Security Tools

The CAT.NET 2.0 Configuration Analysis Engine

cisg — Tue, 01 Dec 2009 19:41:56 GMT

Maqbool Malik here…

One of the most significant update to CAT.NET in v2.0 is the addition of a configuration engine. The goal of the engine is to identify insecure configuration at all layers of the application (configuration files, code level configuration, etc.) which should be remediated prior to deployment on a production environment. The engine is highly configurable which enables an organization to tweak the default security baseline (out of the box implementation) to cater to their own security needs by making it more stringent or relaxed. The engine is shipped with a default set of thirty three rules which can be easily tweaked due to their XML structure and more rules can be easily added by adding additional XML files in the \Rules\ConfigurationRules directory. Take a look at any XML file in this directory to get familiar with the XML structure to understand how to author additional rules.

Another important class of configuration settings is those that are omitted in the configuration file for which the defaults are considered insecure. An example is the Role Manager cookieRequireSSL attribute for which the default settings is false, meaning that SSL is not required to return the role names cookie to the server. This class of insecure configurations will also be identified by the Engine, although the current version supports only XML tags and not attributes.

Highly Configurable
Let’s walk through an example to understand the flexibility and configurability provided by the Engine. Consider the CustomErrorConfRule.xml file below which ships with CAT.NET:

Line Number
1	<?xml version="1.0" encoding="utf-8"?>
2	<ConfigurationRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" typeName="Microsoft.InformationSecurity.CodeAnalysis.Engines.RulesModel.ConfigurationRule, Microsoft.InformationSecurity.CodeAnalysis.Engines.RulesModel, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b9ded31be328441b" enabled="true" comparisionType="AttributeCheck" isAndConditions="false">
3	<Information cultureName="en-US">
4	<Category>Web Security</Category>
5	<Certainity>50</Certainity>
6	<Description>Custom error is not turned on which can lead to information disclosure</Description>
7	<Email></Email>
8	<Name>Custom Error is set to off or remote only</Name>
9	<Owner></Owner>
10	<Resolution>Set mode attribute to On </Resolution>
11	<RuleId>WEBCONFSEC01</RuleId>
12	<SeverityLevel>High</SeverityLevel>
13	<Url></Url>
14	<Problem>Mode attribute is set to Off or RemoteOnly</Problem>
15	</Information>
16	<Conditions>
17	<Condition conditionId="4E9F86AD-B000-44C2-A207-0F60686AEE2D" configurationPath="/configuration/system.web/customErrors" attributeName="mode" attributeValue="Off" comparisionOperator="Equals" />
18	<Condition conditionId="946446DF-3C83-4B72-9C07-18A8E3DAD7E6" configurationPath="/configuration/system.web/customErrors" attributeName="mode" attributeValue="RemoteOnly" comparisionOperator="Equals" />
19	</Conditions>
20	</ConfigurationRule>

The first important attribute is on line 2 called “enabled”, this indicates whether the rule will be applied by the Engine. If you would like to turn off a rule, simply change the value of this attribute to “false”.

The second important attribute on line 2 is called “isAndConditions” which describes how conditions defined on lines 17 and 18 will be applied. Since it is currently set to false which implies that OR logic will be applied, meaning that if any of the conditions match listed on lines 17 and 18, the rule will match. In this particular case, the Engine will highlight cases where custom error mode is set to “Off” or “RemoteOnly”.

Sometimes it may be necessary for all conditions to be true in order for the rule to match; an example is the Authorization Deny tag. The conditions for such a rule may be as follows:

<Condition conditionId="80299E97-82BA-4ED1-8D29-FA22F0B34697" configurationPath="/configuration/system.web/authorization/deny" attributeName="users" attributeValue="*" comparisionOperator="Not,Equals"/>

<Condition conditionId="1E8A5337-9C1C-4038-B359-DEF75FD92D25" configurationPath="/configuration/system.web/authorization/deny" attributeName="users" attributeValue="?" comparisionOperator="Not,Equals"/>

Thus, the rule will only match when both conditions are true, in this case the Authorization Deny tag’s users attribute is not set to either of the values “*” and “?”. The conditionId attribute is simply a GUID that can be used by the consumer to uniquely track this issue via a bug tracking system.

Although in the above example the “Not Equals” comparison operator was used, many others are also supported by the Engine. These include:

Equivalency (comparisionOperator=“ Equals”)
Not Equivalent (comparisionOperator=“Not,Equals”)
Greater Than (comparisionOperator=”GreaterThan”)
Less Than (comparisionOperator=”LessThan”)
Existential (comparisionOperator=”Exists”)
Not Exists (comparisionOperator=”Not,Exists”)
Contains which allows keyword searches (comparisionOperator=”Contains”)
Not Contains (comparisionOperator=”Not,Contains”)
These operators can be used in conjunction with conditions and logical operators (AND/OR) to construct complex configuration rules. Happy Authoring!
Features on the horizon
The Configuration Engine is being improved to include additional rules, the set will likely increase to 50+ rules in the next release.
Code level configuration will also be analyzed and insecure settings will be reported. (I.E. Page level settings <%@ Page attribute="value" [attribute="value"...] %>)
The ability to check for absence of XML attributes for which the defaults are considered insecure. (The current version is able to check for absence of tags but not XML attributes)

Hope this helps….

How to Configure WPL v1.0 SRE

cisg — Wed, 18 Nov 2009 01:12:08 GMT

RV here...

With the release of Web Protection Library v1.0 (WPL) Security Runtime Engine (SRE) has been significantly updated. It now includes a SQL Injection Detection module which can detect certain attack vectors. It also include re-designed configuration editor which enables you to easily configure SRE. The following easy steps let you configure your application to use SRE.

Step 1 : Edit Configuration

First step is to configure your application web.config file to enable SRE modules. Star the configuration editor by going to Start –> All Programs –> Microsoft Information Security –> Web Protection Library v1.0 and clicking on SRE Configuration Editor shortcut.

The left side tree includes list of processors configured in the current config file. By default a blank web.config with all processors are loaded in the editor. Click on File –> Open to open an existing web.config file to add the processors. The configuration tree would be empty. Right Click on the “Configuration” node in the tree and select “New –> Cross Site Scripting Protection Module” to add XSS protection module to the application. Similarly, add the “SQL Injection Partial Protection Module” to the configuration node. Click on the save icon or select File –> Save to save the configuration. The following sections are added to the configuration file.

configSection/section nodes for defining processor configurations
httpModules/add for enabling the modules
processor configuration sections

Step2 : Copy SRE Binaries

Once the configuration is in place, ASP.NET will now try to resolve the httpModules defined in the configuration. In case of 64-bit windows Go to %ProgramFiles(x86)%\Microsoft Information Security\Web Protection Library v1.0\SecurityRuntimeEngine or 32-bit Windows go to %ProgramFiles%\Microsoft Information Security\Web Protection Library v1.0\SecurityRuntimeEngine directory and copy all the .dll files to \bin folder of your application. Here is a brief description of files found in this directory.

Don’t copy the SqlLibInstaller.msi as this is going to install the SQL Parser libraries on the machine.

Step 3: Test

Once you copy the binaries, SRE should automatically encode the controls being rendered on the page. It should also detect an SQL Injection Attempts as shown below. In case of XSS attack, inputs are automatically encoded by the Anti-XSS processor.

Similarly following exception is thrown when SQL queries are detected in the input.

You can handle this exception with custom errors page and provide generic information to the user. As we release new processors in WPL, we will continue to update the blog site with more how to information.

How to Run CAT.NET 2.0 CTP

cisg — Thu, 12 Nov 2009 22:54:11 GMT

RV here...

With the new build of CAT.NET available on connect.microsoft.com you must have noticed that the new version includes only a command line tool. We we will be releasing the Visual Studio rules as part of Beta1 release. So lets look at how we can use the command line version to analyze binaries and configuration files for insecure configuration.

After the installation click on Windows Start Menu and go to All Programs –> Microsoft Information Security –> Code Analysis for .NET (CAT.NET) v2.0 and select CAT.NET v2.0 Command Prompt. This will launch a command window and display all the command line options as shown below.

If you notice /file and /configdir are both required switches which are path to binary file and path to directory with .config files respectively. Optionally /report and /reportxsloutput are paths to report.xml and report.htm files which are outputs from cat.net analysis. Here is a sample command that runs the analysis on the sample application that is part of Anti-XSS distribution that identifies Cross Site Scripting vulnerabilities and some insecure configuration in web.config.

CATNetCmd.exe /file:"c:\AntiXss\Sample Application\bin\SampleApp.dll" /configdir:"C:\AntiXss\Sample Application" /report:"C:\AntiXss\SampleAppReport.xml" /reportxsloutput:"C:\AntiXss\Sample AppReport.htm"

In essence you should be using /file, /configdir, report and /reportxsloutput for your analysis. There are total 40 rules loaded by the engine which includes 33 config rules and 7 data flow rules. Generated report includes targets, time taken for analysis, summary of violations and violations details. Here is the report generated by the above sample command.

Configuration issues provide line numbers and violation xml in the report. Similarly data flow analysis rules provide the entry point and additional data to identify where the error is occurring. These will be dramatically improved in Beta1 to provide more detailed information on where violation has occurred and specific data flow paths in case of data flow rules. Keep checking our blog site for more information on CAT.NET tool.

WPL at SecurityBytes in India

cisg — Wed, 11 Nov 2009 07:05:25 GMT

If you want to come hear Anil Chintala (one of the developers on Anti-XSS) speak about the new WPL you can catch him at the OWASP / SecurityBytes conference in New Delhi later this week.

http://www.securitybyte.org/

It’s being opened by the former President of India!!

Anil Chintala currently works for Information Security Tools team in Microsoft as Senior SDE where he is responsible for building security tools and security management applications. He has worked on security tools such as Anti-XSS Library. Anil currently focuses on building Connected Information Security Framework (CISF) to integrate all the security management applications supporting Information Security program at Microsoft. Solving information security problems and writing secure code are his passion.

Anil holds a bachelors degree in Mechanical Engineering. He has over ten years of experience and expertise in building applications using Java and Microsoft/.NET technologies where he has led architecture, design and development of various enterprise applications for large software services, technology and consulting companies. He enjoys playing tennis, video games and watching football.

Some New Software Security Tools for Web Developers – (CTP Releases)

cisg — Wed, 11 Nov 2009 06:56:44 GMT

Curphey here…..(follow me on Twitter @curphey if you want the breaking news!)

My wife keeps telling me I work too much. Maybe I do, maybe I don’t but if I do I am not alone. Some folks on my team have been doing some super-human stuff and we are ready to share some early preview releases with y’all. Let’s call this Anti-patch Tuesday (assuming I get to post this before mid-night tonight)!

In this little package we have;

CAT.NET 2.0 CTP
WACA 1.0 CTP
WPL 1.0 CTP

Watch our recent video “Assessment and Protection Suite,” where RV and I discuss the future of these tools.

CAT.NET 2.0 CTP – CAT.NET is being re-written from the ground up. The original tainted data analysis algorithm has now been ported to the Phoenix compiler infrastructure, along with a shiny new configuration rules engine that look in the *.config for common security mis-configurations. This CTP is a command line only single-pass data flow engine and configuration rules engine. Over the coming few month or so we will work to scale the core engine and fully integrate the tool into the Code Analysis menu of Visual Studio 2010. When Visual Studio 2010 ship the tool will be released as a power Tool free to licensed users of Visual Studio.

WACA 1.0 CTP – Web Application Configuration Analyzer – WACA is built on the Best Practice analyzers and shares the same configuration setting rules as CAT.NET 2.0. WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It includes

Over 100 security rules in total (many more in the final release)
IIS Security Configuration
.NET Framework Security Configuration
SQL Server Security Configuration
Windows Permissions
Generate HTML based report, export results to Excel and export findings as work items to TFS (“Curpheys Favorite Feature tm” )
Scan a machine remotely (Requires WMI and Remote Registry)

If you think of rules you would like to see you can always let us know via the Connect site. No promises but we will promise to consider them all.

WPL 1.0 CTP – Web Protection Library – For a while we have been building and shipping the Anti-XSS library and have been working on broader mitigations for common web application security issues beyond XSS. The WPL will act as an umbrella for several libraries and runtime modules including Anti-XSS that provide coverage for issues such as SQL Injection and CSRF as well as enforcing security settings such as SSL and HTTP_ONLY cookies. We have worked hard to make the developer experience similar to that of EntLib with a configuration utility that runs inside of Visual Studio. We expect a first release of WPL early in 2010. This CTP includes the SQL Injection protection module. Using the Security Runtime Engine you can now install the technology on your IIS servers and provide reasonable runtime protection against XSS and SQLi without any code changes. We know that it won’t catch everything but testing and experience has shown it provides a solid level of coverage against many scenarios found in the real world. Get more details on WPL in a recent video, “Enhanced Web Protection Library” where RV talks about the expansion of what used to be the Anti-XSS Library.

To download these tools for free you will need to register on our Connect site. This helps us track the number of downloads and Connect provides a way for you to submit CR’s and bugs directly to the development team.

https://connect.microsoft.com/site/sitehome.aspx?SiteID=734

When you are registered for our program at Connect you can download the tools directly

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23328 – CAT.NET 2.0 CTP

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23329 – WPL 1.0 CTP

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23330 – WACA 1.0 CTP

We hope you enjoy the tools as much as we enjoy creating them. If you use them please let us know. Buy us beer at conferences (indeed invite us to speak at your security conferences and then buy us beer), send us “cube toys” and trinkets to put in our offices or just tell us how much you like our work in the comments section ;-)

- Curphey

PS – To my super-human team - Just cause I am sometimes grumpy doesn’t mean I am not in awe of your amazing work. I just get beaten too often on the foos-ball table to be happy all day! You all know who you are, I am super proud and honored to work with y’all. Now go get some sleep before the next sprints start!

Forefront Identity Manager 2010 (FIM 2010) Data Cache

cisg — Mon, 09 Nov 2009 16:12:20 GMT

Hi, Syam Pinnaka here. I am a Sr. SDE on the Information Security Tools Team. In one of the recent projects there is a requirement to build an audit trail of “Group” object related activities in Forefront Identity Manager 2010 (FIM 2010). FIM provides a WCF interface to program against it but building audit trail is not obvious at first look. In this blog post I will try explain how to program against FIM 2010 and also how to build audit trail of “Group” object related activities in FIM 2010.

Programming against Forefront Identity Manager 2010:

FIM provides an API in terms of a set of WCF end points to program against FIM objects. These FIM WCF endpoints are extensions to WS-* in order to enhance usability of these WCF endpoints by the client applications. One of the endpoint is “Enumeration Endpoint” using which we can query FIM objects. Queries can be constructed using “XPath Filter Dialect”. Enumeration Endpoint returns the FIM objects in xml serialized format.

More details about programming against FIM using WCF services can be found here. http://msdn.microsoft.com/en-us/library/ee652298(VS.100).aspx

Caching audit trail of activities on a FIM “Group” object:

All the requests made by different users in FIM are captured and stored as “Request” objects. Each request object contains the information about who made the request, request status indicating whether it’s a successful/failed request and some additional information required to change the state of targeted object. This additional information is passes and stored as “RequestParameter” in xml format. A sample request parameter XML for a create request looks like this.

<RequestParameter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="CreateRequestParameter"><Calculated>false</Calculated><PropertyName>DisplayedOwner</PropertyName><Value xmlns:q1="http://microsoft.com/wsdl/types/" xsi:type="q1:guid">21387668-baf1-42c9-84ab-ab68a3872311</Value></RequestParameter>

Each create “RequestParameter” has a PropertyName, Value elements and value type as an attribute.

Similarly an example update request parameter will be like this.

<RequestParameter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="UpdateRequestParameter"><Calculated>false</Calculated><PropertyName>MailNickname</PropertyName><Value xsi:type="xsd:string">amk123</Value><Mode>Modify</Mode></RequestParameter>

Each UpdateRequestParamter has a PropertyName, Value, Mode elements and value type as an attribute.

Delete request parameter will be similar to update request parameter with mode being ‘Remove’.

Each request that’s submitted to FIM can have one or more of these request parameters. These request parameters can be used to identify all the modifications that have happened to the object.

In order to find out all the changes that has ever happened to any object in FIM, we need to carry out the following the steps.

Find out all the requests that are targeted at the object that we wanted to keep track of. Use XPath query dialect to specify the object. We can specify an object meaning that we wanted to find all requests aimed at “Group” type objects.
After we find out all the requests, inspect all request parameters with each request to find out all the requested modifications.
Make a note of all these changes requested and request status in order to report back as part of the audit trail.
If we wanted to keep track of current status of an object, we need to incrementally apply all the changes (request parameter values) as we see them with each request. This is how we can incrementally re-construct an objects state by reading through request, request parameter combinations.

We are able to successfully follow this approach to construct the audit trail and keep an objects state up to date in a local database and report back all these changes to the users.

This is just an approach to follow and can be implemented in a variety of ways.

Happy coding and do ping me if you need more information.

Web Application Configuration Analyzer – WACA CTP Release Coming Soon

cisg — Fri, 06 Nov 2009 17:26:03 GMT

RV here...

Last year we developed an internal tool to review servers for security configuration issues. Microsoft offers several enterprise options for doing this such as Systems Center Configuration Manager but the requirements were for a lightweight stand-alone tool focused towards developers and testers who often developed in an unmanaged environment. The tools needed to help developers configure their local environments with security best practices and specifically target;

Windows shares access control issues
Windows services
IIS settings such as authentication settings
SSL settings
virtual directory settings
ASP.NET Web.Config settings
SQL Server authentication
extended stored procedures and database permissions

It will help developers to develop applications in secure de3velopment environments and ensure that their application works seamlessly in a similar secure production environment.

Quick summary of features included in WACA CTP.

Around 100 IIS, ASP.NET and SQL Server settings based on the MS-IT security deployment review settings
Scan a single machine locally or remotely for these settings
View an HTML report of the results
Export the results to Excel or to Visual Studio Team Foundation Server as work items
Extensible configuration option for Team Foundation Server fields mapping
Includes option to specify fixed scan credentials

Here is a screenshot of the landing screen for the tool.

This tool compliments the CAT.NET tool which performs static analysis of .NET code and infact both tools use the same configuration signature format for their configuration checks meaning you can now scan the code and check the configuration seamlessly. We are working on releasing a CTP next week which will be available on http://connect.microsoft.com (search for Information Security Tools and register).

Thanks
RV

How To: Web Service Load Testing Using VSTS 2010

cisg — Wed, 04 Nov 2009 21:54:38 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools team.

Apart from performance testing for web sites, I have done load testing on web services for many of our projects. I will show how to create a web test for web service using Visual studio team system 2010 (VSTS) which can be used in load testing.

Steps to create web test for web service:

Click on start, select VS, right click and select run as administrator

Click on File –> New –> Project
Select Test project and give appropriate name

Select the project, right click and select Add New Test

Select Web Test and give appropriate name for web test, click on ok

It will start IE in recording mode. Click on Stop

Right click on the web test and select add web service request

Select http://localhost node and set the properties

Url should be the asmx file of web service and you could also set response goal time say 5 seconds (response time of the web service should be 5 seconds)
Right click on the Url and select add header
Select headers first node

Select Name as SoapAction and enter value as shown, SoapAction indicates, its a SOAP request and the value of the header is URI

Enter value in string body, which is a soap envelop. Select content type as text/xml

Ex: String body value

   1: <?xml version="1.0" encoding="utf-8"?>

   2: <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

   3:   <soap:Body>

   4:     <GetGeneratedResponse xmlns="http://tempuri.org/">

   5:       <challenge>{{HSM1.HSM.ChallengeCode}}</challenge>

   6:       <cardGUID>{{HSM1.HSM.CardGUID}}</cardGUID>

   7:     </GetGeneratedResponse>

   8:   </soap:Body>

   9: </soap:Envelope>

You can get the soap envelop and soap action values by visiting asmx page of web service under test
The web service under test requires two values challenge and cardguid, it processes and returns response. In the above code am passing challenge code and card guid, these can be hard coded. But I have data bind them, where HSM1 is database, HSM is table name and challengecode is column name. The parameters values should be in {{ parameter name }} or simply a value without parenthesis.
Data binding is simple, click on the add data source button and select a database

Run the web test and make sure there aren’t any issues before using it for load testing
Your web test for web service is ready and your good to go ahead and use in a load test scenario ( For more information on performance testing, you can refer to my blog post on website performance testing simplified)

-Syed

How To: Use Perfmon in Windows 7

cisg — Wed, 04 Nov 2009 00:40:45 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools team.

This blog post is in continuation with How To: Identify Memory Leaks In An Unmanaged Application blog post. I will show how to setup perfmon to collect data for the selected counter in Windows 7.

Steps to configure perfmon

Click on start –> Click on Run
Enter Perfmon and press enter, click on Yes

It launches performance monitor
Click on Data Collector Sets
Select User Defined node and right click on it
Select New and Data collector Set

Enter a Name, select create manually and click on Next

Select create data logs, performance counter and click on Next

Click on Add

Select the required counters say processor Time, Add and click on OK

Click on Next
Browse to a folder, click on next

You can enter run as user details by clicking on change button
Select save and close and click on finish

The user data collector is created
Right click on the newly crated data set and click on start

Right click and select properties if you wish to change properties defined at any point of time
Once you are done with your application testing, right click and select stop

The log file is created and stored at the folder mentioned in the above steps
Open the log file and analyze the data for each counter

Publish the results

- Syed

Double Hop Windows Authentication with IIS Hosted WCF Service

cisg — Wed, 04 Nov 2009 00:35:07 GMT

Hello, Randy Evans here. I am a principal developer on the Information Security Tools Team. In a recent project, we had a intranet web site that called an IIS hosted WCF service. The WCF service, in turn, called a SQL Server Reporting Services (SSRS) web service. We wanted to utilize the authorization mechanisms of SSRS. To do this, we needed to impersonate the end user when we made the calls to SSRS. For the above scenario to work, we needed to perform an authentication double hop. Meaning, the web site needed to impersonate the user when calling the WCF service and the WCF service also needed to impersonate the user when calling SSRS. Our project was using Kerberos based authentication. By default, Windows authentication does not allow a user’s impersonated credentials to be reused when attempting to authenticate to a remote resource. The SSRS web service is considered a remote resource from the WCF service. There are many blogs and listings in social networks that explain how to impersonate a user coming to an IIS hosted WCF service. However, these articles do not explain how to perform the double hop. Once the service is set up to accept impersonation, the answer was actually quite simple.

Windows authentication supports 5 levels of impersonation. The forth, and default, level is Impersonate. The fifth level is Delegate. The default level does not allow the double hop authentication. To enable the double hop, the client calling the WCF service needs to set the impersonation level of the WCF service to Delegate. This is performed with the following code:

  Service1Client service = new Service1Client();

  //Sets the impersonation level to delegation.  Without delegation level impersonation, 
  //the WCF service would not be able to impersonate to a remote server.
  service.ClientCredentials.Windows.AllowedImpersonationLevel = 
     System.Security.Principal.TokenImpersonationLevel.Delegation;

  string retString = service.GetData(1);

In addition to setting the impersonation level to Delegate, there are two other places where changes need to occur.

Enable impersonation at the web site. Either enable ASP.NET impersonation for the entire site or temporarily impersonate the user from within the web site by using WindowsIdentity.Impersonate(token).

Add the following attribute to each method in the WCF service that needs impersonation.

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]

Example:

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string GetData(int value)
{

    //This is the service call that requires the double hop.
    ReportingService2005 reportService = new ReportingService2005();
    reportService.Credentials = System.Net.CredentialCache.DefaultCredentials;

    //Get a listing of all items in the reporting service catalog that are in the root folder.
    CatalogItem[] catalogItems = reportService.ListChildren("/", false);

    StringBuilder retString = new StringBuilder();

    foreach (CatalogItem catalogItem in catalogItems)
        retString.Append("<br>" + catalogItem.Name);

    retString.Append("<br>You entered: " + value.ToString());

    return retString.ToString();
}

NOTE – ImpersonationOption.Required will work as well.

There are three modifications required in the web.config file of the WCF Service web application.

1. Add the following binding node under the <system.serviceModel> node to enforce Windows authentication.

      <bindings>
        <basicHttpBinding>
          <binding name="winAuthBasicHttpBinding">
            <security mode="TransportCredentialOnly">
              <transport clientCredentialType="Windows"/>
            </security>
          </binding>
        </basicHttpBinding>
      </bindings>

2. Reference this binding from the service endpoint node.

         <endpoint address="" 
                   binding="basicHttpBinding" 
                   bindingConfiguration="winAuthBasicHttpBinding"
                   contract="Service.Service" />

Note that the binding name string must match the bindingConfiguration string. In this example the string value is “winAuthBasicHttpBinding”.

3. Add the following node to the service’s serviceBehaviors behavior node.

         <serviceAuthorization impersonateCallerForAllOperations="true" />

Example:

        <behaviors>
            <serviceBehaviors>
                <behavior name="Service.ServiceBehavior">
                    <serviceMetadata httpGetEnabled="true" />
                    <serviceDebug includeExceptionDetailInFaults="True" />
                    <serviceAuthorization impersonateCallerForAllOperations="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>

Follow the below link for more details from MSDN on using impersonation with WCF services.

http://msdn.microsoft.com/en-us/library/ms730088.aspx

Normal Service Will Resume Soon

cisg — Wed, 28 Oct 2009 20:21:13 GMT

The coding fairies are been busy crafting code. Blogging (and maybe even Tweeting if there is a demand) will return soon and well have a few nice CTP’s for you to play with over the next few weeks.

Look for news about;

CAT.NET 2.0 CTP – Rebuilt from the ground up using Phoenix
WPL 1.0 CTP – with XSS and SQL injection protection at run-time
TAM 3.0 – Final release (with a very cool twist that we think the community will appreciate)
BitLocker Key Recovery Tool – A BitLocker key escrow system for enterprise type BitLocker deployments

CISF is also really starting to shape up and there will now be a major code drop early in the new year including a very cool security BI solution, a completely re-written portal (which also looks great), notification engine and more. All enterprise tools from our team (and there are several big ones that will be released in 2010) will require CISF moving forward.

Stay tuned!

How To: Use VSTS Code Profiler

cisg — Wed, 28 Oct 2009 20:17:47 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools team.

This blog post is in continuation with website performance testing simplified blog post. The final step in performance testing is to narrow down the faulty code which is taking lot of time or memory or CPU usage. I will show how VSTS code profiler can be used to narrow down the faulty code in a website.

Steps to configure VSTS Code Profiler:

Launch VSTS and open the website.
Run through all scenarios in the website and make sure there aren’t any errors or blockages.
Click on Analyze menu and select launch performance wizard.
It launches a wizard as shown below. It can profile current project or exe or dll or a website. Select the first one and click on next.

Select the method of profiling say instrumentation and click on next.

Click on finish button

Save the session
Performance explorer is be launched

Select launch with profiling as shown below

Execute all scenarios in the application
Click on stop button
Report is generated and is shown in the report section of performance explorer

Select the report, performance report summary is shown

The report clearly shows which functions are most called, functions taking longest..,
You can save the performance session and reports
You can change the current view and analyze the data to identify the faulty code

- Syed

Web Protection Library – CTP Release Coming Soon

cisg — Sat, 17 Oct 2009 17:35:03 GMT

RV here...

Over the last couple of months we have been actively developing the next version of Anti-XSS library and Security Runtime Engine (SRE). We have added new mitigations that go way beyond the original Cross Site Scripting (XSS) protections of the Anti-XSS Library hence the change in name to the Web Protection Library or WPL.

WPL now includes encoding methods to provide mitigations around LDAP Injection and CSS Injections (Cascading Style Sheets) with several others planned for the future. The runtime protection module includes a new HTTP Module that detects and protects from SQL Injection attempts using a specialized SQL Parser to detect any valid SQL queries in the input.

A quick summary of changes in Web Protection Library v1.0 are;

New Encoder and Sanitizer classes provide encoding and sanitization functionality respectively
AntiXss class is marked as obsolete, now generates a warning when compiled using AntiXss but methods work the same for backwards compatibility
Updated Anti-XSS Module to increase performance
New SQL Injection detection module to detect SQL Queries in input
Completely redesigned configuration UI which provides easy editing of configuration files directly from within Visual Studio
Merged configuration files into sing web.config. Separate antixssmodule.config is not required anymore
SRE exposes an extensibility API which can be used to build new mitigations

We are really pleased with the significant progress we are making in this space and excited about getting some more community feedback by way of a community technology preview. If you are building ASP.NET web sites you need to be using WPL, period.

In the next couple of weeks we will be providing more information on our blog along with download links and ways to register for the Connect site to provide bugs and DCR’s.

Thanks,

How to Integrate Risk Tracker with Internal HR Feeds

cisg — Wed, 30 Sep 2009 23:56:00 GMT

Hi, Vineet Batta here. I’m a senior software developer on the Information Security Tools (IST) team.

In my last blog I shared details on features of the Risk Tracker application focusing on the Risk Management module. Today, I will help customers who may want to deploy this in their organizations (this tool is licensed under MS-PL). First there are prerequisite integration steps that needs to be completed so that Risk tracker can be successfully deployed in an environment.

A core functionality of Risk Tracker is the AuthZ (Authentication & Authorization) component. Risk Tracker relies on the following to allow access to the Risk Tracker application based on a user’s configuration setup in the back end system. The prerequisites include:

Active Directory services are available.
Person table is populated (exists in ISRM db).
Organization table is populated (exists in ISRM db).
Security Groups Configurations are completed.
Cache Manager executable has run at least once.

Person Table

This table needs to be populated with all the employee information within an organization. Only people who have records in this table based on roles defined for them will have access to Risk Tracker. I will explain more about roles later. The records in this table need to be continuously synchronized from the actual source (HR feed system).

Example:

Internally our team implemented SISS package that did this required synchronization of employee data which helps maintain updated employee records in the Person table. You can do this for your internal implementation to maintain the records in this table.

OrganizationHierarchy table

This table holds the organization hierarchy information for your organization. Most of the organizations also have code (column OrganizationHierarchyCode) associated with it also. This column is also referenced in the ‘Person’ table.

Example:

Internally our team implemented SISS package that retrieved this organizations hierarchy from an internal HR feed which now allows the organization hierarchy to be maintained here. You can do the same for your internal implementation and maintain the records in this table as well.

Security Group Configuration

Default Roles are setup as below in the ISRM db with correct Hierarchy during installation. The data is in the Role table.

Note: Parent inherits Childs permission in this system.

Define Security groups in [AuthorizationGroup] for each role. Example: ‘Risk Manager Group’. This is a required step.

For user to have access to the application based on roles (defined above) the user should belong to one or more security groups defined in AD. Then these groups should be mapped to specific role in the ISRM database. This mapping data is stored in [RoleMapping] table.

Example of data in [RoleMapping] table:

Here the GroupID is the Foreign key referenced from primary table [AuthorizationGroup].

Cache Manager

The final step is to run the Cache Manager executable {The detailed deployment steps for Cache Manager are documented in Installation help file} . This will populate the data in the ISRM database for users with the correct role mapping based on which security group they belong to. Please verify that the data is populated in the following tables:

[AuthZUser]
[AuthZUserRole]

Hope this helps folks who are trying to integrate Risk Tracker with their internal HR data feeds for employee data. In my next blog I will do a deep dive into the service layer and authorization implementation which we did for Risk Tracker. Stay tuned…

-Vineet

InfoPath Forms submission to a SharePoint Library – Part 2

cisg — Wed, 30 Sep 2009 06:50:35 GMT

Hi, Aravindhan Rajagopal here. I am a developer on the Information Security Tools team.

This post continues form my previous blog (Part 1 here) on InfoPath form submission to SharePoint...Lets go through the web service creation and form submission methods specific to the scenario where custom codes inbuilt in an InfoPath form does not work in an organization.

Web Service Creation:

As we know, InfoPath forms are nothing but xmls. So each and every InfoPath forms submitted in email can be saved as an XML from outlook. So you can go through the xmls that gets generated for each type of form submission and come up with a web service methods real quick. I felt that this method would help you cover almost all the real time scenarios and options that the customers would do while submitting and hence the resulting xmls - that you should cover in your web service. Not to forget the xml namespace consideration in the web service code.

Please Note: This method would come handy in case your InfoPath form contains repeatable sections. I have seen many InfoPath forms that were constructed using copy/paste of controls from one place to the other. This would result in an ill formed xml, making it tricky to be considered for a web service call. The above email –> save as xml –> for all the form submit options would help you create a clean InfoPath form.

For eg.,

Assume that the InfoPath designer copy pasted the controls between repeatable sections - which is quite common during creation of InfoPath forms.

The xml might end up like below, if the designer has copy pasted the router section controls from server section controls in the InfoPath form.

<my:opt_formBody>
        <my:radioOption>2</my:radioOption>
        <my:ServerRequestSection>
            <my:textRequestor>john</my:textRequestor>
            <my:textAlias>johnabc</my:textAlias>
            <my:textTeamName>Infosec Team</my:textTeamName>
            <my:textServerName>XYZ Router Name</my:textServerName> <<--- Router name filled under server name
            <my:richtextComments>This is test data</my:richtextComments>
        </my:ServerRequestSection>
        <my:RouterRequestSection> <<---This is the section which was originally filled up by the customer
        </my:RouterRequestSection>
</my:opt_formBody>

You might understand how it would be if the router name is assigned to a server :-) The original intended xml should be like below

<my:opt_formBody>
        <my:radioOption>2</my:radioOption>
        <my:ServerRequestSection>
            <my:textRequestor></my:textRequestor>
            <my:textAlias></my:textAlias>
            <my:textTeamName></my:textTeamName>
            <my:textServerName></my:textServerName>
            <my:richtextComments></my:richtextComments>
        </my:ServerRequestSection>
        <my:RouterRequestSection>
            <my:textRequestor>john</my:textRequestor>
            <my:textAlias>johnabc</my:textAlias>
            <my:textTeamName>Infosec Team</my:textTeamName>
            <my:textRouterName>XYZ Router Name</my:textRouterName>
            <my:richtextComments>This is test data</my:richtextComments>
        </my:groupUnknownLocation>
</my:opt_formBody>

The custom action (request logging and tracking in our case) can be implemented in the web service code in its appropriate method pertaining to each of the forms. I think I need not go through that section in detail as it may not fit your requirement

Lastly, instead of having the customer go to individual form library and hit a new item button (please refer to MSDN articles on how to publish an InfoPath template to a SharePoint library), we shall list all the forms in a single page in the team site. To accomplish this, we may publish the templates to form libraries (either individual or multiple) and refer to the template form in the customer facing page like below

<%@ Page Language="C#" %>
<html dir="ltr">

<head runat="server">
<META name="WebPartPageExpansion" content="full">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Customer Engagement Forms</title>
</head>

<body>
<form id="form1" runat="server">
    <a href="../ServerEngagement/Forms/template.xsn">Server Request</a>
    <br>
    <a href="../RouterEngagement/Forms/template.xsn">Router Request</a>
    <br>
    <a href="../AccessRequest/Forms/template.xsn">Access Request</a>
</form>
</body>

Please leave comments in case you need any particular topic discussed above needs to be elaborated.