security

How do you support a web app with hashed or encrypted passwords?

When supporting a new web app in an enterprise environment, it is often necessary to log in as a specific user in order to diagnose a real or perceived problem they are having. Two opposing issues apply here: Best practice is to use hashed or encrypted passwords, not clear text. Sometimes, there is a third-party SSO (single sign-on) in...

What is the best way to store a user name and password for a Windows Service?

What is the best way to store a user name and password for a Windows Service? The service has to be able to access an MS SQL Server database on a remote machine. We have to support MS SQL Server authentication (mixed mode) instead of NT Authentication. ...

SQL Express 2005, Secure Database File

Hi, I have built an application that uses SQL Express 2005 and I want to deploy it, but the problem is that anyone who has SQL Management Studio (or something like that) installed on his computer can connect to my database and change it. Is there any way to prevent end-users from seeing or editing the content of my database, even those w...

Remote posting from one application to another application. Security issue?

Is there any security issue if, let's say, in one application we do a hidden post to another application to make use of that application's functionality? ...

What is the best and/or most comprehensive book on .NET security for developers?

What is the best and/or most comprehensive book on .NET security for developers? ...

Do you support standard users on Windows XP?

Update: Since the development machine has moved to Vista, I now automatically test as a standard user. And with XP being phased out, this question isn't so relevant anymore. Since the Windows 2000 logo requirements, Microsoft has been requiring that applications run as standard user. Like everyone else I always ran my desktop as an administra...

Web.config editing for Membership Role Authorization

I want to use Role based security through the authorization section in the web.config file. Using Membership, my application will allow for new Roles to be created, and thus the pages they can access need to be set dynamically. Can I programmatically alter this section in the web.config to manage this? If so, how? ...

FileNotFoundException with the SPSite constructor. What's the problem?

I try to instantiate an instance of SPSite on the farm server in a custom software (MyApp.exe) and I give as parameter the whole website (http://mysite:80/). I also made sure that the account running MyApp.exe is Site Collection Administrator. However, I can't make an instance of SPSite whatever I try to do. It always gives back "Fi...

TLS handshake event in Tomcat, is there something like that?

Hi, I'm running an application (web service) in Tomcat with TLS enabled (with certificates for both the client and the server). I want my application to be able to send an audit message (logging) when the TLS handshake fails. For example, I want to log when: the client certificate is expired, the client certificate is unknown (not in th...

How can I find out what a macro does without exposing myself to it?

I have been given two different Microsoft Word documents that my virus scanner has warned me contain macros. These should be simple text files, and the person who sent them doesn't even know what a macro is; they may be a mistake on his part, but they might be signs of a malicious infection. My installation of OpenOffice.org is set not t...

SQL 2005 sql login ip restriction

Is there a way to restrict a specific SQL 2005 login on a Microsoft SQL Server 2005, Standard version (SQL is in mixed mode) to specific IP addresses, while other logins, Windows authenticated ones, are unaffected? ...
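One way to do what this question asks, as an added example that is not part of the original post or any answer to it: a server-level logon trigger (available from SQL Server 2005 SP2) that rejects one SQL login unless the connection comes from an allowed client host, and leaves every other login alone. The login name `app_login` and the addresses in the allow-list are assumptions for illustration.

```sql
-- Added example, not from the original page. Assumes a SQL login named
-- app_login and that only the two listed client addresses may use it.
-- Requires SQL Server 2005 SP2 or later (logon triggers).
CREATE TRIGGER trg_restrict_app_login_ip
ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    -- Only the one SQL login is inspected; Windows-authenticated logins
    -- and every other SQL login fall through and connect normally.
    IF ORIGINAL_LOGIN() = N'app_login'
    BEGIN
        DECLARE @client_host nvarchar(128);

        -- EVENTDATA() carries the connecting client's address for the
        -- logon event; '<local machine>' is what shared-memory/local
        -- connections report.
        SET @client_host = EVENTDATA().value(
            '(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)');

        IF @client_host IS NULL
           OR @client_host NOT IN (N'10.0.0.5', N'10.0.0.6')   -- assumed allow-list
        BEGIN
            -- ROLLBACK inside a logon trigger aborts the connection
            -- attempt; the failure is recorded in the SQL Server error log.
            ROLLBACK;
        END
    END
END;
GO

-- To disable the trigger again (e.g. while adjusting the allow-list):
-- DISABLE TRIGGER trg_restrict_app_login_ip ON ALL SERVER;
```

Caveat a practitioner should know before deploying this: a bug in a logon trigger can lock everyone out, including sysadmins, so test it with a throwaway login first and keep the Dedicated Administrator Connection (`sqlcmd -A`) available, since logon triggers do not fire on the DAC and it can be used to disable a faulty trigger.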

SetSecurityDescriptorSddlForm(string sddlForm)

Hi! I don't find any useful website on this API. What's the format of the string? The content? Thanks ...

Using SSLv3 in IIS 6.0

I recently got a notification from a McAfee service (what used to be called HackerSafe) that my website is using SSLv2 and it should be using SSLv3. I don't know anything about the versions of SSL. My site is using IIS 6.0, is there a setting somewhere to turn on SSLv3 or do I need to install something to make this happen? Also, is there...

Password Management Best Practices (soup to nuts, not just storage or generation)

We have a site with personal user information. I need to know best-practices for password management. These are average users - should I impose 'hard' passwords? Is there any disadvantage to using the user's email address as a userid? How should I handle forgotten password requests? Obviously, I can't email them to the user. How should...

How to limit the number of users that can access a SharePoint site collection?

We're implementing a hosted Windows SharePoint Services 3.0 system and I need to limit the number of users that a customer can give access to a site collection. A customer should be able to manage his entire site collection. He should just not be able to delete the site collection itself or add more than a given number of users to the si...

User Interface Privilege Isolation in XP SP3

Hi All, just after a bit of confirmation really: does XP SP3 implement the User Interface Privilege Isolation (UIPI) mechanism found in Vista? Back story for human interest :) I've recently been handed the C++ source to a fairly large application. Sadly the sole developer of this application, since its inception back in the mid-90s, ...

How do I securely reference ASP classic include files outside of web root?

I'd like to be able to place all my ASP Classic include files outside of the web root. This assures no include files can be called directly via the URL. What is the best way to accomplish this? I know I can use a virtual directory to reference an includes folder outside of web root, but doesn't that still allow direct access to that d...

.NET Forms Authentication: How to limit access to resources like pdf files to authenticated users only

I am using .NET 2.0 and IIS 6. When using .NET Forms Authentication, how do I limit access to resources like PDF files to authenticated users only, so that in order to access a file, say mysite.com/mydoc.pdf, they would have to be authenticated first (go through the login page)? It seems that by default only the .aspx pages are protected. E.g. to...

Excel VBA Project - Password Removal

How can I programmatically remove a (known) password from an Excel VBA project? To be clear; I want to remove the password from the VBA Project, not the workbook or any worksheets. ...

Intercepting requests in the ASP.NET MVC Framework...

Is it possible to intercept requests in the ASP.NET MVC Framework (beta 1) in order to interact and inspect them? I need to attach some logging and in some cases dynamically work out if the URL needs authorizing (like applying the Authorize attribute - but at run-time). ...