ASP.NET VERSIONS: ALL
Web Security Snippets
Three Hot Topics
By Don Kiely
This month I've had security on my mind a lot, mostly stuff that bothers me. Here are three topics that are important in the Microsoft world of Web security:
- How Microsoft views the important principle of least privilege,
- Problems trying to crank down security in Internet Explorer, and
- The illusion of security when you use secret questions in case a user forgets a password.
Microsoft and Least Privilege
Microsoft has added what appears to be the first of a series of articles about least privilege to its TechNet site (http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx). This is great; the more people read about it, the more they'll be encouraged to go with it.
But the first article is totally lame. Here are the sections:
- The Security Principle of Least Privilege
- Issues When Running with LUA
- Secure Your Systems with LUA
- Moving Forward
Sounds reasonable, eh? Except that each section has only two or three short paragraphs of bland generalities. The only practical information in the article is a link to Aaron Margosis's least privilege blog (http://blogs.msdn.com/aaron%5Fmargosis/), which, alas, he hasn't posted to much since early September.
Up to the last section, the article is tolerable; although it's light on details, it's fine for awareness.
Where it really gets dodgy is in the last section, "Moving Forward." After a summary it states, "Future articles about LUA will focus on the experience in the Longhorn release of Windows and beyond." (The emphasis is mine.) Sigh. So basically, what the article says is that you, dear Windows user, are out of luck for now, but as soon as we release the next version and you upgrade, all will be stellar. Apparently the TechNet folks see no reason to provide any help with coping with today's security threats today, but just can't wait to get us upgraded to the next version.
That is, if the least privilege features of Longhorn don't join the many others that have been cut.
Irony of IE Security
I use Firefox for virtually all of my Web browsing. The only time I knowingly use IE is when I'm going to a site that only works with IE and I really, really want what the site has, or when I'm going to most Microsoft sites.
Because I don't use IE much, I cranked the security level for the Internet zone up to High. Why take chances?
The problem is that I need to poke holes in IE's security to do things on Microsoft's Web sites. For example, at High I can't download files. Well, right now I need to grab a fresh copy of MSDE SP3a, so I have to allow downloads. I could use Firefox to get to the MSDN Universal downloads site, but the treeview list on the left, which is very long and always takes a minute or two to load, can't be collapsed. This makes it very hard and time consuming to find what I want, even when I know the broad category of the item.
Oops! The treeview must be an ActiveX control or some other dynamic widget, because with security set to High it doesn't collapse in IE either. So I have to open another hole in IE, the biggest, nastiest of all: ActiveX controls and scripting. Now the problem is that there are so many ActiveX and scripting options under Tools | Internet Options | Security that I have to experiment to find which ones form the magic elixir that lets me have a decent experience with the MSDN download site. And then that magic combination will only work for this part of the site. And if I'm paranoid and ask to be prompted, I have to answer yes to a gajillion dialog boxes that say that scripting is usually safe and do I want to run it on this page, particularly on Microsoft's rich, dynamic sites.
Maybe it's time to take a closer look at Michael Howard's article, "Browsing the Web and Reading E-mail Safely as an Administrator."
Or, I can just go back to High security in IE and use Firefox, which doesn't use ActiveX at all. Done.
Secret Questions = Insecure Site
Do you know how some Web sites try to give users a hand when they forget their password? Usually it's a secret question of the form "What is your mother's maiden name?" or "What are the last four digits of your Social Security number?" I'm particularly fond of the fact that the financial institutions I deal with favor these two questions, which rely on information that is painfully easy for anyone to find out about me. I'm sure that I'm not alone in claiming many different surnames for my mother, in a lame attempt to make this charade a bit more secure. Sorry, Mom!
Mark Burnett has a short and very interesting article about this subject, "Using Secret Questions," over on the Open Web Application Security Project site (http://www.owasp.org/index.jsp), a project that I'm starting to pay closer attention to these days because of its good information about Web security.
In short, secret questions are virtually always far less secure than passwords, providing an easy end-run around a site's authentication procedures. Use them with care, and avoid sites that ask for who Mom grew up as!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.