Three positive things, day fifty seven (catching up)


(posting a few days late)

Today was Wednesday and that meant...

The first positive thing was Kian picking up a potato from a box of spuds his mum had brought home from the store, and then just running around the house with it. I don't know whether to blame that on some genetic memory of his Irish heritage that tells him potatoes are important, or he was just being a toddler, but either way.. lol!

The second positive thing was doing a security release for a Drupal plugin/module I maintain. I'm always impressed by how much emphasis the Drupal community places on security, and it's always a pleasure to be a part of it.

The third positive thing was going bowling with my friend and coworker, Matt Goodwin, and our families. We actually focused even less on the bowling this time than we did last time, but we still had fun.

How to spot a site that stores plaintext passwords


Here's a screenshot of the password requirements for a site. There's one really suspect thing about it that suggests the passwords are stored in plain text in the database instead of being hashed: there's a limit on the password length. The instructions say the password must be no more than 14 characters long. Were it stored properly, as a salted, slow hash, the stored value would be a fixed-size digest no matter how long the input is, so there would be no storage reason to reject a longer password. (A cap can also come from a legacy column width or from another system the site has to interoperate with, so treat it as a strong hint rather than proof; the only cap a hashed scheme needs is a generous one, in the hundreds of characters, to bound hashing cost.) While I applaud them for accepting non-alphanumeric aka "special" characters, needlessly limiting the length is a step backwards.
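As an added example (my illustration, not code from the site in the screenshot or from this post), here is what proper storage looks like in Python: a salted PBKDF2 hash whose stored record is the same size for a 13-character password and a 116-character one, plus a policy check whose only upper bound is a generous one that caps hashing cost. The iteration count, salt size and length limits are assumptions chosen for illustration, as are the sample passwords.

```python
"""Added example: password storage that has no reason to cap length at 14."""
import hashlib
import hmac
import os
from typing import Optional

MIN_LEN = 8
MAX_LEN = 1024            # assumption: bounds hashing CPU time, not storage
ITERATIONS = 200_000      # assumption: illustrative PBKDF2 work factor
SALT_BYTES = 16


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if len(password) < MIN_LEN:
        return f"must be at least {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return f"must be at most {MAX_LEN} characters"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The digest is always 32 bytes, however long the password was, so the
    database column holding it never needs to know the input length.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False                      # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def stored_length(password: str) -> int:
    """Size of the record that would go in the database for this password."""
    return len(hash_password(password))


if __name__ == "__main__":
    # constructed sample passwords: one inside the 14-character cap, one well past it
    short_pw = "Tr0ub4dor&3!!"
    long_pw = "correct horse battery staple " * 4
    print(check_policy(short_pw), check_policy(long_pw))      # None None
    print(stored_length(short_pw), stored_length(long_pw))    # same size either way
    record = hash_password(long_pw)
    print(verify_password(long_pw, record), verify_password(short_pw, record))  # True False
```

The stored record only ever grows with the algorithm's parameters, never with the password, which is why a 14-character ceiling is the wrong kind of limit; the 1024-character ceiling exists only so that a client cannot make the server grind through PBKDF2 on a multi-megabyte input.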

All IE8 security settings


There are occasions when Internet Explorer (IE) has problems with JavaScript or plugins that at least partly stem from the browser's security level; for example, it can stop Drupal's Ubercart e-commerce module from letting IE users check out (a bad thing). For those occasions, here are all of the IE8 security settings listed in a single table in all their gory detail.

To see them go to the Tools menu, click Internet Options, then the Security tab, then Custom level to see how each setting is adjusted for the selected security level.

IE Security Settings
Setting | Medium (default) | Medium-High | High
.NET Framework
Loose XAML | enable | enable | disable
XAML browser applications | enable | enable | disable
XPS documents | enable | enable | disable
ActiveX controls and plug-ins
Allow previously unused ActiveX controls to run without prompt | enable | disable | disable
Allow scriptlets | disable | disable | disable
Automatic prompting for ActiveX controls | disable | disable | disable
Binary and script behaviors | enable | enable | disable
Display video and animation on a webpage that does not use external media player | disable | disable | disable
Download signed ActiveX controls | prompt (recommended) | prompt (recommended) | disable
Download unsigned ActiveX controls | disable (recommended) | disable (recommended) | disable (recommended)
Initialize and script ActiveX controls not marked as safe for scripting | disable (recommended) | disable (recommended) | disable (recommended)
Only allow approved domains to use ActiveX without prompt | disable | enable | enable
Run ActiveX controls and plug-ins | enable | enable | disable
Script ActiveX controls marked safe for scripting | enable | enable | disable
Downloads
Automatic prompting for file downloads | disable | disable | disable
File download | enable | enable | disable
Font download | enable | enable | disable
Enable .NET Framework setup | enable | enable | disable
Miscellaneous
Access data sources across domains | disable | disable | disable
Allow META REFRESH | enable | enable | disable
Allow scripting of Microsoft web browser control | enable | disable | disable
Allow script-initiated windows without size or position constraints | disable | disable | disable
Allow webpages to use restricted protocols for active content | prompt | prompt | disable
Allow websites to open windows without address or status bars | enable | disable | disable
Display mixed content | prompt | prompt | prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists | disable | disable | disable
Drag and drop or copy and paste files | enable | enable | prompt
Include local directory path when uploading files to a server | enable | disable | disable
Installation of desktop items | prompt (recommended) | prompt (recommended) | disable
Launching applications and unsafe files | prompt (recommended) | prompt (recommended) | disable
Launching programs and files in an IFRAME | prompt (recommended) | prompt (recommended) | disable
Navigate windows and frames across different domains | disable | disable | disable
Open files based on content, not file extension | enable | enable | disable
Submit non-encrypted form data | enable | enable | prompt
Use Pop-up Blocker | enable | enable | enable
Use SmartScreen Filter | enable | enable | enable
Userdata persistence | enable | enable | disable
Websites in less privileged web content zones can navigate into this zone | enable | enable | disable
Scripting
Active scripting | enable | enable | disable
Allow Programmatic clipboard access | prompt | prompt | disable
Allow status bar updates via script | enable | disable | disable
Allow websites to prompt for information using scripted windows | enable | disable | disable
Enable XSS filter | enable | enable | enable
Scripting of Java applets | enable | enable | disable
User Authentication
Logon | Automatic logon only in Intranet zone | Automatic logon only in Intranet zone | Prompt for user name and password

FYI these were read from IE8 on a Windows XP SP3 virtual machine; the defaults may differ on other versions of Windows.

Why I don't use Cygwin for SFTP


In the UNIXy (UNIX, BSD, Linux, OSX) world secure file transfers have been the norm for years, thanks in part to the standardization on SSH as the security protocol, due to both its simplicity and its power. Windows, on the other hand, has never treated security as a very important feature, as evidenced by the elaborate route someone must take to handle SSL in IIS.

As a stop-gap measure many people have started to use the UNIX compatibility layer Cygwin, which is a wonderful system that lets you run and/or compile UNIX software on Windows. One of Cygwin's many available software packages is OpenSSH, the de facto standard SSH daemon in the UNIXy world, so by using Cygwin you can set up SSH for your Windows server. There's just one problem: it doesn't work well.

The problem with SSH, or indeed any UNIXy compatibility layer, on Windows is the age-old problem that the traditional UNIXy file and directory security model is completely different from what Windows provides.

UNIX file security is based on setting the Read, Write and eXecute (thus RWX) status on any given file for you (aka the User), anyone in your Group (or, more specifically, the file's assigned group) and the Other users on the computer (thus UGO). As an example, if a file allows all three (UGO) to Read and Write then anyone who has access to the machine can open and change it. A common way to list these settings is as octal values: Read is 4, Write is 2 and eXecute is 1, with the numbers added together for each class of user, so the common setting of U=RWX,GO=RX becomes 755.

Windows file security is based on Access Control Lists (ACLs), which are basically lists of individual users and groups and their associated permissions. Rather than restricting you to assigning permissions at three levels (UGO), you are free to decide which groups and users can do what to your files. This gives a great amount of flexibility, as you can more easily mix 'n match security groups and group memberships. An example might be allowing both the Executive and IT groups to read a reports directory but only Accounting to modify files there.

As you can guess, there are going to be issues trying to superimpose the UNIX UGO-style permissions on top of Windows' ACLs, and there are.

When Cygwin is first installed it grabs a copy of the current user and group settings from Active Directory (or from your local computer, if you aren't in a domain) and saves them out as /etc/passwd and /etc/group in the standard UNIX format.

The first issue with this system is that every time the user groups and user accounts change you have to re-import the account settings. While, yes, you can create a cron job to automate this, the problem gets worse ...

The next issue is that it doesn't correctly handle the user's primary group, mainly because Windows doesn't have such a thing, so instead it assigns all users to an invalid group. Now, on top of having to automate synchronizing with the Windows accounts system, you have to work out how to put users into their proper groups so that their files are properly accessible.

There's another problem: when you log in through SFTP, any files uploaded have their permissions set incorrectly. Thankfully there's a way of fixing this using a kludge to override the SFTP defaults, but who likes kludges?

The problem gets worse with directories: all directories created are assigned the default group listed, and coupled with the file permissions problem it leaves your directory structure such that only the original user can view files in the new directory. And no, there's no way to fix it using SFTP; you need to log in with a full shell session to run chown on the directory in question, not something you want your average non-technical designer doing on your production web server.
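As an added example (my illustration, not Cygwin's or OpenSSH's code), here is the UGO/RWX arithmetic from the permissions paragraph above and the directory problem just described, in Python: symbolic modes go to octal and back, and a small umask calculation shows how a newly created directory can end up readable only by its owner. The umask values are constructed for illustration and are not Cygwin's actual SFTP defaults; the group-ownership fix the post mentions (chown) is a separate step that mode bits alone cannot express.

```python
"""Added example: UNIX UGO/RWX modes, octal conversion and the umask effect."""
import stat

CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}   # bit offset of each permission class
PERM_BITS = {"r": 4, "w": 2, "x": 1}     # Read=4, Write=2, eXecute=1, as in the post


def symbolic_to_mode(spec: str) -> int:
    """'u=rwx,go=rx' -> 0o755. Classes: u, g, o, or a for all three."""
    mode = 0
    for clause in spec.lower().replace(" ", "").split(","):
        who, sep, perms = clause.partition("=")
        if not sep or not who:
            raise ValueError(f"bad clause {clause!r}")
        bits = 0
        for p in perms:
            bits |= PERM_BITS[p]            # KeyError on anything but r/w/x
        for c in ("ugo" if who == "a" else who):
            mode |= bits << CLASS_SHIFT[c]
    return mode


def mode_to_string(mode: int, is_dir: bool = False) -> str:
    """0o755 -> 'rwxr-xr-x' (ls style; the leading 'd' is kept for directories)."""
    full = (mode & 0o777) | (stat.S_IFDIR if is_dir else stat.S_IFREG)
    text = stat.filemode(full)
    return text if is_dir else text[1:]


def create_mode(requested: int, umask: int) -> int:
    """What open()/mkdir() actually grant: the requested bits minus the umask."""
    return requested & ~umask & 0o777


def group_can_enter(dir_mode: int) -> bool:
    """A group member needs both r (to list) and x (to traverse) on a directory."""
    return dir_mode & 0o050 == 0o050


if __name__ == "__main__":
    print(oct(symbolic_to_mode("U=RWX,GO=RX")))        # 0o755, as in the post
    # Constructed umasks, not Cygwin's real defaults: a restrictive umask turns
    # a requested 0777 directory into 0700, which only the owner can enter.
    for umask in (0o022, 0o077):
        got = create_mode(0o777, umask)
        print(oct(umask), mode_to_string(got, is_dir=True), group_can_enter(got))
```

Running it shows the two halves of the problem side by side: the bits say whether a class of user may enter the directory, and a restrictive umask at creation time is enough to lock the group out even before the wrong-group ownership issue is considered.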

So, combine the four problems above and you end up with a really messy system that ultimately just doesn't work cleanly.

It is for the above hassles that at work we've paid hard cash for VanDyke's VShell SSH server, which works wonderfully well, by the way.

Free backup app - Genie Games Backup


Despite its name, Genie Games Backup is a general-purpose backup utility for Windows that lets you back up any files you want, either manually or on an automatic schedule. Their commercial products work wonders, and I'm personally amazed they're giving away something so fully fledged for free. Well worth trying out if you don't already have a backup utility.

