September 2004 - Posts

CodeSmith is one of the best apps to happen to development and it's been updated to version 2.6. The update mainly contains improvements to CodeSmith Studio (a VS-style IDE for developing templates); for those of you (us?) who rely mainly on the free CodeSmith Explorer it contains a number of minor fixes that make it a worthwhile install.

One nice touch is that the folder hierarchy now automatically sorts templates by language. For example, when I connect to the network location where my team shares templates I now see C# and T-SQL folders, making it a touch easier to navigate. A detailed list of changes is available on Eric's site, here's the short list:

  • Syntax highlighting of both template and target languages in CodeSmith Studio.
  • Much improved Visual Studio .NET custom tool.
  • Outlining support in CodeSmith Studio.
  • Line modification markers in CodeSmith Studio.
  • CodeSmith Studio is now a single instance application.
  • Improved compiler and template execution performance.
  • Better Unicode support.
  • Tons of other minor improvements and bug fixes.
    Posted by erobillard | with no comments

    In case you missed it, the title isn't "Validating Strong Passwords" because by now the inherent weaknesses of traditional passwords are well-known. Even with pass phrases, enforcing "strong" by policy is a good idea to boost entropy.

    Most of the available regular expressions check for at least one uppercase, lowercase and numeric character. What they all seem to miss is a declaration of acceptable characters in the first place. I've created a pair of suitable expressions to check against. One ensures that certain characters exist, the other ensures that only those characters exist. If my RegEx skills were better perhaps I could combine the two into a single expression.

    The goal is to ensure a user's password is strong according to Microsoft's definition of a strong password, particularly:

    • at least seven characters long
    • contains at least one character from each of the four groups: uppercase, lowercase, numerals, and symbols found on the keyboard.

    Since this will validate pass phrases rather than passwords, the minimum length will be 14, not 7 (a number suggested by MS PSS lead Robert Hensing). On the upper bound, Windows (from NT forward) allows passwords of up to 128 characters, so this method will accept that too. Note that the old limit was 14 characters (the LAN Manager hash boundary) and it may still be in effect on networks configured to accept connections from older clients.

    Other "strong" criteria exist (e.g. does not contain the user or company name, and does not contain a dictionary word) but we will stick to what we can cover with regular expressions. In the end, the OS or Active Directory will be the final arbiter; we just want to eliminate the bulk of invalid requests to update the password.

    I've removed a few special characters from the list to demonstrate that you can and should customize this to suit your own needs, policy, or comfort level (in this case the \, <, >, and " characters).

    Wherever you use this you will need to drop in the following reference:
    using System.Text.RegularExpressions;

    /// <summary>
    /// Check whether the provided string is a strong password.
    /// The string must contain at least one uppercase, one lowercase,
    /// one numeral, and one special character.
    /// The method allows uppercase, lowercase, digits,
    /// and keyboard characters except for \ < > "
    /// </summary>
    /// <param name="password">The password to validate.</param>
    /// <returns>True if the password is a strong password, false otherwise.</returns>
    public static bool IsStrongPassword(String password)
    {
       if (password == null)
          return false;   // Regex.Match throws on null; a missing password is simply not strong

       // Special Characters (update here then cut & paste to 2 locations below)
       // \-\+\?\*\$\[\]\^\.\(\)\|`~!@#%&_ ={}:;  ',/

       // Defines minimum appearance of characters
       String ex1 = @"
          ^        # anchor at the start
          (?=.*\d)    # must contain at least one digit
          (?=.*[a-z])    # must contain at least one lowercase
          (?=.*[A-Z])    # must contain at least one uppercase
          (?=.*[\-\+\?\*\$\[\]\^\.\(\)\|`~!@#%&_ ={}:;  ',/])  # must contain at least one special character
          .{14,128}    # min/max length
          \z        # anchor at the very end ($ would also match before a trailing newline)";

       // Allow only defined characters
       // (\w matches Unicode letters and digits in .NET, not just A-Z and 0-9)
       String ex2 = @"
          ^        # anchor at the start
          [\w\-\+\?\*\$\[\]\^\.\(\)\|`~!@#%&_ ={}:;  ',/] # alphanumerics and special characters only
          {14,128}      # min/max length
          \z        # anchor at the very end";

       // IgnorePatternWhitespace lets the patterns carry comments; whitespace inside
       // a character class is still literal, so the space remains an allowed character.
       return (IsMatch(password, ex1, RegexOptions.IgnorePatternWhitespace) &&
          IsMatch(password, ex2, RegexOptions.IgnorePatternWhitespace));
    }


    /// <summary>
    /// Match a regular expression against a provided string.
    /// </summary>
    /// <param name="input">The input string to validate.</param>
    /// <param name="pattern">The regular expression pattern used to
    /// validate the input.</param>
    /// <param name="options">A bitwise OR combination of the
    /// RegexOptions enumeration values</param>
    /// <returns>True if the parameters produce a match, false
    /// otherwise.</returns>
    public static bool IsMatch(String input, String pattern, RegexOptions options)
    {
       Regex regex = new Regex(pattern, options);
       return regex.IsMatch(input);
    }


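    Here is the single combined expression the post wishes for, as an added example that is not part of the original code: the four lookaheads from ex1 and the character class from ex2 run as one pattern, with \z in place of $ so that a trailing newline cannot slip past the end anchor, and a user-name check layered on top because the text notes that criterion falls outside what a regex can cover. The class and method names (PassPhrasePolicy, IsStrongPassPhrase) and the sample phrases are this example's own, not the post's.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not code from the original post.
public static class PassPhrasePolicy
{
   // Same special-character set as the post (\ < > " deliberately excluded).
   const string Special = @"\-\+\?\*\$\[\]\^\.\(\)\|`~!@#%&_ ={}:;',/";

   // Lookaheads enforce "at least one of each"; the final class enforces
   // "only these characters" and the length in a single pass. \z rather than
   // $ so a trailing newline cannot slip past the anchor. \w is Unicode-aware
   // in .NET, so accented letters are accepted as alphanumerics.
   static readonly Regex Strong = new Regex(
      @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[" + Special + @"])" +
      @"[\w" + Special + @"]{14,128}\z",
      RegexOptions.None);

   public static bool IsStrongPassPhrase(string candidate)
   {
      return candidate != null && Strong.IsMatch(candidate);
   }

   // Beyond the regex: reject a phrase that contains the account name
   // (case-insensitively, names shorter than three characters ignored),
   // the first of the "other criteria" the text leaves to the directory.
   public static bool IsStrongPassPhrase(string candidate, string userName)
   {
      if (!IsStrongPassPhrase(candidate)) return false;
      if (string.IsNullOrEmpty(userName) || userName.Length < 3) return true;
      return candidate.IndexOf(userName, StringComparison.OrdinalIgnoreCase) < 0;
   }

   static void Main()
   {
      string[] samples = {                              // constructed sample input
         "P@ssw0rd",                                    // all four classes, but only 8 characters
         "correct horse battery staple",                // long enough, but no uppercase/digit/symbol
         "Correct horse 9 <staple>",                    // < and > are outside the allowed set
         "Correct horse 9 staple!\n",                   // trailing newline, which $ would tolerate
         "Correct horse 9 staple!",                     // meets every rule the pattern checks
      };
      foreach (string s in samples)
         Console.WriteLine("{0,-32} {1}", s.Replace("\n", "\\n"), IsStrongPassPhrase(s));

      // Same phrase, checked against an account name it contains.
      Console.WriteLine(IsStrongPassPhrase("Correct horse 9 staple!", "horse"));
   }
}
```

    Because the pattern is built once into a static Regex, the cost of compiling it is paid once per process rather than on every call; the two-expression version above constructs a new Regex for each check.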

    Posted by erobillard | 4 comment(s)

    This is a static method to display all cookies associated with the current domain. Wherever you use it, be sure to include System.Text and System.Web. This is essentially a C# translation of code found in Mike Pope's MSDN article "Basics of Cookies in ASP.NET," updated to use a StringBuilder and provide the output as an HTML table.

    /// <summary>
    /// Display all cookies associated with the current domain.
    /// </summary>
    /// <returns>Returns a string containing an HTML table which displays the 
    /// Request.HttpCookieCollection including subkeys and values.</returns>
    public static String CookiesToString()
    {
       int i, j;
       StringBuilder output = new StringBuilder();
       HttpCookie aCookie;
       String subKeyName;
       String subKeyValue;
       HttpServerUtility server = HttpContext.Current.Server;

       output.Append("<table><tr><th>Cookie</th><th>Subkey</th><th>Value</th></tr>");
       for (i = 0; i < HttpContext.Current.Request.Cookies.Count; i++)
       {
          aCookie = HttpContext.Current.Request.Cookies[i];
          // Cookie names and values come from the client, so everything is
          // HTML-encoded before it is written into the table.
          output.Append("<tr><td>");
          output.Append(server.HtmlEncode(aCookie.Name));
          output.Append("</td>");
          if (aCookie.HasKeys)
          {
             System.Collections.Specialized.NameValueCollection cookieValues = aCookie.Values;
             String[] cookieValueNames = cookieValues.AllKeys;
             for (j = 0; j < cookieValues.Count; j++)
             {
                // One row per subkey; rows after the first get an empty name cell
                if (j > 0)
                   output.Append("<tr><td></td>");
                subKeyName = server.HtmlEncode(cookieValueNames[j]);
                subKeyValue = server.HtmlEncode(cookieValues[j]);
                output.Append("<td>");
                output.Append(subKeyName);
                output.Append("</td><td>");
                output.Append(subKeyValue);
                output.Append("</td></tr>");
             }
          }
          else
          {
             output.Append("<td></td><td>");
             output.Append(server.HtmlEncode(aCookie.Value));
             output.Append("</td></tr>");
          }
       }
       output.Append("</table>");
       return output.ToString();
    }


    Posted by erobillard | 2 comment(s)

    While most people know and use the IIS Lockdown tool, few install the URLScan companion piece. I strongly recommend that this utility be installed on all servers running IIS 5.x; this is as important as staying up to date with critical fixes. Much of the functionality is available in IIS6, but why wait to upgrade when you can get that peace of mind for free today?

    From the summary: "URLScan is an ISAPI filter that allows Web site administrators to restrict the kind of HTTP requests that the server will process. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage."

    Many features provided by URLScan are baked into IIS6, and other potential problems are avoided entirely by IIS6's redesigned page and security models. The URLScan home page provides an excellent walk-through of URLScan features vs. built-in IIS6 functionality.

    Still running ASP.NET sites on IIS5? Install it!

    [ Microsoft URLScan Home Page ]
    [ MSDN How To: Use URLScan ]
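    As an added example (not from the post, and not Microsoft's shipped urlscan.ini), here is the kind of restrictive profile you would put in urlscan.ini for an ASP.NET site on IIS 5.x. The section and key names are URLScan 2.5's documented settings; the specific lists are this example's own choices and have to be tuned to the site, since any request that fails [AllowVerbs], [DenyExtensions], [DenyUrlSequences] or [RequestLimits] is rejected before it reaches the application.

```ini
; Added example profile for urlscan.ini (URLScan 2.5), ASP.NET site on IIS 5.x.
; Comment lines start with a semicolon.

[Options]
; Allow-list mode for verbs: anything not in [AllowVerbs] is rejected.
UseAllowVerbs=1
; Deny-list mode for extensions, so .aspx/.asmx/.ashx keep working.
UseAllowExtensions=0
; Decode and canonicalise the URL before checking it, and reject URLs
; that change when normalised a second time (double-encoding attempts).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; No non-ASCII bytes in the URL.
AllowHighBitCharacters=0
; Reject URLs with more than one period, e.g. /bad.exe/safe.htm.
; Set to 1 only if legitimate paths contain dots in directory names.
AllowDotInPath=0
; Strip the Server: banner from responses.
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
; WebDAV request headers a plain ASP.NET site never needs.
Translate:
If:
Lock-Token:

[DenyExtensions]
; Legacy ISAPI mappings and files that should never be served.
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat

[DenyUrlSequences]
; Directory traversal, alternate stream and encoding tricks.
..
./
\
:
%
&

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```

    Before rolling this out, run the site against it and read the URLScan log: legitimate URLs with an ampersand in the path, file uploads larger than MaxAllowedContentLength, or query strings beyond MaxQueryString will show up there as rejections, and those are the values to relax rather than the whole filter.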

    Posted by erobillard | 4 comment(s)

    SharePoint makes use of FrontPage Themes, but FrontPage doesn't make it easy to get at the files which make up a theme. First some background and then we'll look at how to get more control over building and deploying a theme.

    When customizing a SharePoint template in FrontPage you access the available themes through the Format... Themes menu. This brings up the locally installed themes, which are stored in the c:\Documents and Settings\[username]\Application Data\Microsoft\Themes\ folder. Clicking a theme brings up options to Apply or Customize each theme. Customize is limited to a wizard UI, and walking through the stylesheet to update individual styles (Customize...Text...More Text Styles) is tedious work.

    When you have a site open, the FrontPage IDE makes a _themes folder available, but this points to the actual web site folder so changes made here are not saved back to the local themes collection. What you need to do is edit the locally installed theme, not the files already applied to your website.

    Each theme folder contains the following files: an ELM file, an INF file, and a UTF8 file. A PNG thumbnail might also be available. The ELM file is the package which contains the graphics and stylesheets for the theme. To unpack and repack these you will need to create a couple of VBS scripts which can be found in KB article FP2000: Unpacking and Repacking Files in FrontPage Themes.

    After making a backup of your theme, unpack it with your new Unpack_elm.vbs script. From there you can use your favourite editor to search and replace items in the theme.css file, update graphics and their CSS references (like topgrad.gif and toolgrad.gif), whatever. During this stage it's helpful to have a reference handy for the WSS styles, I like the navigable visual reference at SharePointCustomization.com and the more detailed text reference on MSDN.

    When done, repack with your new Repack_elm.vbs script and re-apply the theme to the site through FrontPage.

    Now you've got a reusable Theme, let's move on to a reusable Site Template. Once you're done creating a Team Site just the way you want it, click to Site Settings...Go to Site Administration... and Save site as template. Fill in the blanks here and check the box labelled Include content to store Lists and Document Libraries as well. If successful, a link on the confirmation page will take you directly to the Site Template Gallery. Note that there is a 10 MB ceiling, so watch the size of those picture libraries.

    In the Site Template Gallery, clicking on a name downloads that template as an STP file. As with InfoPath XSN files, a SharePoint STP file is just a CAB file with a new extension. Rename the file and you'll be able to unpack it and modify its contents. The rough part here is that SharePoint renames all the resources with great names like b1000000.000 and you will need to learn the format of the manifest.xml file before getting anywhere.

    You can also delete templates in the Site Template Gallery, something you will want to do before creating a new template with content; this avoids storing templates inside templates. In fact, it's not a bad idea to delete a template once you've downloaded it, and keep all your standard templates in a single repository.

    Better, you can install your new Site Template to be available from all team sites on the portal. There is an MSDN article which describes the process but we can break it down to a couple of steps. First, download the template and move it into a folder on the SharePoint server. Then from the command-line execute the following:

    stsadm -o addtemplate -filename template.stp -title "My New Template" -description "My Template Description"

    You can find stsadm.exe in C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\

    If it worked, you will see the message "Operation completed successfully." and a request to reset IIS. After executing iisreset.exe the new template will appear in the Template Selection page while creating a new site.

    And that's all there is to it. Enjoy!

    Scott Cate is a busy guy. User group leader. ASPInsider. KBAlertz guy. myKB guy. And now, Novelist. The book is called Surveillance and it's in its first limited printing, of which copies are running out. My copy is on the way and judging by the pieces posted on the website, it should be a great read. Check it out!
    Posted by erobillard | with no comments

    While searching for a reference on uploading and implementing a new set of gradient images for a site, I stumbled on Mads Haugbø Nissen's Weblog. It's chock-full of useful discoveries with a focus on SPS/WSS customization. Subscribed.

    Also check out Mads' contributions on GotDotNet. If a title like Auto-Deployment of Sharepoint WebParts grabs you, you'll dig.

    Posted by erobillard | with no comments

    My current client is being hit with a virus that seems to query LDAP / AD to pick up usernames and then run dictionary attacks on those accounts (against Exchange in their case). The end result is that a mass of accounts on this company's network were locked out.

    Aside from the usual measures against attack, this is an excellent example of why admins should a) train users to use pass phrases rather than passwords (even "strong" passwords of fewer than about 10 characters), and b) disable account lockout policies, which are what make this sort of attack possible.

    Here's the blog that changed the way I think about passwords:
    http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
    Anyone responsible for administering a network should read every word Robert posts.

    I personally believe it's a good idea for admins to regularly run attacks on their own networks (aka password auditing) to see who's not following policy. If you don't rattle your doorknobs, you can be sure that someone else will.

    No one can depend on policy alone to protect a network. Consider this: P@ssw0rd (a frequently used MS demo password) and its variations qualify as valid "strong" passwords on most networks.
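    An added example (not from the post) of what an admin could run over the security log to spot the pattern described above before the help desk calls start: one source failing against many harvested accounts in a short window, together with the lockouts it caused. The log lines are constructed for the example in an assumed flat "time|eventId|account|source" layout, using the Windows 2000/2003 security event IDs 529 (logon failure: bad password) and 644 (user account locked out); the class and method names are invented.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using Event = System.Collections.Generic.KeyValuePair<System.DateTime, string>;

// Added example, not code from the original post.
public static class SprayDetector
{
   public sealed class Finding
   {
      public string Source;
      public int DistinctAccounts;   // most accounts one source failed against inside one window
      public int Failures;           // total bad-password events from that source
      public int Lockouts;           // lockouts reported against that source
   }

   // A user fat-fingering their own password hits one account; a dictionary run
   // over a harvested user list hits many. Flag sources that hit >= minAccounts
   // distinct accounts within any span no longer than 'window'.
   public static List<Finding> Analyse(IEnumerable<string> lines, TimeSpan window, int minAccounts)
   {
      var failures = new Dictionary<string, List<Event>>();
      var lockouts = new Dictionary<string, int>();

      foreach (string line in lines)
      {
         string[] f = line.Split('|');
         DateTime when;
         if (f.Length != 4 || !DateTime.TryParseExact(f[0], "yyyy-MM-dd HH:mm:ss",
               CultureInfo.InvariantCulture, DateTimeStyles.None, out when))
            continue;                                    // skip malformed lines rather than abort
         string account = f[2].ToLowerInvariant();       // account names are case-insensitive
         string source = f[3];
         if (f[1] == "529")
         {
            List<Event> list;
            if (!failures.TryGetValue(source, out list))
               failures[source] = list = new List<Event>();
            list.Add(new Event(when, account));
         }
         else if (f[1] == "644")
         {
            int n;
            lockouts.TryGetValue(source, out n);
            lockouts[source] = n + 1;
         }
      }

      var findings = new List<Finding>();
      foreach (KeyValuePair<string, List<Event>> entry in failures)
      {
         List<Event> events = entry.Value;
         events.Sort((a, b) => a.Key.CompareTo(b.Key));
         // Sliding window over the time-ordered failures from this source.
         var inWindow = new Dictionary<string, int>();
         int start = 0, best = 0;
         for (int end = 0; end < events.Count; end++)
         {
            Bump(inWindow, events[end].Value, +1);
            while (events[end].Key - events[start].Key > window)
               Bump(inWindow, events[start++].Value, -1);
            if (inWindow.Count > best) best = inWindow.Count;
         }
         if (best < minAccounts) continue;
         int locked;
         lockouts.TryGetValue(entry.Key, out locked);
         findings.Add(new Finding { Source = entry.Key, DistinctAccounts = best,
                                    Failures = events.Count, Lockouts = locked });
      }
      return findings;
   }

   // Maintain per-account counts inside the window; drop the key when it reaches zero.
   static void Bump(Dictionary<string, int> counts, string key, int delta)
   {
      int n;
      counts.TryGetValue(key, out n);
      if (n + delta == 0) counts.Remove(key); else counts[key] = n + delta;
   }

   static void Main()
   {
      string[] sample = {                                 // constructed sample log lines
         "2004-09-20 08:00:01|529|alice|10.1.1.50",
         "2004-09-20 08:00:01|529|bob|10.1.1.50",
         "2004-09-20 08:00:02|529|carol|10.1.1.50",
         "2004-09-20 08:00:02|529|dave|10.1.1.50",
         "2004-09-20 08:00:03|529|erin|10.1.1.50",
         "2004-09-20 08:00:03|529|Frank|10.1.1.50",
         "2004-09-20 08:00:04|644|carol|10.1.1.50",
         "2004-09-20 08:00:05|644|erin|10.1.1.50",
         "2004-09-20 08:01:10|529|alice|10.1.1.77",     // one user retyping her own password
         "2004-09-20 08:01:20|529|alice|10.1.1.77",
         "2004-09-20 08:01:30|529|alice|10.1.1.77",
      };
      foreach (Finding f in Analyse(sample, TimeSpan.FromMinutes(5), 5))
         Console.WriteLine("{0}: {1} accounts, {2} failures, {3} lockouts",
                           f.Source, f.DistinctAccounts, f.Failures, f.Lockouts);
   }
}
```

    The threshold is on distinct accounts per source, not on raw failure counts, which is the difference between the worm's behaviour and a legitimate user who mistypes three times; the same split is what makes account lockout the wrong control for this attack, since lockout counts failures per account and so punishes the victims rather than the source.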

    I've stumbled on two good resources recently for Tablet development.

    The first is Dr. Neil's Getting Started eBook. For the novice tablet developer this is a terrific first-time resource. On his Samples page you will find a homegrown notepad application and sample code for ink manipulation (loading/saving/clipboard).

    The other is an Ink Utility class posted on Rhy Mednick's chickenscratchsoftware.com. The class includes methods for bounding, scaling, positioning and aligning Ink. Read the articles, link to the docs, and download at will.

    There are many more of course. The MSDN Tablet Developer Center is a great starting point, and your first downloads should be the Tablet SDK and XPSP2 (if you don't have it already), which contains the free upgrade to Windows XP Tablet Edition 2005.

    Windows XP Tablet Edition 2005 deserves special mention. Anytime a service pack makes your PC an order of magnitude more enjoyable to work with, well that's gotta be good.

    The new Input Panel alone makes this one worthwhile. It's accessible whenever you hover near a textbox, automatically expands to multi-line when you reach the edge of the screen, and has combed input for entering non-words like URLs or e-mail addresses. And it provides instant feedback as you ink, so you know before clicking Insert whether it understands your scrawl.  I now find myself using the stylus more while surfing, filling in forms, working in Office apps, anywhere. It's really that good. Together with an improved recognition engine, this is a no-brainer. All that's missing for me is recogniser support for Canadian English. Go get it!

    Posted by erobillard | with no comments

    A SharePoint KB article was posted today that's more like a FAQ item, and it got me thinking about all the other "oh yeah [slaps forehead]" things I figured out while setting up and configuring SPS/WSS sites. I've been wondering what sort of SharePoint posts to write and beginner snippets like this make good sense so expect more.

    This particular KB article answers the question, "why do I need to login again whenever opening a document?" The answer is that Basic Authentication is still turned on, so your credentials aren't passed from MSIE to the app requesting the document. You can read the official answer on KBAlertz or MSDN.

    If you're on an intranet you'll want to turn off Basic and turn on Integrated Windows Authentication, as you presumably have control over the browser installed on desktops. If you're hosting a public WSS site with authentication, this configuration change will bung up non-MS browsers which don't support the authentication model (Opera, Netscape, Safari); the decision is yours.

     

    Posted by erobillard | 1 comment(s)