Category name: Security

Amplitube 2 VST not loaded

Yet again a VST did not load in my Ableton Live DAW. This time it is the Amplitube 2 VST by IK Multimedia. It did work when I launched Ableton with administrator privileges, but we all know that we shouldn't do that when it is not necessary, and running as administrator just to load a VST is not a good reason. I launched the excellent Process Monitor, filtered for operations from the Ableton process that did not succeed, and found that Amplitube 2 is writing to the file:

C:\Windows\msocreg32.dat

A very nasty choice by IK Multimedia to put that file in the Windows folder, as normal users cannot create or modify files there. The file is created by Amplitube itself, so it is most likely some sort of timer file for the product evaluation.

To fix this without running as administrator and with UAC enabled, do the following:

  1. Launch your DAW by right clicking its icon and selecting "Run as administrator".
  2. Rescan your VST folder for new plugins. Amplitube gets loaded and the above mentioned file is created. You should be able to use the VST now.
  3. Quit your DAW.
  4. Go to C:\Windows with File Explorer.
  5. Find the file "msocreg32.dat", right click it and select Properties from the context menu.
  6. Go to the Security tab.
  7. Click "Edit". A UAC box will appear to ask you for permission; allow it.
  8. Select the "Users" group.
  9. Set a checkmark in the "Allow" column next to "Modify" in the lower list.
  10. Click "OK" twice to close both dialogs.
  11. Launch your DAW as you normally would.

Now you are running as a normal user with a functioning Amplitube VST. This happens with more VSTs; for example, the Native Instruments collection requires quite a lot of folders to be writable by the user. Because those folders are located in Program Files, this is not allowed. Just apply the above mentioned modification to *only* the "C:\Program Files (x86)\Native Instruments" folder and you will get no more pop-ups asking you to select another folder to write to. Keep in mind that granting Modify to the Users group opens that one file or folder to every local user, so keep the change that narrow and never apply it to C:\Windows or Program Files themselves.
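The same change from an elevated PowerShell prompt, as an added example that is not part of the original post. It grants BUILTIN\Users "Modify" on exactly one file (the Amplitube case) or one folder with inheritance to its contents (the Native Instruments case) and then shows the resulting entries, plus a check that the parent directory was left alone. The paths are the ones named above; the function name is my own.

```powershell
# Added example, not code from the original post. Grants BUILTIN\Users
# "Modify" on one file or one folder, which is what the Properties dialog
# steps above do. Run from an elevated PowerShell (5.0 or later) prompt.
function Grant-UsersModify {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $acl  = Get-Acl -LiteralPath $Path

    # Well-known SID for BUILTIN\Users, so this also works on localized Windows.
    $users = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')

    # A folder entry must propagate to the files and subfolders below it (the
    # Native Instruments case); a single file gets no inheritance flags at all.
    if ($item.PSIsContainer) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $users,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the entries for Users on this object so the change can be eyeballed.
    $usersName = $users.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.IdentityReference.Value -eq $usersName }
}

# The file from the post; the DAW must have been run elevated once so it exists.
Grant-UsersModify -Path 'C:\Windows\msocreg32.dat'

# The folder from the post; only this folder, not all of Program Files (x86).
Grant-UsersModify -Path 'C:\Program Files (x86)\Native Instruments'

# Sanity check: C:\Windows itself must not have picked up a Users/Modify entry.
(Get-Acl -LiteralPath 'C:\Windows').Access |
    Where-Object { $_.IdentityReference.Value -like '*\Users' -and $_.FileSystemRights -match 'Modify' }
```

The last statement should print nothing; if it lists an entry, the change landed on the directory instead of the file and must be reverted.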

The Sysinternals tool Process Monitor really helps to identify such permission problems, so download it if you have similar problems with other VSTs in your favorite DAW.


Abusing IsInRole(..) is not done

Rockford Lhotka has written about permission-based authorization versus role-based authorization. He describes how he abuses the principal's IsInRole(..) method by treating every permission as a role. This is definitely wrong and should never be implemented that way! Besides that, it can result in serious performance issues: imagine a system with a million objects, then storing every permission on those objects as a role would be disastrous.

A user identity and its role(s) form a pretty lightweight description of a user within a certain domain. Establishing that identity is authentication. The identity can even come from an external source that is trusted within this domain.

The other set of data, which users or roles/groups are allowed to do what, is authorization. An application can support one or more types of authentication to find out who a user is or which roles he or she has. Identity management is often not handled within the application but by a provider, for example Windows accounts, OpenID or Microsoft Passport, and which roles such an identity has depends on that provider. For Windows accounts, for example, the roles are the Windows groups.

The .NET 'role' should be seen as a 'group' when the 'role' is an externally managed entity, or as a 'role' when its definition lives within the application. With this in mind you get the following relation chain:

Identity <-> Group(s) <-> Roles <-> Tasks/Permissions

When the 'group' is managed within the application you often see group and role merged into one, which is what results in the .NET role definition.

Most frameworks allow relations to be defined between all four entities.

  • Identities can be linked to groups, roles and/or tasks
  • Groups can be linked to identities, roles and/or tasks
  • Roles can be linked to identities, groups and/or tasks
  • Tasks can be linked to identities, groups and/or roles

But allowing all of those links would be a very bad security design. Normally an application has a lot of defined tasks, and on top of those tasks roles are defined. Let's take an entity manager that has four CRUD operations:

  • Administrator is allowed to do create, read, update and delete
  • Moderator is allowed to do read and update
  • Normal user is only allowed to read.

Here we have four tasks that resulted in three application roles. These application roles can then be assigned to a user and/or a group, and the code only ever asks "may this principal perform this task", never "is this principal in role X".
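The chain Identity -> Group(s) -> Role -> Task from above in PowerShell 5, as an added example that is not the post's own code (the post's own pseudo code follows further down). IsInRole() is only asked about real Windows groups, the application maps those groups to its three roles, and each role maps to a set of tasks that is checked with a flags enum. The two CONTOSO group names are placeholders for this example; BUILTIN\Users exists on every Windows machine, so a run as an ordinary user should come out with the NormalUser role.

```powershell
# Added example, not from the original post. Requires PowerShell 5 (enum/class
# support) on Windows, because it asks the real WindowsPrincipal about groups.
[Flags()] enum EntityTask {
    None   = 0
    Read   = 1
    Update = 2
    Create = 4
    Delete = 8
}

# Application roles and the tasks they allow (the three roles from the post).
$RoleTasks = @{
    Administrator = [EntityTask]'Create, Read, Update, Delete'
    Moderator     = [EntityTask]'Read, Update'
    NormalUser    = [EntityTask]::Read
}

# Externally managed groups mapped to application roles. The CONTOSO names are
# assumptions for this example; BUILTIN\Users is a real local group.
$GroupRoles = @{
    'CONTOSO\BlogAdmins' = 'Administrator'
    'CONTOSO\BlogMods'   = 'Moderator'
    'BUILTIN\Users'      = 'NormalUser'
}

function Get-AppRoles {
    param([Parameter(Mandatory = $true)][System.Security.Principal.WindowsPrincipal]$Principal)
    # IsInRole is asked only about groups, which is what it is for. A group name
    # that does not exist in this domain simply resolves to "not a member".
    $GroupRoles.Keys |
        Where-Object { $Principal.IsInRole($_) } |
        ForEach-Object { $GroupRoles[$_] } |
        Sort-Object -Unique
}

function Test-EntityTask {
    param(
        [Parameter(Mandatory = $true)][System.Security.Principal.WindowsPrincipal]$Principal,
        [Parameter(Mandatory = $true)][EntityTask]$Required
    )
    # Union of everything the principal's roles allow; no role means no tasks.
    $granted = [EntityTask]::None
    foreach ($role in Get-AppRoles -Principal $Principal) {
        $granted = $granted -bor $RoleTasks[$role]
    }
    # Every bit of $Required must be present in $granted (deny by default).
    return (($granted -band $Required) -eq $Required)
}

$me = [System.Security.Principal.WindowsPrincipal]::new(
          [System.Security.Principal.WindowsIdentity]::GetCurrent())

"Roles:      $(Get-AppRoles -Principal $me)"
"May read:   $(Test-EntityTask -Principal $me -Required ([EntityTask]::Read))"
"May delete: $(Test-EntityTask -Principal $me -Required ([EntityTask]::Delete))"
```

Adding a fourth role or a fifth task touches only the two hashtables; nothing about Windows groups changes, and no permission is ever stored as a role.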

So what to do in situations where you need a more fine-grained solution, like a file system with loads of entries and permissions that can differ between all of those entries? Implement it the way the file system does it: store that authorization information alongside your data.

Key to success here is to think up front about which features you need, like:

  • permission inheritance
  • deny permissions
  • loops in your hierarchy.

Try not to put this metadata in the same data structure as the data itself, as that makes your security model inflexible for future requirements (and trust me, these WILL come!). If performance is crucial then embedding it is probably the only option, but even then keep the security data behind an interface like the one in the following pseudo code:

using System;
using System.Collections.Generic;
using System.Security.Principal;

// The entity itself carries no security related data.
class BlogPost
{
    public int Id { get; set; }
}

[Flags]
enum BlogPostPermissions
{
    None = 0,
    Create = 1,
    Delete = 2,
    Update = 4,
    Read = 8
}

// Authorization data lives behind this interface, keyed by identity and post.
interface IBlogPostSecurityManager
{
    void SetPostSecurity(IIdentity identity, BlogPost post, BlogPostPermissions permissions);
    bool IsAllowed(IIdentity identity, BlogPost post, BlogPostPermissions required);
}

// Minimal in-memory implementation; a real one persists this table on its own.
class BlogPostSecurityManager : IBlogPostSecurityManager
{
    private readonly Dictionary<string, BlogPostPermissions> acl = new Dictionary<string, BlogPostPermissions>();
    private static string Key(IIdentity identity, BlogPost post) { return identity.Name + "|" + post.Id; }

    public void SetPostSecurity(IIdentity identity, BlogPost post, BlogPostPermissions permissions)
    {
        acl[Key(identity, post)] = permissions;
    }

    public bool IsAllowed(IIdentity identity, BlogPost post, BlogPostPermissions required)
    {
        BlogPostPermissions granted; // unknown (identity, post) pairs get nothing: deny by default
        return acl.TryGetValue(Key(identity, post), out granted) && (granted & required) == required;
    }
}


Now we have a clear separation of responsibilities: the blog post doesn't contain any security related data, and the only way to answer "may this identity do X to this post" is through the security manager.

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Anyone will get this message sooner or later, so the steps I usually take are:

  • Check whether I have read/execute permissions on the file
  • Check whether it is blocked because it is an internet download, and unblock it
  • Check whether I'm the owner

Well, today I did this with a file that I downloaded on server A, copied to a storage server and then copied to server B to run it there. I got this message and went through the steps above without any success.

The almighty Google helped me again, but not in the first few hits on the error. It guided me to a forum where a solution was posted for the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

"Un-install IE Enhanced Security from Windows Components. Voila, problem gone."

I tried it and I can now execute those files, although it should have worked before, since all security attributes on the file were set correctly. Very weird...

Low privileges IIS Application Pools

When you create a new application pool you probably want to give it no more privileges than the application you are going to run in it actually needs.

This article describes how to create a user account for use as an IIS application pool identity. It is also useful when you get one of the following messages in the event log:

  • The identity of application pool is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
  • The identity of application pool, is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

User account

There are two account types:

  1. Domain accounts
    • Useful when you run a web application on server A that needs to access resources on another server within the domain. This account type is created with the Active Directory Users and Computers management console on one of the domain controllers in your domain.
  2. Local accounts
    • Useful when the application only needs access to local files and/or accesses resources outside of the domain with its own credentials.

Create the account

  1. Create a user account and store its (complex) password in a 'well known' but secure location, such as your password safe.
  2. Remove it from the Users group.
  3. Add the user account to the IIS_WPG (IIS Worker Process Group) group on the web server where you are going to run the web application (on IIS 7 and later this group is called IIS_IUSRS).

Application pool

  1. Launch the IIS Manager
  2. Add an application pool
  3. Edit the new application pool and set its identity to the newly created account.

File system

The application pool probably needs read and/or write access to the file system where the web application is deployed. Give the account read access to the root of the web application folder and 'Modify' only on the folders where it is actually needed. There is no need for 'Full control' at all.
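The whole procedure above (account, group membership, application pool identity and the narrow file-system rights) scripted for IIS 7 or later, as an added example that is not part of the original article. It uses the WebAdministration module and the LocalAccounts cmdlets, so it needs an elevated prompt on Windows Server 2016/Windows 10 or newer; the pool name, account name and paths are assumptions. The group is IIS_IUSRS because that is the IIS 7+ name of the IIS 6 IIS_WPG group the article mentions.

```powershell
# Added example, not from the original article. Run elevated on IIS 7 or later.
Import-Module WebAdministration

$PoolName    = 'MyAppPool'                 # assumption
$UserName    = 'svc_myapp'                 # assumption
$SitePath    = 'C:\inetpub\myapp'          # assumption: root of the deployed web application
$WritePaths  = @("$SitePath\App_Data", "$SitePath\Logs")   # only folders that really need writes
$WorkerGroup = 'IIS_IUSRS'                 # IIS 7+ name for the IIS 6 IIS_WPG group

# 1. Local account with a random complex password. Print it once so it can be
#    put in the password safe; it is not stored anywhere else by this script.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes) + '!'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires -UserMayNotChangePassword `
    -Description "IIS worker process identity for $PoolName" | Out-Null
Write-Host "Password for $UserName (record it in your password safe): $plain"

# 2. Keep the account out of Users; 3. put it in the worker process group only.
Remove-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue
Add-LocalGroupMember -Group $WorkerGroup -Member $UserName

# 4. Application pool running as that account (identitytype 3 = SpecificUser).
New-WebAppPool -Name $PoolName | Out-Null
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identitytype = 3
    userName     = $UserName
    password     = $plain
}
Remove-Variable plain, secure

# 5. File system: read/execute on the application root, Modify only where needed.
#    (OI)(CI) makes the entry inherit to files and subfolders below it.
icacls $SitePath /grant "${UserName}:(OI)(CI)RX" | Out-Null
foreach ($p in $WritePaths) {
    if (-not (Test-Path -LiteralPath $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
    icacls $p /grant "${UserName}:(OI)(CI)M" | Out-Null
}

# Verify: the pool carries the new identity and actually starts.
Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel | Select-Object identityType, userName
Start-WebAppPool -Name $PoolName
"$PoolName is $((Get-WebAppPoolState -Name $PoolName).Value)"
```

If the pool ends up Stopped with the "identity of application pool is invalid" event from above, the account or password is wrong; nothing in this script grants "Act as part of the operating system", and nothing needs it. On IIS 7.5 and later the built-in ApplicationPoolIdentity gives you a per-pool virtual account with no password to manage at all; a dedicated account like this one is mainly needed when the pool has to reach resources on other servers.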

Incorrect ‘Google’ hits

On some sites people mention that the user account needs to be part of the 'Act as part of the operating system' policy, but this is NOT necessary. That privilege lets a process act as any user on the machine and should never be handed to a web application identity.

Finished

You can now test this new application pool with a (new) web application.

Modifying NTFS file security with fileacl.exe

Until now I normally used the cacls command on the command line to modify NTFS file permissions. I always used the /E /T /G switches, but soon found out that this does a recursive change on all folders/files and doesn't use the inheritance flag. Normally not really a big problem, but updating the security descriptors on a large directory tree takes time. Too much time if you ask me, and so my search for a better alternative started. I quickly found references to xcacls.vbs / xcacls.exe. These seem to fix the inheritance related issues that cacls cannot handle.

But I found a tool that is much easier to use than these, and that is fileacl.exe. When adding permissions to a folder, the underlying files and folders inherit them by default, which is what you normally want. The syntax is also somewhat better and it provides some advanced enhancements.

Sign your distributables free and easy!

I was using signtool.exe a while ago to see what it does and learned that it is a security tool that can sign any executable or DLL (so not .NET only). Maybe even other weird file container formats that Microsoft made are supported.

Anyway, I was struggling with openssl and makecert a lot to make it work. Well, not really struggling, but if you don't have a lot of PKI knowledge then you're in for a treat! Months passed and then I found the nice and free certificate provider CAcert. I registered and scored enough points to get me a nice personally named certificate. The system is comparable with Thawte's web of trust, but I think Thawte's certificates can only be used for e-mail signing and encryption.

I am busy with a tool that can back up running Virtual Server machines. I don't know if this functionality has already been made by somebody or if it is available in the R2 release. More on this in a future post. I thought that it would be nice to sign those assemblies and started signtool in wizard mode.

    signtool.exe signwizard

It was really easy to sign my assemblies with my personal CAcert certificate. I really don't understand why major software providers like Mozilla took so long before they started signing their Windows downloads when it is so easy to do.

The signwizard is a bit problematic in an automated build environment like a nightly build (or, even better, a nice continuous integration one). Luckily for us we are also able to do all of this from the command line.

    signtool.exe sign /a /d "Ramon Smits" /du http://bloggingabout.net/  *.exe *.dll

This assumes that the certificate is stored in the personal store without
There is also a timestamp option. A timestamp lets the signature stay valid after the signing certificate itself has expired. Verisign has a public timestamp service and you only have to add the following to make use of it.

    /t http://timestamp.verisign.com/scripts/timstamp.dll

After signing you can view the result in the properties of your application, where a Digital Signatures tab has become available. Selecting Details brings up the following dialog.

The most important thing about signatures is that you check whether you trust the signing party, including its certification path. Any application can carry a valid signature, but that doesn't mean I will trust everyone :-).


"After viewing the certification path I decided that I trust this dude…"

My favorite browser is Firefox, but it doesn't have the nice security feature that Internet Explorer has. When you download an executable with Internet Explorer and open it locally, you will see the following dialog.

Windows shows this message because Internet Explorer added meta information about the download in an alternate data stream (Zone.Identifier) of the file. Downloading it with Firefox and then running it will not trigger any such check. I don't remember this very well, but I think Windows Vista does show this message for any application. Clicking the first URL navigates to bloggingabout.net (the /du parameter of signtool.exe) and the second shows the same dialog as Explorer (Digital Signature Details).

A major benefit of code signing downloads is that you can host your download at other locations without the risk that others modify it unnoticed. Downloaders have a quick and easy way to check that the download is valid and has not been tampered with. Note that a valid signature only proves who signed the file and that it is unchanged since then; whether the signer is worth trusting is still your decision.
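Signing from the command line and then checking the result the way a downloader should, as an added example that is not part of the original post. The sign step is the non-wizard command from above with the timestamp option added (/a picks the best code-signing certificate from the personal store); the check step reports the signature status, the signer, whether the certification path chains to a trusted root on this machine, whether a timestamp is present, and whether the file carries the Zone.Identifier stream that Internet Explorer writes for downloads. The output folder and the publisher name are assumptions; signtool.exe must be on the PATH.

```powershell
# Added example, not from the original post. Requires signtool.exe on the PATH
# and PowerShell 3 or later (for -Stream and [pscustomobject]).
$Files     = Get-ChildItem -Path '.\bin\Release' -Include '*.exe', '*.dll' -Recurse   # assumption
$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'   # the service named in the post
if (-not $Files) { throw 'Nothing to sign.' }

# Sign everything in one go; the array is passed as separate arguments.
& signtool.exe sign /a /d 'Ramon Smits' /du 'http://bloggingabout.net/' /t $Timestamp $Files.FullName
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

function Test-SignedBinary {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = $null
    $chainOk = $false
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        # Build the certification path against this machine's trust stores. A
        # CAcert-issued certificate fails here until the CAcert root is imported,
        # which is exactly the "do I trust this path" decision from the post.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($sig.SignerCertificate)
    }
    # Present only when the file came through a browser that marks downloads.
    $zone = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $signer
        ChainOk     = $chainOk
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        FromWeb     = ($null -ne $zone)
    }
}

$Files | ForEach-Object { Test-SignedBinary -Path $_.FullName } | Format-Table -AutoSize
```

A tampered file shows up as HashMismatch, an unsigned one as NotSigned, and a file signed with a certificate whose root this machine does not trust shows ChainOk false with a Status other than Valid. The timestamp URL is the one the post gives; substitute your CA's current timestamp service if it no longer answers.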

WSE2 : KerberosToken and WSE policies

I had a weird problem today with a computer in our development domain. We currently use encryption and signing for web service calls with WSE2. We use a WSE policy to achieve this, but today a colleague of mine got an error when he tried to run the code on his machine. The first thing was that the web service wasn't running under the SYSTEM account. This account does not have enough privileges to access the Active Directory information, so it can't access the data for the Kerberos token. This isn't a problem on Windows 2003 because .NET web applications run under a certain application pool.

But then we had a problem where the code didn't run while it should! It was very frustrating and we kept getting exceptions that said the username was incorrect. So we triple-checked everything and couldn't find any problem. As a last resort I removed the computer from the domain and added it again, and guess what: it worked afterwards.

So remove and re-add the machine to your domain if you experience Kerberos token exceptions with WSE on one computer but not on another. Rejoining resets the computer account's password and its secure channel with the domain, which is what the domain controller needs in order to issue Kerberos tickets for that machine.

This isn't mentioned in the WSE FAQ or its wiki. I will try to contribute it this evening :)
