
Saturday, November 12, 2005


Security and ADAM

I'm doing some security analysis for a bank here in the UK next week, and so the weekend thus far has been spent reading up as much as I can. It's not that the application I see will contain anything I haven't seen before, but when I have a specific task, such as security in this case, I look at it in two ways.

(1) Security is part of what I do when I develop, rather than being my expertise. I think about issues such as authentication, authorization, roles, encryption, hashing, CAS, and so on, rather than the wider security issues. It's useful to know the big picture as best you can to improve the particular focus of your own security work.

(2) An opportunity to learn. Everyone learns something new on each engagement they go into. It's easier to learn when you understand some of the complex fundamentals; I have been discovering that recently with Design Patterns. Each level becomes a platform because of the higher-level meaning you can give to the complexity underneath, and you can concentrate on the new bits, such as algorithmic issues, user processes, data, parameters and so on. Once you know how to do encryption properly, you can learn from the new ways people apply it in real applications; that's when the fun begins.

Anyway, Active Directory Application Mode (ADAM) is a lightweight version of Active Directory with simplified LDAP support. LDAP, along with ADSI, is something I used with Site Server many years ago, later with Active Directory and of course ADAM in some utility applications. It's an interesting product and, to be honest, there is not a whole lot to it; the DirectoryServices namespace will give me what I need.

The interesting thing, however, and something I saw a lot with ADSI, was how badly it was used. Something I saw more than once was a COM DLL with ADSI code running in Component Services under a privileged account. So anyone able to compromise that could then create, modify and delete any user in the directory. Typically the front end was a simple web application; I really don't think people "got" just what you could do with these simple interfaces.

I remember I once wrote some code just to demonstrate how easy it was to enumerate an AD and show some user information. A dictionary attack would have been interesting, but it was a political organization and I would probably have been kicked out for demonstrating such a thing... at least publicly :) With security it seems no one cares until something happens.

On a lighter note, Scotland play the U.S. at football (soccer) in an hour or so... apparently the US are now quite good at the game. Unfortunately we have gotten worse, although recently there has been a turnaround. Still, I'll not hold my breath...
