Deepak (Moderator): Good evening!
Mohan: good evening
Ramesh: GE
OppsIDidItAgain: Very good evening Deepak
Deepak (Moderator): Welcome to the Web Chat on ASP.NET Security Model.
Deepak (Moderator): Today, we shall discuss
• Role based security
• Authentication & Authorization
• Code Access
• Data Access
• Auditing/Logging
• Session Management
Deepak (Moderator): To share with us their valuable knowledge, may I
now invite our esteemed experts on to the Chat?
Deepak (Moderator): We have with us…
Deepak (Moderator): Sasidhar V., SDET, Connected Services Framework
Team - IDC
Sivakumar A., SDET, Communicator Mobile Team - IDC.
Sravanthi Andhavarapu, Software Design Engineer/Test, IDC WinFS
team.
Arun Mehta, SDET, SQL Mobile Team.
Saravanavel B, Software Design Engineer/Test - SQL Mobile Team;
Laxmi Oruganti, Software Design Engineer - SQL Mobile Team;
Madhumita Jena, Software Design Engineer - System Center Service
Desk Team & Srinivasulu P, Software Design Engineer/Test – Office
Live Team, IDC
Deepak (Moderator): To give a brief of each of them…
Deepak (Moderator): Sasi has been working in Microsoft for nearly 3
years. He has worked on projects like MSN Toolbar, Excel Mobile,
Information Rights Management and now on My Mobile Media.
Deepak (Moderator): Siva has been here in Microsoft for the past 1+
year working with the Communicator Mobile team.
He is primarily responsible for Security in the team. His primary
interest is on buffer overruns.
Deepak (Moderator): Sravanthi Andhavarapu did her bachelor's in Computer
Science Engineering from NIT Warangal and joined Oracle Corporation
as an Applications Engineer and, after a year at Oracle, joined
Microsoft. Here at Microsoft Sravanthi has been working close to a
year in the WinFS team and is part of the Security focus group in
Microsoft which aims to spread the importance of security in
software systems both internal and external to Microsoft.
Deepak (Moderator): Madhumita has worked in Microsoft for 11 months,
this being her first job. She is working on a new product called
System center service desk.
Deepak (Moderator): Saravanavel has been working in Microsoft for
more than a year. He has got 5+ years of work experience and has
worked extensively on ASP.Net web projects. He is currently working
in SQL Mobile team.
Deepak (Moderator): Before we begin with the Chat, some basic
information for all.
Deepak (Moderator): When you want to ask a question to the Experts,
please ensure that you check the checkbox that says “Ask The
Experts”
Deepak (Moderator): Please DO NOT ask questions on topics besides
the topic of the Chat.
Deepak (Moderator): Remember, we have two special prizes today. One
for the Best Technical Question and the other for a Lucky
Participant, who shall be randomly chosen.
Deepak (Moderator): We may now begin the Chat. We shall have an hour
to go.
Deepak (Moderator): Experts...
Deepak (Moderator): Welcome once again to the Chat!
OppsIDidItAgain: How do I display the children of some specific
directory in asp.net page?
Deepak (Moderator): Ramesh, not to worry
Deepak (Moderator): Sometimes the check box doesn't work but then you sure can post the query
Srinivasulu [MSFT] (Expert): OppsIDidItAgain: How do I display the
children of some specific directory in asp.net page? -> you can
enable directory browsing in IIS.
shailender: If there are two sites hosted on the same server, can the
session of one site be passed across to the other application?
sreenath_ambassador: I am making a sort of query forum, for which
I need three types of logins: one is administrator, one is
doctors/professionals and the other is ordinary patients.
Guru: yes, we can pass that via web garden
shailender: could you explain the approach?
Srinivasulu [MSFT] (Expert): shailender: if there are two sites
hosted on the same server can the session of one site be passed
across to the other application? -> Session variables can be
shared across sites by storing them in a central db.
Guru: yes sure
sreenath_ambassador: If a patient posts a query on the forum, he
must be able to mark it as either public or private. In case it's
private, only people with doctor logins must be able to view the post.
sreenath_ambassador: can someone help me on how to do this?
OppsIDidItAgain: Srinivasulu, if my client machine doesn't have IIS
and I want to programmatically display the children through ASP,
what should be the security constraints on the client machines?
Guru: you can use the asp.net state server to store the state in a SQL
server and with the help of a web garden you can pass the states
Guru: please check the implementation regarding the state server
Deepak (Moderator): Dear experts, as the checkbox is not appearing
on the client side of the tool, may I request you to address the
questions from the Live Cat page.
Deepak (Moderator): I am sorry, the Live Chat tab
Deepak (Moderator): The inconvenience is deeply regretted
Srinivasulu [MSFT] (Expert): OppsIDidItAgain: Srinivasulu, if my
client machine doesn't have IIS and I want to programmatically display
the children through ASP, what should be the security constraints on
the client machines -> Most of the webservers have this option of
allowing directory browsing, but you should avoid enabling this
option.
Madhumita [MSFT] (Expert): sreenath_ambassador: if a patient posts a
query on the forum, he must be able to mark it as either public or
private. In case it's private, only people with doctor logins must be
able to view the post
- You can have role based access: define roles for patients,
doctors and doctors
funkster_smokey: Hey, can someone please shed some light on what
new security features are available with ASP.NET 2.0?
Sasi [MSFT] (Expert): funkster_smokey: Please find the new security
features in ASP.Net 2.0 at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnvs05/html/secfeatnt2.asp
OppsIDidItAgain: Can you explain why the directory option should be
disabled? any security threats? if so what?
Guru: how can i create ACCESS CONTROL LIST?
Madhumita [MSFT] (Expert): @Sreenath - i meant
patient/doctors/administrator
ReenaAnand: I have a number of tables in a DataTable. In one table there
is a field city. How will I search the data to find a city name,
namely 'ABC '?
Ramesh: yes opps, the person can know, how and where the files are
stored, what other files are in the directory..
sreenath_ambassador: Madhumita: yes, i want the patient to be able
to mark his/her post as private/public. the query's visibility must
depend on that.. can i know how that can be done
Ramesh: Reena: public System.Data.DataRow[] Select(string
filterExpression), member of System.Data.DataTable
Srinivasulu [MSFT] (Expert): OppsIDidItAgain: Can you explain why
the directory option should be disabled? any security threats? if so
what? -> It's a security threat if users can see the files
(including the config files that you are using to store the
passwords) that are present in the webroot directory.
funkster_smokey: Can I use Kerberos Authentication in an ASP.NET app,
and if yes, then how?
Sivakumar GA[MSFT] (Expert): funkster, you can use Kerberos
authentication in an ASP .NET app. But you would have issues if you
want to access the ASP .NET app from an external network, as
typically the Kerberos KDC will not be accessible.
manikandan: hi everybody! How To: Protect Forms Authentication in
ASP.NET 2.0?
Srinivasulu [MSFT] (Expert): manikandan: hi everybody! How To:
Protect Forms Authentication in ASP.NET 2.0? -> Do you want to know
about forms authentication in Asp.Net 2.0?
manikandan: yes
Ramesh: how can I enable this option:
http://websitename/tagname
where tagname can be any string. (Normally IIS takes you to the
Virtual Directory with tagname, else displays a 404 error)
Guru: Srinivasulu, is it possible to implement single sign-on with the
help of Forms Authentication?
shailender: I am confused here. Is the session specific to the user that is
accessing the application, or is it the user with the IIS server? What I need
to know is that if IIS creates sessions specific to applications, then
how could two applications share the same sessions?
Sivakumar GA[MSFT] (Expert): funkster, you can use Kerberos
authentication in an ASP .NET app. But you would have issues if you
want to access the ASP .NET app from an external network, as
typically the Kerberos KDC will not be accessible. You can find
more details at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp
shailender: and what could we achieve by doing so?
shailender: if we can share sessions across applications?
Saravanavel [MSFT] (Expert): @Shailendar - Sessions can be stored in
a State server or in SQL server and multiple web applications can
use this to share the session information.
Guru: i think in case of session sharing ..we can use process model
as web garden
shailender: I could guess that an example could be single sign-on
for multiple applications? Correct me if I am wrong.
Saravanavel [MSFT] (Expert): @Shailendar - Yes, you can do that.
Mostly the SQL server approach is used when multiple web servers are
involved for load balancing and you want to share the session across
the servers. You can read here for more information -
http://support.microsoft.com/default.aspx?scid=kb;en-us;815162
Vinay: hi buddy... I want to create an intranet site and I need to
check the user information through his network login... what is the
best way to develop it?
Madhumita [MSFT] (Expert): @Sreenath - where are you going to store the
queries?
Srinivasulu [MSFT] (Expert): The difference between forms
authentication in ASP.NET 1.0 and 2.0 is that there are custom auth
controls provided in asp.net 2.0 that reduce the pain for
developers in developing login pages. And asp.net 2.0 provides
membership providers that allow the user information to be
stored. Essentially asp.net 2.0 reduces the pain for developers in
providing forms authentication.
Priya: hi buddy... I want to create an intranet site and I need to
check the user information through his network login... what is the
best way to develop it ---> Hi Vinay. You can use the Windows
authentication method.
funkster_smokey: How can I prevent details of errors being sent back
to the client?
Madhumita [MSFT] (Expert): Sreenath- where are you going to store
the information?
manikandan: how to secure the web service ?
funkster_smokey: Instead of that big stack
shailender: I have got it, thanks for your inputs.
Sivakumar GA[MSFT] (Expert): funkster, you should use the
customErrors option in web.config so that the details of exceptions
are not shown to the end user, and also you can show a custom error
page.
funkster_smokey: Trace, can I put something else?
sreenath_ambassador: wouldn't it be best if we store the queries in a
SQL table as well?
Sravanthi [MSFT] (Expert): Guru, yes it is possible to have single
sign-on using forms authentication
ReenaAnand: I have three layers in my project, namely
Presentation, Business and Data layer. In the Data layer I am getting some
DB exception. How do I print it in the Presentation layer?
Srinivasulu [MSFT] (Expert): Ramesh: how can I enable this option:
http://websitename/tagname
where tagname can be any string. (Normally IIS takes you to the
Virtual Directory with tagname, else displays a 404 error) -> If you
want to redirect this url to some other url, create a virtual
directory with the name "tagname" and set the redirection properties
to the url you want to redirect to.
Guru: then Sravanthi, what's the difference that we have between
passport authentication and forms?
Sushant: Hi all, sometimes I am facing "aspnet_wp.exe (PID: 2768)
was recycled because memory consumption exceeded the 306 MB (60
percent of available RAM). "
Sasi [MSFT] (Expert): manikandan: You can use WSE, Web Services
Enhancements 3.0. More information can be found at
http://msdn.microsoft.com/webservices/webservices/building/wse/
Ramesh: Srinivasulu: if I am making a website with tags (just like
Technorati), I cannot create a virtual directory for each tag
specified by the user.
OopsIDidItAgain: can somebody tell me what is Canonical ACL and
non-Canonical ACL please?
Srinivasulu [MSFT] (Expert): Guru: then Sravanthi, what's the difference that we have between
passport authentication and forms? -> Through passport auth,
Microsoft takes care of storing the critical user credentials and
provides single sign-on, whereas with Forms auth you need to store
user credentials in the database.
Vasan: guru, Passport Authentication will only authenticate the
email ids of whoever registers the passport
Guru: only mail ids
Priya: ReenaAnand: I have three layers in my project, namely
Presentation, Business and Data layer. In the Data layer I am getting some
DB exception. How do I print it in the Presentation layer? ---> you can
store it in the stack and pass it to the presentation layer
shailender: Can we do authorization/authentication through an HTTPModule? If yes, how?
Sivakumar GA[MSFT] (Expert): ReenaAnand, you can pass back an error
code from the db layer which you can use to show an appropriate
error message on the presentation layer. I believe you are not
looking at showing the complete exception stack to the end user.
Vasan: yes, only email ids; co-branding is also possible
Guru: ok
Srinivasulu [MSFT] (Expert): Ramesh: Srinivasulu: if I am making a
website with tags (just like Technorati), I cannot create a virtual
directory for each tag specified by the user -> If you want to
implement multiple tagnames and redirect based on that, you can
implement an ISAPI extension for this that reads all the requests,
then parses the tagname and redirects to the correct url based
on the tagname.
Madhumita [MSFT] (Expert): @sreenath - ok... in that case you can
have two tables, one that stores the private and one the public questions.
Doctors have access to both the private and public tables. The
patients should be able to access only the public table. In addition
to that they must be able to access their own private questions;
this can be done by sending the user information in the query to the
database.
Vinay: Also, guru, passport authentication is used whenever there are
multiple web applications and you require a single sign-on for them
Sravanthi [MSFT] (Expert): Sushant, you can refer to
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/DBGch02.asp
for more details about the error you are getting
ReenaAnand: ok
Vasan: for example, go to any msn.com special sites or msn.co.uk
special site and register for their contest, you will know the exact
difference
Guru: sravanthi: can you tell me how we can create the access
control list for FileAuthorizationModule?
Narasimha Murty: Hi One and All. What is the significance of
IUSR_MachineA/c and IWAM_MachineA/c? What will be the impact on my
application if I change it to some other domain user account?
Please clarify.
sreenath_ambassador: ok... that should be pretty easy. thanks
Madhumita.
Guru: IUSR_MACHINE is for windows authentication
Guru: it's a windows access token
Srinivasulu [MSFT] (Expert): Narasimha Murty: Hi One and All. What
is the significance of IUSR_MachineA/c and IWAM_MachineA/c? What
will be the impact on my application if I change it to some other
domain user account? Please clarify -> IWAM_Machine A/c is the
account in which the IIS service runs. IUSR_Machine A/c is the
account under which that particular app pool runs.
Saravanavel [MSFT] (Expert): @Guru - FileAuthorizationModule is used
for checking the ACL for ASP.Net registered file types like .aspx,
.ascx etc.
Guru: yes
Sushant: Thanks Sravanthi. Actually I have to use a very large amount
of data. Is it ok if I keep that data in session? Is there any
method to increase the size of the Session?
Guru: I am asking how the ACL is created?
shailender: Expert please: Can we do authorization/authentication
through an HTTPModule? If yes, how?
Srinivasulu [MSFT] (Expert): Narasimha Murty: Hi One and All. What
is the significance of IUSR_MachineA/c and IWAM_MachineA/c? What
will be the impact on my application if I change it to some other
domain user account? Please clarify - You can change it to any
domain user account you want, but you need to make sure that the
domain user account has the right privileges (not more, not less).
sreenath_ambassador: I have one more question. I tried using the
login feature provided in VS2005. According to that, a database file
should be automatically created in the App_Data folder when I use
the create_user control, right? But it's not happening here. Any idea
why?
manikandan: how to do role based security in web service ?
Vinay: IUSR_Machine A/c is used by IIS for anonymous logins. You can
see this account under My Computer --> Manage --> Users
Ramesh: thanks, Srinivasulu. But it would be simpler if ASP.NET
had a simpler way to do this. Can this be made a feature request?
Narasimha Murty: Srinivasulu --- What privileges does the domain
user need to have? Any info or URL that you have that provides me
that info?
Srinivasulu [MSFT] (Expert): Ramesh: thanks, Srinivasulu. But it would be simpler if ASP.NET
had a simpler way to do this. Can this be made a feature request? -
Thanks for the feedback Ramesh
Guru: Vinay, not only for anonymous users but also for
FileAuthorizationModule, for authenticated users
Vinay: I agree
funkster_smokey: Hi All, I came across a problem: whenever any error
occurs in my app it writes to the Windows event log. Why?
funkster_smokey: occur
Abu: When you are talking about Security, obviously a question will come
about cryptography... I have implemented SSO using Asynchronous
Cryptography. In this regard I don't want to store the Private Key in
a file. Continued...
Abu: There I used KeyStore but I faced a problem when I deployed
in a web farm / garden environment. Is there any solution?
Srinivasulu [MSFT] (Expert): sreenath_ambassador: I have one more
question. I tried using the login feature provided in VS2005.
According to that, a database file should be automatically created in
the App_Data folder when I use the create_user control, right? But
it's not happening here. Any idea why? -> Did you create a user using
the create_user control by going to the page that has the control?
If yes and still the database file is not created, please check the
ASP.Net configuration in IIS and check the membership provider
you are using. You might not be using the Access membership provider.
Panasaram: actually what is event log?
Deepak (Moderator): We have another 30 minutes to go!
Guru: Experts: please tell me how the ACL is created?
manikandan: how to use SSL to secure communication with SQL Server
2005?
Guru: Experts please tell me how the ACL is created?
Abu: What is the best way to protect the key for Symmetric Cryptography?
Sravanthi [MSFT] (Expert): Sushant, SQL Server is a solution that is
well-suited to large amounts of session state.
Srinivasulu [MSFT] (Expert): Narasimha Murty: Srinivasulu --- What
privileges does the domain user need to have? Any info or URL that
you have that provides me that info? - It depends on the app and the
privileges that your app needs. But the minimum privilege it needs
is that it should be part of the IIS_WPG group.
Sushant: thanks Sravanthi, I will try
Sivakumar GA[MSFT] (Expert): Abu, you should look at storing the key
in the registry and securing it with a proper ACL.
srikar: Can anyone shed light on additional features in VS2005, e.g.
the login control?
Vasan: Hi Panasa, In Windows XP, an event is any significant
occurrence in the system or in a program that requires users to be
notified, or an entry added to a log. The Event Log Service records
application, security, and system events in Event Viewer.
Sasi [MSFT] (Expert): Abu: You can use AES >=128 bit for symmetric
cryptography
Srinivasulu [MSFT] (Expert): Srikar : I found this article to be
pretty useful
http://msdn.microsoft.com/msdnmag/issues/04/06/ASPNET20Security/
Vasan: more examples can be shared in the Windows event log dialog
Vinay: I am using ASP.NET 1.1. I am trying to send mail through
Outlook. I have added the Outlook COM component from Add References. Now
when I am trying to run the application it's giving me an error when I
am creating the COM object in line 1. I tried impersonation but i
Outlook.Application objOutlook = new Microsoft.Office.Interop.Outlook.Application();
Outlook.MailItem objMessage; // = new Microsoft.Office.Interop.Outlook.MailItem();
objMessage = (Outlook.MailItem)objOutlook.CreateItem(Microsoft.Office.Interop.Outlook.OlItemType.olMailItem); // (olMailItem);
objMessage.To = "vinaykumar_singh@satyam.com";
objMessage.Subject = "Youve Got Mail !";
objMessage.Body = "Hello world.";
Guru: Experts: please tell me the difference between manually
configuring security and programmatic security? which one is more
advanced? or advantageous?
Sivakumar GA[MSFT] (Expert): manikandan, you can use either IPSec or
TLS in order to secure your communication between the database
server and the web server.
Vasan: There are 2 types of logs: one is the application log and the other
one is the security log
sreenath_ambassador: @Srinivasulu-> does it modify or add anything
to the web.config file that we can verify with?
srikar: thank you, I'll go through it.
Vasan: The application log contains events logged by programs. For
example, a database program may record a file error in the
application log. Events that are written to the application log are
determined by the developers of the software program.
Guru: please tell me the difference between manually configuring
security and programmatic security? which one is more advanced? or
advantageous?
funkster_smokey: Event log is log of all events that your app has
created
Vasan: The security log measures valid and invalid logins
Vinay: but in vain. It's giving me an error in line 3 at CreateItem() as
System error Runtime.Com.Interop error. Please help
Abu: It's my general practice to keep columns - CreatedBy,
CreatedOn, LastModifiedBy and LastModifiedOn - for Auditing/Logging
purposes on every record... Is there any standard procedure which
will take care of these without adding new columns???
Vasan: There is one more log called as system log where you will get
the logon information of windows components
Vasan: that's it
Srinivasulu [MSFT] (Expert): Vinay: but in vain. It's giving me an error
in line 3 at CreateItem() as System error Runtime.Com.Interop error.
Please help -> I am sorry, it's not easy to debug just looking at the
code. I think it's better to use SMTP to send a mail rather than
using an Outlook object.
Madhumita [MSFT] (Expert): securing a web service - please use this
link
http://www.microsoft.com/learning/syllabi/en-us/2524Cfinal.mspx#EWBAC
Module 7 here deals with the security aspects.
Sivakumar GA[MSFT] (Expert): Guru, Security features should be
enabled by means of correct configuration and using the appropriate
security techniques in your program. It may not be correct to look
at these in isolation.
srikar: can anyone suggest me a url for using .net remoting?
Vinay: the problem is I don't have SMTP access in my company. This
code is working fine in Windows application but not in Web
application
Guru: ok Siva.. but my doubt is that, if we just use configurable
security, will that be a problem if more users are added dynamically
to the system
Sushant: Hi Srinivasulu but the same Outlook code is working fine in
windows application
funkster_smokey: For .net remoting: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html/hawkremoting.asp
shailender: I have an SMTP server and I'm trying to send mail through that,
but my mail is lying in the queue folder and not going anywhere from
that folder
Abu: Asynchronous Cryptography - There I used KeyStore but I faced a
problem when I deployed in a web farm / garden environment. Is
there any solution?
Ramesh: What will be the effect of WinFX on ASP.NET?
sri: Hi, I want to control my window services from an aspx page. The
code is working for listing the services running on local system,
but when trying to list the services on remote system it is giving
an error message
Panasaram: srikar, .net remoting is clearly given in the help of
Microsoft.
sri: I am unable to start or stop services running on my local
system also
Saravanavel [MSFT] (Expert): @Shailendar - You need to make sure
your smarthost and other entries are configured correctly
Guru: Siva: we use config and we may have specified only, for example, 10
users and roles, but if I add more than 10 users, will they get
access?
Abu: KeyStore - This is for one particular machine private/public
key works fine but not for multiple machine
srikar: thanks panasaram for your advice
Saravanavel [MSFT] (Expert): @Shailendar - You can do a telnet
connection to the SMTP server (at whichever port the server is
running, the default is 25) and make sure that the relaying is
enabled at your SMTP server level
Vinay: Shailendar --> may be this site can help you......
http://www.windowsitlibrary.com/Content/141/09/1.html
Sivakumar GA[MSFT] (Expert): Guru, by configurable security, I was
referring to the configurations on your app and IIS. Otherwise,
yes, you need to consider whether your solution will scale when the
number of users increases.
CoolBreeze: Hi everybody, sorry to interrupt. I have a question
regarding sqlxml and security.
Srinivasulu [MSFT] (Expert): Sri: Under which account is your web app
running? The account under which the web app is running should
have administrator privileges on the machine on which you want to
control the services.
OopsIDidItAgain: Saravanavel, isn't telnet to port 25 considered a
threat, as most of the rootkit attacks are done through this
vulnerability?
sri: i added aspnet account to administrator group, but still I am
getting the problem
Priya: Sri, check that your Windows login Id has enough permissions to
start/stop the windows services
shailender: What are the entries I have to modify for that?
What is a smarthost?
Vinay: Hi Srinivasulu... I have done this also (adding aspnet to
the admin account), the application is running under the ASPNET account and still I
am getting problems
Saravanavel [MSFT] (Expert): @OopsIDidItAgain -> If you are
connecting to an SMTP server to relay your messages, you need to know
where the SMTP server is running. The default port is 25, but if your
SMTP server is running on some other port, you need to connect to
that.
CoolBreeze: I have stored procs to get data based on criteria and
xsl to filter it and show it as html into my page.
sri: I am able to start and stop services from
Administrative Tools -> Services. My system and the remote system have the same
password also
Ramesh: Sravanthi: My project deals with a Relational Distributed File
System
(http://www.microsoft.com/india/nationalfinals/Acad_RDFS.aspx). I
want to know more about WinFS. How can I interact with the WinFS team?
(Sorry for asking a question not related to the topic)
Abu: Security Guidelines: ASP.NET 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGGuidelines0001.asp
Deepak (Moderator): May I request the attendees to please stick to
the topic in discussion?
Srinivasulu [MSFT] (Expert): sri: I am able to start and stop
services from Administrative Tools -> Services. My system and the remote
system have the same password also -> The same password doesn't suffice; the
user under which your webapp is running should be a domain user
account that has administrator privileges on both machines.
CoolBreeze: In this case do we need to consider any specific
security aspects other than the default?
sri: I faced a similar problem while my Windows service was trying to
create a file on a remote machine. But the problem was solved when
the service was running as the Administrator account (changed logon to
the Administrator account from Local System)
OopsIDidItAgain: Saravanavel, but some security policies say don't
listen on standard ports, so they used to have port forwarding for
protecting the servers.
Srinivasulu [MSFT] (Expert): sri: I faced a similar problem while my Windows service was trying to
create a file on a remote machine. But the problem was solved when
the service was running as the Administrator account (changed logon to
the Administrator account from Local System) -> Yes, as I said, you should
add the user under which the web app is running to the
administrators group
OopsIDidItAgain: what will happen if 100000 people telnet to your
SMTP server? The SMTP server is not designed to handle telnet queries,
right?
Abu: ASP.NET 2.0 Security FAQs - From Channel 9. This is a very nice
collection.
http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.ASPNET2SecurityFAQs
sri: I added the account to the Administrator account and tried, but it
didn't work
Priya: sri, if your asp account has admin permission, you can
start/stop the windows services on the server, but not on the
client/local machines.
Guru: Experts: how do ASP.NET authentication and authorization help in
a distributed environment, like when we have multiple platform servers?
ITVIDYA: ?
Madhumita [MSFT] (Expert): @coolBreeze - use stored procedures for
accessing the database, don't allow any SQL injection, and validate
data before displaying to avoid XSS
sri: Priya, does it mean that I cannot start/stop services on a
remote machine?
Srinivasulu [MSFT] (Expert): Guru: Experts: how do ASP.NET
authentication and authorization help in a distributed environment,
like when we have multiple platform servers -> Can you explain to me what
you meant by multiple platform servers?
Guru: Experts: for example, a scenario like asp.net interacting with J2EE for
getting a file?
ITVIDYA: HI
Mohan: hi vidya
funkster_smokey: madhumita : what is SQL injection?
ITVIDYA: Hi Mohan..Ajay from ITVidya.com : India's first technology
blogging network
Mohan: okay
Saravanavel [MSFT] (Expert): @OopsIDidItAgain: We are discussing
about configuring your IIS SMTP service to send mails through SMTP.
If you are designing the application, then you need to have a server
to relay your mails. We are not discussing about attacking an
external SMTP server.
Deepak (Moderator): We have 10 minutes to go
Ramesh: funkster : SQL injection is a security vulnerability that
occurs in the database layer of an application. Its source is the
incorrect escaping of dynamically-generated string literals embedded
in SQL statements. It is in fact an instance of a more general
Sankar: I am using .Net framework 1.1. PageLoad is being called twice
even though I set AutoEventWireUp to False. What could be the possible
reason?
Srinivasulu [MSFT] (Expert): Guru: Experts: for example, a scenario like
asp.net interacting with J2EE for getting a file? -> No, you need to
write Java code in the J2EE environment to understand the cookies
written by ASP.Net forms auth. I am not sure anyone in the community
has code to do this.
Mohan: sri: Priya, does it mean that I cannot start/stop services on
a remote machine? You can stop a Windows service on a remote machine
also
Sravanthi [MSFT] (Expert): Sql injection: go through this:
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
sri: Priya, does it mean that I cannot start/stop services on a
remote machine? You can stop a Windows service on a remote machine
also -> How is that possible?
Guru: Experts: a clear scenario: we have a web application
running with asp.net, it's connected with many servers (Linux and
Windows), so server1 (asp.net) needs to check the credentials of
a user belonging to server2 (J2EE). How can we do that?
CoolBreeze: @Madhumita - By using an xmlhttp post we can execute
stored procs and transform to show html. Assume that this happens
on click of a button/link. Why shouldn't we use this technique?
Deepak (Moderator): 5 Minutes to go!
Ramesh: Experts, I am not sure, but can't web services do what Guru
wants to do?
Srinivasulu [MSFT] (Expert): Guru: Experts: a clear scenario: we have a web application
running with asp.net, it's connected with many servers (Linux and
Windows), so server1 (asp.net) needs to check the credentials of
a user belonging to server2 (J2EE). How can we do that? -> Then you
can't use ASP.Net forms auth. You need to write your custom auth
code in ASP.Net to understand the cookies generated by your Java
code.
sri: Mohan: sri: Priya, does it mean that I cannot start/stop
services on a remote machine? u can stop a Windows service on a
remote machine also -> How is that possible?
Deepak (Moderator): Last 2 minutes to go
Kri: guru, the only way of passing credentials info in an interop
way today is WS-Security
Deepak (Moderator): The Experts may please make this their last
question
Guru: what if the server which uses j2ee doesn't support cookies?
bala: I am working on some kind of web and distributed applications
right now
Sankar: I am using .Net framework 1.1. PageLoad is calling twice
even though I set AutoEventWireUp to False. What could be the
possible reason?
Ramesh: sri: This might help you
http://www.codecomments.com/archive300-2005-2-400208.html
Deepak (Moderator): Dear participants, we are done.
Deepak (Moderator): That was a great Chat that we had.
Deepak (Moderator): In case the experts wish the participants to contact
them directly, you are free to share your Email IDs with them.
Guru: ok we shall continue with the next session
Guru: happy weekend
Mohan: sri, have a look at this document, it might help u out
http://www.codeguru.com/Cpp/W-P/system/ntservices/article.php/c5787/
Sravanthi [MSFT] (Expert): CoolBreeze, always use parameterized SQL
queries and encode output before displaying
Ramesh: Thank you experts, Moderator and fellow participants
Deepak (Moderator): A warm thanks to all the experts for joining us
today
Deepak (Moderator): Before we sign out, may I announce the two lucky
winners of the Chat?
Vinay: When is next Session.................
Deepak (Moderator): The Best Technical Question asked during the
Chat is
Mohan: thannx deepak
shailender: thanks
Deepak (Moderator): if there are two sites hosted on the same server,
can the session of one site be passed across to the other
application?
Guru: happy weekend pals
sri: Thanks Mohan
Abu: Deepak We have an exciting prize for the "Best Technical
Question" during the session, as well as one for a "Lucky
Participant".
Deepak (Moderator): And the recipient of this prize is
Abu: Who rc the winners?
Deepak (Moderator): Shailendar
shailender: thanks deepak
Deepak (Moderator): And
funkster_smokey: Thank you experts, attendees and moderator.......
Mohan: congrats shailendar
ITVIDYA: Congrats Shailendra , well done
Deepak (Moderator): The Lucky recipient of the surprise gift is
CoolBreeze: Congratulations Shailendar
Abu: Congrats... Shailendar
Deepak (Moderator): Priya
Ramesh: Congratz shailender
Deepak (Moderator): May I request both of you to please write to me
at v-deraje@microsoft.com to claim your prizes.
Mohan: congrats priya
funkster_smokey: Congrats to all the winners
Ramesh: congratz Priya
bala: congrats winners
shailender: thanks everybody
sri: Thanks Ramesh and Priya
ITVIDYA: Hey Priya , congrats ..
Abu: Congrats Priya 2
Priya: Thank you, Deepak
Srinivasulu [MSFT] (Expert): Thanks guyz
ITVIDYA: when is the next chat ?
Deepak (Moderator): Thanks a lot for joining us today
sri: Deepak (Moderator): if there are two sites hosted on the same
server, can the session of one site be passed across to the other
application? -> What is the answer?
Saravanavel [MSFT] (Expert): Thanks people. It was a great time
chatting with you all.
Deepak (Moderator): Till we meet again...
Deepak (Moderator): Good bye and take care
Sasi [MSFT] (Expert): Thanks Guys. You can mail me on
sasiv@online.microsoft.com if you have any questions on Code Access
Security model
Priya: Thanks everybody
Sravanthi [MSFT] (Expert): Thanks guys. You can contact me at
srandhav@microsoft.com for any queries
Saravanavel [MSFT] (Expert): if you have any more questions, you can
reach me at saravanb
Saravanavel [MSFT] (Expert): saravanb@online.microsoft.com
Sivakumar GA[MSFT] (Expert): Thanks all for participating in the
chat... In case you have any more questions you can contact me at
sivaa@online.microsoft.com
Srinivasulu [MSFT] (Expert): For more questions on ASP.NET auth,
send them to srip@online.microsoft.com
Mohan: thanx madhumitha, sarvan, sasi, sivakumar, sravanthi, srinivasulu
Madhumita [MSFT] (Expert): if you have any more questions please mail
me at mjena@online.microsoft.com
Vinay: thanks to all experts