Monday, May 09, 2005

Monday, December 20, 2004

When I wrote about Reliability and Security in a home network environment earlier, I never realized that I would have to put it to the test so soon!

About a week ago, my SBS 2003 server started hootin' and hollerin' at me. It turned out that the 200GB hard drive that held all of my data was the culprit. I rebooted the machine, went into the drive diagnostics and found out that the new drive that held all of my data had just given up the ghost! But since that drive was configured in a RAID 1 (mirrored) array, I had a bit of a reprieve. I broke the array, took the defective drive out of the drive caddy and rebooted. Everything came up just fine! Sweet!

I immediately increased the frequency of my backups to my external USB drive from weekly to daily and called the drive manufacturer to request a replacement. I got the replacement drive today, loaded it into the drive caddy, brought up the RAID controller console, and asked it to rebuild my RAID 1 array. It took more than 2 hours, but I just got notified that the drive array rebuild was complete and that my RAID 1 array was functioning properly. My paranoia.. ah.. excuse me.... My disaster recovery and contingency plan just got validated big time! :-)

posted @ 10:30 PM

Saturday, December 18, 2004

I am looking for some drive imaging software that I can use to take a snapshot of both my Windows 2003 server and my XP Pro clients. After looking over the online specs for both True Image and Ghost, I am not exactly clear whether taking an image of Windows 2003 is supported (XP is) in both products WITHOUT upgrading to the "Enterprise-class" version of each product.

In short, I want to do manual images of both Windows 2003 and XP Pro. I am not at this point looking for live/incremental snapshots of Windows 2003. Will the entry-level versions of True Image and/or Ghost do this job? Any practical experiences to share on the usage of one or both?

posted @ 12:53 PM

Friday, December 17, 2004

I am currently running SBS 2003 with ISA Server. One of the reasons I wanted to do this was that SBS by default comes with a Windows SharePoint Services site ("Companyweb") and I wanted to explore custom web part development.

Well.. I have not even gotten to that point yet. While playing around with third-party web parts, I installed SmilingGoat's FeedReader web part to display some RSS feeds on my SharePoint site, and I am consistently getting the following error message:

Searching for your RSS feed has timed out.
If you use a proxy server, please make sure the address and port are correct in the Web Part settings.
If you do not use a proxy server, please validate the RSS feed URL is correct.

I have configured the proxy name and the proxy port in the web part settings within the shared view of the web part, AND this is a stable feed that I am going against (the KBAlertz SharePoint RSS feed), AND I have no issues accessing the Internet via a browser configured with the same proxy settings.

So I put that on hold for a bit and deployed the SmartPart 1.0.0.0 web part, which enables you to host ASP.NET user controls within it. After installing the SmartPart in the GAC via the install routine, I dropped the SmartPart List onto the "Companyweb" page and chose the provided "Dropdown Navigation Sample" example. The site at that point died with the following error:

The "UserControlWebpart" Web Part appears to be causing a problem.

I have to go and disable/delete the web part in order for the "Companyweb" SharePoint site to come up again.

I am wondering at this point if there is anything unique about the SharePoint installation on the SBS 2003 box or if anyone has encountered such an error before. Bit frustrating!

I would very much appreciate any pointers anyone can provide to troubleshooting this issue.

posted @ 9:39 PM

Friday, December 10, 2004

Came across an interesting comment on one of the lists that I am on. 

It would appear that Michael Howard and David LeBlanc, the authors of Writing Secure Code, are working on a new book with John Viega (Building Secure Software) and David Wheeler which is scheduled to hit the shelves in about 6 months.  According to LeBlanc, they specifically chose this set of authors to provide really good cross-platform coverage.

Looks like a must have book!

posted @ 10:42 PM
 

Gary McGraw has a series of articles in IEEE Security & Privacy that address secure coding issues. As a service to the community, he has made the articles freely available. The current article in the series ".... is on Penetration Testing.  This article was co-authored by Brad Arkin (Symantec) and Scott Stender."

Previous articles in the series:
http://www.cigital.com/papers/download/bsi5-static.pdf
http://www.cigital.com/papers/download/misuse-bp.pdf
http://www.cigital.com/papers/download/risk-analysis.pdf
http://www.cigital.com/papers/download/j2oth-qxd.pdf
http://www.cigital.com/papers/download/software-security-gem.pdf
http://www.cigital.com/papers/download/bsi6-pentest.pdf

Check them out!

posted @ 10:30 PM

Tuesday, December 07, 2004

I just got back from the CMAP .NET User Group meeting during which I did 2 short presentations. At CMAP's December meetings we have a "10 Tips & Tricks for the Holidays" presentation format in which members do short 10-15 minute presentations on various topics. This year's topics ranged from my stuff to a demo of how to use client side script in ASP.NET.  My topics were "Instrumenting .NET Code with Log4Net" and "Applying Defense-in-Depth to protecting admin sections of web sites". 

During the instrumenting & logging presentation I mentioned that K. Scott Allen has a great write-up on Diagnostics and Logging in ASP.NET and that people should check it out to get a background on the "Why?" regarding instrumenting applications. Then I went into a short description of what Log4Net brought to the table and compared it to the PAG's Exception Management Block and the Logging Block.  In addition, I also had an earlier blog entry about incorporating logging into a web application.

My Defense-in-Depth short presentation was an expansion of an earlier blog entry that I had made on this topic.

posted @ 10:08 PM
 

Lots of buzz around it, and I am going to add to it, as this is very important to me in the InterOp space.

Christian Weyer and crew have released the latest version of thinktecture's free Contract-First VS.NET Add-in. Pure goodness! Check it and take the walk-through!

posted @ 9:51 PM

Thursday, November 25, 2004

Jerry Bryant [MS] has an excellent post with links to Security resources that are provided by Microsoft. I am copying this here so that I do not have to go looking for them later:

Tools

  • Microsoft Baseline Security Analyzer (MBSA)
    Use this tool to identify common security misconfigurations and missing security updates. MBSA runs on the Windows Server™ 2003, Windows® 2000, and Windows XP operating systems and will scan for vulnerabilities in multiple products and technologies, including Microsoft Internet Information Services (IIS) and SQL Server™.
  • Software Update Services (SUS) / Windows Update Services (WUS)
    Quickly and reliably deploy the latest security updates, and service packs with Software Update Services. This new site now has the latest info on WUS.
  • Windows Update
    Scans your computer and provides a selection of updates tailored for your operating system, software, and hardware.
  • Microsoft Office Product Updates
    Scans and updates Microsoft Office products.
  • IIS Web Server Lockdown Wizard
    Reduces the attack surface of Internet Information Services (IIS) and includes URLScan to provide multiple layers of protection against attackers.
  • UrlScan Security Tool
    Helps prevent potentially harmful HTTP requests from reaching IIS Web servers.
  • Removal Tools
  • Other Tools

Updating

Isolation and Resiliency

Engineering Excellence

Guidance and Training

posted @ 11:06 AM

Sunday, November 21, 2004

Now this shows maturity in the industry! 

Microsoft has invited Sun, IBM, BEA and the Open Source folks to talk about what it would take to make all of the various vendor technologies work together in the customer environment.  It would appear that a majority of them, with the notable exception of IBM and the Open Source guys, have accepted!

They are going to kick off a series of about 40 webcasts in January. Find out more about it and pre-register.

Very, Very Cool!

posted @ 8:51 PM
 

Part 2 of this series is out.  Delve into the contract patterns that illustrate the behavioral specifications required to maintain smooth communications between service provider and service consumer.

Part 1 of the series can be found here.

posted @ 8:42 PM

Friday, November 19, 2004

Michael Howard discusses how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.

He has created an application called DropMyRights to help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla's Firefox, Eudora, or Lotus Notes e-mail.

Check out the article...

posted @ 9:41 PM

Sunday, November 14, 2004

Like most computer-savvy folks these days, the amount of digital "stuff" in my house is growing rather rapidly. That includes:

  • MP3 music files that I've ripped from my CDs
  • Photos from my digital camera
  • Videos that I've taken
  • Documents and Papers
  • Source Code stored in my CM system
  • Virtual Machine Images
  • and more...

Needless to say, I have multiple computers in the house that are connected via both wired and wireless networks. Currently I am running a Windows 2000 domain in the house, since my server-class machine, which is a bit old, is not one I have upgraded to Windows 2003. All my Windows 2003 machines are Virtual Machines :-)
 
Recently, I've bitten the bullet and am in the process of standing up a server-class machine that can run Windows 2003 at home. My requirements are that:
 
  1. I need redundant and reliable file storage for my network. A lot of the content that I have on the network is simply things I cannot afford to lose.
  2. I want to lock down my wireless network.
  3. ASP.NET development environment.
  4. I am seriously getting into collaboration via Windows SharePoint Services, so I am looking to make sure that I have an environment in which I can play a bit with it.. A personal goal, at least for the home, is to have a shared calendar for the family.

(1) Starting out with the basics, I picked up a Dell server on sale. The only things I upgraded were to bump up the memory and add a second network card. Redundant and reliable for me means that the storage in my machine needs to be configured either as RAID 1 or RAID 5. For various reasons, I chose RAID 1. So, I also picked up a HighPoint RocketRaid IDE controller and two 200GB hard disks.
 
I am also picking up an external USB hard disk to which I intend to back up my RAID array on a weekly basis. I will be keeping this at work; a poor man's version of off-site backup. This way, at most I am not losing more than a week of data if something untoward happens to my entire home system.
 
(2) I love my Tivo but when it comes to security, it has some issues. My Tivo is set up with the Home Media Option such that I can play all of my MP3s, which are stored on my W2K server, via my Home Theater system. In addition, I can display all of my photos, again stored on my W2K box, on my TV. The Tivo is connected to my home network via a USB Wireless adapter and goes out over the network for program updates etc.
 
The issue I have is that the highest level of encryption Tivo supports is 128-bit WEP. It does not support WPA at all! This has limited my ability to upgrade the security of my wireless network. So, I've gotten irritated enough that I am pulling wires to my Tivo to convert it from wireless to a hard line. Once this is done, my plan is to implement 802.1X authentication with certificates and lock down the network.. Now, if you ask me whether I REALLY need to do this, the answer would be, probably not.. But I can, so I will :-)
 
(3) (4) Now this is the interesting part. I could install Windows 2003 with WSS and get *some* of the functionality that I want (ASP.NET/collaboration). But why bother? There is a solution out there that will give me all of the components that I am looking for (Windows 2003, WSS, Exchange, SQL2K), supposedly integrated rather well and designed to run on a single box: Windows Small Business Server 2003.
 
From what I've seen of and heard about this product, it seems to be ideal for what I am looking for within the house.  I am thinking that if I install SUS on top of the standard SBS 2003 install, I would also get the ability to update and patch the machines on my network as well.
 
The only decision I have not made as of yet, is where to put the SBS server on the network.  I am currently connected to the Internet via a cable modem, which in turn is coming into a Wireless router with hard line ports.  The router has NAT capabilities and has a built in simplistic firewall that has done the job for me so far. But SBS 2003 premium comes with ISA server and I have 2 NICs in the box, so I could hook it up to be Internet facing.  Or I could simply hook up the SBS machine to the internal network behind the Router.  I'll have to think a bit more about it..
 
One resource that I am finding extremely helpful is "Windows Small Business Server 2003 Administrator's Companion" by Charlie Russel, Sharon Crawford and Jason Gerend.
 
posted @ 9:40 PM

Tuesday, November 09, 2004

I live and work in the state of Maryland in the U.S. which is classified as the Microsoft Mid-Atlantic district. If you want to get information and help at a local level from Microsoft, you need to know the local players. And the level of support and engagement you get is often very subjective and dependent on the perspectives of the local representatives of the Empire.

Unfortunately, all too often what you run into is a pure sales driven attitude with no thought given to any type of long term relationship building.  Even though there is more transparency at the Home Office (Redmond) level, I personally do not believe that Microsoft, especially at the local level, really get relationship management and long term relationship building. But that is a topic for another day. 

Fortunately, there are exceptions to every rule and we in the Mid-Atlantic district are fortunate that we have TWO exceptions to the rule. Those exceptions go by the names of Geoff Snowman, our local Developer Community Champion, and G. Andrew Duthie, our local Developer Evangelist.

These guys DO get it and are simply awesome!

Together, their responsibilities cover everything from User Group Support to Enterprise Customer Support.  With the wide variety of technologies and products that I've been looking at recently, there have often been questions that I needed answered and these guys have come through every time with information or pointers to resources who have the information. I just wanted to take this opportunity to say a very public "Thank You" to both Geoff and Andrew.

 

posted @ 9:41 PM
 

.... is that you become very engaged at work. And this is a good thing!

These days I am focusing a great deal on Collaboration (Both real-time and asynchronous), Business Process Management, Service Oriented Systems implemented via web services and more, all within a framework that has very high security needs.

On top of that I am also Blogging internally, which on some levels draws in some of the energy that I used to spend on Blogging externally.  I could blog to my external blog from work and I know that my employer would not have any issues with it (yup, we've talked about it).  But I've made a conscious decision to NOT blog to my personal blog from work simply to separate my work voice from my personal voice.  Which means going forward I have to make a more conscious effort to put more of a balance between Blogging at work and Blogging at home.

But, I do like going to work... :-)

posted @ 9:09 PM


This website is Copyright © 2001-2004 by Kylas Group LLC. All rights reserved.