April 2007 - Posts

.Net Security How To's

patterns & practices Security How To's Index ASP.NET 2.0 Security Questions and Answers Tamper detection Authentication Hub Enjoy Read More...

Posted 30 April 07 01:14 by alikl | 2 Comments   
Filed under Security, Implementation

My Favorite Shortcuts

Using mouse is inefficient and slow - for detailed explanation go here These are my favorite (those I actually use) shortcuts. [Ed. - I am updating it constantly as I find more useful shortcuts I actually use] Visual Studio Ctrl + Shift + B - build Ctrl Read More...

Posted 29 April 07 09:28 by alikl | 6 Comments   
Filed under Practices

Threat Modeling Big Chunks

When three years ago I started to practice Threat Modeling I thought it is most boring part of security (which itself is not the most fascinating thing to most of people). I hated it since it seemed too boring - interview folks, read tones of specs, and Read More...

Posted 27 April 07 07:34 by alikl | 7 Comments   
Filed under Security, Practices, Planning Phase, Threat Modeling

"It's the perfect crime, both low-risk and high-profit"

NYT - http://www.nytimes.com/2007/01/07/technology/07net.html?ex=1325826000&en=cd1e2d4c0cd20448&ei=5090 How high the profit? Criminals are offering up to $75,000 for a Windows XP vulnerability and $50,000 for a Windows Vista vulnerability, Genes Read More...

Posted 25 April 07 10:30 by alikl | 0 Comments   

IIS 7 Configuration File - applicationHost.config - Password Management

From my learning of IIS7 I understand that IIS7's metabase is actually XML configuration file very familiar to me and similar to ASP.NET's web.config. It is called applicationHost.config and sits in C:\Windows\System32\inetsrv\config My first interest Read More...

Posted 24 April 07 08:52 by alikl | 0 Comments   
Filed under Security, Sensitive Data, Deployment Phase, IIS 7

Reduce Distraction

Focus is the key for me to have things done, although I have my technique to manage my work pipeline ( My Pipeline Is My Inbox ) there are many distractions that prevents me to focus on my work items pipeline - phone calls, small talks, etc. When I set Read More...

Posted 22 April 07 09:02 by alikl | 0 Comments   
Filed under Practices

Coincidence?

My life Definitely Changed When I understood that Focus Is The Key , I just realized that Ford, my car, I drive is of FOCUS model... When I was asking for that model I just wanted Ford Focus since I liked it because of feature richness. Turns out it expresses Read More...

Posted 20 April 07 08:58 by alikl | 1 Comments   

Calculate Security Breach Cost Yourself

That is both amazing and amusing (I will leave "why" to myself....) but now CxO does not have to think twice whether security services are too expensive. Check out this Security Breach Cost Calculator. via http://news.com.com/2061-10789_3-6176074.html?part=rss&tag=2063-10789_3-0&subj=news Read More...

Posted 19 April 07 10:35 by alikl | 1 Comments   
Filed under Security, Information Gathering, Inception Phase

Security Development Session In The UK

Imagine if security was cool like Silverlight .... But security is not that cool, so the biggest challenge I faced was presenting security topics in a way that people enjoy it. Here are some techniques I used while I was delivering number of security Read More...

Posted 18 April 07 06:47 by alikl | 2 Comments   
Filed under Practices, Inception Phase

Adding Shared SNK File In Visual Studio 2005

“Prior to Microsoft Visual C# 2005, you specified the key file using CLR attributes in source code. These attributes are now deprecated . Beginning in Microsoft Visual C# 2005, you should use the Signing Page of the Project Designer or the Assembly Linker Read More...

Posted 16 April 07 03:24 by alikl | 1 Comments   
Filed under Security, Development Phase, CAS, Implementation, Authentication

Live Search Hacking Is Dead

I've used a bit dirty technique to promote Exception Handling as a security countermeasure: This is How They will Hack Your Web Site In the post I explain how to use Live Search to find vulnerable pages. The idea is not new rather adapted version of Google Read More...

Posted 15 April 07 08:44 by alikl | 2 Comments   

Waste No Time For Meeting Summaries

I always do meeting summaries. It keeps track for what/who/when. I do not care to do summaries for someone else, even better - it puts me in control. But I never spend my time to summarize after the meeting but during the meeting. The moment the meeting Read More...

Posted 13 April 07 08:39 by alikl | 1 Comments   
Filed under Practices

My Pipeline Is My Inbox

I keep seeing folks with thousands emails inside their Inbox... I hardly can get it. Actually I do not get it. I cannot imagine actual mail box getting filled with thousands of letters - so why making your Outlook Inbox a trash can? As a consultant I Read More...

Posted 12 April 07 10:01 by alikl | 13 Comments   
Filed under Practices

Authentication Hub

Windows Authentication Identity Flow Through Physical Tiers Identity Flow Through Physical Tiers - Impersonation Identity Flow Through Physical Tiers - Delegation Identity Flow Through Physical Tiers - Protocol Transition Certificates Different Ways To Read More...

Posted 11 April 07 09:04 by alikl | 8 Comments   
Filed under Security, Implementation, Authentication

My life Definitely Changed - Focus Is The Key

Today I am much more efficient and I feel that it gets me more effectiveness. Every minute counts - EVERY. Sometimes I think I am stopping being a human but programmed machine. The only thing that gets me relief is that the programmer is me (trying not Read More...

Posted 11 April 07 08:07 by alikl | 4 Comments   
Filed under Practices

Identity Flow Through Physical Tiers - Protocol Transition

If these articles: How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 Using Protocol Transition—Tips from the Trenches are your friends then do not waste your time on this post, please. The scenario is the same where user sits behind Read More...

Posted 10 April 07 01:27 by alikl | 3 Comments   
Filed under Security, Development Phase, Implementation, Authentication

I Thought Security And ROI Are Nonsense When Used Together

How wrong I was ( Security and ROI )!! My basic breakdown was like "OK, ROI is return on investment - how much do I get if I invest in deploying IPSEC? Well, not much - I definitely can lose a lot when not doing it but ROI - hmm?..." Now take a look at Read More...

Posted 10 April 07 05:16 by alikl | 1 Comments   

Basic Steps To Make ASP.NET Web Site CardSpace Aware

From short investigation and a lot of information from Richard Turner's screencasts Here is what I get. To make my ASP.NET app I need: Write ASP.NET server side code to validate the token that holds end user's data, further processing might include checking Read More...

Posted 09 April 07 01:26 by alikl | 1 Comments   
Filed under Security, Implementation, Authentication, Vista, IIS 7, CardSpace

Identity Flow Through Physical Tiers - Delegation

If these articles: How To: Implement Kerberos Delegation for Windows 2000 How To: Use Impersonation and Delegation in ASP.NET 2.0 Credentials and Delegation are your friends then do not waste your time on this post, please. I have still the same scenario Read More...

Posted 08 April 07 05:53 by alikl | 3 Comments   
Filed under Security, Development Phase, Implementation, Authentication

IIS 6.0 Was True Love, New Romance Is About To Begin - IIS 7

I just could not hold it back - it is midnight and I am watching Richard Turner's screencast - New Screencast: How to configure IIS7 for Windows CardSpace sites It was humiliatingly :) easy to set up test server cert, so I've done it, here is the prove: Read More...

Posted 07 April 07 10:01 by alikl | 6 Comments   
Filed under Security, Deployment Phase, Vista, IIS 7

Identity Flow Through Physical Tiers - Impersonation

There are scenarios where actual windows identity of end user needs to be flowed to the server so that server can perform action on end user's behalf - that is in nutshell Impersonation. In previous post Identity Flow Through Physical Tiers - one might Read More...

Posted 06 April 07 07:54 by alikl | 7 Comments   
Filed under Security, Development Phase, Implementation, Authentication

Identity Flow Through Physical Tiers

Identity story with .Net really rocks, but along with great extensibility it also brings a lots of confusion ( One Identity - Many Faces :IIdentity ). I am building now workshop for developers that concentrates on authentication only. It talks about concepts, Read More...

Posted 05 April 07 10:23 by alikl | 4 Comments   
Filed under Security, Development Phase, Implementation, Authentication

Who Access My File?

In my post File Access Auditing - I Am Not Afraid Of GPO I've digested technet documentation on how to set Active Directory Group Policy Object (AD GP) to enable file access auditing as security measure to prevent repudiation. It is heavy weight techniques Read More...

Posted 03 April 07 07:02 by alikl | 7 Comments   
Filed under Test Phase, Security, Tools, Development Phase, Deployment Phase, Authentication

One Identity - Many Faces :IIdentity

User security context in .Net is abstracted by implementation of IPrincipl and IIdentity interfaces. Sometimes, it represents windows account by WindowsIdentity implementation, sometimes not, like with ADFS' SingleSignOnIdentity or forms based authentication Read More...

Posted 02 April 07 06:54 by alikl | 2 Comments   

File Access Auditing - I Am Not Afraid Of GPO

Security logging and auditing mitigates repudiation threat (the "R" in STRIDE, see also Auditing and Logging threats). The lesser coding the better security. Here is the no coding auditing for file access using Group Policy From http://support.microsoft.com/kb/324739 Read More...

Posted 01 April 07 10:45 by alikl | 6 Comments   
Filed under Security, Development Phase, Implementation, Auditing and Logging

Search

This Blog

• Home
• Email