jorkeo - hosting geek : ASP.NET

Developers Developers Developers – Steve Ballmer in Australia

jorkeo — Mon, 27 Oct 2008 03:21:00 GMT

As part of a whirlwind visit to Sydney early next month, Steve Ballmer will be presenting Microsoft's future vision for developers in the world of software-plus-services. He'll discuss the next wave of technologies just launched at the Professional Developer Conference. There will also be a live Q&A session with Steve.

Immediately following Steve’s session, we’ll drill into the Software + Services vision even deeper with Microsoft Directors Gianpaolo Carraro and Tim Sneath, delivering sessions on “Understanding Cloud Computing” and “Amazing Software Experiences for Windows and the Web”. Although all the seats at the Sydney event are gone, we’ll be streaming live and a number of user groups are running events around the country to get together and watch the stream.

Watch the stream from here : http://www.microsoft.com.au/powertodevelopers/

Or if you are in Brisbane, watch it locally at the Queensland MSDN User Group

-jorke

Technorati Tags: Steve Baller,Power to Developers,Microsoft,Azure,Cloud

Partial Trust MVC, LINQ and OLE/ODBC Providers

jorkeo — Tue, 09 Sep 2008 07:22:40 GMT

So if you're a hosting provider or even just developer, you'll be running your applications in Medium trust when on the Internet, right? suuurree... Well you really should..

Anyway a couple people have noticed some issues running LINQ in their hosted environments under the "Medium" trust level. If this is your issue, then you'll need to update your trust config file with with the following (remembering to install asp.net 3.5 first..) :

In the SecurityClasses element, make sure it's set to the following:

<SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

Then dig about for the "ASP.net" PermissionSet element and set the following:

<IPermission class="ReflectionPermission" version="1" Flags="RestrictedMemberAccess" />

A few people also have asked about getting OLE/ODBC providers for the likes of MS Access to work, weelllll this has been around since ASP.NET 2.0 was released - and basically the same story as above:

Set the SecurityClass element:

<SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

and set the IPermission in the PermissionSet

<IPermission class="OleDbPermission" version="1" Unrestricted="true"/>

That should fix the LINQ and OLE/ODBC issue. All I can say for MVC, at this stage its still waiting a couple of updates to allow partial trust. Keep an eye out on Scottgu blog and you should see something soon.

-jorke

Technorati Tags: ASP.NET,mvc,linq,partial trust,trust,cas

Hacked Web Applications causing storm - rattling Windows...

jorkeo — Mon, 28 Apr 2008 16:01:35 GMT

For the past few days a "Cyber attack" has been taking place and according to internetnews.com :

"number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000"

and f-secure :

"Performing a Google search results in over 510,000 modified pages."

Without pointing out the reporting inconsistencies between servers and pages .... what is actually happening here..

First of all its not at all related to the security advisory that was released last week. Nor is it in fact related to any other security issue with IIS, ASP, ASP.NET or Windows. It's really important to understand that, its all to do with dodgy and insecure development practices.

Well very simply put its an age old SQL injection attack on a web site that modifies the return code adding a hidden link to a site that downloads malware to client viewing the web page. Nothing new technology wise here, just a new method of delivery - which really should not affect those who have kept their machines up-to-date.

In this case the attackers have chosen to target ASP/ASPX based web sites that have poorly written validation methods and deliver their code via a database content management system. The result being that pages on the site will return a hidden script tag that directs to one of the sites listed in the earlier articles - which picks on particular vulnerabilities available on the client machine, not just those related to software developed by Microsoft either.

Well that's all very nice you say - but "How do I protect myself against these kind of attacks?".

The way I see it, there are three areas of responsibility where lies the ability to protect the world against those few malicious people.

1. The Developer - FIX YOUR BROKEN CODE! Seriously - check your code for possible attack vectors and test, test test. I've seen heaps of web sites and web servers compromised due to poorly written or no validation checking. Incorrect security settings deploying to high risk environments. Don't always assume you know who is going to access your app. Don't assume that app will exist with everything local to it. Catch those errors - I could go on. There is heaps of guidance around this - here is a few to start you off:

2.The Client - Keep your machine up-to-date - as Coatsy says "go to update.microsoft.com and Download the golden padlock of goodness" from Microsoft Update.

3. The System Admin / Hoster / Guy who has to run the web server - Hey I sympathise with you most (of course I would!) You have to get a site with poorly written code up and running, and now what? you have to check the thing isn't going to compromise your server? but of course the code supplied doesn't work in your standard low security settings to you need to bend the rules to allow that code to work.. Be Strong!

But you may have been too late, and you have to clean this mess up on your server - how are you going to prevent this malicious code being delivered to and from your server, while keeping everything up and running?

Stop the attack coming in

If you are using IIS7 or URLScan on IIS6.0/5.1 you can filter the request to prevent the incoming attacks. In IIS7 This is what the configuration string looks like in your server wide applicationhost.config file (based on the info in articles):

Stop it going out

This is a little trickier, but due to the awesome modularity of IIS7 (only going to look at this) you can very easily write a module that can look in all the requests scan for the URL sequence in the response and send it to null. More information on doing this is at the IIS.NET website. Hey, if I get enough comments I'll write one and post it up here!

Done and Dusted

What we all need to remember about these kind of attacks is that vulnerability in the web sites being targeted are not limited to just a particular operating system platform. SQL Injection attacks is rampant in many platform agnostic applications and its such a simple thing to prevent.

As you have probably guessed I'm pretty passionate about this subject, and when I see such misguided reports and irrational reactions to incorrect or misunderstood information, it inspires me to ensure that the truth of the issue is available. Speaking personally; In my short time at Microsoft, I have never seen such commitment behind ensuring that the Windows Operating System is the most versatile and secure operating system on earth.

- jorke

Note: Graphics "borrowed" from Microsoft Japan Security Bulletins

Technorati Tags: SQL Injection,Security Vunerability,IIS,Windows,Microsoft

Potential Security Vulnerability for NetworkService / potential new IIS exploit

jorkeo — Fri, 18 Apr 2008 11:25:39 GMT

Important heads up with regards to a potential privilege escalation issue when running under NetworkService – which we all know is the IIS default.... But also note that it requires native code or full trust .NET.

Hosting Providers with Shared Hosting configurations should pay careful attention to this and ensure that they are running a customised version of medium trust at the very least - http://msdn2.microsoft.com/en-us/library/ms998341.aspx. Also be wary of any custom ISAPI extensions - i.e do a code review.

High level summary:

Processes running under Network Service identity can elevate to Local System on XP, Win2k3, Vista and Win2k8. Additionally, on Win2k3 any process running with an identity that has SeImpersonatePrivilege can elevate to Local System, and this privilege is required by IIS worker process identity. The Elevation of Privilege requires running native user code or full-trust managed code.

Our guidance is of course to move your app move WPI away from NetworkService to a windows account. Additionally on Win2k3, our guidance includes disabling Distributed Transaction Coordinator service (to close the hole where any identity with SeImpersonatePrivilege can elevate).

More information here: http://www.microsoft.com/technet/security/advisory/951306.mspx

Let me know if you have any further questions or require advice.

- jorke

UPDATE (6:23pm 18/4/08):

Check out Ken Schaefer's Blog for the origin of this potential issue.

Technorati Tags: Security Vunerability,NetworkService,IIS,exploit

What size footprint does your worker process leave?

jorkeo — Mon, 05 Nov 2007 15:43:00 GMT

Well it all depends on what you are cramming into your request pipeline! With IIS7's modular architecture you have the ability to load only what you need to run. What does this mean - well let's look at the footprint of a worker process that has all default modules loaded, i.e. ASP/ASP.NET/CGI/Authorization etc etc.

To see the footprint in its entirety we want to dump out the applications loaded and see their usage. For this I have a handy PowerShell script I whacked together (because I love PowerShell); So browse to your website to spin up a worker process then run the following at a PowerShell prompt:

gps -name w3wp | select -expand Modules | where {$_.Filename -like '*\inetsrv*} | ft

which should give you something like the following:

this shows the footprint of a worker module with a default install of IIS 7.0 - you can see all the various modules loaded there for authorization, authentication, gzip etc. So how big is our worker process with no modules? Well simply rip the <globalmodules> out of the applicationhost.config file - NOT RECOMMENDED - without backup up your config first of course. Now browse to your site and you will notice nothing happens...- because you've ripped out all the modules there is nothing to process the request - thus you will get a naked worker process - lets take a look:

So you can see with IIS7 you can really customize what happens in your request pipeline to make huge differences to the size of your worker processes. Neat eh?

Now I've also found out you can do the same as PowerShell script by simply running:

tasklist /fi "imagename eq w3wp.exe" /M

but where's the fun in that.. :)

-jorke

Source Code for .NET libraries released

jorkeo — Fri, 05 Oct 2007 07:14:54 GMT

via Scottgu

Now this is definitely a step in the right direction!

- jorke