Firewall or die…

There was a time when I believed that I could keep a server secure enough that I could get away with not putting it behind a firewall.  This used to entail just having a security plan and minimizing the attack surface.  Then it got harder and harder to keep up.  I held out for as long as I could, but sometime in the last year I got to the point where I won’t put anything I care about directly on the Internet.  The Internet has experienced what seems like the fastest neighborhood slide in history! 


This may seem obvious, but the important point here is the progression toward this point.  Where next?  Will we be taking things like smartcards for granted the way firewalls are now?


Security is a game that evolves, if you can get ahead of the next evolutionary turn you can prevent unpleasant surprises.


What do you think will be taken for granted in 18 months relative to security?

My New York City .Net User Group Presentation…

went well, except for the 7 hour drive to get there that should have been 3.5! 


OK, back to the intent which is technology entry…  I spoke on Sharepoint Programming and the crowd was varied (never heard of SharePoint to SharePoint guru), but engaged. 


Single Sign On was the big thing since it has such potential to be misused.  What if someone wires up Single Sign On for a backend system using an over endowed account and then provides a web part that is unconstrained in its actions?  Same answer for all these kinds of questions, you die!


I am actually heading back toward New England now (aircard is such a great tool) so that we can make it back for an earlyish meeting back at the office tomorrow.


Back to Security postings tomorrow if I stay on plan.

ASPNET_WP.exe, .Net 1.0 and a Domain Controller…

Jeopardy Answer:  What are 3 things that don’t go together easily!


If you feel the need to host ASP.Net on a windows domain controller and can’t bring yourself to upgrade to version 1.1 then at least read this KB article. The crux of the problem is that domain controllers on IIS 5.0 servers (i.e. on Windows 2000) don’t have local accounts for the ASPNet_WP.exe process to run under.  You have to create your own weak account or assign more privileged accounts (bad idea).


I heard as recently as tonight about someone fighting this issue (it is always tough when the solutions are all security tradeoffs to some extent), but reportedly with .Net 1.1 (we are verifying).  As a rule I don’t put ASP.Net apps on domain controllers, maybe that is just a rule we should all accept if we don’t like the other options presented?

Start with the Administrator Account

Alot of sources say that you should rename your administrator account on your windows systems and windows network.  While I agree with this wholeheartedly, you need to take the war to the hacker.


First, renaming the administrator account to admin or adm or something equally obvious when seen doesn’t cut it.  You need to get evil.  If you rename the account (and you should) then rename it to something indistinguishable from the rest of your accounts.  Remember that internal threats are real and your uses can usually see the entire user list.  Pick someone you went to school with that will never work for your company (at least not while you work there) and rename the administrator as if it were that person’s account according to your standard naming practices.  SJones for instance for Susan Jones.  Also fill out the record with a description, etc.  For larger companies you want to make this impossible to discern by a typical user from someone working in a remote office or maybe a temp that never got deleted.  Understand that this is easiest when you first setup the machine or network, but can be done long after if you can bring yourself to do away with using the Administrator account for services or regular network maintenance.


So now you have an administrator that no one can identify from just looking at the user list.  The SID for the administrator account is still the same and we can’t do much about that, but we take what we can get.


Next move is to create a new account named Administrator.  Give it a nightmare password (14 or more characters with mixed case and symbols everywhere) and then turn on auditing for failed logins at a minimum.  Now you have setup a scenario where no one has any business using the administrator account for anything except hacking.


If you follow this tactic for all privileged accounts so that Exchange runs under MKelly and SQL Server runs as PRobinson then you have just taken a lesson from Sun Tzu and applied it to your system security.  Machiavelli would be proud!

WSE 1.0 Revisited

More than a year ago, I spent a day or two wading through WSE 1.0 (hence the title) to prepare a nice demo for a talk on GXA that Andrew Brust and I did at CeBit held in NYC.  In my travels, I reviewed Tim Ewald’s white paper called “Programming with Web Services Enhancements 1.0” and soon thereafter I found a wonderful resource courtesy of Dan Wahlin at http://www.xmlforasp.net/codeSection.aspx?csID=81.  Dan has put together a streaming demo that I classify as the moral equivelent of a WSE Hello World (I mean that in a good way in case you miss my meaning).  I consider Don Box’s “Understanding GXA” the primer that the above resources really compliment if you want to know from a developer’s perspective what the deal is with WSE.  


I often get asked how a developer can go about getting security savvy.  Understanding the concepts of WSE is an important stop along the way.


I haven’t seen a valid link to “Understanding GXA” lately.  You will have to settle for the latest found at http://msdn.microsoft.com/webservices/building/wse/default.aspx.

Blogging enters the battle…

I have been considering starting to blog for a long time.  There were false starts and pronouncements that I would begin that were left unfulfilled.  As I write this first entry I realize that I picked the correct name for this journal – Tech Siege.  The reason is that since before I left the military I have been trying to grok it all.  The more I assimilated the more I realized I was clueless.  I have a family and non-technical interests, but I find them shunted to the side often as I pursue that next concept that will finally round out my knowledge.


So with luck this blog will help me (and you maybe) focus on striking the balance.  I don’t expect to be gushing very often about non-technical topics, but I assume they will slip in without my being lynched.  If I do it right then I will learn as much (if not more) than anyone else who reads here.  Isn’t it true that when we look at code we wrote last year, that is when we realize how we have grown as a developer.


Computer Security will be a common theme and that allows for mammoth tangents.  We will see how it goes, only time will tell.