More security steps to secure your Facebook profile

I thought I had secured my Facebook profile by doing the following steps, but I was wrong.

1. Change “Privacy Settings”.
2. Turn on “Account Security”.

As mentioned above, I have locked down my “Privacy Settings” to a friends-only list and changed “Account Security”. I think this is not enough.

Sometimes you add people to your Facebook because you met them once, got a Facebook friend invitation from them and do not want to be rude by not accepting it. You are also not comfortable sharing your family photo album or wall messages with them. What do you do?

Your ‘Once met and do not trust’ friends in Facebook can also share your photo albums on their wall, which will give access to all their friends. You may not know your friend’s friends, or you may not want to share your family album. What do you do?

In short, create a new list under friends, add only people you trust, go to various “Privacy Settings” and give access to only the new list you created.

See the detailed steps below:
1. Log in to Facebook.
2. Go to Account/Edit Friends and click on the “Create List” button.
3. Add all the people you trust to that list.
4. Go to Privacy Settings/Customize Settings. Click on the drop-down box and select ‘Custom’.
5. The “Custom Privacy” dialogue box will appear. In the ‘These people’ drop-down box, select ‘Specific People’.
6. In the text box below, type the name of the new custom trusted friend list you created.
7. Repeat from step 4 for the other privacy settings, e.g. albums, website, applications, block list, etc.

Now, if your boss sends you a Facebook friend request, you can accept without hesitation and simply not add him/her to your custom friend list. Your boss will only see things which the default Facebook friend list has access to.


Posted in Security

Web Config Encryption/Decryption in Framework 4.0

The RSAProtectedConfigurationProvider is the default protected configuration provider. It supports machine-level and user-level key containers for key storage. RSA machine key containers are stored in “C:\Documents and Settings\All users\Application data\Microsoft\Crypto\RSA\MachineKeys” in Windows Server 2003. The default ‘keyContainerName’ for RSAProtectedConfigurationProvider in machine.config is called ‘NetFrameworkConfigurationKey’ (it’s good practice to change it on production servers).

To encrypt a web.config file with Framework 4.0 I have used the following steps:

1. Find the location of the root web folder. In this case it’s “D:\Inetpub\wwwroot\DemoWebsite”.
2. Create an RSA key pair in ContainerName. Modify the web.config in the root folder of the DemoWebsite by adding the following sub-section within the configuration tag section. I have modified the keyContainerName to “DemoWebsiteConfigurationKey” and the provider name to “DemoWebsiteRSAProtectedConfigurationprovider”.

<configProtectedData>
<providers>
<add keyContainerName="DemoWebsiteConfigurationKey"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
name="DemoWebsiteRSAProtectedConfigurationprovider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</configProtectedData>

Note: The default keyContainerName lives in machine.config (usually in C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\CONFIG), where we would find the section shown below. We do not want to modify the default machine.config, so create a configProtectedData tag in the DemoWebsite’s web.config file instead.

<configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
<providers>
<add name="RsaProtectedConfigurationProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
keyContainerName="NetFrameworkConfigurationKey"
cspProviderName=""
useMachineContainer="true"
useOAEP="false" />
<add name="DataProtectionConfigurationProvider"
type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
description="Uses CryptProtectData and CryptUnProtectData Windows APIs to encrypt and decrypt"
useMachineProtection="true"
keyEntropy="" />
</providers>
</configProtectedData>

3. Windows > Run > cmd. If you are using Framework 4.0, then go to the folder C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319. Run the command below to create the RSA cryptographic key container called “DemoWebsiteConfigurationKey”:

aspnet_regiis -pc "DemoWebsiteConfigurationKey" -exp

4. Grant access to the key container by the default asp.net account:

aspnet_regiis -pa "DemoWebsiteConfigurationKey" "NT Authority\Network Service"

Note: If you do not do this step you might see this error “Failed to decrypt using provider ‘RsaProtectedConfigurationProvider’. Error message from the provider: The RSA key container could not be opened”

5. Back up the web.config file, just in case. To encrypt the connection strings, type the command below and press Enter.

aspnet_regiis.exe -pef "connectionStrings" "D:\Inetpub\wwwroot\DemoWebsite" -prov "DemoWebsiteRSAProtectedConfigurationProvider"

6. To encrypt appSettings, type the command below and press Enter.

aspnet_regiis.exe -pef "appSettings" "D:\Inetpub\wwwroot\DemoWebsite" -prov "DemoWebsiteRSAProtectedConfigurationProvider"

Now if you want to modify your web.config, you have to decrypt it first using the steps below, then modify it and encrypt it again. To decrypt I did the following:

1. Windows > Run > cmd.
2. Go to the folder C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319.
3. Find the location of the root web folder. In this case it’s “D:\Inetpub\wwwroot\DemoWebsite”.
4. To decrypt the connection strings, type the command below and press Enter.

aspnet_regiis.exe -pdf "connectionStrings" "D:\Inetpub\wwwroot\DemoWebsite"

5. To decrypt appSettings, type the command below and press Enter.

aspnet_regiis.exe -pdf "appSettings" "D:\Inetpub\wwwroot\DemoWebsite"
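
A check to run after the encryption steps, or after a decrypt, edit and re-encrypt cycle, to confirm that no section was left in plaintext and that the custom key container is in use. This is an added example, not code from the original post: the function name audit_web_config and the sample documents are constructed here, while the provider and key container names are the ones used above (compared without regard to case, since the post spells the provider name both ways).

```python
import xml.etree.ElementTree as ET

ENC = "{http://www.w3.org/2001/04/xmlenc#}"  # XML Encryption namespace
DEFAULT_CONTAINER = "NetFrameworkConfigurationKey"  # machine.config default
SECTIONS = ("connectionStrings", "appSettings")  # sections encrypted on this page

def audit_web_config(xml_text, expected_provider):
    """Return findings for sections left unprotected; [] means all good."""
    root = ET.fromstring(xml_text)
    # Provider name (lower-cased) -> keyContainerName declared in this file.
    containers = {p.get("name", "").lower(): p.get("keyContainerName")
                  for p in root.findall("configProtectedData/providers/add")}
    findings = []
    for name in SECTIONS:
        sec = root.find(name)
        if sec is None:
            continue  # section absent from this file
        provider = (sec.get("configProtectionProvider") or "").lower()
        cipher = sec.find(f"{ENC}EncryptedData/{ENC}CipherData/{ENC}CipherValue")
        leftovers = [c for c in sec if not c.tag.startswith(ENC)]
        if not provider or cipher is None or not (cipher.text or "").strip():
            findings.append(f"{name}: stored in plaintext")
        elif leftovers:
            findings.append(f"{name}: plaintext elements beside EncryptedData")
        elif provider != expected_provider.lower():
            findings.append(f"{name}: unexpected provider")
        elif containers.get(provider) in (None, DEFAULT_CONTAINER):
            findings.append(f"{name}: no custom key container declared")
    return findings

# Constructed samples: names follow the page, all values are placeholders.
PROVIDERS = """<configProtectedData><providers>
  <add name="DemoWebsiteRSAProtectedConfigurationProvider"
       keyContainerName="DemoWebsiteConfigurationKey" />
</providers></configProtectedData>"""
BEFORE = f"""<configuration>{PROVIDERS}
  <connectionStrings><add name="Db" connectionString="PLACEHOLDER" /></connectionStrings>
  <appSettings><add key="k" value="v" /></appSettings>
</configuration>"""
AFTER = f"""<configuration>{PROVIDERS}
  <connectionStrings configProtectionProvider="DemoWebsiteRSAProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="k" value="v" /></appSettings>
</configuration>"""
if __name__ == "__main__":
    print(audit_web_config(AFTER, "DemoWebsiteRSAProtectedConfigurationProvider"))
```

The AFTER sample models a run where step 6 was skipped, so the audit reports appSettings as still in plaintext.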


Posted in ASP.NET, Security

How to get rid of Event Viewer errors?

Error:
The description for Event ID ( 0 ) in Source ( Learning Management System ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event:

In registry:
1. Open regedit and go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Learning Management System.
2. If ‘EventMessageFile’ is missing, then the error above is shown in the event log. See the image below.

RegistryKey

Code and solution:
The code below has ‘EventLog.CreateEventSource’, which creates the ‘Learning Management System’ key under ‘HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application’ in the registry and also creates the ‘EventMessageFile’ expandable string value with the details below:
Value name: EventMessageFile
Value data: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll

If the ‘EventMessageFile’ string is missing, it shows the error message above. On my XP machine I do not see the above message because when I run the code it creates the ‘Learning Management System’ key and the EventMessageFile string. If you have manually created the key in the registry on the Windows 2003 server because you are getting a security exception while the application is trying to create the key, then you have to manually create the EventMessageFile string with the above-mentioned details.

// Check whether the ATLAS web services are working
if (reqHTTPGetADFWebServices.StatusCode == 0)
{
    // Check that the Application event log exists
    if (System.Diagnostics.EventLog.Exists("Application"))
    {
        // Check whether the event log source exists
        if (!System.Diagnostics.EventLog.SourceExists("Learning Management System"))
        {
            // Register the source
            System.Diagnostics.EventLog.CreateEventSource("Learning Management System", "Application");
            // The source is created. Exit the application to allow it to be registered.
        }

        // Write a source, message and type entry to the event log.
        System.Diagnostics.EventLog.WriteEntry("Learning Management System",
            "FAILED: ADF web services are not available.",
            System.Diagnostics.EventLogEntryType.Error);
    }
}


Posted in C#