Maung²'s Technical Adventures

Tech.Ed SEA 2007 Sessions

2007-09-22T17:10:00Z

Here is the links to download the presentation decks and demo code for my Tech.Ed SEA 2007 sessions.

Web Client Software Factory, The Proven Way
Building Rich Web Applications with ASP.NET AJAX

PS: To all Tech.Ed SEA 2007 audience who have attended my sessions, please accept my sincere apologies for the delay on making these materials available.

Blended Express Home-made Applications (JobStreet Presentation)

2007-07-14T07:53:00Z

Download the deck and the demo of my presentation "Blended Express Home-made Applications" for JobStreet event held at Microsoft Auditorium.

The compiled executable is not included in the zipped file to reduce the file size.

JobStreet Industry Nites Presentation Deck

2007-06-12T05:02:00Z

I know I can't give any satisfactory excuse for being unable to make the deck available within the two weeks from my presentation date.

Nevertheless, here is the deck in PDF format. If you are keen to get the deck in the original PPT file format, you can try digging http://www.netfx3.com/. There are lots of resources, hands-on-labs, samples, presentation, technical articles, being shared from this official .NET Framework 3.0 site.

If you are keen to get your hands on the demo which I used during my presentation, let me know. I will contact you to pass the demos.

LOVE 2007 Windows WF Presentation

2007-05-03T15:22:00Z

As promised, here is the deck and demo for my Windows WF presentation at LOVE 2007 Singapore.

I greatly appreciate all the attendees for their valuable time and undivided attention given during my session.

Following up from my presentation, you can learn more about Windows Workflow Foundation from the following resources.

FREE one-year Subscription for Windows WF eLearning (Clinic 5136)
Official Windows WF Community Site
Windows WF on MSDN Forums
Hands-on Labs for Windows® Workflow Foundation

Protect Your Web Site with Asirra

2007-04-25T12:25:00Z

All web applications exposed on the Internet are vulnerable to brute-force password cracking, spammed posting, or denial of service attacks.

The solution to prevent such attacks is to use CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) or HIP (Human Interactive Proof). One of the most commonly used techniques is requiring the user to identify the letters or digits from the randomly generated, distorted or obscured pictures. This technique is only effective if you have extremely large number of pictures, which make impossible for the attacker to reconstruct the image database. Otherwise, the attacker can easily analyze and hard code all the possible combination of letters or digits in the attack program and easily bypass your HIP protection.

So, you might be wondering how one can handle such security issue and protect their web applications effectively. Worry not!

Here is the solution, Asirra (Animal Species Image Recognition for Restricting Access), a research project from Microsoft and its partner PetFinder.com, and currently it is available for beta testing. It is available as free web service and you can easily integrate with your web applications built on any platform.

Asirra will randomly display 12 pictures of cats and dogs from the large image database and requires the user to simply identify either all the cats or dogs pictures. If only one picture were displayed, attacker has 50% chance of guessing it right, but fortunately, requiring the attacker to select all cats or dogs from 12 given pictures will greatly reduce the probability to 1/4096 chance. There were similar HIP solutions which use animal pictures to tell Human and Computers apart, but they were not successful due to relatively small image databases as compared to Asirra, which has more than 2 million images of cats and dogs.

Visit Microsoft Research site to learn more about Asirra and try it out yourself how Asirra works.

Here is an extract from Microsoft Research site.

Asirra consists of two components:
A JavaScript client component that you add to your web page inside a form. Our code will add an Asirra challenge to your web page. If the challenge is solved correctly, the client code gets an Asirra Ticket from our server, and adds it to your form as a hidden input field.
A web service at Microsoft Research that your form processor should call each time a user form is submitted, to check that the ticket provided is valid.
The JavaScript works in all major browsers; it has been tested in IE6, IE7, Firefox 2, Safari, and Opera 9.

Don’t forget you are not just securing your web applications, but also you are helping those cute little animals to find their next owner and the home-sweet-home.

Windows Vista Harden Security (Part 3)

2007-03-30T03:52:00Z

Various Microsoft Windows Operating Systems support varieties of network authentication protocols, such as LM (LAN Manager), NTLM, NTLMv2 and Kerberos. The obvious thing is that the older OS won’t be able to use the newer and more secure authentication protocols such as NTLMv2 and Kerberos, unless they are upgraded with service packs, or patches (only if made available by Microsoft) to support the newer technologies.

The less obvious issue is that the newer operating system, especially Windows Vista, which we expect to be backward compatible with all the older and less secure authentication protocols, such as LM and NTLM. But that wasn’t the case with Windows Vista because Microsoft has decided to disable those protocols, by default, in view of reducing attack surface area in this release of Windows. Well, that’s expected as Microsoft is putting all the security best practices in place in their product development lifecycle.

So what is the problem? If you have any system or device, such as old Network Attached Storage (NAS) device, Macintosh, or Samba, that does not support NTLMv2, you cannot access to those file shares using Windows Vista, where you were able to do so in Windows XP.

The solution is fairly simple. We just need to configure Windows Vista local security policy to accept/response to LM and NTLM challenge. The default LAN Manager Authentication level in Windows XP is “Send LM & NTLM responses” but in Windows Vista, it has been defaulted to “Send NTMLv2 response only”, thus, denying access to the systems that do not support NTLMv2 authentication challenge. Follow the below steps to configure Windows Vista Local Security Policy to response to LM and NTLM.

Go to Start Menu, and type secpol.msc in the Start Search and press <ENTER>.
There might be an UAC elevation prompt. Just allow the action and proceed with the next step.
Under Security Settings in Local Security Policy Editor, expand Local Policies, select Security Options.
In the right pane, double-click on the setting “Network Security: LAN Manager authentication level”
Set its value to “Send NTLM response only” or even lower if necessary (at your own discretion).
Click OK and run gpupdate command to refresh the new configured security policy.

After the refresh, you should be able to connect to your NAS devices, Mac OS or Samba share folders with no difficulty.

Here is an alternative solution to those who can't get their hands on secpol.msc (Vista Home Basic/Premium users), but this solution involves risk as you will need to edit registry value directly.

Launch "Registry Editor" (regedit.exe)
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Create DWORD registry value and name it "LMCompatibilityLevel"
Set its value to 2 (Send NTML response only) or lower 1/0 (again at your own discretion)
Quit the Registry Editor

More information on LMCompatibilityLevel values, check out the below links.

http://support.microsoft.com/kb/239869

http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/

Windows Vista Harden Security (Part 2)

2007-03-29T15:22:00Z

If you are using Windows Vista as your primary operating system, you are likely to encounter problem in accessing some SSL enabled sites, which you have been surfing smoothly using Windows XP in the past. Internet Explorer 7 in Windows Vista will simply throw an error message saying "Internet Explorer cannot display the webpage” when you browse to certain HTTPS URLs. I am NOT talking about the warning of an un-trusted or an expired certificate. If you encounter this problem before, you know how frustrating you can get. ;)

To understand this problem, let's start with the fundamentals of SSL communication.

SSL communication starts with a simple handshake between server and client, in which, asymmetric encryption is used to exchange symmetric encryption key or also known as session key. Session key is used in subsequent communication between client and server to encrypt and sign the HTTP packets. SSL has been evolved over many versions, starting from 1.0, then 2.0 and now we have SSL 3.0 as well as TLS 1.0, also known as SSL/TLS. Both SSL 3.0 (http://home.netscape.com/eng/ssl3/draft302.txt), and TLS 1.0 (RFC2246) with INTERNET-DRAFT allow different asymmetric / symmetric encryption and hashing algorithm to be used within SSL/TLS session.

In Windows Vista operating system, cipher suites – pre-defined combination of encryption and hashing algorithm use for SSL communication, that uses DES encryption are disabled by default, thus, browsing to SSL sites which supports only DES encryption will result in the above-mentioned error.

The ideal solution would be to reconfigure the web site to support other encryption algorithm such as AES, or 3DES other than the DES. But unfortunately, we won’t have much say over how the web server is setup or being configured, and hence, the only workaround is to configure our Windows Vista to support DES encryption over SSL/TLS communication till the SSL site is updated to use other algorithms.

To enable DES support for SSL/TLS in Windows Vista, try the following steps at your own discretion.

Go to Start Menu, and type gpedit.msc in the Start Search and press <ENTER>.
There might be an UAC elevation prompt. Just allow the action and proceed with the next step.
Under Computer Configuration in Group Policy Object Editor, expand Administrative Templates, expand Network, expand SSL Configuration Settings, and then double-click SSL Cipher Suite Order.
Select Enable and append “TLS_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,” at the beginning of the pre-populated string value. Beware of the ending comma and there should not be any embedded space inside the string.
Click OK and restart your computer. (Note: gpupdate command will update the Group Policy settings but reconfiguration of SChannel.dll requires restart.)

Here is an alternative solution to those who can't get their hands on gpedit.msc (Vista Home Basic/Premium users), but this solution involves risk as you will need to edit registry value directly.

Launch "Registry Editor" (regedit.exe)
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\
Configuration\SSL\00010002
(If the key does not exist, you will have to create accordingly)
Create String registry value and name it "Functions"
Set its value to
"TLS_RSA_WITH_DES_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_RC4_128_MD5,
SSL_CK_RC4_128_WITH_MD5,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA"
(There should not be any line break nor embeded space)
Quit the Registry Editor and restart the system

If you trust me , you can download the attachment from this post and apply the registry patch. That would be the easiest way.

After the restart, you should be able to happily browse the SSL sites which you were not able to do so in Windows Vista.

References:
http://support.microsoft.com/kb/929708
http://support.microsoft.com/kb/245030

This is the price you have to pay for more secure operating system.

TechEd SEA 2007 is coming back!

2007-03-16T18:37:00Z

TechEd SEA 2007 is back again! Make yourself available from 11th Sept 2007 to 13th Sept 2007. Yes, this event will again be traditionally hosted in Kuala Lumpur, Malaysia. What can you expect this time round?

· You can update yourself with newly released products such as Windows Vista, Exchange Server 2007, ASP.NET AJAX, and the 2007 release of Microsoft Office along with content about upcoming releases such as Windows Server code name "Longhorn"

· You can choose from 6 technical tracks with more than 100 breakout sessions

· You can experience 120 Hands-on Labs & Instructor-Led Labs at more than 100 stations

· You can meet 2,000 IT pros and developers with 2,000 opinions to consider

· You can mix around with Microsoft product team members and industry gurus

Early bird registration price is RM599.

Crystal Edge Sdn Bhd. will be providing all official registration services just as last year event. Here are the contact details:

Event Email: techedsea@crystaledge.net
Malaysia Telephone: +60 (3)-7958 5155
Malaysia Fax: +60 (3)-7954 4037
Office Hours: Monday till Friday 9:00am - 5:00pm (GMT+08:00) Kuala Lumpur

Official TechEd SEA 2007 site: http://www.microsoft.com/malaysia/techedsea2007/

Multiple Network Adapters May Cause Socket Operation Failure

2007-03-16T16:42:00Z

This applies to .NET Framework 1.1. If your computer has multiple network adapters resulting in more than 50 network bound protocols, you will receive error while trying to perform network operations, directly or indirectly, using System.Net.Socket class, such as consuming XML web services.

My personal experience was quite frustrating. I was trying to add Web Reference in Visual Studio 2003 by entering the web service Url, but it took a very long time and the control didn't return to Visual Studio 2003. After waited for some time, I decided to manually stop the operation.

And I tried to use wsdl.exe to generate proxy class and I got this exception.

Unhandled Exception: System.TypeInitializationException: The type initializer for "System.Net.Sockets.Socket" threw an exception. ---> System.Net.Sockets.SocketException: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full at System.Net.Sockets.Socket.InitializeSockets() at System.Net.Sockets.Socket..cctor()

After some googling, I managed to find the solution to my problem. Multiple network adapters with more than 50 protocol bindings (I didn't actually count them though) were causing the unpatched .NET Framework 1.1 to throw the above exception. I immediately uninstalled some unused adpaters (of course temporarily). I tried again and finally managed to get it work.

For more information, check out the site below.

http://support.microsoft.com/kb/815209

http://support.microsoft.com/kb/826757

Happy patching...

Multiple (SSL) Web Sites in IIS (Part 2)

2007-01-22T09:01:00Z

Stop! Have you read my previous post on “Multiple Web Sites in IIS – Part 1”? If you have not, I strongly recommend that you spend some time reading my previous post.

As I’ve discussed in my previous post, you can configure IIS to host multiple web sites in varieties of techniques. The next thing you might want to do is to configure SSL on those web sites.

If you are using unique IP addresses for each web site, you can have port 443, default SSL port, for all the web sites at the cost of maintaining and securing multiple IP addresses on the server.

If you are using a single shared IP address, then you will have to configure different SSL ports on each web site, which will result in unfriendly URL addresses, such as “https://www.maungphyo.com:444/default.aspx”.

If you are not keen in managing multi-home web server, or dislike the idea of having unfriendly URL addresses, the last implementation technique you can depend on is to use custom host headers. But how? If you go to Web Site Properties dialog and click on “Advanced” button on “Web Site” tab, you will instantly realize that there is no place for you to configure custom host header for SSL bindings.

You can configure custom host header for SSL bindings only using command line tool (technically speaking, it is the script file provided with default IIS installation), or other tools such as Metabase Explorer from IIS Resource Kit.

Here is the procedure for enabling custom host headers in SSL sites.

1) Firstly, find out the Metabase Path of the site to be configured. "iisweb.vbs" is in %SystemRoot%\System32.

C:\>iisweb.vbs /query

For instance, metabase path for “Default Web Site” is “W3SVC/1”.

2) Navigate to folder where the Visual Basic admin scripts are stored.

C:\>CD\Inetpub\AdminScripts

3) Set the metabase property “SecureBindings” using “AdsUtil.vbs” to any desired value. Take note of the starting character “:”.

C:\Inetpub\ AdminScripts>AdsUtil.vbs SET W3SVC/1/SecureBindings “:443:www.maungphyo.com”

4) You can repeat it for all the sites, using the default SSL port 443 with different custom host headers.

Just remember one thing, on Windows Server 2003 with Service Pack 1, you will need to add all the custom host headers to “BackConnectionHostNames” registry key in order to work with Integrated Windows Authentication on those host headers enable site. Read my previous post "IIS Security Enhancement in Windows Server 2003 SP1"on this issue.

Good luck!

Orcas January 2007 CTP (Installable Bit)

2007-01-13T03:53:00Z

I am not really a big fan of virtualization technologies and I have been waiting for the installable bit of Visual Studio codename 'Orcas'. Yes! Finally...

I am very glad to see Microsoft has released installable bit of the next version of Visual Studio codename 'Orcas' together with the usual Virtual PC image release.

Installable Bit download: http://www.microsoft.com/downloads/details.aspx?FamilyID=69055927-458B-4129-9047-FCC4FACAE96C&displaylang=en

Virtual PC Image download: http://www.microsoft.com/downloads/details.aspx?FamilyId=1FF0B35D-0C4A-40B4-915A-5331E11C39E6&displaylang=en

Above are the links for the public downloads which are divided into multiple parts for your own convenience. The filenames says it is Dec2006 CTP although the heading clearly stated that it is January 2007. But who cares...

Multiple Web Sites in IIS (Part 1)

2007-01-03T10:34:00Z

Microsoft Internet Information Services can be configured to host multiple web sites. I knew everybody knew this.

So why am I wasting my time writing this? Or why should you waste your time reading this? Well... I am just trying to make sure that you are ready for my Part 2, in which I will be discussing multiple SSL sites configuration on the same server. You should read this to understand the basics before proceeding to part 2.

Multiple web sites can be hosted in IIS using one of the following techniques.

1) Using a single IP address with different port numbers assigned to each site, meaning that you can only have one site running with the default TCP port 80. Other sites using non-default port will have to be accessed using unfriendly URLs, such as http://www.mydomain.com:70. Another drawback of this technique is that it violates the security best practices as your firewall will be required to allow all the incoming traffics for all the ports that are used by your server. To implement this technique, assign an unique port number to each site in the Web Site Properties dialog.

2) Another technique is to use multiple IP addresses with different sites running on the default port. Firstly, you will need to configure your server with multiple IP addresses in Network Connection properties. Then, assign an unique IP address to each site in the Web Site Properties dialog. Managing of multiple addresses allocation for the server requires additional administrative task. The more IP addresses the server is allocated, the larger is the attack surface, thus, it is not recommended (by me ). Furthermore, if you are using public IP addresses, you will have to waste additional IP addresses for the server.

3) The last one is my favorite as we can use a single IP address and yet all the sites running with the default TCP port 80. All we need is to configure an unique host header for each site. Click "Advanced..." button on Web Site Properties dialog to configure host header for each site. You will just need to register multiple host records in the DNS server to map all the host names to the same IP address. But using this technique will have an issue using Integrated Windows Authentication on the web site due to Windows Server 2003 Service Pack 1 enhancement. I have posted something on IIS Security Enhancement in Windows Server 2003 Service Pack 1 for your reference.

Try these out and see which one best fits your requirements!

Stay tuned for Part 2 on which I will be discussing the options to host multiple SSL sites on the same IIS server.

IIS Security Enhancement in Windows Server 2003 SP1

2007-01-03T09:35:00Z

Ever wonder why Integrated Windows Authentication (IWA) does not work or stops working for custom host header enabled sites after installing Windows Server 2003 Service Pack 1?

You have ensured that you did include the site URL in the Local Intranet site list in your browser configuration and yet it still doesn't work!!!

Keep receiving HTTP error 401.1 even if you typed in the correct user name and password when prompted?

IWA will not be successful on custom host header enabled sites due to the loopback check security feature of Windows Server 2003 SP 1. Worry not! Check out this must-to-read Knowledge Base article for more details. http://support.microsoft.com/kb/896861.

Remember one thing before you try the trick. Back up your registry .

DevCon2006 Slide Deck (VSTO 2005 Second Edition)

2006-12-27T16:58:00Z

Attached is the deck for Visual Studio Tools for Office session, which I presented in DevCon2006, organized by SgDotNet committee for student community.

Guess what! The attached PDF file is generated using Microsoft Office 2007 add-on "Save as PDF". Pretty cool!

In the past, I used to export the slides as pictures and inserted them into Word document for distribution because I don't have PDF writer software. That was not productive at all as I have to manually export and paste them into the document. But with this new trick, I can easily convert my decks into PDF files in a few clicks, and most importantly the quality is beyond my expectation.

Here is the link for the add-on.

http://www.microsoft.com/downloads/details.aspx?FamilyId=4D951911-3E7E-4AE6-B059-A2E79ED87041&displaylang=en

Are you an Accountant?

2006-12-04T14:10:00Z

Setting up a business/company? Looking for an Accountant?

Okay, okay... I am not talking about jobs and recruitments, or even business partnership.

If you are looking for some user-friendly tools and mostly importantly FREE stuffs, here is the deal.

Microsoft offers FREE (no strings attached) licensed software, Microsoft Office Accounting Express 2007, for managing accounts for companies. This one requires .NET Framework 2.0, which is installed automatically as part of the package if you do not have it yet. If you intend to store data locally rather than using it as a client to connect to a centralized database, then SQL Express is required and it will be installed automatically, too.

The download is about 208MB. Here is the link.
http://www.ideawins.com/

For those who are professional accountants, you may consider the real deal. Check it out what you are missing in Microsoft Accounting Express 2007 as compared to Microsoft Accounting Professional 2007.
http://office.microsoft.com/en-us/accountingexpress/FX102097791033.aspx

Enough! Time for me to go and learn accounting concepts from the finance team, so that I can play with this FREE toy.