.NET news » Search results
Search results for query "Security" (52):
Bulk Office Protection Application
A Programmer's Exploration of Vista's User Account Control
Regular Expression Denial of Service Attacks and Defenses
Never Write an Insecure ASP.NET Application Ever Again
LightSwitch Security: Securing Access to LightSwitch Applications
Using Symmetric Encryption in a SQL Server 2005 Database
As the attacks hackers use become more and more sophisticated, and the programs they attack become increasingly complex, encryption is becoming the last line of defense in database management system (DBMS) security.
In this article we will look at how, specifically, to encrypt the data in a SQL Server 2005 database using symmetric encryption techniques. We'll start with examining the facilities for managing keys in SQL Server and then explore symmetric encryption in SQL Server 2005.
Removing Unnecessary HTTP Headers in IIS and ASP.NET
While certain HTTP Headers are necessary, the web server's identifying HTTP Headers are not necessary. Their inclusion inflates each HTTP response by around 100 bytes. Granted, 100 bytes is not much when taken alone, but when taken in the context of thousands or millions of requests over the course of time, those 100 bytes add up. Furthermore, providing identifying information can pose a security risk. An attacker who knows of a vulnerability in a particular web server and ASP.NET version combination could hunt for targets by making HTTP requests to many different servers and flagging those that return the particular web server/ASP.NET version numbers.
This article looks at how to remove these identifying HTTP Headers in both IIS 6 and IIS 7.
Enabling Bitlocker on Microsoft Windows 7 Professional 64 Bit
Recently I added a new thin laptop to the fleet of Windows 7 laptops and workstations that I have in active use. The other devices run Windows 7 Ultimate 32 bit with Bitlocker security encryption enabled. However I ran into a problem getting Bitlocker to work on the 64 bit version of Windows 7 Professional.
Yes I know I should not be using Windows and I also have plenty of iDevices and other Apple products lying around. Likewise to the security pros and security arm-chair quarterbacks I know I should not be using Bitlocker, instead using Truecrypt of which I have done some testing and may migrate to in the future along with self-encrypting device (SED). However let's stay on track here ;).
The problem that I ran into with my new Lenovo X1 was that it came with Windows 7 Professional 64 bit, which has a few surprises when trying to turn on Bitlocker drive encryption. Initializing and turning on the Trusted Platform Module (TPM) management was not a problem, however for those needing to figure out how to do that, check out this Microsoft TechNet piece.
The problem was as simple as not having a tab and easy way to enable Bitlocker Drive Encryption with Windows 7 Professional 64 bit. After spending some time searching around various Microsoft and other sites to figure out how to hack, patch, script and do other things that would take time (and time is money), it dawned on me. Could the solution to the problem be as simple as upgrading from the Professional version of Windows 7 bit to Windows 7 Ultimate?
The answer was going to the Microsoft store (or Amazon among other venues) and for $139.21 USD (with tax) purchase the upgrade.
Once the transaction was complete, the update was automatic and within minutes I had Bitlocker activated on the Lenovo X1 (TPM was previously initiated and turned on), a new key was protected and saved elsewhere, and the internal Samsung 830 256GB Solid State Device (SSD) initializing and encrypting. Oh, fwiw, yes the encryption of the 256GB SSD took much less time than on a comparable Hard Disk Drive (HDD) or even an HHDD (Hybrid HDD).
Could I have saved the $139.21 and spent some time on a workaround? Probably; however, as I did not have the time or interest to go that route, IMHO for my situation it was a bargain.
Sometimes spending a little money, particularly if you are short on, or value, your time, can be a bargain as opposed to if you are short on money however long on time.
I found the same to be true when I replaced the internal HDD that came with the Lenovo X1 with a Samsung 256GB SSD in that it improved my productivity for writing and saving data. For example in the first month of use I estimate easily 2 to three minutes of time saved per day waiting on things to be written to HDDs. In other words 2 to three minutes times five days (10 to 15 minutes) times four weeks (40 to 60 minutes) starts to add up (e.g. small amounts or percentages spread over a large interval add up), more on using and justifying SSD in a different post.
If your time is not of value or you have a lot of it, then the savings may not be as valuable. On the other hand, if you are short on time or have a value on your time, you can figure out what the benefits are quite quickly (e.g. return on investment or traditional ROI).
The reason I bring the topic of time and money into this discussion about Bitlocker is to make a point that there are situations where spending some time has value such as for learning, the experience, fun or simple entertainment aspect, not to mention a shortage of money. On the other hand, sometimes it is actually cheaper to spend some money to get to the solution or result as part of being productive or effective. For example, other than spending some time browsing various sites to figure out that there was an issue with Windows 7 Professional and Bitlocker, time that was educational and interesting, the money spent on the simple upgrade was worth it in my situation.
Ok, nuff said for now
Cheers Gs
Greg Schulz - Author Cloud and Virtual Data Storage Networking (CRC Press, 2011), The Green and Virtual Data Center (CRC Press, 2009), and Resilient Storage Networks (Elsevier, 2004)
twitter @storageio
All Comments, (C) and (TM) belong to their owners/posters, Other content (C) Copyright 2006-2012 StorageIO All Rights Reserved
Health Monitoring in ASP.NET 2.0: Notifications via Email
The Health Monitoring system in ASP.NET 2.0 is designed to monitor the health of a running ASP.NET application in a production environment. It works by recording event information to a specified log source. The .NET 2.0 Framework includes a variety of built-in events that can be used by the Health Monitoring system, including events for monitoring application re-starts and stops, unhandled exceptions, and failed authentication attempts, among others. The .NET Framework also includes support for logging these events to the Windows event log, to a Microsoft SQL Server database, via WMI, in an email, and to the ASP.NET page tracing system.
In this article we will continue our exploration of the built-in events and log sources. In particular, we will look at the WebFailureAuditEvent event, which is raised when there is a security audit failure. We will also look at the SimpleMailWebEventProvider event provider, which, as its name implies, sends event information via email.