Scott Hanselman

A series of new YouTube Videos - Please Subscribe

March 31, '20 Comments [4] Posted in Musings | Win10

Hey friends, in this time of remoteness, I've been making a lot more YouTube videos and they're pretty decent, IMHO. I'd love it if you'd subscribe, share them, and encourage your friends and colleagues to subscribe as well. Head over to https://youtube.com/shanselman and click Subscribe and then the BELL.

Here's just a taste of the kinds of videos I'm making. My main focus is How-To videos.

Scott's YouTube has a lot of interesting content

I'm enjoying doing videos on topics like:

If you have ideas for videos I can make that could help you out, please let me know in the comments! And subscribe!



About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


How to remote desktop fullscreen RDP with just SOME of your multiple monitors

March 26, '20 Comments [25] Posted in Win10

I saw this over on the Microsoft Remote Desktop Uservoice

Allow ability to choose subset of local monitors for RDP session (full screen)

Allow ability to select a subset of current monitors with full screen. Currently can choose all or 1 but cannot choose for instance 2 of 3 (full screen).

That seems useful, I wish it did that. I know about this checkbox that says "Use all my monitors" but I can't say just use 1 and 2 but not 3, right?

Remote Desktop

Turns out that you CAN span n monitors but it's just buried/internal and has no UI.

Save your RDP file, and open it in Notepad. Everyone's RDP file is different but yours may look like this:

full address:s:x.x.x.x:3389
prompt for credentials:i:1
administrative session:i:1
screen mode id:i:2
span monitors:i:1
use multimon:i:1
selectedmonitors:s:0,1

I can put on selectedmonitors:s:x,y and then use the zero-based numbers to indicate my monitors. To get a list of monitors, I can run mstsc /l to LIST out all my monitors on my machine. I can also use mstsc /multimon as a command line to use multiple monitors.

MSTSC /l showing a list of my monitors

So I set my selectedmonitors:s:0,1 to use my left and middle monitor and skip my right one.

In this picture, I'm RDP'ed into a remote Windows 10 machine in Azure on Monitors 1 and 2 while Monitor 3 is my local one.

RDP on 1,2 and 3 is my local one

Sweet.



Easily adding Security Headers to your ASP.NET Core web app and getting an A grade

March 24, '20 Comments [17] Posted in ASP.NET | Linux

Well that sucks.

Score of F on SecurityHeaders.com

That's my podcast website with an F rating from SecurityHeaders.com. What's the deal? I took care of this months ago!

Turns out, recently I moved from Windows to Linux on Azure.

If I am using IIS on Windows, I can (and did) make a section in my web.config that looks something like this.

Do note that I've added a few custom things and you'll want to make sure you DON'T just copy paste this. Make yours, yours.

Note that I've whitelisted a bunch of domains to make sure my site works. Also note that I have a number of "unsafe-inlines" that are not ideal.

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
        <add name="X-Xss-Protection" value="1; mode=block"/>
        <add name="X-Frame-Options" value="SAMEORIGIN"/>
        <add name="Content-Security-Policy" value="default-src https:; img-src * 'self' data: https:; style-src 'self' 'unsafe-inline' www.google.com platform.twitter.com cdn.syndication.twimg.com fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com cse.google.com cdn.syndication.twimg.com platform.twitter.com platform.instagram.com www.instagram.com cdn1.developermedia.com cdn2.developermedia.com apis.google.com www.googletagservices.com adservice.google.com securepubads.g.doubleclick.net ajax.aspnetcdn.com ssl.google-analytics.com az416426.vo.msecnd.net/;"/>
        <add name="Referrer-Policy" value="no-referrer-when-downgrade"/>
        <add name="Feature-Policy" value="geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';"/>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
...

But, if I'm NOT using IIS - meaning I'm running my ASP.NET app in a container or on Linux - this will be ignored. Since I recently moved to Linux, I assumed (my bad for no tests here) that it would just work.

My site is hosted on Azure App Service for Linux, so I want these headers to be output the same way. There are several great choices in the form of Open Source NuGet libraries to help. If I use the ASP.NET Core middleware pipeline then these headers will be output and work the SAME on both Windows AND Linux.

I'll be using the NWebsec Security Libraries for ASP.NET Core. They offer a simple fluent way to add the headers I want.

TO BE CLEAR: Yes I, or you, can add these headers manually with AddHeader but these simple libraries ensure that our commas and semicolons are correct. They also offer a strongly typed middleware that is fast and easy to use.

Taking the same web.config above and translating it to Startup.cs's Configure Pipeline with NWebSec looks like this:

app.UseHsts(options => options.MaxAge(days: 30));
app.UseXContentTypeOptions();
app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseXfo(options => options.SameOrigin());
app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade());

app.UseCsp(options => options
    .DefaultSources(s => s.Self()
        .CustomSources("data:")
        .CustomSources("https:"))
    .StyleSources(s => s.Self()
        .CustomSources("www.google.com","platform.twitter.com","cdn.syndication.twimg.com","fonts.googleapis.com")
        .UnsafeInline()
    )
    .ScriptSources(s => s.Self()
        .CustomSources("www.google.com","cse.google.com","cdn.syndication.twimg.com","platform.twitter.com" ... )
        .UnsafeInline()
        .UnsafeEval()
    )
);

There is one experimental HTTP header that NWebSec doesn't support (yet) called Feature-Policy. It's a way that your website can declare at the server-side "my site doesn't allow use of the webcam." That would prevent a bad guy from injecting local script that uses the webcam, or some other client-side feature.

I'll do it manually both to make the point that I can, but also that you aren't limited by your security library of choice.

NOTE: Another great security library is Andrew Lock's NetEscapades that includes Feature-Policy as well as some other great features.

Here's my single Middleware that just adds the Feature-Policy header to all responses.

//Feature-Policy
app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Feature-Policy", "geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';");
    await next.Invoke();
});

Now I'll commit, build, and deploy (all automatic for me using Azure DevOps) and scan the site again:

Score of A on SecurityHeaders.com

That was pretty straightforward and took less than an hour. Your mileage may vary but that's the general idea!
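
The failure described in this post was headers silently disappearing after a hosting change, with no test to catch it. As an added example (not code from the original post or from NWebsec), this Python check audits one response's headers against the set the post configures. The two header samples are constructed, and the HSTS threshold reuses the web.config's max-age as an assumed baseline.

```python
import re

# Headers the post's configuration sets, and the ones its web.config removes.
REQUIRED = ["strict-transport-security", "x-content-type-options", "x-frame-options",
            "content-security-policy", "referrer-policy", "feature-policy"]
REMOVED = ["x-powered-by", "x-aspnet-version", "server"]
MIN_HSTS_SECONDS = 31536000  # assumed baseline: max-age from the post's web.config


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_headers(raw_headers):
    """Return sorted findings for one response; header names are case-insensitive."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name not in headers]
    findings += [f"leaks {name}" for name in REMOVED if name in headers]
    hsts = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""), re.I)
    if hsts and int(hsts.group(1)) < MIN_HSTS_SECONDS:
        findings.append(f"hsts max-age {hsts.group(1)} below {MIN_HSTS_SECONDS}")
    for directive, sources in parse_csp(headers.get("content-security-policy", "")).items():
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"csp {directive} allows {weak}")
    return sorted(findings)


# Constructed samples: a host that ignores web.config, and abridged middleware output.
BEFORE = {"Content-Type": "text/html", "Server": "Kestrel"}
AFTER = {
    "Strict-Transport-Security": "max-age=2592000",  # 30 days, as in Startup.cs
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SameOrigin",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Feature-Policy": "geolocation 'none';camera 'none';microphone 'none'",
    "Content-Security-Policy": "default-src 'self' data: https:; style-src 'self' 'unsafe-inline';"
                               "script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com",
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(sample))
```

Run against the "after" sample, the audit reports the 30-day HSTS value as shorter than the web.config's one-year max-age, alongside the unsafe-inline and unsafe-eval sources the post already calls out.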



Windows Terminal 1.0 is coming - Update now and set up your split pane hotkeys!

March 20, '20 Comments [11] Posted in Win10

The Windows Terminal is free and in the Windows Store and you should go make sure you have the latest update. The v0.10 is out and it's got a number of lovely quality of life improvements, not the least of which is Mouse Support!

Mouse Support

What's that mean, doesn't it already support mice? This means Text-Mode mouse support. So your apps like tmux and Midnight Commander can receive and react to mouse events, even when you're ssh'ed in remotely! That's because it's using VT (virtual terminal) textual commands under the covers.

Mouse Support for text mode is super useful if you use apps like Midnight Commander under Linux, or if you split panes with tmux.

Split Pane

You can change Windows Terminal in any way with themes, colors, gifs, key bindings and more. Many of you use screen or tmux under Linux and you can and should do that.

Terminal also supports splitting natively and for any shell (remember terminal != console != shell) and they just added a lovely splitMode=duplicate that makes a copy of the shell/profile in focus.

NOTE: You might consider starting with a fresh profile if yours is getting out of control.

{
    "keys": ["ctrl+shift+d"],
    "command": {
        "action": "splitPane",
        "split": "auto",
        "splitMode": "duplicate"
    }
}

Here's my whole keybindings section right now, including the part above.

"keybindings": [
    {
        "command": "closeTab",
        "keys": ["ctrl+w"]
    },
    {
        "command": "newTab",
        "keys": ["ctrl+t"]
    },
    {
        "command": {
            "action": "splitPane",
            "split": "auto"
        },
        "keys": ["ctrl+|"]
    },
    {
        "keys": ["ctrl+shift+d"],
        "command": {
            "action": "splitPane",
            "split": "auto",
            "splitMode": "duplicate"
        }
    }
],

So I can split with ctrl+shift+d and get a copy of whatever is in front. I can use ctrl+| to get my default terminal, and I can use ctrl+shift+w to close the pane in focus, while ctrl+w closes the current tab. Yummy.

Currently, the Terminal team says they are fixing bugs to prepare for the release of v1. Windows Terminal v1 will be released in May!



Take Remote Worker/Educator webcam video calls to the next level with OBS, NDI Tools, and Elgato Stream Deck

March 17, '20 Comments [16] Posted in Remote Work

Changing cameras dynamically with OBS

Over the years I've collected a few webcams, some quality and some not. If you're interested in creating the ultimate remote worker webcam setup on a budget, I've written a blog post on the topic.

However, now that we are remote workers - my entire company has everyone working remotely until further notice - I've found that an extra webcam or two can really be helpful if I want to point a camera at something on my desk, or get a wider view, look at a whiteboard, etc.

Of course, you can always change video inputs in any application but there's that...pause...that...hang...that moment. You have to switch into your app's Device Settings, do the dropdown, switch, wait, and then you've changed the camera.

What if you could change cameras - scenes - like you were a movie director? But, you have minimal budget. What can you do for nothing or next to nothing? A lot.

What's the goal?

With minimal setup, you can feed all your webcams, your desktop itself, and really anything you can express as a 'scene' into a software video compositor and then output them as a virtual webcam.

Then you select and use that Virtual Webcam in your remote video conferencing tool of choice! The results are amazing.

Setup

First, get OBS and NDI Tools, specifically NDI Virtual Input.

  • OBS (Open Broadcaster Software) is free and open source software for video recording and live streaming.
  • NDI Tools and NDI Virtual Input.
    • This is a software package that creates a virtual camera input.
    • NDI Plugin for OBS: obs-ndi - This allows the OBS software to send its output to NDI, the virtual camera.
  • ALTERNATE:
    • You can avoid using NDI Tools (which is an extra hop) and use OBS-VirtualCam as a plugin instead. It will create a Virtual Camera locally and directly send 1080p video to a Virtual Cam called OBS-VirtualCam.
  • OPTIONAL: Elgato Stream Deck and the Stream Deck Software
    • They've got 6- and 15-key decks. They have full color LCD keys and you can make the icons look however you want. Ya, it's a portable hotkey button machine, but it's amazing. Note in the upper right corner of my Stream Deck I have three OBS buttons, one for each scene and the active one lights up. I've also made buttons to change my primary monitor's resolution. More on that in a future blog post. I've also got Elgato Stream Deck buttons to change my audio inputs and outputs as well, with a how-to.
      My Elgato Stream Deck
    • Don't want to buy a physical device? Use your phone as a Stream Deck with Stream Deck Mobile
    • You could also buy Touch Portal for about $12 and use any old Android phone you have laying around as a remote control for this purpose!

Install these three things and run OBS. When you run OBS after installing the NDI plugin, you'll need to go to Tools, NDI Output Settings and select Main Output. Leave OBS running.

NDI Output Settings in OBS

Then run Virtual Input and right click on it in your tray (near the clock) and set its output to your computer name | OBS. Mine is IRONHEART in the picture below. If you see None, you likely don't have OBS running.

Taking output from OBS and feeding it into Virtual Input

Define your Scenes. Scenes are a collection of sources.

Add and name a scene, then add a Video Capture Device for your camera. I also like to set the Resolution manually.

BRIO 1080p in OBS

I made one Fullscreen Scene per webcam, and one for my desktop that also includes my camera in PIP in the corner.

NOTE: If you're a teacher, perhaps you share just your lesson plans or browser window and yourself in video another way. You can be split screen, pip, or whatever makes you happy! Your scenes can be as complex as you'd like and include lesson plans, links, resources, and more!

PIP inside OBS

To review:

  • OBS is a compositor that feeds into
  • NDI Virtual Input
  • And Scenes can be changed dynamically (see animation at top of this post) by a Stream Deck, hotkey, or Stream Deck Mobile
  • Select "NewTek NDI Video" as your webcam in Teams or Skype or Zoom!

At this point you can change camera angles and select scenes when you're on a call! The transitions will be instant and smooth for your viewers. This also works great for workshops and teachers teaching classes!

Thanks Jeff Fritz for your help with this! Do you have any OBS teams, dear reader?



Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.