473,322 Members | 1,846 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

Securing Code On My Laptop

I develop Web applications locally on my Windows XP (SP1) laptop using
Visual Studio. My company is concerned about security, especially if
the laptop is compromised, so I should either encrypt all files on my
computer using the Encrypting File System (EFS) or I should get the
code off my computer.

I tried to encrypt the wwwroot directory but I get a popup when running
a project that says "Error while trying to run project: Unable to start
debugging on the web server. Server side-error occurred on sending
debug HTTP request." When I view the Event Log I see an error that
says "Failed to execute request because the App-Domain could not be
created. Error: 0x80070005 Access is denied."

So clearly the system does not like the files to be encrypted. Has
anyone successfully encrypted using EFS and run projects? Are there
any other ideas about how to solve this problem? I can see only one
other answer, and that is to put the code on a network server and
develop remotely as described in the semi-isolated section of
http://msdn.microsoft.com/library/de...l/tdlg_ch2.asp.

Nov 19 '05 #1
9 1309
WJ

"Brian Russell" <zz*****@hotmail.com> wrote in message
news:11**********************@f14g2000cwb.googlegr oups.com...
I develop Web applications locally on my Windows XP (SP1) laptop using
Visual Studio.
Are the projects big? Howmany are there ?
My company is concerned about security, especially if
the laptop is compromised
Give it a complex password and patch it. Do not connect to internet, only do
it when you are inside your company FW.
so I should either encrypt all files on my
computer using the Encrypting File System (EFS) or I should get the
code off my computer.


I would stay away from this. If you ever lose your key and or forget the PW,
you lose the whole thing. I use pkzip (pkware suite) to zip each project.

In short, Laptop machines are alway vulnerable to theft! If your projects
are that sensitive, better do them inside your company desktop. Not laptop.
You can be abducted for ransom!

John
Nov 19 '05 #2
Thanks for the response. Maybe I should have clarified. The laptop is
my computer at work. I, like other employees, bring it home all the
time to surf or do work. In addition, we will patch with SP2 soon.
Whether a project is sensitive or not, I don't really have a choice: I
must either encrypt or get it off my PC. The same holds true for any
file on my computer.

I'm not sure how using pkzip will help me. I need to develop an
application, and if the code is zipped it would be in an unusable
format.

Nov 19 '05 #3
One solution would be to develop on a seperate server, and have remote
access of some form to develop when you are at home.

"Brian Russell" <zz*****@hotmail.com> wrote in message
news:11**********************@g49g2000cwa.googlegr oups.com...
Thanks for the response. Maybe I should have clarified. The laptop is
my computer at work. I, like other employees, bring it home all the
time to surf or do work. In addition, we will patch with SP2 soon.
Whether a project is sensitive or not, I don't really have a choice: I
must either encrypt or get it off my PC. The same holds true for any
file on my computer.

I'm not sure how using pkzip will help me. I need to develop an
application, and if the code is zipped it would be in an unusable
format.

--
I am using the free version of SPAMfighter for private users.
It has removed 2915 spam emails to date.
Paying users do not have this message in their emails.
Try www.SPAMfighter.com for free now!
Nov 19 '05 #4
Brian,

It's possible, but it's a wee bit of a pain. First, you'll need to create
an EFS certificate for the ASPNET user. The simplest way to do this is by
calling the EncryptFile function from advapi32.dll on a throw-away file via
p/invoke from within an aspx page run in the ASPNET user context.

Once the ASPNET user has an EFS certificate, each encrypted file it needs to
use must be shared appropriately. You can do this manually as described at
http://www.microsoft.com/resources/d...b_efs_ntta.asp,
but that's probably way too painful to do on a file-by-file basis. Instead,
you'll probably want to call AddUsersToEncryptedFile (also in advapi32.dll)
to automate addition of the ASPNET user to all the files in your project
folder. Unfortunately, I don't know of any existing managed wrappers for
the relevant Windows API functions, so you'll probably need to roll your
own.

BTW, you might also want to account for the fact that files will be copied
to the <Windows>\Microsoft.NET\Framework\<version>\Tempor ary ASP.NET Files
folder when you run your web app, so it might also be a good target for
encryption.

HTH,
Nicole


"Brian Russell" <zz*****@hotmail.com> wrote in message
news:11**********************@f14g2000cwb.googlegr oups.com...
I develop Web applications locally on my Windows XP (SP1) laptop using
Visual Studio. My company is concerned about security, especially if
the laptop is compromised, so I should either encrypt all files on my
computer using the Encrypting File System (EFS) or I should get the
code off my computer.

I tried to encrypt the wwwroot directory but I get a popup when running
a project that says "Error while trying to run project: Unable to start
debugging on the web server. Server side-error occurred on sending
debug HTTP request." When I view the Event Log I see an error that
says "Failed to execute request because the App-Domain could not be
created. Error: 0x80070005 Access is denied."

So clearly the system does not like the files to be encrypted. Has
anyone successfully encrypted using EFS and run projects? Are there
any other ideas about how to solve this problem? I can see only one
other answer, and that is to put the code on a network server and
develop remotely as described in the semi-isolated section of
http://msdn.microsoft.com/library/de...l/tdlg_ch2.asp.

Nov 19 '05 #5
Wee bit is an understatement. I assumed that the access denied error
was because the ASPNET user was trying to access encrypted files of
mine. And you are right about temporary files. My solution has a
class library project located in the My Documents\Visual Studio
Projects folder, and when that is encrypted (and the Web project is
not) I get a message similar to what happens when Index Services is
stepping on the temporary files
(http://support.microsoft.com/default...;en-us;329065).

Another problem is that I'm not the only developer, and we would all
need to do this on our machines. That would be a pretty tough sell.
I'm guessing that Microsoft just didn't intend for developers to
encrypt code.

Thank you very much for the insight. I'm still leaning towards
semi-isolated development to get the code off our laptops and onto a
server, although I'm not looking forward to that.

Nov 19 '05 #6
"Brian Russell" <zz*****@hotmail.com> wrote in message
news:11**********************@o13g2000cwo.googlegr oups.com...
Wee bit is an understatement.
Yes and no. There's a one-time investment in coding the EFS sharing, but
after that the trouble should be pretty minimal since you would be able to,
for example, run the sharing code from a post-build event in VStudio.

I assumed that the access denied error
was because the ASPNET user was trying to access encrypted files of
mine. And you are right about temporary files. My solution has a
class library project located in the My Documents\Visual Studio
Projects folder, and when that is encrypted (and the Web project is
not) I get a message similar to what happens when Index Services is
stepping on the temporary files
(http://support.microsoft.com/default...;en-us;329065).
I'm guessing that the class library project folder would presumably also
need to be EFS-shared with the ASPNET account.

Another problem is that I'm not the only developer, and we would all
need to do this on our machines. That would be a pretty tough sell.
The amount of friction added to the dev process would probably be fairly
minimal if you code up the EFS-sharing properly. However, there would still
be some additional steps added to at least the project creation process.
There is also pain inherent in working with a remote code base, as you'll
quickly discover if you attempt that approach.

I'm guessing that Microsoft just didn't intend for developers to
encrypt code.
This is far from the only situation in which EFS sharing causes
inconvenience. What I find a bit odd is that there's no mechanism in place
for specifying sharing at the folder level rather than the file level, which
would alleviate a great deal of the user pain in such scenarios.

Thank you very much for the insight. I'm still leaning towards
semi-isolated development to get the code off our laptops and onto a
server, although I'm not looking forward to that.


I'd recommend making a quick trial before you invest too much time in the
approach. It has the obvious problem of making it inconvenient to work on
code when offline (which is presumable part of the point of issuing laptops
to developers in the first place <g>). However, you'll also discover that
there are code access security issues to be addressed which will probably
involve applying CAS policy mods to all the dev laptops. Depending on how
strict you are about how you structure CAS policy, you might end up applying
separate policy additions for each project/solution. This would probably be
almost as painful as enabling EFS sharing (minus the initial sharing code
development), so it's unlikely to be worth the trade-off against permitting
offline development.
Nov 19 '05 #7
Nicole Calinoiu wrote:
Brian,

It's possible, but it's a wee bit of a pain. First, you'll need to
create an EFS certificate for the ASPNET user. The simplest way to
do this is by calling the EncryptFile function from advapi32.dll on
a throw-away file via p/invoke from within an aspx page run in the
ASPNET user context.


I understand why ASPNET would need a certificate, but would the fact that
ASPNET can now access those files also compromise security?
Would it be possible to use that account to get at files (dll's at least,
maybe even .cs/.vb files) ?

Hans Kesting

Nov 19 '05 #8
Unless they're downloadable via the web UI, this wouldn't really cause any
more exposure than the accessibility via the developer's user account.
Since one wouldn't typically allow such files to be downloaded via a web
interface in a security-conscious environment (and it's not possible under
the default configuraiton either), this is unlikely to be a point of
additional risk. Was there some other approach that you thought might be
used to access the files via the ASPNET account?

"Hans Kesting" <ne***********@spamgourmet.com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...
Nicole Calinoiu wrote:
Brian,

It's possible, but it's a wee bit of a pain. First, you'll need to
create an EFS certificate for the ASPNET user. The simplest way to
do this is by calling the EncryptFile function from advapi32.dll on
a throw-away file via p/invoke from within an aspx page run in the
ASPNET user context.


I understand why ASPNET would need a certificate, but would the fact that
ASPNET can now access those files also compromise security?
Would it be possible to use that account to get at files (dll's at least,
maybe even .cs/.vb files) ?

Hans Kesting

Nov 19 '05 #9
WJ
"Simon Harris" <to***********@makes-you-fat.com> wrote in message
news:ON**************@TK2MSFTNGP12.phx.gbl...
One solution would be to develop on a seperate server, and have remote
access of some form to develop when you are at home.


Developing systems over internet and or remote is not very safe. I would
rather have a Laptop lockup very well, develope the system, then bring it in
and dump to the server behind FW. I have 5 projects, I simply zip them with
complex PW, then bring the zips in and unzip them. Very simple.

John

Nov 19 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

17
by: David McNab | last post by:
Hi, I'm writing a web app framework which stores pickles in client cookies. The obvious security risk is that some 5cr1p7 X1ddi35 will inevitably try tampering with the cookie and malforming...
2
by: James | last post by:
What's the best way of securing online databases and web services? At present I am using a database password, which of course is not hard-coded into the web service, but this means re-submitting it...
1
by: penguin732901 | last post by:
I have never had a need to use Access' built in security. Now a client has requested that one particular table be available only to a specific user. (It happens to be information that's really...
11
by: Wm. Scott Miller | last post by:
Hello all! We are building applications here and have hashing algorithms to secure secrets (e.g passwords) by producing one way hashes. Now, I've read alot and I've followed most of the advice...
1
by: romy | last post by:
Hi I'm about to turn a public website into a secure members only website (after paying registration fee). I assume all I need for that purpose is to save users' information in an XML file and...
1
by: Mark Goosen | last post by:
Hi ive installed wse 2.0 SP3 and was running throught the demo downlaoded on the Securing the Username Token with WSE 2.0 page the Securing the Username Token with WSE 2.0. Im spose to change...
3
by: Marty | last post by:
Hi, My main application is calling a couple of dll assembly that we made. I want to secure those dll assembly so they can't be used by a third party. I did a couple of test with on both...
4
by: KJ | last post by:
Hello All, I have to secure my first real B2B web service. Could you please provide some guidance as to which method of security I should use. One caveat is that we will not be using SSL on the...
10
by: Les Desser | last post by:
In article <fcebdacd-2bd8-4d07-93a8-8b69d3452f3e@s50g2000hsb.googlegroups.com>, The Frog <Mr.Frog.to.you@googlemail.comMon, 14 Apr 2008 00:45:10 writes Not sure if I quite follow that. 1....
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.