Switch between named SQL Server instances without changing the connection string

SQL Server allows installing multiple copies and multiple versions on the same machine as “named instances”. These are accessed locally with the name “(local)\<instance>” or “.\<instance>” or “localhost\<instance>” where <instance> is the name of the named instance. You can also install exactly one server as the “default” instance which doesn’t require a name. You just connect to (local).

If you want to switch your app between these, you have to change the connection string to the different instance names. It also means that everyone on your team has to use the same instance names or go through some other contortions to isolate the configuration file from source control.

If you aren’t using a default instance, you can make one of the named instances respond to the syntax of a default instance in a connection string. The trick is to use the SQL Configuration Manager to enable TCP/IP on one of your named instances and further configure that instance to accept connections on TCP port 1433.

When you want to switch between instances, you change which of your SQL Server named instances is listening on TCP 1433.

sql-config-mgr

Microsoft: When you have a DVD with room, please bundle your dependencies

I just started an install of Expression Studio 4 from the gold DVD ISO.

Annoyingly, Expression Studio 4 requires .NET Framework 4.0 but—unlike Visual Studio 2010—Expression Sudio doesn’t actually bundle the installer for .NET Framework 4.0.

download-netfx4

Arg! The download is huge.

netfx4-setup

This approach makes total sense if the Expression Studio was actually installed over the net but it isn’t. I have a DVD image and it’s only 40% filled. I wonder if most installation scenarios assumed that Visual Studio 2010 would be installed first? I don’t know but if you want to avoid the extra download time for .NET FX 4.0, install Visual Studio 2010 before Expression Studio 4.0.

Painless NVidia Boot Camp Update on MacBook Pro

NVidia has recently WHQL certified “verde” notebook drivers: 258.96. In the past, drivers from NVidia have refused to install without hacking the INF or waiting for a boot camp update, which happens about once a year.

This time, though the drivers installed happily with no complaint. Woot!

I also grabbed the latest NForce drivers which contain Ethernet, SMBus and Away Mode drivers for my 2009 MacBook Pro Unibody. The SMBus and Away Mode drivers are related to power management. Who knows, maybe they will improve my battery life.

nvidia-ver devmgmt-ver

Online Billing Scary Error

I went to my Vodafone Ghana online billing login and got a big fat scary error:

cert-expired

The SSL certificate is expired. It expired over a month ago:

cert-expired-detail

Now, there’s really not much of a problem here. The certificate is perfectly able to encrypt my connection to the server and it identifies the server as belonging to vodafone.gh. It’s just out of date. Embarrassing for Vodafone but it is actually safe for me to continue.

This is exactly the sort of wolf-crying that teaches people to ignore security warnings that computers throw up. To a normal human that just wants to complete a task, the big red screen looks an awful lot like “Blah, blah, blah, click the ‘Proceed’ button if you want to get your bills paid.”

Cormac Herly has a great paper on the rational rejection of security advice by users where he notes that “fully 100% of certificate error warnings appear to be false positives.” The gist of Herley’s argument is that burdens of understanding and implementing good e-security may not be worth it to people in a rational cost-benefit trade off of the perceived risk versus the value of their time and pain.

Mitigate Stuxnet with Least Privilege and AppLocker

There is a lot of concern about the LNK (shortcut) vulnerability which exists in all current versions of Windows. Basically, viewing a malicious link file or favicon in a web site will cause Windows to execute the malicious code which can be hosted remotely on an SMB network or a WebDAV server on the Internet.The vulnerability is actively being exploited by very sophisticated bad guys and there is no patch available, yet.

So what can be done to mitigate the risk in lieu of a patch?

Microsoft has a “Fixit” solution that involves disabling Windows’ ability to load icons resources on shortcuts. This solution basically makes Windows unusable because all icons in the Start menu and task bar become generic white documents.

The other recommendation is disabling the WebClient service but this breaks integration with Sharepoint and other services based on WebDAV.

I’m not sure why it isn’t being recommended by Microsoft but the AppLocker feature of Windows 7 should provide a robust mitigation without these side-effects.

AppLocker is a policy technology which allows an administrator to define which executables are allowed to run on a computer. The rules can be based on a any combination of trusted paths, file names and cryptographic hashes of files.

Least Privilege

The first step, though is to make sure that your day-to-day account is not anadministrators Administrator. UAC is not really a security boundary. If you are an Administrator it is a warning system to be careful but nothing more. If you are a non-administrator it works to elevate your rights to perform administrative tasks. If your account is in the Administrators group, create another account or enable the built-in Administrator account and remove yourself from the Administrators group.

For example, my main system—which is not joined to a domain—has only the Administrator in the Administrators group. (Be sure to create yourself an administrator account before removing your main account from Administrators or you will lock yourself out of your machine.)

Without Administrator-level privileges, most worms—including the Stuxnet worm exploiting the Windows LNK vulnerability—will fail to deliver its payload. That’s because they usually try to install a rootkit which means installing drivers which requires Administrator privileges. If you don’t have those privileges, the OS can’t be compromised.

Trusted Apps with AppLocker

As worms become more sophisticated, they may find ways to do their work without requiring Administrator privilege. Certainly, Administrator privilege isn’t required in order to steal your personal data because your account has access to personal data. This is where AppLocker comes in. AppLocker creates a concept of trusted applications. Only trusted applications are allowed to run. The default ruleset is pretty good. It simply says that normal users can only execute programs in the Windows directory or the Program Files directory. Those directories have permissions set on them so that only Administrators can put files in there. Hence the applications installed there are trusted.

In order to configure AppLocker, you first need to start the “Application Identity” service and set it to start automatically.

Next use the local security policy editor to configure AppLocker. If you are running as a non-admin, the command-line is this:

runas /user:Administrator "mmc secpol.msc"

Or you can search for “Local Security Policy”, right-click and choose Run as Administrator from the menu. (If you are running as a non-admin, you have to provide a password or smart card for the administrator-level account.)create-default-rules

Navigate to Security Settings | Application Control Policies | AppLocker | Executable Rules. Right-click on Create Default Rules. AppLocker will generate the reasonable set of defaults that I described above.

Unfortunately a few useful application don’t install themselves in Program Files. For example, Google Chrome installed itself on a per-user basis in the application data folder structure of each user. I believe the primary reason it does this is to be able to silently update itself on a least-privilege machine. It also makes it possible for users to install in an enterprise environment where users don’t have administrator privileges. With the default AppLocker settings, Chrome will be blocked from running.

If you want to run Chrome, the simplest solution is to trust the Google signing key and allow any applications published by Google to run.

Right-click on Executable Rules. Choose Create New Rule… Click “Next” through all the screens until you get to the screen asking to browse for an executable. For this purpose, any binary signed by Google will do but I’m going to use chrome.exe. For me, chrome.exe lives in

C:\users\breiter\AppData\Local\Google\Chrome\Application\chrome.exe.

After selecting Chrome.exe, slide the selector up to Publisher and click next until you are allowed to choose create.

publisher

Now we are trusting Google not to let someone steal their signing certificate and do something bad with it. Chrome runs and so do any other executables signed by Google.

Also, anything installed in C:\Program Files or C:\Program Files (x86) or C:\Windows runs.

Windows won’t let any other executables run.

This should posture completely mitigate the Stuxnet attacks because no untrusted code is ever allowed to run.

Developers

AppLocker creates a problem for developers that want to run as a limited-rights user. They won’t be able to execute and debug binaries that they compile!

This problem should primarily affect people creating directly executable code. Dynamic code (perl, python, ruby, vbscript, powerhsell script, etc.) executed by a trusted interpreter will work as will Java class and jar files because they are executed by java.exe or javaw.exe.

The issue is really directly executable Portable Executable (PE) binaries. It doesn’t matter if they are native or managed binaries. AppLocker won’t let them run.

The solution is straightforward. You have to relax the policy enough so that developers can work. The risk is that developers will execute stuff that they shouldn’t or some malware will leverage the knowledge of the location of the developer sandbox. It’s a risk you have to accept.

Put all of your source code into a directory tree and create a rule in AppLocker to allow any executables in there to run. For example, you could create a Developers security group and a “C:\source\*” directory. Grant Administrators and System “Full Control” and grant Developers “Modify” on C:\Source. In AppLocker grant Developers the right to execute on “C:\Source\*”.

Limitations

Unfortunately the biggest limitation is that AppLocker is only available in Windows 7 Enterprise and Ultimate or any version of Windows Server 2008 R2.

EDIT

Amazon Kindle for PC also installs itself into %localappdata%. Cisco’s WebEx installs itself onto the “all users” application data directory (%allusersprofile%). They need AppLocker publisher exlusions in order to run.

MSE v2 Command-Line Scanning

Microsoft Security Essentials (MSE) 2.0 adds command-line file scanning to its command-line interface.

MpCmdRun.exe is the command-line interface to MSE.

(Note that MSE has moved from “C:\Program Files\Microsoft Security Essentials” to “C:\Program Files\Microsoft Security Client”. And MpCmdRun.exe has moved to a subdirectory called Antimalware.)

In MSE v1, MpCmdRun was conspicuously missing an option to scan a file from a command line but the problem is rectified in MSE v2 beta.

mpcmdrun-filescan 

The file scanning is a new sub-option of the –Scan argument.

-Scan [-ScanType value]
    0  Default, according to your configuration
    1  Quick scan
    2  Full system scan
    3  Single file custom scan

       [-File ]
            Indicates the file path to be scanned, only valid for custom scan

       [-DisableRemediation]
            This option is valid only for custom scan.
            When specified:
              - File exclusions are ignored.
              - Archive files are scanned.
              - Actions are not applied after detection.
              - Event log entries are not written after detection.
              - Detections from the custom scan are not displayed in the user
                interface.

The usage is slightly awkward. It requires specifying –Scan –ScanType 3 –File <filename>.

A simple powershell function or a batch file.

Powershell

function Scan-File( $file )
{
    $exe = Join-Path $env:ProgramFiles &quot;Microsoft Security Client/Antimalware/MpCmdRun.exe&quot;
	&amp; $exe -Scan -ScanType 3 -File $file
}

Batch

@echo off
setlocal
set path=%programfiles%\Microsoft Security Client\Antimalware;%path%
cmd /c MpCmdRun.exe -Scan -ScanType 3 -File %1

Niftier PowerShell integration is possible by extending the work of the Scripting Guy’s Invoke-SecurityEssentials.ps1 script for MSE v1.0.

Security Essentials v2.0 on Windows Server

Microsoft released a beta of Microsoft Security Essentials (MSE) version 2.0 on July 20. The major new advertised feature is that it integrates with the Windows Filtering Platform (WFP) on Windows Vista and later to provide real-time network traffic inspection.

What they didn’t mention is that MSE 2.0 will install and run on Windows Server platforms. I suspect their target market here is Windows Home Server but it doesn’t seem to be picky.

I hope this feature stays in the final product. It and it makes sense to be able to protect servers as well as the client OS. MSE is a great option for SMEs and home users—any organization that is too small to make use of the centralized monitoring and management capabilities of a product like Forefront. It also might make sense for some bastion hosts.

MSE 2.0 beta x64 installed happily on my Mac Mini running Windows Server 2008 R2 Standard x64.

msev2-win2k8r2

Fix: “Edit with GIMP” context menu in Windows 7 x64

I can’t remember when it happened but at some point, I lost the “Edit with GIMP” context menu for image files after I started using Windows 7 about a year ago. I just installed the GIMP 2.6.10 x64 version and I noticed that the issue wasn’t fixed. (I had a further problem because the Open With shell magic was broken because the 2.6.10 installer uses a different directory than the 2.6.9 x64 installer did.)

With my context menus thoroughly busted for images, I had a look in the registry. For every sort of image file, there were shell verbs configured. For example, here’s jpeg:

jpegfile\shell\Edit with GIMP]
@="Edit with GIMP"

[HKEY_CLASSES_ROOT\jpegfile\shell\Edit with GIMP\command]
@="\"C:\\Program Files\\GIMP 2\\bin\\gimp-2.6.exe\" \"%1\""

This all looks fine. It’s a custom shell verb called “Edit with GIMP” with the menu label “Edit with GIMP” that invokes the gimp-2.6.1.exe executable, passing the argument of the file name.

Except it doesn’t do anything in Windows 7.

I channeled Mark Russinovich and fired up Sysinternals ProcMon and had a look at what the explorer.exe process is accessing in the registry when I right-click on a jpeg.

procmon

It turns out that Explorer isn’t looking at jpegfile or pngfile or giffile et al. It is looking at “image files" as a class via HKCR\SystemFileAssociations\image. Therefore, the solution is to add a custom shell verb there:

[HKEY_CLASSES_ROOT\SystemFileAssociations\image\shell\Edit with GIMP]
@="Edit with GIMP"

[HKEY_CLASSES_ROOT\SystemFileAssociations\image\shell\Edit with GIMP\command]
@="\"C:\\Program Files\\GIMP 2\\bin\\gimp-2.6.exe\" \"%1\""

And success.

image-context-menu

Pin Eclipse Helios to Windows 7 Taskbar

eclipse-jumplistEclipse 3.6 “Helios” has Windows 7 taskbar jump lists and can be pinned to the task bar like  a native app but they don’t work out-of-the-box. The jump lists items generate a bonk error dialog complaining that Java cannot be found and the pin this program to taskbar option is missing.

In order for the Windows 7 taskbar features of Eclipse 3.6 to work, eclipse needs to know where Java is installed. That means editing eclipse.ini  to add a ”-vm” argument followed by the path to your Java runtime. Eclipse.ini is located in the same directory as eclipse.exe and the “–vm” argument has to be the very first line in eclipse.ini or Eclipse will complain a big error dialog that says the Java VM could not be found and refuse to start.

eclipse-ini

After adding the path to your Java runtime environment to eclipse.ini, start Eclipse but wait until after Eclipse has finished loading your workspace before attempting to pin it to the taskbar. Once the workspace has been loaded, you can pin the Eclipse icon to the Windows 7 taskbar and it will work like any other app. If you don’t wait until after the Workspace is running, you’ll end up getting a second eclipse icon every time you start Eclipse just like with Eclipse 3.5 and Netbeans 6.8.

This solution is working for me Eclipse 3.6.0 for Windows 64 bit running on Sun (Oracle) Java 1.6.0_20 64-bit on Windows 7 x64 Enterprise.

Via bugs.eclipse.org: bug 314805.

Visual Studio 2010 Professional Should be Free

Microsoft has created yet another SKU for Visual Studio 2010, Ultimate Edition.

This is out of hand.

  • Visual Studio Express editions Basic CMYK
  • Visual Studio Professional
  • Visual Studio Premium
  • Visual Studio Ultimate
  • Visual Studio Test Professional
  • Visual Studio Team Foundation Server
  • Visual Studio Lab Management

The express editions are free of charge but weirdly crippled:

  1. Rather than being features extending the base IDE, there are entirely separate Express IDEs for each language.
  2. The source control plugin API is missing
  3. Extremely limited refactoring (at a time when the refactorings in the full edition don’t compare well to Eclipse or Netbeans)
  4. No conditional breakpoints
  5. No remote debugging
  6. No thread debugging
  7. No support for compiling 64-bit native images
  8. No support for setup projects
  9. No support for solutions which contain projects written in different languages (because of item #1).
  10.   No MS Office development support.
  11.   No VSIX extensions (like this spell checker).

And apparently, you don’t have access to F# and IronPython languages with any Express edition. What?

Visual Studio Professional is the vanilla full-featured version of Visuals Studio 2010.

Visual Studio is really the mechanism by which developers add value to Microsoft’s platforms. It is used to build applications that people actually use. We are not living in the gay 90s anymore when compilers were generally very expensive and IDEs were new and a huge value-add. Now, every platform vendor I can think of except for Microsoft gives away the best development tools it can in order to draw developers to it.

Here are some examples:

  • Apple gives away XCode and all its developer tools and documentations to anyone that registers.
  • Eclipse is free and open source.
  • Netbeans is free and open source

Visual Studio Express editions do not have parity with the features of XCode, Netbeans and Eclipse. Visual Studio Professional is much closer.

But to get Visual Studio Professional, you have to be student or faculty at an institution participating in the Microsoft Academic Alliance program, an employee of a Microsoft Certified Partner or you or your employer have to buy an MSDN subscription every year. There are now 6 MSDN subscription SKUs.

  • MSDN Operating Systems
  • MSDN Embedded
  • Visual Studio Professional with MSDN
  • Visual Studio Test Professional with MSDN
  • Visuals Studio Premium with MSDN
  • Visual Studio Ultimate with MSDN

These range in price from $699 to $11,899 retail with the “Professional” version weighing in at $1,199 ($799 for a renewal). The Operating Systems one doesn’t even come with Visual Studio which makes no sense at all. Why offer developers a subscription to your operating systems without giving them the tools to develop applications on the operating systems?

This state of affairs is out of control.

I don’t have any issue with Microsoft selling value-adds over and above of Visual Studio Professional (e.g. Premium, Ultimate, Professional Tester, Team Server, etc.) to compete with IBM Rational and Perforce et al in the application lifecycle management and enterprise architecture modeling stuff and build management and testing.

But rather than trying to squeeze 800 bucks a year out of developers, Microsoft should discard the Express editions of Visual Studio and make Visual Studio 2010 Professional available at no cost to anyone with a valid copy of Windows.

Otherwise, Microsoft is literally driving startups and young developers to other platforms which offer fully functional free tools from vendors like Apple, IBM, Oracle (Sun), Novell, Red Hat and Canonical.

And when I say free I don’t mean crippled or ad supported. In order to keep the Windows platform relevant, Microsoft needs to make credible modern tools available to anyone that might be interested. That means Visual Studio 2010 Professional should be a free download.

Seriously.

Follow

Get every new post delivered to your Inbox.

Join 86 other followers

%d bloggers like this: