Code access to external urls - c#

I have code that uses process class to sign code with a verisign signature.
So basically it uses command line cmd. Now this all used to work but recently (maybe due to malware), it fails at the timestamping stage. Pretty sure this is because it is no longer able to access the verisign external url in order to time stamp.
I have tried the same command from the command line manually and the result is the same. I have a proxy configured in IE which is necessary for external web access, but I assume when I'm using cmd, for example, it's not derived from IE settings?

To me it sounds like your IE proxy settings got messed up. Malware can do that. Go into IE, then Internet Options (it's different depending on version of IE and Windows). Once in there, hunt down proxy settings and turn them off. I'd guess they are currently enabled.
Also, timestamping will fail if the certificate expired. Did it expire?

Silverlight 5 with elevated privileges in browser using clientaccesspolicy.xml

I am trying to get my Silverlight application running with elevated privileges in browser. However, no matter what I do, it doesn't get elevated.
I have tried to add registry key AllowElevatedTrustAppsInBrowser (as DWORD with value 1), and signed the XAP file using VS 2012. I also came across a blog that mentioned the clientaccesspolicy.xml file, but I was not able to allow elevated privileges with this either. I put the xml file inside the web project hosting the html file that displays the XAP.
Has anyone actually managed to get this to run?
I also tried following this: http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2011/04/27/silverlight-5-beta-rough-notes-trusted-apps-in-the-browser.aspx but I'm unsure about where to run the commands he runs on Windows.
There is a good summary on how to enable in-browser elevated trust by Mister Goodcat here, where he also provides some troubleshooting tips:
One thing to keep in mind is that even if your application runs as trusted in-browser app, it is still subject to the security restrictions the browser itself imposes. That means that its possibilities may be much more restricted than if they ran out of browser, for example by Internet Explorer's Protected Mode. In addition, the Silverlight runtime itself restricts use of certain features for in-browser trusted apps, for example you cannot use the Window class and/or create additional windows when you're running in the browser.
If none of the above applies to you and you still run into problems, one thing to do is check whether your certificate(s) have been installed correctly. There's a snap-in for the management console for this. Here is an article that describes how to get there (note that you should add a snap-in for your user account, not the computer account as in this description).
You can also check whether your registry key is actually and successfully queried, for example by using a tool like Process Monitor from the Sysinternals Suite. Watch for operations of type "RegQueryValue" of your browser executable that access the key we created above, and make sure the Result is "SUCCESS".

Run .exe on client system from server-side c# code

I want to run an exe on client system from my c# asp.net website. When I use Process.Start() it throws an error:
The requested operation requires elevation.
How do I set permissions to run that exe?
You can't spawn processes on the client machine from server-side code.
When you use Process.Start in server-side code, it is attempting to execute the process there, on the server where the website is hosted. If you wanted to create processes on the client's computer then you would need to expose a download for them (and not in employing subterfuge, like malign sites might do to install software - supply it gracefully, and normally (and with permission)), or a Silverlight application or something along those lines.
The bottom line is that the code you want to execute (even if that is just to spawn a process) must reside on the client, and be executed there.
You can't run an application from a web server like that. You will have to have the user download the application by supplying the EXE, a setup file or using ClickOnce.
Or you can develop an ActiveX control that you can have the browser automatically download from a Trusted Internet Zone.
Once downloaded, proper signing with a certificate (signed from the trusted (corporate) root certificate) will avoid the user getting a prompt to ask whether he wishes to allow the ActiveX control to install/be activated.
The ActiveX control can subsequently do anything the interactively logged on user could. This means that to actually install a program you'd need to elevate (UAC on Vista+); but if the goal was just to run a standalone executable, you should be good to go.
This all assumes white-hat purposes in a (larger) corporate setting, because it relies on PKI infrastructure and central browser policies, to name just two.
This would, really, lead to some excellent questions on serverfault or superuser.
I noticed you said you wanted to run an exe file on the client, but you didn't say explicitly that the exe is on the server and you want to push it to the client. Everyone seems to be assuming that is the case.
You CAN accomplish this fairly easily with a small JavaScript if you have a few prerequisites:
The executable is already present on the client machine.
All of your clients are running IE.
You can enforce a policy to put your site in the Intranet or Trusted Sites zone.
So basically this means it's a corporate intranet application. I am assuming this is probably the case since, well, if you were expecting to do this with a public app, I would be surprised.
For the script to accomplish this, please see my answer to this question:
How can I get a program on a client machine to run from an ASP.NET page?

.NET proxy detection

I am having an issue with .NET detecting the proxy settings configured through internet explorer.
I'm writing a client application that supports proxies, and to test I set up an array of 9 squid servers to support various authentication methods for HTTP and HTTPS. I have a script that updates IE to whichever configuration I choose (which proxy, detection via "Auto", PAC, or hardcode).
I have tried the 3 methods below to detect the IE configuration through .NET. On occasion I notice that .NET picks up the wrong set of proxy servers. IE has the correct settings, and if I browse the web with IE, I can see I am hitting the correct servers via Wireshark.
WebRequest.GetSystemWebProxy().GetProxy(destination);
GlobalProxySelection.Select.GetProxy(destination);
WebRequest.DefaultWebProxy
Here are the following tips I have:
My script sets a PAC file on a webserver, and updates the configuration in IE, then clears IE's cache
.NET seems to get "stuck" on a certain proxy configuration, and I have to set another configuration for .NET to realize there was a change. Occasionally it seems to pick some random set of servers (I'm sure they're not random, just a set of servers I used once and are in some cached PAC file or something). As in, I will check the proxy for the destination "https://www.secure.com" and I may have IE configured for and thus expect to get "http://squidserver:18" and instead it will return "http://squidserver:28" (port 18 runs NTLM, 28 runs without authentication). All the squid servers work.
This does not appear to be an issue on XP, only Vista, 2003, and Windows 7.
Hardcoding the proxy servers in IE ALWAYS works
Time always solves the issue - if I leave the computer for about 20 or 30 minutes and come back, .NET picks up the correct proxy settings, as if a cached PAC script expired.
I found the solution.
.NET uses the "WinHttp Web Proxy Auto Discovery Service" to perform PAC script execution, and probably caches the results. Simply stopping and restarting this service does the trick. The following command line does this for me.
NET STOP WinHttpAutoProxySvc
NET START WinHttpAutoProxySvc
http://wiki.blackviper.com/wiki/WinHTTP_Web_Proxy_Auto-Discovery_Service
I found this by following James Kovacs' suggestion of attaching the debugger. I had already reflected through the code and made a failed attempt to attach a debugger before I ever posted the question, but could not decipher exactly what was happening. Running out of options, I tried debugging again, and after several hours found the following comment in _AutoPWebProxyScriptEngine.cs on line 76 that led me to this discovery:
// In Win2003 winhttp added a Windows Service handling the auto-proxy discovery. In XP using winhttp
// APIs will load, compile and execute the wpad file in-process. This will also load COM, since
// WinHttp requires COM to compile the file. For these reasons, we don't use WinHttp on XP, but
// only on newer OS versions where the "WinHTTP Web Proxy Auto-Discovery Service" exists.
I had the same issue and I succeeded in getting/setting the proxy setting in the registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="<your proxy IP address>:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>"
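
A diagnostic for the symptom discussed in this thread, added here as an example and not code from either answer: it reads the `Internet Settings` values shown above, parses `ProxyServer` in both its single and per-scheme forms, and compares the result with what `WebRequest.GetSystemWebProxy()` resolves for a destination. The class name `ProxyConfigCheck`, the default destination and the use of the `AutoConfigURL` value to detect a PAC setup are assumptions; "Automatically detect settings" (WPAD) is not inspected.

```csharp
using System;
using System.Net;
using Microsoft.Win32;
static class ProxyConfigCheck
{
    const string Key = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings";
    // ProxyServer is either "host:port" (all schemes) or "http=h:p;https=h:p;...".
    static string ConfiguredProxyFor(string proxyServer, string scheme)
    {
        if (string.IsNullOrWhiteSpace(proxyServer)) return null;
        if (!proxyServer.Contains("=")) return proxyServer.Trim();
        foreach (string entry in proxyServer.Split(';'))
        {
            string[] kv = entry.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0].Trim().Equals(scheme, StringComparison.OrdinalIgnoreCase))
                return kv[1].Trim();
        }
        return null; // no entry for this scheme: IE goes direct
    }
    static int Main(string[] args)
    {
        var destination = new Uri(args.Length > 0 ? args[0] : "https://www.example.com/"); // constructed default
        bool enabled; string proxyServer, pacUrl;
        using (RegistryKey k = Registry.CurrentUser.OpenSubKey(Key))
        {
            enabled = k != null && Convert.ToInt32(k.GetValue("ProxyEnable", 0)) == 1;
            proxyServer = k?.GetValue("ProxyServer") as string;
            pacUrl = k?.GetValue("AutoConfigURL") as string;
        }
        IWebProxy system = WebRequest.GetSystemWebProxy();
        Uri resolved = system.IsBypassed(destination) ? null : system.GetProxy(destination);
        Console.WriteLine("IE: ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}", enabled, proxyServer ?? "(none)", pacUrl ?? "(none)");
        Console.WriteLine(".NET: {0} -> {1}", destination, resolved?.ToString() ?? "DIRECT");
        if (!string.IsNullOrEmpty(pacUrl))
        {   // PAC results come from the auto-proxy service; compare by hand with a capture.
            Console.WriteLine("PAC configured: result may be a cached script evaluation.");
            return 0;
        }
        string configured = enabled ? ConfiguredProxyFor(proxyServer, destination.Scheme) : null;
        Uri expected = configured == null ? null
            : new Uri(configured.Contains("://") ? configured : "http://" + configured);
        // A bypassed destination (ProxyOverride) resolves to DIRECT and is not flagged.
        bool stale = expected == null ? resolved != null
            : resolved != null && !(expected.Port == resolved.Port &&
                expected.Host.Equals(resolved.Host, StringComparison.OrdinalIgnoreCase));
        Console.WriteLine(stale ? "MISMATCH: .NET disagrees with IE settings" : "OK");
        return stale ? 1 : 0;
    }
}
```

Run it before and after restarting `WinHttpAutoProxySvc`: with a hardcoded proxy a non-zero exit code means .NET is still returning a proxy that IE is no longer configured for.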

Heightened privilege selenium browsers on Windows 7 (x64)

I make use of *firefox and *iexplore etc. within my Selenium tests to get around the issue of self-signed SSL certificates on my local machine. Unfortunately, now that I've moved from XP over to 7, this seems to have stopped working.
I'm running the Selenium RC server process as administrator, since that was necessary to get an IE instance to launch properly.
I've tried adding permanent security exceptions for the certificate in question, and have confirmed that this works when I myself launch a browser session. But when a browser session is instantiated by the Selenium RC, I'm still receiving the security warnings.
I've also tried specifying the 32bit version of IE, in case it was just the 64bit version that wasn't working, but both exhibit the same behaviour.
I've also tried temporarily disabling UAC, in case I was falling foul of a permissions/elevation problem, but that also did not help.
Has anybody managed to get the heightened privilege browsers working properly on Windows 7? Alternatively, does anybody know a way that I can get around this issue? (short of not using https!)
Thanks!
Have you tried adding the certificate to your list of accepted certificates by hand?
As IE doesn't have profiles, and each session uses the user's profile, you can add the certificate by hand the first time the error occurs to Selenium and next time the browser finds an error to warn, it will find the cert in the list of exceptions and proceed with the page without warning.
For Firefox, the best way to get around this is to create a custom profile with all the certificates accepted, then specify that profile when you start your Selenium server. I use this same strategy for setting up browsers in different languages.
*chrome is normally the way to run Firefox with relaxed security.

Can't get my .Net Console App to run on a Server "The Publisher Could Not Be Verified"

I've written a simple C# console app that gets executed by SQL Server Integration Services as part of a data warehouse load (on Windows Server 2003).
Unfortunately the step that calls the .exe is failing because an Open File security warning dialog "The Publisher Could Not Be Verified. Are you sure you want to run this software" is shown.
I think I need to sign my console app, but this seems a little overkill for an internal application. Can I sign it without having to get an externally recognised certificate?
Thanks.
Yes, signing is easy. Just look up Project|Options|Signing. The combobox will let you pick a key-file or create one. It is always a good idea.
But signing may not be enough; the server may impose stricter rules so that you will need a certificate. I'm not 100% sure but you may be able to create your own and tell the server to trust it.
But try the signing first.