Problem on Mozilla FireFox
Moderator: SourceGear
Browser Version: 2.0.0.11
Vault Version: 4.0.5
.net Version: 2.0
O/S Version: WinXP Pro
I am getting prompted to save or open the VaultService.asmx file.
Unfortunately, I am not that familiar with Mozilla and don't know what I have configured incorrectly.
Anyone have any idea how to make it run the asmx file instead of asking me to download it?
Thanks.
After going to http://<machine>/VaultService and selecting the http://CR1/VaultService/VaultService.asmx link I get the below code displayed in the IE browser. In FireFox I am prompted to download the file.
<%@ WebService Language="c#" Codebehind="VaultService.asmx.cs" Class="VaultService.VaultService" %>
Sounds like IIS is not configured for an ASP.NET application on your Win XP Pro box.
Try this:
a) Open a command prompt
b) Go to %windir%\Microsoft.NET\Framework\v2.0.xxxxx where xxxxx is the minor build of .NET.
c) Run "aspnet_regiis -i"
d) Assuming it installs correctly browse to the .asmx page. Do you now get a VaultService service description page?
Jeff Clausius
SourceGear
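A check for step d) above, as an added example that is not part of the original posts or SourceGear's code: it classifies the response to an .asmx request and flags the case described in this thread, where the raw `<%@ WebService %>` directive reaches the browser because ASP.NET is not registered with IIS. The sample responses are constructed, and the content-type test for a working page is an assumption.

```python
import re

# The ASP.NET directive is only visible to a client when IIS returns the raw
# .asmx file instead of handing it to the ASP.NET handler.
DIRECTIVE = re.compile(r"<%@\s*WebService\b[^%]*%>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def classify_asmx_response(status, headers, body):
    """Classify one HTTP response to an .asmx URL.

    Returns (verdict, details); verdict is 'source-served', 'executed'
    or 'unknown'.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    match = DIRECTIVE.search(body)
    if match:
        # Server-side names (code-behind file, class) exposed to the client.
        leaked = dict(ATTRIBUTE.findall(match.group(0)))
        return "source-served", {"content_type": ctype, "leaked": leaked}
    if status == 200 and ctype in ("text/html", "text/xml"):
        # Assumption: a processed .asmx answers with an HTML description
        # page or an XML document, never with the directive itself.
        return "executed", {"content_type": ctype}
    return "unknown", {"status": status, "content_type": ctype}


# Constructed sample responses (not captured traffic).
BEFORE_FIX = (
    200,
    {"Content-Type": "application/octet-stream"},
    '<%@ WebService Language="c#" Codebehind="VaultService.asmx.cs" '
    'Class="VaultService.VaultService" %>',
)
AFTER_FIX = (
    200,
    {"Content-Type": "text/html; charset=utf-8"},
    "<html><head><title>VaultService Web Service</title></head></html>",
)

if __name__ == "__main__":
    for name, response in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, classify_asmx_response(*response))
```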
Hello,
It worked for me also. However, it's incredible the number of changes (mainly security) I've had to make to have it work.
I'm really concerned about security, as the web will be exposed to the internet.
Is there documentation that explains the right restrictions to set in place to have this work without risk (or at least as little as possible)?
For example, the account ASPNET did not exist; I had to create it, set rights on folders... But it doesn't have any password!
Hope you have some docs (or time) on this to explain a minimal installation to have Fortress work. We used SourceGear for a long time and the approach was very secure according to me and really simple to install!
I think you should also add a link to the Vault documentation on the Fortress page; it would help new users.
Xavier
Xavier wrote: For example, the account ASPNET did not exist; I had to create it, set rights on folders... But it doesn't have any password!
The ASPNET account only exists on systems with IIS 5.0. For systems with IIS 6.0, ASP.NET has an entirely different security model using the 'NT AUTHORITY\NETWORK SERVICE' account.
If you're using IIS 5.0 (Win XP or Windows 2000 Server), then something is definitely wrong with your setup as the ASPNET account is created when you install/configure .NET Framework AFTER installing and setting up IIS. I believe the order of things is important as the .NET Framework is IIS aware, but the IIS installation is not necessarily aware of .NET Framework.
Xavier wrote: Hope you have some docs (or time) on this to explain a minimal installation to have Fortress work. We used SourceGear for a long time and the approach was very secure according to me and really simple to install!
Here are some articles which explain what principles lie behind Vault/Fortress -
An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS - http://msdn2.microsoft.com/en-us/magazine/cc301387.aspx
An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part - http://msdn2.microsoft.com/en-us/magazine/cc301390.aspx
Authentication in ASP.NET: .NET Security Guidance - http://msdn2.microsoft.com/en-us/library/ms978378.aspx
Security Guidelines: ASP.NET 2.0 - http://msdn2.microsoft.com/en-us/library/ms998258.aspx
Jeff Clausius
SourceGear
I've had a glance at those pages; I think this is mainly for those who design the pages (you).
I'm far from being a web security expert, so I have what are certainly obvious questions:
- Is http://server/VaultService OK, or is https mandatory (mainly for password reasons; my understanding is that a hacker could easily read the user/password and get/delete the sources)? If https is required, how can it be set up?
- Is there anything else that should be done to have our server secure? Or (as I hope) are all the defaults hacker safe (as far as they can be)?
Thanks
For functionality found in the non-web app based clients, those go through our own protocol, so although the data is sent in the clear, the client never sends passwords in clear text.
For the web-based access of Vault, you'll want to probably enforce SSL based connections. Since this might be different on each version of IIS, please consult the correct manual for your version of IIS in setting up an SSL Certificate for encryption. Also note, you don't necessarily have to "buy" a cert for this. You should be able to use a Certificate Server (Microsoft or Open SSL based) to create self-made certificates to be used within IIS.
As far as default installations, .NET framework creates accounts and grants permissions with a minimized risk. The links I posted above should have information about how the Framework works. This behavior would also cover behavior found in both Vault and Fortress.
HTH
Jeff Clausius
SourceGear
We keep our Vault server behind our firewall and use a VPN for remote access. In the past, before moving to a different server, it was also accessible via HTTPS but that was almost an accident; it shared a server with Exchange ActiveSync.
HTTPS only protects you from disclosing passwords and source code to network packet sniffing. It doesn't protect against password guessing attacks or any injection vulnerabilities or other attacks against Vault itself. If you're worried about security, don't expose Vault to the public internet.
Thanks for this advice. I know those questions are not really your concern, though I wouldn't ask if this wasn't to use your product...
- We would like to give our customers the opportunity to enter and follow their bugs through the WEB only licence. I suppose we can do that only through direct WEB access? Unless we give them access to our network through a VPN.
- Why would a VPN be more secure? Or is it really safer?
- I've found some links on Microsoft to install a certificate but not on how to obtain a free certificate. Do you have a link for that?
Xavier wrote: - We would like to give our customers the opportunity to enter and follow their bugs through the WEB only licence. I suppose we can do that only through direct WEB access? Unless we give them access to our network through a VPN.
As long as the end-users only have access to the Vault/Fortress server that would be OK. Inviting non-trusted users inside a VPN where other trusted resources may exist is ill advised. The other option would be a public IP address on the Vault/Fortress Server.
Xavier wrote: - Why would a VPN be more secure? Or is it really safer?
I don't want to put words into Mike's post, but if I were to guess, he would say the fewer services you expose to a public interface, the better. Removing IIS from public exposure is just one less piece you need to worry about.
Xavier wrote: - I've found some links on Microsoft to install a certificate but not on how to obtain a free certificate. Do you have a link for that?
http://technet.microsoft.com/en-us/libr ... .aspx#EDAA
http://support.microsoft.com/kb/218445
Jeff Clausius
SourceGear