jorkeo - hosting geek : .net

Partial Trust MVC, LINQ and OLE/ODBC Providers

jorkeo — Tue, 09 Sep 2008 07:22:40 GMT

So if you're a hosting provider or even just developer, you'll be running your applications in Medium trust when on the Internet, right? suuurree... Well you really should..

Anyway a couple people have noticed some issues running LINQ in their hosted environments under the "Medium" trust level. If this is your issue, then you'll need to update your trust config file with with the following (remembering to install asp.net 3.5 first..) :

In the SecurityClasses element, make sure it's set to the following:

<SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

Then dig about for the "ASP.net" PermissionSet element and set the following:

<IPermission class="ReflectionPermission" version="1" Flags="RestrictedMemberAccess" />

A few people also have asked about getting OLE/ODBC providers for the likes of MS Access to work, weelllll this has been around since ASP.NET 2.0 was released - and basically the same story as above:

Set the SecurityClass element:

<SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

and set the IPermission in the PermissionSet

<IPermission class="OleDbPermission" version="1" Unrestricted="true"/>

That should fix the LINQ and OLE/ODBC issue. All I can say for MVC, at this stage its still waiting a couple of updates to allow partial trust. Keep an eye out on Scottgu blog and you should see something soon.

-jorke

Technorati Tags: ASP.NET,mvc,linq,partial trust,trust,cas

Hacked Web Applications causing storm - rattling Windows...

jorkeo — Mon, 28 Apr 2008 16:01:35 GMT

For the past few days a "Cyber attack" has been taking place and according to internetnews.com :

"number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000"

and f-secure :

"Performing a Google search results in over 510,000 modified pages."

Without pointing out the reporting inconsistencies between servers and pages .... what is actually happening here..

First of all its not at all related to the security advisory that was released last week. Nor is it in fact related to any other security issue with IIS, ASP, ASP.NET or Windows. It's really important to understand that, its all to do with dodgy and insecure development practices.

Well very simply put its an age old SQL injection attack on a web site that modifies the return code adding a hidden link to a site that downloads malware to client viewing the web page. Nothing new technology wise here, just a new method of delivery - which really should not affect those who have kept their machines up-to-date.

In this case the attackers have chosen to target ASP/ASPX based web sites that have poorly written validation methods and deliver their code via a database content management system. The result being that pages on the site will return a hidden script tag that directs to one of the sites listed in the earlier articles - which picks on particular vulnerabilities available on the client machine, not just those related to software developed by Microsoft either.

Well that's all very nice you say - but "How do I protect myself against these kind of attacks?".

The way I see it, there are three areas of responsibility where lies the ability to protect the world against those few malicious people.

1. The Developer - FIX YOUR BROKEN CODE! Seriously - check your code for possible attack vectors and test, test test. I've seen heaps of web sites and web servers compromised due to poorly written or no validation checking. Incorrect security settings deploying to high risk environments. Don't always assume you know who is going to access your app. Don't assume that app will exist with everything local to it. Catch those errors - I could go on. There is heaps of guidance around this - here is a few to start you off:

2.The Client - Keep your machine up-to-date - as Coatsy says "go to update.microsoft.com and Download the golden padlock of goodness" from Microsoft Update.

3. The System Admin / Hoster / Guy who has to run the web server - Hey I sympathise with you most (of course I would!) You have to get a site with poorly written code up and running, and now what? you have to check the thing isn't going to compromise your server? but of course the code supplied doesn't work in your standard low security settings to you need to bend the rules to allow that code to work.. Be Strong!

But you may have been too late, and you have to clean this mess up on your server - how are you going to prevent this malicious code being delivered to and from your server, while keeping everything up and running?

Stop the attack coming in

If you are using IIS7 or URLScan on IIS6.0/5.1 you can filter the request to prevent the incoming attacks. In IIS7 This is what the configuration string looks like in your server wide applicationhost.config file (based on the info in articles):

Stop it going out

This is a little trickier, but due to the awesome modularity of IIS7 (only going to look at this) you can very easily write a module that can look in all the requests scan for the URL sequence in the response and send it to null. More information on doing this is at the IIS.NET website. Hey, if I get enough comments I'll write one and post it up here!

Done and Dusted

What we all need to remember about these kind of attacks is that vulnerability in the web sites being targeted are not limited to just a particular operating system platform. SQL Injection attacks is rampant in many platform agnostic applications and its such a simple thing to prevent.

As you have probably guessed I'm pretty passionate about this subject, and when I see such misguided reports and irrational reactions to incorrect or misunderstood information, it inspires me to ensure that the truth of the issue is available. Speaking personally; In my short time at Microsoft, I have never seen such commitment behind ensuring that the Windows Operating System is the most versatile and secure operating system on earth.

- jorke

Note: Graphics "borrowed" from Microsoft Japan Security Bulletins

Technorati Tags: SQL Injection,Security Vunerability,IIS,Windows,Microsoft

Source Code for .NET libraries released

jorkeo — Fri, 05 Oct 2007 07:14:54 GMT

via Scottgu

Now this is definitely a step in the right direction!

- jorke

Dynamics Dev Sessions

jorkeo — Fri, 05 Oct 2007 05:12:15 GMT

Shout out for Dave Lemphers who's running Dynamics Dev days with what looks like a scorching agenda.

In Dave's words:

"No marketing fluff, no sales spiels, no PowerPoint (I've ditched that in favor of good ole' fashioned flip charts! and talkin'). Just honest, hardworking info on how to build solutions using Visual Studio, .NET and Dynamics... like mamma used to make!

So to kick things off this month, I'll be demonstrating how to use Dynamics NAV 5.0 as an ERP platform base to build a asset tracking app that has a WPF admin component, ASP.NET AJAX with Virtual Earth tracking component, and Windows Mobile 6 notification component. Hot damn!"

Go to Dave's post for more details.

Initially in Sydney and Melbourne only, but hopefully the content will be recorded for all to see.

-jorke

Technorati Tags: .net , dynamics , titan , crm