Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.

All Tags » Security   (RSS)

  • Tired of all the UAC prompts?

    Norton Labs have created a utility that removes a lot of the UAC annoyances you may be experiencing in Windows Vista. It allows you to configure a list of applications that can be launched in admin mode without incurring a UAC prompt. Great for everyday applications like Visual Studio. A better solution than disabling it completely ;) There is a free beta version available at Norton Labs, both X86 and X64 editions. Read More...
  • SAML and Federated Identity Part 2 - Identity Management

    Last time, I talked a bit about SAML and Federated Identity. It turns out this is a subset of a general area, an area commonly referred to as Identity Management. The issue is how to protect and manage credentials across a wide array of network applications that have different authentication methods and requirements. I talked about SSO last time, mostly around SSO in browsers and web applications. As Pablo reminded me, it's not just web browsers; SAML is trying to solve the problem of SSO in general so that the user can log in once for multiple applications. This is, of course, critical in Real-World services or SOA. All of this points to an effective identity management infrastructure.

    The Elements of an Identity Management System

    Such a solution would be made up of the following capabilities as services [1]:

      • Identity Provisioning Services - Set up users easily; Provision users and roles typically in LDAP compliant sources; Policy definition and enforcement
      • Identity Data Synchronization Services - This is all about synchronizing identity data across a wide range of heterogeneous apps, directories, databases and other stores
      • Access Management Services - SSO access to apps and services across heterogeneous apps, Web Services and resources running on diverse platforms local or network
      • Federation Services - This is one place where SAML comes in to provide a federated framework and authentication-sharing mechanism that is interoperable with existing systems
      • Directory Services

    Read More...
  • Dev Connections Orlando - Get The Code!!!

    Here is my usual post-conference post with updated code samples related to the topics I presented on. I did 2 full day tutorials, and 4 sessions...enjoy! Many of the demos come from my book, Learning WCF. Since there is setup required for most of the samples that illustrate security or rely on a database, it is best you download the entire package of samples and follow the setup instructions provided in the appendix. Here's the link: http://www.thatindigogirl.com/LearningWCFCode.aspx

    TUTORIAL: Improve Your SOA: Designing a Secure, Reliable and Scalable System with WCF

    Samples from my book (see above) illustrate exception handling, MTOM, streaming, MSMQ, pub-sub, transactions, security for intranet/Internet/mutual certificate/claims-based/federated, multithreading, and throttling

    Get my latest routing samples here: http://www.dasblonde.net/downloads/Routers.zip

    Additional error handler code here: http://www.dasblonde.net/downloads/ErrorHandlers.zip

    I have additional samples related to proxies here, including a proxy wrapper to address timeouts and uncaught exceptions that fault the channel: http://www.dasblonde.net/downloads/Proxies.zip

    The chunking channel is in the SDK extensibility samples.

    TUTORIAL: .NET Roadmap

    The following link has instructions for machine setup used for the demos, and numerous references to resources, and code samples demonstrated: http://www.dasblonde.net/downloads/TechnologyRoadmap0308.zip

    SESSION: ADFS and ASP.NET: Supporting Single Sign-On in your Web Read More...
  • Step-By-Step Guide for AD FS - Errata Comments

    I recently spent a painful 30-40 hours setting up VPCs according to the TechNet lab "Step-By-Step Guide for AD FS in Windows Server 2008". The lab is located online here: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true

    In fact, the process didn't have to be so painful except that there are just a few instructions that are less than clear, incomplete or incorrect. Of course, when things don't work as expected I automatically assume that I missed a step, executed a step incorrectly, or just plain didn't know something that the lab instructions assumed everyone knows. So, my natural instinct was to repeat the steps, which I did several times spending many hours since there are 4 VPCs and lengthy installation steps involved for each. As it turns out, just a few fixes to the lab instructions could have avoided all that. A document summarizing the issues can be downloaded from here, with additional screenshots beyond what is discussed below: http://www.dasblonde.net/downloads/ADFSServer2008LabErrata.pdf. I hope you find this helpful if you are trying to follow the lab. If you encounter different problems, please do let me know so I can post updates here.

    Step 1: Preinstallation Tasks

    Section: Configure computer operating systems and network settings

    Before you get started, make sure to turn off the firewall settings on all VPCs. The firewall gets in the way of DNS resolution between machines which causes problems with Read More...
  • New and Notable 232

    WCF/Security/BizTalk/WF/BPEL

      • There are at least 14 distinct Security Scenarios in WCF. It is easily the most confusing area in WCF in my experience, simply because of the many options available. If you combine that with the current industry focus out there on Identity solutions, Federation, and SAML, you have one confusing area. It is good then that P&P is addressing this area with WCF Security application as part of the patterns & practices WCF Security guidance project. Nick also has a post on this.
      • Matzev comments on a serious limitation present in the RTM version of WCF 3.0/3.5 regarding control of WS-RM retry messages. We have encountered this as well.
      • My distinguished colleague, Brian Loesgen, on the West Coast side of our practice has a post on two very useful new BizTalk Resources to make our lives easier
      • BPEL support has come up quite loudly in several engagements lately. It is good to see the BPEL for Windows Workflow Foundation March CTP.

    Technorati Tags: WCF, Security, BizTalk, WF, BPEL Read More...
  • WCF Security Guide from Patterns and Practices

    P&P is putting together guidance for WCF security and is looking for feedback from the community. Now is the time to influence the results from your own practical experience so get in there and review the whole thing or the areas of your greatest interest over the next few weeks! The feedback will be really useful! J.D. Meier's blog has a link here: http://blogs.msdn.com/jmeier/archive/2008/03/27/patterns-and-practices-wcf-security-guidance-now-available.aspx Or, go direct to the CodePlex site: http://www.codeplex.com/WCFSecurity/ Technorati Tags: WCF, Security Read More...
  • Presentation Resources: Tel Aviv User Group(s)

    Thank you very much for attending the presentation last night, I enjoyed all the great questions and discussion, and as promised here is a link to the slides, and resources for the presentation. Get the slides here. Get the code samples from my .NET Roadshow presentations on security, and this includes the federation samples, here: http://www.dasblonde.net/2007/09/15/NET35RoadshowSampleCode.aspx Enjoy! Technorati Tags: WCF, Security Read More...
  • CardSpace: How Personal Cards Protect Users

    I have been working with, writing about and presenting on CardSpace for over 2.5 years now...and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers...everyday people that don't know how to choose which sites are unsafe, which links to click in email, and so on. Consider the following malicious PayPal email: You can see that the "Click here to verify your information" link is not really sending you to the PayPal site. I see this because I hover over the link to verify the destination...but most non-developers won't know to do this. For those unsuspecting users the story might play like this:

      • They go to the destination site, which might look just like the PayPal site.
      • They try to log in, it fails repeatedly.
      • In the meantime, they enter every combination of username and password they use in various sites...perhaps including their online banking site.
      • The malicious site collects these combinations of username and password.
      • The user gives up logging in.
      • The malicious site now tries to log in to the real PayPal account, or worse, to some of the major well-known online banking sites.
      • If they are lucky, and the user is unlucky, one of those username and password combinations will work at the online banking site, and they can write themselves a check, or otherwise play havoc on the user's bank account.

    It is that easy to lift a username and password combination. So, Read More...
  • .NET 3.5 Roadshow Sample Code

    As some of you may know, several of us at IDesign (Juval, Brian and myself) are in the midst of a two-week .NET 3.5 Roadshow - six cities in two weeks where we collectively cover WCF, WF, WPF, CardSpace, federated and claims-based security concepts, and some key aspects of .NET 3.5 such as new C# 3.0 language features and ADO.NET 3.5 including LINQ and the Entity Framework. I'm personally covering WCF security, federated and claims-based security, C# 3.0 and ADO.NET 3.5. For those of you attending (or, not) here are links to the code samples I'm presenting: VS 2005 samples WCF Security Fundamentals - these samples come from the \Security directory from my book code Federated and Claims-Based Security in WCF - these samples come from the \Security\ClaimsBased directory from my book code CardSpace Samples Download VS 2008 Samples (UPDATED 10/11/07) This download includes all samples referenced above, in addition to .NET 3.5 samples for C# 3.0 and LINQ, and IDesign's declarative security model including a recent version of our ServiceModelEx library.

    Other relevant resources discussed: My WCF webcast series, CardSpace controls for ASP.NET, IDesign articles

    Any questions? Email me.

    -Michele

    Technorati Tags: CardSpace, WCF, LINQ, C# 3.0 Read More...
  • WSE: Another Compression Filters Update!

    It is great to see that someone has taken an interest in the WSE compression filters I’ve been working on. Rodolfo Finochietti has added several new features to the code base.

      • Compress attachments
      • More algorithms (Deflate, Zip)
      • Compression level (set through compression context)
      • Threshold. Compresses according to the minimum message size (body size plus all attachments size)
      • Several other improvements and code cleaning.

    This is really exciting news. Great work Rodolfo! You find a list of download links here, or you can download it directly from this link. Read More...

Copyright © 2007 Microsoft Corporation. All Rights Reserved.