9 minutes read

The Case of the Failed Restore

As applications get more and more complex, the backup and restore processes also tend to become more complex. A lot of times backup can be broken down into simple processes:

- Get data from various sources (Database, Web.config, DPAPI, Certificate Stores, File system, etc.)
- Persist data to disk in a specific format
- Validate that the data in that format isn’t corrupt

A lot of times this can be a manual process, but in the best case scenarios it’s all automated by some tool. In my particular case there was a tool that did all of this for me. Woohoo! Of course, there was a catch….

4 minutes read

AntiXss vs HttpUtility – So What?

Earlier today, Cory Fowler suggested I write up a post discussing the differences between the AntiXss library and the methods found in HttpUtility and how it helps defend from cross site scripting (XSS).  As I was thinking about what to write, it occurred to me that I really had no idea how it did what it did, and why it differed from HttpUtility.  <side-track>I’m kinda wondering how many other people out there run into the same thing?  We are told to use some technology because it does xyz better than abc, but when it comes right down to it,…

4 minutes read

ViewStateUserKey, ValidateAntiForgeryToken, and the Security Development Lifecycle

Last week Microsoft published the 5th revision to the SDL.  You can get it here: http://www.microsoft.com/security/sdl/default.aspx. Of note, there are additions for .NET, specifically ASP.NET and the MVC Framework.  Two key things I noticed initially were the addition of System.Web.UI.Page.ViewStateUserKey, and the ValidateAntiForgeryToken attribute in MVC. Both have existed for a while, but they are now added to the requirements for final testing. ViewStateUserKey is a page-specific identifier for a user.  Sort of a viewstate session.  It’s used to prevent forging of Form data from other pages, or in fancy terms it prevents Cross-site Request Forgery attacks. Imagine a web form that…

2 minutes read

Putting the I Back into Infrastructure

Tonight at the IT Pro Toronto we did a pre-launch of the Infrastructure 2010 project.  Have you ever been in a position where you just don’t have a clear grasp of a concept or design?  It’s not fun.  As a result, CIPS Toronto, IT Pro Toronto, and TorontoSQL banded together to create a massive event to help make things a little more clear.  To give you a clearer understanding of how corporate networks work.  Perhaps to explain why some decisions are made, and why in retrospect, some are bad decisions. Infrastructure 2010 is about teaching you everything there is to…

16 minutes read

Six Simple Development Rules (for Writing Secure Code)

I wish I could say that I came up with this list, but alas I did not.  I came across it on the Assessment, Consulting & Engineering Team blog from Microsoft, this morning.  They are a core part of the Microsoft internal IT Security Group, and are around to provide resources for internal and external software developers.  These 6 rules are key to developing secure applications, and they should be followed at all times. Personally, I try to follow the rules closely, and am working hard at creating an SDL for our department.  Aside from Rule 1, you could consider…

10 minutes read

Security, Security, Security is about Policy, Policy, Policy

The other day I had the opportunity to take part in an interesting meeting with Microsoft. The discussion was security, and the meeting members were 20 or so IT Pros, developers, and managers from various Fortune 500 companies in the GTA. It was not a sales call. Throughout the day, Microsofties Rob Labbe and Mohammad Akif went into significant detail about the current threat landscape facing all technology vendors and departments. There was one point that was paramount. Security is not all about technology. Security is about the policies implemented at the human level. Blinky-lighted devices look cool, but in…

4 minutes read

Creating a new Forest and Domain on Server Core

Over the weekend, good friend Mitch Garvis decided it was necessary to rebuild his home network.  Now, most home networks don’t have a $25,000 server at the core.  This one did.  Given that, we decided to do it right.  The network architecture called for virtualization, so we decided to use Hyper-V.  The network called for management, so we decided to install SCCM and Ops Manager.  The network called for simplicity, so we used Active Directory. However, we decided to up the ante and install this all on Server Core.  Now, the tricky part is that we needed to install Active…

4 minutes read

Roles and Responsibilities for Managing an Enterprise Web Site

The intent of this post is to create a summary definition of the roles required to adequately manage an enterprise website. It is designed to be used in tandem with a RACI (Responsible, Accountable, Consulted, and Informed) document to provide a unified management model for the web infrastructure developed. Each role is neither inclusive nor exclusive, in that any one person can qualify for more than one role, and more than one person can qualify for the same role, as long as each role has been fulfilled adequately. In a future post I will discuss the creation of a RACI document….

7 minutes read

ASP.NET Application Deployment Best Practices – Part 1

Over the last few months I have been collecting best practices for deploying ASP.NET applications to production.  The intent was to create a document that described the necessary steps needed to deploy consistent, reliable, secure applications that are easily maintainable for administrators.  The result was an 11 page document.  I would like to take a couple of excerpts from it and essentially list what I believe to be key requirements for production applications. The key is consistency.

Generate new encryption keys

The benefit to doing this is that internal hashing and encrypting schemes use different keys between applications. If an application…

6 minutes read

ASP.NET Application Deployment Best Practices – Part 2

In my previous post I started a list of best practices that should be followed for deploying applications to production systems.  This is a continuation of that post.

Create new Virtual Application in IIS

Right-click [website app will live in] > Create Application

Creating a new application provides each ASP.NET application its own sandbox environment. The benefit to this is that site resources do not get shared between applications. It is a requirement for all new web applications written in ASP.NET.

Create a new application pool for Virtual App

Right-click on Application Pools and select Add Application Pool

Define name:…