CyberForge

This blog is moving! - New location http://www.aniltj.com/blog

Anil John — Tue, 10 May 2005 04:03:00 GMT

This blog is moving!

RSS Feed @ http://www.aniltj.com/blog/SyndicationService.asmx/GetRss

Whew!!

Anil John — Tue, 21 Dec 2004 09:30:00 GMT

When I wrote about Reliability and Security in a home network environment earlier, I never realized that I would have to put it to the test so soon!

About a week ago, my SBS 2003 server started hootin' and hollerin' at me. It turned out that the 200GB hard drive that held all of my data was the culprit. I rebooted the machine, came into the drive diagnostics and found out that the new drive that held all of my data had just given up the ghost! But since that drive was configured in a RAID 1 (Mirrored) configuration I had a bit of a reprieve. I broke the array, took the defective drive out of the drive caddy and rebooted. Everything just came up just fine! Sweet!

I immediately increased the frequency of my backups to my external USB drive to daily instead of weekly and called the drive manufacturer to request a replacement. I got the replacement drive today, loaded it into the drive caddy, brought up the RAID controller console, and asked it to rebuild my RAID 1 array. It took more than 2 hours, but I just got notified that the drive array rebuild was complete and that my RAID 1 array was functioning properly. My paranoia.. ah.. excuse me.... My disaster recovery and contingency plan just got validated big time! :-)

Acronics True Image or Norton Ghost?

Anil John — Sat, 18 Dec 2004 23:53:00 GMT

I am looking for some drive imaging software that I can use to take a snap-shot of both my Windows 2003 server and my XP Pro clients. After looking over the online specs for both True Image and Ghost, I am not exactly clear if taking an image of Windows 2003 is supported (XP is) in both products WITHOUT upgrading to the "Enterprise-class" version of both products.

In short, I want to do manual images of both Windows 2003 and XP Pro. I am not at this point looking for live/incremental snap shots of Windows 2003. Will the entry level versions of True Image and/or Ghost do this job? Any practical experiences to share on the usage of one or both?

Webpart troubles on the SBS2003 SharePoint "Companyweb" site

Anil John — Sat, 18 Dec 2004 08:39:00 GMT

I am currently running SBS 2003 with ISA Server. One of the reasons I wanted to do this was that SBS by default comes with a Windows SharePoint Services site ("Companyweb") and I wanted to explore custom web part development.

Well.. I have not even gotten to that point yet. Playing around with third party web parts, I installed SmilingGoat's FeedReader web part to bring up some RSS feeds on my SharePoint site and I am consistently getting the following error message:

Searching for your RSS feed has timed out.
If you use a proxy server, please make sure the address and port are correct in the Web Part settings.
If you do not use a proxy server, please validate the RSS feed URL is correct.

I have configured the proxy name and the proxy port on the web part settings within the shared view of the web part AND this is a stable feed that I am going against (The KBAlertz SharePoint RSS feed) AND I have no issues accessing the Internet via the browser that is configured with the same proxy settings.

So I put that on hold for a bit and deployed the SmartPart 1.0.0.0 web part which enable you to host ASP.NET user controls within it. After installation of the SmartPart in the GAC via the install routine, I drop the SmartPart List onto the "Companyweb" page and choose the provided "Dropdown Navigation Sample" example. The site at that point dies with the following error:

The "UserControlWebpart" Web Part appears to be causing a problem.

I have to go and disable/delete the web part in order for the "Companyweb" SharePoint site to come up again.

I am wondering at this point if there is anything unique about the SharePoint installation on the SBS 2003 box or if anyone has encountered such an error before. Bit frustrating!

I would very much appreciate any pointers anyone can provide to troubleshooting this issue.

Upcoming Secure Coding Book by authors of Writing Secure Code!

Anil John — Sat, 11 Dec 2004 09:42:00 GMT

Came across an interesting comment on one of the lists that I am on.

It would appear that Michael Howard and David LeBlanc, the authors of Writing Secure Code, are working on a new book with John Viega (Building Secure Software) and David Wheeler which is scheduled to hit the shelves in about 6 months. According to LeBlanc, they specifically chose this set of authors to provide really good cross-platform coverage.

Looks like a must have book!

IEEE Security & Privacy: Building Security In

Anil John — Sat, 11 Dec 2004 09:30:00 GMT

Gary McGraw has a series of articles in IEEE Security & Privacy that address secure coding issues. As a service to the community, he has made the articles available to the community. The current article in the series ".... is on Penetration Testing. This article was co-authored by Brad Arkin (Symantec) and Scott Stender."

Previous articles in the series:
http://www.cigital.com/papers/download/bsi5-static.pdf
http://www.cigital.com/papers/download/misuse-bp.pdf
http://www.cigital.com/papers/download/risk-analysis.pdf
http://www.cigital.com/papers/download/j2oth-qxd.pdf
http://www.cigital.com/papers/download/software-security-gem.pdf
http://www.cigital.com/papers/download/bsi6-pentest.pdf

Check them out!

Presentation on Instrumenting .NET Code & Defense-in-Depth

Anil John — Wed, 08 Dec 2004 09:08:00 GMT

I just got back from the CMAP .NET User Group meeting during which I did 2 short presentations. At CMAP's December meetings we have a "10 Tips & Tricks for the Holidays" presentation format in which members do short 10-15 minute presentations on various topics. This year's topics ranged from my stuff to a demo of how to use client side script in ASP.NET. My topics were "Instrumenting .NET Code with Log4Net" and "Applying Defense-in-Depth to protecting admin sections of web sites".

During the instrumenting & logging presentation I mentioned that K. Scott Allen has a great write-up on Diagnostics and Logging in ASP.NET and that people should check it out to get a background on the "Why?" regarding instrumenting applications. Then I went into a short description of what Log4Net brought to the table and compared it to the PAG's Exception Management Block and the Logging Block. In addition, I also had an earlier blog entry about incorporating logging into a web application.

My Defense-in-Depth short presentation was an expansion of an earlier blog entry that I had made on this topic.

Web services Contract-First Design & Development

Anil John — Wed, 08 Dec 2004 08:51:00 GMT

Lot's of buzz around it, and I am going to add to this, as this is very important to me in the InterOp space.

Christian Weyer and crew have released the latest version of thinktecture's free Contract-First VS.NET Add-in. Pure goodness! Check it and take the walk-through!

Microsoft Security Resource Guide - November 2004

Anil John — Thu, 25 Nov 2004 22:06:00 GMT

Jerry Bryant [MS] has an excellent post with links to Security resources that are provided by Microsoft. I am copying this here so that I do not have to go looking for them later:

Tools

Microsoft Baseline Security Analyzer (MBSA)
Use this tool to identify common security misconfigurations and missing security updates. MBSA runs on the Windows Server™ 2003, Windows® 2000, and Windows XP operating systems and will scan for vulnerabilities in multiple products and technologies, including Microsoft Internet Information Services (IIS) and SQL Server™.
Software Update Services (SUS) / Windows Update Services (WUS)
Quickly and reliably deploy the latest security updates, and service packs with Software Update Services. This new site now has the latest info on WUS.
Windows Update
Scans your computer and provides a selection of updates tailored for your operating system, software, and hardware.
Microsoft Office Product Updates
Scans and updates Microsoft Office products.
IIS Web Server Lockdown Wizard
Reduces the attack surface of Internet Information Services (IIS) and includes URLScan to provide multiple layers of protection against attackers.
UrlScan Security Tool
Helps prevent potentially harmful HTTP requests from reaching IIS Web servers.

Removal Tools:

Other Tools:

Updating

Understanding Update Management: Microsoft’s Software Update Strategy
Updated white paper talks about the need for strong update management process.
Other Update Management info in the TechNet Topics Page

Isolation and Resiliency

Listing of resources for the IT Pro to evaluate and deploy XP SP2
Network Access Protection
Internet Security and Acceleration (ISA) Server 2004 whitepapers updated
Read about secure remote Outlook access in the Unique Protection for Microsoft Exchange Server whitepaper, a very viable business scenario with ISA Server

Engineering Excellence

Trustworthy Computing: Security
Whitepapers on Security Enhancements:
Describes the Trustworthy Computing initiative as applied to the Windows Server, Office 2003 and Exchange Server 2003 development processes respectively.
Windows Server 2003
Office 2003
Exchange Server 2003
Get the Facts:
Windows and Linux
SQL

Guidance and Training

Security Guidance Centers on Microsoft.com
Worldwide
US
Prescriptive guidance to help provide defence-in-depth security.
E-Learning Security Training
E-Learning self-paced clinics - 4 Developer and 8 ITPro modules
Now available in French, German, Spanish and Japanese
XP SP2
Security Guidance Kit CD (now shipping in US and Canada)
CD-ROM with tools, templates, and how-to guides
Microsoft IT Security Showcase
An insider view into Microsoft's process of deploying, and managing its own enterprise solutions.
Security Newsletter
Register for our free monthly e-mail newsletter that's packed with security news, guidance, updates, and community resources to help you protect your network.
Security Program Guide: Events and Training Information
Events, webcasts and training ivailable for both IT Professionals and Developers.
US Security Summit Keynote and Training Content
Security Notifications via e-mail
Sign up today to get e-mail alerts when an important security bulletin or virus alert has been released.
Security Update RSS Feed
Security Bulletin Search Page
Search on product, technology or KB article
Security Bulletin Webcast
Join Microsoft experts on the day after bulletin announcements to get the latest information and have the opportunity to ask questions.
How to Tell If a Microsoft Security-Related Message Is Genuine
Writing Secure Code, 2nd edition
Best practices for writing secure code and stopping malicious hackers.
Building and Configuring More Secure Web Sites
Best Practices used at OpenHack.
Recent Security Guidance Center additions:
Windows XP Guide, includes SP2
New Security Risk Management Guide
Windows NT 4.0 and Windows 98 Threat Mitigation Guide
Microsoft Identity and Access Management Series
Antivirus Defense-in-Depth
Securing Wireless LANs with PEAP and Passwords
Small Business Guidance
Guidance specifically for the smaller business
Configuring Windows XP 802.11 Wireless Networks for the Home / Small Business
Consumer Information:
http://www.microsoft.com/security/protect
http://www.microsoft.com/athome/security/default.mspx
Newsletter for home users
Security bulletin notifications for home users

Interop, Interop, Interop.....

Anil John — Mon, 22 Nov 2004 07:51:00 GMT

Now this shows maturity in the industry!

Microsoft has invited Sun, IBM, BEA and the Open Source folks to talk about what it would take to make all of the various vendor technologies work together in the customer environment. It would appear that a majority of them, with the notable exception of IBM and the Open Source guys, have accepted!

They are going to kick off a series of about 40 webcasts in January. Find out more about it and pre-register.

Very, Very Cool!

Messaging Patterns in Service Oriented Architecture, Part 2

Anil John — Mon, 22 Nov 2004 07:42:00 GMT

Part 2 of this series is out. Delve into the contract patterns that illustrate the behavioral specifications required to maintain smooth communications between service provider and service consumer.

Part 1 of the series can be found here.

Browsing the Web and Reading E-mail Safely as an Administrator

Anil John — Sat, 20 Nov 2004 08:41:00 GMT

Michael Howard discusses how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.

He has created an application called DropMyRights to help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla's Firefox, Eudora, or Lotus Notes e-mail.

Check out the article...

Reliability and Security in a Home Network Environment...

Anil John — Mon, 15 Nov 2004 08:40:00 GMT

Like most computer savvy folks these days, the amount of digital "stuff" in my house is growing rather rapidly. That includes:

MP3 music files that I've ripped from my CDs
Photos from my digital camera
Videos that I've taken
Documents and Papers
Source Code stored in my CM system
Virtual Machine Images
and more...

Needless to say I have multiple computers in the house that are connected via both wired and wireless networks. Currently I am running a Windows 2000 Domain in the house as my server class machine, which is a bit old, is not one I have upgraded to Windows 2003. All my Windows 2003 machines are Virtual Machines :-)

Recently, I've bitten the bullet and am in the process standing up a server class machine that can run Windows 2003 at home. My requirements are that:

I need a redundant and reliable file storage for my network. A lot of the content that I have on the network is simply things I cannot afford to lose.
I want to lock down my wireless network.
ASP.NET Development environment.
I am seriously getting into collaboration via Windows SharePoint Services. So I am looking to make sure that I have an environment that I can play a bit with it.. A personal goal, at least for the home, is to have a shared calendar for the family.

(1) Starting out with the basics, I picked up a Dell server on sale. The only thing I upgraded was to bump up the memory and add a second network card to it. Redundant and reliable for me means that the storage in my machine needs to be configured either as a RAID 1 or RAID 5. For various reasons, I chose RAID 1. So, I also picked up a HighPoint RocketRaid IDE controller and two 200GB hard disks.

I am also picking up an external USB hard disk to which I intend to back up my RAID array on a weekly basis. I will be keeping this at work; a poor man's version of off-site backup. This way, at most I am not losing more than a week of data if something untoward happens to my entire home system.

(2) I love my Tivo but when it comes to security, it has some issues. My Tivo is set up with the Home Media Option such that I can play all of my MP3s, which are stored on my W2K server, via my Home Theater system. In addition, I can display all of my photos, again stored on my W2K box, on my TV. The Tivo is connected to my home network via a USB Wireless adapter and goes out over the network for program updates etc.

The issue I have is that the highest level of encryption Tivo supports is 128 WEP. It does not support WPA at all! This has limited my ability to upgrade the security of my Wireless network. So, I've gotten irritated enough that I am pulling wires to my Tivo to convert it from wireless to a hard line. Once this is done, my plan is to implement 802.11x authentication with certificates and lock down the the network.. Now, if I you ask me if I REALLY need to do this, the answer would be, probably not.. But I can, so I will :-)

(3) (4) Now this is the interesting part, I could install Windows 2003 with WSS and get *some* of the functionality that I want (ASP.NET/Collaboration). But why bother? There is a solution out there that will give me all of the components that I am looking for (Windows 2003, WSS, Exchange, SQL2K) supposedly integrated rather well and designed to run on a single box. Windows Small Business Server 2003.

From what I've seen of and heard about this product, it seems to be ideal for what I am looking for within the house. I am thinking that if I install SUS on top of the standard SBS 2003 install, I would also get the ability to update and patch the machines on my network as well.

The only decision I have not made as of yet, is where to put the SBS server on the network. I am currently connected to the Internet via a cable modem, which in turn is coming into a Wireless router with hard line ports. The router has NAT capabilities and has a built in simplistic firewall that has done the job for me so far. But SBS 2003 premium comes with ISA server and I have 2 NICs in the box, so I could hook it up to be Internet facing. Or I could simply hook up the SBS machine to the internal network behind the Router. I'll have to think a bit more about it..

One resource that I am finding extremely helpful is "Windows Small Business Server 2003 Administrator's Companion" by Charlie Russel, Sharon Crawford and Jason Gerend.

Our Man in the Mid-Atlantic ...

Anil John — Wed, 10 Nov 2004 08:41:00 GMT

I live and work in the state of Maryland in the U.S. which is classified as the Microsoft Mid-Atlantic district. If you want to get information and help at a local level from Microsoft, you need to know the local players. And the level of support and engagement you get is often very subjective and dependent on the perspectives of the local representatives of the Empire.

Unfortunately, all too often what you run into is a pure sales driven attitude with no thought given to any type of long term relationship building. Even though there is more transparency at the Home Office (Redmond) level, I personally do not believe that Microsoft, especially at the local level, really get relationship management and long term relationship building. But that is a topic for another day.

Fortunately, there are exceptions to every rule and we in the Mid-Atlantic district are fortunate that we have TWO exceptions to the rule. And those exceptions go by the name of Geoff Snowman, our local Developer Community Champion and G. Andrew Duthie, our local Developer Evangelist.

These guys DO get it and are simply awesome!

Together, their responsibilities cover everything from User Group Support to Enterprise Customer Support. With the wide variety of technologies and products that I've been looking at recently, there have often been questions that I needed answered and these guys have come through every time with information or pointers to resources who have the information. I just wanted to take this opportunity to say a very public "Thank You" to both Geoff and Andrew.

The side-effect of having an interesting job ....

Anil John — Wed, 10 Nov 2004 08:09:00 GMT

.... is that you become very engaged at work. And this is a good thing!

These days I am focusing a great deal on Collaboration (Both real-time and asynchronous), Business Process Management, Service Oriented Systems implemented via web services and more, all within a framework that has very high security needs.

On top of that I am also Blogging internally, which on some levels draws in some of the energy that I used to spend on Blogging externally. I could blog to my external blog from work and I know that my employer would not have any issues with it (yup, we've talked about it). But I've made a conscious decision to NOT blog to my personal blog from work simply to separate my work voice from my personal voice. Which means going forward I have to make a more conscious effort to put more of a balance between Blogging at work and Blogging at home.

But, I do like going to work... :-)