Archives / 2004 / May
  • [Tech-Ed] One of the best values at Tech-Ed (even if you're not an attendee)...

    The hidden gem at Tech-Ed is the Microsoft booths in the Exhibit Hall .

    They have a separate booth for each technology - SQL Server, ASP.NET, all the different server products, etc., and the people at these booths are developers / dev leads / program managers / etc. folks that really know their stuff. I pestered the hell out of the ASP.NET group and they answered tons of questions for me. I was wishing I hadn't had those two free beers and had a written list of questions - they were answering my questions a lot faster than I could ask them.

    Non-attendees can still go to the Exhibit Hall - tickets available onsite for Wednesday and Thursday. I've heard it's $75.


  • [Tech-Ed] DEV320 Visual C# Best Practices: What's Wrong With this Code?

    Good presentation - disguised a best practices talk as a quiz to keep it interesting. Much tougher to spot the problems than to nod along with bullet points about writing good code.

    Not gonna try to summarize this - just point you to the slides. They're pretty self-explanatory; you can get through them in a few minutes, but you'll get more out of them if you try to spot the problems before going to the next slide to see the answer.

    Good stuff on exception handling, resource management, performance issues, and some sources of nasty bugs.

    Okay, just one thing - did you know you can cast an arbitrary int (or whatever the underlying type is) to an enum without generating any kind of error? The compiler and the runtime both let it through, so anything that takes an enum from outside (a query string, a database column) has to validate it itself:

    enum EmployeeType { Grunt, Manager, Executive }
    EmployeeType text = (EmployeeType) 50000;   // compiles and runs with no exception
    // Enum.IsDefined(typeof(EmployeeType), text) returns false - check it before trusting the value


  • [Tech-Ed] WIN321 Running IIS Web Farms: Tips and Tricks

    I attended WIN321 Running IIS Web Farms: Tips and Tricks on Monday. The slides are online here [updated], but here are some high points:

    Datacenter Overview
    $4 million annual datacenter budget - pretty cheap for what they do.
    Doing more with less - consolidation, etc. - same pressures most IT shops face.

    They use NLB heavily.
    Content Management Server for TechNet content
    Sharepoint for search

    AMD 64
    Moving to AMD64 for more physical and virtual memory
    4GB vs. 2GB of address space per 32-bit process - an immediate win even though ASP.NET 1.1 is 32-bit only
    TBs of virtual address space once ASP.NET 2.0 (full 64-bit support) ships
    Running 32-bit code on 64-bit Windows (WOW64) costs only about 1% CPU overhead
    Trial and beta versions available
    WOW64 arrives with the x64 editions of Windows Server 2003 SP1

    Data management
    Significant amount of data - 100GB content, 2-5 GB changes daily
    No fileshare - files are local on box, boxes in farm are clones
    Content distributed by glorified RoboCopy

    Server Build Process
    VBS scripts (included in slides)
    Baseline - Initial OS / Webserver install
    Site Specific - Reg settings, etc., for site
    Not using Ghost / imaging
    Not using Web Gardens (multiple worker processes per app pool)

    IIS 6.0 App Pooling
    Protect well-behaved apps by giving them their own pool
    Group the "bad apps" logically into shared pools so they only take each other down

    Resource Management
    WSRM (Windows System Resource Manager) for CPU management
    App Pools for memory management

    Tips / Tricks (Many in IIS Resource Kit)
    IISCNFG /EXPORT (Metabase Replication / Backup)
    IISCERTDEPLOY.VBS (push certs to servers without getting on each machine)
    Metabase Explorer - Migrate metabase from IIS 5 to IIS 6 by drag / drop config from one instance to another
    Logparser, Logparser, Logparser!
    PSEXEC (SysInternals)
    Logparser / Netmon to detect SYN attacks
    Replay web logs with Logparser and WCAT (Web Capacity Analysis Tool)

    Hotfixes without reboots
    Analyze the hotfix (INF files, Tlist, Filemon) to determine which processes hold the files being replaced
    Run the hotfix inside a wrapper (kill those processes, install the hotfix, restart them)
    Tricky process - test thoroughly and roll out cautiously, a few servers at a time

    Hack defense
    Crazy stats about the number of hack attempts per day
    Logparser scripts that run every 15 minutes - near-real-time log analysis
    Hardware packet filtering to drop bad packets before they reach the webservers
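    The Microsoft.com team's 15-minute Logparser jobs aren't in the slides, so here is an added example of the same idea in Python (my code, not theirs): it parses IIS W3C extended log lines, buckets them into 15-minute windows, and flags client IPs that rack up 4xx/5xx responses in a window, plus requests whose query string carries SQL-injection markers. The log lines, the IP addresses, the error threshold and the marker list are constructed for the example and would need tuning on a real farm.

```python
"""Added example: near-real-time triage of IIS W3C logs (not the slides' scripts)."""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

WINDOW_MINUTES = 15
ERROR_THRESHOLD = 5   # assumed: errors per IP per window before we care

# Constructed sample log: a scanner at 10.0.0.7 probing for SQL injection and
# old files, mixed in with ordinary traffic. Field names are IIS's own.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-24 09:00:01 192.168.1.20 GET /default.aspx - 200
2004-05-24 09:00:03 10.0.0.7 GET /orders.aspx id=1' 500
2004-05-24 09:00:04 10.0.0.7 GET /orders.aspx id=1+union+select+1,2,3-- 500
2004-05-24 09:00:05 10.0.0.7 GET /orders.aspx id=1;exec+xp_cmdshell+'dir' 500
2004-05-24 09:00:06 10.0.0.7 GET /admin.bak - 404
2004-05-24 09:00:07 10.0.0.7 GET /db.inc - 404
2004-05-24 09:00:08 10.0.0.7 GET /web.config - 403
2004-05-24 09:05:00 192.168.1.21 GET /products.aspx cat=3 200
2004-05-24 09:20:00 10.0.0.7 GET /default.aspx - 200
"""

# Crude but effective markers of SQL injection probing in a query string
INJECTION_MARKERS = re.compile(r"('|--|\bunion\b|\bselect\b|\bxp_cmdshell\b)",
                               re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line; a real job would count and report these
        yield dict(zip(fields, values))


def window_start(rec):
    """Floor the record's timestamp to the start of its 15-minute window."""
    ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return ts - timedelta(minutes=ts.minute % WINDOW_MINUTES, seconds=ts.second)


def noisy_clients(text, threshold=ERROR_THRESHOLD):
    """Map (window_start, c-ip) -> count of 4xx/5xx responses, at or over threshold."""
    errors = Counter()
    for rec in parse_w3c(text):
        if rec["sc-status"][0] in "45":
            errors[(window_start(rec), rec["c-ip"])] += 1
    return {key: n for key, n in errors.items() if n >= threshold}


def injection_attempts(text):
    """Return (c-ip, cs-uri-stem, decoded query) for requests carrying SQLi markers."""
    hits = []
    for rec in parse_w3c(text):
        query = unquote_plus(rec["cs-uri-query"])
        if query != "-" and INJECTION_MARKERS.search(query):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], query))
    return hits


if __name__ == "__main__":
    for (start, ip), n in sorted(noisy_clients(SAMPLE_LOG).items()):
        print(f"{start:%Y-%m-%d %H:%M} {ip}: {n} error responses in one window")
    for ip, stem, query in injection_attempts(SAMPLE_LOG):
        print(f"SQLi marker from {ip}: {stem}?{query}")
```

    Run it as-is against the embedded sample, or point parse_w3c at the last 15 minutes of a real ex*.log; the two reports are the sort of thing a scheduled job would feed into a firewall block list or a pager.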

    Server Performance Advisor (W2K3)
    Should be released within a few weeks
    HTML reports with all kinds of goodies, built on ETW (Event Tracing for Windows)


  • [Tech-Ed] BOF RSS Without the Blog

    (don't worry, I'm not going to be able to attend that much of Tech-Ed so I'm not going to be blogging every single session)

    Ray Schraff led a BOF session on uses of RSS beyond blogging. It was interesting, and he's a very bright guy. There were only about 10 people there, which was good and bad - limited input, but pretty relaxed so everyone could speak up.

    He talked about RSS Annotations in the Longhorn SDK (something I'd missed). He used it as a springboard - if an SDK page can use RSS, what else can we do? He talked about using RSS to push business information - transactions, account information, workflow events, etc. One benefit is the smooth integration with "sometimes connected" (offline / disconnected / remote) client applications. RSS aggregators handle this smoothly, so why not leverage it in business applications?

    The question of bandwidth was raised - people have been concerned that RSS is pretty chatty and will bring the internet to its knees. Ray pointed out that since it's text only, most RSS responses are far smaller than a web page response, since they don't include all those 50+ KB gifs.

    Someone else asked why not just use e-mail for statusing. Ray said one big reason is that we can't really trust our e-mail anymore; it's so flooded with spam. With RSS, you request from a server you've subscribed to, so you can't be spammed (and if you do, you unsubscribe).

    Another question concerned security. If there's a feed that has my transaction information, I want to be sure no one else can subscribe to it. We discussed extensions, wrapping the RSS communications in a secure SOAP message, and querystring / HTTPS approaches. One caveat on the querystring idea: a secret token in the URL ends up in server logs, proxy logs and the subscriber's aggregator cache, so HTTPS plus real authentication is the safer of the two.

    Then there's the issue of RSS spec fragmentation. Ray said if he's targeting aggregators, he'd probably use an RSS 0.9x flavor; otherwise he'd use RSS 1.0 since it's got RDF support and is therefore extremely extensible.

    One other thing Ray brought up was the difficulty of keeping OPML and cached content (read / unread) status in sync between work and home machines. He uses a memory stick to cart his SharpReader info back and forth. I know BlogLines is supposed to answer this question, but it didn't work all that well for me. The guy that writes an aggregator with a bundled OPML hosting system's gonna make at least $5 (mine).

    All in all, this was a good discussion - interesting to see where this goes.


  • [Tech-Ed] BOF - Code Generation

    Scott Hanselman led a BOF on Code Generation. I agree with Andres - there was a lot of discussion on business rules definition, which was interesting but I think took away from more common uses of codegen.

    Peter Provost was talking about using the Code DOM to crank out one off's. Peter's a lot smarter than me, and can probably burn the extra brain cycles on the Code DOM complexities. Seems like a lot of work to me.

    Others talked about using XML and XSLT to write their code for them. I agree with the sentiment others expressed - XSLT is not an easy language to program in. Programming logic into XSLT is like writing procedural cursor-based T-SQL - you can do it, but it'll make you cranky and you won't understand how it works in three months. I like the declarative model in concept, but the XSLT work I've done has been tedious at best.

    John Lam talked about the "angle bracket tax" of XML, but he was advocating what basically amounted to writing your own language. I don't know about that - codegen's supposed to create less work, right? Once again, I guess if you've got some cycles to burn then go for it, but I'm looking for solutions that simplify my work. I'd rather not have to debug my custom code generation language while I'm trying to complete a project.

    So, to sum it up... people were talking madness and I felt like I was taking crazy pills.

    Then in the last 10 minutes, Scott presented what he's doing. He's using CodeSmith. I use CodeSmith. I love CodeSmith. CodeSmith is easy - it's ASPX code, which I know. It's powerful. It's easy. It seemed they were pumping sanity back into the room through the ventilation system.

    Scott pointed out the difference between generating code based on nouns (domain information) vs. verbs (business rules). He said you should start with what's easy to describe - the nouns. Agree. Describing nouns is easy, so it's easy to automate. Describing business rules (e.g. tax code) is not easy. As Scott said, starting with CodeSmith's Strongly Typed Collection Classes is a good way to get a quick win with codegen.

    Scott's company uses XML Schema to define entities. The elements have domain specific attributes. They've extended things quite a bit - for instance, the properties have custom attributes which describe formats. The data is isomorphic. That's good, I think.

    They've then gone on to describing the business rules using WSDL. Purty slick. They map multiple inputs (database, mainframe, etc.) to multiple outputs (web, wap, client) through a generated framework. Cool.

    We've been using CodeSmith quite a bit at my work - I've been meaning to blog about some of the things we've come up with (extending codegen code with support for regen, custom filtering, etc.). I'm sure it's all been done before, but might save someone some time.

    So, I enjoyed the session. I wish Andres had spoken up (I'll try to catch up with him at the DeKlarit booth this week), and I wish Scott had spent a little more time describing what he's doing. But, Scott ended the session by giving out copies of CodeSmith Pro so there's no way I can complain.


  • TITLE tags for hyperlinks - little datagrid usability thing

    [updated based on feedback from Rick and Fabrice]

    Master / Detail pages are a snap to create with ASP.NET, but they can be frustrating for the end user. If the information you're looking for isn't on the master page, you end up clicking back and forth to find the record you want. From a selfish point of view, those unneeded round trips to the server are also a waste of server CPU and bandwidth.

    So here's a simple little feature that can save some clicks - a "title" attribute for the edit links. Mouse over them to see what I'm talking about:

    Order ID*   Requestor            Phone Extension   Department
    200454378   Nathaniel Pemberton  7012              Marketing
    200454379   Bart McKinley        2000              CEO
    200454380   Nathaniel Pemberton  7012              Marketing
    200454383   Walter Jennings      4302              HR

    *The Order ID is the edit link - mouse over it for details

    The idea is the same as the alt attribute on images.

    <a href= title="Monkey pictures!">Click Here</a> = Click Here

    Works in IE and Firebird. Haven't tested in Lynx.



  • It's a Tech-Ed miracle (for me, anyhow)!

    It's like a scene out of a Christmas special. Looks like I've got a last minute opportunity to attend at least bits and pieces of Tech-Ed.

    The head programmer in my group at work had a baby show up two weeks ahead of schedule, so he's not able to attend. Tech-Ed registration said they can transfer his registration to my name. It's sounding like I'm not allowed to take time off work, even unpaid, but I can hopefully catch some evening sessions at a minimum.

    Woo hoo!

    I have no idea what the schedules look like - gonna have to check out some recommended lists and see what's available. I'm especially interested in the ASP.NET master pages stuff, as we have a rewrite of a huge site coming up this year.


  • Online Book - A .net developer's guide to Windows security

    I "google stumbled" onto an amazing online book by Keith Brown - "a .net developer's guide to Windows security". The whole (in progress) book, including some sample code, is available online. There's even an rss feed with updates.

    This book is a great complement to "Writing Secure Code". Writing Secure Code tells you how to avoid security mistakes of all types; Keith's book tells you how to work with the Windows security model from .NET. As Keith points out on the book's splash page, the .NET framework doesn't do a good job of abstracting the gory details of the Windows security model, and it can be pretty difficult to find .NET code that calls into the Windows security APIs (hello,!).

    So get down and dirty with the SIDs, tokens, profiles, impersonation, privileges, ACLs, etc. Good stuff.

    And while you're at it, check out Password Minder 1.5 and his other cool security related utilities and samples here.


  • [SQL] Cannot perform an aggregate function on an expression containing an aggregate or a subquery.


    select avg(count(ip)) from pagehits where [month] = 2 group by ip

    will give the following error: "Cannot perform an aggregate function on an expression containing an aggregate or a subquery." SQL Server doesn't allow nesting one aggregate directly inside another.

    Solution - use a derived table, so the inner query does the grouping and the outer query aggregates its rows:

    select avg(ipcount) from (select count(ip) ipcount from pagehits where [month] = 2 group by ip) as sub

    One more gotcha: avg over an int column returns an int in SQL Server, so the result above is truncated. Cast ipcount to float or decimal first if you want the fractional part.

    I'm posting this because searches on the error message didn't return good results, so if someone else has this problem (read: when I forget this again) this may save some frustration.


  • Windows Orchestration Engine in Longhorn

    AWARE THAT many people are beginning to give up hope of ever seeing a new version of Windows, Microsoft is continuing to send its spinsters waxing lyrical about what it will contain when it arrives. The latest prediction that the Redmond sleeping giant has ‘leaked’ to CNET is that it wants to embed core orchestration and workflow into Longhorn. New workflow and orchestration technology, called the Windows Orchestration Engine will be ready for the Longhorn/Orcas time frame.

    CNET quoted Bob Muglia, senior VP at Microsoft's Windows Server Division, who confirmed that work was under way. "Stay tuned," he told them showing his remarkable ability to pun in the face of tough questions from CNET hacks.


    WOE seems like an unfortunate acronym.

    Almost as bad as the Children's Hospital Of Philadelphia.


  • NeoWin RSS 2.0 Feed

    NeoWin's RDF feed is pretty lame if you're used to RSS 2.0:

    RDF may be cool in a retro kind of way, but it doesn't even have post description (body). Lousy.

    Just saw this site that has RSS 2.0 feeds:

    They've got an RSS 2.0 NeoWin feed (as well as a lot of other feeds, including some rollup feeds):

    It's got the ExPress News logo on the feed, but that's no problem for me.


  • Tech-Ed San Diego - So close, so far


    Despite the fact that I live in San Diego, I'm not able to go to Tech-Ed[1]. As an hourly perma-temp, I can't afford the double hit of Tech-Ed registration and a week off from work. Drat.

    I'm hoping to be able to meet up with some of the blogging crowd if they leave the posh convention center and go slumming out in town with us regular folks.

    I'm not Mr. San Diego by a long shot, but I can pass on a few pointers if you haven't been here and have no better information source than the blog of some goofball you've never met.

    Napa Valley Grille is pretty cool - it's at the top of Horton Plaza and has pretty good food at around $20 for a main course.
    Candelas is pretty cool for a sit down dinner, too.
    Old Town is an old standard for Mexican restaurants.
    The Padres have a cool new ballpark but unfortunately there aren't any games that week.
    Kent (the SqlJunkie) was looking at lining up a tour of the Ballast Point Brewing Company.

    [Update] Sushi recommendations (via my hip downtown friends)
    Downtown: Taka Ra Sushi Deli
    La Jolla: Cafe Japengo's Sushi on the Rocks
    La Jolla: Sushi Ota (good sushi, no glitz)

    And the church I attend and highly recommend (meets in the Gaslamp Theatre): Harbor Presbyterian Church is a pretty good source of info. I looked and didn't see much in the way of local music to recommend that week.

    Maybe I'll add some more stuff here if I think of it and this post gets at least two hits.

    [1]And it's sold out, so don't try to guilt trip me about how I should steal the money somehow and go.


  • Enterprise Connection String Management in ASP.NET - Best Practice?

    This is mainly a problem statement - it lists some solutions, but all have some pretty big downsides. I'd really like to find a good solution to this, so please comment if you have anything to add.
    There are some significant problems with keeping connection strings that use SQL Server Authentication in ASP.NET web.config files. Here are a few:
    1. Security - Both username and password are stored in plain text (associated with the server), so if the web.config file is compromised, an attacker has the keys to the database. Config files are mapped to the HttpForbiddenHandler, which stops IIS from serving web.config over HTTP, but that only closes the HTTP path; anyone with file-system access, a backup tape, or a source-control checkout still has the password.
    2. Control - Keeping login information in web.config files makes it difficult to control developer access to production databases, since developers will likely view web.config files during production support activities or in source control.
    3. Administration - Keeping login information in individual files on a per application / per webserver basis makes changing passwords (including regular password rotation) difficult.
    Trusted Connections (using Windows Authentication rather than SQL Server Authentication) seem to offer a better solution - connection strings don't contain login information, and centralized account maintenance of Windows accounts is well defined and supported. Trusted connections don't send the password over the network (NTLM or Kerberos handles the authentication), so they're much more secure. Several Microsoft security articles propose this approach:
    However, this approach sounds like it works better in theory than in practice when it comes to ASP.NET applications. While the network communications are more secure, using Trusted Connections requires changes that make the ASP.NET application less secure.
    There are two methods available for connection to a database server with Windows Authentication - Domain Accounts and Mirrored Accounts.
    Trusted Connection cons (both domain account and mirrored account):
    1. Impersonation still requires putting a password in a config file (the processModel element in machine.config or the identity element in web.config), so we've got passwords in plain text again. It is possible to encrypt the impersonation identity and store it in the registry (the aspnet_setreg.exe tool does this), but this complicates administration.[1]
    2. Impersonation requires a little more setup on the webservers - the impersonated account needs write permissions on several folders (good info here). Also, upgrading .NET versions doesn't migrate machine.config information (why?), so there is additional work / risk when upgrading .NET versions.
    3. Impersonation in ASP.NET complicates matters a bit. I've run into some unrelated issues with ASP.NET impersonation in the past that indicate it's a bit of a frontier.
    - Security issues have been mentioned with running the IIS user as a user that is a member of a domain.
    - Difficult to change passwords; need to edit web.config / machine.config on multiple webservers.
    Much more discussion here:
    - Difficult to change passwords; need to edit the registry on multiple webservers.[1 again]
    Custom encryption of Connection Strings in web.config cons:
    1. Makes management of multiple servers (password rotation, etc.) more difficult
    2. Custom or homegrown solution - may not be supported, may not be secure, etc.
    Centralized Connection String Management solution:
    A central service provides applications their connection string (and possibly other configuration data) in an encrypted format. Applications would use a common component to access and decrypt the information.
    Centralized Connection String Management cons:
    1. "Crown Jewels" - if that system's compromised, all databases are exposed
    2. Key management issues to do secure communications with central server
    3. Single point of failure for all applications
    4. Homegrown security solutions are likely to be insecure, and quickly turn into legacy systems that make upgrading difficult.
    Domain Accounts with Trusted Connections seems the best approach (if the security issue is not such an issue), with the impersonation account stored in the registry. Microsoft documentation / recommendations kind of lay out the options but don't indicate a preferred method. It would be great to have some general guidance on how to manage database connections in an enterprise web environment.
    It would also be great if impersonation were a bit more transparent - changing an encrypted registry setting is a bit complex. Changing the account an IIS Application runs under is as simple as logging into Windows; impersonation should work the same.
    Visual Studio 2005 has a Connection String Manager in the IIS MMC that interfaces with web.config and supports encryption, but that's a ways off.
    Comments? Guidance? What's worked for you? WWMD (What would Microsoft do)?
    [1] There are ways to push out registry changes to multiple servers (SMS, others)


  • SQL used for evil

    Yikes. I heard about a website being hacked, probably via SQL injection. This trigger was added:

    CREATE TRIGGER tr_Orders_INSERT_InsteadOf ON Orders
    INSTEAD OF INSERT   -- replaces the insert entirely, so nothing is ever written
    AS RAISERROR('[Microsoft OLE DB Provider for SQL Server] Timeout expired', 16, 0)

    That's a rough one to catch, because to the calling code it looks as if you're getting unexplained timeouts every time you try to add a row to the Orders table. One tell, if you log more than the message text: a genuine provider timeout is raised on the client side, while RAISERROR with an ad hoc message comes back from the server as error number 50000 at the severity given in the trigger (16 here). This is pretty much a "denial of service" type of attack in that it's designed to harm the business rather than steal from it. Not cool.
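    Here is an added example (not from the hacked site or this post) of the situation and of the check I'd run after cleanup: plant a trigger that fails every insert with the provider's own timeout text, show what the application sees, then inventory every trigger in the database and flag the ones that raise errors. SQLite stands in for SQL Server so it runs offline; on SQL Server the trigger would be INSTEAD OF INSERT with RAISERROR, and the inventory query would read sys.triggers with OBJECT_DEFINITION(object_id) and search the definition for RAISERROR or THROW. The table, rows and trigger are constructed for the example.

```python
"""Added example: a planted trigger that fakes a provider timeout, and the
trigger inventory that finds it. SQLite stands in for SQL Server."""
import sqlite3

# The text the hacked site's callers saw; on SQL Server it came from RAISERROR.
FAKE_ERROR = "[Microsoft OLE DB Provider for SQL Server] Timeout expired"
TRIGGER_NAME = "tr_Orders_INSERT_InsteadOf"


def make_db():
    """Constructed Orders table with the attacker's trigger already planted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Orders (OrderId INTEGER PRIMARY KEY, Requestor TEXT)")
    # SQL Server would use INSTEAD OF INSERT ... RAISERROR(...); SQLite's
    # BEFORE INSERT + RAISE(ABORT) has the same effect: every insert fails
    # with the attacker's message and nothing is written.
    db.execute(f"""
        CREATE TRIGGER {TRIGGER_NAME} BEFORE INSERT ON Orders
        BEGIN SELECT RAISE(ABORT, '{FAKE_ERROR}'); END""")
    return db


def try_insert(db, requestor):
    """Insert one order; return None on success, else the error text the app sees."""
    try:
        with db:
            db.execute("INSERT INTO Orders (Requestor) VALUES (?)", (requestor,))
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)


def audit_triggers(db):
    """List every trigger and flag any whose body raises an error.

    On SQL Server the equivalent is
      SELECT name, OBJECT_DEFINITION(object_id) FROM sys.triggers
    followed by a search of each definition for RAISERROR or THROW.
    """
    findings = []
    rows = db.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'")
    for name, table, body in rows:
        raises = "RAISE(" in body.upper().replace(" ", "")
        findings.append({"trigger": name, "table": table, "suspicious": raises})
    return findings


def drop_trigger(db, name):
    """Remove a trigger by name; the name comes from the catalog, so quote it."""
    db.execute('DROP TRIGGER "%s"' % name.replace('"', '""'))
    db.commit()


if __name__ == "__main__":
    db = make_db()
    print("insert with trigger planted ->", try_insert(db, "Nathaniel Pemberton"))
    for f in audit_triggers(db):
        print("trigger", f["trigger"], "on", f["table"], "suspicious:", f["suspicious"])
    drop_trigger(db, TRIGGER_NAME)
    print("insert after cleanup ->", try_insert(db, "Nathaniel Pemberton"))
```

    The audit is deliberately a full listing rather than a search for one known name: an attacker who can create one trigger can create several, and the names will not be helpful. Keep a baseline of the triggers your schema is supposed to have and diff against it.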

    And while I'm at it, it's not a good idea to leave files with non-standard extensions (.bak, .inc, .site) in a web directory. IIS 5 doesn't know what they are and will happily serve them up as text; IIS 6 refuses extensions with no MIME mapping by default, but that is one configuration change away from being undone, and .inc files served as text are a classic. Either way, source that was never meant to be served can help an attacker find places where you're vulnerable to other attacks such as SQL injection.
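    As an added example (not code from this post), here is the audit I'd run over a web root for the two problems described above and in the connection string post: files with extensions that are plumbing rather than content (.bak, .inc, .site, .sql ...) sitting where IIS can see them, and files carrying credential-looking text such as a SQL-authentication connection string. The directory tree is built in a temp folder so the script runs offline; the extension list and the credential pattern are assumptions to tune for your site.

```python
"""Added example: audit a web root for files that should not be reachable
(plumbing extensions) or that carry credential-looking text."""
import os
import re
import shutil
import tempfile

# Extensions that are plumbing, not content (assumed list; an allow-list of
# what the site really serves is stricter if you can maintain one).
LEAKY_EXTS = {".bak", ".inc", ".site", ".sql", ".old", ".orig", ".mdb", ".log"}
# Connection-string style credentials: uid=..., pwd=..., Password=..., User ID=...
SECRET_RE = re.compile(r"\b(password|pwd|uid|user id)\s*=\s*[^;\s\"']+", re.IGNORECASE)
READ_LIMIT = 64 * 1024  # config and include files are small; skip giant binaries


def scan_webroot(root):
    """Return sorted (path relative to root, reason) pairs for risky files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in LEAKY_EXTS:
                findings.append((rel, f"leaky extension {ext}"))
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(READ_LIMIT)
            except OSError:
                continue
            if SECRET_RE.search(head):
                findings.append((rel, "credential-looking text"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed tree reproducing the mistakes the posts describe."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "default.aspx": '<%@ Page Language="C#" %>',
        "web.config": '<add key="cn" value="server=sql1;uid=webapp;pwd=S3cret!;database=orders"/>',
        "default.aspx.bak": "old copy of the page, never cleaned up",
        "include/db.inc": 'cn.Open "Provider=SQLOLEDB;Data Source=sql1;User ID=sa;Password=s3cret"',
        "images/logo.gif": "GIF89a",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


def scan_sample():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_webroot()
    try:
        return scan_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in scan_sample():
        print(f"{rel}: {reason}")
```

    Point scan_webroot at a real content directory on one farm node (the nodes are clones, so one is enough) and wire it into the same scheduled job that pushes content, so a stray .bak never makes it to every server.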