Welcome to MSDN Blogs Sign in | Join | Help

September 2004 - Posts

Microsoft Exchange 5.0's credential cache security problems

The other day, I wrote about the Exchange 5.0 NNTP (and POP3, and Exchange 5.5 IMAP) server’s credential cache. Well, the credentials cache was my first experience with a customer reported security vulnerability. As reported in Windows IT Pro magazine, Read More...
Posted Thursday, September 30, 2004 11:11 PM by LarryOsterman | 5 Comments

Desigining an authentication system

I ran into this a while ago, and thought it was a wonderful discussion of how to go about designing a high quality authentication system. As I’ve mentioned in the past, authentication is one of the hardest problems in security – authorization Read More...
Posted Wednesday, September 29, 2004 8:47 PM by LarryOsterman | 8 Comments

Hey, why am I leaking all my BSTR's?

IMHO, every developer should have a recent copy of the debugging tools for windows package installed on their machine (it's updated regularly, so check to see if there's a newer version). One of the most useful leak tracking tools around is a wonderfully Read More...
Posted Tuesday, September 28, 2004 4:22 PM by LarryOsterman | 11 Comments

When I moved my code into a library, what happened to my ATL COM objects?

A caveat: This post discusses details of how ATL7 works. For other version of ATL, YMMV. The general principals apply for all versions, but the details are likely to be different. My group’s recently been working on reducing the number of DLLs that Read More...
Posted Monday, September 27, 2004 5:15 PM by LarryOsterman | 6 Comments
Filed under:

Cleaning up shared resources when a process is abnormally terminated

This post came into my suggestion box yesterday from Darren Cherneski: We have a system that has an in-memory SQL database running in shared memory that is created with CreateFileMapping(). Processes start up, attach to it via a DLL, do some queries, Read More...
Posted Friday, September 24, 2004 4:53 PM by LarryOsterman | 16 Comments

Types of testers and types of testing

In yesterday’s “non admin” post, Mat Hall made the following comment : "Isn't testing the whole purpose of developing as non-admin?" Remember, Larry is lucky enough that the REAL testing of his work is done by someone else. The last time I did any development Read More...
Posted Thursday, September 23, 2004 5:59 PM by LarryOsterman | 15 Comments

Running Non Admin

There’s been a fascinating process going on over here behind the curtains. With the advent of XP SP2, more and more people are running as non administrative users. Well, it’s my turn to practice what I preach, I’ve taken the plunge on my laptop and my Read More...
Posted Wednesday, September 22, 2004 4:38 PM by LarryOsterman | 37 Comments
Filed under:

Why is there a GENERIC_MAPPING parameter to the AccessCheck API?

Ok, back to techie stuff. I recently received the following piece of mail sent to an internal mailing list: How is GenericMapping used by AccessCheck function? I thought it would be used to map GENERIC_XXX rights in the ACEs contained by the security Read More...
Posted Tuesday, September 21, 2004 4:45 PM by LarryOsterman | 1 Comments

On the "Day of Caring"

Well, I spent Friday morning (and part of the afternoon) at the Center for Career Alternatives , down in the Rainier Valley. I wasn’t going to write about it, but this comment from Mat Hall pushed me over the top (profanity removed) A lesser man Read More...
Posted Monday, September 20, 2004 4:17 PM by LarryOsterman | 7 Comments

Putting Pants on an Elephant.

Valorie's enrolled in City University to get her Masters in Teaching. Yesterday was her orientation class, and one of the lectures was entitled "How to put pants on an Elephant". My first reaction on hearing the title of the lecture was "Huh?" That makes Read More...
Posted Saturday, September 18, 2004 1:37 PM by LarryOsterman | 2 Comments

Going Dark Tomorrow.

Sorry about not posting anything significant today, I've been swamped. And tomorrow's the "Day of Caring" so I'll be talking at a local career center (along with a bunch of co-workers) about working at Microsoft, so I'm not likely to have anything. Sorry Read More...
Posted Friday, September 17, 2004 12:11 AM by LarryOsterman | 3 Comments
Filed under:

I figure this is redundant, but...

If there's anyone reading my blog that's not reading Raymonds , Raymond has finally proven for once and for all that he is THE uber geek. One of todays blog posts is this gem - it's a visual analysis of the spam that he's received over the past ten years. Read More...
Posted Thursday, September 16, 2004 7:18 AM by LarryOsterman | 2 Comments

Proudly Serving our corporate masters...

Adam Barr, a friend and former co-worker of mine (and currently an employee over in another part of Longhorn) is the author of a wonderful book on the development process at Microsoft called “ Proudly Serving My Corporate Masters ”. The story on page Read More...
Posted Wednesday, September 15, 2004 7:55 PM by LarryOsterman | 6 Comments

Access Checks, part 2

Yesterday I discussed the format of an ACL. For todays post, I want to talk about how the system uses ACLs to perform access checks. Once again, the post on security terms is likely to be helpful. There are two forms of access check accessable from the Read More...
Posted Tuesday, September 14, 2004 9:36 PM by LarryOsterman | 4 Comments
Filed under:

Access Checks

Before I begin today’s post, a caveat: In this discussion, when I use the term “security”, I don’t mean “security defect free”, instead I mean “using the NT security subsystem”. The two often become confused, Read More...
Posted Monday, September 13, 2004 8:29 PM by LarryOsterman | 6 Comments
Filed under:

I thought I could avoid writing this today but...

For 9/11, Joel's gone dark . It won't be there after 9/11, but today, his blog has been replaced with a Vietnam Veterans Memorial style listing of all of the 9/11 victims (edit: Updated to permalink of memorial page). It's been 3 years, and my images Read More...
Posted Saturday, September 11, 2004 2:18 PM by LarryOsterman | 2 Comments
Filed under:

Structured Exception Handling Considered Harmful

I could have sworn that I wrote this up before, but apparently I’ve never posted it, even though it’s been one of my favorite rants for years. In my “ What’s wrong with this code, Part 6 ” post, several of the commenters Read More...
Posted Friday, September 10, 2004 8:20 PM by LarryOsterman | 31 Comments

What's wrong with this code, part 6 - the answers

In yesterdays post I presented a trace log writer that had a subtle bug. As I mentioned, the problem had nothing to do with the code, but instead, the problem had to do with the directory in which the trace log file was written. My second hint to the Read More...
Posted Thursday, September 09, 2004 4:58 PM by LarryOsterman | 6 Comments

What's wrong with this code, part 6

Today, let’s look at a trace log writer. It’s the kind of thing that you’d find in many applications; it simply does a printf and writes its output to a log file. In order to have maximum flexibility, the code re-opens the file every time the application Read More...
Posted Wednesday, September 08, 2004 4:39 PM by LarryOsterman | 45 Comments

Dare on cost cutting at Microsoft

Dare Obasanjo has an insightful post here about Microsoft’s cost cutting strategies. Dare and I’ve had some rather vocal disagreements in the past (mostly about XML, and mostly in private ☺ ) but IMHO, he’s 100% right on here. I fully support Microsoft Read More...
Posted Tuesday, September 07, 2004 9:57 AM by LarryOsterman | 8 Comments

How Exchange's role SIDs work (aka. NT's security on Psychotropic Drugs)

Now that we've seen some of the things you can do with SIDs when you use them in the way they were intended to be used, now let's see what you can do with SIDs when you’re willing to work outside the box. For Exchange 2000, we had a product requirement Read More...
Posted Friday, September 03, 2004 4:35 PM by LarryOsterman | 5 Comments

Fun things to do with SIDs

As I mentioned in my previous article , SIDs are fascinating beasts. Consider domain SIDs. As I mentioned yesterday, domain SIDs have the form S-1-5-5-X-Y. But where do X and Y come from? S-1-5-5-X is the “domain” SID (X is the domain RID). It turns out Read More...
Posted Thursday, September 02, 2004 2:15 PM by LarryOsterman | 6 Comments
Filed under:

What is this thing called, SID?

One of the core data structures in the NT security infrastructure is the security identifier, or SID. NT uses two data types to represent the SID, a PSID, which is just an alias for VOID *, and a SID, which is a more complicated structure (declared in Read More...
Posted Wednesday, September 01, 2004 3:46 PM by LarryOsterman | 24 Comments
Filed under:
 
Page view tracker