Web Application Configuration Analyzer – WACA CTP Release Coming Soon

RV here… Last year we developed an internal tool to review servers for security configuration issues. Microsoft offers several enterprise options for doing this, such as System Center Configuration Manager, but the requirements were for a lightweight stand-alone tool focused towards developers and testers who often developed in an unmanaged environment. The tools needed to…


Double Hop Windows Authentication with IIS Hosted WCF Service

Hello, Randy Evans here. I am a principal developer on the Information Security Tools Team. In a recent project, we had an intranet web site that called an IIS hosted WCF service. The WCF service, in turn, called a SQL Server Reporting Services (SSRS) web service. We wanted to utilize the authorization mechanisms of SSRS….


Normal Service Will Resume Soon

The coding fairies have been busy crafting code. Blogging (and maybe even Tweeting if there is a demand) will return soon and we'll have a few nice CTPs for you to play with over the next few weeks. Look for news about: CAT.NET 2.0 CTP – Rebuilt from the ground up using Phoenix WPL 1.0…


How To: Use VSTS Code Profiler

Syed Aslam Basha here. I am a tester on the Information Security Tools team. This blog post is a continuation of the website performance testing simplified blog post. The final step in performance testing is to narrow down the faulty code which is taking a lot of time or memory or CPU usage. I will show how…


Web Protection Library – CTP Release Coming Soon

RV here… Over the last couple of months we have been actively developing the next version of the Anti-XSS Library and Security Runtime Engine (SRE). We have added new mitigations that go way beyond the original Cross Site Scripting (XSS) protections of the Anti-XSS Library, hence the change in name to the Web Protection Library or…


SQL Server 2008 Security – Policy Example

Hi, Gaurav Sharma here, I’m a developer with the Information Security Tools (IST) team. A few months ago I posted a blog, SQL Policy Based Management (PBM) and posted a follow up introductory “How Do I” video on the same topic. Since then I’ve received a lot of feedback and questions regarding how to create more…


Anti-XSS Library v3.1 Released!

The Microsoft Information Security Tools (IST) team has released the latest Microsoft Anti-Cross Site Scripting (Anti-XSS) Library version 3.1. Read more about Anti-XSS v3.1 on the Information Security blog and watch the video, “Anti-XSS 3.0 Released,” as Vineet Batta and Anil Revuru (RV), Senior Software Developers from the Microsoft Information Security Tools (IST), provide an…


Automating Windows Firewall settings with C# (part 2)

Hi, Vamsy here. I am an Operations Engineer in the Information Security Team. In my previous post, I described automating Windows Firewall Settings with C#. As promised in the previous post, I will describe the tool I call Windows Firewall Checker in this blog. The tool is written in C# and uses .NET Framework…


HTML Sanitization in Anti-XSS Library

RV here… For a while now, I have been talking about various types of encodings and how they protect web applications from cross site scripting attacks. In most cases input is simply passed through AntiXss.HtmlEncode or similar methods to transform it into safely displayable HTML entities. In some cases you as a developer would like…


Sharing Master Pages in Multiple Projects

Hi, Anil Chintala here. I am working on a requirement for a Portal, which is to share the look and feel of the portal by multiple web applications seamlessly and without any rework. I started doing some prototyping work and writing up some scenarios we would like to consider for the requirement. For the sake…