Web Security Snippets

Three Hot Topics

Don Kiely

October 30, 2009


SecureASP.NET

LANGUAGES: ALL

ASP.NET VERSIONS: ALL

This month I've had security on my mind a lot, mostly stuff that bothers me. Here are three topics that are important in the Microsoft world of Web security:

  • How Microsoft views the important principle of least privilege,

  • Problems trying to crank down security in Internet Explorer, and

  • The illusion of security when you use secret questions in case a user forgets a password.

 

Microsoft and Least Privilege

Microsoft has added what appears to be the first of a series of articles about least privilege to its TechNet site (http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx). This is great; the more people see about it, maybe the more they'll be encouraged to go with it.

 

But the first article is totally lame. Here are the sections:

  • Introduction

  • The Security Principle of Least Privilege

  • Issues When Running with LUA

  • Secure Your Systems with LUA

  • Moving Forward

 

Sounds reasonable, eh? Except that each section has only two or three short paragraphs with bland generalities. The only practical information in the article is a link to Aaron Margosis' least privilege blog (http://blogs.msdn.com/aaron%5Fmargosis/), which, alas, he hasn't posted to much since early September.

 

Up to the last section, the article is tolerable; although it's light on details, it's fine for awareness.

 

Where it really gets dodgy is in the last section, Moving Forward. After a summary it states, "Future articles about LUA will focus on the experience in the Longhorn release of Windows and beyond." (The emphasis is mine.) Sigh. So basically, what the article does is say that you, dear Windows user, are out of luck for now, but as soon as we release the next version and you upgrade, all will be stellar. Apparently the TechNet folks see no reason to provide any help with coping with today's security threats today, but just can't wait to get us upgraded to the next version.

 

That is, if the least privilege features of Longhorn don't join the many others that have been cut.

 

Irony of IE Security

I use Firefox for virtually all of my Web browsing activities. The only time I knowingly use IE is when I'm going to a site that only works with IE and I really, really want what the site has, or when I'm going to most Microsoft sites.

 

Because I don't use IE much, I cranked down the security for the Internet zone to High. Why take chances?

 

The problem is that I need to poke holes in IE's security to do things on Microsoft's Web sites. For example, at High I can't download files. Well, right now I need to grab a fresh copy of MSDE SP3a, so I have to allow downloads. I could use Firefox to get to the MSDN Universal downloads site, but the treeview list on the left, which is very long and always takes a minute or two to load, can't be collapsed. This makes it very hard and time consuming to find what I want, even when I know the broad category of the item.

 

Oops! But the treeview must be an ActiveX control or some other dynamic widget, because with security set to High it doesn't collapse. So I have to open another hole in IE, the biggest, nastiest of all: ActiveX controls and scripting. Now the problem is that there are so many ActiveX and scripting options under Tools | Internet Options | Security that I have to experiment to find which ones form the magic elixir that lets me have a decent experience with the MSDN download site. And then that magic combination will only work for this part of the site. And if I'm paranoid and ask to be prompted, I have to answer yes to a gajillion dialog boxes that say that scripting is usually safe and do I want to run it on this page, particularly on Microsoft's rich, dynamic sites.

 

Maybe it's time to take a closer look at Michael Howard's article, "Browsing the Web and Reading E-mail Safely as an Administrator."

 

Or, I can just go back to High security in IE and use Firefox, which doesn't use ActiveX at all. Done.

 

Secret Questions = Insecure Site

Do you know how some Web sites try to give users a hand when they forget their password? Usually it's a secret question of the form "What is your mother's maiden name?" or "What are the last four digits of your social security number?" I'm particularly fond that financial institutions I deal with favor these two questions, using information that is painfully easy for anyone to find out about me. I'm sure that I'm not alone in claiming many different surnames for my mother, in a lame attempt to make this charade a bit more secure. Sorry, Mom!

 

Mark Burnett has a short and very interesting article about this subject, "Using Secret Questions," over on the Open Web Application Security Project site (http://www.owasp.org/index.jsp), a project that I'm starting to pay closer attention to these days because of the good information about Web security.

 

In short, secret questions are virtually always far less secure than passwords, providing an easy end-run around a site's authentication procedures. Use them with care, and avoid sites that ask for who Mom grew up as!
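As an added example (not from the column or the OWASP article), here is what "use them with care" can look like in a password-recovery handler: the answer is normalized and hashed like a password, compared in constant time, limited to a few attempts, and a correct answer only yields a one-time reset token for the registered e-mail address rather than a login. The Account record, the attempt limit and the iteration count are constructed for illustration, not taken from any real site.

```python
import hashlib
import hmac
import math
import os
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # illustrative lockout threshold, not a standard
PBKDF2_ITERATIONS = 100_000

def normalize(answer: str) -> str:
    """Fold case and whitespace so "O'Brien " and "o'brien" match.
    The stored form is still hashed below, never kept in the clear."""
    return " ".join(answer.strip().lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)

@dataclass
class Account:
    """Constructed stand-in for the user record a real site would persist."""
    email: str
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

def enroll(email: str, answer: str) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, hash_answer(answer, salt))

def begin_recovery(acct: Account, supplied: str):
    """Return a one-time reset token to e-mail to acct.email, or None.
    The question never logs the user in by itself: the token still has to
    reach the registered mailbox, so a looked-up maiden name is not enough."""
    if acct.locked:
        return None
    if not hmac.compare_digest(acct.answer_hash, hash_answer(supplied, acct.salt)):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True  # further recovery needs out-of-band identity proofing
        return None
    acct.failed_attempts = 0
    return secrets.token_urlsafe(32)

def answer_space_bits(possible_answers: int) -> float:
    """Why the column calls these weak: last four of an SSN is 10**4 answers,
    about 13.3 bits, against roughly 52 bits for a random 8-character password."""
    return math.log2(possible_answers)
```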

 

Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.