Wednesday, December 24, 2008

Enabling SSL in IIS

How to Configure Certificates to Enable SSL in IIS?

Use SSL in IIS to protect the communication channel between your WCF enabled web application and the web client. SSL protects sensitive data on the network from being stolen or modified.

The following are the steps to configure certificates for Secure Sockets Layer (SSL) communication in IIS.

1. Click Start and then click Run.
2. In the Run dialog box, type inetmgr and then click OK.
3. In the Internet Information Services (IIS) Manager dialog box, expand the (local computer) node, and then expand the Web Sites node.
4. Right-click Default Web Site and then click Properties.
5. In the Default Web Site Properties dialog box, click the Directory Security tab, and then in the Secure Communications section, click Server Certificate.
6. On the Welcome screen of the Web Server Certificate Wizard, click Next to continue.
7. On the Server Certificate screen, select the Assign an existing certificate radio button option, and then click Next.
8. On the Available Certificates screen, select the certificate you created and installed in previous step, and then click Next.
9. Verify the information on the certificate summary screen, and then click Next.
10. Click Finish to complete the certificate installation.
11. In the Default Web Site Properties dialog box, click OK.

Monday, December 22, 2008

Creating Temporary X.509 Certificates

How to Create a Temporary X.509 Certificate for Message Security


Use the following steps to create a temporary X.509 certificate for message security:

1. Create a certificate to act as your Root Certificate Authority

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer


2. Create a Certificate Revocation List File from the Root Certificate

makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl


3. Install your Root Certificate Authority on the server and client machines. Use MMC to install the RootCATes.cer on client and server machines in the Trusted Root Certification Authorities store


4. Install the Certificate Revocation List file on the server and client machines. Use MMC to install the RootCATes.crl on client and server machines in the Trusted Root Certification Authorities


5. Create and install your temporary service certificate

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer –sr localmachine -ss my -sky exchange -pe


6. Give the WCF Process Identity Access to the Temporary Certificate’s Private Key


7. FindPrivateKey.exe My LocalMachine -n "CN=tempCert"

cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\

4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030"

/E /G "NT AUTHORITY\NETWORK SERVICE":R

The value "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" should be the one returned by findprivatekey

Wednesday, December 17, 2008

Importance of DMBS_Assert Package for Security

The DBMS_ASSERT package was introduced in Oracle 10g Release 2 and backported to Release 1 in the Oracle October 2005 Critical Patch Update. There are currently no references to this package in the 10g Release 2 documentation or on Metalink. The package contains a number of functions that can be used to sanitize user input and help to guard against SQL injection in applications that don't use bind variables.

ENQUOTE_LITERAL Function
Enquotes a string literal
ENQUOTE_NAME Function
Encloses a name in double quotes
NOOP Functions
Returns the value without any checking
QUALIFIED_SQL_NAME Function
Verifies that the input string is a qualified SQL name
SCHEMA_NAME Function
Verifies that the input string is an existing schema name
SIMPLE_SQL_NAME Function
Verifies that the input string is a simple SQL name
SQL_OBJECT_NAME Function
Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object


It is this DBMS_Assert Package that that guarantees immunity to SQL Injection.

Preventing SQL Injection in Oracle

There are three kinds of SQL literal: text, datetime, and numeric. Each deserves separate attention.

Ensuring safety of Datetime literal


  • Use the two-parameter overload, for an input of datatype date, To_Char(d, Fmt), to compose a SQL datetime literal
  • Concatenate one single quote character before the start of this value and one single quote character after its end.
  • Assert that the result is safe with DBMS_Assert.Enquote_Literal().
  • Compose the date predicate in the SQL statement using the two-parameter overload for To_Date(t, Fmt) and using the identical value for Fmt as was used to compose t.
Notice that the mandate in the third bullet is the crucial one. It is this one that guarantees immunity to injection; the first two and the fourth mandates prevent annoying run-time errors.

The procedure p_Safe(), whose first few lines are shown in code below implements this approach. Of course, date is not the only datetime datatype. The same reasoning applies for, for example, a timestamp literal.

-- Code

procedure p_Safe(d in date) is
q constant varchar2(1) := '''';

-- Choose precision according to purpose.
Fmt constant varchar2(32767) := 'J hh24:mi:ss';

Safe_Date_Literal constant varchar2(32767) :=
Sys.DBMS_Assert.Enquote_Literal(q||To_Char(d, Fmt)||q);

Fmt_Literal constant varchar2(32767) := q||Fmt||q;
Safe_Stmt constant varchar2(32767) :=
' insert into t(d) values(To_Date('
|| Safe_Date_Literal
|| ', '
|| Fmt_Literal
|| '))';
begin
execute immediate Safe_Stmt;
….


Ensuring the safety of a SQL text literal

The rules for composing a safe SQL text literal from a PL/SQL text value:

  • Replace each singleton occurrence, within the PL/SQL text value, of the single quote character with two consecutive single quote characters.
  • Concatenate one single quote character before the start of the value and one single quote character after the end of the value.
  • Assert that the result is safe with DBMS_Assert.Enquote_Literal()
Notice that the mandate in the third bullet is the crucial one. It is this one that guarantees immunity to injection; the first mandate prevents annoying run-time errors.


Ensuring the safety of a SQL numeric literal or simple SQL name

The rules for composing a safe SQL numeric literal from a PL/SQL numeric value:
  • Use explicit conversion with the To_Char() overload with three formal parameters. This overload requires that a value be supplied for Fmt. Explicitly provide the value that supplies the default when the overload with one formal parameter is used. This is 'TM'. 'TM' is the so-called text minimum number format model. It returns the smallest number of characters possible in fixed notation unless the output exceeds 64 characters.
  • Explicitly provide the value that supplies the default for the NLS_Numeric_Characters parameter when the one of the overloads with one or two formal parameters is used. This is '.,'.
  • Ensure the safety of the name with DBMS_Assert.Simple_Sql_Name().

Tuesday, December 16, 2008

How to Configure WCF for NATs and Firewalls

NATs and firewalls can impact the strategy by which your WCF clients and services communicate.
Use the following steps to determine WCF configuration for a NAT or firewall:

1. Determine the addressability of the service and client machines. If the service or the client are behind a NAT and are not directly addressable then use a technology such as Microsoft Teredo to enable communication.
2. Determine if there are protocol or port constraints on the service or client machines. For example, port 80 may be open through a firewall but other ports may be blocked.

Once you understand the addressability, protocol and port constraints on your service and its clients you can determine service and endpoint configuration. Use the table in the MSDN article “Working with NATS and Firewalls” at http://msdn.microsoft.com/en-us/library/ms731948.aspx to determine the best configuration for your scenario.

Pan India Solutions Community

The Pan India Solutions Community has been created to provide a networking platform to software professionals,business analyst,technology analyst and students planning for a career in the field of IT Solutions.

This is the first of it's kind Pan India group.The group will organize regular boot camps , on-line solution challenge contests, pod casts , sharing of white papers and articles amongst members.

You can also join the group on linkedin>groups>solutionscommunity

Presentations of First Boot Camp Organized can be found at links below:

http://www.idc.iitb.ac.in/~anirudha/ppts/HCI%20Intro.ppt
http://in.groups.yahoo.com/group/indiasolutionscommunity/

Monday, December 15, 2008

Avoiding Clear Text Passwords

Perform the following steps to avoid sending cleartext passwords over the network:

  • If possible, remove the need for a password at all by specifying ClientCredentialType=”Windows”, ClientCredentialType=”Certificate”, or a custom token that does not require a password.

  • If the user must enter a password, protect the password by specifying either to secure the channel or to secure the messages. Do not specify in the configuration as this will provide no communication security.