Ever run into a situation where you are an administrator on a machine, but your account is not an administrator in SQL server? Read below for my situation and the solution I found to fix it!

The project I’m on currently has a shared virtual machine that is given to new developers when they come onto the project. It’s done this way because of some legacy software SDKs that are installed that only work on Windows XP, as well as some legacy VB6 code that requires the IDE to compile properly. I’m not complaining about this, but the virtual machine was created with Microsoft VirtualPC and I happen to be working on a Mac. Rather than booting my bootcamp VM, and starting the VM inside there (tedious and slow), I opted to migrate the VPC image to a VMWare Fusion image.

The transition was not easy, and required several steps that were not intuitive, but I finally got there and the VM is responsive and performs fairly well now. But I ran into a problem – the VM relied on share Windows authentication that mapped my Bootcamp user with a user in the VM called ‘dev’. Dev had administrative rights to the SQL Server, but during the transition the account disappeared and I lost all rights to do anything in the database other than connect!

I found a script that will map a given user to a given SQL server instance with the sysadmin rights. This saved me a ton of time and got me up and working again. The script does require administrative rights to the machine, so it should not be a security concern. All in all, I’m very happy to have regained access to my 2008 SQL Express instance so SSMS can enable intellisense on this rather complex database!

First Computer Memories – When I Got Started…

Remember when you sat down in front of your first personal computer? I vaguely remember sitting there as a pissed off eight year old in 1991, starring at a DOS prompt. I was trying to play a 16-bit race car game and it kept complaining about HIMEM being unavailable.

That’s how it all started for me – I wanted to be Mario Andretti, and be damned if that big cold metal box was going to get in my way. No one else in the house could figure out what was wrong, so my grandfather handed me the user manual for the IBM 386/DX Personal Computer and told me to figure it out. After all, Wheel of Fortune was on and it was much higher priority than these “computers” were ever going to be. That was the day I learned that RTFMing is probably the best way to go when problems happen. I’ve been RTFMing ever since.

Teaching An Old Dog

Nineteen years later – about a month ago – I gave my father his first computer to help him run a convenience store he recently bought (his first business). Nineteen years after sitting at my first computer in 1991, he’s in the same situation of not knowing a damn thing about computers other than he has to use them to stay in business. But he’s got a much harder learning curve to deal with, and I’m sadly unprepared to help him through that journey.

I take the last 19 years for granted. Computer jargon is almost it’s own language now. What IS a link? What IS a URL? What IS a tab? More importantly, how MUCH knowledge is required to be effective when using a computer?

What is a Link? How Do I Plug In a Galvanized Chain Link?

ME: A link is a URL…
DAD: URL? Ugly Rearrangement of Letters?
ME: …yes, that tells the browser…
DAD: I hate trousers! I prefer blue jeans.
ME:  …the BROWSER…how to request content…
DAD: Like those slow people at the Luby’s line? Why would I want those in my computer?
ME: …oh boy. Let’s start over. It’s like an index card in the card catalog at the library.
DAD: Well if the internet just tells me to go to the library, what the hell good is it?

Who The Hell Is Windows Defender? Is He Hitting On My Girlfriend?!

DAD: Why does this guy named Windows Defender keep telling me to run a scan? The only scan I have to run is with my shotgun when the dogs bark at night!
ME: Please, don’t point your shotgun at the computer! Windows Defender is a great guy once you get to know him. He’s the Trojan Man’s second cousin – he helps keep the good times rolling and the viruses at bay!

How Do You Make a Computer Stutter? Ask It To Define Itself!

So the question my father asked that I can’t answer:

“How do I learn how to use a computer without spending 19 years and giving up what’s left of my social life?”

The knock on my social life aside, what are the best resources to give new computer users, and what is the best way to teach them? Do we order him some of those DVD’s I see on late night TV? A Computers for Dummy’s book? What’s considered a “good enough” level of knowledge for beginners? Give him an abacus and pray? Any help would be appreciated!

One of the first tips in The Pragmatic Programmer: From Journeyman to Master is about broken windows. The theory is that if you leave a broken window in a house, you’re less inclined to fix anything else and eventually the house is abandoned or otherwise abused. This of course relates originally to software development – leaving a bug in the system you know about will cause you to value the software less and will lead to other bugs that are left unfixed.

This principle however applies to anything in life that must be maintained vigilantly. I’m afraid I’ve fallen into this trap with my blog recently. I stopped posting daily and then I stopped posting weekly and now I’m barely posting at all. I can’t believe I let myself do this! I’ve been busy, but 5 minutes a day to post something isn’t a huge sacrifice and it pays for itself.

I’ve been working on a lot of PHP code lately (Zend, Dwoo, etc) that I’ll be blogging about soon. I’ve also been working on some .NET related stuff (CC.NET, NCover) that I’d like to post about as well. I’m having very interesting results now that I’ve put Windows XP x64 on my desktop. Sometimes the software – NCover – is getting confused trying to run in 64 bit mode and profiling a 32 bit application.

Finally, the most time consuming event I’ve been working on was the Collegiate Cyber Defense Competition (CCDC). It happened this past weekend and Texas A&M won the region and will be headed to nationals. I ended up being red team for this competition and I had a blast. I dusted off some skills I haven’t used in quite a while and put a bit of a polish on them again. However, I realize just how badly I’ve let that skillset diminish and I’m vowing to myself to bring them back.

My wife has also been having a rough time with the new baby that is on the way so I’ve been helping out with our daughter Kaylyn more. We’ll both be glad when the new baby arrives and we can turn this pregnancy leaf over for quite a while. So that’s my life in a nutshell right now. What’s going on in your neck of the woods?

The other day in Part I of this series I said I was going to write up some more articles about automating code review tools in your build process. Today I spent some time looking over CAT.NET and figuring out how it fits into my build process. CAT.NET is a static code analysis tools that analyzes data flow through a .NET library or executable and tries to identify common security problems such as cross site scripting (XSS) and SQL Injection (SQLi) vulnerabilities. My process is not perfect but it does the job well enough. Remember, you should always augment automated tools with a human review to catch things automation cannot.

CAT.NET Installation

The first thing to do is download the CAT.NET MSI installer. Then either unpack it or do what I did and install it, copy the files from C:\Program Files\Microsoft\CAT.NET to your project directory, and uninstall. I like to keep all tools contained within the svn repositories for a project so they can be utilized on any development computer without having to set it up first.

One funny thing with CAT.NET (CISG take note) is that it has to live in a specific path within the project repository. When it was put in {root.dir}\tools\CAT.NET it failed to find the config files, default rules files, etc. It was looking for them at Microsoft\CAT.NET so I broke with my standards (laziness really) and moved it to {root.dir}\Microsoft\CAT.NET. The tool is much happier there and still available in the build file.

Basics of The Project

The demo project is a website that takes in a cat’s name, tail length, and color and then repeats them back to the page (“You have entered: <name>, <tail length>, <color>”). When the user fills in the textboxes and clicks submit, the page creates a CatContext object, fills it with the values taken from the page, and passes it to a CatEngine object. The CatEngine.GetMyCat() method returns the values and they are put in ASP Labels on the page – lblName.Text = cEngine.GetMyCat().Name, etc etc. The CatEngine and CatContext classes are defined in the ClassLibrary1 project (original eh?) and the website code (Default.aspx) is in the WebApplication1 project.

The important thing to note with this project is that the CatEngine does not do any cleaning or validation on the input or output. This is a clear cut example of a Cross Site Scripting vulnerability (and possibly a SQLi vulnerability if the input were eventually put in a database). Both of these situations are caught with CAT.NET, so it is a good tool to have in your build process.

Project Repository Layout

The following is the layout of the project repository (in the root.dir):

• ClassLibrary1\
  • bin\
  • CatContext.cs – A value object for holding information about a cat (name, tail length, and color)
  • CatEngine.cs – The “business object” that takes in a CatContext object and has a method – CatContext GetMyCat() that returns the object
  • ClassLibrary1.csproj
• Microsoft\CAT.NET\
  • Config\
  • Rules\
  • CatNetCmd.exe
  • Other CAT.NET files (from the download) *
• tools\
  • nant\
    • nant.exe
    • Other nant files
• WebApplication1\
  • Default.aspx – The page with the XSS vulnerability in it
  • Default.aspx.cs – The code behind for the page
  • web.config
  • WebApplication1.csproj
• build.bat – Easy way to run nant – (Tools\nant\NAnt.exe -buildfile:default.build %* -nologo)
• default.build – The build file for the solution
• Solution1.sln

The Build File

The build file is a typical NAnt build file with the following properties and targets

• Properties
  • build.dir – Directory to put the output from the csc task (C# Source Compiler)
  • dist.dir – Directory to put all file that are necessary for a deployment of the application to a webserver (also where the local IIS is configured to look when manually testing the site)
  • artifacts.dir – Directory to hold reports generated from NUnit, CAT.NET, FxCop, and other tools that generate XML and HTML reports
• Targets
  • init – Creates the build.dir and dist.dir
  • clean – Deletes build.dir, dist.dir, and artifacts.dir for a clean environment
  • compile.catengine – Compiles the ClassLibrary1 project into ${build.dir}\ClassLibrary1.dll
  • compile.web – Compiles the website code behind files into ${build.dir}\WebApplication1.dll
    • This target depends on compile.catengine
  • build – Runs all the necessary targets to build the libraries and put them in the build directory
    • Depends on clean, init, compile.catengine, compile.web (in that order)
  • dist – Depends on ‘build’ and copies the libraries and the website pages (Default.aspx) to the ${dist.dir} for deployment
    • Depends on ‘catnet’
  • catnet – Runs the CAT.NET code analysis tool on the libraries and checks for errors. If any are found the build if failed and the distribution package never completes.

The ‘catnet’ Target

This is the bread and butter of the CAT.NET automation. You can get a sense of the command line options we use by running CatNetCmd.exe /?. Here is the code:

<target name=”catnet” description=”Runs the CAT.NET static code analysis tool on a set of libraries”>
<exec program=”Microsoft\CAT.NET\CatNetCmd.exe” workingdir=”.” output=”catnetout.log”>
<arg value=”/file:${build.dir}\ClassLibrary1.dll” />
<arg value=”/file:${build.dir}\WebApplication1.dll” />
<arg value=”/report:${artifacts.dir}\CatNetReport.xml” />
<arg value=”/reportxsloutput:${artifacts.dir}\CatNetReport.html” />
</exec>

<!– Check for errors since the command doesn’t throw error codes –>
<loadfile file=”catnetout.log” property=”catnetout” />
<fail if=”${string::contains(catnetout, ‘ERROR’)}” message=”There was an error running CAT.NET Static Analysis” />
<!– Clean up if we didn’t error out –>
<delete file=”catnetout.log” />

<xmlpeek file=”${artifacts.dir}\CatNetReport.xml”
property=”hasErrors”
xpath=”//Rule[TotalResults>0]/Results/Result/ProblemDescription” />

<fail if=”${string::get-length(hasErrors) &gt; 0}” message=”CAT.NET found at least one problem: ${hasErrors}” />
</target>

This target runs the CAT.NET tool over the libraries produced from the ‘build’ target. It uses the default rule set and outputs the reports to ${artifacts.dir}\CatNetReport.xml and CatNetReport.html. Because the CAT.NET command line tool does not return an error code (CISG again), the build file sends the output to catnet.log file, read it in, and check for the word ‘ERROR’. If that is found, the build is failed because something went wrong with the command itself.

If the command completes successfully it cleans up the standard output file (delete catnet.log) and then performs an XMLPeek on the CatNetReport.xml file. The xmlpeek xpath looks for a <TotalResults>#</TotalResults> where # is greater than zero. Unfortunately the xmlpeek command only pulls the first record it comes across that matches the xpath, but that is enough to know that the build needs to be failed. If even one error is reported from this utility, the build should stop anyway and a manual check of the report shoud be performed. The CI process should include some way of notifying developers of errors like this but for this is an example those targets were not included.

Analyzing the Output

When the build is run (‘build dist’), the output of the catnet target looks like the following:

catnet:

[exec] Application Assurance
[exec] Static Analysis Tool
[exec] 1.0.3272.32340
[exec]
[exec] 12/31/2008 4:13:38 PM:Info : Starting analysis [2 modules]
[exec] 12/31/2008 4:13:38 PM:Info : Analyzing module ClassLibrary1…
[exec] 12/31/2008 4:13:38 PM:Info : Analyzing module WebApplication1…
[exec] 12/31/2008 4:13:39 PM:Info : 2 Cross-Site Scripting issues found.
[exec] 12/31/2008 4:13:39 PM:Info : Analysis completed.
[delete] Deleting file C:\Dev\CatNetExample\catnetout.log.
[xmlpeek] Peeking at ‘C:\Dev\CatNetExample\reports\CatNetReport.xml’ with XPath expression ‘//Rule[TotalResults>0]/Results/Result/ProblemDescription’.
[xmlpeek] Found ’2′ nodes with the XPath expression ‘//Rule[TotalResults>0]/Results/Result/ProblemDescription’.

BUILD FAILED

C:\Dev\CatNetExample\default.build(70,4):
CAT.NET found at least one problem: A cross-site scripting vulnerability was found through a user controlled variable that enters the application at Default.aspx.cs:27 through the variable stack0 which eventually leads to a cross-site scripting issue at Default.aspx.cs:29.

Total time: 3.1 seconds.

The tool finds an XSS defect and fails the build. There are a few more errors found, but it stops on the first occurance of an error. CAT.NET can be customized to find all kinds of coding problems and it is recommended to customize the configuration for your specific needs. Once it is configured don’t forget to include it in the build process!

Conclusion

CAT.NET is a great tool and it should only get better over time. I sleep better at night knowing that I am catching common security errors, my junior developers (if I had any) learn from their mistakes using automation, and I can cut down the time I spend doing manual code reviews. The next article will look at the use of FxCop to help your project adhere to coding standards. I use the default Microsoft standard set because I’m insane, but you can also customize this tool to your liking.

The Connected Information Security Group blog at Microsoft recently published a couple of articles (part 1, part 2) about a tool recently released called CAT.NET. This is a static code analysis tool which reads a compiled programs code and looks for security problems such as null pointers, null references, and other problems specific to interpreted languages.

I’ve started to put this tool, as well as FxCop, into my build process. The biggest headache in the CAT.NET automation process is defining the sources and sinks necessary for the tool to be effective. Some of this can be autogenerated using XML comments in the code, and as I explore this more I’ll give some details here.

Over the next week I’m going to be publishing a series of articles detailing how to automate these tools to make your code more secure and best practices compliant. It will also help reduce your manual code review process (you do have a code review process in place, don’t you?) because these tools are designed to catch the most common errors that take up a lot of time during a human review.

A few days ago I wrote about some of the software I use for personal password management. Today I’d like to write about a movement that could very well replace the need for all those passwords. I’m talking about identity federation using OpenID. Identity federation simply means that a user can log into one site, and use that login as their identification for other websites.

Other sites then trust the one site for authentication, and then they have their own mechanisms for authorization. I use SignOn.com as my identity provider. The way this happens is as follows:

1. Sign up for an account at SignOn.com and provider a custom username, which then turns into a URL (for example: http://myusername.signon.com)
2. Head over to a website that support OpenID and put in the URL you were assigned as the OpenID username
3. The website will use the last part of the URL (signon.com) to identify the identity provider
4. It will then redirect your browser to the site so you can either sign on, or be given the okay to continue back to the requesting site
5. Once you come back to the site, it validates your ID and adds an account using the URL as the username
6. You continue to use the website without having to authenticate to them with a password

There are several benefits to this kind of authentication management. One benefit is that you are only trusting one site with a password to your account. If you make this password very secure and trust their service to be secure you are minimizing the chances that your password will be compromised as you put it into many websites. The second fringe benefit is, of course, that you aren’t entering that password all over the web.

Community Support

OpenID has been gaining traction for several years and may become one of the major ways we authenticate to the web in the future. There are OpenID plugins for WordPress (OpenID Plugin), Joomla (OpenID Plugin), and many many more. Nearly all the open source projects I use that have a plugin framework have a plugin that support OpenID federation for user management.

Programmatic Support

As a programmer, I’ve also taken a few shots at implementing identity federation. Some of the standards used in OpenID can be confusing, but once you have a thorough understanding of them, it becomes easy to implement. An understanding of Single Sign On (SSO) helps, and visiting OpenID.net’s Developer Resources area will complete the process.

As a web technology person, I sign up for a lot of online accounts. Everything from personal photo sites to online banking, security wikis to open source projects. Recently I decided my password security was not the best because I only had about 8 standard passwords I would use across all my website accounts. I based the complexity of my passwords on the danger to myself if the site were compromised. A wiki compromised in my name wouldn’t be so bad so I’d use a medium security password. My online banking, however, would be pretty bad if compromised and has a very secure password.

I decided to mix things up a bit and started looking for a way to make all my passwords complex and find an easy and secure way to keep track of them all. A collegue of mine recommended KeePass and it’s just what the doctor ordered. I keep my KeePass installation on a thumb drive that is encrypted with TrueCrypt and use a very secure password (> 50 characters) for both systems. KeePass allows me to group my accounts into categories so I can easily identify the accounts for which I’m looking. It also allows me to generate random secure passwords for new accounts when signing up for things.

While it is somewhat a hassle to learn these new passwords over time, it is much more secure that I am not using the same password across multiple sites. And if all else fails, I can open KeePass up from my thumb drive and unhide the password temporarily to remind me what it is.

I recommend this for everyone as it’s much more secure that the typical sticky note under the keyboard trick, or allowing your browser to store your passwords (I still do this for the less security sensitive sites, but not for online banking). Best of all, it would take a really long time to crack the encryption set on my thumb drive (and then the second level of security with KeePass itself). If I ever lose my thumb drive or it gets stolen, I will have ample time to reset all my passwords. I of course keep a backup copy of my KeePass database, but I’m not telling you where!

Best of all, both KeePass and TrueCrypt are open source projects, so anyone can download and look through the source code. In general, this makes them both more secure because more people can find and fix flaws in the design. They also both use the latest in encryption technology to ensure that your information is as secure as possible.