$files = Get-ChildItem -Name *.PNG -recurse -Path ./ | grep .PNG foreach($file in $files) { $newName = $file -replace '.PNG','.png' git mv $file $newName; }Sure it not pretty but it works for me!
Stuart McLean's tech
Stuart McLean's tech blog.
Wednesday, 6 November 2024
Rename powershell with case sensitive
Friday, 1 June 2018
SPN for network service
“
The HOST service represents the host computer. The Kerberos protocol uses the HOST SPN to access the host computer. The Kerberos protocol uses the long-term key on the host computer to create a service ticket.
The HTTP service class is one of the built-in services that act as an alias to the HOST SPN. The HOST SPN is mapped to the host computer account. Therefore, when you use the default HTTP service class, the Kerberos protocol uses the computer account as the service account to request a service ticket.”
Translation – if you are using network service and tying to set the SPN – use the computer name as the account name.
Some simple secure development standards
These are mainly based around ASP.NET/IIS – but the same principles can be applied everywhere.
These are just a few that I’ve seen highlighted a lot in pen tests of late.
Nothing is going to make you 100% secure but remember – defence in depth. Lots of defences adds up.
I may get some others written up some time.
(HTML/URL) Encode everything
Why
This helps prevent Cross Site Scripting (XSS) attacks. XSS attacks occur when user input (or other data) is displayed on the browser. The attacker puts javascript in the input and this is then executed by the browser.
Examples
sending the user a link with a query string which contains a value that is displayed on the target page – look at google and you’ll see the search is in the url and displayed on the browser. (Reflected XSS).
Putting data in to the system that is displayed on someone elses browser (e.g. facebook page) (Stored XSS). For a great example of this watch this watch https://www.youtube.com/watch?v=EYMGAoIx8yk&feature=youtu.be FROM 8:30
How?
- Http(s) content type MUST be utf-8 – for asp.net this can be specified in the master page / web.config.
- In ASP.NET (>4) Use the <%#:, <%:, <%=: to ensure databound or other expressions are html encoded (https://www.owasp.org/index.php/ASP.NET_Output_Encoding).
- Use ASP.NET controls that automatically html encode/decode. See - https://msdn.microsoft.com/en-us/library/ms178270%28v=VS.100%29.aspx for an indication of which controls automatically html encode output. In particular note the Label Control does not automatically encode.
- Razor automatically html encodes (https://docs.microsoft.com/en-us/aspnet/web-pages/overview/ui-layouts-and-themes/4-working-with-forms) – think carefully before overriding. (You might have actual html that you want to display as html).
Use strongly typed parameterised queries (that’s stored procs or EF).
Why
To mitigate against SQL injection attacks.
Parameterised queries (and stored procs) should treat the input as input – not build sql strings from them so cannot be manipulated as easily.
How?
Use an ORM (Entity Framework) AND DO NOT GENERATE SQL ON THE FLY IN YOUR CODE.
Use strongly typed stored procedures and DO NOT GENERATE SQL ON THE FLY IN YOUR SQL.
Combine this with
- least privilege (execute on stored procs or data reader/writer on appropriate tables for EF) – note SPROCS allow a more minimal access as an attaker owning the applications connection can still not read whole tables but needs to go through stored procs.
- A defence mechanism for preventing developers from still generating sql on the fly.
- e.g. for stored procs review them all.
EF does not particularly encourage sql on the fly but none the less be aware application developers now have a connection available that can do data reader/writer functions. I have seen this result in a successful attack – not surprisingly on the last (hastily implemented) CR implementation.
Implement some secure configuration/hardening
These are some simple hardening recommendations – may not do much but will not make you less secure!
Why?
- Your application and server (IIS) etc. uses technologies. These may have known vulnerabilities. Advertising the technologies is the same as advertising the weaknesses. Security by obscurity is not security but giving attackers a list of sites to attack when a vulnerability is published is dumb.
- Reduce the attack surface area.
How?
•Disclosure of server type / Disclosure of technology
* For azure - (https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/) – this should work in IIS too – but depends on later frameworks.
For IIS - https://www.saotn.org/remove-iis-server-version-http-response-header/
- Block unwanted request verbs - for a web site you probably only need GET and POST. For rest you might need PUT and DELETE too (if your really rest). https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/verbs/ Personally, of course, I prefer white-listing
<configuration>
<system.webServer>
<security>
<requestFiltering>
<verbs
allowUnlisted="false"
>
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" /></verbs>
</requestFiltering>
</security>
</system.webServer>
</configuration>
See - https://docs.microsoft.com/en-us/iis/manage/configuring-security/use-request-filtering
- Set custom errors RemotOnly (https://msdn.microsoft.com/en-us/library/h0hfz6fc(v=vs.100).aspx)
- Set debug=false.
Use least privilege database access (or any other access!)
Why?
Defence in depth – if someone owns your web server or another defence (e.g. sql injection) fails – limits the damage can be done.
How
- Don’t use dbowner/sa
- Do use separate account for applications with privilege to execute stored procs (GRANT EXEC ON proc TO user) or (if using EF) data reader/writer as required on specific tables.
- Do this from the beginning in all your environments so you don’t hit all the issues late in your dev cycle.
Configure your security headers and cookies
See - https://securityheaders.com/
Why?
Modern browsers are adding additional protection against vulnerabilities – xss, disclosure.
How?
See https://securityheaders.com/
If your are https (and you should be)
Enable hsts
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
</customHeaders>
</httpProtocol>
</system.webServer>
Set requires SSL on all your cookies - <httpCookies requireSSL="true" />
(and your forms auth config too if you have it).
X-Frame-Options – do you want your pages to be embedded in another site. Allowing this facilitates an attacker making a fake site.
X-XSS-Protection – tells the browser to turn on xss filters.
X-Content-Type-Options – stops content type sniffing
Content Security Policy – allows you to list where your page downloads from so you can protect from downloading malicious code.
Referrer Policy – limits the “Referrer” information in http requests. For example, if you download fonts from google do you want google to be able to track people on your site through the referrer header. Remember you may letting a third party know the IP (personal information under GDPR) the activity on your site.
Monday, 9 April 2018
Azure–iterate resources in all tenants for GDPR
GDPR means that we now have a policy for all data to be in UK or Europe.
So – to find where all our azure resources are
1. Install the azure PowerShell toolkik (https://docs.microsoft.com/en-gb/azure/azure-resource-manager/powershell-azure-resource-manager)
2. Run the script below to check the location of your resources are in the list of allowed locations.
# login to azure this should request secure credentials
Login-AzureRmAccount
# get a list of tenants / subscriptions
$allowedlocations = 'northeurope', 'westeurope' , 'francecentral' , 'francesouth', 'ukwest' , 'uksouth', 'germanycentral' , 'germanynortheast'
$subscriptions = Get-AzureRmSubscription
foreach($sub in $subscriptions) {
Select-AzureRmSubscription -Subscription $sub.Id
$resources = Get-AzureRmResource
$resources.where({ $_.Location -notin $allowedlocations })
}
Sunday, 1 October 2017
Strava open image script
Sometimes I want to download peoples photos from strava.
Click on image to get it full screen
run
$im = $('div[class="photo-slideshow-content"] > image[alt="Photo"]').src
window.open($im)
in console.
Will open the image in a new window so you can download.
Wednesday, 20 September 2017
SSRS (2014) Load balancing woes
Symptoms
HTTPS to reporting services only working on prd-web01b, not on 01a. Checked all the config etc. and re imported certs from b to a. SChannell errors were our only clue, although William found some of these on the other server too. Even rebooted the server for good measure.
How we fixed it
This was the clue - https://support.microsoft.com/en-gb/help/956209/ssl-no-longer-works-after-you-remove-an-ssl-binding-from-sql-server-20
We added the cert into IIS (even though we are running in native mode) , removed it from IIS and rebound it to reporting services and everything now appears ok.
Explanation
Some months ago we upgraded all our certs – I think it was to 2056 bits or such like – as the old ones were becoming invalid.
My theory is on the a server we unbound the old cert – thus removing the crucial registry setting in the above link – and then bound in the new cert.
On the b server we probably just selected the new cert.
I’m not sure who did this work but since a good manager always takes the blame for their teams actions – it was probably me. (Lesson – sooner we go to scripted deploy the better).
However this did not fix the problem!
2’nd problem
The ever clever mr***suggested looking at the logs – and I found them – FYI there in d:\ Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\LogFiles on our servers.
Found the errors –
library!ReportServer_0-36!1050!09/05/2017-08:54:29:: e ERROR: Error rending control: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
http://go.microsoft.com/fwlink/?LinkID=314055 ---> System.Web.UI.ViewStateException: Invalid viewstate.
Client IP: *****
Port: 59222
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
ViewState: /wEPDwUKMTEzMjExOTUxNA9kFgQCAQ8WAh4EbGFuZwUFZW4tR0JkAgMPZBYEAgQPZBYEAgEPFgIeBVZhbHVlZGQCAw9kFgJmD2QWAmYPFgIfAWRkAgUPFCsABQ8WCh4UU2hvd1Byb21wdEFyZWFCdXR0b25oHgxTY3JvbGxUYXJnZXRkHhNQcm9tcHRBcmVhQ29sbGFwc2VkZx4QVjFTdHlsZVNoZWV0TmFtZWQeDlJlbmRlcmluZ1N0YXRlCymRAU1pY3Jvc29mdC5SZXBvcnRpbmcuV2ViRm9ybXMuUmVwb3J0UmVuZGVyaW5nU3RhdGUsIFJlcG9ydGluZ1NlcnZpY2VzV2ViU2VydmVyLCBWZXJzaW9uPTEyLjAuMC4wLCBDd
..
How we fixed it
This was easy for a web farm person like me – when you have a .net application in a web farm you need to add in encryption keys across the farm.
First I checked the instructions as I would have thought that SSRS might do this for me as you actually configure the thing for scale out but MS aren’t that bright – yes you do need to manually put in some keys (https://docs.microsoft.com/en-us/sql/reporting-services/report-server/configure-a-report-server-on-a-network-load-balancing-cluster).
So I generated some for each environment and did this.
Explanation
I always said the old load balancer was not load balancing. The new ones (F5) are.
Tuesday, 4 July 2017
Import and bind a cert is IIS.
param ( [Parameter(Mandatory=$true)][String]$certpath, [Parameter(Mandatory=$true)][String]$certpass, [Parameter(Mandatory=$true)][String]$ip, [Parameter(Mandatory=$false)][String]$website = "Default Web Site" ) $mypwd = ConvertTo-SecureString -String $certpass -Force –AsPlainText $cert = Import-PfxCertificate -FilePath $certpath Cert:\LocalMachine\My -Password $mypwd -Exportable $bind = Get-WebBinding -Protocol https -IPAddress $ip -port 443 if($bind -ne $null) { Remove-WebBinding -Protocol https -IPAddress $ip -port 443 } # -Name $website -IPAddress $ip -Protocol HTTPS -Port 443 -HostHeader '' -Binding $ip':433:' new-WebBinding -Name $website -IPAddress $ip -Protocol https -Port 443 $bind = Get-WebBinding -Protocol https -IPAddress $ip -port 443 $bind.AddSslCertificate($cert.GetCertHashString(), "my")This is for a cert to IP without host header.