Wednesday, 16 April 2014

Techdays NL 2014 Resources Part 1

Thanks to all that came to my session at Defensive Programming. It was great to have such an interactive audience.

Code download: Here

The excellent haveibeenpwned.com by Troy Hunt

ASP.NET Resources

• OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

• Basic Security Practices for Web Applications - http://msdn.microsoft.com/en-us/library/zdh19h94(v=vs.100).aspx

• ASP.NET MVC Security - http://www.asp.net/mvc/overview/security

• Combating ClickJacking With X-Frame-Options - http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

• AntiXSS Toolkit - http://wpl.codeplex.com/

• ASafaWeb - https://asafaweb.com/

• ASP.NET Security Wiki - http://wiki.asp.net/page.aspx/27/security/

IIS Resources

• Security Guidance for IIS - http://technet.microsoft.com/en-us/library/dd450371.aspx

• IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

• URLScan - http://www.iis.net/learn/extensions/working-with-urlscan

• IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/

• IIS Security Tools - http://www.iis.net/community/Security

• Penetration Testing Tools list - http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List

Thursday, 13 June 2013

Defensive Programming 101 at NDC 2013 Resources

Thanks to all who came to my session at NDC.

The following is the list of resources that I suggested at the end of my talk.

ASP.NET Resources

• OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

• Basic Security Practices for Web Applications - http://msdn.microsoft.com/en-us/library/zdh19h94(v=vs.100).aspx

• ASP.NET MVC Security - http://www.asp.net/mvc/overview/security

• Combating ClickJacking With X-Frame-Options - http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

• AntiXSS Toolkit - http://wpl.codeplex.com/

• ASafaWeb - https://asafaweb.com/

• ASP.NET Security Wiki - http://wiki.asp.net/page.aspx/27/security/

IIS Resources

• Security Guidance for IIS - http://technet.microsoft.com/en-us/library/dd450371.aspx

• IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

• URLScan - http://www.iis.net/learn/extensions/working-with-urlscan

• IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/

• IIS Security Tools - http://www.iis.net/community/Security

• Penetration Testing Tools list - http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List

Project Swiss Cheese will be on GitHub within the week.

Tuesday, 16 October 2012

DDD North 2 Resources

At the end of my talk at DDD North 2 there was a massive number of URLs for people to reference later. Here is a copy of all of those links.

ASP.NET Resources

• Web session management security - http://www.isecpartners.com/files/web-session-management.pdf

• OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

• ASP.NET Security Guidance - http://wiki.asp.net/page.aspx/48/security-guidelines-and-recommendations/

• MSCASI tool - http://support.microsoft.com/kb/954476

• AntiXSS Toolkit - http://wpl.codeplex.com/

• ASP.NET Security Guidance - http://blogs.msdn.com/b/nunoc/archive/2006/03/04/543631.aspx

• Advice from SDL - http://blogs.msdn.com/b/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

• ASafaWeb - http://www.asafeweb.com

IIS Resources

• Security Guidance for IIS - http://technet.microsoft.com/en-us/library/dd450371.aspx

• IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

• URLScan - http://www.iis.net/learn/extensions/working-with-urlscan

• IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/

• IIS Security Tools - http://www.iis.net/community/Security

Additional Resources

I will upload a copy of the source files later as a separate post, as worked-through examples.

Tuesday, 10 July 2012

Fixing an SCSM System.Security.Cryptography.CryptographicException

Whoa, that’s a long title!

This morning, I was asked to check our System Center Service Manager portal as it wouldn't load at all. The error was the banal "Internet Explorer cannot display the webpage".

There were a few issues that had to be sorted once I read through the event logs. I sorted them and thought, no problem, the portal should be running again, and tried it. IE did its usual spinning circle thingy and I waited while it decided what it would do. Eventually, when it did return, it showed the usual error: Internet Explorer cannot display this webpage.

When I checked the event logs, I noticed that there was an ASP.NET error repeating itself (warning: long error coming):

An unhandled exception occurred and the process was terminated.

Application ID: /LM/W3SVC/2/ROOT/CustomEndUser

Process ID: 6820

Exception: Microsoft.EnterpriseManagement.ConfigurationReaderException

Message: Feature of type 'Microsoft.EnterpriseManagement.ServiceDataLayer.ISecureStorageManagerFeature, Microsoft.EnterpriseManagement.DataAccessService.Core, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' cannot be added to the container.

StackTrace:    at Microsoft.EnterpriseManagement.ConfigurationReaderHelper.ReadFeatures(XPathNavigator navi, IContainer container)
   at Microsoft.EnterpriseManagement.ConfigurationReaderHelper.Process()
   at Microsoft.EnterpriseManagement.ServiceDataLayer.DispatcherService.Initialize(InProcEnterpriseManagementConnectionSettings configuration)
   at Microsoft.EnterpriseManagement.ServiceDataLayer.DispatcherService.InitializeRunner(Object state)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart(Object obj)

InnerException: Microsoft.EnterpriseManagement.ComponentActivationException

Message: The constructor for the component threw an exception. Please see the inner exception for more details.

StackTrace:    at Microsoft.EnterpriseManagement.ComponentActivator.Activate[T](ActivationContext`1 context)
   at Microsoft.EnterpriseManagement.SingletonLifetimeManager`1.GetComponent[K]()
   at Microsoft.EnterpriseManagement.LifetimeManagerWrapper`2.GetComponent[K]()
   at Microsoft.EnterpriseManagement.FeatureContainer.GetFeatureInternal[T](Type type, String featureName)
   at Microsoft.EnterpriseManagement.FeatureContainer.AddFeatureInternal[T,V](ActivationContext`1 context, String featureName)

InnerException: System.Security.Cryptography.CryptographicException

Message: The profile for the user is a temporary profile.
StackTrace:    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.ImportParameters(RSAParameters parameters)
   at System.Security.Cryptography.RSA.FromXmlString(String xmlString)
   at Microsoft.EnterpriseManagement.Security.AsymmetricKeyManager.Initialize(Byte[] publicKey)
   at Microsoft.EnterpriseManagement.Security.AsymmetricKeyManager..ctor(Byte[] key, Boolean self)
   at Microsoft.EnterpriseManagement.Security.SecureStorageManager.Initialize()
   at Microsoft.EnterpriseManagement.ServiceDataLayer.SecureStorageManagerFeatureImplementation..ctor()

Yeah, it's a lot!

The main thing that stood out amongst all this was the InnerException:

InnerException: System.Security.Cryptography.CryptographicException

Message: The profile for the user is a temporary profile.

A quick check online about temporary profiles revealed how to find these profiles in the registry. Browsing to the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, I could see that there were a couple of keys with the extension .bak. The keys are the SIDs for the user accounts. The application pool account was there, and the normal account had a .bak extension. I deleted the existing one and removed the .bak from the old key.

I recycled the application pool and the portal resumed working as normal.
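The registry check and repair described above, scripted so the affected SIDs can be listed before anything is changed. This is an added example and not code from the original post: the function names Get-TemporaryProfileEntry and Repair-TemporaryProfileEntry are my own, the SID in the usage line is a constructed placeholder, and ProfileImagePath is the standard value under each ProfileList SID key that maps the SID to its profile folder. Run it from an elevated PowerShell session on the server hosting the portal.

```powershell
# Added example (not from the original post). Lists ProfileList SID keys that
# have a ".bak" twin, i.e. accounts Windows has loaded with a temporary profile,
# and optionally applies the fix from the post: remove the live (temporary) key
# and drop the ".bak" suffix from the original key.

$ProfileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-TemporaryProfileEntry {
    [CmdletBinding()]
    param([string]$Path = $ProfileListPath)

    # Every subkey under ProfileList is named after a SID. When a profile fails
    # to load, the original key is renamed "<SID>.bak" and a fresh "<SID>" key
    # is created for the temporary profile.
    $keys = Get-ChildItem -Path $Path
    foreach ($bak in ($keys | Where-Object { $_.PSChildName -like '*.bak' })) {
        $sid  = $bak.PSChildName -replace '\.bak$', ''
        $live = $keys | Where-Object { $_.PSChildName -eq $sid }

        [pscustomobject]@{
            Sid             = $sid
            BackupKey       = $bak.PSChildName
            BackupImagePath = (Get-ItemProperty -Path $bak.PSPath).ProfileImagePath
            LiveKeyExists   = [bool]$live
            LiveImagePath   = if ($live) { (Get-ItemProperty -Path $live.PSPath).ProfileImagePath } else { $null }
        }
    }
}

function Repair-TemporaryProfileEntry {
    # Mirrors the manual fix in the post. SupportsShouldProcess lets you preview
    # the registry changes with -WhatIf before making them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Sid,
        [string]$Path = $ProfileListPath
    )

    $liveKey = Join-Path -Path $Path -ChildPath $Sid
    $bakKey  = "${liveKey}.bak"

    if (-not (Test-Path -Path $bakKey)) {
        throw "No '$Sid.bak' key found under $Path; nothing to repair."
    }

    # Step 1: delete the key that points at the temporary profile.
    if ((Test-Path -Path $liveKey) -and $PSCmdlet.ShouldProcess($liveKey, 'Remove temporary profile key')) {
        Remove-Item -Path $liveKey -Recurse
    }

    # Step 2: restore the original key by stripping the ".bak" suffix.
    if ($PSCmdlet.ShouldProcess($bakKey, "Rename to $Sid")) {
        Rename-Item -Path $bakKey -NewName $Sid
    }
}

# Usage: list every affected SID first, confirm which one is the application
# pool identity, then repair it. The SID below is a constructed placeholder.
Get-TemporaryProfileEntry | Format-Table -AutoSize
# Repair-TemporaryProfileEntry -Sid 'S-1-5-21-0-0-0-1000' -WhatIf
# Repair-TemporaryProfileEntry -Sid 'S-1-5-21-0-0-0-1000'
```

After the repair, recycle the portal's application pool as the post does (for example with Restart-WebAppPool from the WebAdministration module, giving it the pool's name) so the worker process picks up a real profile; the CryptographicException comes from the CSP key container needing a persistent user profile, which a temporary profile cannot provide.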

One of those weird and wonderful errors that pop up to confuse you.