Disabling Weak Ciphers

This week I disabled weak ciphers on our production web server. This vulnerability was escalated again this last week. This vulnerability exists when your server allows communication using SSL version 2. Less than six months ago it was identified and classified as a low risk. SSLV2 is obsolete and is not available in some of the newer browsers. Most new browsers use SSLV3 by default and it is my best guess that no customer is using SSLV2. A quick survey showed that most of the major ecommerce sites do not allow SSLV2. Despite the survey my boss was reluctant to turn off SSLV2. That was solved when the PCI folks mandated that SSLV2 should not be allowed. This may sound cruel but if a customer is using a really old browser that only supports SSLV2, they must update to a new browser if they want to buy stuff off of the Internet. That's just the way it is.

Here is a good resource describing the problem and how to harden a variety of web servers, “WebApp Sec: RE: SSL Ciphers”. Since I was primarily interested in IIS I used “How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll” and created a registry file to apply the changes. Here is the registry file I used. It works with all of the browsers I test with. Both Foundstone SSL Digger and our PCI scan folks like the results.

REGEDIT4

; "Enabled"=0 under these keys turns the algorithm or protocol off for every
; Schannel consumer on the box, IIS included; reboot for the change to take effect.

; Weak ciphers: NULL (no encryption), single DES, RC2, and the 40/56-bit
; export-strength RC4 suites.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

; Obsolete protocols: PCT 1.0 and SSL 2.0, disabled for both the client and
; the server role.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
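To confirm what the registry file actually changed (and what it left at the Windows default), here is a PowerShell audit script. It is an added example, not part of the original post. The SCHANNEL path is the one the .reg file uses; the list of protocol and cipher key names to check is an assumption that deliberately goes beyond the entries the file disables, adding SSL 3.0, the TLS versions and the stronger ciphers, so the report shows the whole Schannel picture rather than only the keys that were written.

```powershell
# Added example (not from the original post): report the Enabled state of the
# Schannel protocol and cipher keys. Key names beyond those in the .reg file
# above are assumptions included so the report covers everything Schannel offers.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$ciphers   = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
             'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
             'Triple DES 168', 'AES 128/128', 'AES 256/256'

function Get-SchannelState {
    param([string]$SubKey)
    # Use the .NET registry API rather than the HKLM: drive: cipher key names
    # such as "RC4 40/128" contain a "/", which the PowerShell registry
    # provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return 'default (key absent)' }
    try {
        $enabled = $key.GetValue('Enabled')
        if ($null -eq $enabled) { return 'default (no Enabled value)' }
        # Schannel treats 0 as disabled and any non-zero value (usually
        # 0xffffffff, which reads back as -1) as enabled.
        if ($enabled -eq 0) { return 'DISABLED' }
        return 'enabled'
    } finally {
        $key.Close()
    }
}

'--- Protocols ---'
foreach ($p in $protocols) {
    foreach ($role in 'Server', 'Client') {
        '{0,-8} {1,-7} {2}' -f $p, $role, (Get-SchannelState "Protocols\$p\$role")
    }
}
'--- Ciphers ---'
foreach ($c in $ciphers) {
    '{0,-15} {1}' -f $c, (Get-SchannelState "Ciphers\$c")
}
```

A "default" result means the key or value is absent and Schannel falls back to the built-in setting for that Windows version, so the same output can mean "on" on one release and "off" on another; the only state the file guarantees is an explicit DISABLED. Run it again after the reboot the .reg import needs, and keep the external check (SSL Digger or the PCI scan) as the final word, since it exercises the handshake rather than the registry.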

Quick Picks and Pans: Right Click Menu

The folks at MakeUseOf.com have a nice article on Right-Click Menu utilities, 3 More Tools to Bring Power to the Right Click Menu (Windows). One of the tasks I perform often is changing folders so any improvement in this area is always appreciated. I had been using QTAddressBar to quickly change between folders. It looks like Vista but the process of selecting the target folder is slower than the standard address bar. So I uninstalled it and replaced it with the first utility mentioned in the article, FolderGuide. FolderGuide looks intuitive and quick. It looks like a winner for me.

System.Management.Automation.dll missing?

Recently I have been playing around with Windows PowerShell. I had this desire to synchronize the date modified field between identical files in two directories. A while back I had created a repository with the copied code and during the copy the date modified had been set on all of the files to the current date. Since I am working on “other people’s code” the date the code was last modified is a helpful clue in troubleshooting. Now I wanted the repository to show the correct “old” date and this looked like a good way to write my first PowerShell script. The script objective is pretty simple. For every file in my source directory I wanted to update the date modified field in my target directory with the date modified if the date modified field in the target directory is less than my cut off date. The cut off date is the date I created the repository. So if a file has not been changed since the cut off date I wanted to set it to the original date modified. After a few fumbles I got it to work. Now I can change the date modified back to the original value for the unchanged files in the directory.

Then I started thinking about comparing directories and MD5 hash files. I knew my source and target directories were good matches since WinMerge told me but I was curious whether PowerShell natively supported MD5 hashes. After a little searching I found this post by Bart about creating a file hasher cmdlet. This was interesting and looked like a very short task so I tried to create my first cmdlet. The instructions were simple but I fumbled over a lot of minor issues.

  1. You need to set the execution policy. I set my code signing to RemoteSigned.
  2. You need to compile the cmdlet.
  3. You need to create/modify your profile.ps1 so you can use it every time you get into PowerShell.

The hardest one of these tasks was the second task. Trying to find the System.Management.Automation.dll took me on a wild goose chase. I knew it was probably on my machine but I could not find it. When I gave up looking for it and tried to download the Windows SDK 2008, the download barfed on me. Finally I found Raj’s post about viewing the GAC. This confirmed that the System.Management.Automation.dll was in the GAC on my machine. To make things very simple I copied the file to my PowerShell default directory and compiled the cmdlet. Later I found this recommendation by Oisin Grehan in a Vista forum in which he says since it is in the GAC, the compiler will find it without any fancy path statements.

csc.exe cmdlet.cs … /r:System.Management.Automation.dll

Re: System.Management.Automation.dll missing? – Vista Forums

I tried it and it did not work. I was able to compile using a reference to the actual GAC location. So if we combine this all together we get something like this. You execute these statements inside PowerShell.

$ref = "$env:windir\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
$compiler = "$env:windir/Microsoft.NET/Framework/v2.0.50727/csc"
&$compiler /target:library /r:$ref hashcmdlet.cs

I had to install the plugin outside of PowerShell with:
%windir%\Microsoft.NET\Framework\v2.0.50727\installutil -i hashcmdlet.dll

Finally I had to create a profile.ps1 in the PowerShell directory to load the snap-in and extend the type system every time you get into PowerShell. This post was a great help. This is so Unix it makes me chuckle! I have not figured out what I am going to do with this new found knowledge but I learned a lot about creating custom cmdlets and it was fun!
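The two tasks in this post, restoring the original date modified on unchanged copies and hashing files, can be done together without a compiled cmdlet. The script below is an added example, not the script from the post: it hashes each file under a source tree and its counterpart under the target tree with the .NET HashAlgorithm classes (available to PowerShell 1.0 and 2.0, which have no Get-FileHash), and where the bytes are identical it copies the source file's LastWriteTime back onto the target. Because identical content proves the copy is unchanged, the hash comparison replaces the cut-off-date test. The directory paths and the choice of MD5 as the default algorithm are assumptions.

```powershell
# Added example, not the original post's script. Compare two directory trees
# by content hash and restore LastWriteTime on unchanged copies.
# $Source and $Target are assumed paths; override them on the command line.
param(
    [string]$Source    = 'C:\code\original',
    [string]$Target    = 'C:\code\repository',
    [string]$Algorithm = 'MD5',   # the post asks about MD5; use 'SHA256' where
                                  # someone could plant a colliding file
    [switch]$DryRun               # report only, change nothing
)

function Get-ContentHash {
    param([string]$Path, [string]$Algorithm)
    # .NET crypto classes, so no snap-in or csc.exe is needed
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $hasher.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
    } finally {
        $stream.Close()
        $hasher.Clear()
    }
}

$srcRoot  = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
$tgtRoot  = (Get-Item -LiteralPath $Target).FullName.TrimEnd('\')
$restored = 0

# Where-Object filter instead of -File so the script also runs on PowerShell 1.0/2.0
foreach ($src in Get-ChildItem -LiteralPath $srcRoot -Recurse | Where-Object { -not $_.PSIsContainer }) {
    $relative = $src.FullName.Substring($srcRoot.Length + 1)
    $tgtPath  = Join-Path $tgtRoot $relative
    if (-not (Test-Path -LiteralPath $tgtPath)) {
        "MISSING   $relative"
        continue
    }
    $tgt = Get-Item -LiteralPath $tgtPath
    if ((Get-ContentHash $src.FullName $Algorithm) -ne (Get-ContentHash $tgt.FullName $Algorithm)) {
        "MODIFIED  $relative"     # edited since the copy: leave its timestamp alone
        continue
    }
    if ($tgt.LastWriteTime -ne $src.LastWriteTime) {
        "RESTORE   $relative  $($tgt.LastWriteTime) -> $($src.LastWriteTime)"
        if (-not $DryRun) { $tgt.LastWriteTime = $src.LastWriteTime }
        $restored++
    }
}
"$restored timestamp(s) restored"
```

Run it once with -DryRun to see the MISSING, MODIFIED and RESTORE lines before letting it touch anything. Files that exist only in the target are not reported; add a second pass over $tgtRoot if you need that direction too.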


Frequently Forgotten Fundamental Facts about Software Engineering

Here are some jewels about Software Engineering that are worth reviewing. I recommend the rest of the article. It’s an oldie but goody!

Recently I have been doing a lot of work deciphering “other people’s code”. I would say the largest part of the work has been in error detection and removal. Even a seemingly comprehensive test plan does not make me terribly confident. I have been humbled by logic problems and faulty design requirements too many times.

Reliability

RE1. Error detection and removal accounts for roughly 40 percent of development costs. Thus it is the most important phase of the development life cycle.

RE2. There are certain kinds of software errors that most programmers make frequently. These include off-by-one indexing, definition or reference inconsistency, and omitting deep design details. That is why, for example, N-version programming, which attempts to create multiple diverse solutions through multiple programmers, can never completely achieve its promise.

RE3. Software that a typical programmer believes to be thoroughly tested has often had only about 55 to 60 percent of its logic paths executed. Automated support, such as coverage analyzers, can raise that to roughly 85 to 90 percent. Testing at the 100-percent level is nearly impossible.

RE4. Even if 100-percent test coverage (see RE3) were possible, that criteria would be insufficient for testing. Roughly 35 percent of software defects emerge from missing logic paths, and another 40 percent are from the execution of a unique combination of logic paths. They will not be caught by 100-percent coverage (100-percent coverage can, therefore, potentially detect only about 25 percent of the errors!).

RE5. There is no single best approach to software error removal. A combination of several approaches, such as inspections and several kinds of testing and fault tolerance, is necessary.

RE6. (corollary to RE5) Software will always contain residual defects, after even the most rigorous error removal. The goal is to minimize the number and especially the severity of those defects.

Frequently Forgotten Fundamental Facts about Software Engineering

How do I run sp_spaceused for all tables in a database? – TechNet Forums

I was looking for a way to list the size of all the tables in database again and I found this nice bit of code. I made a small change on the select statement to create a calculated integer field so I could get a nice descending sort on size. It worked for me!

select 'Database Name: ', db_name()

set nocount on

if object_id('tempdb..##tmp') is not null
    drop table ##tmp

-- one row per table, in the column order sp_spaceused returns
create table ##tmp(nam nvarchar(128), [rows] int, res varchar(18), data varchar(18), ind_sze varchar(18), unsed varchar(18))

go

declare @tblname nvarchar(261)

-- schema-qualify the name so sp_spaceused also finds tables outside dbo
declare tblname CURSOR for
    select quotename(schema_name(schema_id)) + '.' + quotename(name) from sys.tables

open tblname

Fetch next from tblname into @tblname

WHILE @@FETCH_STATUS = 0
    BEGIN
    insert into ##tmp
    exec sp_spaceused @tblname
    FETCH NEXT FROM tblname INTO @tblname
    END

CLOSE tblname

deallocate tblname

go

select
    nam Table_Name
    ,[rows] Total_Rows
    ,res Total_Table_Size
    ,data Data_size
    ,ind_sze Index_Size
    ,unsed Unused_Space
    -- strip the ' KB' suffix so the sort is numeric rather than alphabetical
    ,CAST(replace(res,'KB','') as bigint) as Total_Table_Size_KB
from ##tmp
ORDER BY Total_Table_Size_KB desc

drop table ##tmp

–Vidhya Saga

How do I run sp_spaceused for all tables in a database? – TechNet Forums