Attack Surface Analyzer
My team here at Microsoft Security Engineering Center just released our latest tool for the SDL, Attack Surface Analyzer. Dave has already blogged about the tool: https://blogs.msdn.com/b/sdl/archive/2011/01/17/announcing-attack-surface-analyzer.aspx.
In the next few weeks, the team and I will be blogging a little more about what the tool does and how its functionality can be extended.
Attack Surface Analyzer x86 and x64 Download Link
Our original download link for the tool only had the x64 MSI. We have since fixed it with a new download link. However, most search engines still have the original link as the top result. If you need the x86 version of the tool, please use this go link: https://go.microsoft.com/?linkid=9758398.
Automated Runs on Start Up
Note: this is for a non-domain-joined computer.
This is the scenario I want. Once Windows boots up, it logs on to a specific account automatically and then runs a program automatically. Once that finishes, the operating system shuts down.
The first step is to run "control userpasswords2" on XP or "netplwiz" on Vista. Do this via Start -> Run or the Windows+R key combination. This app lets you set up automatic logon for a specific user: with the top checkbox checked, select the user, then uncheck that checkbox. Now enter the password and click OK. From then on, when the computer boots up, it will always automatically log on to the selected user.
To run a program on logon, there are actually a couple of options. The easiest one is to add a shortcut or batch file to the Startup folder inside the Start menu. You can see the full list of autostart locations by running the Autoruns program from Sysinternals at https://technet.microsoft.com/en-us/sysinternals/default.aspx.
To shut down the OS once the designated program is done running, we want a batch file inside the Startup folder. That batch file starts the designated program and then shuts down the OS. We can perform the shutdown portion by running the shutdown command. For a full list of options, simply run "shutdown /?" on the command line.
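The batch-file step written as a PowerShell script, as an added example that is not from the post: it runs the program, stops it if it hangs, logs the outcome and then shuts down even when the program fails to start. The program and log paths are hypothetical; a Startup-folder shortcut pointing at powershell.exe -File with this script's path stands in for the batch file.

```powershell
# Added example (not from the post). Runs one program after the automatic logon,
# stops it if it hangs, records the outcome, and then shuts the machine down.
# Both paths below are hypothetical placeholders.
$Program        = 'C:\Tools\nightly-job.exe'
$LogFile        = 'C:\Tools\startup-run.log'
$TimeoutSeconds = 3600

function Write-RunLog([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format o), $Message)
}

try {
    Write-RunLog "starting $Program"
    $proc = Start-Process -FilePath $Program -PassThru -ErrorAction Stop
    $null = $proc.Handle   # cache the handle so ExitCode is populated after the process exits

    if ($proc.WaitForExit($TimeoutSeconds * 1000)) {
        Write-RunLog "exited with code $($proc.ExitCode)"
    }
    else {
        # Without this, a hung program would leave the machine running forever.
        Write-RunLog "no exit after $TimeoutSeconds s, stopping PID $($proc.Id)"
        Stop-Process -Id $proc.Id -Force
    }
}
catch {
    # A missing or non-launchable program must still end in a shutdown.
    Write-RunLog "failed to run $Program - $($_.Exception.Message)"
}
finally {
    # /s = shut down, /t 0 = no delay; run "shutdown /?" for the other options.
    shutdown.exe /s /t 0
}
```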
Best Codeplex Project Ever?
Have you ever wanted an open source library that implements hello world? Neither have I, but someone went ahead and did it anyway: https://simplehelloworld.codeplex.com/. Note that one of the reviews came from the author himself.
Best Tech Ad of 2009?
Possibly the best tech ad I've ever seen: https://www.everythingusb.com/intel-usb-rock-star-16620.html. Good job, Intel!
Bouncing Circle with HTML5 Canvas
This should work in IE9 and Chrome. However, if you use IE9, make sure you set the browser and document mode to IE9 standards. This code could use some refactoring, but I wrote it in a few hours without any prior JavaScript or HTML5 experience:
test.html:
    <!DOCTYPE html>
    <html>
    <head>
        <style type="text/css">
            canvas { border: 1px solid black; }
        </style>
    </head>
    <body>
        <script type="text/javascript" src="test.js"></script>
        <button onclick="StartCircle()">startit!</button><br />
    </body>
    </html>
test.js:
    var circle;
    var path;
    var canvas;
    var context;
    var keepgoing = true;
    var maxwidth;
    var maxheight;
    var radius = 50;
    var interval;

    // Creates the canvas on first use, picks a random size and start position,
    // and starts the animation timer (restarting it if one is already running).
    function StartCircle() {
        if (canvas == null) {
            canvas = document.createElement('canvas');
            document.getElementsByTagName('body')[0].appendChild(canvas);
        }
        maxwidth = Math.floor(Math.random() * 700 + 100);
        maxheight = Math.floor(Math.random() * 700 + 100);
        canvas.setAttribute("width", maxwidth);
        canvas.setAttribute("height", maxheight);
        context = canvas.getContext('2d');
        // Start fully inside the canvas so the exact border checks in BorderSwitch can hit.
        var startwidth = Math.floor(Math.random() * (maxwidth - radius * 2)) + radius;
        var startheight = Math.floor(Math.random() * (maxheight - radius * 2)) + radius;
        path = new Path(startwidth, startheight);
        circle = new Circle(startwidth, startheight, radius);
        if (interval != null)
            clearInterval(interval);
        interval = setInterval(Draw, 1);
    }

    // Reports whether the circle's edge is touching a vertical or horizontal border.
    function BorderSwitch(x, y) {
        var flipx = false;
        var flipy = false;
        if ((x + radius) == maxwidth || (x - radius) == 0)
            flipx = true;
        if ((y + radius) == maxheight || (y - radius) == 0)
            flipy = true;
        return new Flip(flipx, flipy);
    }

    function Flip(flipx, flipy) {
        this.flipx = flipx;
        this.flipy = flipy;
    }

    // Tracks the centre position and moves it one pixel per step,
    // reversing direction on whichever axis touched a border.
    function Path(x, y) {
        this.x = x;
        this.y = y;
        var deltax = Math.floor(Math.random() * 2) == 0 ? -1 : 1;
        var deltay = Math.floor(Math.random() * 2) == 0 ? -1 : 1;
        this.GetNext = function () {
            var directionswitch = BorderSwitch(this.x, this.y);
            if (directionswitch.flipx == true)
                deltax *= -1;
            if (directionswitch.flipy == true)
                deltay *= -1;
            this.x += deltax;
            this.y += deltay;
        };
    }

    function Circle(x, y, radius) {
        this.x = x;
        this.y = y;
        this.radius = radius;
    }

    // Timer callback: advance the path, clear the canvas and redraw the circle.
    function Draw() {
        path.GetNext();
        circle.x = path.x;
        circle.y = path.y;
        context.clearRect(0, 0, maxwidth, maxheight);
        context.strokeStyle = "#000000";
        context.fillStyle = "#FFFF00";
        context.beginPath();
        context.arc(circle.x, circle.y, circle.radius, 0, Math.PI * 2, true);
        context.closePath();
        context.stroke();
        context.fill();
    }
Building Both VS2008 and VS2010 on the Same TFS 2008 Server Using MSBuild
My team recently upgraded some of our Visual Studio solutions to be 2010 based in order to take advantage of some of the new features in the IDE. However, we quickly found out that the upgrade broke our build system. In order to build both VS2010 projects and VS2008 projects on one machine, you want a side-by-side build system. Here are the brief instructions I used to get the whole thing working.
1. On your TFS 2008 build agent/controller/server (the one running tfsbuildservice.exe as the service "Visual Studio Team Foundation Build"), install Visual Studio 2010 and the latest .NET 4.0.
2. Inside C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies, create a copy of tfsbuildservice.exe and its config file (tfsbuildservice2.exe and its matching .config below).
3. In the new config file, change the ports to 9193 and 9194 and add an MSBuildPath entry pointing at the MSBuild 4.0 binary under windows\microsoft.net\framework\v4xxx\:
<add key="MSBuildPath" value="c:\windows\microsoft.net\Framework\v4.0.21006\" />
4. Reserve the port for the account that will run the new service, in most cases Network Service:
wcfhttpconfig.exe reserve "NT AUTHORITY\NETWORK SERVICE" 9193
5. Run the following to create the service:
sc create "Visual Studio Team Foundation Build VS2010" binpath= "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\tfsbuildservice2.exe"
6. Change the startup type to Automatic and the logon account to NETWORK SERVICE.
7. Start the service manually the first time.
8. In the Windows firewall (or whatever firewall you use), create a rule that allows tfsbuildservice2.exe on port 9193.
9. Create a new build agent that points to the build server but uses port 9193 instead of the default 9191.
10. Now try to build a VS2010 solution using the new build agent.
If you get errors during the build, try the following. Back up and then make these changes to the C:\Program Files\MSBuild\Microsoft\VisualStudio\TeamBuild\*.targets file:
1. Not getting the Reason property -> delete the Reason node in the XML.
2. Roll back the WorkspaceName to the TFS Build 2008 version:
After VS 2010 installation:
$(COMPUTERNAME)_$(BuildDefinitionId)_$(BuildAgentId)
TFS Build 2008:
$(COMPUTERNAME)_$(BuildDefinitionId)
Changing Executable Dll Characteristics Flags: DynamicBase, NX, AppContainer
Inside the PE header of every executable there is a field called DLL Characteristics, a set of flags that tell Windows a little more about the application. You can view all the flags with dumpbin.exe /headers <targetbinary>. This applies to more than just .exe files; .ocx, .dll and so on have it too. Sometimes you might want to change a DLL characteristic. To do that, just run link.exe /edit /dynamicbase:NO <targetbinary>.
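As an added example that is not from the post, a PowerShell function that reads the same DllCharacteristics field straight out of the optional header, so a whole folder can be audited for binaries missing DynamicBase or NX without dumpbin (link.exe /edit changes the flag; this only reads it). The function name and the folder path in the usage line are my own.

```powershell
# Added example (not from the post): decode IMAGE_DLLCHARACTERISTICS_* from a PE file.
function Get-DllCharacteristics {
    param([Parameter(Mandatory)][string]$Path)

    # Flag values as defined in the PE/COFF specification.
    $flags = [ordered]@{
        0x0020 = 'HIGH_ENTROPY_VA'; 0x0040 = 'DYNAMIC_BASE';  0x0080 = 'FORCE_INTEGRITY'
        0x0100 = 'NX_COMPAT';       0x0200 = 'NO_ISOLATION';  0x0400 = 'NO_SEH'
        0x0800 = 'NO_BIND';         0x1000 = 'APPCONTAINER';  0x2000 = 'WDM_DRIVER'
        0x4000 = 'GUARD_CF';        0x8000 = 'TERMINAL_SERVER_AWARE'
    }

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path does not start with an MZ header"
    }
    # e_lfanew at offset 0x3C points to the 'PE\0\0' signature (0x00004550 little-endian).
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 96 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature at offset $peOffset"
    }
    # The 20-byte COFF header follows the 4-byte signature, then the optional header.
    $optHeader = $peOffset + 4 + 20
    $magic = [BitConverter]::ToUInt16($bytes, $optHeader)
    if ($magic -ne 0x10B -and $magic -ne 0x20B) {
        throw ("Unknown optional header magic 0x{0:X}" -f $magic)
    }
    # DllCharacteristics is at offset 70 in both PE32 (0x10B) and PE32+ (0x20B).
    $value = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    [PSCustomObject]@{
        Path         = $Path
        Is64Bit      = ($magic -eq 0x20B)
        Value        = ('0x{0:X4}' -f $value)
        Flags        = @($flags.GetEnumerator() |
                         Where-Object { ($value -band $_.Key) -ne 0 } |
                         ForEach-Object { $_.Value })
        DynamicBase  = (($value -band 0x0040) -ne 0)
        NxCompat     = (($value -band 0x0100) -ne 0)
        AppContainer = (($value -band 0x1000) -ne 0)
    }
}

# Usage: list every binary under a (placeholder) folder that opts out of ASLR or DEP.
Get-ChildItem -Path 'C:\Program Files\Example' -Include *.exe,*.dll,*.ocx -Recurse |
    ForEach-Object { Get-DllCharacteristics -Path $_.FullName } |
    Where-Object { -not $_.DynamicBase -or -not $_.NxCompat } |
    Format-Table Path, Is64Bit, DynamicBase, NxCompat, AppContainer
```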
Delete Remote Files Via WMI and Powershell
Ever wanted to delete a file on a remote computer without using the net use/shared folder stuff? Well, with PowerShell, or more accurately, with WMI, you can:
PS C:\Program Files\Microsoft\> $a = Get-WMIObject -query "Select * From CIM_DataFile Where Name ='C:\\test.txt'" -computer "meng-test1"
PS C:\Program Files\Microsoft\> $a.Delete()
What the first line says is: get me all CIM_DataFile instances whose name is C:\test.txt on the computer named meng-test1. That returns a CIM_DataFile object, which has a method called Delete that does exactly what the name suggests.
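The same query wrapped with the checks a practitioner would want, as an added example that is not from the post: WQL escaping of backslashes and quotes in the path, a null check for a file that does not exist (the one-liner above would then fail on $a.Delete()), optional alternate credentials, and a test of the Delete() return value. The function name is mine; the operation still needs administrative rights on the remote host.

```powershell
# Added example (not from the post): remote file deletion over WMI with error handling.
function Remove-RemoteFile {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Path,   # local path on the remote host, e.g. 'C:\test.txt'
        [System.Management.Automation.PSCredential]$Credential
    )

    # WQL string literals treat backslash as an escape character, so every '\' is doubled
    # and an embedded single quote becomes \' instead of terminating the literal.
    $wqlPath = ($Path -replace '\\', '\\') -replace "'", "\'"
    $query = "SELECT * FROM CIM_DataFile WHERE Name = '$wqlPath'"

    $params = @{ Query = $query; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }

    $file = Get-WmiObject @params
    if (-not $file) {
        # No instance means no such file; Delete() on $null would throw instead.
        Write-Warning "No file named $Path on $ComputerName"
        return $false
    }

    # Delete() returns an object whose ReturnValue is 0 on success.
    $result = $file.Delete()
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Delete of $Path on $ComputerName failed, WMI return value $($result.ReturnValue)"
        return $false
    }
    return $true
}

# Usage (placeholder host and path):
# Remove-RemoteFile -ComputerName 'meng-test1' -Path 'C:\test.txt' -Credential (Get-Credential)
```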
Enable Missing Kernel Debugging Transport in Visual Studio 2012
By default, when you install Visual Studio 2012, you won't have Kernel Debugging in the list of transports as described in https://msdn.microsoft.com/en-us/library/windows/hardware/hh439359%28v=vs.85%29.aspx and in https://msdn.microsoft.com/en-us/library/windows/hardware/jj149675.aspx. To fix this, install the WDK.
Error 80040200 When Regsvr Registering Com/Activex Controls
Sometimes when I try to register a com control, I get the following error dialog.
[Window Title]
RegSvr32
[Content]
The module ".\crash.ocx" was loaded but the call to DllRegisterServer failed with error code 0x80040201.
For more information about this problem, search online using the error code as a search term.
[OK]
On Vista/Win 7 boxes, a normal command prompt runs without admin privileges. Registering a COM control requires admin rights because it writes an entry to the system-wide registry. This error message is basically reporting that the current user lacks those rights. To fix it, simply start an admin command prompt and regsvr32 the control binary again.
!exploitable Extension for WinDBG
Continuing the trend of giving plugs to my coworkers' software: two months ago, a couple of my coworkers took what was an in-house security project to the open source world. Since then, the tool has been getting pretty good comments and reviews due to the positive impact it can have on the security ecosystem. It is called !exploitable and it's available here: https://www.codeplex.com/msecdbg. Like !analyze, this tool works within the Microsoft debugger WinDBG. It basically analyzes a crash file and tells you whether that crash is potentially exploitable.
Exploiting Online Games
At RSA last week, there was an interesting panel on hacking games (woot!): https://news.cnet.com/8301-10797_3-10226485-235.html
Back in the days of playing Asheron's Call in high school, bots and certain hacks existed to bypass the rules the designers tried to put in place. These were normally written by professional programmers with some spare time at night. However, a billion dollars a year now changes hands in online gaming communities. With this kind of money, I can see some really efficient medium-sized corporations springing up to do what amateur game hackers used to do in the 90s. I do know about the small shops (normally 1-10 people) that made Glider bot and contracted Chinese players. But what I imagine coming soon is 100+ employee companies with a WoW division, an EverQuest division, an EVE Online division, and so on. I can see a whole new industry behind this.
What differentiates online games from normal client/server applications is the ratio of attack surface to the size of the game. A game developed by a 30-person team can have as much attack surface as an application pair like Exchange/Outlook, which I imagine has thousands of people behind it. Attack surface is basically any place where input is accepted. For example, if in the game a virtual vendor, or NPC, can accept items and give players money back, that interaction is an attack surface. What would happen if you gave the vendor 2^32-1 sticks?
Fascinating Talks That Everyone Could Benefit From
About a year or two ago, I discovered PBS' Frontline online. You can check it out at www.pbs.org/frontline. But more importantly, around the same time, I found TED talks. The best video I've seen on TED is probably the one by Hans Rosling on global health and economy at https://www.ted.com/index.php/talks/hans_rosling_shows_the_best_stats_you_ve_ever_seen.html. Check it out.
File ACL Vulnerability 101
The most basic scenario when it comes to file ACL attacks is the lie-in-wait attack. In Windows, each file has a security descriptor that lists which users are allowed or denied access to it and what kind of access, such as read, write, or modify. Most files in Windows have read access granted to all users. However, certain folders by default do not grant write access to all users; the Program Files folder and the Windows folder are the main examples. This is done so that a regular user does not have the access to modify installed applications or the Windows binaries.
Imagine a scenario at a university lab. As the lab admin, you want to grant students the ability to run Matlab, but you do not want them to modify the Matlab executable into some malicious trojan for the next user of the computer. So you grant read access and deny write access to the Matlab folder for students. A file ACL vulnerability arises if that admin forgets to deny write access to the Matlab folder. Student A could then overwrite matlab.exe with a keylogger of the same name. Now, when student B logs on, or even better, when the lab admin logs on and attempts to run Matlab, there is a keylogger running on the lab computer. The clever attackers start the keylogger and then start the real Matlab, so none of this is ever noticed.
File ACL Vulnerability Part 2
In this post, I will attempt to explain and expand on what I talked about in my previous post on File ACL Vulnerability.
ACL - Access Control List
What I previously described applied to Windows, but the concept and similar attacks apply to any operating system that allows more than one user to log on and off. There is a pretty descriptive article on Linux file ACLs on UNC's website at https://www.cs.unc.edu/cgi-bin/howto?howto=linux-file-acls. Or check out the generic MSDN Windows ACL article at https://msdn.microsoft.com/en-us/library/ms229742.aspx.
Expanding on the scenario from my previous File ACL post, the problem extends to more than just executables with "bad" ACLs. At CanSecWest 2008, Sun Bing discussed a vulnerability in VMware where the configuration file had a bad ACL. Coincidentally, the configuration file also contained the location of one of the service executables. A regular user could modify this configuration file and gain admin privileges when the admin ran VMware. The exact details of the attack escape me at the moment, but the problem was fixed prior to Bing's talk.
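An added example that is not from either post, covering both the Matlab folder scenario of the previous post and the configuration-file case above: a PowerShell function that lists the ACEs on a path granting write, modify or ownership rights to principals every interactive user belongs to, which is the check the lab admin would run after setting permissions. The principal list and the folder path in the usage line are assumptions.

```powershell
# Added example (not from the posts): find broad-principal write access on a file or folder.
function Get-WeakWriteAcl {
    param([Parameter(Mandatory)][string]$Path)

    # Groups that any logged-on user is a member of. Write rights for them let one user
    # replace what the next user runs (or edit a config file another account trusts).
    $broadPrincipals = @('Everyone', 'BUILTIN\Users',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::WriteAttributes -bor
                       $fsr::WriteExtendedAttributes -bor $fsr::Delete -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # Inherit-only ACEs may carry generic rights instead of specific ones.
    $genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries are reported; a matching Deny ACE would take precedence.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -eq 0 -and ($rights -band $genericMask) -eq 0) { continue }

        [PSCustomObject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (placeholder path): check the application folder and everything below it.
$root = 'C:\Program Files\Matlab'
@(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse) |
    ForEach-Object { Get-WeakWriteAcl -Path $_.FullName } |
    Format-Table Path, Principal, Rights, Inherited -AutoSize
```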
Finally Fast the Scam?
This commercial rocked my world: https://www.youtube.com/watch?v=atd8dowrbNI&feature=player_embedded
So apparently these malware detection programs have finally begun to advertise on TV in addition to their traditional annoying <$!!@$$>! pop-up ad campaigns. Anyway, everything this program does can be done by another program that is free. Just search for "Finally Fast scam" in Google or Live. The blog posts in the results contain hundreds of free alternatives.
NOTE: I did not go into the security concerns related to this product because #1 it's too much typing and #2 it should be pretty obvious from that ad.
First Post/Introduction
I am a 20-something software engineer working within the security group here at Microsoft. Things I work on include the Threat Modeling Tool, attack surface analysis, COM, ActiveX, binary analysis, and some fuzzing thrown in there. I will post articles regarding security, Microsoft, and most importantly, myself.
Google "Office" Taking Over Microsoft Office
Nothing could stop Google from taking over Microsoft Office except these 5 items:
1. The sheer amount of work involved. Microsoft Office has been in development for well over a decade now. Even just cloning it would take a huge amount of labor and financial investment. And then, on top of that, making it actually better than what Microsoft has would take even more time, planning, strategizing, and investment. Google is big, but they have bought so many companies and have so many projects going that I question whether they would have the manpower for such an investment.
2. Infrastructure is stopping Google. Animations, eye candy, processing power... all of those are subpar when you are talking about the Internet. Yes, you have Flash, which looks good, but downloading the SWF files embedded in the pages can be quite slow, and it would get even slower if lots of people started using it (unless Google made some more monstrous server farms, and that would be another huge economic investment). Some things are simply resource intensive enough that they are just better done on the desktop. (And yes, word processing seems simple, but when you start packing in lots and lots of features, animations, etc., you generate a large memory and resource footprint.)
3. Security is stopping Google. Corporations are not going to start editing their sensitive files over the Internet. They aren't going to transmit that data all over the web, and they aren't going to store it on Google's servers. They just won't, regardless of whether encryption is used. It will be viewed as too big a risk. Although leaving it on your desktop is only marginally safer :)
4. Entrenchment is stopping Google. Microsoft Office is entrenched. I'm not just talking about users being comfortable and used to it (and therefore not wanting to change), I'm talking about being entrenched corporately. Most corporations have built innumerable applications that integrate and work with Office, and you can't just rip out one suite and replace it with another without causing the majority of enterprise processes and applications to break. Very few corporations are going to be willing to switch unless Google somehow comes up with some undeniable, overwhelming reason that they must use the Google product. And I can't think of any scenario that would fit that bill (this very issue, by the way, is why OpenOffice is not, and probably never will be, adopted at the corporate level).
5. Lack of financial gain is therefore stopping Google. Unless Google can think of ways to overcome all of these issues, they are not going to recoup their investment (and make no mistake, developing an Internet Office application that is better than MS Office is an incredibly large investment). There are many other areas less dominated by competitors where the pickings are easier and the return on investment is higher. They may make simple spreadsheet apps that drive a few private users to their site (and generate some advertising dollars from the extra traffic), but truly trying to take dominance from Microsoft in the Office arena simply isn't going to be in their game plan. It just isn't worth it.
My 2 cents.
Installing .Net 3.5.1 on Windows 2008 R2
Sometimes when you try to install .NET 3.5 on Windows 2008 R2, you get this error message:
You must use the Role Management Tool to install or configure Microsoft .NET Framework 3.5 SP1.
To get around this, right-click Computer and select Manage. Select the Features node and add a new feature. The first one on the list should be .NET Framework 3.5.1 Features. Install that and voila.