Lost in .NET Code

Developing software in .NET, Security and other ramblings.

XP Antivirus 2008

Wednesday, August 27, 2008

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

Having spent a good couple of hours this week cleaning up XP Antivirus 2008, and in one case having to do it twice (sigh), it was very interesting to see this article. Everyone should read it: the quality of the attack that XP Antivirus 2008 uses is quite scary and will probably start to set a benchmark for coming attacks. It will require a lot of education to protect users from this type of threat.




Microsoft Anti Scripting Library + Base controls

Wednesday, June 18, 2008

I have been experimenting with finding quick fixes for XSS on an existing site, using the browser file in ASP.NET to get a system-wide Anti-XSS implementation without having to go through each bit of code.

By no means is this a perfect solution; you should still go through all of the code that you are working on, but sometimes you need to get a defence up and running.

This technique I am experimenting with would also be potentially useful when starting off a new site, with a set of basic controls that have the Microsoft Anti Scripting library applied as standard.

Links to the Microsoft Anti Scripting Library.

http://www.microsoft.com/downloads/details.aspx?familyid=EFB9C819-53FF-4F82-BFAF-E11625130C25&displaylang=en

Example:
http://msdn.microsoft.com/en-us/library/aa973813.aspx

This is the code I am tinkering with:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using Microsoft.Security.Application;
using System.Web.UI.WebControls;

namespace UnwindSoftwareLtd.Web.StandardAxss
{
    // Control adapter for the Label control. Once registered through an
    // App_Browsers .browser file it is applied to every Label on the site,
    // so the Text is HTML-encoded with the Anti-XSS library before the
    // control renders, without touching page code.
    public class LabelControl : System.Web.UI.WebControls.Adapters.WebControlAdapter
    {
        protected override void Render(System.Web.UI.HtmlTextWriter writer)
        {
            // Encode the Text, then let the standard Label rendering run.
            ((Label)base.Control).Text = AntiXss.HtmlEncode(((Label)base.Control).Text);
            base.Render(writer);
        }
    }
}


Ideally though I would like the Anti Scripting Lib to be applied to all MS controls, switched on by default. I accept there are applications that need to use, for example, the Label control to output JavaScript, but it would be great if you could use a switch to say don't use the Anti Scripting library, or that I want to output in JavaScript format for that control.
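The adapter does nothing until ASP.NET is told to apply it. Here, as an added example that is not part of the original post, is the App_Browsers .browser file that maps every Label to the adapter above; it assumes the compiled assembly containing UnwindSoftwareLtd.Web.StandardAxss.LabelControl sits in the site's Bin folder, and the file name is an assumption.

```xml
<!-- App_Browsers/AntiXssAdapters.browser (file name is an assumption) -->
<browsers>
  <!-- refID="Default" extends the default browser definition, so the
       adapter applies to every client rather than one browser family. -->
  <browser refID="Default">
    <controlAdapters>
      <!-- Every System.Web.UI.WebControls.Label on the site now renders
           through LabelControl, which HTML-encodes Text via AntiXss.HtmlEncode. -->
      <adapter controlType="System.Web.UI.WebControls.Label"
               adapterType="UnwindSoftwareLtd.Web.StandardAxss.LabelControl" />
    </controlAdapters>
  </browser>
</browsers>
```

With this file in place, a Label whose Text comes from untrusted input emits encoded text rather than markup. The flip side is that a Label that legitimately holds markup is encoded too, which is exactly the per-control switch the post asks for.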



James


HostingUK dedicated box tips

Friday, May 30, 2008



Been meaning to post this for a while.

When I pick up a HostingUK dedicated box, these are some of the tips I give to customers when they start with a dedicated box.


Disclaimer.

I am not a Windows expert by any means. PLEASE MAKE SURE YOU REVIEW EVERYTHING.


Shut down all services not needed

Unless you are using it, shut down all services.

These are the standard services that I shut down on a HostingUK box.

IIS :

SharePoint Services

Report Server

Default Website

Administration Server (no Web Admin on)

Get a static IP Address to admin the box

Get a static IP address so that you can admin the box from only a selected set of addresses.

Confirm the Firewall rules to the ISP

Most of what you will need is normally:

WWW 80 / 443

FTP

HostingUK will have a standard list open.

Download and install Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Run it and follow it.

Windows Update

Set up a patch schedule and make sure you auto update regularly.

Uninstall unneeded software

If you don’t need it on the box delete it ASAP.

Change the Administrator Password

Change the administrator password. Make sure it is a considerably strong password.

Use http://www.pctools.com/guides/password/ and generate one with a reasonable length of maybe 12 chars.

Switch on Logging

Switch on logging for both SQL Server and Windows, and give yourself full logging on IIS.

http://www.visualwin.com/Log-in/logging-failed-logins.html

SQL Server

Read the following:

http://download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc

Take offline unused Websites

SQL Server 2005

Take offline the following:

AdventureWorks
AdventureWorksDW
ReportServer
ReportServerTempDB

Rename your sa account on SQL Server and disable it.

The command used is:

ALTER LOGIN sa DISABLE;

ALTER LOGIN sa WITH NAME = [saNewAccountName];

Switch off TCP/IP access for SQL Server

SQL Server TCP/IP is switched off at the moment for security reasons. There is no point having it on until we need it on; it is on shared memory.

Admin your SQL Server directly on the box

This means you don't need to have a TCP/IP connection open.

These are just some general rules I follow when starting with a box; hopefully it will be a good starting point for anyone taking over a dedicated box from HostingUK.


Word : Selection.Find.Execute

Wednesday, April 2, 2008

Just because I have run into this one this week: under no circumstances use

Selection.Find.Execute

in the Word object model; it is horribly buggy. It may work on your development box and 80% of the boxes you deploy it on, but on the other 20% it will fail with a lovely COM death.

If you need to use the find / replace command in Word, you have to late bind to it; don't early bind under any circumstances.



// Late-bound call to Find.Execute. Assumptions added so the fragment is
// self-contained: wd is the Word.Application instance, and the wdTrue /
// wdFalse / n values are boxed as below (they were not in the original snippet).
// Requires: using System.Reflection; (for BindingFlags)
object wdTrue = true;
object wdFalse = false;
object n = System.Reflection.Missing.Value;   // "not specified" for optional COM arguments

object searchText = @"\<\<*_*\>\>";          // wildcard pattern, hence MatchWildcards = true below
object myFind = wd.Selection.Find;

// Execute takes 15 positional arguments, in the order of the Find.Execute signature.
object[] Parameters;
Parameters = new object[15];
Parameters[0] = searchText;   // FindText
Parameters[1] = wdFalse;      // MatchCase
Parameters[2] = wdFalse;      // MatchWholeWord
Parameters[3] = wdTrue;       // MatchWildcards
Parameters[4] = wdFalse;      // MatchSoundsLike
Parameters[5] = wdFalse;      // MatchAllWordForms
Parameters[6] = wdFalse;      // Forward
Parameters[7] = wdFalse;      // Wrap
Parameters[8] = n;            // Format
Parameters[9] = n;            // ReplaceWith
Parameters[10] = wdFalse;     // Replace
Parameters[11] = wdFalse;     // MatchKashida
Parameters[12] = wdFalse;     // MatchDiacritics
Parameters[13] = wdFalse;     // MatchAlefHamza
Parameters[14] = wdFalse;     // MatchControl

// Each successful Execute moves wd.Selection onto the next match; the loop
// ends when Execute returns false (no further match).
while ((bool)myFind.GetType().InvokeMember("Execute", BindingFlags.InvokeMethod, null, myFind, Parameters))
{
    // Work with wd.Selection (the current match) here.
}


Microsoft have also released a KB, which took me a while to find searching through Google.

http://support.microsoft.com/kb/313104/en-us
http://support.microsoft.com/kb/292744/en-us

Hopefully this one stops someone else having the same nightmare.


Microsoft are going to improve setup and deployment.

Wednesday, February 20, 2008

Just reading Scott Gu's posting:
http://weblogs.asp.net/scottgu/archive/2008/02/19/net-3-5-client-product-roadmap.aspx

It outlines some of the major improvements that they are trying to make.
This sentence is music to my ears:

"We’ll also be delivering improvements that enable a more integrated application install experience for both MSI and ClickOnce based solutions, and support a more consumer friendly user experience that is easy to build."

Where do I sign to get on board with this one? I have crossed my toes that they don't drop this idea. It is essential to pushing WPF out and making WinForms deployment smoother than it is at the moment. I deploy one application at the moment by ClickOnce and I can tell you it is seriously painful in places.

Looking forward though to the changes.


Linq Changes from Beta 2 to RTM

Thursday, October 18, 2007

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2060651&SiteID=1

Some of the changes that are coming from Beta 2 to RTM have been published.

Some good news, such as:

"Correct handling of database-generated GUID key values". Hooray.

Some interesting news..

Previous Method (Beta1 and Beta2)    Renamed Method (VS 2008 RTM)
Add()                                InsertOnSubmit()
AddAll()                             InsertAllOnSubmit()
Remove()                             DeleteOnSubmit()
RemoveAll()                          DeleteAllOnSubmit()


I know exactly why they are changing this: when you first start with LINQ you believe that an Add() would actually add to the database in LINQ to SQL. That in fact is not true until you actually submit a change, i.e.:

// Beta 2 code: Add() only queues the insert in the context; nothing reaches
// the database until SubmitChanges() runs. (In VS 2008 RTM, Add() becomes
// InsertOnSubmit().) urlFeed and xmlString are assumed to be in scope.
using (YYYDatabaseDataContext rdb = new YYYDatabaseDataContext())
{
    RssFeed rssFeed = new RssFeed();

    rssFeed.CopyRightNotice = "bbc.co.uk/news";
    rssFeed.DateAdded = DateTime.Now;
    rssFeed.RssUrl = urlFeed;
    rssFeed.RssXML = xmlString;
    rssFeed.Title = "BBC News";

    rdb.RssFeeds.Add(rssFeed);   // queues the new row in the context only
    rdb.SubmitChanges();         // without this line the row is silently never written
}


When you don't call SubmitChanges() your code does not throw any exception or warning; it just does not add/change anything in the DB. Most devs when first starting with LINQ will assume that rdb.RssFeeds.Add(rssFeed) would be good enough, because it is in everything else in .NET, such as collections.

This causes serious dev risk in terms of code problems, and it is something that I am starting to think may be worth writing a tool to look for in large code bases. I have already come across the issue myself: I forgot to add SubmitChanges(). Your code looks fine but you seem to lose a record in a table somewhere in your process.

Although in my heart I welcome the change because it will solve a lot of the confusion, it is going to be one of those changes that early adopters will be very frustrated with.

Search and replace for Add is not actually that simple because you use .Add in all sorts of contexts, i.e. generic Lists, collections. So on one of my projects it looks like I will be adding a couple of days to the project time to move from Beta 2 to RTM. Fair enough, that is the risk of being in early, but it is an important lesson to all devs when building frameworks: naming things correctly from the start gives you a lot less pain later, both in supporting the product and in making a change late in the day if you have customers out in beta/alpha developing on the platform.
