Contents tagged with Security
For the last year I have had really annoying security troubles when working with documents in SharePoint (2003 or 2007, WSS or MOSS) on my Windows Vista machine with Office 2007. Every time I have opened up a document for editing the Office applications have asked me to log in to access the document. I have been able to press Cancel three times, but then the document is opened up in read-only mode. The problem has not occurred on any Windows XP installations. I have seen this problem on several computers with Vista. There have been several reported workarounds, of which none has worked for me.
But now Microsoft has released a number of hotfixes, which will be included in the soon to come Vista Service Pack 1, and there are two interesting hotfixes that currently focuses on this problem.
I installed this one first, but it did not fix my problems after rebooting.
But this one did (don't know if it was the combination or if this one did the whole job...)! Sweet!
To get your hands on these hotfixes, before Service Pack 1, you have to call the Microsoft support who will send you the update packages. Last night the Release Candidate of SP1 was released, so I guess these fixes are included in that one. If you have had this problem and are testing the RC of SP1, please inform me on the results.
When using BitLocker or encrypting your file system with EFS on Windows Vista, you will be using certificates and/or passwords. If these certificates or passwords are lost the chance that you loose the information and data on the disks that are protected is very likely. The certificates can of course be backed up on removable media or similar. But storing these kind of crucial information bits on a remote location is of course the best way and you should do that. You can store it in any kind of web-storage such as SkyDrive, but the best way is to use a service called the Digital Locker by Microsoft.
The Digital Locker is a remote and safe way to store software product keys and certificates and it is integrated into the Windows Marketplace so your purchase history is automatically appended to your Digital Locker.
The Digital Locker is accessible from the Internet at https://digitallocker.windowsmarketplace.com/ and you sign in using your Windows Live ID. From there you can access your software. You may enter notes on each product, view license information and download the product.
You also have the possibility to archive your software for later use.
Windows Vista integration
Windows Vista comes with a Digital Locker integration for storing your BitLocker recovery password and/or your EFS recovery certificate. You can easily backup this information by using the Control Panel and then select what you would like to backup. You may keep all of your certificates, from all your Vista machines, at the same location.
Windows Vista also contains direct access to the Digital Locker via the Digital Locker Assistant, found in the Control Panel.
According to the documentation it should be possible to back the Digital Locker up to a CD/DVD, but I have not found where to do that yet.
The Digital Locker is a part of the Windows Marketplace so whenever you add something to your cart in Windows Marketplace it is added to your Digital Locker. For example if you buy a product you can easily later on reinstall it by downloading it once again and using the product key stored in the Digital Locker.
Adding your own software
With the Digital Locker you can backup your own software securely. You can with a few steps add all your software, purchased from anywhere, to the Digital Locker together with an optional product key and download location. I previously stored all this information in a document stored on my hard disk, but now I try to keep all this information in the Digital Locker.
If you use Windows XP, you can download and install the Digital Locker assistant to get direct access from you desktop to the Digital Locker.
Aaron Brethorst has written a nice tutorial on how to create an UAC aware manifest for you Windows Vista applications by creating a .manifest file. He will follow up this article with information on how to embedd the manifest into a managed executable file.
I recently ran into a problem where I had by mistake checked the Remember password checkbox in Internet Explorer 7 (RC) when visiting a NTLM based website, then I wanted to get back to use my currently logged on user to access this website. There is no way to clear these usernames and passwords using the standard ways in Internet Explorer.
First of all I tried to turn off the Automatic logon only in Intranet Zone and entering a new but faulty password for the user and checking the remember password checkbox. This cleared the old password but after resetting the automatic logon Internet Explorer always asked for my password for that site and I didn't want to enter my current logon information and save the password (this would only ask me for a new password whenever I change it).
After some searching on the Internet I found no other solution than the one I tried above. But after digging into the problem for some time I found out where Internet Explorer 7 RC stores the cached credentials. They are stored in file (Documents and Settings\
\Application Data\Microsoft\Credentials\SID>\Credentials) that I removed (of course after making a backup). Then I rebooted the computer and the automatic logon worked fine.
If you are interested in what usernames and passwords that are stored on your machine you can check out Nir Sofers Password Recovery Utilities.
Yesterday I wrote about our new server which is now up and running nicely hosting a number of Virtual Server, this morning none of them was up and a few sites and applications was down. This was due to that the server had Windows Update set to Automatic which is recommended by the OS - which had led to that the server rebooted. I've seen it before so this time I found the resolution quick, but the last time it caused me a headache!
So my recommendation is to never have Windows Update set to automatic! This is not new but take it as a reminder, especially for your servers. The workstations may not suffer that much but imagine that you have left your machine on over the night and you have unsaved data...
I have been using Microsof Internet Explorer 7 beta for a while and I have noticed that some sites are reported as suspicious phising websites. The address bar turns yellow and a big popup informs you about it. A few days ago the popup appeard on one of my blog entries. The popup includes a link to a site in which you may inform Microsoft that you are the owner of the site and the site is not a phising site. I gave it a try and reported the site not to be phising site and that I am the owner. Within 24 ours I recieved a response from Microsoft that they had reviewd my request and a few ours later the warning was gone. Phew! I think it all worked very smoothly and I think it is a great feature of IE7. If you would like more information on the IE anti-phising filter, read about it here.
Tristank has a nice article 3 Simple Rules to Kerberos Authentication/Delegation SPNs on how Kerberos authentication via HTTP should be configured. It contains well explained steps using the SETSPN utility.