Thursday, December 18, 2014

WCF Security guidelines

I have been working on various WCF based service implementations and have a good working knowledge of security considerations. I have made selective readings from MSDN and am posting them for myself to have a better understanding. (All the information below consists of excerpts from the MSDN site.)

Design considerations

different end points
custom binding for legacy WSE Clients
interoperability with non-Microsoft clients
Consider Transport Security as your preferred security mode
authentication/authorization options
binding options (choose right binding)
---
Auditing and logging

WCF auditing to audit your service
consider setting SuppressAuditFailure to false (non-repudiation)
use message logging only for debugging
Instrument for user Management events
Instrument for significant business operations
Protect log files from unauthorized access
do not log sensitive information
Protect info in log files
custom trace listener only when message filtering is needed
------
Authentication

available authentication options
use windows authentication
users in AD but can't use Windows authentication: consider using username authentication
membership provider for username authentication
SQL Server membership provider
custom validator
partner apps to be authenticated, use client certificate authentication
username authentication: validate user login information
protect access to your credential store
limit certificates
---------
Authorization

WCF PrincipalPermissionAttribute class for role authorization
for ASP.Net roles, use the ASP.NET Role Manager for role authorization
ASPNETWindowsTokenRoleProvider -> windows groups authorization
SQL Server role provider for role authorization
Authorization Manager role provider for ADAM
custom authorization policy for a custom store
declarative authorization for WCF operations
imperative authorization for fine-grained authorization based on business logic
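The declarative and imperative forms from this list side by side, as an added example (not MSDN's code); the contract, the role names "Payroll" and "Managers", and the raise threshold are assumed for illustration:

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.Threading;

[ServiceContract]
public interface IPayrollService
{
    [OperationContract] decimal GetSalary(string employeeId);
    [OperationContract] void ApproveRaise(string employeeId, decimal amount);
}

public class PayrollService : IPayrollService
{
    // Declarative: WCF demands membership in the "Payroll" role (assumed name) before the
    // operation body runs. Which store the role comes from is selected by PrincipalPermissionMode
    // on the host: UseWindowsGroups (the default) for Windows groups, UseAspNetRoles for an
    // ASP.NET role provider such as the SQL Server role provider.
    [PrincipalPermission(SecurityAction.Demand, Role = "Payroll")]
    public decimal GetSalary(string employeeId)
    {
        return 50000m; // placeholder for the real lookup
    }

    // Imperative: the decision depends on business data (the amount), so an extra role check
    // is made in code after the declarative demand has already passed.
    [PrincipalPermission(SecurityAction.Demand, Role = "Payroll")]
    public void ApproveRaise(string employeeId, decimal amount)
    {
        if (amount > 10000m && !Thread.CurrentPrincipal.IsInRole("Managers"))
        {
            // A plain fault for the client instead of a SecurityException carrying server details.
            throw new FaultException("Caller is not authorized to approve a raise of this size.");
        }
        // ... apply the raise ...
    }
}

public static class PayrollHostSetup
{
    // Host-side switch to evaluate roles against the ASP.NET Role Manager instead of
    // Windows groups (an assumed deployment choice for this example).
    public static void UseAspNetRoles(ServiceHost host)
    {
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
    }
}
```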
----
Bindings

over the internet - wsHttpBinding
expose to legacy clients using ASMX - basicHttpBinding
clients within intranet - netTcpBinding
clients in the same machine - netNamedPipeBinding
disconnected queued calls, use netMsmqBinding
bidirectional communication - wsDualHttpBinding or netTcpBinding
-----------
Configuration Management

replay detection to protect against message replay attacks
if the host is a Windows service, expose a metadata exchange (mex) binding
to not expose your WSDL, turn off HttpGetEnabled and mex
Encrypt configuration sections that contain sensitive data
------------
Exception Management

Use structured Exception handling
do not divulge exception details to the client in production
use a fault contract to return error information to clients
use a global exception handler to catch unhandled exceptions
----------
Hosting

Run service in a least privileged account
Use IIS to host your service, unless you need to use a transport that IIS does not support
--------
Impersonation/Delegation

tradeoffs involved in impersonation
impersonation options
impersonation methods
prefer programmatic over declarative impersonation
when impersonating programmatically, be sure to revert to the original context
when impersonating declaratively, only impersonate on the operations that require it
if you cannot use Windows mapping, use the S4U feature for impersonation and delegation
if the WCF service cannot be trusted for delegation, consider using the LogonUser API
use constrained delegation to flow the original caller to the back-end services
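Programmatic impersonation with a guaranteed revert, as an added example (not MSDN's code); the contract, the report folder and the file-name rule are assumed:

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IReportService
{
    [OperationContract] string ReadReport(string reportName);
}

public class ReportService : IReportService
{
    private const string ReportFolder = @"C:\Reports"; // assumed location

    // The declarative form, if preferred, goes only on this operation, not on the whole service:
    // [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadReport(string reportName)
    {
        // The name must be a bare file name: no directory separators and no "..".
        if (string.IsNullOrEmpty(reportName) || reportName != Path.GetFileName(reportName)
            || reportName.Contains(".."))
            throw new FaultException("Invalid report name.");

        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Windows authentication is required for this operation.");

        // Impersonate the caller only around the file access. Disposing the context calls Undo(),
        // so the thread is back on the host identity even if File.ReadAllText throws.
        // The client must have permitted this with
        //   ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return File.ReadAllText(Path.Combine(ReportFolder, reportName));
        }
    }
}
```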
-----------
Message Validation

validate parameters using parameter inspectors
use schemas with message inspectors to validate messages
use regular expressions in schemas to validate format, range or length
inbound messages on the service: implement AfterReceiveRequest
outbound messages on the service: implement BeforeSendReply
inbound messages on the client: implement AfterReceiveReply
outbound messages on the client: implement BeforeSendRequest
validate operation parameters for length, range, format and type
do not rely only on client-side validation
avoid user-supplied file name and path input
do not echo untrusted input
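A parameter inspector that enforces length and format on one operation parameter, as an added example (not MSDN's code); the contract and the account-id pattern are assumed:

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Parameter inspector attached to a single operation as an operation behavior. It checks one
// string parameter for format and length (the anchored pattern bounds both) before the body runs.
[AttributeUsage(AttributeTargets.Method)]
public class ValidateParameterAttribute : Attribute, IOperationBehavior, IParameterInspector
{
    private readonly int _index;
    private readonly Regex _pattern;

    public ValidateParameterAttribute(int index, string pattern)
    {
        _index = index;
        _pattern = new Regex(pattern, RegexOptions.CultureInvariant);
    }

    // IOperationBehavior: register this instance as an inspector on the dispatch (service) side.
    public void ApplyDispatchBehavior(OperationDescription d, DispatchOperation op) { op.ParameterInspectors.Add(this); }
    public void ApplyClientBehavior(OperationDescription d, ClientOperation op) { }
    public void AddBindingParameters(OperationDescription d, BindingParameterCollection p) { }
    public void Validate(OperationDescription d) { }

    // IParameterInspector: runs before the operation is invoked; a thrown fault cancels the call.
    public object BeforeCall(string operationName, object[] inputs)
    {
        string value = _index < inputs.Length ? inputs[_index] as string : null;
        if (value == null || !_pattern.IsMatch(value))
            // The rejected value is deliberately not echoed back in the fault text.
            throw new FaultException("Parameter " + _index + " of " + operationName + " failed validation.");
        return null; // no correlation state needed
    }
    public void AfterCall(string operationName, object[] outputs, object returnValue, object state) { }
}

[ServiceContract]
public interface IAccountService
{
    // Assumed account-id format: 8 to 12 alphanumeric characters. \z rather than $ is used
    // because $ in .NET still matches before a trailing newline.
    [OperationContract]
    [ValidateParameter(0, @"^[A-Za-z0-9]{8,12}\z")]
    decimal GetBalance(string accountId);
}
```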
----------
Message Security

clients over the internet -> message security
intermediaries between the client and service -> message security
support selective message protection -> message security
multiple transactions per session using secure conversation -> message security
do not pass sensitive information in SOAP headers when using HTTP transport and message security
to support interoperability, consider setting negotiateServiceCredential to false
to streamline certificate distribution to your clients, consider negotiating the service credentials
if you need to limit the clients that will consume your service, consider setting negotiateServiceCredential to false
------
Transport Security

use when possible
to support clients in an intranet, use transport security
if you need to support interoperability with non-WCF clients, use transport security
use a hardware accelerator when using transport security
------
Proxy considerations

publish WCF Service metadata only when required
publish WCF service metadata over the https protocol
publish WCF service metadata over a secure binding
if you turn off mutual authentication, be aware of service spoofing
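A programmatic host that applies the configuration-management and metadata items above together, as an added example (not MSDN's code); the contract, the base address and the absence of a config file are assumed:

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IQuoteService
{
    [OperationContract] decimal GetQuote(string symbol);
}

public static class SecureHostSetup
{
    // serviceType implements IQuoteService and baseAddress is an https:// URL (both assumed);
    // no app.config is present, so the behaviors are added here rather than merged.
    public static ServiceHost Create(Type serviceType, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);

        // Transport security: the channel is HTTPS, so the endpoint refuses to open on http://.
        // (For comparison, new BasicHttpBinding() defaults to BasicHttpSecurityMode.None.)
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IQuoteService), binding, "");

        // Message-security alternative when intermediaries sit between client and service:
        //   var msg = new WSHttpBinding(SecurityMode.Message);
        //   msg.Security.Message.NegotiateServiceCredential = false; // clients hold the cert out of band

        // Metadata only over HTTPS and only on a mex endpoint. With both Get flags false and no
        // mex endpoint, the WSDL is not published at all.
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = false, HttpsGetEnabled = true });
        host.AddServiceEndpoint(typeof(IMetadataExchange),
                                MetadataExchangeBindings.CreateMexHttpsBinding(), "mex");

        // Clients never receive stack traces or exception types in production.
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug != null) debug.IncludeExceptionDetailInFaults = false;

        return host;
    }
}
```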
---------
Sensitive Data

avoid plain-text passwords or other sensitive data in config files
use platform features to manage keys where possible
Protect sensitive data over the network
Do not cache sensitive data
Minimize exposure of secrets in memory
basicHttpBinding will not protect sensitive data by default
use appropriately sized keys
----------
Deployment considerations

do not use temporary certificates in production
If you use Kerberos authentication or delegation, create an SPN
Use IIS to host your WCF service where possible
use a least-privileged account to run your WCF service
Protect sensitive data in your config files

Wednesday, December 17, 2014

URLs

http://www.spdockit.com/blog/sharepoint-2013-best-practices/

http://adtmag.com/articles/2014/12/16/java-cloud-security.aspx

SharePoint Admin Tools

Microsoft's SharePoint Admin Toolkit 2.0 (for 2010 and 2007 versions)

1) SPDiag 3.0 utility
2) Free SharePoint health monitor tool
3) Microsoft's SharePoint Designer (for 2007, 2010 and 2013)
4) Idera's Free SharePoint Performance Monitor
5) Idera's Free SharePoint Admin Toolset
6) IntLock's CardioLog Analytics Free Edition
7) McAfee's Network Discovery for MS SharePoint
8) SharePoint SUSHI
9) Axceler's ViewPoint for SharePoint
10) Quest's Server Administrator for SharePoint

SharePoint Tools

I started playing with these tools ever since I migrated to SharePoint 2013 and learnt about them from the internet.

1) CAML Designer 2013
2) ULS Viewer
3) CKS Dev
4) Color Palette Tool for Banding
5) Debugger Canvas
6) SharePoint 2013 Search Tool
7) Fiddler
8) SharePoint Code Analysis Framework (SPCAF)
9) .NET Reflector from Red Gate
10) F12 Debugging experience in your browser
11) Powershell tools for Visual Studio
12) SPFastDeploy
13) Advanced Client plugin for Google Chrome
14) Postman - REST client plugin for Google chrome
15) SharePoint 2013 Client Browser
16) smtp4dev

I will keep adding as I learn more. 

Tuesday, December 16, 2014

Some senior level questions with answers

1. What is your experience in leading projects that integrate with multiple systems?

 I have a couple of years of experience in integrating with multiple systems. I have taken the lead in designing and helped in building projects like an SOA architecture which used WCF services to talk to a .NET Remoting service (NICE APIs) and the front-end CRM system built using Java. Another application was bringing PeopleSoft data into the SQL Server Business Intelligence server for various Microsoft Excel PowerPivot services.

2. What challenges exist when managing internal and external partner relationships, and how do you address these challenges?

Keeping a good relationship with the customer, protecting their data as per the company's policies, and making sure the data retention policy is strictly enforced.

3. How do you personally manage and track task assignments to your development teams?

We had a couple of systems like JIRA and SharePoint to track task assignments. So if the project has issues, we have daily calls with the QA team and assign the various issues to the developers, and then those independent developers are responsible for fixing the issues. By having some reports built in, we can know which issues are handled by which developers. I used JIRA for some project task assignments and also later used a SharePoint project list to track various projects and their corresponding risks/issues. There is also a RAG status for each task. I try to identify all the Red status items and pay attention to them on a daily basis.

4. How do you address low performing team members?

Try to understand the member's problem by talking with them. If anything from my side can be done for them to correct, I will do. If they lag in Technical understanding route them to proper internal Route2Learn classes. If budget allows, send them to proper training seminars, else, I will try to do research based on the member's problem and try to address it in a positive manner. Coach them and train them till they get it.

5. Imagine you are brought in on a project where the client is complaining that their site is too slow. While investigating this issue, what questions would you ask the internal project team? What would you ask the client?

For the client:
1) When do you experience the problem (any specific time of the day?)
2) How big is the data loading ? (like a few 100 or a few 1000)?
3) Exactly on what application or pages do you face this issue?
4) What is the environment they use (if it is a web app, browser versions etc)
5) Network speed (though understand lot of clients cannot answer directly,

For the project team:
1) Can we simulate the issue?
2) If so, where is it happening? In the frontend, middle layer, database layer or network ?
3) If database layer, try to work on the queries used (Performance tuning)
4) If front end, make sure viewstates are properly enabled for pages?
5) middle layer - make sure the objects are not the cause

6. Given that most of our clients are financial institutions, it's vital that we protect their data by training our developers to avoid introducing security vulnerabilities. Can you name the most common security vulnerabilities and the practices that you follow to ensure that your applications are secure?
1) SQL Injection -> Make sure no ad hoc query is sent over the wire (ensure stored procs)
2) XSS Vulnerabilities (Cross site scripting) - making sure proper validations of the input are made, encode URL output, review potentially dangerous HTML tags and attributes, validate Unicode characters, try to use the frame security attribute, avoid using the innerHTML property,

Please post your thoughts/comments!

Node.js

Microsoft Link Node.js is a means to develop both client side and server side app effectively and efficiently. Node.js stacks, such as the MongoDB, Express, AngularJS, Node.js (MEAN) stack bring many benefits to building apps. All the layers of the app can be developed easily. (Front-end, middle-tier and the back-end)

NoSql

I am trying to understand NoSql and as well compiling some of the available NoSql dbs out there.

A NoSQL (Not Only SQL) database provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases.

A NoSQL database environment is a non-relational and largely distributed database system. It enables rapid analysis of extremely high-volume, disparate data types. NoSQL databases do not provide a high-level declarative query language like SQL; querying these databases is data-model specific. Many NoSQL databases offer RESTful interfaces to the data.

There are 4 categories of NoSQL.

1) Key-value Stores - use a hash table where there is a unique key and a pointer. It is the simplest and easiest to use. (Tokyo Cabinet/Tyrant, Redis, Voldemort, Oracle BDB, Amazon SimpleDB, Riak are some examples)

2) Column Family Stores - created to process very large amounts of data distributed over machines. Keys point to multiple columns, and columns are arranged by column family. (Cassandra, HBase are examples)

3) Document Databases - semi-structured documents are stored in formats like JSON. The next level up from key/value, allowing nested values associated with each key, and supporting more efficient querying. (CouchDB, MongoDB are examples)

4) Graph Databases - a flexible graph model is used, can scale across multiple machines. (Neo4J, InfoGrid, Infinite Graph)

Major companies implementing NoSQL databases are:
StackOverflow, GitHub, Twitter, Blizzard, Flickr, Digg, Instagram


Downloading Redis for Windows: this shows how to use Vagrant to run the latest stable version of Redis.
-----------------------
RavenDB

RavenDB from Ayende is a .NET based back-end and client NoSQL database (specifically a document database). The source is freely available. Indexing is done in a very clever way using LINQ. REST interface, web UI. Very, very smart in fact. RavenDB can run as a service, in IIS or via a console (exe).
Requires .NET 4 for the server side. Documentation for RavenDB
--------------
Memcachedb
MemcacheDB is a distributed key-value storage system designed for persistence. It is NOT a cache solution, but a persistent storage engine for fast and reliable key-value based object storage and retrieval. It conforms to the memcache protocol (not completely, see below), so any memcached client can connect to it. MemcacheDB uses Berkeley DB as its storage backend, so many features including transactions and replication are supported.