Archives
-
[Bookmarklet] Copy text with links
Someone contacted me through my blog and asked if I knew of an IE add-in that would copy page text with expanded URLs, so Google becomes [Google](www.google.com).
-
[Tech-Ed] One of the best values at Tech-Ed (even if you're not an attendee)...
The hidden gem at Tech-Ed is the Microsoft booths in the Exhibit Hall.
-
[Tech-Ed] DEV320 Visual C# Best Practices: What's Wrong With this Code?
Good presentation - disguised a best practices talk as a quiz to keep it interesting. Much tougher to spot the problems than to nod along with bullet points about writing good code.
-
[Tech-Ed] WIN321 Running IIS Web Farms: Tips and Tricks
I attended WIN321 Running IIS Web Farms: Tips and Tricks Monday. The slides are online here [updated], but here are some high points:
-
[Tech-Ed] BOF RSS Without the Blog
(don't worry, I'm not going to be able to attend that much of Tech-Ed so I'm not going to be blogging every single session)
-
[Tech-Ed] BOF - Code Generation
Scott Hanselman led a BOF on Code Generation. I agree with Andres - there was a lot of discussion on business rules definition, which was interesting but I think took away from more common uses of codegen.
-
TITLE tags for hyperlinks - little datagrid usability thing
[updated based on feedback from Rick and Fabrice]
-
It's a Tech-Ed miracle (for me, anyhow)!
It's like a scene out of a Christmas special. Looks like I've got a last minute opportunity to attend at least bits and pieces of Tech-Ed.
-
Online Book - A .net developer's guide to Windows security
I "google stumbled" onto an amazing online book by Keith Brown - "A .NET Developer's Guide to Windows Security". The whole (in progress) book, including some sample code, is available online. There's even an RSS feed with updates.
-
[SQL] Cannot perform an aggregate function on an expression containing an aggregate or a subquery.
Problem:
-
Windows Orchestration Engine in Longhorn
AWARE THAT many people are beginning to give up hope of ever seeing a new version of Windows, Microsoft is continuing to send its spinsters waxing lyrical about what it will contain when it arrives. The latest prediction that the Redmond sleeping giant has ‘leaked’ to CNET is that it wants to embed core orchestration and workflow into Longhorn. New workflow and orchestration technology, called the Windows Orchestration Engine will be ready for the Longhorn/Orcas time frame.
CNET quoted Bob Muglia, senior VP at Microsoft's Windows Server Division, who confirmed that work was under way. "Stay tuned," he told them showing his remarkable ability to pun in the face of tough questions from CNET hacks.
[NeoWin]
WOE seems like an unfortunate acronym.
Almost as bad as the Children's Hospital Of Philadelphia.
-
NeoWin RSS 2.0 Feed
NeoWin's RDF feed is pretty lame if you're used to RSS 2.0: http://www.neowin.net/backend.php?page=main
-
Tech-Ed San Diego - So close, so far
Despite the fact that I live in San Diego, I'm not able to go to Tech-Ed[1]. As an hourly perma-temp, I can't afford the double hit of Tech-Ed registration and a week off from work. Drat.
-
Enterprise Connection String Management in ASP.NET - Best Practice?
This is mainly a problem statement - it lists some solutions, but all have some pretty big downsides. I'd really like to find a good solution to this, so please comment if you have anything to add.

There are some significant problems with keeping connection strings that use SQL Server Authentication in ASP.NET web.config files. Here are a few:

1. Security - Both username and password are stored in plain text (associated with the server), so if the web.config file is compromised a hacker has the keys to the database. Config files are associated with the HttpForbiddenHandler, which mitigates the risk of hackers getting to web.config files, but only via HTTP.
2. Control - Keeping login information in web.config files makes it difficult to control developer access to production databases, since developers will likely view web.config files during production support activities or in source control.
3. Administration - Keeping login information in individual files on a per application / per webserver basis makes changing passwords (including regular password rotation) difficult.

Trusted Connections (using Windows Authentication rather than SQL Server Authentication) seem to offer a better solution - connection strings don't contain login information, and centralized account maintenance of Windows accounts is well defined and supported. Trusted connections don't send credentials over the network, so they're much more secure. Several Microsoft security articles propose this approach:

However, this approach sounds like it works better in theory than in practice when it comes to ASP.NET applications. While the network communications are more secure, using Trusted Connections requires changes that make the ASP.NET application less secure.

There are two methods available for connecting to a database server with Windows Authentication - Domain Accounts and Mirrored Accounts.

Trusted Connection cons (both domain account and mirrored account):
1. Impersonation still requires putting a password in a config file (machine.config and web.config), so we've got passwords in plain text again. It is possible to encrypt the impersonation identity and to store it in the registry, but this complicates administration. [1]
2. Impersonation requires a little more setup on the webservers - the impersonated account needs write permissions on several folders (good info here). Also, upgrading .NET versions doesn't migrate machine.config information (why?), so there is additional work / risk when upgrading .NET versions.
3. Impersonation in ASP.NET complicates matters a bit. I've run into some unrelated issues with ASP.NET impersonation in the past that indicate it's a bit of a frontier.

Domain Account cons:
1. Security issues have been mentioned with running the IIS user as a user that is a member of a domain.

Mirrored Account cons:
1. Difficult to change passwords, need to edit web.config / machine.config on multiple webservers.

Much more discussion here:
Alex Chang's blog: How to use Trusted Connection when SQL server and web Server are on two separate machines.
Barry Dorrans' blog: Using sql trusted Connections with asp.net

1. Difficult to change passwords, need to edit registry on multiple webservers. [1 again]

Custom encryption of Connection Strings in web.config cons:
1. Makes management of multiple servers (password rotation, etc.) more difficult.
2. Custom or homegrown solution - may not be supported, may not be secure, etc.

Centralized Connection String Management solution:
A central service provides applications their connection string (and possibly other configuration data) in an encrypted format. Applications would use a common component to access and decrypt the information.

Centralized Connection String Management cons:
1. "Crown Jewels" - if that system's compromised, all databases are exposed.
2. Key management issues to do secure communications with the central server.
3. Single point of failure for all applications.
4. Homegrown security solutions are likely to be insecure, and quickly turn into legacy systems that make upgrading difficult.

Domain Accounts with Trusted Connections seem the best approach (if the security issue is not such an issue), with the impersonation account stored in the registry. Microsoft documentation / recommendations kind of lay out the options but don't indicate a preferred method. It would be great to have some general guidance on how to manage database connections in an enterprise web environment.

It would also be great if impersonation were a bit more transparent - changing an encrypted registry setting is a bit complex. Changing the account an IIS Application runs under is as simple as logging into Windows; impersonation should work the same.

Visual Studio 2005 has a Connection String Manager in the IIS MMC that interfaces with web.config and supports encryption, but that's a ways off.

Comments? Guidance? What's worked for you? WWMD (What would Microsoft do)?
-
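As an added audit check (not code from the original post), this Python script parses a web.config and reports which connection strings embed a SQL Server login and password in plain text versus which rely on a trusted connection, covering both the .NET 1.1 appSettings convention and the .NET 2.0 connectionStrings section; the config contents, server names and credentials are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.config (not from the page): .NET 1.1 kept connection
# strings in appSettings; .NET 2.0 added the connectionStrings section.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="OrdersDb" value="Server=dbsrv01;Database=Orders;User ID=webapp;Password=Summer2004!" />
    <add key="PageSize" value="25" />
  </appSettings>
  <connectionStrings>
    <add name="ReportsDb" connectionString="Server=dbsrv01;Database=Reports;uid=reports;pwd=s3cret" />
    <add name="HrDb" connectionString="Server=dbsrv02;Database=HR;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>
"""

CREDENTIAL_KEYS = {"user id", "uid", "password", "pwd"}  # SqlClient accepts both spellings
TRUSTED_KEYS = {"integrated security", "trusted_connection"}

def parse_connection_string(value):
    # "Key=Value;Key=Value" -> dict with lower-cased keys; non key=value segments are ignored
    parts = {}
    for segment in value.split(";"):
        key, sep, val = segment.partition("=")
        if sep:
            parts[key.strip().lower()] = val.strip()
    return parts

def classify(value):
    # "trusted" = Windows authentication, "sql_auth" = login and password embedded
    # in the string, "unknown" = not a recognisable connection string
    parts = parse_connection_string(value)
    if any(parts.get(k, "").lower() in {"sspi", "true", "yes"} for k in TRUSTED_KEYS):
        return "trusted"
    if parts.keys() & CREDENTIAL_KEYS:
        return "sql_auth"
    return "unknown"

def audit_web_config(xml_text):
    # Map each connection string name to its classification. appSettings entries
    # are reported only when they look like a connection string.
    root = ET.fromstring(xml_text)
    findings = {}
    for add in root.iterfind("./appSettings/add"):
        kind = classify(add.get("value", ""))
        if kind != "unknown":
            findings[add.get("key")] = kind
    for add in root.iterfind("./connectionStrings/add"):
        findings[add.get("name")] = classify(add.get("connectionString", ""))
    return findings
```

Running audit_web_config over each web.config on a web farm gives a quick inventory of where SQL logins are still sitting in plain text before a password rotation.
-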
[Tool] Document Examiner for IE
Document Examiner (download) is a right-click add-in for IE that allows browsing the DOM and updating it on the fly, like the DOM Inspector that's built into Firefox.
-
SQL used for evil
Yikes. I heard about a website being hacked, probably via SQL injection. This trigger was added: