Archive

Archive for February, 2010

NOW OPEN: Microsoft Security Compliance Manager version 1.0 Beta Review Program!

February 16th, 2010 No comments

The Solution Accelerators team is pleased to announce the beta release of Microsoft Security Compliance Manager version 1.0, an end-to-end Solution Accelerator to help you plan, deploy, operate, and manage your security baselines for Windows® client and…(read more)

Categories: Uncategorized Tags:

Silverlight 3.0 Datagrid – How to change a cell state?

February 13th, 2010 No comments

Hi, Syam Pinnaka here, Sr. SDE on the Infosec Tools team.

The Silverlight 3.0 DataGrid can be bound to any enumerable collection and will display its items as rows. If the collection is an ObservableCollection, a special Silverlight collection type, rows added to or removed from the collection are reflected in the grid, and edits made in the grid flow back to the bound objects through two-way bindings. We will discuss ObservableCollection in a separate post. In this post, let's see how to change the state of a DataGrid cell based on a condition. For example, say there are two DataGridCheckBoxColumn columns, and the first check box column needs to become read-only depending on the value of the second check box column.

We can accomplish this by handling DataGrid events such as BeginningEdit or CellEditEnded. In our example, we use BeginningEdit to check whether the cell being edited belongs to the first check box column and, if so, examine the state of the second check box to decide whether to allow the edit. Example code below.

#region selectUsersGrid_BeginningEdit
private void selectUsersGrid_BeginningEdit(object sender, DataGridBeginningEditEventArgs e)
{
    if (e.Column.DisplayIndex == 0) //First DataGridCheckBoxColumn
    {
        User u = e.Row.DataContext as User; //fetch the row data.
        //examine the second check box's data; refuse the edit if it is false
        //(the null check guards rows whose DataContext is not a User, e.g. the new-item row)
        if (u != null && u.IsMember == false)
        {
            e.Cancel = true;
        }
    }
}
#endregion

The same effect can be accomplished in other ways. For example, we can use CellEditEnded instead of BeginningEdit: when an edit to the second check box completes, check its new state and reset the first one when required. Example code below. Note that a change made to the bound object in code-behind only shows up in the grid if the object raises PropertyChanged (i.e. User implements INotifyPropertyChanged).

#region selectUsersGrid_CellEditEnded
private void selectUsersGrid_CellEditEnded(object sender, DataGridCellEditEndedEventArgs e)
{
    if (e.Column.DisplayIndex == 1) //Second check box state changed.
    {
        User u = e.Row.DataContext as User; //fetch the row data
        if (u != null && u.IsMember == false) //Not a member: clear IsDeny, which unchecks the first check box
            u.IsDeny = false;
    }
}
#endregion

One point to note about the two snippets above is that we alter the cell state by modifying the bound data, not the cell itself. Going through the cell becomes necessary when we want to change state that is not part of the data, for example the background color of the cell. This can be accomplished as below. Keep in mind that the DataGrid virtualizes and recycles row containers as the user scrolls, so state stored only on a cell element can be lost when the row is reused; keep anything that must persist in the data where possible.

 

#region selectUsersGrid_CellEditEnded
private void selectUsersGrid_CellEditEnded(object sender, DataGridCellEditEndedEventArgs e)
{
    if (e.Column.DisplayIndex == 1) //Second check box state changed.
    {
        DataGrid grid = (DataGrid)sender;
        //e.Column is the second column; fetch the first column's cell content for this row
        FrameworkElement firstCheckbox = grid.Columns[0].GetCellContent(e.Row);
        CheckBox c = firstCheckbox as CheckBox;
        if (c != null)
        {
            c.Background = new SolidColorBrush(Colors.Red); //requires using System.Windows.Media;
        }
    }
}
#endregion
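The following is an added example, not code from the original post, of the data-driven approach used by the first two snippets: the bound User object implements INotifyPropertyChanged, so clearing IsDeny when IsMember is unchecked shows up in the grid through the binding without touching any cell, and the BeginningEdit handler still refuses to open the IsDeny cell for non-members. The class name, the property names, the grid name selectUsersGrid, the page class name and the sample rows are assumptions of this example; the two check box columns are assumed to be declared in XAML with Mode=TwoWay bindings, as in the comment below.

```csharp
using System.Collections.ObjectModel;
using System.ComponentModel;
using System.Windows.Controls;

// Assumed XAML for the grid (not from the original post):
// <data:DataGrid x:Name="selectUsersGrid" AutoGenerateColumns="False">
//   <data:DataGrid.Columns>
//     <data:DataGridCheckBoxColumn Header="Deny"   Binding="{Binding IsDeny, Mode=TwoWay}" />
//     <data:DataGridCheckBoxColumn Header="Member" Binding="{Binding IsMember, Mode=TwoWay}" />
//     <data:DataGridTextColumn     Header="Name"   Binding="{Binding Name}" />
//   </data:DataGrid.Columns>
// </data:DataGrid>

// Row model. Raising PropertyChanged is what lets a change made in code-behind
// (IsDeny cleared below) reach the check box through the binding.
public class User : INotifyPropertyChanged
{
    private bool _isMember;
    private bool _isDeny;

    public string Name { get; set; }

    // Second check box column.
    public bool IsMember
    {
        get { return _isMember; }
        set
        {
            if (_isMember == value) return;
            _isMember = value;
            OnPropertyChanged("IsMember");
            // A non-member cannot be denied: clearing IsDeny here updates the
            // first column through the binding, not through the cell.
            if (!_isMember) IsDeny = false;
        }
    }

    // First check box column.
    public bool IsDeny
    {
        get { return _isDeny; }
        set
        {
            if (_isDeny == value) return;
            _isDeny = value;
            OnPropertyChanged("IsDeny");
        }
    }

    public event PropertyChangedEventHandler PropertyChanged;

    private void OnPropertyChanged(string propertyName)
    {
        PropertyChangedEventHandler handler = PropertyChanged;
        if (handler != null) handler(this, new PropertyChangedEventArgs(propertyName));
    }
}

public partial class SelectUsersPage : UserControl
{
    // ObservableCollection so that rows added/removed later appear in the grid.
    private readonly ObservableCollection<User> _users = new ObservableCollection<User>();

    public SelectUsersPage()
    {
        InitializeComponent();

        // Constructed sample rows for the example.
        _users.Add(new User { Name = "alice", IsMember = true, IsDeny = false });
        _users.Add(new User { Name = "bob", IsMember = false, IsDeny = false });

        selectUsersGrid.ItemsSource = _users;
        selectUsersGrid.BeginningEdit += selectUsersGrid_BeginningEdit;
    }

    // Refuse to open the IsDeny cell (first column) for editing when the row is not a member.
    private void selectUsersGrid_BeginningEdit(object sender, DataGridBeginningEditEventArgs e)
    {
        if (e.Column.DisplayIndex != 0) return;
        User u = e.Row.DataContext as User;
        if (u != null && !u.IsMember) e.Cancel = true;
    }
}
```

With the rule living in the model, no CellEditEnded handler is needed: unchecking Member on a row both clears Deny and, through BeginningEdit, prevents it from being re-checked until Member is set again.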

 

That is about it for now; we will talk more about Silverlight in coming posts. Feel free to contact me at syamp@microsoft.com if you have any questions about this post.

Happy coding!

Categories: ASP.NET, C#, SilverLight, Visual Studio Tags:

Whitepaper “HSPD-12 Logical Access Authentication and Active Directory Domains”

February 10th, 2010 Comments off

This document explains the interdependencies between Active Directory Domain Services (AD DS) and Public Key Infrastructure (PKI) related to Homeland Security Presidential Directive 12 (HSPD-12) smart card logon. Topics concerning the Federal PKI Common Policy Root certificate, Extended Key Usage (EKU) requirements and validation of Personal Identity Verification (PIV) authentication certificates for smart card logon are addressed. This document is written for enterprise information technology professionals who are planning or implementing PIV-II smart card logon in accordance with the HSPD-12 directive. It is assumed that the audience for this document has basic knowledge of Public Key Infrastructure and Smart Card concepts.

Categories: Uncategorized Tags:

Black Hat TPM Hack and BitLocker

February 10th, 2010 No comments

Last week at the Black Hat DC conference a presenter showed how one manufacturer’s Trusted Platform Module (TPM) could be physically compromised to gain access to the secrets stored inside. Since that presentation, I have had plenty of questions from customers wanting to know how this might affect Windows. The answer? We believe that using a TPM is still an effective means to help protect sensitive information and accordingly take advantage of a TPM (if available) with our BitLocker Drive Encryption feature in Windows 7.

The attack shown requires physical possession of the PC and requires someone with specialized equipment, intimate knowledge of semiconductor design, and advanced skills. While this attack is certainly interesting, these methods are difficult to duplicate, and as such, pose a very low risk in practice. Furthermore, it is possible to configure BitLocker in a way that mitigates this unlikely attack.

With our design for BitLocker in Windows 7, we took into account the theoretical possibility that a TPM might become compromised due to advanced attacks like this one, or because of poor designs and implementations. The engineering team changed the cryptographic structure for BitLocker when configured to use enhanced PIN technology, discussed in the BitLocker Drive Encryption in Windows 7: Frequently Asked Questions. As a result, an attacker must not only be able to retrieve the appropriate secret from the TPM, they must also find the user-configured PIN. If the PIN is sufficiently complex, this poses a hard, if not infeasible, problem to solve in order to obtain the required key to unlock the BitLocker protected disk volume.

BitLocker remains an effective solution to help safeguard personal and private data on mobile computers. For more information on BitLocker best practices, we have published guidance in The Data Encryption Toolkit for Mobile PCs. This toolkit discusses the balance of security and usability and details that the most secure method is to use BitLocker in hibernate mode (hibernation, unlike sleep, removes the volume key from memory) with a TPM+PIN configuration. With the advancements in Windows 7, users who are worried about potential attacks such as this one should also enable the Allow enhanced PINs for startup group policy setting for their environment.

Microsoft Security Advisory (979682): Vulnerability in Windows Kernel Could Allow Elevation of Privilege – Version: 2.0

Revision Note: V2.0 (February 9, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-015 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-015. The vulnerability addressed is the Windows Kernel Exception Handler Vulnerability – CVE-2010-0232.

Categories: Uncategorized Tags:

How To: Use CAT.NET 2.0 Beta

February 5th, 2010 No comments

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

You can download the current Beta of CAT.NET 2.0 from https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

* You must have Visual Studio 2010 Beta 2 for this tool to work. There are known issues if you have previous versions installed, so please be aware. *

After the installation, open a Visual Studio 2010 command prompt in *Administrator* mode by going to Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools -> Visual Studio Command Prompt (2010). At the command prompt type "sn -Vr *,b03f5f7f11d50a3a" to skip strong-name verification for the FxCop assemblies. Be aware of what this does: it registers a machine-wide exemption for every assembly signed with that public key token (the Microsoft .NET Framework key), so any assembly carrying that token will load without its strong-name signature being checked. Do this only on a development machine, and undo it with "sn -Vu *,b03f5f7f11d50a3a" once you have the fixed build; "sn -Vl" lists the exemptions currently registered.

*Note: this sn step will be fixed in an incremental build very soon.*

 

You can run the CAT.NET rules from the FxCop GUI or from FxCopCmd.exe.

1. Start FxCop by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop. This will bring up the UI with CAT.NET rules loaded.

 


2. Right click “My FxCop Project” and select “Add Targets” to browse and add a target to analyze.


3. Click on the "Rules" tab to select the appropriate rules.

Note: sometimes the FxCop UI does not display any results after selecting both rule sets. The workaround is to select only the configuration rules or only the data flow rules and alternate the selection after each analysis.

4. After selecting a target, click the “Analyze” button in toolbar or just press F5 to start the analysis.

5. Review the results in the window on the right.

6. You can also run the analysis using the FxCop command line tool. Open it by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop Command Prompt. This opens the command line tool and displays all of the available command line switches.

7. You can start the analysis using the /console and /file switches: /console displays the results in the console and /file specifies which file to analyze. Ex: FxCopCmd.exe /console /file:"C:\AntiXss\Sample Application\bin\SampleApp.dll"
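The following is an added example, not part of the original post and not code shipped with CAT.NET: a small ASP.NET Web Forms code-behind that you can compile into a DLL and hand to FxCopCmd.exe as the /file: target, so that you have both a flow the data-flow rules are designed to report and the corrected form to compare against. The page class name, the query-string key, the table name and the connection string parameter are assumptions of this example.

```csharp
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Added example target for CAT.NET analysis (not from the original post).
// Each method pairs an injection-prone form with its hardened form so the
// analysis output can be compared against a known-good baseline.
public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted: attacker-controlled query-string value.
        string name = Request.QueryString["name"];

        // Vulnerable form: untrusted input reaches an HTML output sink
        // without encoding (reflected cross-site scripting).
        Response.Write("<p>Hello, " + name + "</p>");

        // Hardened form: the same flow, HTML-encoded at the sink.
        Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");
    }

    // Vulnerable form: query text built by string concatenation (SQL injection).
    private static int CountUsersUnsafe(string connectionString, string name)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Hardened form: the value travels as a parameter, never as query text.
    private static int CountUsersSafe(string connectionString, string name)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = @name";
            cmd.Parameters.AddWithValue("@name", name);
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Build it from the same command prompt with csc /target:library /reference:System.Web.dll /reference:System.Data.dll Greeting.cs, then run FxCopCmd.exe /console /file:"Greeting.dll" as in step 7; the unencoded Response.Write and the concatenated SQL are the two flows worth looking for in the output, while the encoded and parameterized versions are the baseline.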

 

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

CAT.NET 2.0 – Beta

February 4th, 2010 No comments

Mark Curphey here…

Pleased to announce a beta of the upcoming CAT.NET 2.0. This beta program will last for approximately 1 month. The final version is scheduled to release shortly after VS 2010 RTM. The goal of this beta program is to garner feedback from the user community. Please send all feedback to ist-cat@microsoft.com. There have been some significant changes to the code. These changes include:

User Experience

  • Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
  • Easy analysis using FxCop command line or UI interface or VSTS Team Build.
  • Currently beta includes FxCop UI and Command prompt.

Core Analysis

  • A total of 55 rules have been added: 9 data flow rules and 46 configuration rules are included in this version.
  • Updated tainted data flow analysis engine to track both tainted operands and source symbols.
  • Reduced false positives and false negatives, accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
  • New data flow rule to detect XML Injection attacks.
  • Updated configuration rules engine detecting clear text connection strings and credentials.
  • Rules to detect insecure defaults, for example the minRequiredPasswordLength attribute of a membership provider's add element.
  • Configuration rules updated to detect @page directive configuration overrides.
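The configuration rules listed above are easier to picture against a concrete web.config. The fragment below is a constructed example added here, not code from the post or from CAT.NET; the server name, database, provider name and application path are placeholders, and each WEAK comment shows the setting those rules describe next to a hardened equivalent.

```xml
<!-- Constructed web.config (added illustration; not from the post or the CAT.NET project).
     Comments marked WEAK show the settings the configuration rules above report;
     the live values are hardened equivalents. Names and paths are placeholders. -->
<configuration>

  <connectionStrings>
    <!-- WEAK: connectionString="Server=db01;Database=App;User Id=app;Password=...;"
         stores a clear-text credential in the config file (clear text connection
         string / credential finding). Prefer integrated security so no password is
         stored, or encrypt the whole section in place with the .NET tool:
           aspnet_regiis -pe "connectionStrings" -app "/MyApp"   (path is a placeholder) -->
    <add name="AppDb"
         connectionString="Server=db01;Database=App;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- WEAK: minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0"
         on the provider's add element relaxes the membership password policy
         (the insecure default example named above). -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>

    <!-- Site-wide request validation. A single page that declares
         <%@ Page ValidateRequest="false" %> overrides this value for that page only;
         that per-page override is what the @page directive rules look for, so the
         site-wide setting alone is not proof that every page is covered. -->
    <pages validateRequest="true" />
  </system.web>
</configuration>
```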

Known Issues

All current known issues have been included in the CAT.NET V2.0 Beta guide document.  The items listed in this document will be resolved prior to final release.

Download

You can download the bits at Connect (link below)

https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

Enjoy!