Security: Webcasts and Screencasts
Microsoft provides a number of training and certification opportunities for developers using Microsoft tools and technologies. Webcasts, MSDN developer events, conferences, and third-party training opportunities are just a few of the resources available to those who want to learn more about security.
Vista/.NET 3.0
| Identifying Least-Privilege User Account (LUA) Bugs with the LUA Buglight Tool
Applications that unnecessarily require administrative privileges are among the biggest obstacles to secure desktop deployment, and this is not likely to change for Windows Vista deployments. Designing applications to install and run under the Least-Privilege User Account (LUA) can help to address this problem to a certain degree, but some applications can still break when run with a limited user account. Identifying specific causes for these "LUA bugs" has traditionally been very difficult, and applying the fixes often exposes other unnecessary risks. In this webcast, we introduce LUA Buglight, a new tool that quickly identifies the specific causes of “LUA bugs”, which you can remediate at the code level or at deployment with carefully tailored system tweaks. |
| Designing Application Installations for User Account Control with Windows Installer 4.0 in Windows Vista
Windows Installer 4.0 in Windows Vista includes new features that allow application developers to take full advantage of User Account Control (UAC) when installing, updating, and uninstalling software. In this presentation, we cover the new installation features that specifically relate to User Account Control, such as marking a package as UAC-compliant, taking advantage of UAC patching, and adding the “shield” icon to your user interface. We also address common UAC debugging issues pertaining to application installation and servicing. |
| Digital Certificate Enhancements in Windows Vista and Windows Server Code-Named “Longhorn”
In this session, we discuss the enhancements to the digital certificate infrastructure in both the Microsoft Windows Server code-named “Longhorn” and Windows Vista operating systems. We cover Active Directory Certificate Services (ADCS) in Windows Server “Longhorn” and introduce new technologies such as Online Revocation Services, which uses the Online Certificate Status Protocol (OCSP) responder to verify the validity of certificates. We demonstrate the new X.509 certificate enrollment APIs in Windows Vista that enable developers to develop robust and secure digital certificate-aware applications more easily. We also discuss additional features such as Credential Roaming Services, Network Device Enrollment Services, and Web Enrollment Services. |
| Best Practices for User Account Control in Windows Vista
In this webcast, we explore Windows User Account Control (UAC), a new security feature in the Windows Vista operating system. Learn how User Account Control reduces the security exposure and the attack surface of the operating system by running all user processes with non-administrative privileges and requiring user consent for elevated operations. By helping ensure that users do not accidentally make computer or file modifications that cannot be easily reversed, UAC reduces the cost of managing desktops and the overall total cost of ownership (TCO). We provide best practices for deploying and managing User Account Control, ensuring compatibility with existing applications, and coding to take advantage of User Account Control protection. |
| How To: Use Vista's UAC Feature To Avoid Always Requiring Admin Rights
Windows Vista's UAC feature is designed to minimize security risks by running most applications under a standard user token, lessening the risk that an attacker could gain admin rights to the machine. This is a great step forward for users, but it may leave developers wondering what to do when their apps really do need admin rights to complete a task. Ian Griffiths to the rescue, with another screencast showing how to structure an app to enable certain admin tasks to run in an elevated context. |
| How To: Tell Vista's UAC What Privilege Level Your App Requires
Windows Vista's UAC feature is designed to minimize security risks by running most applications under a standard user token, lessening the risk that an attacker could gain admin rights to the machine. UAC allows executables to specify what privilege level they require -- if an app doesn't provide a specification, it will be run in the context of a standard user, but UAC will provide some virtualization features to make it appear as though certain admin tasks succeeded. Ian Griffiths presents another screencast that covers the default virtualization behavior, and then shows how to write a UAC manifest to specify a desired privilege level, for both native Win32 apps and managed .NET apps. |
Office
AJAX
| Live From Redmond: AJAX Security Basics- The Building Blocks to Protecting Your Applications Built with ASP.NET AJAX
This Webcast demonstrates how ASP.NET AJAX works and provides real examples of the inner workings of an AJAX application. In addition, we explore how JavaScript and Web services work and why securing them is critical. |
| Live From Redmond: How Hackers Reverse Engineer and Exploit an ASP.NET AJAX Application
This Webcast defines how to reverse engineer and exploit an ASP.NET AJAX application. Attendees learn how a hacker looks at the application and what information they gather from exploring the application's architecture. In addition, we discuss the threat of cross-site scripting (XSS): what it is, and how this dangerous application security defect increases the attack surface of AJAX applications, making the XSS threat even more malicious. |
| Live From Redmond: The Brave New World of AJAX Hacking (and prevention using ASP.NET)
This Webcast covers advanced cross-site scripting (XSS) attack methods, such as Web malware, XSS in e-mail, data mining with AJAX and viruses that run inside of Web browsers. We cover the impact of these attacks and how they can be used to steal cookies. In addition, we review how mistakes in AJAX-style programming could introduce security vulnerabilities into your code. |
| Live From Redmond: The Next Generation of AJAX Attacks – A New Generation of Attack Theories
This presentation is a comprehensive discussion of AJAX-related application security concerns. Specifically, we discuss browser/server interaction issues, the increased attack surface of AJAX applications, repudiation of HTTP requests, exposing application logic, vulnerabilities in AJAX bridges, cross-site scripting (XSS) and AJAX (i.e., the MySpace virus, inappropriate use of AJAX, input validation issues, presentation layer attacks, and exploiting mash-ups). |
| Live From Redmond: Best Practices: A Look at Developer ASP.NET AJAX Security Mistakes
AJAX is changing the way Web applications look and how they are developed, but Web developers are not aware of the security risks they are introducing into their applications with these emerging technologies. While most developers are aware of the importance of designing and testing for security in their applications, few of them are aware of the unique security implications of AJAX technologies. AJAX fundamentally changes the user experience and server interactions in Web applications, so developers may be taking otherwise secure applications and opening up new angles of attack for hackers by hastily adopting these new approaches without understanding their vulnerabilities. This talk will discuss and demonstrate the security pitfalls common in ASP.NET AJAX development. The talk will then introduce secure AJAX development principles for building secure AJAX applications for the ASP.NET AJAX Extensions, complete with working examples of secure Atlas development. QA challenges for exhaustive testing are great, but QA should be an important factor when looking at securing your applications. |
The webcasts from Microsoft's 2004 Developer Security Webcast Week feature advice from top industry experts who walk you through key security concepts that will help your organization -- and the code you write -- rise to the security challenges we all face today.