Wednesday, April 21, 2004 - Posts
I'm a regular Windows user (at work and at home) but I also use other operating systems like Linux (I did my engineering thesis on Linux some years ago). I appreciate Linux (for me it's a very interesting OS), but I hate the Linux fans who say that "Linux is better than Windows", "Linux is more secure than Windows" or "Linux is more innovative than Windows"... However, I can understand the fans of an OS (it's something like the fans of a football team).
What bothers me is something like what I've just read on ZDNet.
Matt Asay, Novell's director of Linux Business Office, said at the Linux User and Developer Expo 2004 in London that Linux threatened the proprietary software industry with innovation, rather than extinction, and accused companies such as Microsoft of failing to come up with exciting new applications.
Statements like "When was the last time that Microsoft Office got significantly better? It's been pretty much the same product for a while now" or "As things stand, creativity has gone, and that's one reason that Linux on the desktop makes sense. It'll be good for Microsoft, too. They won't like it, but it will force them to innovate" seem a little bit arrogant...
This is something I've seen today at a customer. They have only an Administrator account on their Windows machines and they use this account for all possible tasks.
I don't agree with this choice. You shouldn't use the Administrator account to perform all your tasks. In this case "Unix Docet": you should have an Administrator account and a User account for everyday use.
The best way is to use the User account for the normal use of your machine and the Administrator account only when you need to do tasks that require administrative privileges.
When you need to perform this type of task you can also use the Runas command, which limits the administrative privileges to the task you're running (the same thing you do on Unix with the su command).
By typing something like:
runas /user:<local machine>\administrator MyTask
or
runas /user:administrator@<domain name> MyTask
you run a task with local administrative privileges and with domain administrative privileges respectively.
Having only the Administrator account is (in my opinion) dangerous... I don't want to imagine what could happen if a secretary at my customer logs in to the server with the Admin account and starts working...
In recent days I've mentioned the SQL Injection attack against a big Italian site, and I've also pointed out a simple site, which I received via email from a friend, that seems ready to be hacked.
SQL Injection is a common type of attack against sites that use databases, and you have to be ready to prevent these attacks.
My personal advice for preventing SQL Injection attacks is the following:
- Test every possible user input well and check that no dangerous code can be injected into your SQL instructions.
- Look at the URLs that receive parameters (something like http://www.mysite.com/index.asp?id=1 ) and check for possible dangerous parameters.
- If possible, escape all single quotes (send the character to the SQL database preceded by a backslash (\) character to indicate that the character is not to be interpreted by the server but just included as part of a string).
- If you have TextBoxes where users enter text (and you pass this text to SQL queries), set the MaxLength property of these TextBoxes so that a user cannot enter more than the maximum number of necessary characters.
- Check the characters entered in the TextBox: they must be characters that are allowed for your application.
- Filter out characters like single quote, double quote, slash, backslash, semicolon, extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from URL
- Values from cookies
- If you have a numeric value, convert it to an Integer or check that it's an Integer (using something like IsNumeric) before putting it into the SQL statement.
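As an added example (not code from the original post, and not from the sites it mentions), here are the checks from the list above in Python, using Python's built-in sqlite3 as a stand-in for SQL Server; the table name, columns and rows are constructed for the demo. The point is the contrast between a query built by string concatenation and one that binds the value as a parameter: the first can be rewritten by an input containing a quote, the second cannot, whatever the input contains. Two caveats a practitioner will want: the character allow-list is safer than a deny-list of "bad" characters, and in T-SQL a single quote inside a literal is escaped by doubling it (the backslash form belongs to other databases), so if you escape by hand on SQL Server, double the quote, and prefer parameters anyway.

```python
import re
import sqlite3

# Constructed sample rows standing in for the customer's table (assumption).
ROWS = [(1, "alice", "public"), (2, "bob", "public"), (3, "carol", "restricted")]


def _connect():
    """In-memory sqlite3 database with the constructed 'docs' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", ROWS)
    return conn


def find_public_docs_vulnerable(owner):
    """'Before' case: the request parameter is pasted into the SQL text, so a
    value containing a quote and a comment marker rewrites the WHERE clause
    and the 'restricted' row leaks."""
    conn = _connect()
    sql = "SELECT id FROM docs WHERE owner = '" + owner + "' AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql)]


def find_public_docs_safe(owner):
    """Hardened case: the value is bound as a parameter and is never parsed
    as SQL, so the same input simply matches no owner."""
    conn = _connect()
    sql = "SELECT id FROM docs WHERE owner = ? AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql, (owner,))]


def parse_id(value):
    """The IsNumeric-style check for a URL parameter such as index.asp?id=1:
    accept only an optional sign followed by digits; return int or None."""
    if value is None or not re.fullmatch(r"-?\d{1,9}", value.strip()):
        return None
    return int(value)


def check_textbox(text, max_length, allowed=r"[A-Za-z0-9 ._@-]*"):
    """Length limit (what the MaxLength property enforces client-side, checked
    again on the server) plus an allow-list of characters."""
    return len(text) <= max_length and re.fullmatch(allowed, text) is not None


def escape_tsql_literal(text):
    """Fallback only: a single quote inside a T-SQL string literal is escaped
    by doubling it. Use parameters instead wherever the driver allows."""
    return text.replace("'", "''")


if __name__ == "__main__":
    probe = "x' OR 1=1 --"  # constructed test input
    print(find_public_docs_vulnerable(probe))  # all three ids, restricted row included
    print(find_public_docs_safe(probe))        # []
    print(parse_id("7"), parse_id("7 OR 1=1"))  # 7 None
    print(check_textbox("john.doe@example.com", 50), check_textbox("a'b", 50))
```

Run it as a script to see the two queries side by side; the same functions can be reused as the server-side validation layer for the request parameters, cookies and TextBox values listed above.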
These are small pieces of advice for your application, but there are also some things that are good to do at the SQL Server level.
The default installation of SQL Server runs as SYSTEM, the equivalent of Administrator level in Windows. An attacker could use stored procedures like master..xp_cmdshell to perform remote execution (by injecting strings like '; exec master..xp_cmdshell '............'-- into your SQL query).
What you can do is:
- Run your SQL Server using a low-privilege account.
- Delete the stored procedures that you are not using (like master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask).
I hope this post can be a small alert to check your applications.