by Dominic Zukiewicz
7. June 2010 14:23
One of our clients uses a third-party authentication tool called AuthentiX, which provides directory-level authorisation for IIS and allows multiple data sources to be used. Although ASP.NET has Forms Authentication, AuthentiX has been in use by the client for over 10 years, so co-existence with ASP was required to allow the retrieval of the username. Its usage is quite simple. If the code is executing on your page, they have been authenticated (or have they?) and given access to it. A code snippet of this COM component looks like this: protected void Page_Load(object sender, Event...
by Dominic Zukiewicz
20. April 2010 10:48
Now many people will argue that it is a stupid idea to store clear-text credentials in web.config, and in some respects they are right. Obviously the credentials for the website are as clear as day, BUT .config files are not served by ASP.NET, so there are some precautions in place. But if you are writing a test app for the Membership provider and you really can’t be bothered with setting up a SQL Local Data Source and really just want to get your proof of concept out of the way, it really is brilliant. However, although you normally set up Membership once per project, I became a little bit r...
by Stephen Horsfield
4. September 2008 09:26
Since yesterday, and my post about Google Chrome, Google has updated its terms and conditions and removed the clauses. See my previous post here: Security: How much do you trust Google?.
Privacy clauses
Section 11 has been completely rewritten. Note that this is the only change in the terms of service; even the date has not been changed:
11. Content license from you
11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services.
Looks a bit different to the previous clause. Specifically, the following has be...
by Stephen Horsfield
3. September 2008 08:14
Google has just released a beta of its Google Chrome web browser. Make sure you read the terms and conditions. Have a look at the privacy clauses...
[Note: Google has updated its terms and conditions. Read my blog post here: Security: Google retracts its privacy clauses]
Privacy clauses
11. Content license from you
11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive li...
by Stephen Horsfield
4. July 2008 11:55
I'm currently conducting a due-diligence review of a technical system. The system is a classic distributed, two-tier system with data held centrally and business-logic delegated to an application tier. I've been asked to perform a security analysis as part of my review. I can't tell you anything about the project itself, for confidentiality (and security) reasons, but I thought I'd share some of the thought processes behind what I've been doing.
Reviewing security
The foremost rule of security assessment is to include the entire system. Don't just look at technical aspects of security bu...
by Stephen Horsfield
31. January 2008 08:53
UPDATED: 16-MAY-2008
Overview
How can you get the PageData object for a page when the current user doesn't have access to it? It took me a while to find out, but you can just read on...
Context
I have been implementing a redirect facility. Only editors and administrators are allowed access to the page and everyone else is redirected according to a property on the page. The ACL on the page does not give Read access to the Everyone group. How can I get the property?
Solution
The easy solution is to use EPiServer 5. Then you can use the GetPage method of the DataFactory class to get a page, ...
by Stephen Horsfield
17. January 2008 09:02
Overview
Have you ever wondered how to view object permissions using a query?
Simple example
Try this on a database:
select o.name, u.name, p.permission_name, p.state, p.state_desc
from sys.database_permissions p
inner join sys.all_objects o
on p.major_id = o.object_id
inner join sys.database_principals u
on p.grantee_principal_id = u.principal_id
References
sys.database_permissions (Microsoft TechNet)
sys.database_principals (Microsoft TechNet)
sys.all_objects (Microsoft TechNet)
Versions
Microsoft SQL Server 2005...
by Stephen Horsfield
8. January 2008 15:10
Overview
Sometimes, old code doesn't seem to work with the new Data Execution Prevention feature in Microsoft Windows. It's easy to turn it off for non-system applications and services, but how do you do it for system components, and why would you?
Warning: Data Execution Prevention is a security feature. Disabling DEP reduces the security of your system.
Context
On our Microsoft Commerce Server 2002 system, running on Windows Server 2003, we were getting "COM Surrogate" errors, which relate to DEP errors with the dllhost.exe system program. Adding it to the exception list didn't solve ...
by Stephen Horsfield
4. January 2008 11:25
Overview
What is a malicious trigger? What can it do? How can you protect yourself and your database server?
Background
I've been reading the Microsoft Press MCITP training book for the Microsoft 70-441 exam: Designing Database Solutions by Using Microsoft SQL Server 2005 and I came across an interesting comment about trigger security. I'm describing it here, because it is quite easy for a malicious database developer to use against an unsuspecting DBA.
You can find the book here:
http://www.amazon.com/MCITP-Self-Paced-Training-Exam-70-441/dp/0735623422/ref=sr_1_1?ie=UTF8&s=books&...