
Application Security Arena

Nimrod Luria
Microsoft ACE Team
What to do When IIS MMC doesn't do the work

For example, if you want to use WCF with Windows integrated security you will need to configure IIS for Windows integrated authentication.

Even when you do that, you can still get an exception like:

System.ServiceModel.ServiceHostingEnvironment+HostingManager/27836922

 Exception: System.ServiceModel.ServiceActivationException: The service '/internetbanksignon.svc' cannot be activated due to an exception during compilation.  The exception message is: Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.. --->

In this case you will need to enable Windows authentication and change the IIS metabase manually (on IIS 6 either stop IIS first or turn on "Enable Direct Metabase Edit", otherwise the running server overwrites your change):

  1. On your IIS server, start Notepad, and then open the \system32\inetsrv\Metabase.xml file located on the hard disk.
  2. In the <IIsWebServer> section, locate the following line:
     NTAuthenticationProviders="NTLM"
  3. Modify the line so that it reads exactly as follows:
     NTAuthenticationProviders="Negotiate,NTLM"

Check also the AuthFlags attribute of the solution's vdir in Metabase.xml: it must include AuthNTLM (Integrated Windows authentication), otherwise the service activation error above persists even with the providers fixed.
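The steps above are a hand edit. The following program, added here as an example and not part of the original post, does the same check and change programmatically: it reports every NTAuthenticationProviders and AuthFlags attribute in a Metabase.xml, flags vdirs whose AuthFlags lack AuthNTLM, and rewrites NTAuthenticationProviders to "Negotiate,NTLM". The element and attribute names are the IIS 6 metabase's own; the embedded XML is a constructed sample, and the file is only written when a path is passed on the command line.

```csharp
// Added example (not from the original post): audit and patch the IIS 6 Metabase.xml for
// the two settings the post talks about. Run against the live file only with IIS stopped
// or "Enable Direct Metabase Edit" on; a .bak copy is made before saving.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

static class MetabaseAudit
{
    // Constructed sample resembling the relevant part of an IIS 6 Metabase.xml.
    public const string SampleMetabase = @"<?xml version=""1.0""?>
<configuration xmlns=""urn:microsoft-catalog:XML_Metabase_V64_0"">
  <MBProperty>
    <IIsWebServer Location=""/LM/W3SVC/1"" NTAuthenticationProviders=""NTLM"" ServerComment=""Default Web Site"" />
    <IIsWebVirtualDir Location=""/LM/W3SVC/1/ROOT"" AuthFlags=""AuthAnonymous"" Path=""c:\inetpub\wwwroot"" />
    <IIsWebVirtualDir Location=""/LM/W3SVC/1/ROOT/internetbanksignon"" AuthFlags=""AuthAnonymous | AuthNTLM"" Path=""c:\apps\signon"" />
  </MBProperty>
</configuration>";

    // One line per node that carries either attribute: Location, attribute name, value.
    // Attributes are unprefixed, so no namespace manager is needed for these XPath predicates.
    public static List<string> Report(XmlDocument doc)
    {
        var lines = new List<string>();
        foreach (XmlElement e in doc.SelectNodes("//*[@NTAuthenticationProviders or @AuthFlags]"))
        {
            string loc = e.GetAttribute("Location");
            if (e.HasAttribute("NTAuthenticationProviders"))
                lines.Add(loc + " NTAuthenticationProviders=" + e.GetAttribute("NTAuthenticationProviders"));
            if (e.HasAttribute("AuthFlags"))
                lines.Add(loc + " AuthFlags=" + e.GetAttribute("AuthFlags"));
        }
        return lines;
    }

    // Vdirs whose AuthFlags lack AuthNTLM cannot host a WCF service that demands Windows
    // authentication; the ServiceActivationException in the post comes from such a vdir.
    public static List<string> VdirsWithoutWindowsAuth(XmlDocument doc)
    {
        var missing = new List<string>();
        foreach (XmlElement e in doc.SelectNodes("//*[local-name()='IIsWebVirtualDir'][@AuthFlags]"))
            if (e.GetAttribute("AuthFlags").IndexOf("AuthNTLM", StringComparison.OrdinalIgnoreCase) < 0)
                missing.Add(e.GetAttribute("Location"));
        return missing;
    }

    // Sets NTAuthenticationProviders="Negotiate,NTLM" on every IIsWebServer node that has the
    // attribute (Negotiate first, so Kerberos is offered before NTLM); returns the number changed.
    public static int EnableNegotiate(XmlDocument doc)
    {
        int changed = 0;
        foreach (XmlElement e in doc.SelectNodes("//*[local-name()='IIsWebServer'][@NTAuthenticationProviders]"))
        {
            if (e.GetAttribute("NTAuthenticationProviders") != "Negotiate,NTLM")
            {
                e.SetAttribute("NTAuthenticationProviders", "Negotiate,NTLM");
                changed++;
            }
        }
        return changed;
    }

    static void Main(string[] args)
    {
        // Pass the real path (e.g. C:\WINDOWS\system32\inetsrv\Metabase.xml) to work on the live file.
        var doc = new XmlDocument();
        if (args.Length > 0) doc.Load(args[0]); else doc.LoadXml(SampleMetabase);

        foreach (string line in Report(doc)) Console.WriteLine(line);
        foreach (string vdir in VdirsWithoutWindowsAuth(doc))
            Console.WriteLine("WARNING: AuthFlags without AuthNTLM on " + vdir);

        int n = EnableNegotiate(doc);
        Console.WriteLine(n + " IIsWebServer node(s) set to Negotiate,NTLM");
        if (args.Length > 0 && n > 0)
        {
            File.Copy(args[0], args[0] + ".bak", true);   // keep a backup before touching the metabase
            doc.Save(args[0]);
        }
    }
}
```

On the constructed sample the report shows the ROOT vdir with AuthAnonymous only, which is exactly the configuration that produces the exception quoted above; the fix for that part is still to add AuthNTLM to the vdir (via the IIS MMC or by editing AuthFlags), which the program deliberately does not do for you.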

WCF Security References

WCF security

http://msdn2.microsoft.com/en-us/library/ms732362.aspx

WCF with x509

http://msdn2.microsoft.com/en-us/library/ms733137.aspx

Using client credentials

http://www.theserverside.net/tt/articles/showarticle.tss?id=SecuringWCFService

Delegation and Impersonation with WCF

http://msdn2.microsoft.com/en-us/library/ms730088.aspx

 

Specifying the Identity of a Service for Authentication 

http://msdn2.microsoft.com/en-us/library/ms733130.aspx

 

X509 - http://blogs.msdn.com/suwatch/default.aspx

client certificates - http://msdn2.microsoft.com/en-us/library/ms731899.aspx

wcf and x509 - http://blogs.msdn.com/suwatch/archive/2007/04/06/x509-and-wcxf-security.aspx

x509 between services : http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=164756&SiteID=1

WCF team blog - http://wcf.netfx3.com/blogs/wcf_team_bloggers/

IIS certificate authorization - http://staff.newtelligence.com/sergeys/WCFIISCertificatesAuthorization.aspx

 

MSMQ

http://msdn2.microsoft.com/en-us/library/ms731172.aspx

SetSPN - http://msdn2.microsoft.com/en-us/library/ms735117.aspx

 

Hosting Services

http://msdn2.microsoft.com/en-us/library/ms730158.aspx

Hosting and Consuming WCF Services

http://msdn2.microsoft.com/en-us/library/bb332338.aspx

 

working with certificate

http://msdn2.microsoft.com/en-us/library/ms731899.aspx

 

WCF performance

http://msdn2.microsoft.com/en-us/library/ms735098.aspx

http://msdn2.microsoft.com/en-us/library/bb310550.aspx

 

The Silverlight Security Model

Since the v1.1 release of Silverlight includes a slimmed down version of the CLR, you might be wondering what the managed security story for Silverlight is and how it compares to CAS on the desktop version of the CLR.

read more here:

http://blogs.msdn.com/shawnfa/archive/2007/05/09/the-silverlight-security-model.aspx

 

Where is my private key ?

A lot of errors come up while working with X.509. There is a lot of confusion about where the certificate needs to be stored and where the private key is.

The common error is that developers install the private key in a location (or under an account) that the program is not allowed to access.

It can be difficult to find the location and name of the private key file associated with a specific X.509 certificate in the certificate store. The FindPrivateKey.exe tool facilitates this process.

X.509 certificates are installed by an Administrator or any user on the machine. However, the certificate may be accessed by a service running under a different account (for example ASPNET on Windows XP or NETWORK SERVICE on Windows Server 2003).

This account may not have access to the private key file because the certificate was not installed by it originally. The FindPrivateKey tool gives you the location of a given X.509 certificate's private key file. Once you know that location you can add or remove permissions on the file.

To get this tool go to http://msdn2.microsoft.com/en-us/library/aa717039.aspx,
click on download sample and then browse to
%InstallDir%\WCF_Samples\TechnologySamples\Tools\FindPrivateKey\CS
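The same lookup can be done in a few lines of your own code. The program below is an added example, not the post's code and not the FindPrivateKey sample itself: it resolves the key container file of a certificate held in a CSP (CAPI) key container, which is what FindPrivateKey does, and then grants NETWORK SERVICE read access to that file so an IIS-hosted service can use the certificate. It assumes .NET Framework on Windows; the subject name "internetbanksignon" is a placeholder, and the MachineKeys / RSA directory layout is CAPI's, so CNG (KSP) keys are reported as not found rather than guessed at.

```csharp
// Added example (not the post's code): locate a certificate's CSP private key file and
// grant a service account read access to it. Assumes .NET Framework on Windows.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class PrivateKeyAcl
{
    // Full path of the key container file, or null when the certificate has no private key,
    // the key is not a CSP key, or no file with that unique container name exists.
    public static string FindPrivateKeyFile(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return null;
        RSACryptoServiceProvider rsa;
        try { rsa = cert.PrivateKey as RSACryptoServiceProvider; }
        catch (CryptographicException) { return null; }   // CNG-only key: PrivateKey is not a CSP object
        if (rsa == null) return null;

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        string fileName = info.UniqueKeyContainerName;

        // CAPI keeps machine keys under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys and
        // user keys under %APPDATA%\Microsoft\Crypto\RSA\<SID>\ ; search the right tree by name.
        string root = info.MachineKeyStore
            ? Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), @"Microsoft\Crypto\RSA\MachineKeys")
            : Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), @"Microsoft\Crypto\RSA");
        if (!Directory.Exists(root)) return null;
        string[] hits = Directory.GetFiles(root, fileName, SearchOption.AllDirectories);
        return hits.Length > 0 ? hits[0] : null;
    }

    // Read is sufficient for the CSP to load the key for signing or decryption; do not grant more.
    public static void GrantRead(string keyFile, WellKnownSidType account)
    {
        var fi = new FileInfo(keyFile);
        FileSecurity sec = fi.GetAccessControl();
        sec.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(account, null), FileSystemRights.Read, AccessControlType.Allow));
        fi.SetAccessControl(sec);
    }

    static void Main(string[] args)
    {
        string subject = args.Length > 0 ? args[0] : "internetbanksignon";   // placeholder subject name
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
            if (found.Count == 0) { Console.WriteLine("no certificate with subject " + subject); return; }

            string keyFile = FindPrivateKeyFile(found[0]);
            if (keyFile == null) { Console.WriteLine("private key file not found (no key, or not a CSP key)"); return; }

            Console.WriteLine("private key file: " + keyFile);
            GrantRead(keyFile, WellKnownSidType.NetworkServiceSid);   // account IIS 6 worker processes run as
            Console.WriteLine("granted Read to NETWORK SERVICE");
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run it elevated; reading the ACL works for any user, but SetAccessControl on a MachineKeys file needs ownership or administrative rights. For an ASP.NET worker process on Windows XP, pass WellKnownSidType for the local ASPNET account's SID instead of NetworkServiceSid.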

Developing Applications to Use Group Policy

Are we at the point where IT pros will start talking to the dev team about security?
It seems like now dev teams and IT pros CAN and hopefully WILL work together.

Applications can be developed to take advantage of the most common type of policy setting, namely registry-based policy. For example, a programmer can create a component that includes "available" and "unavailable" functionality based on registry-based policy. Administrators then have a well-defined and simple process: they can use the GPMC to turn functionality on or off for all affected users and computers. This type of policy is implemented using a built-in registry client-side extension on every Group Policy client to process the data and manage the appropriate registry keys. Registry-based policy settings are stored in one of four secure Group Policy keys (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies under HKLM and HKCU), which cannot be modified without administrative rights on the machine.

For more information, see the Implementing Registry-Based Group Policy article at http://www.microsoft.com/windows2000/techinfo/howitworks/management/rbppaper.asp.
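What the application side of that pattern looks like, as an added example that is not from the post or the linked article: the component reads its switch from the policy keys before its own preferences, so a GPO-delivered value always wins. The key path Software\Policies\Contoso\BankClient, the preference path Software\Contoso\BankClient and the value name EnableExport are hypothetical; the precedence (machine policy over user policy over user preference) is the standard Group Policy rule.

```csharp
// Added example (not the post's code): consume a registry-based Group Policy setting.
// Key paths and the value name are placeholders for a real product's .adm/.admx mapping.
using System;
using Microsoft.Win32;

static class PolicyReader
{
    // Written only by the Group Policy registry client-side extension; users cannot change it.
    const string PolicyPath = @"Software\Policies\Contoso\BankClient";
    // The application's own per-user preference; any user can change this one.
    const string PrefsPath = @"Software\Contoso\BankClient";

    // DWORD at hive\subKey\name, or null when the key or value is absent (policy "not configured").
    static int? ReadDword(RegistryKey hive, string subKey, string name)
    {
        using (RegistryKey k = hive.OpenSubKey(subKey, false))
        {
            if (k == null) return null;
            object v = k.GetValue(name);
            return v is int ? (int?)(int)v : null;
        }
    }

    // Precedence: machine policy > user policy > user preference > built-in default.
    // Kept registry-free so the rule can be exercised with synthetic values.
    public static bool Resolve(int? machinePolicy, int? userPolicy, int? userPref, bool defaultValue)
    {
        int? v = machinePolicy ?? userPolicy ?? userPref;
        return v.HasValue ? v.Value != 0 : defaultValue;
    }

    public static bool IsFeatureEnabled(string valueName, bool defaultValue)
    {
        return Resolve(ReadDword(Registry.LocalMachine, PolicyPath, valueName),
                       ReadDword(Registry.CurrentUser, PolicyPath, valueName),
                       ReadDword(Registry.CurrentUser, PrefsPath, valueName),
                       defaultValue);
    }

    static void Main()
    {
        // An administrator disables the feature for everyone by setting
        // HKLM\Software\Policies\Contoso\BankClient\EnableExport = 0 through a GPO.
        bool export = IsFeatureEnabled("EnableExport", true);
        Console.WriteLine("Export feature is " + (export ? "available" : "unavailable"));

        // The same decision on synthetic inputs: a machine policy of 0 beats a user preference of 1.
        Console.WriteLine("Resolve(0, null, 1, true) = " + Resolve(0, null, 1, true));
    }
}
```

The point of checking the Policies keys first is that their ACLs are set by Windows so that only administrators (and the policy engine) can write them; a feature switch read only from the application's own HKCU key is a preference the user can flip, not a policy.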

How to report a bug for WCF, WF and .NET 3

You can affect the way .NET 3.0 will be. There are three main places where you can report a bug or even submit a wish-list item.

.NET Framework 3.0

WCF: http://connect.Microsoft.com/wcf/Feedback

WF: http://connect.Microsoft.com/wf/Feedback

Visual studio:

https://connect.microsoft.com/visualstudio/feedback

Those places are completely open to the public, and all feedback items go straight into the Product Studio databases for servicing!

Fundamental Computer Investigation Guide For Windows
http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx
 
X.509 specifications for those who need the low-level info.

You might be interested in reading this RFC if you need to develop applications that handle certificates and encryption.

For example, if you have a legacy system (e.g. MF) and you need to write your own low-level procedures to handle encryption, then
this RFC is for you: RFC 2527, the Internet X.509 PKI Certificate Policy and Certification Practices Framework. Note that RFC 2527 covers what a CA's certificate policy and practice statement should contain; the encoding of the certificates and CRLs themselves is specified in RFC 3280 (the X.509 profile current at the time, since superseded by RFC 5280).
 
February 2007 CTP of Enterprise Library 3.0.

Includes a preview of the new Policy Injection Application Block, and release candidate of all other application blocks.

can be downloaded here:

http://www.codeplex.com/entlib/Release/ProjectReleases.aspx?ReleaseId=2081

 

WCF Supporting Tokens

The Supporting Tokens sample demonstrates how to add additional tokens to a message that uses WS-Security.

The example adds an X.509 binary security token in addition to a username security token. The token is passed in a WS-Security message header from the client to the service and part of the message is signed with the private key associated with the X.509 security token to prove the possession of the X.509 certificate to the receiver.

This is useful in the case when there is a requirement to have multiple claims associated with a message to authenticate or authorize the sender. The service implements a contract that defines a request-reply communication pattern.

 The sample demonstrates:

  • How a client can pass additional security tokens to a service.

  • How the server can access claims associated with additional security tokens.

  • How the server's X.509 certificate is used to protect the symmetric key used for message encryption and signature.

 code can be downloaded here: http://msdn2.microsoft.com/en-us/library/ms751480.aspx
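The sample's download is a full solution; as an added example that does not reproduce the sample's own code, here is the core of the pattern it demonstrates in one file: a custom binding that carries a UserName token together with an endorsing X.509 supporting token, and the service-side code that reads the claims both tokens produce. It assumes .NET Framework with references to System.ServiceModel and System.IdentityModel; the IEcho contract, the localhost address, the certificate subject names "localhost" and "alice" and the Windows account used as username are placeholders, and the certificates must be installed and trusted for the call to succeed.

```csharp
// Added example (not the MSDN Supporting Tokens sample's code): UserName token + endorsing
// X.509 supporting token on a WS-Security message, and claim inspection on the service.
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

[ServiceContract]
public interface IEcho   // placeholder contract
{
    [OperationContract]
    string Echo(string text);
}

public static class SupportingTokenBinding
{
    // UserName token identifies the caller; the service certificate protects the symmetric key
    // that signs and encrypts the body (so the password never travels in clear); the X.509
    // endorsing token signs the message signature, proving possession of the client's private key.
    public static Binding Create()
    {
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        security.EndpointSupportingTokenParameters.Endorsing.Add(new X509SecurityTokenParameters());
        return new CustomBinding(security, new TextMessageEncodingBindingElement(), new HttpTransportBindingElement());
    }
}

public class EchoService : IEcho
{
    public string Echo(string text)
    {
        return text + " / " + DescribeCaller(OperationContext.Current.ServiceSecurityContext.AuthorizationContext);
    }

    // Each token contributes its own ClaimSet: the UserName token a Name claim (string), the
    // X.509 token a Thumbprint claim (byte[]). Insist on both before treating the caller as authenticated.
    public static string DescribeCaller(AuthorizationContext ctx)
    {
        string user = null, thumbprint = null;
        foreach (ClaimSet cs in ctx.ClaimSets)
        {
            foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
                user = (string)c.Resource;
            foreach (Claim c in cs.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
                thumbprint = BitConverter.ToString((byte[])c.Resource).Replace("-", "");
        }
        if (user == null || thumbprint == null)
            throw new FaultException("a username token and an endorsing X.509 token are both required");
        return "user=" + user + " thumbprint=" + thumbprint;
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("http://localhost:8000/echo");   // placeholder
        Binding binding = SupportingTokenBinding.Create();

        var host = new ServiceHost(typeof(EchoService), address);
        host.AddServiceEndpoint(typeof(IEcho), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");   // placeholder
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Windows;
        host.Open();

        // Client: DNS identity must match the service certificate's subject for the symmetric key exchange.
        var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("localhost"));
        var factory = new ChannelFactory<IEcho>(binding, endpoint);
        factory.Credentials.UserName.UserName = "alice";                  // placeholder Windows account
        factory.Credentials.UserName.Password = "password-placeholder";
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "alice");         // placeholder
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");   // placeholder

        IEcho proxy = factory.CreateChannel();
        Console.WriteLine(proxy.Echo("hello"));
        ((IClientChannel)proxy).Close();
        factory.Close();
        host.Close();
    }
}
```

Because the X.509 token is registered as Endorsing rather than Signed or SignedEndorsing, the client certificate is not itself covered by the primary signature; it signs the signature. If the operation must be authorized on the certificate, check the thumbprint claim against an allow list in DescribeCaller rather than trusting ChainTrust alone.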

Migration path to WCF
From .NET Remoting to the Windows Communication Foundation (WCF) http://msdn.microsoft.com/library/en-us/dnvs05/html/NETremoteWCF.asp?frame=true  

ASP.NET Web services to the Windows Communication Foundation

http://wcf.netfx3.com/content/TheFutureofASPNETWebServicesintheContextoftheWindowsCommunicationFoundation.aspx

WSE->WCF

http://wcf.netfx3.com/content/WindowsCommunicationFoundationWCFInteroperabilityandMigrationwithWSE20.aspx

General WCF resources

http://wcf.netfx3.com/files/default.aspx  

 

How to get the AlternativeName and UPN from an X.509 certificate

Using the X509NameType enumeration with X509Certificate2.GetNameInfo you can pull the subject and issuer names out of a certificate, including the UPN and the DNS names carried in the Subject Alternative Name extension (X509NameType.UpnName and X509NameType.DnsFromAlternativeName). This enumeration was introduced in .NET 2.0. The code below uses X509NameType.SimpleName; pass UpnName or DnsFromAlternativeName instead to get the UPN or the alternative DNS name.

Here is the code:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertSelect
{
    static void Main()
    {
        try
        {
            // Open the current user's personal store and let the user pick one or more
            // certificates that are valid right now.
            X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
            X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            X509Certificate2Collection scollection = X509Certificate2UI.SelectFromCollection(fcollection, "Test Certificate Select", "Select a certificate from the following list to get information on that certificate", X509SelectionFlag.MultiSelection);
            Console.WriteLine("Number of certificates: {0}{1}", scollection.Count, Environment.NewLine);
            foreach (X509Certificate2 x509 in scollection)
            {
                byte[] rawdata = x509.RawData;
                Console.WriteLine("Content Type: {0}{1}", X509Certificate2.GetCertContentType(rawdata), Environment.NewLine);
                Console.WriteLine("Friendly Name: {0}{1}", x509.FriendlyName, Environment.NewLine);
                Console.WriteLine("Certificate Verified?: {0}{1}", x509.Verify(), Environment.NewLine);
                // Swap SimpleName for X509NameType.UpnName or X509NameType.DnsFromAlternativeName
                // to read the UPN or the SAN DNS name; forIssuer=true reads the issuer's name.
                Console.WriteLine("Simple Name: {0}{1}", x509.GetNameInfo(X509NameType.SimpleName, true), Environment.NewLine);
                Console.WriteLine("Signature Algorithm: {0}{1}", x509.SignatureAlgorithm.FriendlyName, Environment.NewLine);
                // PrivateKey is null when the store holds only the public certificate, and
                // ToXmlString(false) exports only the public parameters even on the private key.
                if (x509.HasPrivateKey)
                    Console.WriteLine("Private Key (public parameters): {0}{1}", x509.PrivateKey.ToXmlString(false), Environment.NewLine);
                Console.WriteLine("Public Key: {0}{1}", x509.PublicKey.Key.ToXmlString(false), Environment.NewLine);
                Console.WriteLine("Certificate Archived?: {0}{1}", x509.Archived, Environment.NewLine);
                Console.WriteLine("Length of Raw Data: {0}{1}", x509.RawData.Length, Environment.NewLine);
                X509Certificate2UI.DisplayCertificate(x509);
                x509.Reset();
            }
            store.Close();
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Information could not be written out for this certificate.");
        }
    }
}
more info at: http://msdn2.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509nametype(VS.80).aspx
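The code above stops at SimpleName. The following program is an added example, not the post's code, that does what the title asks: it builds a certificate with a Subject Alternative Name in memory and reads the UPN, the alternative DNS names and the e-mail address back. It needs .NET 7 or later (CertificateRequest, SubjectAlternativeNameBuilder and X509SubjectAlternativeNameExtension); the subject "CN=alice" and the UPN, host and mail names are constructed for the example.

```csharp
// Added example (not the post's code): read UPN and SAN names from an X.509 certificate.
// Assumes .NET 7+; all names in the generated certificate are constructed sample values.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SanNames
{
    // Self-signed certificate whose SAN carries a UPN otherName, two DNS names and an e-mail address.
    public static X509Certificate2 MakeSampleCert()
    {
        RSA rsa = RSA.Create(2048);   // the returned certificate keeps its own copy of the key
        var req = new CertificateRequest("CN=alice", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddUserPrincipalName("alice@corp.example");
        san.AddDnsName("signon.corp.example");
        san.AddDnsName("internetbanksignon");
        san.AddEmailAddress("alice@corp.example");
        req.CertificateExtensions.Add(san.Build());
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
    }

    // UpnName reads the SAN otherName with OID 1.3.6.1.4.1.311.20.2.3 (the Microsoft UPN);
    // the result is the empty string when the certificate carries none. This is the value
    // Windows uses to map a smart-card logon certificate to an account.
    public static string GetUpn(X509Certificate2 cert)
    {
        return cert.GetNameInfo(X509NameType.UpnName, false);
    }

    // DnsFromAlternativeName returns only the first SAN DNS entry (DnsName would also fall back
    // to the subject CN), so every entry is enumerated from the extension itself.
    public static List<string> GetSanDnsNames(X509Certificate2 cert)
    {
        var names = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value != "2.5.29.17") continue;   // id-ce-subjectAltName
            var san = new X509SubjectAlternativeNameExtension(ext.RawData, ext.Critical);
            names.AddRange(san.EnumerateDnsNames());
        }
        return names;
    }

    static void Main()
    {
        using (X509Certificate2 cert = MakeSampleCert())
        {
            Console.WriteLine("Subject      : " + cert.GetNameInfo(X509NameType.SimpleName, false));
            Console.WriteLine("UPN          : " + GetUpn(cert));
            Console.WriteLine("SAN DNS (1st): " + cert.GetNameInfo(X509NameType.DnsFromAlternativeName, false));
            Console.WriteLine("SAN DNS (all): " + string.Join(", ", GetSanDnsNames(cert)));
            Console.WriteLine("E-mail       : " + cert.GetNameInfo(X509NameType.EmailName, false));
        }
    }
}
```

When a service authorizes on the UPN, compare against the value from GetUpn and not against the subject CN: the CN is free text chosen at enrolment, whereas the UPN otherName is the field an enterprise CA fills from the directory.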

more about ajax security

http://blogs.ittoolbox.com/security/dmorrill/archives/billy-hoffman-on-ajax-security-11141

some videos can be found here: http://www.asp.net/learn/videos/#ajax

 

 

defend - protect - detect - recover - manage !

In order to know how to detect an attack and protect against it, you should first understand the attack!

a very useful link for that:

http://www.attacklabs.com/

 

Netmon 3 - Nmcap.exe

Network Monitor 3.0 has a command-line tool as well to capture traffic. You can use the 'Nmcap.exe' tool to capture frames without the GUI. This tool is available in the Network Monitor 3 installation directory.

I'm looking for a way now to intercept the traffic in real time, like breakpoints in Fiddler.

more info can be found here: http://blogs.technet.com/netmon/

and here: http://blogs.msdn.com/anmolm/archive/2007/02/18/security-tools-for-testers-part-ii.aspx

 
