Version 2 of the IE7 Desktop Security Guide is available for download. If you are interested in locking down IE7, then you will need this document.

I got myself an eval kit for RSA SecurID tokens to see how easy / hard this would be to deploy via AD. Well, I didn't get very far, that is, installation failed spectacularly in the early stages:

After this "helpful" message box setup decided to be more specific:

Ohh-Kay. Let's go to RSA and their support center (it takes roughly five clicks to get to online support, but that's another usability story) - sign in required. Hmmm. How about creating an account?

The eligibility is a real joke: "RSA customers who have a trial product (This does not include two user demos)". Excuse moi? On the Web site you told me that I was ordering a trial and in actuality it turned out to be a "2-User Promo Kit" (the moment I needed support I looked more closely on the package...) without support.

Maybe it's the Microsoft Windows Server 2003 R2 Enterprise Edition VHD I am using?

A couple of notes to self:

• Creating a CSR (the short version)
• How do I generate a certificate request? (more detailed if you want to change RSA key lengths which I would recommend)
• Contents of .pem file for Stunnel

The latter is especially important if one fails to grasp how to turn the private key plus the certificate into the .pem for Stunnel. By the way, I was using CAcert. That works just fine for internal email servers.

Before going on holidays last week I decided to put a Longhorn Beta 3 box live on the Internet. It doesn't run a lot of things just yet (except for trials of the all-new FTP server), but today I decided to take the plunge and try FastCGI (see Using FastCGI to host PHP applications on IIS7).

An application I wanted to test-drive for a long time is WebSVN. The UI looks like this:

It is PHP-based, needs Cygwin-based tools, and is quite useful for browsing Subversion repositories. After downloading the latest code from the WebSVN repository, I was able to get up and running in about half an hour (that includes failing with WebSVN RC4, installing Cygwin, etc). You can check it out at http://iis7.chrison.net/websvn/index.php

I'll add more applications to this box over the coming days and weeks, to see what works and what doesn't for the mix of technologies I am using.

Oh, and it seems that I am the first European site registered at IIS7 On Tour:

Tonight, SQL Server decided to write a 14GB error log to disk - filling it up neatly, which of course had a couple of "side effects". Drat! All log file directories (HTTPERR, IIS, MailEnable, you name it) - everything except the SQL error log is on a separate partition for exactly one purpose: that no application log can stop the server dead in its tracks.

After clearing up the mess I thought "let's move the logs for SQL Server". Thanks to Alex I finally figured out where to do that - in the Configuration Manager:

Go to the Properties dialog, and modify the Startup Parameters (-eC):

Details can be found in the article Moving System Databases, section Moving the master and Resource Databases. Someone from Microsoft care to enlighten me as to why this log directoy has been hidden so far away from sight?

Usually, this wouldn't be down my alley, but thanks to VSTS I am a WSS user: all new WSS templates in one download. There are quite a few templates to choose from:

• Absence Request and Vacation Schedule Management
• Help Desk
• Budgeting and Tracking Multiple Projects
• Inventory Tracking
• Bug Database
• IT Team Workspace
• Call Center
• Job Requisition and Interview Management
• Change Request Management
• Knowledge Base
• Compliance Process Support Site
• Lending Library
• Contacts Management
• Physical Asset Tracking and Management
• Document Library and Review
• Project Tracking Workspace
• Event Planning
• Room and Equipment Reservations
• Expense Reimbursement and Approval Site
• Sales Lead Pipeline

I highlighted a few that might be interesting to developers.

Once again, the TFS installation guide has been updated (2/5/2007). Download here

The most useful utility for deployment (or name your task, like directory comparison) is most decidedly Robocopy, which previously shipped only as part of the OS resource kits. Now with Windows Vista, however, Robocopy comes in the box.

To get up and running quickly, I recommend that you get Robocopy GUI:

It makes getting started with Robocopy a tad easier.

This is the firewall settings dialog - much the same as we know it from Windows XP already:

However, once you fire up the management console (mmc.exe), you can add snapins for advanced firewall configuration (ok, IPSec is one of my personal favorites and not necessary to configure the firewall per se...):

Once you have done this, you can now configure the firewall like, well, an administrator would expect - rule based:

In today's pre-lunch session at IT Forum the speaker used a term I had never heard before: stiffware. And I have to agree - stiffware does pose a serious problem when you cannot 'call' (other means of 'communication' might be unreliable to say the least <g />) the guy who wrote that piece of software so you can properly configure or even install it.

Speaking of the session itself, Microsoft SoftGrid is a really cool technology. The client - which contains more than the SoftGrid client - called the Desktop Optimization Pack, is equally interesting.

If you need to find out just what devices are running Web services in your network (aside from the obvious Web servers, this includes nowadays printers, access points and many more), then you should check out httprint. It doesn't rely on server banners or fall for other obfuscation techniques, so it is quite handy to find out just what software is running on that box.

In case you need it too: Configuring SSL Host Headers shows you how to get up and running with one IP, port and certificate but multiple host headers. All you need is a wildcard certificate (learn more here) and some CLI magic because there is no UI for it. Basically, it boils down to (for example):

adsutil.vbs set w3svc/siteid/SecureBindings ":443:host.wildcarddomain.com"

Don't know how this one could slip by me - Windows Server 2003 Service Pack 1 (SP1) shipped a rather important update: you can run SSL in kernel mode (http.sys) instead of user mode. There are restrictions which are detailed here (most B2C SSL sites will do just fine), and the procedure to enable kernel-mode SSL shows how to get up and running in no time. Mostly you are only dealing with the registry key HKLM\System\CurrentControlSet\Services\HTTP\Parameters\EnableKernelSSL.

On Windows Server 2003, this is the default logging directory for the Hypertext Transfer Protocol (HTTP) APIs, better known by the kernel level http.sys driver. Chances are, you don't know that this directory exists, and what is logged there (except that when you are looking right now, you will be surprised how big that directory is!).

When you are using IIS 6.0, all requests are first received by http.sys, and then passed on to IIS - previously, IIS itself was listening for requests. Http.sys is passing on the requests intelligently, which means that certain requests never even reach IIS. For example, invalid URLs are caught:

2006-02-23 19:05:00 172.179.161.165 1422 195.234.231.66 80 HTTP/1.1 GET /serv<script%20language= 400 - URL -

Most oftentimes it is simple connection timeouts, but to get the most out of the (huge) log files, you should be using LogParser anyways.

The reason why I started this blog entry is actually this: if you don't like the HTTPERR log files on your system disk, you can relocate them. The procedure is detailed in the article Error logging in HTTP API, which also dives into the format of the log file, and which kinds of errors are actually logged there.

Today, I got this message when I tried to access Microsoft Update on my Windows Server 2003 box. It told me that it either didn't find the control, or that it wasn't installed - and that I should look out for that yellowish bar advertising an ActiveX install attempt. Well...

After some hair pulling, Stephan pointed me to the article ActiveX controls may not load as expected in Internet Explorer due to defense in depth changes introduced in cumulative security update 896688. The downloadable olereg.vbs did the trick - WU is now back in business.

Three months ago, I installed the NoSpamToday! SMTP Proxy on my dedicated server box (you can read about the adventures encountered in my blog entry Web applications and SMTP proxies don't mix well). Today I had a look at the statistics:

On average, the proxy rejects four out of five mails before they reach the mail server - for reasons ranging from malformed headers, banned file extensions, virus-contaminated attachments, and a SpamAssassin-based spam detection. Needless to say that my inbox is virtually spam-free since then. Neato.

Downloads are available for x86, x64, as well as the documentation.

It is time for a "Dear John" letter to the programmer who came up with this default location:

The Program Files directory! Yikes. And I thought programmers are well aware of the fact that they should not, must not write to this location. But here in Trillian it is the default! Welcome to 2006.

Instead of risking my sanity by trying to install Virtual PC 2004 on my x64 box, I decided to go with Virtual Server 2005 R2 x64. Thankfully, this new release of Virtual Server allows installation on an XP host, and the setup experience was pleasantly uneventful.

Of course I ran into a snag - my default browser is Firefox, and the administration Web site didn't fully function with it. So back to Internet Explorer, and configure the first (existing) virtual machine:

I learned the following things:

• Do not forget to configure the network adapters. Otherwise connecting to your domain can be a challenge.
• Definitely enable Remote Desktop on your virtual machines, which brings me to the next item on my list:
• When renaming a virtual machine beware of your own cleverness. Especially if all your virtual machines were copied from a once-configured image, and you renamed one of those instance so that the original name no longer exists in Active Directory.

Other than that I have to say that Virtual Server 2005 R2 is a much better experience than Virtual PC 2004.

Now THAT takes the biscuit by a long distance:

Those are the two hard disks of my RAID mirror! Showing up in Safely Remove Hardware... hard disks, which of course are nowhere to be seen in the device manager:

Anybody have an idea on how to exclude certain devices from Safely Remove Hardware? Let me know, I'd be really glad to hear.

Update A friend of mine pointed out that he had seen this with a RAID controller on one of his boxes too. He suggested that stopping the device would not work. After some hesitation, I decided to give it a try - and it failed:

Thank goodness. If it had succeeded, I would have had a problem.

Today I set out to do something simple - at least I thought so. My server is configured to have a German keyboard layout together with the German input locale, like so:

So I set the Default input language to English (United States). Click Apply & OK, log off, and then log on again. Guess what - I am back to square one. Neither rebooting or any other brute force let me change that, it always automagically reverted back. I'm quickly loosing confidence in my sanity and the Windows server platform.

Update: Good grief! The local input language settings are automatically remoted to the Terminal session. This default behavior I view as counterintuitive. But it can be fixed, thanks to Markus Oestreicher for pointing it out to me - Input Language of Terminal Server Client Does Not Match That of Terminal Server Session

My dedicated server box not only serves Web applications (such as this blog), it also handles mail for the respective domains. This means I have to deal with spam. Which on one hand is nice because I can do whatever I please: drop mail based on whatever criteria I set up, and use whatever filtering software I need.

This is how the NoSpamToday! SMTP Proxy found its way on my box. I simply got tired of maintaining my (rather old) standalone SpamAssassin installation, and dealing with MailEnable's integrated but not chained RBL / SPF / virus scanning (by not chained I mean that those filters are evaluated separately, not like SA, where all filters[rules] are weighted and evaluated as a whole).

Because I only have one box, I had to resort to relocate MailEnable to port 45, so that NoSpamToday! could listen on 25 and forward to MailEnable if appropriate (*). I did configure SMTPS previously (port 465 redirected to localhost:45 via stunnel), so standard users could deliver their mail directly to MailEnable instead of having their outgoing mail scanned by the proxy.

But what about my Web applications? Initially, those were sending to localhost directly, and as such I had a relaying exception set up in MailEnable. This one had to go, obviously. So how can applications deliver mail to the mail server via the proxy? SMTP authentication is necessary for this to happen.

But this doesn't solve the whole issue, it opens a can of worms, performance-wise. The problem is, every single application (Community Server, dasBlog, Gemini, ...) assumes that your SMTP server listens on port 25. Wrong. That's the proxy. And that's a problem: all local outgoing email from those applications is scanned by antivirus and antispam filters. And that's completely wasting CPU resources. As well as adding to # of addresses accepted by the backend mailserver, driving up the licenses that would be needed for NoSpamToday! (**).

Call to action: Implement not only SMTP authentication in your applications, but also make the SMTP server port configurable. I'm guilty as well.

(*)

(**)

Another great tip from Ben Armstrong, aka Virtual PC Guy: Configuring NAT via using the Microsoft Loopback Adapter and Internet Connection Sharing.

Here you will find various documents to get you started with Monad. Includes a getting started guide (now that was a surprise), MSH language reference, using tracing and three hands-on labs. Downloads for Monad itself can be found in the Related Downloads section.

I admit that I am not the sort of person who likes to go through long and winded installation instructions. However, I am willing to go to great lengths when it comes to security - still with certain limits though. And I hit such a brick wall today: trying to secure Subversion. From the documentation, I knew that the recommended path was SSH, so I set out to find out how to get this up and running on my Windows box.

Owning the black sock in Google fu, I came up with various articles, the most helpful being SVN+SSH+public key authentication on Windows Box as server. Most helpful because after reading the aforementioned recipe plus Subversion / TortoiseSVN SSH HowTo, I decided to scratch my efforts. Why?

For starters, I am not a big fan of Cygwin. That's just personal mischief of a Windows guy, I can swallow my pride when the tools that depend on it provide merit. What's more of a problem for me is installing a service for adding security to another service - especially if I need that new service just for the "security purpose", and not the other bells and whistles it can provide (plus the security issues that might be hidden in those unused parts). Call me paranoid, but I simply like to reduce "moving parts" in my setups, because: What's worse than malicious traffic? Right, encrypted malicious traffic.

Secondly, do you think - honestly - that developers love to jump through hoops to get access to the repository? (I am referring to the client side of things on Windows) Not really. From the top of my head, I fall short of naming a single developer I personally know that would love to follow those steps. But every single one of them would be more than willing to just replace svn:// for svns:// when accessing a repository.

Conclusion: yes, I am whining about the usability of an open source project. As I am participating on one myself, you very well can spare me the "usual" arguments of do-it-yourself-because-the-sourcecode-is-available-anyways. This is a rant. I want to be unreasonable. But it sure would be nice if security was in the box. Especially nowadays.

This was a longer-planned upgrade to our Subversion server that happened today: moving from the 1.1 series to 1.2.1. It went smoothly, especially because I played it safe by doing a dump / load cycle (more details to be found in Migrating a Repository) with all repositories. Safety wasn't the only concern: as detailed in the release notes, I also wanted to move the repositories to a FSFS back end, and take advantage of xdelta compression. I was mostly after server-side features, I don't see many of our devs use the optional locking...

Via Virtual PC Guy's WebLog: New WinImage Beta with support for editing VHD's. Now that is not only way cool but actually extremely useful if you need that one important file from a virtual machine - now, and not wanting to wait for the vm to start up and then do the copy operation.

Check out the article 10 Immutable Laws of Security on TechNet. A couple of those should get you thinking - I especially like #6.

Looking for great information about Internet Information Services? Then IISWebCastSeries.com is the place to go. Especially interesting should be the Webcast "Recycling IIS 6.0 Applications: The Good, the Bad, and the Ugly" (related blog entry).

This white paper explains the differences between Virtual PC and Virtual Server and discusses the scenarios in which it is appropriate to use one or the other. Download

The Securing Wireless LANs with PEAP and Passwords solution guide is designed to help small- and medium-sized organizations protect their wireless local access network (LANs). This prescriptive guidance will assist you in planning, deploying, testing, and managing a wireless LAN security infrastructure using Microsoft Windows XP, Windows Server 2003, and Pocket PC 2003. The guide is a companion to the earlier solution guide Securing Wireless LANs – a Certificate Services Solution. However, this updated guide uses passwords to authenticate users and computers to the LAN instead of digital certificates. Download

Beauty is not tonights topic, neither a talking mirror - Subversion repository mirrors are. There are a couple of ways to mirroring your repository, one being SVN::Mirror. With my pronounced distaste for the make install dance, I was on the prowl for some solution with a more Windowsy touch to it.

Not too long into Google-Fu I stumbled across SVK, which has (a) a WIN32 setup, (b) loads of features which will be the topic of future blog posts:

• Trans-backend mirror and sync for Subversion, CVS, Perforce (not on Windows currently if I gather correctly)
• All operations can be performed while offline. Now that is way cool if you are working while travelling!

SVK uses Subversion FSFS for local storage, which means prior to installing SVK you need to install Subversion. With both packages on your machine, you can start exploring. All you need is a command prompt and Windows Explorer.

svk depot --init

This will initialize the // (default) depot. Create c:\svkroot, we will relocate the default repository there next.

svk depot --relocate // c:\svkroot

I am not really interested in hosting a read-only copy of a Subversion repository in my user profile. Thus for this relocation to proceed, you also need to copy the contents of C:\Documents and Settings\Administrator\.svk\local (which is a bare bones SVN repository) into the c:\svkroot directory.

svk mirror svn://glumpatweri.emailgwiax.com/Fidalgo/trunk //SharpDevelop/trunk

Now the mirroring can begin - svk mirror is used to set up a link to an existing Subversion repository.

svk sync //SharpDevelop/trunk

Depending on the repository, grab a cup of coffee. This sync operation will take some time. Oh, and for keeping a mirrored repository in sync with the master, create a scheduled task with this command.

svnserve -d -r c:\svkroot

Testing, testing. Fire up svnserve and use TortoiseSVN to check out the read-only mirror:

Done. You have successfully mirrored a Subversion repository. Read-only. Working offline and other features of SVK will be covered later.

Cool. The WSUS Wiki just saved my day - I got the error SelfUpdate Tree is not working, which quite unsurprisingly cropped up thanks to a rather looked down setup of IIS...

In the entry Subversion on Windows as a Service, plus Commit Hook and Backup Script I showed a batch file for hooking into the post commit event of a repository. This batch file annoyed me from the very beginning. During the Indigo Community Day on Thursday in Munich I decided that it was about time to get rid of it, and after yesterday's party, I thought it might be a nice pinky exercise to do the basic port to C# today.

And yes, it is very basic at the moment. All you need to do is take post-commit.exe and post-commit.exe.config from the \SvnPostCommitHook\Hook directory in the downloadable zip file and drop those two into the hooks directory of your repository. The .config file is your ticket to customization:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
 <appSettings>
  <add key="SvnLookPath" value="C:\Program Files\Subversion\bin\svnlook" />
  <add key="MailTo" value="commitlist@yourdomain.com" />
  <add key="MailFrom" value="commithook@yourdomain.com" />
  <add key="MailSubject" value="Your project name rev {0}, {1}" />
  <add key="MailServer" value="localhost" />
 </appSettings>
</configuration>

Just as the batch file, post-commit.exe's task is to read the change log and commit message, and post it to a mailing list that distributes the information to the project stakeholders. Therefore, you need to configure the four Mail* settings to match your configuration and preferences. The SvnLookPath needs to point to your Subversion installation, however, most installations should be fine with this default.

How can you test the operation of post-commit.exe? This is the syntax:

post-commit <repository> <revision>

For example:

post-commit e:\subversion\fidalgo 1830

In the current version, testing is highly recommended as no logging or exception handling is implemented.

SvnPostCommitHook1.0.0.50409.zip (12.07 KB)

The source code is BSD-licensed. Future plans are to fully parse the svnlook output, as well as add a logging infrastructure to easily find configuration problems during normal operations of your Subversion server.

This site contains links to a variety of resources on IPsec and its support in Windows Server 2003.

From the "Don't be too smart department": I am a long time user of ISA Server (since the NT4 days when it was Proxy Server). My domain setup always included a DHCP server, which was configured to not dish out option #3, the router (which obviously would be the ISA machine). This way, I could be sure that no client by default could establish an Internet connection. Define the proxy in your browser, you can surf. Install the firewall client, you can do whatever you please.

The "whatever you please" part is correct in respect to TCP and UDP plus the ports that are open on the ISA box. It is not true when it comes to other protocols, such as GRE. What is it used for, you ask? The Generic Route Encapsulation protocol (#47 for the record) is needed for PPTP (Point-to-Point Tunneling Protocol) to connect to a virtual private network (VPN). And GRE doesn't work with the Firewall Client, your machine positively must be a SecureNAT client (routing packets directly to the router).

Therefore, either change the machines IP configuration to override the gateway setting, or change the DHCP zone. I did the latter.

The IIS Diagnostics Toolkit is a combined release of popular tools used by today's IIS users. These tools include tools aimed at resolving problems related to Secure Socket Layer (SSL) issues, permission or security problems, gathering data for your SMTP server included with IIS, as well as the famous Log Parser utility used to sift through hundreds or thousands of log files very quickly.

The toolkit consolidates all the tools into a convienant download and is supplemented by updates every 90-days to ensure that users have the most current diagnostics tools at their fingertips. Download for x86

Sometimes, I still do administrative work - although a lot less frequently than a couple of years ago. However, still involved enough, and still playing around with group policies whenever time allows. One topic that keeps popping up is How do I prevent people from writing data to the USB port?, answered on GPanswers.com. Can come in handy when you want to prevent people from downloading data off of the local machine onto their USB sticks.

NNNNNOOOOooooo......! reminded me of one thing I still needed to do to speed up XP on my new notebook: regsvr32 /u zipfldr.dll.

The 80/20 Rule for Web Application Security is an article by Jeremiah Grossman, focused on increasing the security without touching the source code. The article identifies the "vital few" security solutions essential to protecting a website:

• Default server error messages
• Remove or protect hidden files and directories
• Web server security add-ons
• Add httpOnly flag to sensitive cookies

A non-programming security topic centered around securing your wireless LAN. This white paper contains instructions to obtain and install a certificate for PEAP-MS-CHAP v2 wireless authentication on the IAS (RADIUS) server and how to set up the clients to trust this certificate.

After figuring out the previous problem (DLL dependencies), I decided to install the .NET Framework SDK into the VPC image (a Windows Server 2003). No such luck: "Extracting file failed.  It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file." No, not again a memory issue...

Wait a second! That image has 400 megs of memory assigned plus a 1.2 gig growth limit for the swap file. That can't be. As usual, I used Google to search for solutions. One (older) suggestion was to update Windows Installer - I gave it a shot anyways, and installed Windows Installer 3.0. No change, but that was expected. At least I am now up2date in that respect.

To spare myself further waste of time, I decided to take the easy route and ran

setup /c

on my XP box, copied the extracted setup files to the VPC image - and presto! The SDK is installing like a charm.

Better late than never (having sent this to myself last weekend via Webmail and not touched till today): Scriptomatic 2.0 is here. The description from the download is indeed very teasing:

A completely new version of the famous Scriptomatic, the utility that writes WMI scripts for you. (And, in the process, teaches you the fundamental concepts behind writing WMI scripts for yourself.) Unlike its predecessor, Scriptomatic 2.0 isn’t limited to writing just VBScript scripts; instead, Scriptomatic 2.0 can write scripts in Perl, Python, or JScript as well. In addition, Scriptomatic 2.0 gives you a host of new output formats to use when running scripts, including saving data as plain-text, as a stand-alone Web page, or even as XML. Scriptomatic 2.0 handles arrays, it converts dates to a more readable format, and it works with all the WMI classes on your computer; on top of all that, it also writes scripts that can be run against multiple machines.

This download details changes (new as well as updated features) to the HTTP API in SP1 of Windows Server 2003. It describes:

• Improved Performance and Scalability
• Enhanced HTTP Error Logging
• HTTP API Kernel-Mode SSL Support
• HTTP API Parser Enhancements
• HTTP API Parser Exceptions
• WOW64 Support

Basically, this job is as easy as:

1. Dump the repository on the old server
2. Load the dump into a new repository on the new server

Dumping is explained here, and I won't go into detail because I wasn't the one doing it, Roman did it (I ain't touching a BSD box, more harm than good would result).

However, step two is in my ballpark, because the repository is moving to a Windows box. Two commands and you are up and running again (it can take quite some time, especially if your dump is like mine - a little over 528 MB!)

svnadmin create c:\repositories\fidalgo
svnadmin load c:\repositories\fidalgo < "e:\fidalgo.dump"

All that is left to do now is to restore the configuration and hooks (details in my last blog post on Subversion)

In closing, credit where credit is due: I gathered some inspiration from the following blog entry: A Rank Amateur Upgrades His Subversion Repository

Remember me complaining about InCD and how it gobbles up memory so you cannot use more than 1GB of physical memory with VirtualPC? Well, sometime in December I threw v4.3.0.5 off my machine to finally be able to use the full 2GB. Today I decided to risk a reboot or two to give v4.3.11.1 a shot - and Jehova! the new version works as expected. No more out of memory issues! Using InCD? Get the latest version here.

A friend of mine asked me today "Do you know a software / service to (centrally) maintain bookmarks across browsers and machines?". No, I didn't, but I went straight to Sourceforge and did a search which turned up SiteBar (the marchitecture name is ":: SiteBar :: The Bookmark Server for Personal and Team Use", but you already know that from the title). Of course I took them up on the "test on public servers" offer, and here are screenshots for both Firefox and Internet Explorer:

SiteBar for Firefox is an extension, the IE screenshot only shows the "quick & dirty" solution, not the fully integrated one (hey, I don't use IE that much any more, so why bother?). So far, SiteBar looks very promising. Oh, and btw unless you already guessed it from the marchitecture name: you can set up your own SiteBar server in your company!

Following is an installation recipe for Subversion (a free and very powerful source code control system) plus additional files for a post commit hook (so you know immediately when someone else checked something in; currently implemented as a batch file) and a backup script (so there are no excuses for not backing up your installation!). Assumptions for this recipe:

• We are creating a new repository named Corsavy
• c:\repositories is your repository root
• Backups will be located in d:\subversionbackups

Now for the recipe:

1) Install Subversion (WIN32 download). Modify the PATH environment variable so that it contains the path to your Subversion installation (usually c:\Program Files\Subversion\bin).

2) Create a repository

mkdir c:\repositories
svnadmin create c:\repositories\corsavy

Details can be found here.

3) Edit svnserve.conf (do not forget to uncomment [General]). Details see previous link, however, svnserve.conf does come with plenty of instructions itself.

4) Install Subversion as a service using the SVN Service Wrapper (Note: you have to place it in the bin directory where svnserve.exe is located)

SVNService -install -d -r c:\repositories

5) Optional: a commit hook, post-commit.bat

Put it into c:\repositories\corsavy\hooks, it will be picked up automatically

SET REPOS=%1
SET REV=%2

SET LOG_FILE=%TEMP%.\svnfileR-%REV%
SET LOG_FILE1=%TEMP%.\svnfileR1-%REV%
SET LOG_FILE2=%TEMP%.\svnfileR2-%REV%
SET AUT_FILE=%TEMP%.\svnfileA-%REV%

svnlook info -r %REV% %REPOS%>%LOG_FILE1%
svnlook changed -r %REV% %REPOS%>%LOG_FILE2%
copy %LOG_FILE1%+spacer.txt+%LOG_FILE2%+spacer.txt+%LOG_FILE%

svnlook author -r %REV% %REPOS%>%AUT_FILE%

REM SET THE AUTHOR FROM THE FILE.
FOR /F %%A IN (%AUT_FILE%) DO SET AUTHOR=%%A

blat "%LOG_FILE%" -to "toaddr" -f "fromaddr" -server localhost -s "[svn-corsavy] rev %REV%, %AUTHOR%"

DEL %LOG_FILE%
DEL %LOG_FILE1%
DEL %LOG_FILE2%
DEL %AUT_FILE%

Note that I did remove toaddr and fromaddr in this script (put in the ones you'd like to use instead), and you need a file named spacer.txt (mine simply contains four newlines). For mailing out the change log, blat is used (Note: the line with blat must not wrap). I placed blat into the bin folder of my Subversion installation, so it is automatically in the search path.

6) Optional: backup, a VBS script

Set objWsh = WScript.CreateObject("WScript.Shell")

strCmdLine = "cmd /c rmdir d:\subversionbackups\current /s /q"
nRetVal = objWsh.Run(strCmdLine, 1, True)

strCmdLine = "cmd /c mkdir d:\subversionbackups\current"
nRetVal = objWsh.Run(strCmdLine, 1, True)

strCmdLine = "svnadmin hotcopy c:\repositories\corsavy d:\subversionbackups\current --clean-logs"
WScript.Echo strCmdLine
nRetVal = objWsh.Run(strCmdLine, 1, True)

strFilename = """d:\subversionbackups\"
strFilename = strFilename &  Year(Date) & Month(Date) & Day(Date) & ".zip"""
strCmdLine = "zip -r " & strFilename & " ""d:\subversionbackups\current\*.*"""
WScript.Echo strCmdLine
nRetVal = objWsh.Run(strCmdLine, 1, True)

The Zip component in use is Info-ZIP, which is free. The VBS file is run from a scheduled task each night.

That concludes the recipe for installing Subversion - well, almost: the port used by svnserve is 3690 (TCP as well as UDP), so you might need to change the IPSec policy of your server to allow those incoming ports. Same thing client-side, but this time outgoing.

My "USB BOfH Stick" now has a few new additions - Portable Firefox and Portable Thunderbird (Portable Sunbird didn't make it). Those are USB stick-optimized versions of the respective desktop versions, especially well-received on my end is the optimization to extend the stick's live (Flash memory does indeed have a limited life when it comes to the number of r/w operations).

Not strictly a programming security topic, but useful nonetheless: Attack and penetration testing is a set of techniques and methodologies to test compliance to security policies, and to detect previously unknown vulnerabilities. The overall goal is to limit the points of exposure and to restrict the ability of unknown attackers to gain entry. However, developing an effective attack and penetration testing team presents unique management challenges. This discussion gives some best practice advice and lessons learned from the Microsoft IT experience building and operating an internal attack and penetration testing team. Download

I admit it: I'm too easily excited and tend to install about any kind of Beta that I get my hands on on my machines. That's how the WUS trial found its way on the domain controller, and aside from the disk space requirements that initially bit me, it is smooth sailing so far. Of course, I didn't put all machines "on the line":

Doing it via AD and a group policy also enables you to set the various options rather easily from one single central location:

What's that got to do with .NET development? Easy: I have tons of VPC images, and it is rather too easy (and dangerous) to forget to patch one of those. Now everything is taken care of automatically without wasting Internet bandwidth.

Benjamin Armstrong (aka Virtual PC Guy) posted a computer migration strategy using Virtual PC. Now that is kinda cool to be able to migrate the entire old computer into a virtual machine.

Michael Howard did it again in his latest Writing Secure Code column: how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet (article on MSDN Security Developer Center). Started using the DropMyRights application immediately on my email applications (yes, I'm one of those devs who does run with administrative privileges by default). Really painless. And can save a headache or two.

What would you think if you get this error message:  "The virtual machine could not be restored because there was not enough memory available on the host" (Commit Charge Total 628MB / 3433MB in Task Manager, roughly 1.5GB still freely available).

Of course, you blame Microsoft, because after all it is VirtualPC that gives you this error message. No, not this time. It is Ahead's Nero InCD (even in its most current version 4.3.0.5) which I need for my DVD RAM drive. Following the VPC FAQ entry and disabling (Task Manager / End Process) both InCD processes makes VirtualPC work like a charm. Now, what did Ahead do in InCD to make a system with > 1GB act up like that? I'd like to hear why.

MS has updated What You Should Know About a Reported Vulnerability in Microsoft ASP.NET with information on the Microsoft ASP.NET ValidatePath Module. This module essentially does what the recommended global.asax fix does - on a machine-wide level. The advantage? Only one install per machine, no developer who could forget to implement the fix, and it also works for applications for which you only have the compiled site. Running on this very Web server.

OWASP (The Open Source Web Application Security Project) has a couple of projects online focused on ASP.NET security issues. Current projects include ANBS (ASP.NET Baseline Security), SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments), ANSA (ASP.NET Security Analyzer) as well as the ASP.NET Security Guidelines for designing and deploying secure Web applications using ASP.NET (applicable to IIS 5 & 6).

OWASP .NET Projects Homepage

Yesterday evening we (a few ASP Insiders) were chatting at dinner about various topics, and one was administration war stories of IIS. That was no surprise with Scott Forsyth at the table, and about half the guys hosting at OrcsWeb.

He mentioned WMIC (Windows Management Instrumentation Command-line), which comes with both XP and 2003. It is a command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI. Too bad that I didn't stumble across it any earlier.

So I have googled for a few very useful links to get myself and everybody else up to speed and going:

• Using the Windows Management Instrumentation Command-line (WMIC) tool
• WMIC - Take Command-line Control over WMI
• Support WebCast: WMIC: A New Approach to Managing Windows Infrastructure from a Command Line