Software and web application security

September 16, 2007

IIS7 security guide

Filed under: IIS7, security — chrisweber @ 12:26 pm

To understand the main concepts that will affect host and application security in IIS 7.0, I've done some research and compiled a small paper. This should help break the ice and give security consultants like myself, developers, and architects a quick view into some of the important security concepts around configuration and development in IIS7.

ETA 1 day.

September 14, 2007

BitLocker setup process almost complete

Filed under: general, security — chrisweber @ 3:04 pm

Okay, it's on. I ran the preparation tool fine, rebooted, and turned BitLocker on (the TPM was already on via the BIOS). The TPM ownership password was set during TPM initialization, which I might change later, but there's not much point now. I set the PIN I'll use to boot up the computer and copied the Recovery Key to a USB drive. The Recovery Key is useful if the computer has problems and I need to move the drive to a new machine.

All in all, so far it's smooth. The drive is currently encrypting, which takes a while: at about 11% one hour later. I have a 7200 rpm 200 GB drive. Even unallocated space gets encrypted, but they've optimized performance in that area – http://blogs.technet.com/bitlocker/

BitLocker on Vista – speed, performance, review

Filed under: general, security — chrisweber @ 12:51 pm

I've been running 64-bit Vista for a few weeks now; my reliability score's pretty low (lots of red balls and app crashes). But things overall seem pretty normal and fast. Running on a ThinkPad T61.

I didn't prepare for BitLocker though, having only created a single huge partition. Luckily the BitLocker Drive Preparation Tool handles this. As I'm writing, it just finished preparation – it took some free space from C: and created an S: partition of 1.5 GB, which will be the active partition. Hopefully I'll reboot and things will work.

I'm interested in BitLocker's effect on speed and performance. So I've created a few informal tests to time things, though I expect the difference to be low – as the product team says, it's in the single-digit percentages.

September 30, 2006

ViewStateUserKey to prevent XSRF (CSRF or cross-site request forgery) in ASP.NET

Filed under: security, web apps — chrisweber @ 1:59 pm

ViewStateUserKey has been around for many years and is an easy mitigation for the infamous XSRF, or cross-site request forgery, class of attack on ASP.NET Web Forms pages. Two caveats: it only does anything when ViewState MAC validation is enabled, because the key is checked as part of the MAC, and it only protects postbacks that carry ViewState. State-changing actions driven by a plain GET request get no protection from it and need a separate anti-forgery token.

It’s documented:

http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx

ViewStateUserKey mitigates XSRF by folding a per-user value (typically the session ID) into the ViewState MAC. A ViewState blob the attacker captured or crafted in their own session then fails MAC validation when the victim's browser submits it, because the victim's session carries a different key. The property must be assigned in Page_Init (or OnInit), before ViewState is loaded; assigning it later raises an exception.

Microsoft added this protection when it identified the "one-click attack", which is now more commonly referred to as XSRF, so it has been available for many years.
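As an added example (not code from the original post), here is a base page class that binds ViewState to the current session with ViewStateUserKey, refuses to run with MAC validation disabled, and handles one gotcha the post does not mention: ASP.NET hands out a fresh SessionID on every request until something is stored in the session, so a key set to an empty session's ID would not match on the postback. It assumes an ASP.NET Web Forms application with session state enabled; the class name SecurePage and the session key "__vsuk_anchor" are hypothetical names chosen for illustration.

```csharp
// Added example, not code from the original post. Assumes an ASP.NET Web Forms
// application with session state enabled. SecurePage and "__vsuk_anchor" are
// hypothetical names used only for illustration.
using System;
using System.Web;
using System.Web.UI;

public class SecurePage : Page
{
    // Hypothetical key whose only job is to make the session "used" so that
    // ASP.NET stops regenerating the SessionID on each request.
    private const string SessionAnchorKey = "__vsuk_anchor";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // ViewStateUserKey is mixed into the ViewState MAC. With MAC
        // validation off the key is never checked, so refuse to run that way
        // rather than silently shipping an unprotected page.
        if (!EnableViewStateMac)
        {
            throw new InvalidOperationException(
                "ViewStateUserKey requires EnableViewStateMac=true to have any effect.");
        }

        // HttpContext.Session is null when no session state module is active;
        // without a session there is nothing user-specific to bind to.
        if (Context.Session == null)
        {
            throw new InvalidOperationException(
                "Session state is required to bind ViewState to a user.");
        }

        // Until a value is stored, ASP.NET issues a new SessionID per request,
        // which would make the key differ between render and postback. Store a
        // marker once so the ID (and therefore the key) is stable.
        if (Session[SessionAnchorKey] == null)
        {
            Session[SessionAnchorKey] = DateTime.UtcNow;
        }

        // Must happen during Init, before LoadViewState runs; assigning the
        // property any later throws an exception.
        ViewStateUserKey = Session.SessionID;
    }
}
```

Pages that derive from SecurePage instead of System.Web.UI.Page get the binding automatically. Keep `enableViewStateMac="true"` in the `<pages>` element of web.config (it is the default, and the check above catches a page-level override); this still leaves GET-driven state changes unprotected, so those need their own anti-forgery token.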

Blog at WordPress.com.