Tales of an Evangelist
Paul Maher, Technical Evangelist at Microsoft in the UK and author of this website, will deliver regular posts covering useful material, events, webcasts and anything that would be useful to YOU in the area of Application Security.
Introduction
Hello and welcome to my page – 'Tales of an Evangelist'. As the name suggests, I am a Technical Evangelist at Microsoft in the UK. I focus on Microsoft's next generation technologies and Application Security.
On this page I will talk about anything and everything Application Security-related. My goal is to provide you with useful information to help you 'Write Secure Code'.
New This Month!
User Account Control in Windows Vista
I'm sure most of you are aware that Microsoft have a new operating system soon to be released called Windows Vista. This is the next generation desktop operating system, which will supersede Windows XP. If you would like to find out more take a look at the Windows Vista homepage. One of the first things that you will notice when you use Windows Vista and begin to launch applications is User Account Control (UAC). So what is UAC? UAC is a core security component of Windows Vista. Its goal is to reduce the attack surface of the operating system by having all users run as standard users and limiting administrator-level access to authorised processes. With UAC you run most applications, components and processes with limited privilege and "elevate" only for specific administrative tasks and application functions. This significantly reduces the opportunity for malware (viruses, spyware and so on) to take administrative control of the machine: code running in your standard-user context cannot silently modify the operating system. How UAC presents itself to you depends on its configuration, on the privileges of the logged-on user and on whether the application you are launching is signed. Let's review some scenarios:
Case 1 – You are logged on as a member of the Administrators group and try to run an unsigned application that requires Administrator privileges. Even though you are a member of the Administrators group, you are running as a Standard User: at logon UAC gives you a filtered token without administrative rights, and your full administrator token is used only for the processes you choose to elevate. Because this application needs administrative rights, you have to approve the elevation. By default UAC is configured to prompt Administrators for consent before elevation takes place; because the application is unsigned, the prompt also warns that its publisher cannot be identified.
Case 2 – You are logged on as a user who is not a member of the Administrators group and try to run an application that requires Administrator privileges. Because this user has no administrator token to elevate to, the prompt asks for an Administrator's credentials (user name and password) rather than simple consent, and the elevated application then runs under that administrator's account rather than the logged-on user's.
Case 3 – Another good indication that you are interacting with UAC in Windows Vista is the security shield icon, which you will see on buttons, command links and so on. In the following scenario you will note that changing the "Date and Time" requires elevated privileges, as indicated by the security shield icon on the "Change Date and Time..." button.
UAC elevation prompts are displayed on the secure desktop, a separate desktop on which only processes running as SYSTEM can draw. This mitigates spoofing attacks: a program running as the user cannot fake the prompt, read what you type into it or click "Continue" on your behalf.
It's safe to assume that UAC will have a considerable impact on applications running on Windows Vista. If you are in the business of writing software you should be making provision now for testing your applications for compatibility under UAC on Windows Vista. Be aware that protected locations in the file system ("Program Files") and in the registry (HKLM) are writable only by administrators, so an application that writes to them at run time is considered bad practice under Windows Vista; per-user settings and data belong in the user's profile (HKCU or the user's application data folder) instead. For backward compatibility a mechanism called virtualization redirects a legacy application's writes to "Program Files" and HKLM into a per-user virtualized file and registry location, so the write appears to succeed. Virtualization applies only to 32-bit interactive applications that carry no manifest (64-bit applications and services are never virtualized), and it is a compatibility shim rather than something to rely on: a process that later reads the data back while elevated, or as a different user, will not see it.
If you are writing an application to be UAC aware, you need to add an application manifest. The presence of a manifest immediately tells UAC not to use virtualization for that process, so any write to a protected location now fails with an access-denied error instead of being silently redirected, which is exactly what you want to see during compatibility testing. Inside the manifest you define the privileges the application requires with the "requestedExecutionLevel" element, which takes one of three values: requireAdministrator (the application only ever runs with a full administrator token, so launching it always triggers the consent or credential prompt), highestAvailable (the highest privilege available to the logged-on user: an administrator is prompted to elevate, while a standard user runs unprompted with standard privileges) and asInvoker (the same token as the parent process, so no prompt is ever shown). Most applications should use asInvoker and elevate only the specific administrative task, rather than requiring administrator rights for the whole application.
There are several great resources to get you up and running with UAC:
1. User Account Control - Homepage – Comprehensive overview of UAC
2. UAC Blog – Blog regularly updated by the UAC product team
3. Microsoft Standard User Analyzer – This tool helps diagnose issues that would prevent a program from running properly as a Standard User.
4. Microsoft Application Security Website – UK Application Security website containing a wealth of Application Security resource
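As an added example (my own code, not code from the original page or from Microsoft), here is the pattern a UAC-aware Windows Forms application follows on Windows Vista. The manifest the prose describes is shown in the leading comment, and the three runtime pieces are: detecting whether the process is already elevated, relaunching the administrative part of the program through the "runas" verb (which is what produces the Case 1 consent prompt or the Case 2 credential prompt), and marking the button that starts it with the shield from Case 3. The class and method names (UacHelper, IsElevated, RunElevated, ShowShield) are my own; the Win32 constants BCM_SETSHIELD (0x160C) and ERROR_CANCELLED (1223) are the documented values.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Windows.Forms;

// Added example (not from the original page). A UAC-aware application:
//   1. declares the execution level it needs in its manifest (which also
//      switches file/registry virtualization off for the process);
//   2. checks at run time whether its token is already elevated;
//   3. runs admin-only work in a separate elevated instance started with the
//      "runas" verb, which is what triggers the consent/credential prompt;
//   4. puts the UAC shield on the button that starts that work.
//
// app.manifest, embedded in the executable through the project's
// Application Manifest setting (or with mt.exe):
//
// <?xml version="1.0" encoding="utf-8"?>
// <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
//   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
//     <security>
//       <requestedPrivileges>
//         <!-- level: asInvoker | highestAvailable | requireAdministrator -->
//         <requestedExecutionLevel level="asInvoker" uiAccess="false" />
//       </requestedPrivileges>
//     </security>
//   </trustInfo>
// </assembly>

static class UacHelper
{
    // Under UAC a member of Administrators who has not elevated runs with a
    // filtered token in which the Administrators group is marked deny-only,
    // so IsInRole(Administrator) is false until the process really is elevated.
    public static bool IsElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // Start exePath elevated and wait for it. The "runas" verb asks the
    // Application Information service to show the elevation prompt on the
    // secure desktop. Returns false if the user declined the prompt.
    public static bool RunElevated(string exePath, string arguments)
    {
        const int ERROR_CANCELLED = 1223;   // user clicked Cancel on the prompt

        ProcessStartInfo psi = new ProcessStartInfo(exePath, arguments);
        psi.UseShellExecute = true;         // the "runas" verb needs ShellExecute
        psi.Verb = "runas";
        try
        {
            Process p = Process.Start(psi);
            if (p == null)
                return false;
            p.WaitForExit();
            return p.ExitCode == 0;
        }
        catch (Win32Exception ex)
        {
            if (ex.NativeErrorCode == ERROR_CANCELLED)
                return false;
            throw;                          // anything else is a real failure
        }
    }

    // BCM_SETSHIELD = BCM_FIRST (0x1600) + 0x000C; needs common controls v6.
    private const uint BCM_SETSHIELD = 0x160C;

    [DllImport("user32.dll", CharSet = CharSet.Auto)]
    private static extern IntPtr SendMessage(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);

    // Show the shield on a button so the user knows a prompt will follow.
    public static void ShowShield(Button button)
    {
        button.FlatStyle = FlatStyle.System;   // the shield is drawn by the OS theme
        SendMessage(button.Handle, BCM_SETSHIELD, IntPtr.Zero, new IntPtr(1));
    }
}
```

In the form that owns the administrative button, call UacHelper.ShowShield on it when UacHelper.IsElevated() is false, and in its Click handler either do the work directly if already elevated or call UacHelper.RunElevated(Application.ExecutablePath, "/apply-settings") and have the new instance perform only that one task and exit; a false return means the user cancelled the prompt and nothing was changed. Keeping the manifest at asInvoker and elevating only this path is what lets the rest of the application run, and be tested, as a standard user.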
Security Nuggets
Have you heard of a Nugget before? Don't have the time to read a 10-page how-to article or watch a full-length webcast? Try an MSDN Nugget, a webcast that takes you step-by-step through new functionality or a hot developer topic, all in 10-15 minutes. Below is a list of the current security-related Nuggets on the MSDN Nuggets Home Page:
- Using Windows CardSpace with a Web Page – This session shows how to build Windows CardSpace authentication into a simple HTML page. It also illustrates the process of creating a new personal card in Windows CardSpace. (duration approx. 9 mins 36 secs, published on 10/08/2006) Watch as a streaming file | Download as a zip file
- Integrating Your Application with Windows Vista User Account Control – User Account Control will probably impact every application on Windows Vista. This nugget shows how to offer your users an experience consistent with the one they get from the OS and, fundamentally, how to work with UAC. (duration approx. 15 mins, published on 26/06/2006) Watch as a streaming file | Download as a zip file
- Client Certificates – In this session we take a look at how to use X.509 certificates to authenticate clients to IIS-hosted web applications. We look at picking up details of the client certificate from .NET code and also at how to set up certificates within IIS itself. (duration approx. 21 mins, published on 26/06/2006) Watch as a streaming file | Download as a zip file
- Impersonation – Windows is inherently multi-threaded, and within a single process there can be threads running in a security context that differs from that of the process itself. In this session we take a look at how to go about impersonation, how to do it in ASP.NET, and some 'gotchas' around using impersonation. (duration approx. 21 mins, published on 26/06/2006) Watch as a streaming file | Download as a zip file
- Protected Data – In this session we look at using the Data Protection API (DPAPI) to protect data stored on the machine, using key material the operating system already stores securely. We also take a look at how to protect application configuration files using similar techniques. (duration approx. 31 mins, published on 26/06/2006) Watch as a streaming file | Download as a zip file
- Storing Passwords – Storing passwords is dangerous and to be avoided unless you cannot find another mechanism. When you do have to store passwords, this session walks through hashed passwords, salted hashes and iterated salted hashes using the .NET Framework. (duration approx. 23 mins, published on 26/06/2006) Watch as a streaming file | Download as a zip file
And More...
- How to Use CAS with ASP.NET (duration approx. 21 mins 05 secs, published on 23/02/2006) Watch as a streaming file | Download as a zip file (5.9 MB / 14 mins 28 secs at 56 Kbps)
- ASP.NET Database Connection (duration approx. 18 mins 21 secs, published on 23/02/2006) Watch as a streaming file | Download as a zip file (5.1 MB / 13 mins 45 secs at 56 Kbps)
- Securing Web Services with WSE 2.0 (duration approx. 19 mins 27 secs, published on 18/05/2005) Watch as a streaming file | Download as a zip file (5.09 MB / 18 mins 26 secs at 56 Kbps)
- WSE 3.0 Preview: Securing Web Services (duration approx. 19 mins 23 secs, published on 03/10/2005) Watch as a streaming file | Download as a zip file (11.9 MB / 43 mins 16 secs at 56 Kbps)
- How to Encrypt Part of a SOAP Message Using WSE 3.0 (duration approx. 20 mins 02 secs, published on 13/03/2005) Watch as a streaming file | Download as a zip file (8.35 MB / 29 mins 49 secs at 56 Kbps)
- Integrated Code Coverage (duration approx. 14 mins 09 secs, published on 23/02/2006) Watch as a streaming file | Download as a zip file (3.0 MB / 10 mins 49 secs at 56 Kbps)
- Using the Permissions Calculator in Visual Studio 2005 (duration approx. 13 mins 15 secs, published on 23/02/2006) Watch as a streaming file | Download as a zip file (2.6 MB / 9 mins 31 secs at 56 Kbps)
- Windows Communication Foundation: Message Encoding (duration approx. 9 mins 30 secs, published on 30/11/2005) Watch as a streaming file | Download as a zip file (5.97 MB / 14 mins 12 secs at 56 Kbps)
- Windows Communication Foundation: HTTPS Transport Security (duration approx. 28 mins 55 secs, published on 27/02/2006) Watch as a streaming file | Download as a zip file (15.1 MB / 55 mins 03 secs at 56 Kbps)
- Windows Communication Foundation: Message Security (duration approx. 8 mins 24 secs, published on 27/02/2006) Watch as a streaming file | Download as a zip file (5.18 MB / 15 mins 25 secs at 56 Kbps)
- Windows Communication Foundation: Authorisation (duration approx. 15 mins 54 secs, published on 27/02/2006) Watch as a streaming file | Download as a zip file (8.45 MB / 30 mins 11 secs at 56 Kbps)
- Windows Communication Foundation: Auditing (duration approx. 9 mins 00 secs, published on 13/03/2006) Watch as a streaming file | Download as a zip file (4.32 MB / 15 mins 25 secs at 56 Kbps)
Upcoming Website Content
To whet your appetite, here are some of the more exciting features, material and events we have coming in future months:
- Webcasts and nuggets on VS2005, SQL Server 2005 security features and using VSTS to protect what you build
- Security audio casts that you can listen to on the go, either on CD or on your favourite MP3 player
- Writing Secure Code Community Days – industry experts exploiting code in front of your eyes in interactive sessions, and showing you how to resolve those vulnerabilities
Top Three Security Takeaways this Month
1. Keep a watchful eye on this website
2. Consider purchasing copies of the following books:
3. Review the Security patterns & practices
Other Useful Resources
Have you seen 'The Code Room'?
The Code Room is a half-hour internet TV show that exposes technologists to the latest tools and technologies for tackling real-world software development issues. This professionally produced and directed TV show highlights the social, teaming and technical challenges faced when attempting to complete a software development project. Our latest installment is all about developer security.
Breaking into Vegas
In this episode of The Code Room a small group of rogue hackers finds its way into the High Rollers systems at the famous Plaza Hotel & Casino in Las Vegas, Nevada. When the Casino finds out, they call in the 'A Team' to get to the bottom of it. Watch as the Black Hats go for high stakes against the White Hats and the game unfolds in this episode.
Thank you! I would like to say a BIG thank you for visiting the website. I hope you like the look and feel as much as we do and have found the resources useful.
Come back again soon.
–Paul Maher.