Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.

March 2005 - Posts

As you may know, the long awaited Windows Server 2003 SP1 has finally reached RTM. Here is some technical information, and a Top Ten feature list [links found by way of Sam].

I didn't get to play with the betas that much for this product, so this was my first real exposure. I decided to install it on a couple of virtual servers I have running on my main development server. In both cases, I can access the virtual servers either through the Virtual Server Administration web pages or through Remote Desktop. Installation on both servers worked without flaw, but I noticed it locked down nearly every port, including Remote Desktop! The one port it leaves open is the port used by the Security Configuration Wizard (which you still have to manually install). So, if you are installing this over a Remote Desktop connection, you may find after you reboot that you are no longer able to access your machine. I am sure there must be a workaround for this, but I don't know what it is at the moment.

One nice feature is that when the Service Pack has been installed, all the previous hotfixes are removed from the "Add/Remove" window (since SP1 rolls them all in, the "uninstall" operations for hotfixes are no longer needed, but I don't remember other Service Packs removing those previous ones for you like this one did).

I started to run the SCW, but backed off as I want to put a couple of other bits of software on the servers before locking it down completely. So far, except for the Remote Desktop issue, I am very impressed.

I noticed over the last couple of days my "Writing Secure Plug-in Applications in .NET" session is listed for VSLive! Boston. This talk is similar to what I did at Win-Dev 2004, describing CLR Hosting, secure plug-in design and development, and other updated information specifically for .NET 2.0.

There is an MSDN TV overview of writing partially trusted applications with ASP.NET [found by way of Dominick Baier].

Posted by RHurlbut

My friend Kevin Hegg mentioned this link to me on Friday, but it wasn't live yet. But, it is now: Michael Howard mentions its "live" status at http://msdn.microsoft.com/security/sdl which forwards you to this link for the above document.

This looks to be a great start on some guidelines for creating secure software. Some key takeaways:

There are three facets to building more secure software: repeatable process, engineer education, and metrics and accountability. This document focuses on the repeatable process aspect of the SDL, although it does discuss engineer education and provide some overall metrics that show the impact to date of application of a subset of the SDL.

If Microsoft's experience is a guide, adoption of the SDL by other organizations should not add unreasonable costs to software development. In Microsoft's experience, the benefits of providing more secure software (e.g., fewer patches, more satisfied customers) outweigh the costs.

The SDL involves modifying a software development organization's processes by integrating measures that lead to improved software security. This document summarizes those measures and describes the way that they are integrated into a typical software development lifecycle. The intention of these modifications is not to totally overhaul the process, but rather to add well-defined security checkpoints and security deliverables.

Take a look, and happy reading!

Posted by RHurlbut | 1 comment(s)

(Cross-posted)

Have you tried installing SQL Server 2005 yet? If so, how did it go for you?

There is a survey the SQL Server team would like you to fill out:

The Yukon setup team is looking for feedback related to your setup and installation experience. They've set up a survey that asks for a few demographics as well as your experience and any issues with the setup of the Betas or CTPs.

They are looking for error messages as well as your impressions, so if possible, do an install and take the survey soon afterwards. Save your errors, jot some notes, etc., while installing SQL Server 2005.

If you want to help improve the setup process and spare some others the pain of problems, please take a few minutes to complete the survey. This data is very important to the survey team to capture and help improve the user experience.

I already filled out the survey -- everything was pretty smooth for me in my VPC install in a Windows XP SP2 environment. I do have some security related questions that I have posed directly to the SQL Server security team that I am hoping to get answered soon -- some "gotchas" I found that seemed odd.

As I dig into this more, I am hoping to post information on my SQL Server blog regarding SQL Server 2005 Security. Stay tuned.

Posted by RHurlbut

I got my Avalon and Indigo CTPs installed without any problems as I already went through the pains of setting everything up last weekend for Code Camp III. I have been reading through the docs (all live) and sample information, but this is definitely going to be weekend playtime for me (not quite up to the level of Clemens, but fun regardless).

Looking around the blogs, Jean-Luc has some great links to get started:

If you want to play with the March 2005 "Avalon" and "Indigo" Community Technology Preview, head on right over to the MSDN Subscriber downloads website (FYI, the .iso file is 444 MB). You have a few options once it's installed - you can try coding everything command line like Sam Gentile. Or opt to use the February CTP of Visual Studio 2005.

Next, you need documentation. A really good place to get started for all things Indigo is the Longhorn Developer Centre. David Chappell has written a really nice primer to get your head wrapped around the new concepts. Then head on over to the FTPOnline website for Indigo webcasts from VSLive! (I'd highly recommend looking at the Steve Swartz/Don Box webcast with a soup to nuts overview of Indigo. Don also has a very informative weblog with great tidbits of Indigo here and there).

Speaking of Sam, he also posted a great New England event coming up in April regarding Indigo:

"Got Indigo?" Developing Applications using Indigo and .NET

Wednesday, April 27 9:00 AM - 4:30 PM

Microsoft Waltham

Register Now

Special Key Note by David Chappell

Indigo is the code name for Microsoft's new foundation for distributed computing and service-oriented applications. Join us for a day-long dive into Indigo using the Community Technology Preview. This developer-focused day provides an introduction to Indigo, describing what it is, how it works, and how it fits with existing technologies like ASP.NET web services, .NET Remoting, and Enterprise Services. While some familiarity with .NET is assumed, the target audience includes anybody who's interested in how software development will look in the coming service-oriented world.

We both received this email from Thom Robbins who is organizing the local event (in his usual excellent way, as he does with the Code Camps). I replied back to Thom: "Nice! 'Got Speakers?' :)" Thom mentioned this will be all Microsoft speakers as this is too new at the moment. Sounds like an exciting event!

As Brad Abrams mentions:

I am super excited about the first CTP of Avalon and Indigo that work nicely together. And check that out – we beat the March 38th date Rudder promised at VSLive! Do we get a bonus for that ;-)

These bits work on top of the latest VS 2005 CTP and include some nice project system support in the SDK. I can't wait to see what kind of apps you build with these bits… Have a blast!

That's great! I will be able to load it directly into my already running Feb CTP VPC slice! Here is more info.

Posted by RHurlbut

As I mentioned in my last post, I had a lot of fun speaking at Code Camp III: The Madness.

The conference began with a blizzard making it difficult to drive in (as my friend Dave Burke experienced). Even with the bad weather, there were still 300+ people in attendance!

I spent most of last week trying to get the February CTP 3 bits downloaded and installed into my Virtual PC slice through various starts and restarts of the downloading process. When I arrived home on Friday night, I noticed I had a DVD in the mail -- would have been nice to have earlier. :) Checking my demos on Friday night, I thought I was having problems, and so re-installed VS 2005 on my way in to the conference. When I got to the conference, nothing worked! I tried to install VS 2005 one more time, and even though it said the install failed, everything fired up. Whew!

All the talks went well, but I had a tough time working with the new ASP.NET 2.0 security controls in the Security for ASP.NET 2.0 talk. The controls were fine, but as I walked through setting up a simple login site, I found some odd quirks. One interesting item is that I can develop and debug as a non-administrator now with VS 2005, but there is no easy way to fire up the ASP.NET Configuration tool from the IDE if you are running as non-administrator (no "run-as"). I can fire up an admin browser session to the configurator, but it kept timing out on me. Although I had to go through a few hoops, some people liked seeing that as they have had their own share of struggles getting things to work.

I have placed the slides and code (some sessions don't have code at the moment as I will be adding that later) on my SecureDevelop code site. If you have any problems with the slides or code, please let me know.

I had some great questions and comments in the sessions that have given me some ideas for new talks and/or articles. One big highlight for me was having a few people come up and say they not only appreciated the material but thanked me for taking time out from my weekend to come present the talks. I, for one, enjoy opportunities like this but that remark really made my day!

Last night ended a series of talks I gave last week in a couple of locations. Last Wednesday, I enjoyed speaking to the Connecticut Access User Group on Security, and I had a great time this weekend delivering four talks at Code Camp III on Security and SQL Server 2005 topics. I was going to speak at the Rhode Island .NET Users Group on Thursday night, but it was postponed again (maybe I will get to speak there someday!).

I will talk more about Code Camp experiences in another post, but I wanted to post this quick follow-up to one of my most popular talks: Penetration Testing of ASP.NET Web Applications (it was so popular that we had to move from the smaller room we were originally in to a much larger room just to accommodate all the people -- and then it was standing room only in some spots!).

One question that was posed was: how do you detect whether a network sniffer is running on your network? I am not sure, as I haven't set up any tools to do that, but a network person afterward indicated it is very, very difficult, if not impossible, to detect. I just noticed this post by Tim Rains (Microsoft) on just such a proposed tool:

Do you know whether your Windows system is sniffing network traffic off the network without your knowledge?

This type of passive attack can be very difficult to detect. There are numerous third-party tools that try to detect network sniffers running on the network by looking for signs of systems with network interfaces running in "promiscuous mode." Since many of these tools use network-based detection techniques that rely on bugs in operating systems and/or specific sniffer behavior, they can generate false positive and false negative results.

I have developed a tool that can detect managed Windows systems that have network interfaces running in promiscuous mode – a key indicator that a network sniffer is running on the system. I use a host-based detection technique instead of a network-based detection technique in order to make this tool as accurate as possible.

This looks very interesting, and I am looking forward to testing the capabilities.
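As an added illustration of the host-based approach Tim Rains describes (this is not his tool, and it targets Linux rather than Windows, where the kernel exposes the same indicator), the snippet below reads each interface's flag word from sysfs and checks the IFF_PROMISC bit, and also replays constructed kernel log lines that record interfaces entering and leaving promiscuous mode:

```python
"""Host-based promiscuous-mode check for Linux (added illustration, not Tim Rains's tool)."""
import os
import re

IFF_PROMISC = 0x100  # flag bit set while an interface is in promiscuous mode

# The kernel logs these messages when a sniffer turns promiscuous mode on or off.
PROMISC_RE = re.compile(r"device (?P<iface>\S+) (?P<change>entered|left) promiscuous mode")

# Constructed sample log lines, not captured from a real host.
SAMPLE_LOG = [
    "2005-03-20T09:15:02 host kernel: device eth0 entered promiscuous mode",
    "2005-03-20T09:15:03 host kernel: eth0: link up",
    "2005-03-20T09:20:44 host kernel: device eth0 left promiscuous mode",
    "2005-03-20T10:02:11 host kernel: device eth1 entered promiscuous mode",
]

def promiscuous_from_flags(flags_by_iface):
    """Interfaces whose flag word (hex string from /sys/class/net/<iface>/flags,
    e.g. {"eth0": "0x1103"}) has IFF_PROMISC set."""
    return sorted(name for name, word in flags_by_iface.items()
                  if int(word, 16) & IFF_PROMISC)

def read_sysfs_flags(root="/sys/class/net"):
    """Current flag word of every interface on this host; empty when sysfs is absent."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read().strip()
        except OSError:
            continue  # e.g. a virtual device without a flags file
    return flags

def promiscuous_from_log(lines):
    """Replay kernel log lines; return {iface: timestamp} for interfaces that
    entered promiscuous mode and have not left it since."""
    active = {}
    for line in lines:
        match = PROMISC_RE.search(line)
        if not match:
            continue
        if match.group("change") == "entered":
            active[match.group("iface")] = line.split(" ", 1)[0]  # leading timestamp
        else:
            active.pop(match.group("iface"), None)
    return active
```

On a live host, `promiscuous_from_flags(read_sysfs_flags())` lists the interfaces currently in promiscuous mode, while running `promiscuous_from_log` over the kernel log adds when each one entered that state.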

I submitted one of the first TechEd Birds of a Feather (BoF) sessions on this topic:

Developing software as a non-administrator

We have all heard we shouldn't run as administrator on our computers. But, how do you develop software as a non-administrator (i.e. normal/limited user)? It really is a lifestyle change. This interactive talk will discuss techniques and reasons for developing as a non-administrator, as well as problems, solutions, and experiences developers have encountered as they have tried to develop software as a non-administrator.

I just noticed Keith Brown has also submitted some other great security BoF topics (Writing Secure Code, Writing partially trusted code). Be sure to vote for these and other favorites here.

Posted by RHurlbut