<November 2006>


#  Wednesday, November 22, 2006

I admit it: I am a regular reader of the event log. In doing so, I came across an error message last week that I rarely get to see - invalid Viewstate:

Now, that wouldn't be a problem, usually at least. However, in this special case I went WTF? when I looked at the description more closely, especially at the PersistedState information:

PersistedState: a
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Mailer: EMUmail 4.5
Subject: jam n
bcc: <list of addresse removed by me />
comes from the loin in the middle of the back of the pig. t is a lean meaty 
cut of bacon, with relatively less fat compared to other cuts. iddle bacon
is much like back bacon

Come again - spam in Viewstate? What would be the point of this? After some research together with Alex I came across this article: Interesting Crack Attempt to Relay Spam (a more detailed article is available too: Form Post Hijacking). How I managed not to notice this attack vector any earlier I don't know, but I have to admit that the idea is pretty clever: a contact form whose fields are copied straight into mail headers, and a line break inside a field value lets the sender append headers of his own (such as the bcc: line above).

Counter-measures in general? Well, either don't allow user input in the headers at all, or vet the form fields for carriage returns / line feeds. Note that I did not verify whether any of the available mail components for .NET are actually susceptible to this kind of attack.
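The second counter-measure in code, as an added example that is not part of the original post: every form field that gets copied into a mail header is checked for CR/LF before a message is built, while the free-text body is left alone. Field names and the sample post are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;

// Added example (not the original post's code): a guard for form values that end
// up in outgoing mail headers. The field names below are hypothetical placeholders.
public static class MailHeaderGuard
{
    // A header value must stay on one line: a CR or LF would let the mail
    // component emit whatever follows as additional header lines, which is how
    // the bcc:/Subject:/Content-Type: lines got into the event-log entry above.
    public static bool IsSafeHeaderValue(string value)
    {
        if (value == null) return true;
        foreach (char c in value)
            if (c == '\r' || c == '\n' || c == '\0') return false;
        return true;
    }

    // Checks only the fields that are copied into headers; the free-text body may
    // legitimately contain line breaks and is not inspected here.
    public static List<string> RejectedHeaderFields(IDictionary<string, string> form,
                                                    params string[] headerFields)
    {
        var rejected = new List<string>();
        foreach (string field in headerFields)
        {
            string value;
            if (form.TryGetValue(field, out value) && !IsSafeHeaderValue(value))
                rejected.Add(field);
        }
        return rejected;
    }

    public static void Main()
    {
        // Constructed sample post (not real traffic): the subject carries a second
        // header line, the body merely has a normal line break.
        var post = new Dictionary<string, string>
        {
            { "from", "reader@example.com" },
            { "subject", "jam n\r\nbcc: someone@example.com" },
            { "body", "Hello,\r\nplease call me back." }
        };
        List<string> bad = RejectedHeaderFields(post, "from", "subject");
        if (bad.Count > 0)
            Console.WriteLine("Refusing to send; line break in header field(s): "
                              + string.Join(", ", bad.ToArray()));
        else
            Console.WriteLine("Form is clean, safe to build the message.");
    }
}
```

Rejecting the whole request is preferable to silently stripping the line breaks, since a stripped value still indicates someone probing the form and is worth logging.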

Categories: ASP.NET | Security
Wednesday, November 22, 2006 9:47:35 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


#  Tuesday, November 21, 2006

At next year's VSone in Munich (a German developer conference taking place in February), I will be doing three talks:

  • Visual Studio 2005 Team Edition for Database Professionals
  • User Account Control (UAC) in Your Applications
  • Advanced Code Access Security (CAS)

Two security topics, one team-development focused. See you in Munich!

Tuesday, November 21, 2006 4:21:21 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


#  Monday, November 20, 2006

I already talked about the virtualization features of Windows Vista in a previous blog post entitled UAC Redirection 4 Fun & Profit. Today, I want to tackle the file redirection that happens when UAC virtualizes your application and you try to write to a location it monitors - like the Program Files directory:

This command prompt was started with Run as Administrator (the window title hints at that). I was UAC-prompted, and then could go about my business. Not so when running it unelevated:

It tells me that I don't have access. Right, not a big surprise, but why didn't virtualization kick in for cmd.exe? Because it is off by default for the command line. How can I turn it on? Well, easy. Go to Windows Task Manager

Add the Virtualization column

After a bit of drag & drop magic I made it the second column and can see which applications are virtualized and which aren't. And sure enough, cmd.exe isn't. Right-clicking allows you to change that:

You will be warned that this will possibly affect the running application, but go ahead. And then try again to write to the Program Files location:

This time I can write to Program Files - wait a second, really? No, it of course went to the virtual store for this user account:

As you can see, it lives next to files from a heck of a lot of applications that wanted to write somewhere (like system32) they didn't have access to - but virtualization (on by default for applications except those opting out explicitly) took care of the disk operations and redirected them to the virtual store. Note that a well-written application (i.e. one that doesn't require administrative rights) wouldn't show up here...
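To make the redirection concrete, an added example that is not the post's own code: given a target path, it computes where a virtualized write under Program Files or the Windows directory lands in the user's VirtualStore, and contrasts it with the per-user path a well-written application would use directly. The directory values are constructed placeholders for the real environment variables.

```csharp
using System;
using System.IO;

// Added example, not from the original post. Assumes the layout the post describes:
// a virtualized process writing under Program Files or the Windows directory is
// redirected to %LOCALAPPDATA%\VirtualStore\<path relative to the drive root>.
public static class VirtualStoreLocator
{
    // Returns the VirtualStore path for 'target', or null when the target is not
    // in a location that file virtualization monitors.
    public static string RedirectedPath(string target, string programFiles,
                                        string windowsDir, string localAppData)
    {
        string full = Path.GetFullPath(target);
        if (!IsUnder(full, programFiles) && !IsUnder(full, windowsDir))
            return null;
        string root = Path.GetPathRoot(full);            // "C:\"
        string relative = full.Substring(root.Length);   // "Program Files\MyApp\settings.ini"
        return Path.Combine(Path.Combine(localAppData, "VirtualStore"), relative);
    }

    // Case-insensitive prefix test on a normalized directory path.
    private static bool IsUnder(string path, string dir)
    {
        string prefix = Path.GetFullPath(dir).TrimEnd('\\') + "\\";
        return path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed placeholders standing in for %ProgramFiles%, %SystemRoot%
        // and %LOCALAPPDATA%; read them from Environment on a real system.
        string programFiles = @"C:\Program Files";
        string windowsDir = @"C:\Windows";
        string localAppData = @"C:\Users\chris\AppData\Local";

        string redirected = RedirectedPath(@"C:\Program Files\MyApp\settings.ini",
                                           programFiles, windowsDir, localAppData);
        Console.WriteLine("Write ends up in: " + (redirected ?? "the target itself"));

        // The per-user location a UAC-aware application should write to directly,
        // so it never shows up in the VirtualStore at all.
        string perUser = Path.Combine(Path.Combine(localAppData, "MyApp"), "settings.ini");
        Console.WriteLine("Well-behaved app writes to: " + perUser);
    }
}
```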

Categories: Security | Vista
Monday, November 20, 2006 8:03:43 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


#  Friday, November 17, 2006

Versions 4.1 of MSF for Agile Software Development Process and MSF for CMMI Process Improvement contain updated guidance for Data Dude (VSTE for Database Professionals). In addition to this, be sure to check out David Anderson's interview on Channel9: Thoughts on Visual Studio Team System and "Dark Matter" Iteration Forecasting. In this interview, he talks about the MSF background and why he is interested in scaling agile to the enterprise level - and he has a new blog post up on this very topic. So if you are interested in why the software 'guys' should be playing on the team, be sure to check out the interview; there is really great background information in there (oh, and don't miss out on the lean project management slide deck).

Friday, November 17, 2006 9:03:58 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


Another week, another ATE (Ask the Experts) assignment. Aside from the keynote, I got around to watching these sessions:

  • ARC202: Design for Operations using VSTS and MOM 2005
  • DAT309: SQL Server Analysis Services 2005: Integration with 2007 Office System
  • WCL403: Windows Vista System Integrity Technologies
  • CSI401: Microsoft.com Operations: Solutions for Highly Available and Secure Web Sites
  • MGT310: Microsoft System Center Essentials (SCE): Technical Overview and Drilldown
  • ARC301: Microsoft, Open Source and Interoperability
  • INF303: How to Virtualize Infrastructure Workloads
  • IAM403: Monitoring Active Directory (AD) Security with MOM 2005
  • MGT320: Using Application Virtualization to Decrease Your Application Management TCO
  • DAT401: SQL Server Always On Technologies: Disaster Recovery Strategies for Isolated Damage and Human Error
  • SEC402: Securing your Certification Authorities (CAs) Private Keys
  • WCL402: Windows Vista Kernel Changes
  • CSI303: Building a Custom Log Analysis Solution with Log Parser 2.2 for Internet Information Services (IIS) 6
  • DAT402: SQL Server 2005: Advanced Indexing Strategies
  • MGT311: Performance Modelling: A Powerful Tool for Planning Deployments

The dud-of-the-week award goes to IAM403, which didn't live up to its level. Enjoyable as ever was Steve Riley in his security sessions. I didn't get around to watching "Windows Vista User Account Internals" by Mark Russinovich because of ATE duty, but will do so once the conference DVDs turn up in the mail!

Friday, November 17, 2006 3:42:12 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


#  Thursday, November 16, 2006

In today's pre-lunch session at IT Forum the speaker used a term I had never heard before: stiffware. And I have to agree - stiffware does pose a serious problem when you cannot 'call' (other means of 'communication' might be unreliable to say the least <g />) the guy who wrote that piece of software so you can properly configure or even install it.

Speaking of the session itself, Microsoft SoftGrid is a really cool technology. The Desktop Optimization Pack - which contains more than just the SoftGrid client - is equally interesting.

Categories: Administration | this | Vista
Thursday, November 16, 2006 12:07:18 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


#  Tuesday, November 14, 2006

Read the release announcement in the PS blog. The English download is here. Now that is a CLI!

Categories: Cool Download | Newsbites
Tuesday, November 14, 2006 5:34:57 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


#  Monday, November 13, 2006

The final SQL Server-related post for today: Working with tempdb in SQL Server 2005.

Categories: SQL Server
Monday, November 13, 2006 6:37:37 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


Another notable tidbit from the "Achieving High Availability with SQL Server 2005" preconference session: the whitepaper Partitioned Tables and Indexes in SQL Server 2005.

Monday, November 13, 2006 4:44:36 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


Currently listening to the half-day preconference session "Achieving High Availability with SQL Server 2005" by Kimberly Tripp. Interesting tidbit for decreasing downtime for operational tasks (like create database or restore): Instant File Initialization. The figures really point to huge time savings! Quite a selling point for the Enterprise Edition of SQL Server.

Monday, November 13, 2006 4:22:15 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]


© Copyright 2023 Christoph Wille
