Archive for June, 2009

IT Infrastructure Threat Modeling Guide

June 22nd, 2009 Comments off

The IT Infrastructure Threat Modeling Guide is now available.
Organizations today face an increasing number of threats to their computing environments. You need a proactive approach to assist you in your efforts to protect your organization’s assets…

Categories: Compliance, Risk Management, SA

Microsoft Security Advisory (969898): Update Rollup for ActiveX Kill Bits – Version: 1.1

Revision Note: V1.1 (June 17, 2009): Added an entry to Frequently Asked Questions to communicate that for the purpose of automatic updating, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (950760) that is described in Microsoft Security Bulletin MS08-032.
Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.


Microsoft Security Advisory (960715): Update Rollup for ActiveX Kill Bits – Version: 1.2

Revision Note: V1.2 (June 17, 2009): Added an entry to Frequently Asked Questions to communicate that for the purpose of automatic updating, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (950760) that is described in Microsoft Security Bulletin MS08-032.
Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.


Microsoft Security Advisory (956391): Update Rollup for ActiveX Kill Bits – Version: 1.3

Revision Note: V1.3 (June 17, 2009): Added an entry to Frequently Asked Questions to communicate that for the purpose of automatic updating, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (950760) that is described in Microsoft Security Bulletin MS08-032.
Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.


Secure online photo sharing with Windows Home Server and Community Add-Ins

June 17th, 2009 No comments

Don’t you love to share your photos with your friends and family? Those great shots of your little kids wearing their strained carrots, or a picture of your daughter’s first formal dance; it’s through images that we graphically share the highs and lows of our most personal lives. With Windows Home Server you can easily create a private online photo sharing experience for only those individuals you permit, while still being accessible over the internet.


When you connect a Windows Home Server to an online photo sharing site like Flickr, it gets even more interesting. We know that for many Windows Home Server users, securely storing and sharing photos online is a main reason for purchasing a server in the first place. Add to that the robust developer community add-ins: Ed Holloway’s Photosync for Windows Home Server, which automatically syncs the contents of your Photos folder on the Windows Home Server to Flickr; Doug Barrett’s WebGuide, which enables you to remotely access, listen to, watch and stream the music, photos and videos stored on your home server while away from home; and Andrew Grant’s Whiist, which allows you to create and manage web content on your Windows Home Server.


I’m a social networking geek these days (Facebook, LinkedIn, Twitter) and I blog about our cycling epics and Windows Home Server, yet I am very hesitant to share truly personal photos, especially group photos, using the current publicly available online tools. I value my privacy and want to respect the privacy of my friends by not sharing photos or videos of them in a way that might make them uncomfortable, now or in the future.


It’s amazing how much information is shared across the web, and photos are a means of visual sharing. These days social networking and online photo sharing sites like Facebook, Flickr, Photobucket and SmugMug, to name a few, allow us to share our photos with our friends, and potentially the world, with a few clicks of a mouse. These sites do a great job and provide a community gathering place for those interested in visually exploring the world around them. For an in-depth look at the online photo sharing ecosystem, including analysis of the various services, check out Wikipedia, cnet Online digital photo printing & sharing and Lifehacker’s review of the Five Best Photo Sharing Sites.


I mentioned my cycling epics earlier; this past year I spent 2 weeks riding our tandem down the Pacific coast with 28 other folks from all over North America to raise funds for the American Lung Association. Before the trip I knew only one individual; afterwards we were all fast friends who now keep in touch regularly over Facebook and email. Over the course of the trip, as the miles passed, we all unwound, and the ensuing antics of the trip were dutifully recorded by multiple cameras, including some video footage of the best dances, camping mornings and late night cribbage games.


After the trip we all wanted to check out the photos from the other riders, especially the dancing. However, as many of the riders are in the legal profession, it was important to ensure security for many of the pictures, especially the really good stuff; yet we wanted to make it possible for all of the riders to access the photos online. The answer to our dilemma was the Windows Home Server and its remote access and shared folder features.


Specifically, we created one photo album (folder), and its link and password were sent out to the participants. This enabled them to use the web to connect to the remote Windows Home Server and access that one online photo album, while the rest of the information on the server stayed private. We also leveraged the Photosync add-in to share specific photos with the masses on Flickr.


With Windows Home Server we were able to collect hundreds of photos of the trip in a private, password protected online location. By allowing each rider to upload their photos, sharing became a breeze. Each photo is available online to anyone with a web browser and the proper permissions. Permissions are simple to set and can be revised at any time by the Windows Home Server administrator (probably you). This enabled our entire cycling crew to share the experience all over again whenever they want. In addition, with add-ins like Whiist and WebGuide we were able to create a more robust viewing experience.


For families, hobby organizations, sports teams, vacation buddies or conference attendees, any time privacy matters, Windows Home Server is your online photo sharing solution. It provides a secure location for private online photo sharing in addition to robust image-based backup software. There are alternatives to public websites; why take the chance with a public solution when Windows Home Server can create a private community where you can share photos, videos and files with your friends and family?


Moira

Office Integration with MOSS and ADFS

June 16th, 2009 No comments

Previously, Office integration with SharePoint secured by forms based authentication was not possible. The new ability of the Office client applications in Office 2007 SP2 to perform a forms login helps to solve this problem. You will need to install this post-SP2 fix on your client machines to gain this functionality. What is needed in conjunction with it is a means to send an authentication prompt to the Office client if the login cookie doesn’t exist or has expired. The Identity Management team at Microsoft, in conjunction with the Microsoft Office team, has developed an HttpModule for SharePoint that does just that. The HttpModule is available as a source code sample download from this blog.


You will need to compile the source to a DLL and then install it to the GAC on the SharePoint front end servers.


To compile you will need Microsoft Visual C# 2008 Express edition.


You can download Microsoft Visual C# 2008 Express edition from http://www.microsoft.com/express/download/#webInstall


a. Extract the code sample locally, for example to c:\Patch
b. Open Microsoft Visual C# 2008
c. From the menu options select File / Open Project and browse to the file c:\Patch\retail\AdfsHttpModule.sln
d. Next, select Build from the menu options
e. When prompted for a password, type "password"
f. By default the built DLL is placed in c:\Patch\release\release\bin


To install the compiled DLL to the GAC, use the GACUTIL application. GACUTIL can be obtained by installing the .NET Framework 2.0 SDK.


The command to install it would be:


GACUTIL /i adfsfba.dll


Next, make the following changes to SharePoint:


1. Go to Central Administration, click the Application Management tab, and click the Authentication Providers link.
2. In the Web Applications drop-down list, select the Web application that contains a forms authentication zone, and then click the link for the zone that is configured to use forms authentication.
3. On the Settings page for the zone, select the Enable anonymous access check box, and then set Enable Client Integration? to Yes.


Note: Selecting the Enable anonymous access check box does not, by itself, grant anonymous access to any content in the Web application. However, it is needed to enable the Office client applications to gather enough information about the site to display the logon window.


4.    Edit the web.config file as follows on each front end Web server in the farm for the zone that is secured with ADFS:


a. Add the entry for the HttpModule code sample after the ADFS module. You should see an existing entry such as the following.

<add
  name="Identity Federation Services Application Authentication Module"
  type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null"
/>


b. Add the following entry immediately after the existing entry.

<add
  name="ADFS Module for Office Forms Based Auth"
  type="ADFSFBA.ADFSFBAHttpModule, ADFSFBA, Version=1.0.0.0, Culture=neutral, PublicKeyToken=083ff59054782422, Custom=null"
/>


c. Add the usettp element in the websso section, as follows.

<websso>
  <usettp enabled="false"/>
</websso>


After you complete these steps, you can use the Office client in a nearly seamless, integrated experience with SharePoint Server. The authentication prompts for an ADFS-secured site can be further reduced by adding the site for the account logon service (FS-A) to the Local Intranet Zone in Internet Explorer.



release.zip
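The post ships the HttpModule only as a download and does not show its source, so the following is an added illustration of the mechanism it describes, not the ADFSFBA module itself. It shows how an IHttpModule registered after the ADFS module can notice that a request arrived without a valid login cookie and prompt an Office client to log on. It assumes the MS-OFBA header convention that Office 2007 SP2 and later clients use (request header X-FORMS_BASED_AUTH_ACCEPTED: t; response HTTP 403 carrying X-FORMS_BASED_AUTH_REQUIRED and X-FORMS_BASED_AUTH_RETURN_URL); the class name, the logon page path /_layouts/login.aspx, the ReturnUrl parameter name and the dialog size are assumptions of this example.

```csharp
using System;
using System.Web;

// Added illustration of the mechanism the post describes; this is NOT the ADFSFBA
// module that ships in the post's download, whose source is not shown on the page.
// It runs after the ADFS WebSsoAuthenticationModule (registered ahead of it in
// web.config) has tried to authenticate the request from its login cookie. If that
// left the request unauthenticated (cookie missing or expired) and the caller is an
// Office client that announced MS-OFBA support, the module answers 403 with the
// X-FORMS_BASED_AUTH_* headers so the client opens its logon window. Ordinary
// browsers never send the accepted header and are left to the usual ADFS redirect.
public class OfficeFormsAuthPromptModule : IHttpModule
{
    // Assumptions: the forms logon page of the ADFS zone and its return-URL parameter.
    private const string LogonPagePath = "/_layouts/login.aspx";
    private const string ReturnUrlParameter = "ReturnUrl";

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest: the ADFS module has already run, so
        // context.User reflects whether a valid login cookie was presented.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose()
    {
    }

    // Decision kept free of HttpContext so it can be unit tested in isolation.
    public static bool NeedsOfficeLogonPrompt(bool isAuthenticated, string ofbaAcceptedHeader)
    {
        if (isAuthenticated)
        {
            return false; // valid cookie: let the request through untouched
        }
        // Office 2007 SP2+ clients send "X-FORMS_BASED_AUTH_ACCEPTED: t" when they
        // can display a forms logon window; anything else is not an OFBA client.
        return string.Equals(ofbaAcceptedHeader, "t", StringComparison.OrdinalIgnoreCase);
    }

    private void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        bool authenticated = ctx.User != null
            && ctx.User.Identity != null
            && ctx.User.Identity.IsAuthenticated;
        string accepted = ctx.Request.Headers["X-FORMS_BASED_AUTH_ACCEPTED"];

        if (!NeedsOfficeLogonPrompt(authenticated, accepted))
        {
            return;
        }

        // The logon URL is built on this site's own scheme and host, and the return
        // URL is the resource that was requested, so no caller-supplied redirect
        // target has to be validated here.
        Uri requested = ctx.Request.Url;
        string returnUrl = requested.AbsoluteUri;
        string logonUrl = requested.GetLeftPart(UriPartial.Authority)
            + LogonPagePath + "?" + ReturnUrlParameter + "=" + HttpUtility.UrlEncode(returnUrl);

        ctx.Response.Clear();
        ctx.Response.StatusCode = 403;
        ctx.Response.AppendHeader("X-FORMS_BASED_AUTH_REQUIRED", logonUrl);
        ctx.Response.AppendHeader("X-FORMS_BASED_AUTH_RETURN_URL", returnUrl);
        ctx.Response.AppendHeader("X-FORMS_BASED_AUTH_DIALOG_SIZE", "800x600"); // assumed size
        // Finish the pipeline without the ThreadAbortException that Response.End() raises.
        app.CompleteRequest();
    }
}
```

Registering it takes a web.config entry of the same shape as the one in step 4b, with the type attribute naming this class and its assembly, placed after the ADFS module so that the authentication result is already known when it runs. Step 3's anonymous-access setting is still required, for the reason the post gives.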

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

June 11th, 2009 No comments

I’ve written twice (here and here) about the relationship between the “old” security event IDs (5xx-6xx) in WS03 and earlier versions of Windows and the “new” security event IDs (4xxx-5xxx) in Vista and beyond.


In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03.


The exceptions are the logon events. The logon success events (540, 528) were collapsed into a single event, 4624 (= 528 + 4096). The logon failure events (529-537, 539) were collapsed into a single event, 4625 (= 529 + 4096).


Other than that, there are cases where old events were deprecated (IPsec IIRC), and there are cases where new events were added (DS Change). These are all new instrumentation and there is no “mapping” possible; for example, the new DS Change audit events are complementary to the old DS Access events. They record something different than the old events, so you can’t say that the old event xxx = the new event yyy, because they aren’t equivalent. The old event means one thing and the new event means another thing; they represent different points of instrumentation in the OS, not just formatting changes in the event representation in the log.


Of course I explained earlier why we renumbered the events, and (in the same place) why the difference is “+4096” instead of something more human-friendly like “+1000”.  The bottom line is that the event schema is different, so by changing the event IDs (and not re-using any), we force existing automation to be updated rather than just misinterpreting events when the automation doesn’t know the version of Windows that produced the event.  We realized it would be painful but it is nowhere near as painful as if every event consumer had to be aware of, and have special casing for, pre-Vista events and post-Vista events with the same IDs but different schema.


So if you happen to know the pre-Vista security events, then you can quickly translate your existing knowledge to Vista by adding 4000, adding 100, and subtracting 4.  You can do this in your head.


However if you’re trying to implement some automation, you should avoid trying to make a chart with “<Vista” and “>=Vista” columns of event ID numbers, because this will likely result in mis-parsing one set of events, and because you’ll find it frustrating that there is not a 1:1 mapping (and in some cases no mapping at all).


Eric
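The translation the post describes, as an added example that is not Eric's own code: the +4096 shift, the collapsed logon events as explicit exceptions, a reverse lookup that returns a set because the mapping is not 1:1, and a normalizer that refuses to map a record whose producing Windows version is unknown. The 500-699 legacy range (read from the post's "5xx-6xx") and the sample records are assumptions; deprecated events are not enumerated.

```python
from collections import Counter
from typing import Optional

LEGACY_OFFSET = 4096  # EventID(WS03) + 4096 = EventID(WS08) for almost all events

# The documented exceptions: several legacy logon IDs collapse into one Vista+ ID.
LOGON_SUCCESS_LEGACY = frozenset({528, 540})               # -> 4624
LOGON_FAILURE_LEGACY = frozenset(range(529, 538)) | {539}  # 529-537, 539 -> 4625
COLLAPSED = {LOGON_SUCCESS_LEGACY: 4624, LOGON_FAILURE_LEGACY: 4625}

def legacy_to_modern(event_id: int) -> Optional[int]:
    """Translate a pre-Vista security event ID to its Vista+ ID (None if out of range).
    Assumes legacy security IDs lie in 500-699 (the post's "5xx-6xx"); deprecated
    events (IPsec, per the post) would need an explicit exclusion list not shown here."""
    for legacy_ids, modern_id in COLLAPSED.items():
        if event_id in legacy_ids:
            return modern_id
    if 500 <= event_id <= 699:
        return event_id + LEGACY_OFFSET
    return None

def modern_to_legacy(event_id: int) -> frozenset:
    """Reverse lookup returns a set because the mapping is not 1:1 (4624 came from
    both 528 and 540); an empty set means no legacy event maps to this ID."""
    for legacy_ids, modern_id in COLLAPSED.items():
        if event_id == modern_id:
            return legacy_ids
    candidate = event_id - LEGACY_OFFSET
    return frozenset({candidate}) if legacy_to_modern(candidate) == event_id else frozenset()

def normalize(record: dict) -> Optional[int]:
    """Normalize one record to a Vista+ ID. The producing OS must be known: without
    it the consumer would misinterpret events, which is what the post warns about."""
    os_version, event_id = record.get("os"), record["event_id"]
    if os_version == "pre-vista":
        return legacy_to_modern(event_id)
    if os_version == "vista+":
        return event_id
    return None  # producer version unknown: do not guess

# Constructed sample records from a mixed WS03/WS08 collection (not real logs).
SAMPLE = [
    {"os": "pre-vista", "event_id": 529}, {"os": "pre-vista", "event_id": 539},
    {"os": "pre-vista", "event_id": 540}, {"os": "vista+", "event_id": 4625},
    {"os": "pre-vista", "event_id": 538}, {"os": None, "event_id": 4624}]

def count_normalized(records: list) -> Counter:
    """Tally events by normalized ID so WS03 and WS08 logon failures count together."""
    return Counter(normalize(r) for r in records)
```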



Categories: Descriptions, Tips, Tools Tags:


Mark Russinovich on Windows 7 UAC

June 9th, 2009 No comments

User Account Control is one of those Windows features that evokes a number of different responses from folks. Most people appreciate the enhanced security UAC offers, but we did hear complaints about the high number of UAC prompts in Windows Vista. This led some customers to turn off UAC, which concerns us from a security perspective. So in Windows 7, we’ve given a great deal of thought to how we marry enhanced security with ease-of-use. We have written extensively about the changes in UAC for Windows 7 on the Engineering Windows 7 blog (Post 1, Post 2, Post 3, Post 4).

Now, Technical Fellow Mark Russinovich weighs in on UAC with some great insight on the technology and some of our motivations around the decisions we have made. Check out Inside User Account Control now available online from TechNet Magazine.

Categories: security, UAC, Windows 7, Windows Security Tags:
