
#  Wednesday, 31 May 2006

But Adobe thinks I am too stupid to choose my baseline OS on my own, and presents me with a rather limited choice:

Also note that IE 7+ doesn't render the page correctly (menu). Time to fix your Web page, Adobe.

Categories: Vista
Wednesday, 31 May 2006 15:56:20 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


When you run an application that needs administrative rights (in this specific case via a manifest file), you are prompted with a UAC dialog to allow this operation:

This is the dialog you get for the "default" user, the one you create during setup that is a member of the Administrators group. Contrast that to the dialog a standard user is presented with:


Now, I am fine with prompting the user to enter administrative credentials. However, I am not fine with providing the user with the name of the administrative user(s) on that machine. In my opinion, this is giving away security-related information without need.

Update: Of course you can always use "net localgroup Administrators" to get a list of the members of the Administrators group (Markus pinged me on that one). This feature has been available for ages, true. However, I am not convinced that the UAC convenience of providing the administrative accounts on a silver platter is really necessary.

Categories: Security | this | Vista
Wednesday, 31 May 2006 14:46:05 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


#  Wednesday, 24 May 2006

This is ridiculous considering that we are fast approaching mid-2006:

Categories: x64
Wednesday, 24 May 2006 11:04:45 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


Michael Howard plugged his latest book The Security Development Lifecycle in his blog back in April (A New Book: The Security Development Lifecycle). It isn't yet available in stores, but I decided to preorder because I'm really looking forward to this book. Why? Because it describes a security process in development that works - the SDL @ Microsoft.

Categories: Books | Security
Wednesday, 24 May 2006 08:40:22 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


#  Tuesday, 23 May 2006

Be sure to check out IIS.net, the Web site dedicated to IIS7. There you will find forums, whitepapers, webcasts, HOL virtual labs, walkthroughs, FAQs and more.

Categories: IIS | Longhorn | Newsbites
Tuesday, 23 May 2006 20:41:59 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


Mildly surprising content on my blog: Office 2007 Beta 2 (public) is here! From the moment I saw the new UI at PDC05 I was waiting to get my (dirty) paws on this piece of software. Let's see what working with it is like, because the setup experience was already a positive one. 

Categories: Cool Download | this
Tuesday, 23 May 2006 19:04:43 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


A /. article pointed me to the blog post Reporting Vulnerabilities is for the Brave. Sounds familiar. Been there, done that. A customer had a Web site, and I told them about a problem. They told their vendor. And the vendor went after me - probably because, like most security-unconscious companies, they felt threatened in one way or another.

Therefore I wholeheartedly agree with the instructions outlined, plus: lean back, and enjoy when the bad guys whack that company. Yes, this is controversial, but as long as companies don't "get it" that there are people that want to help them when reporting vulnerabilities, it is definitely better to keep your trap shut.

Aside from the cynical advice in the above paragraph, here is something to consider for your company: establish a policy - and publish it! - that you welcome security reports by security researchers (and Joe Average for that matter). This goes a long way to getting the threats mitigated before they are exploited.

Categories: Newsbites | Security | this
Tuesday, 23 May 2006 10:12:41 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


Yesterday after my talk at MS' Big>Days 2006 in Vienna I was asked how to recycle an IIS app pool from within an application / script / code. I knew I had seen it somewhere before, so I promised to post the information in my blog as soon as I had dug it up.

There are actually a few others that have posted that information before, for example on the aspitalia.com blogs - Riciclare un application pool di IIS 6 da codice C#. It does exactly what the post title implies: recycling an application pool with C#. This approach uses ADSI (aka System.DirectoryServices) to do the bidding, and I have the non-ASP.NET bound version here:

    using System.DirectoryServices;

    public void RecycleAppPool(string machine, string appPoolName)
    {
        // ADSI path of the application pool in the IIS 6 metabase
        string path = "IIS://" + machine + "/W3SVC/AppPools/" + appPoolName;

        DirectoryEntry w3svc = new DirectoryEntry(path);
        w3svc.Invoke("Recycle", null);
    }

So, now the question arises - how do I know the names of the app pools? One way is to enumerate all the existing application pools on a box - the blog post Control the Application Pool shows how to pull it off using WMI.

Finally, I went to the authoritative source, Chris Adams' blog. He has a post up titled Recycling Application Pools using WMI in IIS 6.0, so this is along the lines of the previous one. He has samples in VBScript as well as C# online. He also shows a quick way (end of the post) to find out which app pool is servicing which IIS Web application.

I think this should cover the topic nicely ;-) Also looking forward to how easy recycling app pools will be in IIS7.
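An added example, not code from this post or from the linked blogs: it enumerates the application pools over ADSI (instead of WMI) and recycles a pool only when the requested name matches an enumerated one, so a caller-supplied string never ends up in the IIS:// path. The class and method names and the sample values in Main are made up for illustration, and the machine name is assumed to come from trusted configuration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

public static class AppPoolRecycler
{
    // Lists the application pools defined in the IIS 6 metabase of the given machine.
    public static List<string> GetAppPoolNames(string machine)
    {
        List<string> names = new List<string>();
        using (DirectoryEntry pools = new DirectoryEntry("IIS://" + machine + "/W3SVC/AppPools"))
        {
            foreach (DirectoryEntry child in pools.Children)
            {
                if (child.SchemaClassName == "IIsApplicationPool")
                    names.Add(child.Name);
            }
        }
        return names;
    }

    // Recycles a pool only if its name matches an enumerated pool, so the
    // caller's string is compared, never concatenated into the ADSI path.
    public static bool TryRecycle(string machine, string requestedName)
    {
        foreach (string name in GetAppPoolNames(machine))
        {
            if (string.Equals(name, requestedName, StringComparison.OrdinalIgnoreCase))
            {
                // Build the path from the name read out of the metabase.
                using (DirectoryEntry pool = new DirectoryEntry("IIS://" + machine + "/W3SVC/AppPools/" + name))
                {
                    pool.Invoke("Recycle", null);
                }
                return true;
            }
        }
        return false; // unknown pool name: nothing is invoked
    }

    public static void Main()
    {
        // "localhost" and "DefaultAppPool" are sample values for this example.
        foreach (string name in GetAppPoolNames("localhost"))
            Console.WriteLine(name);
        Console.WriteLine(TryRecycle("localhost", "DefaultAppPool") ? "Recycled." : "No such application pool.");
    }
}
```

The calling account needs administrative rights on the target machine, which is one more reason to keep the pool name away from untrusted input.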

Categories: IIS
Tuesday, 23 May 2006 08:20:30 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]


#  Sunday, 21 May 2006

The TAM tool is now available as release candidate 1. If you don't know it (already), here is the quick scoop from the download page: Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

  • Data access control matrix
  • Component access control matrix
  • Subject-object matrix
  • Data Flow
  • Call Flow
  • Trust Flow
  • Attack Surface
  • Focused reports

By the way, use this link to search for the video series on threat modeling in the Download Center!

Categories: Cool Download | Security
Sunday, 21 May 2006 12:30:05 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


#  Saturday, 20 May 2006

Today I set up my new laptop with Windows Vista - a "dry run" for Beta 2, because I want to use it as the primary OS on that machine. Part of the drill was getting my UMTS card (a Merlin U630) up and running.

First, I tried it using the standard software that came with the card. Installation went smoothly, however the Connection Manager software is based on an HTA solution, and IE7 most definitely didn't want to cooperate and kept throwing JavaScript errors (Note: I view this as a bug of the Connection Manager software, this is most decidedly not IE's fault). Dialing using this software therefore was out of the question.

So I went out on the Internet to search for a solution. At first, I tried dialing manually using AT commands, but it turned out that initializing a Merlin card isn't exactly easy-peasy. So I decided that a thorough forum search was in order. Thankfully, that search turned up a great piece of software (onlinekosten.de Community to the rescue).

What I found is MWConn (looks like this time the international audience is out of luck, at least at the time of this writing, as the software is German only). It does support the Novatel card, allows for dialing (make sure you check the default connection that is generated, at least my provider is using a different dial-in number), gives feedback on UL / DL traffic you generate, plus signal quality information. Way cool & saved my day!

Categories: Cool Download | Longhorn | this
Saturday, 20 May 2006 16:17:07 (W. Europe Daylight Time, UTC+02:00)  #    Comments [2]


© Copyright 2017 Christoph Wille
