I have written a Windows service that spawns a separate process. This process creates a COM object. If the service runs under the 'Local System' account everything works fine, but if the service runs under the 'Network Service' account, the external process starts up but it fails to create the COM object. The error returned from the COM ...
I would like to get a user's group memberships in an ActiveDirectory, without being in the domain. When I run this inside the domain, all is well.
var context = new PrincipalContext(ContextType.Domain);
var principal = UserPrincipal.FindByIdentity(context, IdentityType.Name, "administrator");
foreach (var authorizationGroup in principa...
I work as the departmental programmer for the Education department in a county Health System. I'm looking for some input on an online presentation that has been (re)tasked to me.
Outside of the key points in company policy, what are the top five topics you would include in a short, internal, company presentation on E-Mail/Internet safet...
What are your must-have defence methods against common web attacks like XSS, SQL injection, denial of service, etc.?
Edit: I collected your responses under descriptions from Wikipedia, and I added some extra questions to have a complete reference.
SQL Injection
SQL injection is a code injection technique that exploits a security
...
I have a generic proof of concept WCF service that is using forms authentication to secure access. All works great when my client is .NET (vb code below)
Dim client As SupplierServiceClient = New SupplierServiceClient()
client.ClientCredentials.UserName.UserName = "[email protected]"
client.ClientCredentials.UserName.Password = "password"...
Sorry if the question is confused, as I'm confused myself. I'm working around these requirements:
I'm building a public website where I need to display video.
I need to control what the player looks like
I'm the sole publisher of the video, meaning it can't be on YouTube for example
I need as much protection as possible in terms of pro...
Hey Everyone,
Are there any good examples out there of how the following webservice would work?
I would like a windows/web client to be able to access a webservice, but the client should pass a username, password, and ip address and the webservice should be able to determine if it is on the list of allowed users or not before taking the...
Our SSO login process uses Forms Authentication against a custom user store in SQL Server.
One of our new security requirements is to only allow an account to have one active session at a time. So any time a user logs in, we will check to see if the login credentials are already active, and preferably prevent the new user from logging i...
I'm somewhat lost as to why Spring isn't enforcing the @Secured("ROLE_USER") on my service interface. My controllers are established using annotations.
An example of my service Interface
public interface MyServiceManager {
@Secured("ROLE_USER")
public void delete(int cid);
@RolesAllowed({"ROLE_USER"})
public Contact...
In asp.net I am implementing an IHttpModule to mitigate CSRF attacks. It injects into the response html a hidden form parameter with the asp.net SessionID on GETs. On POSTs it then checks to make sure that hidden parameter's value matches the current SessionID. As far as I know, the only way to get the SessionID value is from the cook...
I've got a console program written in C# which runs under user foo. The program creates a file. In some situations a web application running under the IUSR needs to be able to delete the files created by the console app.
I'd like to grant DELETE (or anything equivalent) to IUSR when the file is created. How can I do that in C# ?
I've f...
I am a web developer who is very conscious of security, and I try to make my web applications as secure as possible.
However, I have started writing my own Windows applications in C#, and when it comes to testing the security of my C# application, I am really only a novice.
Just wondering if anyone has any good tutorials/readme's on how to ...
I have a control that I'm writing where I want to turn off .NET's inbuilt request validation that prevents XSS attacks and similar sort of nasties.
The control allows the owner of a web-site to adjust the content on that page. They can potentially enter markup if they want to. Since it's their site to edit, they must be able to stick w...
We have an existing Web application and we want to migrate from a custom authentication solution to Active Directory Federation Services so that our partner organizations can manage the authorization of their users on their side.
Right now the site is using custom database tables to manage users and custom logic to manage authentication...
Are they sufficient in terms of security for use in a public site? Or do I need to make modifications?
...
I'm considering ditching PHP's $_SESSION (i.e. the server-side session handling, to add some language-agnostic flavor) and using signed cookies instead, since I've heard so much good about them (Flickr uses them, so they ought to be good enough for me too).
I understand the basic context of the technique: Use cookies freely to pass key-...
I've heard of security features in the framework and the BCL, but does this have anything to do with preventing malicious programmers from writing harmful software, or preventing malware from running on the CLR? For example, is it possible to write a program in C# that makes harmful changes to the Windows folder?
...
Is there any way to safely include pages without putting them all in an array?
if (preg_match('/^[a-z0-9]+/', $_GET['page'])) {
$page = $_GET['page'].".php";
$tpl = $_GET['page'].".html";
if (file_exists($page)) include($page);
if (file_exists($tpl)) include($tpl);
}
What should I add to make this pretty safe?
I'm doing it this wa...
Implementing a 'sandbox' environment in Python used to be done with the rexec module (http://docs.python.org/library/rexec.html). Unfortunately, it has been deprecated/removed due to some security vulnerabilities. Is there an alternative?
My goal is to have Python code execute semi-trusted Python scripts. In a perfect world, calls to...
I can obtain the Weblogic InitialContext from a JNDI Client using the following
properties as the Environment parameters for InitialContext
Hashtable jndiProps = new Hashtable();
Hashtable.put( the below 4)
java.naming.factory.initial "t3://localhost:7001"
java.naming.provider.url "weblogic.jndi.WLInitialContextFactory"
java.naming.secu...