Sunday, November 27, 2011

Insecure Security

Your password must be at least 12 characters, and include capital and lowercase, numbers, and punctuation marks.  It cannot be any of your last 10 passwords.  Also, you must change it every 10 days.
And, since we all have online accounts at 25 or more websites, all with different password strength requirements, that means that most of us either...
  • program our browsers to remember our passwords
  • create a text document to keep all our passwords
  • or, write them on a sticky note and paste them all over our desk.
Now, many sites are actively seeking to defeat password memory by waiting 1 second and blanking the login fields, just in case you programmed your browser to remember it.

Why?  Clearly this can't be in the name of security, because you're forcing everyone to make records of their passwords.  A password like grommet would be adequate for most web sites.  It just doesn't make any sense to force people to use passwords like L9We&$KjU88.  That is a GUARANTEED breach of security policy because the user is going to write it down somewhere.

Designers take heed.  Let the users determine what passwords are secure enough.  Other than banking and medical stuff, there is nothing requiring this strong a password.

...


Bryan Valencia is a contributing editor and founder of Visual Studio Journey.  He owns and operates Software Services, a web design and hosting company in Manteca, California.

Tuesday, November 22, 2011

Reinstalling the .NET Framework on a WebServer: No Picnic


Windows SBS 2003 used as a webserver.


Ok, I was getting the same Autoupdate from Windows Update every day, so I posted a question about it, and was advised to reinstall the .NET Framework as something had become banjaxed.

I put this off, because installing the .NET Framework (3 versions of it) had initially taken me hours.  But, being sick of the repeated updates, I finally scheduled maintenance time and went for it.

Here is the procedure that eventually worked for me to get from point A to point A (as it turns out), eating more than an entire day in the process.

Uninstall
According to Microsoft, the .NET Frameworks must be uninstalled in order; I had to guess that meant 4.0, 3.5, 2.0.  This process was handled easily from the Add/Remove Programs window, even though there are numerous blog posts out there claiming that this does not work and that some other program does it better. Regardless, here is the sequence I used.
  1. Open C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322 and edit MACHINE.CONFIG. Capture the username and password, if any, in the <processModel> node.
  2. Open C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 and edit MACHINE.CONFIG. Capture the username and password, if any, in the <processModel> node.
  3. Open C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319 and edit MACHINE.CONFIG. Capture the username and password, if any, in the <processModel> node.
  4. Stop IIS
  5. Uninstall 4.0
  6. Uninstall 3.5
  7. Uninstall 2.0
  8. Reboot

Download and Install
Make sure when you download the new versions that you get the FULL .NET Framework, not the "client" ones.
NOTE THAT THIS PROCESS TAKES MANY HOURS (around 12) TO COMPLETE
  1. Install 2.0
  2. Install 3.5 --This is exceedingly slow
  3. Install 4.0 --less slow than 3.5, but still... bring a book.
  4. Reboot.
  5. Let Windows Update install all its patches. This takes a couple of hours, as the 'full installs' of the .NET Framework are not the latest and need lots of patches.

Re-register

Use this rereg.bat file to re-register all the .NET Frameworks.
This may need to be adjusted as more frameworks come out.




This will mean you must re-enable the frameworks.
Open IIS manager, and look in Web Service Extensions.
Make sure to re-enable all the frameworks.

Now all your web sites are back, but they all give "Server Application Unavailable" errors.

This is because you need to re-grant your aspnet worker processes access to the server, which is off by default.  Last time this happened, you created an ASPNET user and granted him access to do his job, because some nutjob at Microsoft decided that not allowing the webserver to do anything would be more secure.

Navigate to C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322 and edit MACHINE.CONFIG.
Around line 633 there is a line that looks like this: make sure the user is valid.

userName="[user]" - Windows user to run the process as.
      Special users: "SYSTEM": run as localsystem (high privilege admin) account.
      "machine": run as low privilege user account named "ASPNET".
      Other users: If domain is not specified, current machine name is assumed to be the domain name.

Next, Navigate to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 and edit MACHINE.CONFIG.

Around line 135 there should be a line that starts with <processModel . Make it say this...

<processModel userName="ASPUSER" password="whatever" />

... of course use the password you used to create the account.

Then go to C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319 and do the same; the <processModel line is around line 250.

Yes, I left out 3.0 and 3.5, as they do not have a machine.config file.

Use IISRESET or just reboot the server to complete the task.
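The steps above leave an account password in cleartext in each MACHINE.CONFIG, so it is worth knowing exactly which files carry one. The following is an added example, not code from the original post: a small C# auditor that reports `<processModel>` entries with a literal password or a SYSTEM identity. The class name and the embedded sample XML are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Linq;

static class ProcessModelAudit
{
    // Constructed sample shaped like the <processModel> line in the post.
    const string Sample = @"<configuration>
  <!-- userName=""[user]"" - documentation comments like this are ignored -->
  <system.web>
    <processModel userName=""ASPUSER"" password=""whatever"" />
  </system.web>
</configuration>";

    // One finding per risky <processModel> setting; the password itself is never echoed.
    public static List<string> Audit(string label, string xml)
    {
        var findings = new List<string>();
        var nodes = XDocument.Parse(xml).Descendants()
                             .Where(e => e.Name.LocalName == "processModel");
        foreach (var pm in nodes)
        {
            string user = (string)pm.Attribute("userName") ?? "(not set)";
            string pw = (string)pm.Attribute("password") ?? "";
            // "AutoGenerate" is the stock value for the built-in accounts; a value
            // starting with "registry:" refers to a registry-stored credential, not a literal.
            bool literal = pw.Length > 0
                && !pw.Equals("AutoGenerate", StringComparison.OrdinalIgnoreCase)
                && !pw.StartsWith("registry:", StringComparison.OrdinalIgnoreCase);
            if (literal)
                findings.Add(label + ": cleartext password stored for userName=" + user);
            if (user.Equals("SYSTEM", StringComparison.OrdinalIgnoreCase))
                findings.Add(label + ": worker process runs as SYSTEM");
        }
        return findings;
    }

    static void Main(string[] args)
    {
        var inputs = new Dictionary<string, string>();
        if (args.Length == 0) inputs["sample"] = Sample;
        foreach (var path in args) inputs[path] = File.ReadAllText(path);
        foreach (var kv in inputs)
            foreach (var finding in Audit(kv.Key, kv.Value))
                Console.WriteLine(finding);
    }
}
```

Run it with no arguments to audit the embedded sample, or pass the three MACHINE.CONFIG paths listed above to audit the real files.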

...
In my case, I still get the repeated update requests (hence the 'point A to point A' comment), but I figured there are legitimate reasons to reinstall the framework and others might get caught in this horrible trap.  Hopefully this will save you some aneurysms.


Saturday, November 19, 2011

Using Return Values From Stored Procedures in C#.NET

Ok, let's say you have a stored procedure that returns a value.


Now let's say you want to test it in SQL Server Management Studio...


This gives us a value of 1, as expected.

Now if we want to call this from C#, there is a little trick we have to play with Parameters.


Note the trick we had to play here (line 19) to access the return value after the procedure runs.  At first, I tried using:
i=myCommand.ExecuteNonQuery();
...but that always yielded a value of -1.
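
An added example of the parameter technique described above (not the original listing from this post): the RETURN value is read through a parameter whose direction is `ReturnValue`, while `ExecuteNonQuery()` only reports rows affected. The procedure `dbo.ReturnsOne`, the class and method names, and the caller-supplied connection string are assumptions; running it requires a reachable SQL Server.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ReturnValueDemo
{
    // Assumed procedure (hypothetical, created by you beforehand):
    //   CREATE PROCEDURE dbo.ReturnsOne AS BEGIN SET NOCOUNT ON; RETURN 1; END
    public static int CallForReturnValue(string connectionString, string procName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(procName, conn))
        {
            // StoredProcedure mode sends an RPC call, not concatenated SQL text.
            cmd.CommandType = CommandType.StoredProcedure;

            // The RETURN value travels back in a parameter with Direction = ReturnValue.
            SqlParameter ret = cmd.Parameters.Add("@RETURN_VALUE", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;

            conn.Open();
            // ExecuteNonQuery reports rows affected (-1 when no count is available),
            // so its result is ignored here.
            cmd.ExecuteNonQuery();
            return Convert.ToInt32(ret.Value);
        }
    }

    static void Main(string[] args)
    {
        // args[0]: connection string, args[1]: procedure name, e.g. dbo.ReturnsOne
        Console.WriteLine(CallForReturnValue(args[0], args[1]));
    }
}
```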


