Scott Hanselman

Windows Server 2003, and something called...being a Security Expert

March 3, '03 Comments [2] Posted in Web Services | ASP.NET
Sponsored By

Windows Server 2003, and something called security.

I must admit, the Microsoft security push is more than just marketing mojo.  Take a look at Windows Server 2003. 

  • There are over 20 services that are not started by default. 
  • IIS isn't installed by default (a good thing). 
  • When you install IIS, front page server extensions aren't installed by default. 
  • IIS6 has been recompiled with the /GS switch to prevent many buffer overrun attacks. (ok, it makes me a little uncomfortable to hear MS say "we've prevented buffer overruns that we don't even know are there!", but it's still better than no /GS)
  • Web sites run as Network Service by default (including ASP.NET web sites), and Network Service has pretty restricted permissions.
  • No network authentication for accounts with blank passwords.
  • MS stopped production for 2 months, examined every single line of code, and documented and fixed a bunch of threats.

[Sean 'Early' Campbell & Scott 'Adopter' Swigart's Radio Weblog]

I'm a huge MSFT fan, and I'm very excited about Windows Server 2003.  But for it to be truly secure, to the point where I can use it in a financial arena, it still needs a Security Expert to lock it down and really harden it.  It's not completely locked down by default.  This is why we need to be completely aware of what it does and doesn't do.  And certainly the same goes for Linux.  Linux is fairly locked down to start, but it depends on the distro. 

Here are just a few things to think about removing or locking down on a Windows Server 2003 default install.  I want people to go into this with their eyes OPEN.   We have extensive security lock-down checklists, and a team of specialists (I mean that they live and breathe this), as everyone should have for every OS within their company. 

This is only about 5% of the things that we do to truly lock down a Windows Server 2003 box for hosting a Web Application:

  • Remove SMTP service
  • Remove Update Root Certificates
  • Disable Alerter
  • Disable Application Layer Gateway Service
  • Disable Automatic Updates (I'm surprised that someone let that go in enabled!)
  • Disable Computer Browser
  • Disable File Replication
  • Disable Help and Support
  • Disable Indexing
  • Disable Messenger
  • Disable Remote Registry
  • Disable Volume Shadow Copy
  • Disable Windows Audio
  • Disable Windows Image Acquisition (what were they thinking for a Server OS?)
  • Disable Wireless Configuration
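An added example, not from the post: a PowerShell audit of the services in the list above, keyed on the display names as the post gives them (SMTP and Update Root Certificates are Windows components rather than services, so they are left to Add/Remove Windows Components). The startup mode is read through WMI so it works on Windows PowerShell versions that predate the StartType property; -Fix applies the lock-down.

```powershell
# Added example (not from the post). Reports every listed service that is not
# both Disabled and stopped; -Fix disables and stops it. Requires admin rights.
param([switch]$Fix)

# Display names as written in the post; wildcards cover minor naming variants.
$targets = @(
    'Alerter', 'Application Layer Gateway Service', 'Automatic Updates',
    'Computer Browser', 'File Replication*', 'Help and Support',
    'Indexing Service', 'Messenger', 'Remote Registry', 'Volume Shadow Copy',
    'Windows Audio', 'Windows Image Acquisition*', 'Wireless Configuration'
)

foreach ($name in $targets) {
    # -DisplayName accepts wildcards; a service that is not installed yields nothing
    $found = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $found) { Write-Output "MISSING  $name (not installed on this host)"; continue }
    foreach ($svc in $found) {
        # Win32_Service.StartMode is Auto, Manual or Disabled on every Windows PowerShell version
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
        if ($mode -eq 'Disabled' -and $svc.Status -ne 'Running') {
            Write-Output "OK       $($svc.DisplayName)"
            continue
        }
        Write-Output "EXPOSED  $($svc.DisplayName) [$($svc.Name)] start=$mode status=$($svc.Status)"
        if ($Fix) {
            Set-Service -Name $svc.Name -StartupType Disabled
            if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        }
    }
}
```

Run it without -Fix first and keep the EXPOSED lines as the record of what the default install left running.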

No doubt, Windows Server 2003 ships more locked down than Windows 2000, but don't let yourself get lulled into a sense of security.  You can't just install and go.  Slammer was a perfect example that the software is only 1% of it, and the other 99% is knowing how to configure and update it. 

Eyes open my friends!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Changing the HTML editor used by the Edit button on the IE Toolbar

March 2, '03 Comments [1] Posted in Web Services | Tools


I was asked by my good friend Adam Cogan from down-under how to change the HTML Editor that Internet Explorer uses for the Edit Button in the Toolbar. 

It seems that the list is the same as the one you get when you right-click the file in Windows Explorer and select "Open With" (see image below).   More details on adding HTML editors (or any editors, for that matter) are at MSDN's Internet Explorer Client Registry Layout, also included below.

(image: ieeditbutton.JPG)

Adding HTML Editors

The steps for adding HTML editors to the drop-down list on the Programs tab of the Internet Options dialog box in Internet Explorer 5 and later are slightly different than the steps for adding client applications like mail and news.

  1. Register the friendly name of the HTML editor by adding a new key to HKEY_CLASSES_ROOT\.htm\OpenWithList.
    HKEY_CLASSES_ROOT\.htm\OpenWithList\friendly name
  2. Add shell, edit, and command keys to the editor's registry entry.
    HKEY_CLASSES_ROOT\.htm\OpenWithList\friendly name\shell\edit\command
  3. Enter the fully formed path of the .exe file that launches the editor in the command key's "Value data" field. Enclose the path in quotes if it contains spaces. The following example shows the Value data entry for a typical installation of FrontPage Express. Include %1 as a parameter. This parameter refers to the file name of the active Web page.
    "c:\program files\microsoft front page express\bin\fpxpress.exe %1"
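An added example, not from the post or from MSDN: PowerShell that walks the OpenWithList layout described above to show which executables the Edit button can launch, flags command values that are unquoted with spaces in the path, live outside Program Files, or point at a missing file, and registers a new editor following the same three steps. Registry::HKEY_CLASSES_ROOT is used because PowerShell has no HKCR: drive by default; Get-HtmEditors and Add-HtmEditor are names chosen here.

```powershell
# Added example (not from the post or MSDN). Audits and extends
# HKEY_CLASSES_ROOT\.htm\OpenWithList\<friendly name>\shell\edit\command.
$base = 'Registry::HKEY_CLASSES_ROOT\.htm\OpenWithList'

function Get-HtmEditors {
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = Join-Path $_.PSPath 'shell\edit\command'
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $cmd) { return }
        # The executable is the first quoted token, else everything up to the first .exe
        if ($cmd -match '^"([^"]+)"')        { $exe = $matches[1]; $quoted = $true }
        elseif ($cmd -match '^(.+?\.exe)\b') { $exe = $matches[1]; $quoted = $false }
        else { $exe = ($cmd -split '\s+')[0]; $quoted = $false }
        # MSDN's own example puts %1 inside the quotes; strip it before testing the file
        $exe = $exe -replace '\s+%1$', ''
        $warn = @()
        if (-not $quoted -and $exe -match '\s') { $warn += 'unquoted path with spaces' }
        if ($exe -notmatch '^[A-Za-z]:\\Program Files') { $warn += 'outside Program Files' }
        if (-not (Test-Path -LiteralPath $exe)) { $warn += 'executable not found' }
        New-Object PSObject -Property @{
            FriendlyName = $_.PSChildName; Command = $cmd
            Executable = $exe; Warnings = ($warn -join '; ')
        }
    }
}

function Add-HtmEditor([string]$FriendlyName, [string]$ExePath) {
    # Steps 1-3 above in one go; -Force creates the intermediate keys. Needs admin rights.
    $key = New-Item -Path (Join-Path $base "$FriendlyName\shell\edit\command") -Force
    # Quote the path and %1 separately so a path with spaces is never split apart
    Set-ItemProperty -Path $key.PSPath -Name '(default)' -Value ('"{0}" "%1"' -f $ExePath)
}

Get-HtmEditors | Format-Table FriendlyName, Executable, Warnings -AutoSize
```

Anything reported as "outside Program Files" or "executable not found" is worth a look, since whatever that value names runs with the user's rights whenever the Edit button is used.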


The erosion of society and Internet as society's desperate attempt at a Virtual Third Place

February 28, '03 Comments [0] Posted in Musings

The social scientist Ray Oldenburg talks about how humans need a third place, besides work and home, to meet with friends, have a beer, discuss the events of the day, and enjoy some human interaction. Coffee shops, bars, hair salons, beer gardens, pool halls, clubs, and other hangouts are as vital as factories, schools and apartments ["The Great Good Place", 1989]. But capitalist society has been eroding those third places, and society is left impoverished. In "Bowling Alone," Robert Putnam brings forth, in riveting and well-documented detail, reams of evidence that American society has all but lost its third places. Over the last 25 years, Americans "belong to fewer organizations that meet, know our neighbors less, meet with friends less frequently, and even socialize with our families less often." [2000] For too many people, life consists of going to work, then going home and watching TV. Work-TV-Sleep-Work-TV-Sleep. It seems to me that the phenomenon is far more acute among software developers, especially in places like Silicon Valley and the suburbs of Seattle. People graduate from college, move across country to a new place where they don't know anyone, and end up working 12 hour days basically out of loneliness.

So it's no surprise that so many programmers, desperate for a little human contact, flock to online communities - chat rooms, discussion forums, open source projects, and Ultima Online. In creating community software, we are, to some extent, trying to create a third place. And like any other architecture project, the design decisions we make are crucial. Make a bar too loud, and people won't be able to have conversations. That makes for a very different kind of place than a coffee shop. Make a coffee shop without very many chairs, as Starbucks does, and people will carry their coffee back to their lonely rooms, instead of staying around and socializing like they do in the fantasy TV coffeehouse of "Friends," a program we watch because an ersatz third place is less painful than none at all. [Joel on Software]

All I have to say is wow.  I think it will take a while for me to digest this.  It's yet another of those "doh" moments from Joel when he's expressed something that's obvious, but unsaid.   Sure, we talk about the decline of family values, and that people just aren't "as nice" these days; but when I think back to the "third places" that were mine...small sub shops owned by friends, non-Starbucks coffee houses, greasy spoons, etc...they've all slowly been pushed out by Subway, Starbucks, and IHOP. 

I can really start to understand why someone who feels marginalized by society (re: nerds, geeks, wonks, dweebs) would flock to the Dark Side - the ease of a chat room, compared to the comparative difficulty of a dance club or bar. 

Also, once one has started working 12 hours a day, sometimes it's all the energy one can muster to come home and receive your daily dose of "programming" from the idiot box (which apparently is officially the MOST PASSIVE thing possible...it uses less energy than sleep!)  I don't think I watch THAT much TV, but then again, there's three different Law and Order series on TV right now, and with the help of my ReplayTV I don't think my wife and I have missed one in a while...I'll need to work on that...maybe go see what this "outside world" everyone is talking about has to offer...


Time to get on the bus...

February 28, '03 Comments [0] Posted in Web Services | XML

I've seen the future and it will be.

InfoPath may become for XML, what the Basic language was and is for binary stuff. 

Thinking that technical knowledge about all the odd stuff around angle brackets and infosets alone will remain to be a sufficient foundation for a career or even a whole business may be as fatal as thinking in the 1980's that your x86 assembly skills will be enough to support your family for the next 30 years. It works for a few, it won't work for most. Ladies and Gents, it seems like XML is growing up and is getting all dressed up for prime time -- get over it. [Clemens Vasters]


.NET Rocks! - The Internet Audio Talk Show for .NET Developers (Scott Hanselman)

February 27, '03 Comments [0] Posted in Web Services

I had the good fortune this evening to talk to my friend and fellow RD Carl Franklin, and I'm featured in an audio interview on his very popular Internet Audio Talk Show for .NET Developers - .NET Rocks.

Check out my interview for the Week of March 3, 2003 in both Windows Media (WMA) and MP3 formats at Franklins.NET Rocks!


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.