ASP.NET Weblogs

Hosam Kamel's Blog

April 2008 - Posts

  • Live Mesh: First Look at Microsoft's New Platform

    The new Live Mesh service that just launched as an invite only "technology preview" is Microsoft's attempt to tie all of our data together. Live Mesh synchronizes data across multiple devices (currently just Windows computers, but theoretically it will extend to mobile and other devices in the future) as well as to a web desktop that exists in the cloud. It can sync data across devices used by a single user, as well as create shared spaces for multiple users. On the surface, Mesh is a lot like competing file sync services such as Dropbox, SugarSync (which we covered in January), and even Microsoft's own FolderShare product. But what sets Live Mesh apart is its platform approach.

    How It Works

    Essentially, Live Mesh is a collection of feeds (which can be expressed as ATOM, JSON, FeedSync, RSS, WB-XML, or POX). Every piece of data entered into a user's Mesh -- be it a file, a folder, a message, a user permission, or a new device -- is rendered as a piece of information in a feed. The feeds are then synced with other devices that are part of that Mesh following rules for how to sync each particular piece of information (i.e., File A may sync with Users 1, 2, and 3, while File B may only be told to sync with Users 1 and 2).

    Mesh is a combination of web based services that sync files and information across a cloud environment, and client software that allows individual devices to sync with the Mesh. This is a continuation of Microsoft's "software plus services" strategy, in which client software is augmented by (or reliant upon) web services.

    The News Feed

    While Mesh doesn't have any version control capabilities yet -- a must for a service that syncs data between multiple users -- it does borrow a popular feature from the web for keeping users up-to-date on what's going on across a system: the news feed. The Live Mesh Notifier is a news feed of all the activity on a user's Mesh. Right now that means changes made to files, folders, devices, user permissions, and comments left on files/folders.

    However, because Live Mesh is a platform that seeks to interact with third party services (more on that below), it is easy to envision how much more could be pushed through the news feed. We were shown a demo application that synced tweets on Twitter with the Mesh Notifier, for example. As more services use the Live Mesh platform, could it, or a service built on top of it, eat FriendFeed's lunch?

    The Platform

    What makes Live Mesh potentially very special is that Microsoft has turned synchronization into a platform. Eventually, services as well as devices will be able to hook into Mesh. We were shown some early demos of the type of things Microsoft envisions for the Mesh service that were quite impressive. In one proof-of-concept demo, a photo that was taken via a cell phone camera, was automatically synced to a Mesh that pushed the pictures out to a Facebook photo album.

    It was certainly impressive to see data -- in this case a cell phone camera picture -- almost instantly synced across multiple devices and saved to a web service immediately after it was created. Microsoft envisions Mesh as a platform for data synchronization for any service we use and for any type of data. Ideally, for example, if someone were to comment on that photo at Facebook, the comment would sync to anywhere else that photo was hosted (your desktop computer, the desktop computers of anyone sharing the photo, your laptop, other photo sharing sites, etc.).

    Taking On Google Gears?

    Perhaps the most interesting bit that Microsoft demoed to us was an offline component of the Mesh platform. Web apps using the Mesh platform will be able to lean on the client software to take their web applications offline, including all user data, and sync it up when the user gets back online at a later time.

    Microsoft is taking an offline approach that is more akin to Google Gears or Mozilla Prism than Adobe AIR -- the web-to-desktop functionality of Mesh is essentially a wrapper for the actual web app. The same HTML and JavaScript, etc. runs in a desktop window in offline mode, data is stored locally, and synced later. The difference is that Microsoft is tying offline access into the Mesh service, so developers don't just get the technology to take their apps offline, but also access to the synchronization and cloud storage services to move their data back and forth.

    We've talked about the importance of web apps on the desktop on this blog, so this could be an important component of Mesh.

    Will It Work?

    It is still very early for Mesh. Microsoft intends to invite key development partners to try out the system in the next few weeks, and will roll out support for other devices (including mobile and Mac) over the next year. One thing that could hinder Mesh, though, is Microsoft's rather confused marketing around its online services. Between Mesh, SkyDrive, Live Spaces, and FolderShare there is so much overlap in Microsoft's services that users are bound to get confused.

    Ideally, Mesh will be a platform that will tie all of Microsoft's online storage, synchronization, and sharing services together -- along with other, third party services. But the confusing muddle that is Microsoft Live could stymie mainstream adoption. Microsoft needs to clean up their act and present a more clear marketing message.

    Software + services is also a potentially tougher sell than software as a service -- people don't like downloading things. Still, Microsoft has created a compelling product that they hope will standardize synchronization across the universe of devices and web services we each use every day. The prospect of getting easy access to user data on multiple devices could be attractive for developers and prompt them to embrace the platform, but it is probably too early to make any specific predictions.

    Ray Ozzie Memo

    Accompanying the launch of Live Mesh is a new memo from Microsoft Chief Software Architect, Ray Ozzie. It notes that Microsoft sees the Web as "the Hub of our social mesh and our device mesh." Ozzie calls this "social mesh" and writes that "in scenarios ranging from productivity to media and entertainment, social mesh notions of linking, sharing, ranking and tagging will become as familiar as File, Edit and View."

    VIA : ReadWriteWeb

  • patterns & practices WCF 3.5 Security Guidelines Now Available

    "

    For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines.  Each guideline is a nugget of what to do, why, and how.  The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.

    The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful.  The upside is that customers find the guidelines help them cut through a lot of information and take action.  We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.

    Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.

    Categories

    Our WCF Security guidelines are organized using the following buckets:

    • Auditing and Logging
    • Authentication
    • Authorization
    • Binding
    • Configuration Management
    • Exception Management
    • Hosting
    • Impersonation and Delegation
    • Input/Data Validation
    • Proxy Considerations
    • Deployment considerations 

    Auditing and Logging

    • Use WCF auditing to audit your service
    • If non-repudiation is important, consider setting SuppressAuditFailure property to false
    • Use message logging to log operations on your service
    • Instrument for user management events
    • Instrument for significant business operations
    • Protect log files from unauthorized access
    • Do not log sensitive information

    Authentication

    • Know your authentication options
    • Use Windows Authentication when you can
    • If you support non-WCF clients using Windows authentication and message security, consider using the Kerberos direct option
    • If your users are in AD, but you can’t use Windows authentication, consider using username authentication
    • If your clients have certificates, consider using client certificate authentication
    • If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
    • If your users are in a custom store, consider using username authentication with a custom validator
    • If your users are in a SQL membership store, use the SQL Membership Provider
    • If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
    • If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
    • If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
    • If you are using username authentication, validate user login information
    • Do not store passwords directly in the user store
    • Enforce strong passwords
    • Protect access to your credential store
    • If you are using Windows Forms to connect to WCF, do not cache credentials

    Authorization

    • If you use ASP.NET roles, use the ASP.NET Role Provider
    • If you use Windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
    • If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
    • If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
    • If you need to authorize access to WCF operations, use declarative authorization
    • If you need to perform fine-grained authorization based on business logic, use imperative authorization

    Binding

    • If you need to support clients over the internet, consider using wsHttpBinding.
    • If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
    • If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
    • If you need to support local WCF clients, consider using netNamedPipeBinding.
    • If you need to support disconnected queued calls, use netMsmqBinding.
    • If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

    Configuration Management

    • Use Replay detection to protect against message replay attacks
    • If you host your service in a Windows service, expose a metadata exchange (mex) binding
    • If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
    • Manage bindings and endpoints in config not code
    • Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
    • Encrypt configuration sections that contain sensitive data

    Exception Management

    • Use structured exception handling
    • Do not divulge exception details to clients in production
    • Use a fault contract to return error information to clients
    • Use a global exception handler to catch unhandled exceptions

    Hosting

    • If you are hosting your service in a Windows Service, use a least privileged custom domain account
    • If you are hosting your service in IIS, use a least privileged service account
    • Use IIS to host your service unless you need to use a transport that IIS does not support

    Impersonation and Delegation

    • Know the impersonation options
    • If you have to flow the original caller, use constrained delegation
    • Consider LogonUser when you need to impersonate but you don’t have trusted delegation
    • Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
    • Use programmatic impersonation to impersonate based on business logic
    • When impersonating programmatically be sure to revert to original context
    • Only impersonate on operations that require it
    • Use OperationBehavior to impersonate declaratively

    Input/Data Validation

    • If you need to validate parameters, use parameter inspectors
    • If your service has operations that accept message or data contracts, use schemas to validate your messages
    • If you need to do schema validation, use message inspectors
    • Validate operation parameters for length, range, format and type
    • Validate parameter input on the server
    • Validate service responses on the client
    • Do not rely on client-side validation
    • Avoid user-supplied file name and path input
    • Do not echo untrusted input

    Proxy Considerations

    • Publish your metadata over HTTPS to protect your clients from proxy spoofing
    • If you turn off mutual authentication, be aware of service spoofing

    Deployment considerations

    • Do not use temporary certificates in production
    • If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
    • If you are using a custom service account and need to use trusted for delegation, create an SPN
    • If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
    • Use IIS to host your service unless you need to use a transport that IIS does not support
    • Use a least privileged account to run your WCF service
    • Protect sensitive data in your configuration files

    "

    VIA : J.D. Meier's Blog
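    The guidelines on fault contracts, declarative and imperative authorization, programmatic impersonation with revert, a global exception handler and server-side input validation, shown together in a small service. This is an added C# example, not code from the patterns & practices guidance or from J.D. Meier's post; the contract, service and fault type names, the PAYROLL\Admins and PAYROLL\Executives roles, the PersonnelRoot folder and the fault action string are all assumptions.

```csharp
// Added example (not code from the p&p WCF guidance): a small WCF 3.5 service that
// applies several guidelines in code. All names (IPayrollService, PayrollFault,
// PersonnelRoot, the PAYROLL\* roles, the fault action) are assumptions.
using System;
using System.Collections.ObjectModel;
using System.Runtime.Serialization;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;
using System.Threading;

// Fault contract: the only error detail a client is ever given.
[DataContract]
public class PayrollFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

[ServiceContract]
public interface IPayrollService
{
    [OperationContract, FaultContract(typeof(PayrollFault))]
    decimal GetSalary(string employeeId);
    [OperationContract, FaultContract(typeof(PayrollFault))]
    string ReadPersonnelFile(string employeeId);
}

// Global exception handler: full details go to the server log, while clients
// receive a generic PayrollFault instead of an exception message or stack trace.
public class SafeErrorHandlerAttribute : Attribute, IServiceBehavior, IErrorHandler
{
    public bool HandleError(Exception error)
    {
        System.Diagnostics.Trace.TraceError(error.ToString()); // server-side only
        return true;
    }
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return; // typed faults thrown on purpose pass through
        var generic = new FaultException<PayrollFault>(
            new PayrollFault { Code = "InternalError", Message = "The request could not be processed." },
            new FaultReason("Internal error"));
        // "urn:payroll:fault" is an assumed SOAP action for the generic fault
        fault = Message.CreateMessage(version, generic.CreateMessageFault(), "urn:payroll:fault");
    }
    // IServiceBehavior: registers this handler on every channel dispatcher of the host.
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
            dispatcher.ErrorHandlers.Add(this);
    }
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }
    public void Validate(ServiceDescription description, ServiceHostBase host) { }
}

[SafeErrorHandler, ServiceBehavior(IncludeExceptionDetailInFaults = false)] // never leak exception details
public class PayrollService : IPayrollService
{
    const string PersonnelRoot = @"C:\PayrollData\Personnel"; // assumed location

    // Declarative authorization: callers outside the Windows group are rejected by
    // the dispatcher before the method runs (principalPermissionMode=UseWindowsGroups).
    [PrincipalPermission(SecurityAction.Demand, Role = @"PAYROLL\Admins")]
    public decimal GetSalary(string employeeId)
    {
        ValidateEmployeeId(employeeId);
        // Imperative authorization for a rule that depends on the data itself.
        if (employeeId.StartsWith("9") && !Thread.CurrentPrincipal.IsInRole(@"PAYROLL\Executives"))
            throw new FaultException<PayrollFault>(
                new PayrollFault { Code = "Forbidden", Message = "Executive records need the Executives role." },
                new FaultReason("Forbidden"));
        return 1000m; // constructed stand-in for the real, trusted-subsystem data access
    }

    // Programmatic impersonation, limited to the one operation that needs it; the
    // using block reverts to the service identity even if the read throws.
    public string ReadPersonnelFile(string employeeId)
    {
        ValidateEmployeeId(employeeId); // digits only, so the id cannot alter the path
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // The file ACL, evaluated against the caller's own token, decides access.
            return System.IO.File.ReadAllText(
                System.IO.Path.Combine(PersonnelRoot, employeeId + ".txt"));
        }
    }

    // Server-side validation of length, format and type; the fault does not echo
    // the rejected input back to the client.
    static void ValidateEmployeeId(string employeeId)
    {
        if (string.IsNullOrEmpty(employeeId) || employeeId.Length > 8 ||
            !Regex.IsMatch(employeeId, "^[0-9]+$"))
            throw new FaultException<PayrollFault>(
                new PayrollFault { Code = "InvalidInput", Message = "employeeId must be 1 to 8 digits." },
                new FaultReason("Invalid input"));
    }
}
```

    The service is meant to be hosted with Windows authentication and message security configured in the host's config file (bindings stay in config, not code, per the guidelines); the error handler attribute is picked up automatically when the ServiceHost opens. Declarative impersonation with [OperationBehavior(Impersonation = ImpersonationOption.Required)] is the alternative to the using block when no business rule decides whether to impersonate.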

  • .NET 3.5 Enhancements Training Kit released

    There are some great enhancements coming to .NET 3.5 with the SP1 release scheduled for later this year.  If you'd like to get started with these new enhancements early, and want some great training on them this is the way to do it.  All you need to do is download the kit from here:  http://go.microsoft.com/?linkid=8719735

    For more information check out Jonathan Carter's blog post on the Training Kit.

    VIA : US ISV Developer Evangelism Team

  • patterns & practices WCF Security Guidance: Updated Application Scenarios

    "

    For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios.  We added sections for analysis, code and configuration examples.  The analysis section explains the rationale behind some of the decisions. 

    The idea behind the application scenarios is to show you a before and after look of end-to-end solutions.  Rather than a single solution, we give you a set of solutions to pick from.  The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.

    WCF Security Application Scenarios

    • Intranet
    • Internet

    Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.) 

    "

    VIA : J.D. Meier's Blog

  • 6 free online editors for your asp.net site

    VIA : .Net Adventures

    FCKeditor - this HTML text editor brings to the web much of the power of desktop editors like MS Word.

    Download FCKeditor

    Demo

    Damn Small Rich Text Editor - a very small text editor, built on top of the well-known jQuery library.

    Download Damn Small Rich Text Editor

    Demo

    TinyMCE - cross-platform HTML WYSIWYG text editor. Supports templates, is easily localizable and can be extended using plugins.

    Download TinyMCE

    Demo

    HotEditor - a browser-based rich text editor that simplifies the workload and provides options for integration into forum software.

    Download HotEditor

    Demo

    WYMeditor - a simple cross-platform XHTML web editor.

    Download WYMeditor

    Demo

    SPAW Editor is a web-based in-browser WYSIWYG editor control enabling web site developers to replace a standard textarea HTML control with a full-featured, fully customizable, multilingual, skinnable web-based WYSIWYG editor.

    Download SPAW Editor

    Demo

  • Basic System.Diagnostics

    The .NET framework has shipped with the System.Diagnostics namespace since version 1.0. My efforts to build a method context information gathering framework on the services of System.Diagnostics have brought me a deeper understanding of its classes and configuration settings. I will talk about my method context information gathering framework in a later post, but first I thought I would get us all on the same page on System.Diagnostics.

    System.Diagnostics implements several classes that play a key role in outputting trace text from your application. Better understanding these classes will bring you insights into how to extend the existing diagnostic framework in .NET or how to set up the configuration file to make full use of the out-of-the-box functionality.

    Read the full article at Obiwan Jacobi's Blog

  • CTRL + ALT + DEL in a remote desktop session

    I was trying to change the admin password for one of the servers I'm currently using in my project, which has Windows Server 2003 installed. I'm connecting to this server through a remote desktop session, and I have to press CTRL + ALT + DEL to be able to apply the changes ... I tried to do so, but I got my own machine's security dialog and not the remote machine's one.

    So after searching the Internet I have found that to use CTRL + ALT + DEL in a remote desktop session you have to use CTRL + ALT + END instead.

    funny :)

    [Update]

    Another way, suggested by rajbk and Jonas, is to use "Windows Security" by clicking Start - Windows Security in the remote session.

    Thanks a lot.

  • Enterprise Library 4.0 March 2008 CTP released

    "

    We are pleased to announce the release of the EntLib 4.0 March 2008 CTP and invite your feedback.

    This release has been adapted to work with WMI version 2.0 and version 3.5 of the .NET Framework.

    Enterprise Library 4.0 has the Allow Partially-Trusted Caller attribute (APTCA) on all assemblies. This means that you can call the methods of Enterprise Library and the application blocks from an application running in a partial trust environment. You can do this with the signed assemblies provided with Enterprise Library. There is no longer any requirement, as there was in version 3.x, to recompile the source code then either use the unsigned binaries or strong-name them yourself.

    The Caching Application Block has been refactored to allow developers to replace the CacheManager class with other implementations, including the ones offered by the distributed cache solution providers. This does not affect the API of the application block.

    There are also additions in functionality to the Logging Application Block, the Validation Application Block, the Exception Handling Application Block. For details see the change log on the release page.

    Note: This community preview does not include the integration with Unity or the integrated Visual Studio 2008 config tool. These features are planned for the final release.

    EntLib4.0 March 2008 CTP download site

    "

    via : Grigori Melnik
