Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Using TFS via the internet
January 29, 2009
My company has been slow to adopt Microsoft Team Foundation Server (TFS) since we already had an established source control process based on a mix of SubVersion and Perforce. But a combination of several recent events over the past couple of months led me to want to dig deeper into TFS. In summary, it’s an impressive product, and I’m glad I did.
The primary TFS adoption barrier for a typical small to medium-sized software company, assuming they’re already a predominantly Microsoft shop, will be cost. A quick web search shows prices at $2500 and up. Compared to using file shares, BugZilla, and SubVersion, that’s pretty steep.
However - and this is what hooked us - Microsoft Gold Certified Partners are granted a TFS Workgroup license, along with a certain number of CALs. So, again, if you’re in tight with the Microsoft ecosystem, or if you’re a big Windows software shop, then TFS starts to make sense.
The secondary TFS adoption barrier is its complexity, both in terms of installation and administration. Regarding the former, this step-by-step guide is indispensable. If you follow it carefully - and read it through once before you start - then installation complexity won’t be an issue.
I needed to go a step further with TFS, though, and expose its source control capabilities securely over the internet for authorized users working remotely. The first step is enabling SSL/TLS access to the TFS server; there’s a walkthrough here for setting that up.
I didn’t follow those instructions entirely, though, because the process for moving TFS and all of its dependent components (including SQL and SharePoint) over to requiring TLS is really painful and error prone. Instead, I just set up a server certificate and a port 443 binding in IIS to allow TLS (that is, HTTPS) into the TFS web services.
Then, at the corporate firewall, designate a high port for secure remote TFS access and configure it to forward traffic to port 443 on the TFS server. Assuming that integrated Windows authentication is enabled in IIS, external users can then only attempt to log in over an encrypted channel, so the password is never entered in the clear. Equally important, assuming TFS is your source control server, the source data travels encrypted as well.
You can use the same HTTPS URL to exchange encrypted data with the TFS server from behind the firewall as well, but there it’s not enforced.
Anyway, so far, it’s working and I’m glad we migrated.
Looks like the best bet for a 64-bit AuthenTec fingerprint reader device driver for the latest (January 2009) Windows 7 Beta is here. I installed that driver and have successfully enrolled - the latter experience was smooth and pretty cool.
Confusingly, you can’t use Device Manager to find a driver (I’m using device model AES2810), even though you can use Windows Action Center (via the systray) to find one. Unfortunately, at least for 64-bit, the driver that Action Center found for me wouldn’t install correctly.
We’re in the research phase for the Secure Purchase Order System code sample (aka Bio Approval Workflow). A question came up regarding the use of the built-in Windows Credential UI, aka CredUI.
Namely, we’re considering using CredUIPromptForWindowsCredentials with the CREDUIWIN_SECURE_PROMPT flag on Win 7 in order to gather a user fingerprint biometric credential. The trick is, for this demo, we want to ensure not only that the user provides a valid Windows credential, but that it’s specifically a fingerprint.
Unfortunately, that doesn’t seem to be possible using CredUI. For one thing, Win 7 Bio doesn’t use its own authentication package, so we can’t use the auth package filtering feature of CredUI. And for another thing, it appears that unmarshaling the returned credential would require being in a system context.
Technically, we shouldn’t be relying on the user application to enforce fingerprint usage anyway, since the user could write his or her own client and bypass that check. But I don’t really want to add an NT service to the code sample just to handle prompting, and it doesn’t appear that there’s another good option. Stay tuned as we work this one out …
As we prepare for the main development phase of the Secure Password Storage project, the primary purpose of which is to serve as a guide for Windows logo testing, an excellent question was raised: what exactly does logo testing entail?
Mainly, logo testing is a question of designing and implementing the target software, as well as its installer package, so that it passes a list of official test cases. We’ll be pursuing the Certified for Windows Vista logo for this project. The test case list for that logo is here. There’s a higher-level rationale document here.
If you write software for Windows, and you read nothing else about the logo program, I recommend at least skimming that test case list, because it raises several important points. These are points that apply to all Windows software and can have a considerable effect on usability.
For example, test case 3, “Verify Least-Privilege user is not able to save files to Windows System directory.” In other words, does your software introduce a potential elevation-of-privilege security bug? Lots of products use a thin client application to interface with the user, mated with an NT service to perform the heavy lifting. But does the service expose functionality that might allow regular user accounts to do things that they wouldn’t be able to do directly (after all, that’s generally why the service is introduced in the first place)?
Another example - test case 23 - “Verify the application rolls back the install and restores machine back to previous state.” Don’t you hate it when you un-install a software package and it leaves behind data in the registry and files on disk?
In the Vista list linked above, there are 32 test cases total, each of which includes detailed instructions on how to perform the test. Again, it’s a useful document, and once you give it a quick scan, you’ll know exactly what you’re getting into. But, more importantly, you’ll have a better idea of the bar for the highest quality software.
Back to the original question - what does Windows logo testing entail - the certification process is actually more than just the test cases. In order to obtain the “Certified” logo, you have to engage with a third-party test lab, and you have to follow the WHQL submission process. But if you’ve confirmed in advance that you pass all of the test cases (which you should do if you want to save time and money), then the rest is really just a question of waiting for the gears to turn.
The Secure Purchase Order System Project
January 26, 2009
The Secure Purchase Order System (SPOS) is the next project in the “Samples 2009” series introduced in this post. In brief, the purpose of SPOS is to showcase the use of the biometrics features of Windows 7 for creating a purchase order approval system.
The initial developer specification for SPOS is available here. As always, comments are welcome.
SPOS will be similar in architecture to WPS. That is, it will consist of a WPF client application, a web service, and a SQL database. SPOS will also use the Windows Biometric Framework.
SPOS-related blog posts will be tagged with “SPOS” and “Samples 2009”.
For an introduction to the Secure Password Storage (SPS) project, see this post.
The latest specification document for SPS is available here. It now includes a GUI (graphical user interface) mock-up for the SPS client.
Some comments about that mock-up:
- It’s relatively simple. It includes the interface controls and a sample layout for what I expect will be the “main” screen of the SPS client.
- It was done using Visio. While that’s generally not the tool of choice for graphic designers, it’s one of the best tools for software designers. Once you’ve done a couple of component diagrams, and, yes, GUI mock-ups, it becomes natural and convenient.
- It uses the Win32 GUI templates from Visio. I did that just because it’s what I’m used to and it’s what Visio has to offer. Since we’re using WPF, and will be paying professional designers, I’ll expect them to come up with something more attractive.
Given how low-tech the GUI mock-up is, why is it worthwhile to do it? In my experience, it will pay for itself many times over, since it reduces the initial communication burden from requirements gathering, graphic design, and implementation. The same applies to the component graphic included in the spec.
The Secure Password Storage Project
January 22, 2009
Introduction
I introduced the “Samples 2009” project series in this post. This - Secure Password Storage (SPS) - is the first project of the series. An introduction to SPS, and some of the initial design considerations, follows.
Before that, though, it’s important to note that the primary requirement for this project is that it must complete the Certified for Windows Vista logo process. We will document everything we do to prepare for and accomplish the logo certification.
Why should we do a sample project for logo certification? Well, we’re doing it because the Windows logo program is important, both to Microsoft and to the Windows ISV (Independent Software Vendors) community. First, the logo program helps to solidify the bond between Microsoft and the ISVs. Second, the program helps steer ISVs into the Microsoft Partner Program (and vice-versa). Speaking from personal experience, ISVs can benefit from these programs just as much as Microsoft does.
The third reason for undergoing logo certification is the most important: it improves the end-user experience by testing for common mistakes. On Vista, those mistakes tend to be related to UAC (User Account Control), both at install time (MSI) and run-time (elevation).
Fourth: as critical as the logo program is, it can be a complex process, with a steep learning curve for first-time users. First-timers tend to be small companies with significant time and budget sensitivity.
Thus, this project will demystify the logo program by completing it and documenting each step in detail.
In addition to the certification requirement, we need to build a sample that’s interesting and useful in its own right. As stated in the introductory post above, we’ll be including a professionally designed WPF user interface.
Secure Password Storage
With those requirements in mind, SPS is the software that we’ll be developing for this project. SPS will allow companies, or teams, to securely store website passwords for accounts that must be accessible to multiple people. Examples include MSDN (for a software team) or an online business checking account (for management or an accounting team).
SPS will use a three-tier architecture: there’s a WPF client that allows access to and management of the stored passwords, there’s a web service that exposes the data and enforces access control, and there’s a SQL database that stores the user data and encrypted passwords.
As an aside, I’d like to thank fellow Enterprise Security MVP Dana Epp for the idea of SPS.
The current developer specification draft can be found here.
Per-Password Security for SPS
As early as we are in the design phase for SPS, we’ve already identified what I believe will be the primary architectural question for the application: namely, how to control per-user access to each stored password. We’ve researched a few alternatives:
AzMan: For an introduction to the use of the Windows Authorization Manager feature in .NET, see this article. It’s not clear that AzMan, which is primarily for role-based access control, is the best solution for WPS, though, because we really only have two roles: regular users and the application administrator. The problem we face is a proliferation of data items, each of which requires its own ACL (Access Control List).
SQL row security: There’s a good article here about how this can be done. This approach involves creating a view for the sensitive table that consists only of rows for which the requesting user is listed as a reader (for example in a “Readers” column, or elsewhere). This introduces complexity in the form of SQL programming. It may be the way to go, but we need to do more research.
Enforcement via the web service: Finally, we could implement basically what SQL does, but instead process the approved lists of per-row readers and writers “manually” in the web service. This is a common approach and would move the complexity out of the SQL stored procedures and into ASP.NET. But it’s still nasty to have to roll your own access control. Again, more research is needed.
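One way to build the SQL row security option above, with the same per-row reader/writer check that the web-service option would otherwise carry out in code; this is an added example, not part of the SPS spec or the project’s code, and the table, column and role names are assumptions:

```sql
-- Added example (not from the SPS spec or project): a view that shows the
-- caller only the password rows it is listed as a reader of, plus a procedure
-- that re-checks the writer list on update. Names below are assumptions.

CREATE TABLE dbo.StoredPasswords (
    PasswordId        INT IDENTITY PRIMARY KEY,
    SiteName          NVARCHAR(200)  NOT NULL,
    AccountName       NVARCHAR(200)  NOT NULL,
    EncryptedPassword VARBINARY(512) NOT NULL   -- ciphertext only; the key stays in the web service
);

-- One row per (password, principal). Principal is a Windows login name such as
-- DOMAIN\alice, compared against SUSER_SNAME() of the connecting login.
CREATE TABLE dbo.PasswordAccess (
    PasswordId INT NOT NULL REFERENCES dbo.StoredPasswords(PasswordId) ON DELETE CASCADE,
    Principal  NVARCHAR(256) NOT NULL,
    CanWrite   BIT NOT NULL DEFAULT 0,
    PRIMARY KEY (PasswordId, Principal)
);
GO

-- Readers only ever get SELECT on this view; the base table stays locked down.
-- The filter follows whoever the connection is authenticated as.
CREATE VIEW dbo.MyPasswords AS
SELECT p.PasswordId, p.SiteName, p.AccountName, p.EncryptedPassword
FROM   dbo.StoredPasswords AS p
WHERE  EXISTS (SELECT 1
               FROM   dbo.PasswordAccess AS a
               WHERE  a.PasswordId = p.PasswordId
                 AND  a.Principal  = SUSER_SNAME());
GO

-- Writes go through a procedure that checks the ACL itself rather than
-- trusting the client to have done so.
CREATE PROCEDURE dbo.UpdatePassword
    @PasswordId    INT,
    @NewCiphertext VARBINARY(512)
AS
BEGIN
    SET NOCOUNT ON;
    IF NOT EXISTS (SELECT 1
                   FROM   dbo.PasswordAccess
                   WHERE  PasswordId = @PasswordId
                     AND  Principal  = SUSER_SNAME()
                     AND  CanWrite   = 1)
    BEGIN
        RAISERROR('Caller is not a writer for this password', 16, 1);
        RETURN;
    END
    UPDATE dbo.StoredPasswords
    SET    EncryptedPassword = @NewCiphertext
    WHERE  PasswordId = @PasswordId;
END
GO

-- Application users (assumed role SpsUsers) touch only the view and the procedure.
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.StoredPasswords TO [SpsUsers];
GRANT SELECT  ON dbo.MyPasswords    TO [SpsUsers];
GRANT EXECUTE ON dbo.UpdatePassword TO [SpsUsers];
```

The SUSER_SNAME() filter only works if the web service connects as the end user (for example by impersonating the caller); if it connects under a single service account, every caller collapses to that login and the reader/writer check has to move into the service, which is the third option above.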
Additional SPS Project Notes
Since we’re still in the design phase, and don’t have any source code to publish yet, I haven’t created the CodePlex site for the SPS project. However, again, a link to the current dev spec is above, and comments are welcome.
The tag for blog posts relating to SPS is “Secure Password Storage”.
Introduction
I’m happy to announce that JW Secure is writing a few new sample code projects for Microsoft. The goal of these projects is to provide timely and useful information to line-of-business (LOB) developers who write code for Windows.
We’re taking a novel approach to preparing and delivering this content. Specifically, each project will include the following resources:
- Sample code: This includes the full code and Visual Studio solution files required to build each project.
- CodePlex site: The development and release for each project will be driven entirely from CodePlex. We’ll be seeking community interaction in the form of questions, comments, feature requests, bug reports, etc. via the CodePlex Discussion and Feature Tracker pages.
- Architectural whitepaper: An article that gives an overview of the project and includes diagrams.
- Developer’s blog: A blog kept by the author of the sample, discussing the tradeoffs and learning encountered while writing it.
Why will we be providing all of those resources? Because we recognize that different people learn in different ways. Some people, when learning a new technology, like to just dig in and read code, and only read documentation when they’re absolutely stuck! Other people like the MSDN magazine model: you read a textual introduction to the technology and code sample, and then if you’re interested, you download and run the sample. If you’re still interested, you modify the sample and go from there.
In any case, software development is all about learning. And there’s a lot of learning that goes on when researching new technologies and writing new code samples. There are design tradeoffs even in the smallest piece of code, and there will inevitably be “dead ends” as well - that is, a direction or approach that just didn’t work out.
One thing that differentiates senior developers from junior ones is knowing how to make those design tradeoffs, and how to recognize dead ends, even in the context of a new technology. That knowledge comes from hands-on experience, but it can be documented and taught as well.
That’s where CodePlex and the developer’s blog come in. CodePlex is convenient for this because of its Discussion and Feature Tracker features, in addition to its built-in publicly-accessible source control. The blog will, I hope, give us a peek into the developer’s brain (ew!). Plus, the blog posts will be tagged for each project, so that at the end you’ll be able to view all of the posts for each project in sequence.
Blogging
Speaking of blog tagging, the tag “Samples 2009” will be applied to all posts (including this one) relating to this effort overall. Blog posts relating to the individual projects will use that tag plus another per-project tag. I’ll provide the per-project tag when I post about the separate projects. Those posts will also include pointers to the CodePlex sites.
Design
One final point about what we hope to accomplish with these projects. LOB developers frequently get left behind when it comes to having the tools, training, and budget to create software that not only gets the job done, but also has an attractive and professional-looking user interface. There are several good reasons for this, including prioritization of development effort and budget, as well as lower expectations among consumers of business software, especially when it comes to internal tools.
Those expectations are changing, however. Ten years ago, an enterprise software package for the Windows system administrator would have been expected to include an MMC (Microsoft Management Console) snap-in. Now, as often as not, that management interface is exposed via the browser. The proliferation of Web 2.0 sites and reusable design toolkits is raising the bar on browser-based user interfaces.
How should LOB developers meet those changing expectations, especially in light of the aforementioned budgetary constraints placed on graphic design, as well as the fact that there are some operations that just shouldn’t (for security reasons) be exposed via the browser? Well, there are times when the MMC snap-in is still the way to go. And there are times when other non-browser, Win32 graphical technologies such as MFC (Microsoft Foundation Classes) are most appropriate, especially when it comes to prototyping.
But the future is in technologies such as WPF (Windows Presentation Foundation) and Silverlight: they’re more interoperable, reusable, cross-platform, and offer better separation between design and development. And, importantly for the LOB developer, WPF offers native Win32 execution and browser-like rendering capabilities without having to expose dangerous capabilities in the form of a browser object (such as an ActiveX control).
In light of this, for each of these samples, we’ll be providing a professionally designed WPF client. The hope is that LOB developers can adapt and extend these interfaces for their own purposes, and that next time they prepare a demonstration of a new internal application for their managers or users, the response will be, “Wow!”
Talking to web services from Windows Mobile
January 9, 2009
My team has been preparing a demo for a customer that involves web application access from a custom client running on Windows Mobile 6. Overall, the experience has been quite positive, and I found a couple of resources on the net that were very helpful, so I wanted to share.
The development environment is Visual Studio 2008. We’re using mostly C# with a little native C for some low-level computation. We installed the Windows Mobile 6 Professional SDK after VStudio, and the WM build environment and emulators worked without any problems.
For debugging the web app, we installed IIS on Vista and used the built-in VStudio option to create a virtual directory and deploy the web app automatically to the local box. Don’t try using the built-in web development server instead of IIS; I was never able to get the emulator or device to see it. Although, as an aside, I was also never able to get WM to do DNS resolution for local names (internet names worked fine). So maybe if I’d tried using the “server” IP address, instead of the DNS name, with the dev web server, it would have worked fine.
This post provides lots of detail about the challenges encountered when, first, attempting to give the WM emulator network access and, second, attempting to expose the web application to it while in development.
However, that post refers to ActiveSync, where what you actually want to install these days is the latest Windows Mobile Device Center. Be sure to enable DMA network access in the WMDC configuration options (Mobile Device Settings | Connection Settings | Allow connections to one of the following | DMA), if you want the emulator to have network access that way.
One drawback about using WMDC for emulator network access is that you have to keep re-cradling the emulator every time you re-run it from within Visual Studio (Tools | Device Emulator Manager | right-click on Windows Mobile 6 Professional Emulator, or whichever emulator you happen to be using | Cradle). Not sure if saving the emulator state avoids that problem, but I don’t think so. Anyone have a better way?
My better way was to install Virtual PC 2007 and enable the NE2000 interface in the emulator (File | Configure | Network | Enable NE2000 …). I don’t necessarily like having VPC installed on Vista, because its VNICs seem to confuse the Windows Firewall, but for mobile development purposes it seems to be the best option.
Once the emulator scenario was debugged, I moved over to a physical device. I found an old Sprint PPC phone, but it happened to be running WM5. No matter - there’s an (unsupported) upgrade here that worked like a charm.
For security reasons, we don’t run WiFi, so I had to go back to WMDC in order to test network access from the old phone. I believe network access via USB is enabled by default, and the phone was detected by Vista after the upgrade completed, although I remember waiting a minute or so for the driver to get loaded. Still, it was nice to see the application running on “real” hardware. It worked the very first time, which shows how useful a tool the emulator is.
One final note: as I mentioned, I’m not getting local DNS from the device, so I’ve just been testing via the server IP address. Anyone solved that? Obviously, I’ll want to test the DNS name scenario eventually, so that may require moving to a web development server in the cloud. That has other advantages, since it sometimes makes things easier to demo offsite.
I’m an MVP!
January 5, 2009
The 2009 Microsoft MVP list has been announced, and I’m on it - woohoo! I received the award in the area of Enterprise Security. It’s quite an honor.
An introduction to the MVP program is here. A link to my profile on the MVP site is here.