Tag | Security Posts

One of the biggest aims of BPOS is to help organizations simplify management and increase productivity. So what I’m going to show in this post is how simplified it is to set up your Outlook client with the help of the Single Sign In Tool. Do take note that you need to have at least .NET Framework 2.0 installed on your machine before you can install this. For a start, you need to download the tools from the home tab of your admin portal. Below is a screen shot of that. To start, double click on the icon. ...
Sam Abraham (Me) will have the privilege of speaking with Joe Homnick at the Gold Coast .Net User Group October 2010 meeting about The Open Data Protocol (OData). For this talk, I plan to demonstrate how the Open Data Protocol can be leveraged in an ASP.Net MVC solution to consume data feeds using JQuery. Speaking at the Gold Coast .Net User Group brings back good memories. It was at the Gold Coast group that I first met Alex Funkhouser, Sherlock Technology’s President a little over a year ago. At ...
One of the most intriguing topics in computer security is defense in depth. This basically means having many layers to security. Think about the walls and defenses in a medieval castle. An intruder has to storm each of the outer walls before they could get access to the castle. This is the same logic that leads to system designs with firewalls, intrusion detection systems, demilitarized zones, etc. The idea is that if one layer is breached then another layer may catch and stop the intrusion. More likely, ...
Recently I was working on a BizTalk project that included a secured (SSL) SOAP connection using a WCF-Custom send port that was pointing to the partner’s endpoint. Our send port raised an interesting exception when sending a test message to our partner: A message sent to adapter "WCF-Custom" on send port "<SEND PORT NAME>" with URI "<PARTNER’S URL>" is suspended. Error details: System.ServiceModel.Communi... An error occurred while making the HTTP request to <PARTNER’S ...
If you hit this issue and are pretty sure that you have downloaded the AjaxControlToolkit and configured it, the primary source of this error is that you haven’t added a script manager in the page where you are trying to use the toolkit control. Let’s examine more into this. Setting up the Toolkit AjaxControlToolkit is a set of ajax enabled controls available for free download right from the ASP.NET 2.0 AJAX days and has evolved into various versions. It was moved to CodePlex couple of years back. ...
I am using the mouse with my left hand but I am not swapping the mouse buttons. (Old habit from the times I was using public workstations at the university. I was too lazy to play with the system setup every time, so that I just moved the mouse from the right to the left side.) I am also using multiple pointing devices with my notebook. (a gaming mouse with multiple buttons at home, a simpler one at work, and also from time to time the touchpad). Normally I would set up the mouse button layout in ...
Cyber security, Cyber war, Cyber vulnerabilities are all hot topics in the news right now. They should be. Most applications and our very infrastructure are incredibly vulnerable. This should remind us of Weinberg's Second Law: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization. A swarm of woodpeckers may be closer than we think. Everyone gets outraged about privacy vulnerabilities with Google and Facebook without ...
Any ramblings and blog posts associated with the UNISA ICT 2621 tag should be considered study notes for my lectures… Objectives of Chapter 9 Discuss the issues related to managing and coordinating the activities of the SDLC Explain the major components and levels of design Describe each major design activity Develop a simple network diagram Describe common deployment environments and matching application architectures Key Words & Definitions architectural design – broad design of the overall ...

A significant security vulnerability was discovered in ASP.Net (all versions) over the weekend.  To learn about the issue and how to protect any sites you may have running on ASP.Net, check Scott Gu's link.  http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Throughout the blogosphere there have been reports of an issue with ASP.NET that will bring a site to its knees – or so, it’s been overblown and reported as such. Microsoft has released an advisory here that discusses the matter. The workaround for now is something that any public website should’ve been doing anyway. That is, implement a custom error handling page and suppress revealing detailed errors. This is a normal part of a security audit and if you follow the STRIDE threat modeling you should ...
Microsoft has recently been informed of a security vulnerability in ASP.NET and they have a fix for it. Please see ScottGu’s blog post for details: http://weblogs.asp.net/scot... In addition to providing a work-around for developers, they also have a script to run on the server to find non-compliant Web sites. Joe ...
Any ramblings and blog posts associated with the UNISA ICT 2622 tag should be considered study notes for my lectures... Objectives of Chapter 15 Discuss examples of system interfaces found in information systems Define system inputs and outputs based on the requirements of the application program Design printed and on-screen reports appropriate for recipients Explain the importance of integrity controls Identify required integrity controls for inputs, outputs, data, and processing Discuss issues ...
TOPIC: BDD and SpecFlow This is a presentation on how to use BDD and SpecFlow to build software driven by specifications. It will include a brief overview of how SpecFlow works and how to define specifications, followed by a compare and contrast with standard TDD. It will finish with real-world SpecFlow examples of successes and failures. PRESENTER: Darren Cauthon Darren Cauthon is a developer with over eight years of experience, half of which have been on the .Net platform. He currently works for ...
Hi, Shown below is one of the easiest ways to configure a BizTalk Receive Location which can receive any WCF Message based on the Binding type you provide in the configuration. This uses the WCF Custom WebService Host Factory. Where can you use this type of configuration? · Scenario where you need to send a WCF Message from .NET Code. · BizTalk Unit Testing. · Receive Locations which will be using ESB Toolkit receive locations. · and Many more. Anyways, below are the steps: - Create an IIS Virtual ...
I love Silverlight and have written / talked about it a lot. I can’t help but notice that a lot of people are new to Silverlight or may have played with it a few times. Well this post is for you. It is a list of 15 things that I’ve discovered since I started developing for Silverlight. If you are a full-time Silverlight developer then I would hope you know most of these. I promise not to scare off anyone with talks of MVVM, Prism or MEF. 1) The line highlighted below represents the MIME type and ...
MSMQ is a protocol that can benefit from the odd tweak to the registry. Unfortunately it is not always obvious what you can change to improve performance so I've tried to pull together the various sources of documentation. The first place to look is the Resource Kit Registry Reference which is pretty comprehensive. The Windows 2003 version is here but is dated "March 28, 2003" so doesn't include any new registry values introduced through hotfixes. Also, not every registry value is included for whatever ...
With lots of customers developing systems that use MSMQ across WANs, I find that I get a number of calls on problems getting messages through. Usually sending messages works a treat but pulling them back again doesn't. The main reason for this is the tightening up of MSMQ's use of RPC as documented in the Message Queuing security overview. The "Secured remote read" feature will need to be tweaked if you plan to work across forest boundaries - even if you don't, this problem can appear in development ...
You may see the following error message when you are trying to install HTTP support for MSMQ messaging: "The Message Queuing IIS extension /LM/W3Svc/1/Root/MSMQ cannot be created. Message Queuing will not be able to receive HTTP Messages. Error Code 0x80070003 Error Description: The system cannot find the path specified" What this is saying is that the MSMQ virtual directory cannot be created. Note that setup wants to create this under "/LM/W3Svc/1/Root" which is the root of the website with ID number ...
If you are designing a system that uses MSMQ over HTTP then you need to take into account that you can only push messages around the system and not pull them. So you can send from Machine A to Machine B but you can't do a similar remote receive from B to A. The reason for this is that remote receives always use the RPC protocol even if you are specifying DIRECT=HTTP or DIRECT=HTTPS. The functionality used to be present in Windows XP before service pack 2 but was withdrawn because of the limitations ...
Here's one for Windows 2008 that I've copied from the Motley Queüe Blog. MSMQ’s transactional message support uses internal messages called “order ACKs” to coordinate between sender and receiver so that no user messages are lost. When transactional messages are sent via HTTP, the URLs used to send the order ACKs back to the sender sometimes contain the special character “+”. IIS 7 has a security feature in request filtering to disallow all double escaped characters, and this interferes with the return ...
think of this as "...the neener neener heard round the world..." http://www.apple.com/pr/lib... "...today we are making some important changes to our iOS Developer Program license in sections 3.3.1, 3.3.2 and 3.3.9 to relax some restrictions we put in place earlier this year. In particular, we are relaxing all restrictions on the development tools used to create iOS apps, as long as the resulting apps do not download any code. This should give developers the flexibility ...
Just a few randoms on cloud I bumped into: Blogger Jeremy Geelan has come up with the Top 250 Players in the Cloud Computing Ecosystem and the Top 50 Bloggers on Cloud Computing. Windows Azure Security Whitepaper is live The paper provides a technical examination of the security functionality available from both the customer's and Microsoft operations' perspectives, the people and processes that help make Windows Azure more secure, as well as a brief discussion about compliance New version of Access ...
(This is a series of posts covering how to include a WinForm app inside a SharePoint 2007 application, which allows users to upload batches of files to a SharePoint document library. For further info, please see Posts One, Two, and Three. All of the code can be downloaded in Post Two.) Just a quick review of our solution, as detailed in the first three posts of this series: a Custom Action adds a menu choice to a document library’s Upload menu, which links to a Windows Form application deployed using ...
Many times, especially during development, you could have certificates that are out of date, aren’t signed by any real authority (makecert, etc.), or even don’t match the host name that the request is issued against, but you want to test, etc. One example is if you want to run Fiddler to get a good over-the-wire trace of the HTTP traffic, when the endpoint is accessed over HTTPS. With Fiddler, you can capture HTTPS traffic, only thing is, it sticks its own certificate in the chain which doesn't ...
This is officially my first day of being unemployed. I was off half of Monday and all of yesterday, but my pay ran through the end of August. I added the graphic on the right to my blog last night. I had a ‘bar napkin’ on there with a nice glass ring, but Shawn Wildermuth suggested it looked like a condom (in the wrapper). I suppose sized down it did, so I changed to this. Monday was nice with all the notes from everyone, and yesterday started off good with a couple phone interviews. Have not gotten ...
In part 1 of Crack .Net Applications I demonstrated how easy it was to reverse engineer an unprotected .Net application. In this post my aim is to highlight a few techniques that one can employ to protect one’s code from this type of hacking. So, my take on software protection is that one can never be 100% protected – given infinite time you can guarantee someone with enough intelligence will be able to bypass all security measures that you ever implement – that being said, we don’t have infinite ...
(This is a series of posts covering how to include a WinForm app inside a SharePoint 2007 application. For further info, please see Posts One, Two, and Four. All of the code can be downloaded in Post Two.) As I promised several months ago, I’ll cover the Custom Action piece of our solution. The custom action is used to allow the users to launch our Windows Forms application using Click Once deployment. Our custom action adds a new link to the Action menu of a document library’s toolbar: Adding a ...
A few months ago I attended a local user group meeting that focussed on software security. The presenter demonstrated several techniques that one could employ to bypass software security and several “tricks of the trade” that one could implement to make one’s software more secure. The presentation rekindled the fire I had for a little research project that I had attempted several months earlier on reverse engineering .Net applications but that at the time I had lost interest in after an hour of unsuccessful ...
Unlike with previous versions of Windows Server--in which you could disable Internet Explorer Enhanced Security Configuration by removing the component in Add/Remove Programs, Windows Components--the Windows Server 2008 implementation of Internet Explorer Enhanced Security Configuration is configured through Server Manager. Select the root of the Service Manager navigation pane, and under the Server Summary click Configure IE ESC, which is part of the Security Information section. A dialog box appears, ...
In this Issue: Rénald Nollet, Michael Washington, Mingfei Yan, Kirupa Chinnathambi, Roger Peters, Rob Eisenberg, and Microsoft. From SilverlightCream.com: Use the ASP.NET Authentication Service with Windows Phone 7 Rénald Nollet has a cool post up combining the ASP.NET Security Service with WP7... this was getting a lot of play on twitter last night... Printing With LightSwitch Michael Washington's latest Lightswitch post is a tutorial on printing from Lightswitch culminating in a very professional-looking ...
The road to learning is such an awesome thing! Yesterday, while browsing the MSDN Forums, I came across some people having frustration with SQL Server Express, Visual Web Developer 2010 and the Web Installer. The Issue After installation, if you create a New Website with VWD 2010, follow the steps below: Access the Web Site Administration Tool (Solution Explorer Toolbar) Click on Provider Configuration (Once the Web Site Admin Tool opens) Click on Select a single provider for all site management ...
Update 2: Excellent news! The $99 per app was wrong. See: http://windowsteamblog.com/... Thank you, Fred! Update 1: It's possible that somebody who didn't read closely looked at the old WM 6.X app cert docs, saw the $99 per app fee there, and thought it applied to WP7. I know people who "know people" and are investigating it. I'm very hopeful it's a mistake - see the end of my next post for how someone might ...
For my first “real” attempt at creating a business application using Silverlight I decided to use WCF RIA Services, Silverlight 4.0, and Visual Studio.NET 2010. What easier way to get started than through a template provided by VS.NET 2010, right? Well, in its effort to make it easier it also created some headaches. Sometimes abstraction can add a learning curve as well. In this case it created some headache for me on this project. As an IT consultant for small to enterprise level business most of ...
Managing information is important nowadays, but even more important is the way access to it is controlled. Today we will see how to create access rules for our asp.net-based web applications using the membership provider that asp.net gives us, quickly and easily. To begin, we add a new page to our asp.net project and define the following <table class="webparts"> <tr> <th> Website Access Rules</th> </tr> <tr> ...
When Commerce Server 2009 was released, it introduced a new API (commonly known as Multi Channel Commerce Foundation) based on the latest technology stack at the time. One of the biggest changes was the basis of an n-tier architect, based on WCF, which for the first time removed the Commerce Server dependencies from the web/presentation tier, and allowed all of the logic to be encapsulated on a separate application layer. In modern day architecture this becomes important when the presentation tier ...
Security Security is a nonnegotiable requirement for a cloud service offering to be successful. Access control and security for business data is of utmost importance. Business data stored in the cloud needs to be encrypted not only during storage but also during transport. Secure data and network channels across application domains in the cloud should be built right into the cloud service infrastructure. Access control prohibits unauthorized access to the data and applications and provides authorization ...
Any ramblings and blog posts associated with the UNISA ICT 2621 tag should be considered study notes for my lectures... Objectives of Chapter 4 Describe the activities of system analysis. Explain the difference between functional and non-functional system requirements. Describe three types of models and reasons for creating models Identify and understand the different types of users who will be involved in investigating system requirements Determine the kind of information that is required to model ...
What is the MSMQ problem that you are most likely to encounter? The dreaded "Insufficient Resources" error. Unless you have a working knowledge of how an operating system actually operates then this error is going to cause mass confusion. For starters, which resources does it mean? Disk space? No, that has GBs free. Memory? No, task manager shows that there is more than enough still unused. So what's up? I've had a look at the MSMQ FAQ for the following list of possibilities (plus one or two others): ...
[Source: http://geekswithblogs.net/E... In my previous post, Cloud Services and Command-Query Separation: Part 2, I walked through a sample Command-Query Separated service bus solution using readily available cloud services for communication. In this one, I'll look at some of the implications of shifting systems integration to the cloud, compared to an on-premise ESB. The focus here is mainly on Amazon Web Services, but I'll cover Azure with a dedicated sample project. Cost & Non-Functional ...
One of the new features of XNA 4.0 is the Content Project. Those of us who’ve worked in XNA 3.1 and earlier are familiar with the old Content folder, which was simply a folder inside your game project into which you’d place your raw content and from which your game would load the compiled XNB files. In theory it could be named anything since one of the things you would do in the constructor for your game is specify the name of the Content folder. XNA 4.0 has moved content (i.e. game assets like music, ...
Download GPIO Example driver and application source code A recent discussion thread in the Windows Embedded Compact Platform Development forum made it clear to me that for new Windows CE Software Engineers doing something as simple as accessing a hardware register can be very difficult. In the old days, Windows CE 5.0 and before, it was very easy; write an application that allocates a virtual address and then read or write a register. The problem with that is that allowing applications to access ...
Time for me to evaluate the progress on the original goals of our project. In January, I started on a new project and set myself/the project a few goals. These goals were explicitly written down in a previous post. We've now finished phase 1 of the project, and I took the time to see what's left of my new year's resolutions. What's the point? I believe that you can only improve and learn new things when you deliberately set yourself explicit goals. Publishing these goals for all to see has been a major ...
One of the cool features of the software my company builds is the ability to create "ad-hoc queries." The concept is simple but powerful: developers build SQL views for important data, which are available to users via a visual interface. After the user has visually built a query for the exact data she needs, our software generates a SQL language query that uses one or more of the views to extract/filter the requested data. The query can be saved with a name, an owner, security permissions, and other ...
Back in January, Jeremy Miller posted a nice article on HtmlTags: Shrink your Views with FubuMVC Html Conventions. We were immediately in love with the idea and have spent several months adapting the conventions to work with our ASP.Net MVC applications. I was having a conversation with Ryan recently, reflecting on how far we’ve come and how we had no vision of that when we first read that article. I want to share some of that, so I will be working on a series of blog posts to show “What we are doing ...
When you’re suddenly asked to “make your code secure, right now”, you need to know where to go. This presentation is designed to inform the developers, architects and others where to go to find informative resources in secure development. This was last given at the Twin Cities Code Camp and the Iowa Code Camp during April/May 2010. Additional Resources: Slide Deck OWASP OWASP Developers Guide OWASP Top 10 OWASP Code Review Guide WebGoat WebScarab OWASP Application Vulnerability Standards Project Enterprise ...
If you see any Critical Permissions inheritance block on Exchange server object entries listed in the Exchange Pre-Deployment Analyzer report for your Exchange environment, it is highly recommended that you fix these Critical entries before you install your first Exchange 2010 server. If you do not fix these Critical entries, you may encounter the following error messages when you run the Exchange Management Console or run specific Exchange PowerShell commands to view public folder information. Please ...
In this Issue: Jim Jackson(-2-), Alex Golesh, Dustin Horne, Sl.ayer, xprblog, Mike James, and David Anson. Shoutouts: John Papa is on Deep Fried Bytes: Silverlight 4 Tools and RIA Services as Heard on Deep Fried Bytes Jaime Rodriguez has some help up for those that are having problems moving from the CTP to Beta bits: Tips for uninstalling the Windows Phone Developer Tools CTPs and moving to beta Koen Zwikstra reports an update: Document Toolkit 2 Release Candidate ... check out the feature list ...
*Moved to: Active Directory Groups not Syncing with Team Foundation Server 2010 For a little while now I had been investigating an odd occurrence in Team Foundation Server. Users added to Active Directory groups have not been filtering back into the Team Foundation Server groups cache. This meant that we had to add users directly to Team Foundation Server in order to give them permission. While this was not ideal, it did not really inconvenience us that much, but we are now trying to streamline our ...
When MVC 2 was released, there was a last minute change to use Model Validation instead of Input Validation. Essentially, Model validation means that your entire view model will be validated regardless of which values actually got posted to the server. On the other hand, with Input validation, only the values that get posted to the server will get validated. While this was the right decision by the MVC team for the most mainstream cases, there are still some cases where the previous behavior of Input ...