations, of installing in Standalone mode, they would state “Every time a SharePoint Standalone Installation happens, God kills a kitten”. Ok, now on to the rest of the purpose of the post. Assumption: SQL Server 2008 R2 is already installed on the ...
HTML5 introduces markup-level functionality for rich graphics, animation and web multimedia. It also supports richer web application functionality and extends the client capabilities with local storage. Many pundits see it as the next generation web - web 3.0 if you like - and an open standard replacement for proprietary plug-ins, Microsoft Silverlight and Adobe Flash. But, for all its new features, HTML5 is still only the end product. This article looks at HTML5 from the web programmer's point of ...
This post is an extension to BRE Data Services: how to expose the on-premise REST based service through the Azure AppFabric Service Bus to your partners outside your enterprise securely. We at Tellago have created numerous REST based services for monitoring and managing BizTalk Server, BRE, RFID Data Services etc. What if your enterprise wants to leverage the service to be accessible outside your enterprise in a secured manner by external parties or mobile apps? So by using AppFabric Service Bus you’re ...
This is a security patch for Visual Studio 2010 Professional. It gave me a generic error code of ...
This post is from a very good friend of mine, Billy Hollis. He’s got some interesting food for thought and I think you’ll enjoy his perspective! For over 15 years now, our industry has been struggling with a crucial tradeoff. We can get broad reach via standards, or we can get the best possible user experience with applications that take advantage of particular devices or platforms. It's a stereotype that people in software development tend to be code and technology centric and not user centric. ...
Leadership Veracity consultants are an interesting group of people. We have some of the best and brightest people working to help our customers deliver great products to their customers. While there are a lot of consulting shops in the industry, most are not like Veracity Solutions. Many shops simply want to put a body into a chair. They offer cheap hourly full time employee replacements (contractors) instead of people that can actually help their business be successful. Veracity, on the other hand, ...
Ok here is a cool trick I figured out that I hope will be helpful to someone: What if you wanted to block all the incoming IP addresses from a given country to a given site using only PHP and MySQL (without using .htaccess, etc.) and be able to log who you blocked into your MySQL database? First, you need to have a white list or a black list. I got mine from http://software77.net/geo-ip/ because they were free, based off of countries and worked pretty darn well. For myself, I used the x.x.x.x-y.y.y.y ...
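The lookup that post is building, as an added example in Python rather than the author's PHP (this is not code from the post): parse the `x.x.x.x-y.y.y.y,CC` range format into sorted integer intervals, then answer "which country owns this address" with a binary search instead of scanning every row per request. The range data below is constructed for the example (it uses documentation and private address space, not the real software77 allocations), and the country codes `XA`, `XB`, `XC` are placeholders.

```python
import bisect
import ipaddress

# Constructed sample in the "start-end,CC" shape the post describes.
# These are illustrative ranges and placeholder codes, not real geo-IP data.
SAMPLE_RANGES = """\
# start-end,country
10.0.0.0-10.255.255.255,XA
192.0.2.0-192.0.2.255,XB
198.51.100.0-198.51.100.127,XA
203.0.113.0-203.0.113.255,XC
"""


def load_ranges(text: str):
    """Parse range lines into (starts, rows) for bisect lookups.

    starts is the sorted list of range start integers; rows holds the
    matching (start, end, country) tuples in the same order.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        span, _, cc = line.partition(",")
        start, _, end = span.partition("-")
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        if hi < lo:
            raise ValueError(f"inverted range: {line}")
        rows.append((lo, hi, cc.strip().upper()))
    rows.sort()
    return [r[0] for r in rows], rows


def country_of(ip: str, table):
    """Return the country code covering ip, or None if no range matches."""
    starts, rows = table
    try:
        n = int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:
        return None            # malformed input never reaches the table
    i = bisect.bisect_right(starts, n) - 1
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None


def is_blocked(ip: str, table, countries, allow_list=False) -> bool:
    """Black-list mode blocks listed countries; allow-list mode blocks
    everything else, including addresses the table does not cover."""
    cc = country_of(ip, table)
    if allow_list:
        return cc not in countries
    return cc is not None and cc in countries


if __name__ == "__main__":
    table = load_ranges(SAMPLE_RANGES)
    for addr in ("10.1.2.3", "192.0.2.10", "198.51.100.200"):
        print(addr, country_of(addr, table), is_blocked(addr, table, {"XA"}))
```

Two practical notes. Decide which address you are classifying: behind a load balancer or CDN the client address is in a forwarded header, but that header is attacker-controlled unless you only honour it from your own proxy, so use the socket peer address by default. And when logging a block to MySQL as the post does, insert the address and country through a parameterised query rather than string concatenation.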
(these are lifted verbatim from Microsoft here, here and here and are presented below only because it’s convenient to have them lumped altogether…) Getting Started with Windows Phone Windows Phone development platform supports both XNA Framework and Silverlight. This unit takes you through the step-by-step creation of your first Windows Phone Silverlight application. Hands-On Labs · Hello Windows Phone This lab intends to be the classic "Hello World" application, introducing you to the tools and ...
XNA Games in Windows are hosted within a Windows Forms Form. This allows you access to many special Windows-only features, such as drag and drop, provided that you know the right code to put in to get access to that form. Someone on the App Hub forums had asked earlier today about how to enable drag and drop for a Windows-only XNA game. Since it sounded like a neat thing to learn how to do, I coded up a quick sample to display it. As always, the code is heavily commented so that it should be easy ...
We noticed some very odd, random behavior in our environment specifically with Exchange 2010 ActiveSync and Outlook Web App. Some of our mobile devices had trouble synchronizing email (problems with connecting, direct push wasn’t working properly). Some of our users had trouble connecting to Outlook Web App. Some of our users using Outlook Web App externally were inadvertently connecting to other user mailboxes that they did not have permission to and, not to mention, a serious security breach (I ...
I have had to rebuild my Windows 7 PC and all has gone fairly well until I tried to connect to a Samba share on a legacy Linux box running Redhat 8. No matter what combination of domain / user /password I would just see the same message of: "The specified network password is not correct." This is a misleading error, very annoying and a little confusing until I found a hint that Windows 7 default authentication was not supported on older Samba implementations. I guess I figured this out once before ...
The much anticipated RTM release of Internet Explorer 9 (IE9) happened today. The IE9 preview release was first showcased at MIX 2010 and after that there were 7-8 Platform Preview releases. Also, the IE9 Beta came out in September 2010 with close to 10 million downloads within a month. More recently, the RC version was out with much improved performance. Today marks the launch of IE9 RTM. What this means is that, within a year, the IE Team has shipped the stable product, much faster than the earlier cycles ...
Someone recently asked me “is cloud computing going to change the way we perceive data?”. My first instinct was “of course”; but I restrained myself and thought for a moment. Then my answer was “no”. Why do I feel that way? Technology and business have evolved quite a bit in the past few decades; however, the need to effectively view and utilize data hasn't changed. It is not uncommon to see many organizations rely on multiple database management systems (DBMS). Applications and systems are often ...
I spent most of yesterday removing an annoying virus from my PC. I feel slightly foolish for getting one in the first place, but after so many years I guess I was always going to eventually succumb. I was also a little surprised at the failure of various tools at removing it. The virus would redirect the browser to websites including ‘licosearch’, ‘hugosearch’ and ‘facebook’, and the disk would be thrashing away infecting dlls in some way. I had the full up to date version of McAfee installed. This ...
In this Back from the Summit Issue, I am overloaded with posts to choose from. Submittals go first, but I'll eventually catch up... hopefully by MIX :) : Ollie Riches(-2-), Colin Eberhardt, John Papa, Jeremy Likness, Martin Krüger, Joost van Schaik, Karl Shifflett, Michael Crump, Georgi Stoyanov, Yochay Kiriaty, Page Brooks, and Deborah Kurata. Above the Fold: Silverlight: "ClassifiedCabinet: A Quick Start" Georgi Stoyanov WP7: "Easy access to WMAppManifest.xml App properties like version and title" ...
Thanks to everyone who helped pack the room at the Fox Valley Day of .NET. This presentation was designed to help developers understand why secure coding is important, what areas to focus on and additional resources. You can find the slides here. Remember to understand what you are really trying to protect within your application. This needs to be a conversation between the application owner, developer and architect. Understand what data (or Asset) needs to be protected. This could be passwords, ...
The Cloud and SaaS models are changing the face of enterprise IT in terms of economics, scalability and accessibility. Visual WebGui Instant CloudMove transforms your Client / Server application code to run natively as .NET on Windows Azure and enables your Azure Client / Server application to have secured-by-design plain Web or Mobile browser based accessibility. Itzik Spitzen, VP of R&D, Gizmox, will present a webcast on Microsoft Academy on Tuesday 8 March at 8am (USA Pacific Time) explaining ...
SoapUI is one of the best free tools around to test web services. Some time ago I was trying to send a soap message towards a SSL web service that was set up for client certificate authentication. I pretty soon got stuck at the “javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message” error, but after reading several posts on the internet I solved that issue. It’s not really that complicated after all, but since I could not find a decent place on the internet that explains ...
The Past A few years ago my small software company made the jump from storing code on a shared folder to source code control. At the time we had evaluated a few of the options and settled on Tortoise SVN. The main motivation for going the SVN route was that we found a great plugin for Visual Studio that allowed us to avoid the command prompt for uploading changes (like I said we are windows programmers… command prompt bad!! ) and it was free. Up to now we have been pretty happy with SVN as it removed ...
I’m currently writing a large piece on MSMQ security and wanted to check I was covering the right areas. I have some doubts as I’ve seen the occasional MSMQ forum question where a poster has used the word “security” in different contexts to what I was expecting. So here are the areas I plan to cover: Message security encryption on the wire (SSL and IPSEC) encryption of the message (MSMQ encryption) encryption of the payload (data encryption) signing and authentication Queue security SIDs and ACLs ...
Secunia Personal Software Inspector is now available in an updated version that is free for personal use. The home page says "The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals. The only solution to block these kinds of attacks is to apply security updates, commonly ...
For quite a while I have been using the concept of base pages when developing pages in ASP.NET applications. It is a wonderful method for exposing common functions to all of your applications pages and also overriding certain events for various purposes (i.e. dynamic themes). Recently I found out a new developer will be joining my team. This prompted me to review the applications code for readability and ease of maintenance. I began adding comments through out the code behind for all pages within ...
An issue was brought to my attention today at work where certain users were unable to open Office files (specifically Excel) from Internet Explorer 7. The user would click on a button which simply generated an inline JS call to open a pop-up pointing to the .xlsx file on the server. IE would open the pop-up and then shortly thereafter the pop-up would disappear without the file ever opening. I tweaked the security settings in the users browser...added the site to the list of trusted sites and lowered ...
Up until recently one of my applications has used the membership provider within ASP.NET exclusively. However, it has been proposed that while the currently defined roles are beneficial, security needs to be more granular to restrict both access to certain pages and functionality present within a given page. Unfortunately, the role based security ASP.NET gives you out of the box falls down in this area. This is not due to a lack of foresight by Microsoft, but rather it was simply not designed for ...
I’ve been updating the Winnipeg Code Camp website over the last few weeks with sessions and speakers as we’ve added them, and I’m happy to announce the full set of sessions!* We have a very interesting mix this year with new speakers and varied technologies! Remember this is a *FREE* event, so head over to our website to find out how to register for what will be a fantastic code camp! *OK, so we still have one session that needs to have an official title, and one session that’s still TBA…but close ...
I know a lot of technical people who work in partners (ISVs, System Integrators etc). I know that virtually none of them would think of going to the Microsoft Partner Network (MPN) learning portal to find some deep and high quality technical content. Instead they would head to MSDN, Channel 9, msdev.com etc. I am one of those people :-) Hence imagine my surprise when I stumbled upon this little gem Architectural Guidance for Migrating Applications to Windows Azure Platform (your company and hence ...
We love seeing projects from start to finish, and we’re happy to share the latest example with you. Who: SaaS Web Apps – they use Software as a Service to create web applications that look and feel like desktop applications. What: SaaS Web Apps needed to build a Sports Contract Management System (SCMS) for one of its customers, Premier Stinson Sports. Why: The SCMS database is used for collecting, analyzing and recording college coach and athletic directors’ employment and contract data. The Challenge: ...
I'm sure that over time you've run into the dreaded "File transport does not have read/write privileges for receive location "C:\Flatfile\SAPTestIn\".". Usually you simply go to the folder and either give the BizTalk account full permission (bad) or Everyone full permission (really bad). So for a production environment, what are the absolute minimum permissions required? For the Receive File Adapter the explicit permissions are: NTFS Attribute Property Name DELETE Delete Files FILE_READ_DATA List Folder ...
A colleague has pointed me towards two useful add-ons for Firefox. The first is XPATHER, a feature rich XPath generator, editor, inspector and simple extraction tool that he found useful in constructing tests with Selenium. See the home page at https://addons.mozilla.org/... The other is XSS Me. The home page at https://addons.mozilla.org/... states "XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting ...
In this Issue: Michael James(-2-), Joost van Schaik, Colin Eberhardt, Jesse Liberty, John Papa, Levente Mihály(-2-), Peter Kuhn, WindowsPhoneGeek, and Daniel Egan. Above the Fold: Silverlight: "Creating Packs from the Silverlight Application Themes" Peter Kuhn WP7: "A Windows Phone 7 Jump List Control" Colin Eberhardt Shoutouts: Mike Ormond gave a Tech Days virtual conference session on Thursday, and posted his material and links: Links from my “Silverlight for Windows Phone” session From SilverlightCream.com: ...
Getting this silly thing to work turned out to be a painful experience, so I am recording my lessons learned so that if some other downtrodden programmer wants to see what I did, they will be able to figure it out faster (hopefully): Ok, so say you have a silverlight application and you want to talk to a database. Silverlight is Client-based, and Databases are Server based. This is a problem. You can either pass the values in initially (not very good for interactive stuff) or you can make a WCF service. ...
If you attempt to make an ajax call that crosses domain or protocol boundaries, the default XHR (XmlHttpRequest) processor will fail. The out-of-the-box implementation forbids crossing boundaries. Enter flXHR, a Flash-based proxy that implements (and extends) the XHR API. That’s good news for jQuery developers. It means you can use flXHR just like the native jQuery XHR. There’s also a jQuery proxy plugin that makes it SIMPLE. You can download the sample here. In my example, I’m hosting the website ...
We want to use both subversion usernames and passwords as well as Active Directory for our authentication on our Collabnet subversion server. This has proven to be more of a challenge than we thought, mostly because Collabnet’s documentation is weak in this area. To supplement that documentation, I add my own. The first thing to understand is that the attribute that you specify in the LDAP Login Attribute ONLY applies to lookups done for the user. It does NOT apply to the LDAP Bind DN field. Second, ...