MikeShaw's WebLog

No charge training for Developers on Windows XP SP2

mikeshaw — Wed, 20 Oct 2004 08:16:00 GMT

Every developer should know about the latest features of the operating system they are targetting, especially the new security features and how they may impact existing and new applications. Training on the security features of Windows XP SP2 is close to my heart, so I was delighted to see the free Clinic titled "Developing and Maintaining Applications on Microsoft® Windows® XP Service Pack 2".

Here's the overview of this 6 hour self-paced course: This online clinic provides students with the knowledge and skills to understand the security enhancements included with Microsoft® Windows® XP Service Pack 2 (SP2) and how these features may affect applications that need to run on Windows XP SP2.

You can find Clinic 2853 at https://www.microsoftelearning.com/eLearning/offerDetail.aspx?offerId=11678

Visual Studio .NET and .NET Framework 1.0 need patching

mikeshaw — Wed, 22 Sep 2004 09:32:00 GMT

Hopefully this is old news to everyone, but just in case it isn't...

The JPEG GDI+ buffer overrun vulnerability affects multiple software applications which need to be patch individually. Visual Studio .NET 2002 and 2003 as well as the .NET Framework 1.0 SP2 all need patching following the MS04-028 security bulletin. Here are the most common patches that a developer like you might have installed:

•	Microsoft Visual Studio .NET 2002 and – Download the update (KB830348)
•	Microsoft Visual Studio .NET 2003 – Download the update (KB830348)
•	The Microsoft .NET Framework version 1.0 SDK Service Pack 2 – Download the update (KB867461)
•	Microsoft Platform SDK Redistributable: GDI+ - Download the update

Don’t forget desktop applications like Office and Visio are affected too. Check out this link for a complete list of affected software, there may be more you’ve missed: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

I shall write more on the topic of why the GDI+ DLL patching has been so tricky in the near future...

Until then... happy patching!

Time to get personally connected on MSDN UK

mikeshaw — Fri, 17 Sep 2004 14:12:00 GMT

I have always been astounded by the shear volume of content that is available on MSDN. Sadly, like security, the more of it there is, the harder it is to use! Search engines can be a great help in finding what you need, but not so good a finding updated or new information.

So, the MSDN team in Reading, UK, have come up with MSDN Connection. Lindsey Langedijk (she’ll probably kill me for mentioning her name in public ;-)) has done a great job in driving the creation of a personalised view of content, sliced and diced by the topics you select. But there’s more! It is now also possible to subscribe to an RSS feed of your selected content. Very cool and only the beginning. Sign-up today and keep coming back to MSDN UK for more great innovations in the months to come…

http://www.microsoft.com/uk/msdn/preferences.aspx

Footnote:

Now, I know some of you may be a little put-off because this service uses .NET Passport to allow you to save your preferences. .NET Passport really is only an Authentication Service and all your personal and private data is not shared or used for anything you don’t choose, so if you haven’t got a Passport, then please may I encourage you to take this opportunity to sign-up. When you do sign up, always make sure that the box marked ‘let Microsoft use this email address’ (or works to that effect) is checked because if you uncheck it, we will be obliged to remove you from any other mailing lists you may already be on at Microsoft, to comply with the UK’s Data Protection Act

Is Linus Torvalds secretly working for Microsoft?

mikeshaw — Thu, 02 Sep 2004 17:21:00 GMT

An interesting article about the cost of Windows vs the cost of certain Linux deployments: http://www.forbes.com/enterprisetech/2004/08/31/cz_dl_0831msft.html. Read and enjoy ;-)

Microsoft Technical Briefing on 4th October at Wembley Conference Centre, London.

mikeshaw — Wed, 01 Sep 2004 16:33:00 GMT

There is only just over a month to go before I will be speaking at the Technical Summit at the Wembley Conference Centre, London. The day will begin with Rafal Lukawiecki Director of Project Botticelli Ltd, talking about Threat Modelling for ssecure design, then I will have a session on Security tips for developers. After lunch Rafal is back to talk about the features of Windows XP SP2 that developers need to be aware of and how to take advantage of them. After that practical lessons from the frontline with the Government Gateway will describe the experiences of deploying Secure Web Services in the real world. To finish the day, our very own Steve Ballmer will address the audience. Oh, I nearly forgot, that throughout the day we will be trying a first for these sort of events - chalk and talk sessions where a handful of attendees will be able to get a little more interactive on the topics under discussion. Oh, yeah, there is an ITPro (security infrastructure) track as well ;-)

To register, click here and but hurry – spaces are limited!

Microsoft Baseline Security Analyzer V1.2.1 ready for Windows XP SP2

mikeshaw — Wed, 01 Sep 2004 16:10:00 GMT

There is now a new version of the Microsoft Security Baseline Analyser updated. MBSA is a tool that can be used to validate the configuration and patch status of computers on your network. It is a BASELINE tool i.e. it gives you a place to start with your security configuration.

New improvements in MBSA V1.2.1 include:

• Support for Windows XP Service Pack 2 security enhancements

• Clear guidance for locating updates and necessary actions

• Prioritize results more easily by showing summary counts for each score

Localization:

• MBSA releases are available for German, Japanese, and French.

• The mssecure.xml file will be localized to these four languages and will be automatically downloaded and used by the tool when a German, Japanese, or French machine is scanned once they are available in the Microsoft Download Center.

Additional Product Support:

• MBSA can scan for security updates in the following products

• Microsoft Office (local scans only; see list of products)

• Exchange Server 2003

• MDAC 2.5, 2.6, 2.7, and 2.8

• Microsoft Virtual Machine

• MSXML 2.5, 2.6, 3.0, and 4.0

• BizTalk Server 2000, 2002, and 2004

• Commerce Server 2000 and 2002

• Content Management Server 2001 and 2002

• Host Integration Server 2000, 2004, and SNA Server 4.0

Alternate File Version Support (allows multiple sets of file details to be checked in security updates scan)

Additional Configuration Checks:

• Internet Connection Firewall configuration check

• Automatic Updates configuration check

• Internet Explorer zone configuration checks (custom Internet Explorer zone interpretation, Internet Explorer Enhanced Security Configuration checks for Windows Server 2003)

• MBSA tool version check (for new MBSA releases)

Additional MBSA CLI Switches (-unicode, -nvc)

You can get more details and download from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx

ASP.NET Architecture Internals

mikeshaw — Wed, 25 Aug 2004 18:04:00 GMT

On the 5^th July I delivered a webcast on ASP.NET Architecture internals as a follow-on to the UK MSDN Roadshow events we ran in the UK earlier in the year. You can find the link to the download of the webcast at

http://www.microsoft.com/uk/resources/techroadshow/postevents/webcasts.mspx . The reason for blogging this now is because in the webcast I talk about the Server Version of the .NET Framework Garbage Collector and recently I came across this excellent blog entry by Junfeng Zhang that explains the Server GC configuration far better than I did http://blogs.msdn.com/junfeng/archive/2004/07/13/181534.aspx. Enjoy!

XML Firewall and more

mikeshaw — Mon, 16 Aug 2004 15:16:00 GMT

On 27^th July, I was invited to a meeting at the Microsoft Thames Valley Park Campus with Vic Morris, CEO, Mark O’Neill, CTO and Stephen Byrne, SE of Vordel. I was impressed by what they had to say, not only in the capabilities of their existing products, but also in the maturity of their thoughts and planning behind it. Far too few companies in the XML Web Services Firewall space have the same breadth of thought.

Vordel SOAPbox is a free download from Vordel that is a good tool for debugging Web Service security traffic. It lets you configure some HTTP header parameters as well as more advanced things such as configuring and sending SAML in a signed SOAP message over SSL. I thought it was quite cool for a free too anyway. Find it at http://www.vordel.com/soapbox/index.html

VordelSecure is there XML Gateway or Firewall product and VordelDirector is their centralised Web Services product, offering federation and integration with identity management. They have some way to go to fully integrate with the whole Microsoft product suite, MOM, MIIS, ISA etc, but they do manage to offer a set of sophisticated products with solutions to some of the complex security issues that arise when implementing a Service-Oriented Architecture.

I’m sure that I’ll come across Vordel quite a lot in the future, but I’d be interested to hear any feedback anyone has from using their products or from anyone actively working in the XML Firewall space in the UK. I get a lot of questions about XML and Firewalls…

Released Service Pack 1 of Web Services Enhancements (WSE) 2.0 available for download

mikeshaw — Fri, 30 Jul 2004 09:56:00 GMT

If you’re doing anything with secure web services using the .NET Framework, then you’ll want to get the latest version of WSE 2.0 available at http://www.microsoft.com/downloads/details.aspx?familyid=fc5f06c5-821f-41d3-a4fe-6c7b56423841&displaylang=en . This first Service Pack for the WSE 2.0 at a little over 7MB is miraculously 210k smaller than the original!

To quote the update notes on it: “This updated version of the Web Services Enhancements 2.0 contains fixes to scalability and functionality based on customer feedback, as well as important security additions.”

The best list of the changes (and other things about WSE 2.0) are from Hervey Wilson at http://www.dynamic-cast.com/mt-archives/000060.html

Oh what a week! Security Myth #3 delayed...

mikeshaw — Fri, 30 Jul 2004 09:24:00 GMT

This has turned out to be one of those weeks I didn’t plan for and suddenly it’s the Friday before a week’s vacation and I haven’t managed to achieve even half the things I’d hoped, so sadly, Security Myth #3 “Cryptography is too hard” will have to wait another week before I can really give it the time to do it justice.

“Expect the unexpected” they tell you or “plan for the unknown”. Hmmm, I’m neither psychic or good at guessing games. If only I knew that Monday morning would see the demise of my hard disk. It had indicated a few warning signs – the mouse becoming jerky as the CPU got tied up waiting for disk IO to complete. So, ‘run chkdsk’ I thought ‘that will fix these kind of problems’. Alas, on the reboot so the checker could lock the system partition the disk made a tremendous ‘THUNK’ noise and that was it – dead disk.

I replaced the laptop disk with the one from my external USB storage device and started the rebuild, getting back as much backed up data as possible. Fortunately for me, one of my colleagues, Alastair Dick, used to be an engineer at Dell and knows a thing or two about disks. With his help, standing the old disk at an obscure angle and keeping it extra cool I was eventually able to recover much of my lost data – all proving to be a tedious activity.

Ha ha! I can hear the echos on the internet – ‘why didn’t he just restore from his backup?’. Well I have an 80Gig drive – 20Gigs for system and apps, the rest for data – lots of Virtual PC images for all the demos and things I do – how do you easily back up 60Gigs of data from your laptop?

One of those virtual images was critical to the demos I will be giving at an event in Reading on 11^th August. The session I’m responsible for at the event ‘What’s new in Visual Studio .NET 2005’ is on Visual Studio Team System. An impossible task to do justice to the enormity of the product in only 75 minutes!

So sadly my week was not quite what I’d planned and please accept my apologies that Myth #3 will be postponed until I’m back from my vacation in sunnier climes…

Bootable USB memory stick

mikeshaw — Fri, 23 Jul 2004 11:46:00 GMT

For a while now, I’ve had a DOS based BIOS update for an internal DVD-RW drive. The machine in which the drive is installed doesn’t have a DOS boot partition or Floppy drive, making booting into DOS a little tricky. OK, so I could build a bootable CD with MS-DOS or Windows 98 on it, and there are great instructions and tools to do this here.

But, the BIOS upgrade utility will not work when booted from the device it is trying to upgrade … drat! In the absence of any other usable media I decided that I wanted to use a USB memory stick to boot to MS-DOS and then perform the upgrade. After much searching I discovered a very useful utility from HP that will allow you to format a bootable USB memory stick (not just HP’s own devices) without any pain or hassle at all. You can download the utility yourself from HP’s download site here, and my thanks must go to Oliver Aaltonen for his great instructions here if you get stuck.

Despite my delight I could still not boot on my test machine, an HP tc 1100. It turns out that I had overlooked Oliver’s warning about the capabilities of the BIOS. This all important factor is will make all the difference. Your BIOS must explicitly allow booting from a USB floppy or ZIP drive it would appear, and that just booting from a generic USB device is not enough.

Have fun!

[Please note that none of the tools pointed to in this post are supported by me or Microsoft, and that the appropriate licensing is required for any operating systems or other software you use]

Myth # 2: The Internet is full of nice people

mikeshaw — Tue, 20 Jul 2004 11:44:00 GMT

When Windows for Workgroups 3.11 shipped I don’t think anyone believed that over the coming 10 years the number of computers in use would increase more than 10 fold and that almost all of them would, at one time or another, connect to the internet. Back in 1992, everyone on the internet was nice, because if you stood next to someone in the office, then between you would have enough fingers and toes to count everyone that could use their computer to connect to another computer outside of their own company!

The only network that could be used to successfully spread a virus back then was ‘sneaker-net’ and actually physically sharing media, the scourge of the 5 ¼ inch floppy. A few companies tackled this problem by purchasing floppy-disk locks to stop their staff from bringing in games from home which might be accompanied by an unwelcome selection of bits and bytes.

As the internet grew and the .com bubble began to swell, the need for every company to be seen and accessible, at least in online brochure form caused huge pressures to be placed on IT departments. Online strategies became an essential part of company reports and business proposals. The continued business pressure and the demands of home computer users armed with hours of free internet access and free modems, to see more and more images of their favourite products, lead to the realisation that business could actually be done on the internet.

“If you build it, they will come” became the mantra of the mid-nineties. High Street retailers now wanting to sell their products online and capitalise on this new market built e-commerce web sites with a philosophy of ‘we can stand a bit of fraud in our shops, so we can cope with a bit of fraud online too, after all, most people that come to our shops are nice and just come to buy’.

And sure enough, the site was built and the consumers came and purchased and occasionally a stolen credit card was used, but most of the transactions were ‘nice’.

But then one day, Mr Businessman woke up to a news headline “Credit card details published on Web after hack attack” which made him wonder… Perhaps not everyone on the internet is nice. It’s not possible to smile at someone as you hand them their change and wonder if you trust them or not. It’s not possible to video a bank robber coming into an online bank. Attacks from Cyberspace are different….

So, a question for you: How do you install a virus on someone’s computer?

Answer: You send it as an attachment to an email with the subject of ‘ILOVEYOU’

Now, I bet you smiled to yourself when you read that. Steve Riley tells it better than me, but I hope you get the point: a nice person sent you a nice email and before they realised it, thousands of people were infected because they wanted to fulfil that basic human need – to feel loved.

How could something so innocent become so malicious? You recognised the name of the sender as a trustworthy friend. Now that they’ve emailed you a virus, is that trust irrevocably broken? Or will you forgive them because they just did something a bit silly and they had no idea it was a silly thing until it was too late? Double clicking an email attachment was/is an everyday occurrence after all and they had a previously untarnished record of virus free emailing. But it is not the sender you don’t want to trust, but the ethereal virus author. Trust is a strange thing when you begin to look at it and there is an entire spectrum of trust that is, today, quite poorly defined, but more of that in another posting. Here’s a little tale for you:

“Got any old watches or clocks to sell?” asked the man standing in front of me on my doorstep. “Err, no”, I replied a little taken aback by the question. I cast a curious eye up and down the reasonably well presented gentleman in his early fifties and noticed a printed leaflet in his hands identical to the one I had pulled from my letterbox that very morning and discarded without really reading it. The leaflet read ‘Buy-gone Antiques, Instant Cash Paid for Watches and Clocks, Victorian Paintings and Old War Medals (any condition)’.

I turned, “Who was that” my girlfriend inquired as I closed the door and saw the man walk briskly towards my neighbour’s. I put on a gruff London accent, “No old watches or clocks to sell? …. then you must have some new ones you’re keeping hidden…” and we both laughed before returning to our laptops. After a few moments my girlfriend looked up and asked “Do you think he was a burglar?”.

“No, just an enterprising small business man”, but she had made me think. Why didn’t I think that he was trying to rip me off? Was he looking to see if people were out before breaking in, under the disguise of an antiques dealer? Did he hope that I was an old lady to prey upon and give me a pittance for my departed husbands valuable war memorabilia?... Well, I trusted him enough not to break into the house, because he’d left a leaflet with his phone number and address on it. But he could have printed them himself and made up the number and address. You have to wonder just how far someone might go, and given the evidence to hand and the effort required and the risk of exposing himself, I could reasonably trust that he was not surveying the area for robbery potential. I would not, however, trust that man with much else.

We are naturally all quite trusting individuals – its in our nature to believe in people, but on the internet, it is harder to identify people and verify who they are and what their intentions are, so some good approaches are available to minimise the amount of exposure and it is well worth thinking about this as you build any computer system.

Secure by Design, Secure by Default and Secure in Deployment. Of course, these principles translate to quite a few practical activities, so I’ve listed three of my favourites below:

1) Build a Threat model – no excuses, JFDI – Just Do It!

2) Run your code with least privilege. This doesn’t only mean the account that is executing the code only has the permissions necessary to carry out its task, but also in the age of .NET, application code itself can be restricted in the permissions it is granted. Currently this is a bit tricky to determine what permissions are actually required by a .NET application, but the permcalc application in Whidbey (sorry, Visual Studio .NET 2005) makes this a whole lot easier! Things get even better in Longhorn.

3) Never trust any input.

Resist the natural urge to trust the people that are using your application, be they within your organisation or on the internet, make security a part of your whole software development lifecycle and, in the words of Andy Grove “only the paranoid survive”.

I think Myth #3 will get a bit more technical as it will be title “Cryptography is just too hard”

Mike

ISA Server 2004 has shipped (last week)!

mikeshaw — Wed, 14 Jul 2004 15:18:00 GMT

Well I must have blinked because I missed it first time around. I, along with many others, found ISA Server 2000 a bit tricky to configure and the product team have done a great job in making ISA Server 2004 much, much easier. But not only that, there is a plethora of new features that made me wonder what on earth was in the previous version! Click here to see the list of what’s new.

Product Info: http://www.microsoft.com/isaserver/

Eval download: http://www.microsoft.com/isaserver/evaluation/trial/

If you’re running on Windows Server 2003, then you can download a tool to turn ISA Server 2004 into a Remote Quarantine Server (RQS). To do this you need the Windows Server 2003 Resource Kit and the updated RSQ.exe file.

One little gotcha that had me was that when upgrading from ISA Server 2000 to 2004, the migration wizard will only work if you have installed ISA Server 2000 SP1 or later first! Oops, I didn’t realize they were available L here, and I had hoped that MBSA 1.2 would have informed me of this short-coming… Oh well, I’ll never make a SysAdmin.

I seem to have missed a lot about ISA… I wonder is I’m alone in this?

Steps for client certificate mapping to AD accounts using IIS 6.0

mikeshaw — Wed, 14 Jul 2004 14:16:00 GMT

Just a really quick entry because this had been bugging me on the back burner for a while now. How do you set up IIS 6.0 to do the certificate to user mapping for Authentication again Active Directory in Windows Server 2003. All of these sorts of infrastructure things are always a bit odd for me, coming from a developer background.

All the information is out there on how to do this, but it’s usually shrouded in a ton of other information making it difficult to find the 3 steps you actually need to make things just work. So, what are those steps:

1) Enable Active Directory name mapping for certificates, and don’t forget that the certificates you need to use must be suitable for client authentication.

2) In IIS 6.0, enable the Windows directory Service mapper

3) On the web virtual directory you want to use mapping, enable certificates as an acceptable form of authentication on the properties tab. If mapped certificates is going to be the only way you will access the site, then you can actually turn off all other forms of authentication. In the secure communication directory setting, you need to accept certificates and simply click the ‘Enable client certificate mapping’ but don’t bother changing anything under the ‘Edit…’ button or changing any options there.

This is pretty much all in this document, but there are too many steps for this little thing when I wanted just to do some testing!

I’ve not mentioned some of the periphery things that you need to make this happen like SSL, Auto enrolment for certificates (if you want it), certificate trust lists etc etc but the above are the crucial nugggets to make sure it works.

It’s cool and it worked for me in the end ;-)

.NET Framework Service Pack Tech Preview's Available for Download

mikeshaw — Wed, 14 Jul 2004 10:11:00 GMT

Well, I bet I’m not the first to blog about the .NET Service Pack Technology Preview’s availability since they wer released two weeks ago. These service packs have about 140 changes, including a roll-up of the framework hotfixes, some improvements to the WSDL importing and, and the reason I’m blogging this, are 2 security related areas: Data Execution Prevention (DEP) and Buffer Overrun protection. So there are lots of fixes and changes, some in preparation for Windows XP SP2.

My one word of caution before installing is to note that you can’t uninstall these babies! So my advice would be to use a Virtual PC or other test machine (if you want to test the Data Execution Prevention then you’ll need the appropriate hardware) and enjoy!

You can get your copy of the Technology Preview bits here http://msdn.microsoft.com/netframework/downloads/updates/sptechpreview/default.aspx along with all the detail about the changes and revisions that have been made.

Please feedback at http://communities.microsoft.com/newsgroups/default.asp?icp=techpreview&slcid=us to help us get it right for you!