Community Blogs

Related Posts

  • Two new Microsoft Security Development Lifecycle (SDL) tools: MiniFuzz File Fuzzer and BinScope Binary Analyzer

    Microsoft has announced two new Security Development Lifecycle (SDL) tools here. MiniFuzz File Fuzzer: MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors. Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase...


  • Upgrading Forefront TMG to Beta 3 - Modify the backup/export xml to enable import

    For those of you who had installed a previous beta of Forefront TMG (yes, it's the new name for ISA Server) you might have had the pleasure of experiencing your TMG server going down after the 180+7 days grace period with the message "the evaluation period has expired" in the eventlog. It's really hard to figure out the Forefront TMG version history, but currently (September 09) the latest one I've found is the Beta 3. The upgrade path is based on backup (export) and restore (import) of your settings...


  • Open SQL Port for specific IP by ASP.NET Website

    We run a public SQL Server on Windows Server 2008 and had a lot of dictionary attacks in the past. To prevent that, do the following: 1) disable the sa user 2) enable Windows Firewall, set an inbound rule (here named sql) and lock the port 1433, then add the external IPs (scope tab) which need access from outside. Now you are safe. The new problem is what happens when you have a dynamic IP address on the client and need access by SQL Manager or Visual Studio Server Manager. It took a really long time to solve that problem. My goal was to establish a website where you click a button and your IP is in the firewall. 1) create a user account on the server which has exactly the fitting rights for netsh and firewall. Group User should be enough 2) create in IIS7 a...


  • Thank You Twitter Hackers

    The repeated Twitter hacking exposes the complex and serious security issues on the web. "The repeated Twitter hacking exposes the complex and serious security issue on the web. Unfortunately for Twitter (Google Apps, Facebook, and others), the problems have unfolded in a public arena, forcing them to respond quickly to calm users and resulting in a short term solution (that clearly has not been working!). What is unknown to many internet users is that the problem doesn't end with Twitter's band aid...


  • Is It Too Late To Change JSON?

    In my last post, I wrote about the hijacking of JSON arrays. Near the end of the post, I mentioned a comment whereby someone suggests that what really should happen is that browsers should be more strict about honoring content types and not execute code...


  • Troubleshooting HTTP 401.3 errors with Process Monitor

    Last week I posted the following blog which showed how to use Process Monitor to troubleshoot service startup issues. http://blogs.msdn.com/webtopics/archive/2009/06/16/troubleshooting-service-startup-issues-with-process-monitor.aspx To continue on that topic, I ran across another issue recently where Process Monitor was again very helpful in troubleshooting. Problem – When browsing ASP pages, we were getting the below error in the browser. Browsing any HTML page worked fine. HTTP Error 401.3 - Unauthorized...


  • Speaking at SOAWorld 2009

    This afternoon I will be presenting a session about Web Oriented Architectures (WOA) at SOAWorld. The session explores the concepts behind real world architectures based on the principles of REST and how they represent an interesting alternative to traditional SOA. The SOAWorld team always manages to put together a great speaker lineup including some of the top SOA practitioners in the world. Among many other things, I would recommend attending the "Business Value" panel that Anne Thomas Manes...


  • Troubleshooting service startup issues with Process Monitor

    Many things can cause a service, like IIS’s World Wide Web Publishing Service, to fail on startup. When troubleshooting such an issue, Process Monitor can be an invaluable tool. What Process Monitor does is monitor all File and Registry access on the system in real-time. The latest version of Process Monitor can be obtained here. Most of the time, we use this tool to troubleshoot Access Denied related issues. In those scenarios, Process Monitor shows exactly what user account tried to access what...


  • DevDays ‘09 The Netherlands day #1

    Today was the first day of DevDays ‘09 in the World Forum in The Hague city. There are around 80 sessions in these two days, from cloud computing, .NET, Ajax to Silverlight and a lot more subjects. The first session of today was the keynote session with David Chappell; the talk was about Microsoft's cloud computing platform Azure. He told us what this new technology means and what it can do, like how do we use it in practice. The technologies that came by are Windows Azure, .NET Services and SQL services. He also mentioned some alternatives like Amazon EC2, Google Appengine and Salesforce Platform. The second talk I went to was C# 4.0 and the Future of C# from Krishnan Subramanian; in a very packed hall he talked about dynamic...


  • Pablo does security

    My good friend and colleague Pablo Cibraro will be presenting an MSDN WebCast tomorrow about the capabilities, relationships and differences of emerging security standards such as OpenID, OAuth and LiveID. The WebCast is targeting Microsoft’s Latin America developer community and will be conducted in Spanish :( If you follow Pablo’s weblog, you might have read some of his recent posts about RESTful services security and its relationship with WCF. If you are interested in the options available for...

