Application Security Arena

What to do When IIS MMC doesn't do the work

2007-05-22T00:36:00Z

for example- if you want to use WCF and windows integarted security you will need to conifgure the IIS for windows integrated authentication.

even when you do that you can get an execption like:

System.ServiceModel.ServiceHostingEnvironment+HostingManager/27836922

Exception: System.ServiceModel.ServiceActivationException: The service '/internetbanksignon.svc' cannot be activated due to an exception during compilation. The exception message is: Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.. --->

in this case you will need to set windows authentication and change the iis metabase manualy

On your IIS server, start Notepad, and then open the \system32\inetsrv\Metabase.xml file located on the hard disk.
In the <IIsWebServer> section, locate the following line:
NTAuthenticationProviders="NTLM"
Modify the line so that it reads exactly as follows:
NTAuthenticationProviders="Negotiate,NTLM"

Check also the <AuthFlags> attribute of the solution vdir at the metabse.xml.

WCF Security References

2007-05-20T19:03:00Z

WCF security

http://msdn2.microsoft.com/en-us/library/ms732362.aspx

WCF with x509

http://msdn2.microsoft.com/en-us/library/ms733137.aspx

Using client credentials

http://www.theserverside.net/tt/articles/showarticle.tss?id=SecuringWCFService

Delegation and Impersonation with WCF

http://msdn2.microsoft.com/en-us/library/ms730088.aspx

Specifying the Identity of a Service for Authentication

http://msdn2.microsoft.com/en-us/library/ms733130.aspx

X509 - http://blogs.msdn.com/suwatch/default.aspx

client certificates - http://msdn2.microsoft.com/en-us/library/ms731899.aspx

wcf and x509 - http://blogs.msdn.com/suwatch/archive/2007/04/06/x509-and-wcxf-security.aspx

x509 between services : http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=164756&SiteID=1

WCF team blog - http://wcf.netfx3.com/blogs/wcf_team_bloggers/

IIS certificate authorization - http://staff.newtelligence.com/sergeys/WCFIISCertificatesAuthorization.aspx

MSMQ

http://msdn2.microsoft.com/en-us/library/ms731172.aspx

SetSPN - http://msdn2.microsoft.com/en-us/library/ms735117.aspx

Hosting Services

http://msdn2.microsoft.com/en-us/library/ms730158.aspx

Hosting and Consuming WCF Services

http://msdn2.microsoft.com/en-us/library/bb332338.aspx

working with certificate

http://msdn2.microsoft.com/en-us/library/ms731899.aspx

WCF performance

http://msdn2.microsoft.com/en-us/library/ms735098.aspx

http://msdn2.microsoft.com/en-us/library/bb310550.aspx

The Silverlight Security Model

2007-05-10T13:50:00Z

Since the v1.1 release of Silverlight includes a slimmed down version of the CLR, you might be wondering what the managed security story for Silverlight is and how it compares to CAS on the desktop version of the CLR.

Where is my private key ?

2007-03-20T03:00:00Z

A lot of errors are coming up while working with X509. there is a lot of confusion of where do I need to store the certificate ? where is my private key ?

the common error is that developers installs the private key to a location that the program not allowed to access.

It can be difficult to find the location and name of the private key file associated with a specific X.509 certificate in the certificate store. The FindPrivateKey.exe tool facilitates this process.

X.509 certificates are installed by an Administrator or any user in the machine. However the certificate may be accessed by a service running under a different account (for example the ASPNET on Windows XP or the NETWORK SERVICE accounts on Windows Server 2003).

This account may not have access to the private key file because the certificate was not installed by it originally. The FindPrivateKey tool gives you the location of a given X.509 Certificate's private key file. You can add permissions or remove permissions to this file once you know the location of the particular X.509 certificates' private key file.

to get this tool go to http://msdn2.microsoft.com/en-us/library/aa717039.aspx
click on download sample and then browse to
%InstallDir%\WCF_Samples\TechnologySamples\Tools\FindPrivateKey\CS

Developing Applications to Use Group Policy

2007-03-20T02:52:00Z

are we at the time when IT pro's will start talking to the dev team about security ?
it's seems like now dev teams and IT pro's CAN and hopefully WILL work together.

Applications can be developed to take advantage of the most common type of policy setting, namely registry-based policy. For example, a programmer can create a component that includes “available” and “unavailable” functionality based on registry-based policy. Administrators then have a well-defined and simple process: They can use the GPMC to turn functionality on or off by for all affected users and computers. This type of policy is implemented using a built in registry client-side extension on every Group Policy client to process the data and manage the appropriate registry keys. Registry-based policy settings are stored in one of four secure Group Policy keys, which cannot be modified without administrative rights on the machine.

For more information, see the Implementing Registry-Based Group Policy article at http://www.microsoft.com/windows2000/techinfo/howitworks/management/rbppaper.asp.

How to report a bug for WCF, WF and .NET 3

2007-03-09T00:53:19Z

you can effect the way that .NET 3.0 will be. you have three main spots where you can report a bug or even report a wish list.

.NET Framework 3.0

WCF: http://connect.Microsoft.com/wcf/Feedback

WF: http://connect.Microsoft.com/wf/Feedback

Visual studio:

https://connect.microsoft.com/visualstudio/feedback

those places are completely open to the public and all feedback items go straight into our the product studio DBs for servicing !!

Fundamental Computer Investigation Guide For Windows

2007-03-09T00:37:45Z

http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx

X509 specifications for those who need the low level info.

2007-03-06T14:54:12Z

You might will be interest to read this RFC if you need to develop applications that need to handle encryption.

for an example if you have a legacy system (e.g. MF) and you need to write your own low level procedures to handle encryption then

this RFC is for you.(RFC2527)

February 2007 CTP of Enterprise Library 3.0.

2007-03-04T18:35:00Z

Includes a preview of the new Policy Injection Application Block, and release candidate of all other application blocks.

can be downloaded here:

http://www.codeplex.com/entlib/Release/ProjectReleases.aspx?ReleaseId=2081

WCF Supporting Tokens

2007-03-04T16:23:00Z

The Supporting Tokens sample demonstrates how to add additional tokens to a message that uses WS-Security.

The example adds an X.509 binary security token in addition to a username security token. The token is passed in a WS-Security message header from the client to the service and part of the message is signed with the private key associated with the X.509 security token to prove the possession of the X.509 certificate to the receiver.

This is useful in the case when there is a requirement to have multiple claims associated with a message to authenticate or authorize the sender. The service implements a contract that defines a request-reply communication pattern.

The sample demonstrates:

How a client can pass additional security tokens to a service.
How the server can access claims associated with additional security tokens.
How the server's X.509 certificate is used to protect the symmetric key used for message encryption and signature.

code can be downloaded here: http://msdn2.microsoft.com/en-us/library/ms751480.aspx

Migration path to WCF

2007-02-28T10:53:00Z

From .NET Remoting to the Windows Communication Foundation (WCF) http://msdn.microsoft.com/library/en-us/dnvs05/html/NETremoteWCF.asp?frame=true

ASP.NET Web services to the Windows Communication Foundation

http://wcf.netfx3.com/content/TheFutureofASPNETWebServicesintheContextoftheWindowsCommunicationFoundation.aspx

WSE->WCF

http://wcf.netfx3.com/content/WindowsCommunicationFoundationWCFInteroperabilityandMigrationwithWSE20.aspx

General WCF resources

http://wcf.netfx3.com/files/default.aspx

how to get AlternativeName and UPN from X509 certificate

2007-02-27T23:23:00Z

using X509NameType Enumeration you can extract all the fields from a x509 certificate. this enum is new for .net 2.0

here is the code:

using System;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.IO;
using System.Security.Cryptography.X509Certificates;

class CertSelect
{
    static void Main()
    {
        try
        {
            X509Store store = new X509Store("MY",StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
            X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByTimeValid,DateTime.Now,false);
            X509Certificate2Collection scollection = X509Certificate2UI.SelectFromCollection(fcollection, "Test Certificate Select","Select a certificate from the following list to get information on that certificate",X509SelectionFlag.MultiSelection);
            Console.WriteLine("Number of certificates: {0{1",scollection.Count,Environment.NewLine);
                foreach (X509Certificate2 x509 in scollection)
                {
                    byte[] rawdata = x509.RawData;
                    Console.WriteLine("Content Type: {0{1",X509Certificate2.GetCertContentType(rawdata),Environment.NewLine);
                    Console.WriteLine("Friendly Name: {0{1",x509.FriendlyName,Environment.NewLine);
                    Console.WriteLine("Certificate Verified?: {0{1",x509.Verify(),Environment.NewLine);
                    Console.WriteLine("Simple Name: {0{1",x509.GetNameInfo(X509NameType.SimpleName,true),Environment.NewLine);
                    Console.WriteLine("Signature Algorithm: {0{1",x509.SignatureAlgorithm.FriendlyName,Environment.NewLine);
                    Console.WriteLine("Private Key: {0{1",x509.PrivateKey.ToXmlString(false),Environment.NewLine);
                    Console.WriteLine("Public Key: {0{1",x509.PublicKey.Key.ToXmlString(false),Environment.NewLine);
                    Console.WriteLine("Certificate Archived?: {0{1",x509.Archived,Environment.NewLine);
                    Console.WriteLine("Length of Raw Data: {0{1",x509.RawData.Length,Environment.NewLine);
                    X509Certificate2UI.DisplayCertificate(x509);
                    x509.Reset();

            store.Close();

        catch (CryptographicException)
            {
                   Console.WriteLine("Information could not be written out for this certificate.");

more info at: http://msdn2.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509nametype(VS.80).aspx

more about ajax security

2007-02-25T20:06:00Z

http://blogs.ittoolbox.com/security/dmorrill/archives/billy-hoffman-on-ajax-security-11141

some videos can be found here: http://www.asp.net/learn/videos/#ajax

defend - protect - detect - recover - manage !

2007-02-25T20:01:00Z

in order to know how do detect and attack and protect you should first understand the attack !

a very useful link for that:

http://www.attacklabs.com/

Netmon 3 - Nmcap.exe

2007-02-25T19:31:00Z

Network monitor 3.0 has a command line tool as well to capture traffic. You can use the ‘Nmcap.exe’ tool to capture frames without the GUI. This tool is available in the Network Monitor 3 installation directory.

I'm looking for a way now to intercept the traffic on real time - like breakpoints on fiddler

more info can be found here: http://blogs.technet.com/netmon/

and here: http://blogs.msdn.com/anmolm/archive/2007/02/18/security-tools-for-testers-part-ii.aspx