February 2007 - Posts
Consider the following ASPX page:
Here is why it cannot be accessed:
When trying to navigate there you get:
Great, love URL authorization!!
Now let's examine another ASPX page:
When navigating to this page you surprisingly get this:
The reason is that with Server.Transfer the request to the second page does not go through the whole ASP.NET pipeline, which includes the URL Authorization module.
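As an added example (not code from the original post), here is a code-behind that re-applies the web.config URL authorization rules before calling Server.Transfer, so the transfer cannot reach a page that a direct request would have been denied; the page names, the Admin role and the event handlers are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Assumed layout: PublicPage.aspx is open to everyone, Admin.aspx is locked down in
// web.config with
//   <location path="Admin.aspx"><system.web><authorization>
//     <allow roles="Admin"/><deny users="*"/>
//   </authorization></system.web></location>
// A direct request for Admin.aspx is stopped by UrlAuthorizationModule. A Server.Transfer
// from PublicPage.aspx is not: the module only ran for the original URL, PublicPage.aspx.
public partial class PublicPage : Page
{
    private const string AdminPage = "~/Admin.aspx";

    // Unsafe: hands the locked-down page to anyone who can reach PublicPage.aspx.
    protected void UnsafeTransfer_Click(object sender, EventArgs e)
    {
        Server.Transfer(AdminPage);
    }

    // Safe: evaluate the same web.config rules the module would apply to a direct
    // request for the target, then transfer only if they allow it.
    protected void CheckedTransfer_Click(object sender, EventArgs e)
    {
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            AdminPage, Context.User, Request.HttpMethod);

        if (!allowed)
        {
            // Mirror what the module does on a direct request: a 401, which Forms
            // authentication turns into a redirect to the login page.
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        Server.Transfer(AdminPage);
    }
}
```

Response.Redirect(AdminPage) is the other option: it issues a new request that runs the full pipeline, including URL authorization, at the cost of an extra round trip.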
The security part is here: http://msdn2.microsoft.com/en-us/library/ms998375.aspx
The performance part is here: http://msdn2.microsoft.com/en-us/library/ms998549.aspx
Performance and security have never been good friends - fortunately we have J.D., who is bridging the two and letting us enjoy both.
Enjoy
I was blogging on the importance of input validation some time ago: App Architecture with Security in mind - Video, Part I
Web services are no different from ASPX: they accept parameters and process them. So the strategy for input validation should be the same as with ASPX - each and every input parameter MUST be checked for goodness (no blacklisting allowed!). The only difference from ASPX is that there are no validation controls for ASMX, so the simplest way would be as follows:
from http://msdn2.microsoft.com/en-us/library/ms998375.aspx#pagquestionlist0001_input1
using System;
using System.Text.RegularExpressions;
using System.Web.Services;

[WebMethod]
public decimal RetrieveAccountBalance(string accountId)
{
    // Whitelist check: reject anything that does not match the allowed pattern
    if (accountId == null || !Regex.IsMatch(accountId, @"^[a-zA-Z'.\s]{1,40}$"))
    {
        // AccountID does not match expression - do not process request
        throw new ArgumentException("Invalid account ID", "accountId");
    }
    // Input is known-good; look up the balance (LookupBalance is a hypothetical helper)
    return LookupBalance(accountId);
}
Common regex patterns are here: http://msdn2.microsoft.com/en-us/library/ms998267.aspx
It is more complicated when dealing with complex types as input parameters - I will save that for the next post.
Enjoy
A very short and nice read - Gates: Now's the time to stop using passwords--really
"One problem people face is knowing whether they’re at a legitimate web site or a malicious site."
More here http://antiphishing.org/
"People also face numerous problems in identifying themselves to the sites they use."
Check out some problems related to passwords here http://www.guidanceshare.com/wiki/Authentication_Vulnerabilities
"CardSpace is part of the solution to all of these problems."
More here One-Page Introduction to Windows CardSpace
CardSpace Home is here http://cardspace.netfx3.com/
Enjoy
I realized that for some reason I have lately been concentrating on tools:
Scriptomania - Scripting Tools and Utilities
More Powerful Security Tool
Most Powerful Security Tool
This blog entry is about another security tool - ShareEnum (free download).
I am about to conduct a Security Deployment Inspection for a project, and this tool might be very handy.
Another handy utility is TCPView (free download), used to identify TCP and UDP activity.

You must agree that this one is nicer than black and white netstat :)
All the rest of the Sysinternals goodies are here:

Enjoy.
Have you noticed the little slogan at the bottom of the p&p logo?
"proven practices for predictable results"
When I landed in Seattle for Another Breathtaking Microsoft Convention I called my precious wife to tell her I was OK. What I heard in response was crying, and she was telling me that she had been involved in a serious car wreck. I can recall now that the first thing I asked was "Were you wearing a safety belt?" and when I heard "yes" I could estimate what could have happened to her. I could not be sure about her explanations since she could be in shock, but since she had applied a proven practice I could imagine what the damage could be. I am home now and my precious is just fine, thank God.
The next day when I called her she told me that the IRS was about to freeze our bank account and we were about to pay a $4000 fine. I knew it was going to happen since I had constantly been receiving letters from them, but I lived in ignorance. This time I got busted. Here is some more about Approaches That Don't Work
Both cases are about being [or not] proactive
Here is a small case study that my US teammates published on the Web.
I am sure that proactive is the key word here:
Start proactively applying Security Engineering
I was blogging lately about security tools (see Most Powerful Security Tool). For some reason there is a perception that security tools are about scanning, intercepting, cracking, and tampering - in other words, something reactive.
To me a security tool is something that supports Security Engineering as a whole and can be anything from document templates to simple checklists. But my favorite is of course Guidance Explorer (see patterns&practices Guidance Explorer), which constantly gets updates (see He Who Doesn't Ask - Just Doesn't Get). Today it contains about 1000 prescriptive items for security and performance.
I've used it for the following scenarios:
- Create high-level security principles documents (yeah! it generates Word documents - see picture below). They are suitable for adding to RFPs or for PDRs (preliminary design reviews).
- Create detailed prescriptive guidance for a specific project. When you assess a team for security, they hate you, but if you proactively guide them, they love you.
- Create custom views so you can generate your own sets of prescriptive items - say for AJAX.
- Well, it does not have AJAX items yet, but you can create your own items.
Enjoy

I recently presented the Security Engineering topic during an internal Microsoft convention to an international audience (see Back From Seattle - Another Breathtaking Microsoft Convention) and it went really well until I ran into trouble while trying to connect to the compromised server using Terminal Services.
The hack was about exploiting Dynamic SQL and an Over Privileged Account to run the nasty xp_cmdshell extended stored procedure (turned off by default in SQL Server 2005 - Run SQL Service with lowest possible privileges) to create an account on the target machine and add it to the local Administrators group.
The hack (Stored Procedure Is Not A Silver Bullet Against SQL Injection Attacks) seemed to succeed but Terminal Services refused to connect.... what a disappointment.
So I apologized and continued with the demo.
Fortunately the audience was very friendly and I think I was able to deliver some value even with the screwed-up demo (there were some 7 or so more demos).
When I investigated this I found out that I had done too much homework preparing for it and just forgot to close the previous Terminal Services sessions - exhausting all the available ones...
Conclusion - too much homework is BAD
Cheers
It's Between Your Ears
Why?
Because "Security is man-vs-man and humans are intelligent." - more about this here: What is it that makes security hard?
I am a strong believer in process integration when it comes to security - more about it here: http://msdn.com/securityengineering
And here are some tools to support the process:
Threat Analysis and Modeling - http://go.microsoft.com/fwlink?linkid=77002
FxCop - http://www.gotdotnet.com/team/fxcop
FindStr - Security Code Inspection - First Look For What To Look For
Fiddler - http://www.fiddlertool.com/fiddler
NETMON III - http://blogs.technet.com/netmon/default.aspx
Cheers
from http://www.iis.net/default.aspx?tabid=2&subtabid=24
IIS Webcast Series
Upcoming Webcasts | IIS7 | Security | Performance | Management | Diagnostics | Deployment | Microsoft.com Series
No comments needed here - JUST GO THERE AND ENJOY WHILE SIPPING A GLASS OF <<substitute here with your drink of choice>>
from http://msdn2.microsoft.com/en-us/library/ms188354.aspx
"In SQL Server 2005 you can define the execution context of the following user-defined modules: functions (except inline table-valued functions), procedures, queues, and triggers.
By specifying the context in which the module is executed, you can control which user account the SQL Server 2005 Database Engine uses to validate permissions on objects that are referenced by the module. This provides additional flexibility and control in managing permissions across the object chain that exists between user-defined modules and the objects referenced by those modules."
I think it is AWESOME!!!
With security we have a couple of principles, and if you mix the Compartmentalize and Use least privilege principles you also get what are known as the "need to know" or "separation of duty" principles.
Imagine the following scenario:
- A developer created code that uses stored procedures that are vulnerable to SQL injection attack (read more here - Stored Procedure Is Not A Silver Bullet Against SQL Injection Attacks)
- The IT guy deployed the application to run under the system account
- The result would be loss of the server as a whole
- But they were smart enough to run SQL Server 2005 and hire a smart DBA who added an EXECUTE AS <<low privileged account>> statement at the beginning of each stored procedure.
- This would potentially contain the problem within the app space (the server and DB objects) and NOT the whole server
What do you think?
From http://hosted.ap.org/dynamic/stories/T/TECH_TEST_NETWORKED_SPYCAM?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2007-02-08-16-15-46
“If you've ever wondered whether the neighbors are taking a dip in your pool while you're at work or how the baby sitter is really treating your kids, the LukWerks Spy Camera might be for you.”
Now let’s run a different scenario - you get a cool present from your closest friend and you put it on your desktop. By doing so you just let your “closest friend” and millions of others connected to the Internet spy on you…
I know, I know… I am a paranoid guy :)
Cheers
Could not hold it back!
I am on my way (right now in Newark airport) back from Seattle, where I was attending the largest technical internal Microsoft convention.
Actually I was not only attending but also presenting - the coolest experience, presenting to an international audience from all over the world. The feedback was great; here are some samples:
“I just thought I’d let you folks know that I really enjoyed your presentation. It’s also the one I find discussing the most with my colleagues.”
“Thank you very much for the extra information. Your talk was really great and I learned a lot more about SQL injection because of it.”
“The Security problem is really a serious issue in every system. But, Alik Levin and Graham Calladine [ed. – my colleague, co-presenter, and just great guy] use attracting and funny skill to let us know and discuss about the issues. It's really good.”
“The session was more oriented to security mistakes on www.somesite.com than secure coding best practices.” – got some homework to do here, thanks for the constructive feedback – you can bet on this one, I’ll take it into account for the next time.
“Best breakout so far...”
“This is the best evaluation I have submitted - it was an excellent presentation!!”
All I am allowed to say is that it was just breathtaking with regard to what is coming up. Security is no exception. Stay tuned for:
- IIS 7 here http://www.iis.net/Default.aspx?tabid=1
- CardSpace here http://cardspace.netfx3.com
Go see the really cool showcase for the .NET Framework 3.0 sample application DinnerNow here http://www.dinnernow.net/default.aspx?tabindex=0&tabid=1
Cheers