Thursday, September 29, 2005

An Example of Compatibility Issues with Data Execution Prevention

Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits; in particular, it stops code from running out of pages that are marked as data. It was first introduced in Windows XP SP2 (and in Windows Server 2003 SP1) and is enforced by both hardware, through the processor's no-execute page bit, and software. See my notes on DEP for more detail. I never encountered any compatibility issues with DEP until recently.

We have an application written in Delphi 7. It contains a Delphi Web service and a Delphi client. This app failed on some machines supporting hardware-enforced DEP, with Win2K3 SP1 as the OS. It seems to me that hardware-enforced DEP prevents executing the proxy used to communicate with the Web service, which is generated at runtime. An exception with the format "Access violation at address xxxxxxxx in module 'yyy'. Read of address 00000008 ..." was thrown. Under Windbg.exe the failure shows up as an access violation exception (exception code 0xc0000005).

To address the issue, we have to go to My Computer - Properties - Advanced - Performance Settings - Data Execution Prevention, choose "Turn on DEP for all programs and services except those I select" (the exception list is ignored otherwise), and add the process that hosts the Web service: w3wp.exe, located at %SystemRoot%\system32\inetsrv, if IIS 6.0 runs in worker process isolation mode, or dllhost.exe, located at %SystemRoot%\system32, if IIS runs in IIS 5.0 isolation mode. Of course, this resolution is not good from the security point of view: it switches DEP off for every application hosted by that worker process, not just for the one Delphi service. The real fix belongs in the code that generates the proxy at runtime, which should place it in memory allocated with execute permission (for example through VirtualAlloc with PAGE_EXECUTE_READWRITE) rather than in ordinary heap memory.

Monday, September 19, 2005

Some Useful Tools in Production Debugging

You can download DebugView, FileMon, RegMon, Process Explorer from www.sysinternals.com. You can download the latest MS debugging tools from http://www.microsoft.com/whdc/devtools/debugging/default.mspx. You can find ADPlus and WinDbg + SOS in the package.

It was Alan Cobb who introduced me to the first link.

Sunday, September 18, 2005

Types of Network Attacks

Network attacks can be distinguished on two dimensions: passive versus active and automated versus manual.

Passive-automated—Hard to pull off, unlikely to generate much value
Passive-manual—Sometimes fruitful, but takes longer than an active attack
Active-automated—Reaches thousands of systems, but (relatively) easy to defeat
Active-manual—Extremely dangerous, but rarer than the others

Adapted from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley.

How to Grant Access to SQL Server for the Network service account

To grant access to SQL Server for the network service account:
  • Create a SQL login for the Network Service account. If your database is on a separate server, the account reaches SQL Server as the web server's computer account and the name appears as domainName\machineName$; if SQL Server runs on the web server itself, the name is NT AUTHORITY\NETWORK SERVICE. You can use Enterprise Manager or run the following SQL statement to create the SQL login:
    exec sp_grantlogin [domainName\machineName$]
  • Create a database user in the required database and map the login to the database user, or run the following SQL statement:
    exec sp_grantdbaccess [domainName\machineName$]
  • Place the database user in a database role.
  • Grant permissions to the role. Ideally, just grant execute permissions to selected stored procedures and provide no direct table access.
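The four steps above as one complete T-SQL script. This is an added example, not code from the original post or from the MSDN page it cites; the domain (CONTOSO), web server (WEBSRV01), database (Orders), user and role names and the two stored procedures are hypothetical. It uses the SQL Server 2000 procedures the post uses (sp_grantlogin, sp_grantdbaccess); on SQL Server 2005 and later, CREATE LOGIN and CREATE USER replace them.

```sql
-- Added example (not from the original post). All names below are hypothetical:
-- the web server is CONTOSO\WEBSRV01, the database is Orders, and the
-- application needs exactly two stored procedures.

USE master
GO
-- 1. Server-level login. Network Service appears on the network as the
--    web server's computer account, hence the trailing $.
EXEC sp_grantlogin N'CONTOSO\WEBSRV01$'
GO

USE Orders
GO
-- 2. Database user mapped to that login (second argument is the user name
--    inside the database).
EXEC sp_grantdbaccess N'CONTOSO\WEBSRV01$', N'WebAppUser'
GO

-- 3. A database role owned by dbo, with the new user as its only member.
EXEC sp_addrole N'WebAppRole', N'dbo'
EXEC sp_addrolemember N'WebAppRole', N'WebAppUser'
GO

-- 4. Least privilege: EXECUTE on the selected procedures only. No GRANT is
--    issued on any table, so ad hoc queries from the web account fail.
GRANT EXECUTE ON dbo.usp_GetOrderById TO WebAppRole
GRANT EXECUTE ON dbo.usp_InsertOrder  TO WebAppRole
GO

-- Verification: the user should be listed with WebAppRole as its role, and the
-- only permissions reported for the role should be the two EXECUTE grants.
EXEC sp_helpuser N'WebAppUser'
EXEC sp_helprotect NULL, N'WebAppRole'
GO
```

Execute-only access works because of ownership chaining: when a procedure and the tables it reads or writes have the same owner (dbo here), SQL Server does not re-check table permissions inside the procedure, so the role needs no SELECT or INSERT on the tables at all. If a procedure is later rewritten to use dynamic SQL, the chain breaks and the call fails with a permission error, which is the correct place for it to fail.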

Within the client application, use a connection string that contains either "Trusted_Connection=Yes" or "Integrated Security=SSPI". The two strings are equivalent; both make the connection authenticate as the process identity (here, Network Service), so no SQL login name or password has to be stored in configuration.

Adapted from http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGPractices0001.asp.

How to Create a Service Account for ASP.NET

To create a service account:

  • Create a Windows account
  • Run the following Aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:
    aspnet_regiis.exe -ga machineName\userName
    The -ga switch is part of the .NET Framework 2.0 version of Aspnet_regiis.exe. On Windows 2003, running the Aspnet_regiis.exe -ga command adds the account to the IIS_WPG group. The IIS_WPG group provides the Log on as a batch job user right and ensures that the necessary file system permissions are granted.
  • Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right. This reduces the privileges of the account and prevents anyone logging onto Windows locally with the account.
  • Use IIS Manager to create an application pool running under the new account's identity and assign the ASP.NET application to the pool.

Adapted from http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGPractices0001.asp.