Tag | Security Posts

Update: Shawn Wildermuth has changed his session and will be talking about Silverlight Security instead. The MIX conference this year had an open call for sessions, and 12 sessions were voted in by the public out of 169. Surprisingly (or maybe not that surprisingly, in fact), 3 sessions out of the 12 have the MVVM pattern in their title. This shows a lot of interest in this pattern, which helps the developer create decoupled, testable, blendable applications in Silverlight and in WPF. Read the ...
Today, I had to deliver a talk on security features in .NET and IIS and I was going through the www.iis.net website. In the past I had been there for Smooth Streaming and other stuff, but I stumbled upon the tools, a truckload of them, that are very handy utilities while managing a web server: URL Scan, Site Shell, Server Defender and much more related to security at http://www.iis.net/download... and with respect to performance at http://www.iis.net/download... Ok, and my titbit for this ...
It would appear that one of the biggest threats to our digital security has been exploits in Word documents. Or at least, from the extensive security features built into Word 2010, one would come to that conclusion. I came across an odd issue tonight while testing a Silverlight application. I had a Word document (a .doc file, not .docx) on a webserver, but when I tried to access it I got this: To which I said “Yes”, but when Word 2010 opened up, I got this message: I thought maybe there was an issue ...
Using SQL Azure for your applications is relatively straightforward. All you need is... a connection string... and since SQL Azure uses TDS as its underlying communication protocol, just like SQL Server, it may seem natural that you don't need to change much in your application design approach when connecting to a SQL Azure database. However, this may not necessarily be true. SQL Azure was designed for ease of deployment and scalability, and as such you may need to take certain things into consideration ...
So with Mix 10 approaching, and the voting for the community submissions open, I’m sure you’re wondering “D’Arcy, who are YOU voting for?” since obviously my recommendations and backing are GOLDEN. So this can either be seen as a boost to the submitters, or the kiss of death to their hopes of speaking. I prefer to think the former, but hey, enough chit-chat, let’s look at my ballot picks! SketchFlow for Real Software Development David Wesst Vote For This Talk! There are a few SketchFlow talks scheduled ...
SharePoint sends outgoing email as anonymous SMTP. Under Exchange 2003 this wasn’t much of an issue, as all you had to do was allow the SharePoint server IP as an allowed relay under the SMTP virtual server. In Exchange 2007, however, it becomes a bit trickier since Exchange 2007 has built-in security to make it more difficult to create open relays. First you have to create a custom receive connector with the IP addresses of your SharePoint front ends listed as allowed relays. Set your authentication ...
I am just trying to get my hands into VSTO in VS 2010. This is just an overview of that based on Saurabh Bhatia's PDC presentation. Some important points are briefly discussed in this post. Have a look. One of the biggest hurdles with VSTO is deployment. As you probably know, the prerequisites for running a VSTO app (even of the simplest Hello World variety) include: .NET Framework 3.5, Primary Interop Assemblies (PIAs), VSTO Runtime (plus Office, of course). Now, packaging these isn’t the issue, since ...
This was definitely one of those facepalm moments, where you spend a couple of hours beating on an issue and then find out it's one line of code, so hopefully folks googling the same things I did will hit on this and have a solution. Short version: if you need to HTTP POST to your controller from an HTML form, and one of your fields has embedded HTML text (in my case, it was a nifty WYSIWYG text editor), you will get a very nasty error that looks something like this: A potentially dangerous Request.Form ...
The best practice for publishing an Internet-facing SharePoint site is to use ISA as a reverse proxy solution to provide an additional layer of security between the SharePoint portal and the end user. This prevents any traffic originating from the Internet from ever reaching the internal protected network. Instead, the traffic terminates in the DMZ at the ISA server, which in turn performs Active Directory or Forms Based authentication through LDAP, LDAPS, or RADIUS. It then proxies the content ...
First, a note: I know the name of my blog is cloud9 and I'm supposed to be talking about Azure, but just like everyone has their own pronunciation of the word Azure... I have my own definition or vision of what Azure is. Azure is the core of a software + services platform. At this point in the game you might be saying DUH.. Whatever. Well let me just whatever your whatever lol. Azure = S+S = ( Azure Cloud, ServiceBus, Identity Metasystem (ACS/WIF/ADFS20/Cardspace etc), Dublin, WCF, WF, REST, Silverlight, ...
Building Blocks of a Service A service is a collection of operations that are exposed to the clients. A service contract defines what operations are available and how clients use them. A data contract describes the data that the client and service can exchange. Service Contracts Service contracts describe the operations supported by a service, the message exchange pattern used and the format of each message. The ServiceContract attribute marks an interface as a service contract. The OperationContract attribute exposes methods ...
Have you asked yourself why Web development tasks are so complex? Why must you master so many different coding languages and moving-target standards to develop a single line-of-business Web application? Do you understand what it takes to optimize an application's performance and security and to minimize the bandwidth and the CPU consumption without drastically raising the development costs and time-to-market? Based on pages, the Web was designed to carry informative Web sites and some stateless-based ...
UPDATE 10 May 2010: I finally discovered where the Remote Desktop team documented this process last December and thought it might be useful; blogs.msdn.com/rds/archive/... UPDATE 20 February 2010: Sorry for how long the final solution took to discover, but thanks to Aaron Parker's blog entry at http://blog.stealthpuppy.com we now have the final missing pieces that allow remote applications to be hosted within a standard Windows XP SP3 virtual machine. ...
In this post, I'm going to list the configuration tasks that are needed for any new MojoPortal installation. These tasks are listed elsewhere in the documentation, but I haven't seen them all listed in one place yet, so here goes. I'd like to keep this list as up to date as possible, so if there is anything you see that I've missed or gotten wrong, let me know and I'll update it. This list includes server-side configurations but stops at the point when you must use the admin UI to make additional changes ...
One of the MVVM Light Toolkit’s users requested that I add the possibility to pass the EventArgs of an event to the ICommand that it is bound to through the EventToCommand trigger. At first I was a bit reluctant, because it seems like a transgression of the rule that says you should avoid having too much knowledge about the UI layer in the ViewModel. For example, if you have a RelayCommand in the ViewModel that expects a MouseEventArgs, it kind of binds you to a certain kind of UI element, which ...
Anyone who deals with Enterprise Content Management (ECM) shudders when the subject of email comes up. With good reason! It truly is a massive problem in almost any size of organization. The problem space is itself ill-defined and not well understood by anyone. Governments and corporations large and small struggle with the issue, mostly by either brute-force archiving or ignoring it. It plays a huge role in eDiscovery and can cause innumerable security and personnel issues when it is mismanaged. ...
Technorati Tags: Leadership Smart Enterprise Magazine - insights and perspectives for the CIO This magazine covers inspirational stories and the latest IT practices, such as corporate governance and risk management. CIOs who integrate security throughout their IT operations can cut both risk and costs. IT leaders explain how they use Lean IT approaches to help their organizations stay competitive. With so many companies rethinking their business models, CIOs now enjoy a unique opportunity to demonstrate the business ...
There is a new open source approach to Ajax architecting. The approach is called Empty Client. The name is derived from the fact that with this approach there is no logic, data or open service on the client, and all Ajax calls are routed through a central HTTP/XML pipeline and optimized to a degree never realized on the web before. The approach is implemented by Visual WebGui, which positions the approach as Windows Over Web and cloud. The approach seems to be getting traction with .NET developers, who use ...
Technorati Tags: Web Services Security Some tips on how to implement Web Services Security on a .NET web service. If we are developing on the WCF (Windows Communication Foundation) platform, there is built-in support for the OASIS WS-Security Basic Profile and we can configure it through configuration settings. If you are developing on the ASMX platform (classic .NET web services), you have to depend on WSE (Web Services Enhancements) to implement the same. WSE 3.0 from the MS site offers samples for most security ...
Technorati Tags: Tutorials Managing an enterprise data center is full of challenges. Traditional physical systems and infrastructure management is complicated, and the pace is accelerated by new technologies like virtualization and cloud computing. Meanwhile, business users are demanding more dynamic IT service management and ever-increasing service levels. These factors are making old problems harder and creating new issues and requirements. This one-hour webinar covers: • Planning and optimization - to ensure ...
And yes, before anyone asks, hate is a strong word, I know. I'm ok with the HIPAA rules, and although it frustrates me that, although I'm married to my wife, I cannot verify a payment made on her account, I suppose I understand it... it doesn't stop me from complaining, but I understand. So in this day of all the hoo-ha about health care and all the records being locked down tighter than an accountant's ass... yesterday I get a letter from United Health Care. Oh, to be specific, my wife got a letter ...
I’ve been building my own machines for a while now and I’ve gotten into a routine of installing certain apps when I do a rebuild. I’ll not only grab the latest Microsoft updates, plus Office, but I’ll also install a whole list of utilities. This list keeps growing and was often something like the following: PDF reader (I go back and forth between FoxIt Reader and Adobe), FireFox and Chrome, instant messengers (MSN, GoogleTalk, Skype), Tweetdeck, Live Mesh, some kind of free antivirus (Microsoft’s Security ...
I tried to format my camera's SD card and Windows came up with an error. A little bit of googling helped: Start the management console as local administrator: Start | Run | Open: runas /user:<LokalAdmin> mmc.exe Add the group policy snap-in: File | Add/Remove Snap-In… | Add… | Group Policy Object Editor | Add | Finish | Close | OK Browse to the security policy: Console Root | Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options Pimp ...
Over a year after vice presidential candidate Sarah Palin's email account was hacked due to a poor security question, the question is still being used by popular wireless provider AT&T. This is the exact same question the hacker used to hack Sarah Palin's account: "...the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her ...
A few weeks ago I was part of a meeting that outlined some of the challenges that Agile development was inducing on an existing corporate infrastructure. And cloud computing became a possible solution to the fast-paced changes required by Agile development initiatives. Agile projects tend to be short in nature, with less documentation and evolving requirements. From a project management standpoint, development cycles are divided into sprints, which can be a couple of weeks long in certain cases. The ...
What is a proxy and how do you generate a proxy for WCF services? The proxy is a CLR class that exposes a single CLR interface representing the service contract. The proxy provides the same operations as the service's contract, but also has additional methods for managing the proxy life cycle and the connection to the service. The proxy completely encapsulates every aspect of the service: its location, its implementation technology and runtime platform, and the communication transport. The proxy can be generated ...
The DotNetNuke web hosters at PowerDNN have put together a nice 3 minute survey to analyze your needs on what version of DotNetNuke that you might need to have. The survey has 3 categories. 1. Website Size 2. Website Usage 3. Project Details With an easy UI of drop down lists, you just answer the questions listed in each category and then submit them to the site. After you submit, you'll get reasons why you should use either the Community or Professional Edition of DotNetNuke. Here's an example of ...
Some time ago I was asked to fix the following issue on an MS Vista Home Premium SP1 desktop: a user would constantly get a black or blank screen after booting into the PC. After doing some initial research using the most popular search engines, I was not able to arrive at the proper solution. How I resolved it: I noticed that I could press Ctrl-Shift-Esc after the OS booted to get to the Windows Task Manager. What struck me was that the Explorer.exe process was not listed in it! As a side ...
This KB article (KB926642) explains 2 methods for handling the scenarios that we as developers require when using a local machine for development. My preference, going forward, has been to be explicit about the host names that my development machine will use. From that article: Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication request. To do this, follow these steps for all the nodes on the client computer: Click Start, click Run, ...
In a previous post I talked about a problem I encountered with thread starvation when using the WSE 2.0 Adapter. I thought it would be a good idea if I actually put down some notes about this adapter and how it is installed. Web Service Enhancements Web Services Enhancements (WSE) is an add-on to the Microsoft .NET Framework. It includes a set of classes to implement additional WS-* Web service specifications, specifically for areas such as security, reliable messaging, and sending attachments. WSE ...
I passed the TS: Microsoft Office Communications Server 2007, Configuring exam last week. For those who are interested in taking the exam, please note there is still a heavy emphasis on Microsoft Office Communications Server 2007 on the exam, though the Skills Being Measured (http://www.microsoft.com/l... for the Microsoft exam make it very clear that the focus of the exam is on Microsoft Office Communications Server 2007 R2. The Office Communications Server 2007 ...
The Windows Azure team announced availability of the November 2009 CTP of Windows Azure along with new tooling for Visual Studio and an improved Development Fabric, as well as samples. The official announcement is given below, straight from the horse’s mouth. Today we released several new features for Windows Azure through the Windows Azure Tools and SDK. This release adds support for Visual Studio 2010 Beta 2 and VWD Express 2010 Beta 2. What’s New · Service Model UI: A redesigned and significantly ...
http://dotnetradio.com/arch... Andrew sits down with Atif Aziz. Atif Aziz is a senior IT business analyst at Cargill International and an ex-Microsoftie. His primary focus is helping customers move to the .NET Framework. He speaks regularly at Microsoft conferences and can be reached through his web site. You can find out more about Atif Aziz by visiting his web site www.raboof.com. Raboof.com = FooBar!! Atif describes to us what ELMAH is and the history behind it. He then ...
I stumbled across this series of posts by Maarten Struys and Dougturn on "Getting started with Windows Mobile development with Visual C#". I remember Joel having mentioned it in one of his posts too. I went through a couple of articles and was able to create a few basic applications in C#. I must mention that creating a basic application with your menus and a few controls takes no time at all in Visual C#. The visual designer is nice, supports a lot more controls and takes care of things that you ...
I am not sure why it took me so long to implement, but I finally had it with the Vibrant Media IntelliTXT in-line text advertising and their intrusive pop-ups. You have probably seen them yourself. They are the highlighted green words with a double underscore present in many news and blog pages. While they generate money for those sites, they are as irritating as hell, so I decided to remove them. I opened a web page which I knew would display the Vibrant advertising. A few seconds after the page ...
Thank You for Your Service I got out of the Army in 1973 and didn't hear those words from anyone until 1998, so I just wanted to say that to all the people serving or who have served. I was in college in 1970, and that was the first year they did the lottery for draft numbers. Everyone that was of service age got dumped in that pot in 1970. My number was 35, and if I remember right they took 60 numbers in January, and they used up all the numbers by the time the year was over. I knew I passed the ...
Overview There is sometimes an issue on the BizTalk Server, often following an operation such as an operating system service pack installation, where the MSDTC settings can be reset from those that BizTalk requires to work. MSDTC - Microsoft Distributed Transaction Coordinator - is a transaction manager which permits client applications to include several different sources of data in one transaction and which then coordinates committing the distributed transaction across all the servers that are ...
I just got through interviewing Atif Aziz (@raboof on twitter – foobar spelled backwards!) probably most known (at least to me) for his ELMAH (Error Logging Modules and Handlers) contribution. We discussed ELMAH, ELMAH’s Veracode Application Security Rating which made OWASP top 10 in 2007 and SANS-CWE top 25, Fizzler, Jayrock, BackLINQ, LINQBridge, and MoreLINQ. Atif is a very smart guy and you can truly hear his passion for sharing with the development community when speaking with him. This was ...
The next Winnipeg SharePoint UG event will be on Tuesday, November 24th at 5:30 PM. Same location as always: 17th floor conference room at the Richardson Building (One Lombard Place). Pizza will be provided. Presentation abstract is below, and to register please visit our registration site here. Architecting SharePoint Solutions Presenter: Juan Larios During the last year or so, Juan Larios has been working for a local client and has had a chance to architect solutions to common problems that many ...
As I am digging more into SQL Azure, it seems the choices for auditing will become a little more restricted. Generally speaking, there are four ways to audit SQL Server statements; these mechanisms are used by various software vendors to deliver auditing capabilities for compliance mandates and for security reviews. However, as we will see, many of the products will stop working for SQL Azure due to some limitations imposed by the database. At a high level, the four auditing mechanisms are: Server-side ...
Tools and Techniques for the Windows CE developer I’m opening this blog after two presentations at TechEd EMEA, one in 2008 in Barcelona called “Go embedded!” which was presenting some specific challenges encountered in embedded projects – and another one this year in Berlin called “Windows CE Tools and techniques to face the embedded challenge”. These two talks have a logical articulation, first the “what” and then the “how”. I decided to cover the “Tools and Techniques” subject after several recent ...
I thought twice before actually posting this. It was mostly because of a guilty feeling that I might be recommending a wrong way of doing things. But then I realized that, even if it seems wrong, it does provide some benefits. Anything that is beneficial is not necessarily wrong. The problem at hand is that we want to enable ASMX-style authentication in WCF. It's not that WCF does not do a good job when it comes to security, but people are more inclined to send the credentials in clear text. ...
I am currently sitting in a seminar on BI in the Cloud by John Welch at the PASS Summit 2009. SQL Server Azure looks promising for a variety of applications. Currently it only supports SQL Server relational database services, but there are future plans to include the BI stack of SQL Server. I have yet to see how data loading and security are handled, but it seems to have a lot of potential for small data sets (< 10 GB). A couple of points: Apparently data manipulation is slower than normal SQL ...
Forgive this interruption of the normal tech content presented here. But there’s a dangerous man in my neighborhood, posing as a package delivery man, ringing doorbells, then pushing his way in, tying up whoever is there, and stealing their property as they watch. One incident involved a 3-year-old being present. If you live in the West Village, please be vigilant. The following is from Marilyn Dorato, president of the local block association: From: Marilyn ...
Presenters: Simon Skaria and Umesh Unnikrishnan This was my second session during the week. It was one in which my hope was that they would talk about the deployment differences that SharePoint 2010 would have over 2007. I was not disappointed. So, to sum it up a bit: 2010 has a much more flexible model compared to 2007. Improved security model: Claims Based Authorization/SAML. Better administration with Central Administration and also PowerShell. Service Isolation: now the services that you deployed ...
I've fixed this error so many times and have had to search the internet for the fix every time that I've finally decided to log it in my own blog, mainly so I can easily find it. Here's the problem. As a general rule, https applications do not cache any pages, for security reasons. This leaves the issue of downloading files from an https site. For example, if you try to download a file (pdf, xls, doc, etc.) from any site, your computer will download it to the cache before opening it with the associated ...
There have been a few discussions going on recently with various colleagues and community members on the back of the SOA Manifesto announcement. These discussions made me think back to a year or so ago when I was watching some presentations about various SOA things. At the time there were discussions about why SOA was good, what it offered, why companies struggled with it and all of the usual stuff. At the time I was reflecting on things on the way home and was thinking, you know, SOA is really just ...
Researchers continue to challenge Apple’s security-by-obscurity position and highlight that Windows Vista and Windows 7 are more secure than the recently released Mac OS X Snow Leopard. I always love perspectives like these from top researchers who are not in the tank for Microsoft. Check out these articles: Apple missed security boat with Snow Leopard, says researcher http://www.computerworld.co... ...
When one of our users attempted to synchronize a Windows Mobile 6.1 device in our Exchange 2003 SP2 environment, the user would see the green Synchronizing icon continuously spin clockwise until it timed-out. We confirmed that the mobile device was able to connect successfully to the user’s mailbox but would not synchronize the contents of the mailbox with the user’s mobile device. In a nutshell, we use ISA Servers and Exchange 2003 Front-End servers in our Exchange ActiveSync environment. So, while ...
This is an open letter to the editor of CIO in response to an article posted on Computerworld discussing the five problems that supposedly keep legacy applications out of the cloud. Dear Editor, In light of your recent article about the challenges that legacy applications face in migrating to the cloud, below please find a response which provides answers to 4 of the most problematic issues. We believe your readers would greatly benefit from the information, and we regret that we were not directly ...