Kavinda Munasinghe's Blog



Page 1 of 2 in the Microsoft category
 Saturday, June 28, 2008
Posted by Kavinda Munasinghe on Saturday, June 28, 2008 12:14:18 PM (Sri Lanka Standard Time, UTC+05:30)
Earlier this week the Microsoft IIS team released URLScan 3.0 (beta) to help fight SQL injection attacks at the web server; now Microsoft has put out another tool, this time in the form of a code analyzer. Microsoft Source Code Analyzer for SQL Injection should help you quickly analyze and secure existing ASP code.

Microsoft Source Code Analyzer for SQL Injection [Community Technology Preview (June 2008)]
A static code analysis tool for finding SQL injection vulnerabilities in classic ASP code.

Also, there is a tool from HP that lets you check your sites for this type of vulnerability.

Scrawlr (offered as-is; not a supported HP product)
Developed by the HP Web Security Research Group in coordination with the MSRC, it crawls a website while analyzing the parameters of each page for SQL injection vulnerabilities.
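To make concrete what a tool like the Source Code Analyzer is looking for, here is an added example (not from the original post or from Microsoft's tool) that reproduces the classic ASP pattern of splicing Request() input straight into SQL text, next to the parameterised form that fixes it. It uses Python and an in-memory SQLite table with constructed sample rows; the table and the payload are assumptions for the demo, not anything from the post.

```python
import sqlite3

# Constructed sample data standing in for the users table a classic ASP
# login page would query; not from the original post.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The pattern a static analyzer flags: untrusted input concatenated into
    the SQL text, the equivalent of classic ASP's
        "SELECT ... WHERE name='" & Request("name") & "'"
    Returns the number of rows the query matched."""
    sql = ("SELECT name FROM users WHERE name='" + name
           + "' AND password='" + password + "'")
    return len(conn.execute(sql).fetchall())


def login_safe(conn, name, password):
    """Hardened form: the input is bound as a parameter, so the database never
    parses it as SQL (what ADODB.Command with Parameters gives you in ASP)."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return len(conn.execute(sql, (name, password)).fetchall())


def demo():
    """Run both queries with a tautology payload in place of the credentials.
    Returns (rows matched by the vulnerable query, rows matched by the safe one)."""
    conn = make_db()
    payload = "' OR '1'='1"   # turns the WHERE clause into one that is always true
    return (login_vulnerable(conn, payload, payload),
            login_safe(conn, payload, payload))


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable query matched", vuln, "rows; parameterised query matched", safe)
```

The concatenated query ends up as `... WHERE name='' OR '1'='1' AND password='' OR '1'='1'`, which matches every row, so the "login" succeeds for anyone; the parameterised version treats the same string as a literal name and matches nothing.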




Categories: Internet | Microsoft



 Wednesday, June 25, 2008
Posted by Kavinda Munasinghe on Wednesday, June 25, 2008 11:39:26 AM (Sri Lanka Standard Time, UTC+05:30)
Those nasty SQL Injection attacks have not stopped. They’ve probably just started!

If you’re still in the process of going through your SQL code to make sure it isn’t susceptible to SQL injection, that means your websites are still wide open to the attack.

However, not to worry: the Microsoft IIS team has come to the rescue by announcing the shiny new Microsoft UrlScan Filter v3.0 Beta. It includes a Go-Live license, so you can deploy it on your production servers.

Here are some of the cool new features:

  • Support for query string scanning, including an option to scan an un-escaped version of the query string.
  • Change notification for configuration (no more restarts for most settings.)
  • UrlScan can be installed as a site filter.  Different sites can have their own copy, with their own configuration.
  • Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
  • Custom rules can be created to scan the URL, query string, a particular header, all headers or combination of these.  The rules can be applied based on the type of file requested.

One important thing to remember: although this will protect websites against this latest form of SQL injection attack, any poorly written code still needs to be fixed. No escaping that.



Categories: Microsoft | Scripting | Software



 Friday, January 18, 2008
Posted by Kavinda Munasinghe on Friday, January 18, 2008 11:07:46 AM (Sri Lanka Standard Time, UTC+05:30)

Since Merill has migrated to Australia, it looks like he won't be posting his usual "Add 200x Sri Lanka Holidays to Outlook" post this year. So this year I've compiled the list of holidays and copied the instructions on how to add them to Outlook. Hope this helps.

Holidays

– – – – – – – – –  Start Copy – – – – – – – – –

[Sri Lanka] 25
Tamil Thai Pongal Day (BPM),2008/1/15
Duruthu Full Moon Poya Day (BPM),2008/1/22
National Day (BPM),2008/2/4
Navam Full Moon Poya Day (BPM),2008/2/20
Mahasivarathri Day (BP),2008/3/6
Milad-Un-Nabi (Holy Prophet’s Birthday) (BPM),2008/3/20
Medin Full Moon Poya Day (BPM),2008/3/21
Good Friday (BP),2008/3/21
Day Prior to Sinhala & Tamil New Year Day (BPM),2008/4/12
Sinhala & Tamil New Year Day (BPM),2008/4/13
Bak Full Moon Poya Day (BPM),2008/4/19
May Day (BPM),2008/5/1
Vesak Full Moon Poya Day (BPM),2008/5/19
Day following Vesak Full Moon Poya Day (BPM),2008/5/20
Poson Full Moon Poya Day (BPM),2008/6/18
Esala Full Moon Poya Day (BPM),2008/7/17
Nikini Full Moon Poya Day (BPM),2008/8/16
Binara Full Moon Poya Day (BPM),2008/9/14
Id-Ul-Fitr (Ramazan Festival Day) (BP),2008/10/01
Vap Full Moon Poya Day (BPM),2008/10/14
Deepavali Festival Day (BP),2008/11/27
Il Full Moon Poya Day (BPM),2008/11/12
Id-Ul-Alha (Hadji Festival Day) (BP),2008/12/9
Unduvap Full Moon Poya Day (BPM),2008/12/12
Christmas Day (BPM),2008/12/25

– – – – – – End Copy – – – – – – –

Instructions

A) Backup the existing Holiday file
   1. Exit Outlook if it is running.
   2. Locate Outlook.hol file and create a backup of it.
 Outlook 2007: drive:\Program Files\Microsoft Office\Office12\1033\Outlook.hol
 Outlook 2003: drive:\Program Files\Microsoft Office\Office11\1033\Outlook.hol

B) Update the Outlook Holiday file
   1. Exit Outlook if it is running.
   2. Open the Outlook.hol file in a text editor, such as Notepad.
   3. If you're doing this for the first time, copy and paste the section above between "Start Copy" and "End Copy" to the end of the Outlook.hol file. If you already have a Sri Lanka holidays section, replace it with the list above.
   4. Save and close Outlook.hol.

C) To update the Outlook calendar
   1. Start Outlook.
   2. On the Tools menu, click Options.
   3. On the Preferences tab, under Calendar, click Calendar Options.
   4. In the Calendar Options dialog box, under Calendar options, click Add Holidays.
   5. Select the check box "Sri Lanka" and click OK.

Note: If a set of holidays or events observed has already been selected in the Add Holidays to Calendar dialog box and you try to add the same again, you see the message, "Holidays for country are already installed. Do you want to install them again?" Click No. If you click Yes, the holidays and events are installed a second time, and you will see duplicate holiday and event entries in your calendar.
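Since the list above is pasted by hand, it is easy to end up with a header count that no longer matches the number of entries or a mistyped date. Here is an added example (not part of the original post) of a small parser for the Outlook.hol layout shown above, a "[Country] count" header followed by "Name,yyyy/m/d" lines, that reports those two problems and returns each country's entries sorted by date. The sample text it parses is constructed for the demo and is not the real holiday list.

```python
from datetime import date

# Constructed sample in the Outlook.hol layout used in the post; the second
# section deliberately has a wrong count and a bad date.  Not a real list.
SAMPLE_HOL = """[Sri Lanka] 3
May Day (BPM),2008/5/1
Tamil Thai Pongal Day (BPM),2008/1/15
National Day (BPM),2008/2/4
[Elsewhere] 3
Festival,2008/3/1
Broken Entry,2008/13/1
"""


def parse_hol(text):
    """Parse .hol text.

    Returns (sections, problems): sections maps country -> [(name, date), ...]
    sorted by date; problems lists header/entry mismatches and unparsable dates."""
    sections, expected, problems = {}, {}, []
    country = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            head, _, count = line.rpartition("]")
            country = head[1:]
            sections[country] = []
            try:
                expected[country] = int(count)
            except ValueError:
                expected[country] = None
                problems.append("line %d: header has no entry count" % lineno)
            continue
        if country is None:
            problems.append("line %d: entry before any [Country] header" % lineno)
            continue
        name, _, ymd = line.rpartition(",")
        try:
            y, m, d = (int(p) for p in ymd.split("/"))
            sections[country].append((name, date(y, m, d)))
        except ValueError:
            problems.append("line %d: bad date %r" % (lineno, ymd))
    for c, entries in sections.items():
        if expected[c] is not None and expected[c] != len(entries):
            problems.append("[%s] header says %d entries, found %d"
                            % (c, expected[c], len(entries)))
        entries.sort(key=lambda e: e[1])
    return sections, problems


if __name__ == "__main__":
    sections, problems = parse_hol(SAMPLE_HOL)
    for c, entries in sections.items():
        print(c, [(n, d.isoformat()) for n, d in entries])
    print("problems:", problems)
```

Two holidays on the same date (as with Medin Poya and Good Friday in the list above) are legitimate, so the parser does not treat a repeated date as an error; only the count and the date syntax are checked.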
  
  
Links:
 Customize the Outlook calendar
 2006 Sri Lanka Holidays
 2007 Sri Lanka Holidays




Categories: Microsoft | Sri Lanka



 Wednesday, November 07, 2007
Posted by Kavinda Munasinghe on Wednesday, November 07, 2007 6:55:57 PM (Sri Lanka Standard Time, UTC+05:30)

Recently a friend of mine complained that he was unable to log in to his PC. Windows kept logging him out just after validating the user name and password.

In summary this is what happened (Windows XP Professional)
-Booted up the PC. The Windows login screen appears without any problem.
-Entered valid domain accounts/local accounts with and without administrative privileges
-Credentials got validated.
-Immediately after, Windows started logging out.

Booting up in "Last Known Good Configuration", "Safe Mode" and "Safe Mode with Command Prompt" or remotely connecting via "Remote Desktop" all had the same problem.

Since this PC was connected to a LAN, it was possible to connect remotely to its Event Viewer to see what could be happening, but unfortunately it didn't reveal any secrets. Connecting remotely to the registry of the affected PC was much more productive: after a little looking around I found an empty value for the Userinit entry. Adding it back solved the problem. While you are there, check that the value contains nothing besides userinit.exe: this entry is also a well-known place for malware to add an extra program that Winlogon will launch at every logon. If this happens on a PC that is not connected to a network, the missing "userinit.exe" entry can be restored with a .reg file like the following:

---
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
---

This is what was happening: when a user presses CTRL+ALT+DEL and enters a username and password, Winlogon's Graphical Identification and Authentication component (GINA) hands the credentials to an authentication package to verify them and establish a logon session. Winlogon then passes the job of setting up the user environment to the program(s) listed in its "Userinit" registry value. Usually that is "C:\WINDOWS\system32\userinit.exe," (note the trailing comma), which runs the logon scripts and starts the shell. With no program specified to do the setting up, nothing runs on the user's behalf, the session ends, and you immediately get logged out again.
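Reading the live registry needs Windows (the winreg module or a remote Regedit connection, as in the post), but the check itself is just string handling, so here is an added example (my own code, not from the original post) that classifies a Userinit value string as empty, correct, carrying extra programs, or pointing at the wrong binary, and produces the default value for the .reg fix above. The system root path is an assumption for the demo.

```python
import ntpath

EXPECTED_BASENAME = "userinit.exe"


def check_userinit(value):
    """Classify the comma-separated Winlogon "Userinit" value.

    Returns (status, entries) where status is one of:
      'empty' - nothing listed, so Winlogon has nothing to launch and the
                session ends right after the credentials are accepted
                (the symptom described in the post);
      'ok'    - exactly one program and it is userinit.exe;
      'extra' - userinit.exe followed by additional programs (worth a look:
                this is a known persistence spot for malware);
      'wrong' - the first program listed is not userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    entries = [e for e in entries if e]        # drop the empty slot after the trailing comma
    if not entries:
        return "empty", entries
    if ntpath.basename(entries[0]).lower() != EXPECTED_BASENAME:
        return "wrong", entries
    if len(entries) > 1:
        return "extra", entries
    return "ok", entries


def default_value(system_root=r"C:\Windows"):
    """The value to write back, including the trailing comma Windows uses.
    system_root is an assumed location; use the affected machine's own."""
    return ntpath.join(system_root, "system32", EXPECTED_BASENAME) + ","


def reg_file(system_root=r"C:\Windows"):
    """Render a .reg file equivalent to the one in the post (backslashes doubled)."""
    value = default_value(system_root).replace("\\", "\\\\")
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
            '"Userinit"="%s"\r\n' % value)


if __name__ == "__main__":
    for v in ["", r"C:\Windows\system32\userinit.exe,",
              r"C:\Windows\system32\userinit.exe,C:\Temp\extra.exe"]:
        print(repr(v), "->", check_userinit(v)[0])
    print(reg_file())
```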




Categories: Microsoft | Software | How To



 Wednesday, October 24, 2007
Posted by Kavinda Munasinghe on Wednesday, October 24, 2007 11:03:29 PM (Sri Lanka Standard Time, UTC+05:30)

Have you ever run command line programs that claimed to be "too big to fit in memory"? I have.

Recently, when I ran the command-line tool gacutil.exe (Global Assembly Cache Utility) to install a .NET assembly, I came across a message saying "Program too big to fit in memory". It was strange because the error came on a machine that had plenty of free RAM (~2GB) and disk space. Surely gacutil.exe doesn't need that much memory!

Microsoft KB article 316573 says this kind of error can occur with a Visual Studio .NET product installation file from the MSDN website if the installation file was corrupted during download or is incomplete.

A quick look at the file properties of the gacutil.exe I was trying to run showed that it was corrupt, so the problem was easily fixed. But the question remained why the error message said what it did. Shouldn't it have said the program may be corrupt?

A quick search on Google solved the mystery. The "Program too big to fit in memory" error comes up if either of the following is true:
1) The part of the program header that states the memory requirements indicates absurd values, or
2) The header contains no memory requirement at all, in which case the program must fit in a 64KB chunk of memory.

More details here http://blogs.msdn.com/oldnewthing/archive/2006/01/30/519388.aspx

We can easily check the second case by renaming a file (say, a text file) to .exe. If the file is larger than 64KB you'll see the "Program too big to fit in memory" error, and a "...is not a valid Win32 application" error if it is smaller.
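To make the two rules above tangible, here is an added example (not from the original post or the linked article) that models the loader's decision in Python: a file without an MZ signature is judged only by whether it fits in one 64KB segment, while a file with an MZ header has its size and allocation fields read from the header. The "absurd values" test (minimum allocation larger than the maximum, or a total requirement beyond a 640KB ceiling) is my simplification of rule 1, and the 640KB figure is an assumption standing in for whatever conventional memory the real loader has; the header bytes are constructed for the demo, not a real executable.

```python
import struct

SEGMENT = 64 * 1024
CONVENTIONAL = 640 * 1024   # assumed ceiling standing in for available DOS memory
MZ_MIN_HEADER = 28          # enough of the header to reach the fields read below


def mz_fields(data):
    """Return (e_cblp, e_cp, e_minalloc, e_maxalloc) from an MZ header:
    bytes in last 512-byte page, page count, min/max extra paragraphs."""
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    e_minalloc, e_maxalloc = struct.unpack_from("<HH", data, 10)
    return e_cblp, e_cp, e_minalloc, e_maxalloc


def classify_program(data):
    """Model the loader checks described in the post and return the message
    the user would see (or 'header ok')."""
    if len(data) < 2 or data[:2] not in (b"MZ", b"ZM"):
        # No header, so no memory requirement: the image must fit in one segment.
        if len(data) > SEGMENT:
            return "Program too big to fit in memory"
        return "not a valid Win32 application"
    if len(data) < MZ_MIN_HEADER:
        return "not a valid Win32 application"      # truncated header
    e_cblp, e_cp, e_minalloc, e_maxalloc = mz_fields(data)
    if e_cp == 0:
        return "Program too big to fit in memory"   # nonsensical page count
    image = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    needed = image + e_minalloc * 16                # a paragraph is 16 bytes
    if (e_maxalloc and e_minalloc > e_maxalloc) or needed > CONVENTIONAL:
        return "Program too big to fit in memory"   # absurd requirement
    return "header ok"


def make_mz(e_cblp, e_cp, e_minalloc, e_maxalloc):
    """Build a minimal 28-byte MZ header (constructed test input, not a real exe)."""
    return (b"MZ" + struct.pack("<HH", e_cblp, e_cp)
            + struct.pack("<HH", 0, 4)              # e_crlc, e_cparhdr
            + struct.pack("<HH", e_minalloc, e_maxalloc)
            + b"\0" * 14)


if __name__ == "__main__":
    print("text file > 64KB :", classify_program(b"x" * (SEGMENT + 1)))
    print("text file < 64KB :", classify_program(b"x" * 1000))
    print("sane header      :", classify_program(make_mz(0x90, 3, 0, 0xFFFF)))
    print("absurd min alloc :", classify_program(make_mz(0x90, 3, 0xFFFF, 0xFFFF)))
```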

 




Categories: Microsoft | Software



 Wednesday, July 18, 2007
Posted by Kavinda Munasinghe on Wednesday, July 18, 2007 8:26:37 PM (Sri Lanka Standard Time, UTC+05:30)

I was surprised that Microsoft Live Search had managed to gain market share from Google and Yahoo according to recent comScore ratings. It was attributed to the Live Search Club, a place where you play games, earn tickets and get prizes.

The games were set up with a search box at the bottom, so that when you were looking for information you could conveniently search within the same page. So during a game a player would do many searches on the internet. Also, once in a while it would do a search on its own and show the results (for example, when you’d solved something, it would do a related image search).

I guess this is an effective way to get people to use live search and get used to it. However, to me it only

How? ...

When I was trying out Dingbats and wanted to find an answer, I did a few searches on live.com and then thought of checking out what Google could tell me. Google quickly gave me a full answer sheet for the Dingbats games.

Maybe that’s why Google has lost some market share: you don’t need to do multiple searches to get what you’re looking for, Google will give it to you in one search! (or at least it's pretty close to that level of search quality)

Game Dingbats on Live Search Club

 




Categories: Google | Microsoft



 Monday, July 16, 2007
Posted by Kavinda Munasinghe on Monday, July 16, 2007 2:05:21 PM (Sri Lanka Standard Time, UTC+05:30)

Here is a little command that I came across when I was looking for a quick and easy way to delete some old log files from my system.

C:\>forfiles /?

FORFILES [/P pathname] [/M searchmask] [/S]
         [/C command] [/D [+ | -] {MM/dd/yyyy | dd}]

Description:
    Selects a file (or set of files) and executes a
    command on that file. This is helpful for batch jobs.

As the command description suggests, it's great for use in a .bat file, so I put the following line in a cleanLogs.bat file and scheduled a task to run the batch job every weekend to clean my system of old and unwanted logs. /d -60 selects files whose last-modified date is 60 or more days ago, and @path expands to the quoted full path of each selected file:

forfiles /p E:\Logs\ /s /m *.log /d -60 /c "cmd /c del @path"

forfiles.exe is a tool that existed in the old Resource Kits and has moved into the standard installation of newer Microsoft operating systems such as Windows Server 2003 and Windows Vista.
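On a machine without forfiles (or to test the selection rule before scheduling a delete), the same job is a few lines in Python. This added example (my own code, not from the original post) mirrors `forfiles /p E:\Logs\ /s /m *.log /d -60 /c "cmd /c del @path"`: a recursive walk, a wildcard mask, an age cutoff on the modification time, and a dry-run mode that only lists what would go. The demo() function builds a temporary stand-in for E:\Logs with constructed files, since the real directory is an assumption.

```python
import fnmatch
import os
import tempfile
import time


def prune_old_files(root, mask="*.log", older_than_days=60,
                    recurse=True, dry_run=True, now=None):
    """Select files under root matching mask whose mtime is at least
    older_than_days old; delete them unless dry_run.  Returns the selected paths.
    Mirrors: forfiles /p root /s /m mask /d -older_than_days /c "cmd /c del @path"."""
    cutoff = (time.time() if now is None else now) - older_than_days * 86400
    selected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in fnmatch.filter(filenames, mask):
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) <= cutoff:
                selected.append(path)
                if not dry_run:
                    os.remove(path)
        if not recurse:             # without /s, only the top directory counts
            break
    return selected


def demo():
    """Constructed stand-in for E:\\Logs in a temp dir: one 90-day-old log, one
    fresh log, and an old non-log file that the *.log mask must leave alone.
    Returns (basenames deleted, basenames remaining)."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "app-2007-04.log")
    fresh = os.path.join(root, "app-2007-07.log")
    other = os.path.join(root, "notes.txt")
    for p in (old, fresh, other):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(old, (ninety_days_ago, ninety_days_ago))
    os.utime(other, (ninety_days_ago, ninety_days_ago))
    would_delete = prune_old_files(root, "*.log", 60, dry_run=True)
    deleted = prune_old_files(root, "*.log", 60, dry_run=False)
    assert would_delete == deleted
    return (sorted(os.path.basename(p) for p in deleted), sorted(os.listdir(root)))


if __name__ == "__main__":
    print(demo())
```

Run it with dry_run=True first and read the list; a mask typed as `*` instead of `*.log` deletes everything older than the cutoff, and there is no undo on either forfiles or this.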




Categories: Microsoft | Scripting



 Thursday, May 31, 2007
Posted by Kavinda Munasinghe on Thursday, May 31, 2007 3:56:54 PM (Sri Lanka Standard Time, UTC+05:30)

A very exciting technology that Microsoft calls “Microsoft Surface” was unveiled at the All Things Digital conference by Microsoft Corp. CEO Steve Ballmer. It’s a “coffee table” that not only is a multi touch interface but it can also recognize what’s kept on it.

Microsoft Surface

Although multi-touch interfaces like the ones Jeff Han of Perceptive Pixel has been developing for years, or the iPhone interface, have been around for a while now, what sets “Microsoft Surface” apart is its unique ability to recognize objects such as cell phones, cameras or even a beer glass placed on top of it. Not only recognizing them, but knowing what to do with them!

If you thought the new Apple iPhone was cool, this is going to blow your mind! It may essentially revolutionize the way we interact with computers in the future.

The product is currently being targeted at restaurants, hotels, retail locations and casino resorts, so we won't be able to get our hands on one just yet. But eventually the prices will come down and we'll have one in every household. In Sri Lanka we’re still working on getting electricity to every home, so it may take a while.




Categories: Microsoft | Technology



 Saturday, February 17, 2007
Posted by Kavinda Munasinghe on Saturday, February 17, 2007 8:34:00 PM (Sri Lanka Standard Time, UTC+05:30)

Recently I had some time to look into the built-in HTTP compression abilities of IIS6. I was impressed to find that IIS6 is much more capable of handling compression than meets the eye. So don't be deceived by the two checkboxes the IIS management GUI shows for HTTP compression (screenshot below); they are nothing but a hint of what can be done.

There seemed to be too much incorrect/misleading information floating around on this subject, especially about things like needing "Web Service Extension" and about dynamic compression not working without enabling static compression and so on, so let’s try to clear things up a bit.

When a browser requests a web page, it needs to tell the server which compression schemes it understands and accepts (if any) via a header such as 'Accept-Encoding: gzip' (or 'Accept-Encoding: gzip,deflate' if it supports both gzip and deflate, and so on). If the browser does not tell IIS this, IIS will only send the raw files as they are. The same applies to any client application that requests content from a web server.

Now, assuming a request has been made from a client that supports compression, let's take a look at a simplified summary of what happens with IIS.

If the request is for dynamic content:
IIS compresses the response and sends the compressed response to the client if the following are true:
* 'Compress application files' is enabled [HcDoDynamicCompression="TRUE" at server level, or DoDynamicCompression="TRUE" at file/folder level]
* IIS is able to compress the requested file type using a compression scheme the client supports [the extension is listed in 'HcScriptFileExtensions' for that scheme]
It's also important to note that a copy of the compressed response is not cached, so the compression has to take place for every request, which costs CPU on the server.

If the request is for static content:
IIS will send a compressed response only if the following are true:
* 'Compress static files' is enabled [HcDoStaticCompression="TRUE" at server level, or DoStaticCompression="TRUE" at file/folder level]
* IIS is able to compress the requested file type using a compression scheme the client supports [the extension is listed in 'HcFileExtensions' for that scheme]
* A valid compressed version of the requested file is already available in the 'Temporary directory' [HcCompressionDirectory].
If a valid compressed version of the requested file is not available, IIS sends the uncompressed file to the client and then checks whether the compression scheme is set to compress static content on demand [HcDoOnDemandCompression="TRUE"]. If it is, IIS starts a background thread that compresses the requested file and stores the result in the 'Temporary directory' to serve future requests.

Now let's look at how we can configure all the stuff we talked about above. We can't do much with the GUI we have got with IIS6 for configuring compression.

Web Sites Properties-Service-HTTP Compression.gif
GUI for the IIS6 HTTP compression configuration
[Web sites -> Properties -> Service tab]

This means that we'll need to get into the configuration settings inside the Metabase.xml file located at "%windir%\system32\inetsrv\Metabase.xml" to get compression working properly.

There are a couple of ways to edit this file; we could use the adsutil.vbs, or directly open the file in a text editor and edit it. However, before directly editing this file while IIS is running, we have to make sure that we've enabled direct metabase edit.

As discussed earlier, the client must first let the server know which compression methods it is capable of handling; if the server also knows how to compress with a method the client understands, compression can happen. IIS by default supports both the gzip and deflate compression schemes.

The following nodes in the Metabase.xml file is where you can configure how each of these compression schemes work.

<IIsCompressionScheme Location ="/LM/W3SVC/Filters/Compression/deflate"
     HcCompressionDll="%windir%\system32\inetsrv\gzip.dll"
     HcCreateFlags="0"
     HcDoDynamicCompression="TRUE"
     HcDoOnDemandCompression="TRUE"
     HcDoStaticCompression="FALSE"
     HcDynamicCompressionLevel="0"
     HcFileExtensions="htm
            html
            txt"
     HcOnDemandCompLevel="10"
     HcPriority="1"
     HcScriptFileExtensions="asp
            dll
            exe"
    >
</IIsCompressionScheme>
<IIsCompressionScheme Location ="/LM/W3SVC/Filters/Compression/gzip"
     HcCompressionDll="%windir%\system32\inetsrv\gzip.dll"
     HcCreateFlags="1"
     HcDoDynamicCompression="TRUE"
     HcDoOnDemandCompression="TRUE"
     HcDoStaticCompression="TRUE"
     HcDynamicCompressionLevel="0"
     HcFileExtensions="htm
            html
            txt"
     HcOnDemandCompLevel="10"
     HcPriority="1"
     HcScriptFileExtensions="asp
            dll
            exe"
    >
</IIsCompressionScheme>

We need to tell each scheme which extensions it should compress. Static types go under 'HcFileExtensions' and dynamic types under 'HcScriptFileExtensions'. You'd probably want aspx and asmx under 'HcScriptFileExtensions' in addition to the defaults, and xml, css and (if you use ClickOnce) deploy under 'HcFileExtensions'. These need to be added for both the gzip and deflate schemes (or to only one of them, if you don't want a particular scheme to handle that extension).

If you'd rather use adsutil.vbs (found in %SystemDrive%\Inetpub\AdminScripts) to set these values, here is an example that sets the static file types for the gzip compression scheme to css, xml, htm and txt (note that set replaces the whole list, so include the existing types you want to keep):

cscript adsutil.vbs set /w3svc/filters/compression/gzip/HcFileExtensions "css" "xml" "htm" "txt"

to view the change:
cscript adsutil.vbs get /w3svc/filters/compression/gzip/HcFileExtensions

The level of compression for dynamic content (HcDynamicCompressionLevel) is set to 0 by default. This can be increased to a maximum of 10 depending on your available CPU resources. Generally setting it to 10 is a bad idea; in most cases it will have a negative impact on your throughput. This is something you need to test to find what works best for you. It's also worth noting that setting it to 0 does not mean no compression; it is just the lowest (and therefore fastest) compression level.

Now that we've got the two compression methods configured let's take a look at the 'IIsCompressionSchemes' node, this is what basically sets up the server-wide HTTP compression configuration settings.

<IIsCompressionSchemes Location ="/LM/W3SVC/Filters/Compression/Parameters"
    HcCacheControlHeader="max-age=86400"
    HcCompressionBufferSize="8192"
    HcCompressionDirectory="%windir%\IIS Temporary Compressed Files"
    HcDoDiskSpaceLimiting="FALSE"
    HcDoDynamicCompression="FALSE"
    HcDoOnDemandCompression="TRUE"
    HcDoStaticCompression="FALSE"
    HcExpiresHeader="Wed, 01 Jan 1997 12:00:00 GMT"
    HcFilesDeletedPerDiskFree="256"
    HcIoBufferSize="8192"
    HcMaxDiskSpaceUsage="100000000"
    HcMaxQueueLength="1000"
    HcMinFileSizeForComp="1"
    HcNoCompressionForHttp10="TRUE"
    HcNoCompressionForProxies="TRUE"
    HcNoCompressionForRange="FALSE"
    HcSendCacheHeaders="FALSE"
   >
</IIsCompressionSchemes>

If you'd like to enable compression server wide, we can change HcDoDynamicCompression="FALSE" to "TRUE" for dynamic content and HcDoStaticCompression="FALSE" to "TRUE" for static content. However, if we don't want to enable http compression server wide, we simply leave these as "FALSE" and add a property DoStaticCompression="TRUE" and/or DoDynamicCompression="TRUE" to the specific file or folder properties in the metabase where you'd like to enable compression.
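The flow described earlier (Accept-Encoding negotiation, the dynamic versus static split, the compressed-file cache and on-demand compression, and the HTTP/1.0 and proxy exclusions in the Parameters node) is easier to reason about as code. The following is an added example written for this post, not IIS code: a small Python model of that decision, driven by objects that mirror the metabase properties above. Two things in it are assumptions rather than documented behaviour: that a higher HcPriority is preferred when the client accepts several schemes (ties broken by the client's order), and that the "via proxy" condition is a simple flag rather than whatever header inspection IIS actually does. The demo() configuration copies the defaults shown above (deflate with static compression off, gzip with it on).

```python
from dataclasses import dataclass, field


@dataclass
class Scheme:
    """One IIsCompressionScheme node (gzip or deflate)."""
    name: str
    do_dynamic: bool              # HcDoDynamicCompression
    do_static: bool               # HcDoStaticCompression
    on_demand: bool               # HcDoOnDemandCompression
    priority: int                 # HcPriority (assumed here: higher wins)
    file_extensions: frozenset    # HcFileExtensions (static types)
    script_extensions: frozenset  # HcScriptFileExtensions (dynamic types)


@dataclass
class Server:
    """Effective settings: IIsCompressionSchemes parameters combined with any
    DoStaticCompression/DoDynamicCompression override on the requested path."""
    do_dynamic: bool
    do_static: bool
    no_compression_for_http10: bool = True    # HcNoCompressionForHttp10
    no_compression_for_proxies: bool = True   # HcNoCompressionForProxies
    cache: set = field(default_factory=set)   # (scheme, path) present in HcCompressionDirectory
    queued: list = field(default_factory=list)  # on-demand work for the background thread


def accepted_encodings(header):
    """Codings the client accepts from Accept-Encoding, in order, q=0 excluded."""
    result = []
    for item in (header or "").split(","):
        coding, _, params = item.strip().partition(";")
        if not coding:
            continue
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.lower() == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0
        if q > 0:
            result.append(coding.strip().lower())
    return result


def decide(server, schemes, path, accept_encoding, http_version="HTTP/1.1", via_proxy=False):
    """Return (what is sent, scheme used): 'compressed-dynamic', 'compressed-static'
    or 'raw'.  A 'raw' answer with a scheme name means the file was queued for
    on-demand compression so the next request can be served from the cache."""
    wanted = accepted_encodings(accept_encoding)
    if not wanted:
        return ("raw", None)                       # client never asked for compression
    if http_version == "HTTP/1.0" and server.no_compression_for_http10:
        return ("raw", None)
    if via_proxy and server.no_compression_for_proxies:
        return ("raw", None)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    candidates = sorted((s for s in schemes if s.name in wanted),
                        key=lambda s: (-s.priority, wanted.index(s.name)))
    for s in candidates:
        if server.do_dynamic and s.do_dynamic and ext in s.script_extensions:
            return ("compressed-dynamic", s.name)  # compressed per request, never cached
        if server.do_static and s.do_static and ext in s.file_extensions:
            if (s.name, path) in server.cache:
                return ("compressed-static", s.name)
            if s.on_demand:
                server.queued.append((s.name, path))
            return ("raw", s.name)
    return ("raw", None)


def demo():
    """Defaults from the post: deflate static=FALSE, gzip static=TRUE, both dynamic=TRUE,
    compression enabled server-wide, cache empty at the start."""
    static = frozenset({"htm", "html", "txt"})
    dynamic = frozenset({"asp", "dll", "exe", "aspx"})
    schemes = [Scheme("deflate", True, False, True, 1, static, dynamic),
               Scheme("gzip", True, True, True, 1, static, dynamic)]
    server = Server(do_dynamic=True, do_static=True)
    results = [
        decide(server, schemes, "/default.aspx", "gzip,deflate"),
        decide(server, schemes, "/readme.txt", "deflate"),      # deflate won't do static
        decide(server, schemes, "/readme.txt", "gzip"),         # not cached yet: raw, queued
    ]
    server.cache.add(("gzip", "/readme.txt"))                   # background thread finished
    results += [
        decide(server, schemes, "/readme.txt", "gzip"),
        decide(server, schemes, "/readme.txt", "gzip", http_version="HTTP/1.0"),
        decide(server, schemes, "/logo.gif", "gzip"),           # extension not configured
    ]
    return results, list(server.queued)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

One caveat that postdates this post: compressing dynamic responses that mix a secret (a session or anti-CSRF token) with attacker-influenced input is what the BREACH attack on HTTP compression (2013) exploits, so dynamic compression on authenticated pages deserves a second look today.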

For example, if we want to enable HTTP compression on a virtual directory called "CompressMe" under the "Default Web Site", we'd simply locate the following node in the Metabase.xml file:

<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CompressMe"
  AccessFlags="AccessRead"
  DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
  Path="C:\Inetpub\CompressMe"
 >

and add the property DoStaticCompression="TRUE" as follows:

<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CompressMe"
  AccessFlags="AccessRead"
  DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
  DoStaticCompression="TRUE"
  Path="C:\Inetpub\CompressMe"
 >

If a node does not exist for the folder you're trying to configure, you could simply add a node manually, or make IIS add it for you using a small trick. What we do is change a property for the required file/folder and then undo the change. For example for a folder we could just enable "Directory browsing" and then disable it again. Restart IIS and it would have created a node for you in the Metabase.xml file.

Well, that should get compression working, but as you can see there are lots of other configuration parameters you can tune to get the best out of your server.

A lot of the above has changed with IIS7. Static compression is even enabled by default!

Happy compressing!




Categories: Microsoft | Software



 Friday, January 26, 2007
Posted by Kavinda Munasinghe on Friday, January 26, 2007 9:23:34 PM (Sri Lanka Standard Time, UTC+05:30)

If you have a ClickOnce application that is deployed in several environments, for example a staging environment and a production environment, you will have come across the fact that you can't simply install the application on a client PC from both environments, even though you install from different URLs.

This can be overcome by signing the manifest files of each environment with a different certificate and by using a different name, so that you get a separate menu item for each environment. You'd have a "production.pfx" and a "staging.pfx" to sign the manifests of the production and staging environments respectively. With this you can have side-by-side installations of the ClickOnce application for each of your environments.

If you build your applications from Visual Studio itself, then changing the signing certificate file and the name is one of the things you'd have to do before each build. But what if you've got an automated build environment; how do you do it then?

One way is to use the Manifest Generation and Editing tool (Mage.exe) from the command line to deploy the ClickOnce applications manually. If NAnt is what you use, Neil's blog post on ClickOnce deployment using NAnt should get you started.

If you're using CruiseControl.NET for your builds, you can do all of this from the MsBuild task and pass the necessary changes for each environment in as buildArgs. In this case we need to change the ManifestKeyFile and the ManifestCertificateThumbprint (the certificate thumbprint; in Visual Studio you can see it by clicking the "More Details" button on the "Signing" tab of your project's "Properties" page).

Example of a CCNet MsBuild Task block where we change these values:

<!--Staging-->

<msbuild>
<executable>C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe</executable>
<workingDirectory>C:\MyClickOnce\</workingDirectory>
<projectFile>MyClickOnce.csproj</projectFile>
<buildArgs>/p:Configuration=Release
/p:InstallUrl=https://www.staging.url/
/p:PublisherName="Staging App"
/p:ManifestKeyFile="Staging.pfx"
/p:ManifestCertificateThumbprint="9DAAADE32307C99743FC74A475D6008370C65642"
</buildArgs>
<targets>Build;Publish</targets>
<timeout>15</timeout>
</msbuild>



Then you'd have another MsBuild task block to create the Production application.

I hope this helps someone, or points to some direction of a way of achieving a side-by-side ClickOnce installations of multiple environments.




Categories: Microsoft | Software | Technology






Copyright © 2008 Kavinda Munasinghe. All rights reserved.