I've created a Windows Forms control, which is hosted in a web page viewable with Internet Explorer.
My control reads from a COM port and it writes to the event log. Both of these operations by default fail when the framework requests proper permissions. This web application will always be running in the intranet zone, how do I enable...
There are a few questions about configuring Apache for local development, such as this one, but I didn't see anything about IIS. Suggestions for locking down IIS without crippling its functionality?
In response to a comment, I'm looking to do ASP.NET development using the IIS server that comes with Windows XP Pro SP3 (IIS 5 or 6, I bel...
Is there any way to restrict users with administrative privileges from managing specific Windows service based applications? I would like to restrict administrators from stopping or re-starting my service very similar to the Windows event log service. What are some of the more popular approaches or recommended approaches to securing serv...
What's the secret to getting ClaimsResponse working with DotNetOpenId?
For example, in this bit of code (from Scott Hanselman's blog) the ClaimsResponse object should have lots of nice little things like 'nickname' and 'email address', but the ClaimsResponse object itself is 'null':
OpenIdRelyingParty openid = new OpenIdRelyingParty()...
What are other ASP.NET security best practices?
Those identified so far are listed here:
Always generate new encryption keys and admin passwords whenever you are moving an application to production.
Never store passwords directly or in encrypted form. Always store one-way hashed passwords.
Always store connection strings in tag of Web.c...
Hello,
I have a program that is running a basic RMISecurityManager in all its threads. But I would like to have more control over several threads and set another SecurityManager specifically for these threads.
How can I do that? ...if this is possible!?
Thank you in advance.
Edit : I have found my solution. See here for more details.
...
I need to display external resources loaded via cross domain requests and make sure to only display "safe" content.
Could use Prototype's String#stripScripts to remove script blocks. But handlers such as onclick or onerror are still there.
Is there any library which can at least
strip script blocks,
kill DOM handlers,
remove black l...
Our team is using a SecureRandom to generate a list of key pairs (the SecureRandom is passed to a KeyPairGenerator). We cannot agree on which of the following two options to use:
Create a new instance every time we need to generate a key pair
Initialize a static instance and use it for all key pairs
Which approach is generally bette...
I'm curious, is there a way to tell the SQL Server that a specific group has access to the database only from a single location/application. I have an SQL Server and a Web Server. Our applications use stored procedures and access for each stored procedure is based on the role that is allowed to access it. Then user groups are assigned...
Aside from executing XP_CmdShell, which I have disabled in my SQL 2005 installation, what could a malicious user who gains DBO rights to my database do:
to my database,
to my server?
I'm assessing the worst-case security risk of someone obtaining DBO to justify running a "least-privileged" user account in an application. Some allege ...
I have a .NET application distributed through ClickOnce. Security within the application is implemented through the WindowsPrincipal.IsInRole(GroupName) method using a set of groups as resources. This structure works well for us for users within the same domain as the groups. Unfortunately we now have users that need to use the applicati...
I am wondering if it is possible to use Code Access Security, and a custom permission class (and attribute), without having to register the assembly that the attribute is in, in the GAC.
At the moment, I get a TypeLoadException when the method with my attribute is called, and I can't seem to get around it. Everything I've read seems to ...
In PHP 5.2 there was a nice security function added called "input_filter", so instead of saying:
$name = $_GET['name'];
you can now say:
$name = filter_input (INPUT_GET, 'name', FILTER_SANITIZE_STRING);
and it automatically sanitizes your string, there is also:
FILTER_SANITIZE_ENCODED
FILTER_SANITIZE_NUMBER_INT
FILTER_SANITIZE_EM...
Hi all,
In Linux, if I have a file I'm sharing with a group, and I put the file on a USB memory stick, for example, and copy it to a computer that doesn't have the same group or users, does the file have no permissions for anyone on that new computer? What if I bring a Linux file that only lets user X read it to a Windows machine? ...
Are there some help resources, or can anyone give me a brief idea how I would configure the .NET 2 runtime security policies for the following scenario:
I have a Windows Forms control hosted in IE. The control tries to read from a serial port and write to the event log. Both of these operations fail due to security restrictions in the...
Joomla has a built-in function on its login screen "I've forgotten my user name", so that you can type in your email address and the username is sent to you via email.
I was thinking of changing it so that the username was displayed on screen immediately, without any form of authentication. This would greatly reduce the friction for our...
Hello everybody,
I am thinking hard about how to play with access rights on several platforms. Now I am reaching Microsoft Windows and permissions on NTFS files/directories.
I must say that I am working in C language. My question is pretty general. I have a username and a file path.
Do I need more information to check if the user has ...
I have a bunch of objects in my application (Organisations, Individuals, Orders, etc.) and I need a nice clean way to decide which users can and can't view/edit these objects. Users have a range of permissions such as 'Can edit own contacts' and 'Can view team's contacts' and can also be members of groups such as 'Account Manager' so vario...
I want to know if I'm missing something.
Here's how I would do it:
For SPFolder I would change the associated item's permissions (SPFolder.Item).
So I suppose managing SPFolder permissions boils down to managing SPListItem permissions.
For SPListItem I would first break role inheritance with SPListItem.BreakRoleInheritance() and then wor...
I am tasked with developing a web application and am thinking of using the Struts framework as it seems to be a standard and is easy to implement.
However, before making a decision I need to know the security features available in Struts.
Are there effective ways to handle the OWASP Top 10 using Struts?
And if so, how would I accompl...