Category: IIS

Certificates, IIS, Security, SSL, Troubleshooting, Web

Dealing with SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Jared Meredith

A lot of you may be getting emails from your sys admins telling you about needing to protect yourself from the POODLE vulnerability. I wanted to post my response back to what I did to bring my servers into compliance.

I used a tool called IISCrypto to place the server in best practice template from the command line. You can do it to be in PCI, PCI31 or FIPS140 compliance as well.

Here’s what I ran for what got fixed:

ss1

They also offer a GUI that you can run to see exactly what’s being used. Here’s the box after I applied the command ran above to confirm the removal of PCT 1.0 & SSL 2.0/3.0:ss2

My recommendation would be to deploy the command line version of the tool and execute the best practice template, let it apply the best practice template and restart the box.

However, if you don’t prefer a 3rd party tool then you can follow the Microsoft suggested actions to update the registry entries and build a .reg script to run.

Hope this helps.

.Net, IIS, Programming, Troubleshooting, Visual Studio, Web, XML

Troubleshooting “Could not load file or assembly ‘DotNetOpenAuth.Core, Version=4.1.0.0, Culture=neutral, PublicKeyToken=2780ccd10d57b246’ or one of its dependencies”

Jared Meredith

The Issue:

After I had updated my .Net Core on my developer machine to a newer version I went to debug a web application I had and received this error:

Could not load file or assembly 'DotNetOpenAuth.Core, Version=4.1.0.0, Culture=neutral, PublicKeyToken=2780ccd10d57b246' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

The Problem:

Here is what I had in my config prior to the update install:

<runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.Core" publicKeyToken="2780ccd10d57b246" />
        <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.AspNet" publicKeyToken="2780ccd10d57b246" />
        <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="EntityFramework" publicKeyToken="b77a5c561934e089" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

I had outdated references in my config file.

The Solution:

Ensure your references get updated after you update your development environment.

Here is what I updated to:

  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.AspNet" publicKeyToken="2780ccd10d57b246" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.3.0.0" newVersion="4.3.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.Core" publicKeyToken="2780ccd10d57b246" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.3.0.0" newVersion="4.3.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="EntityFramework" publicKeyToken="b77a5c561934e089" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

Hope that helps. Questions are always welcome.

.Net, IIS, Security, Sitecore, Web, XML

Encrypting .NET Config Files in a Shared Development Environment

Jared Meredith

This page will attempt to describe how to encrypt sensitive information contained in .NET config files using the RSA Key Container, as well as how to export/import the key from that container so that other developers may use the same key to work on the same project.

Helpful Tips: The aspnet_regiis.exe utility must be run as a administrator, otherwise you may receive “duplicate object” errors. In addition, you will want to run Visual Studio as an administrator to ensure the program has access to the RSA Key Container store.

Creating a Custom RSA Key Container

In this part we will create an RSA key container by using aspnet_regiis.exe with the -pc option. This identifies the RSA key container as a user-level key container. RSA key containers must be identified as either user-level (by using the -pku option) or machine-level (by not using the -pku option). For more information about machine-level and user-level RSA key containers, see Understanding Machine-Level and User-Level RSA Key Containers.

In this example the following command will create an RSA key container named SampleKeys that is a machine-level key container and is exportable:

cd \WINDOWS\Microsoft.Net\Framework\v4.0.*
aspnet_regiis -pc "SampleKeys"–exp

Adding your provider to the web.config

The following example shows the configProtectedData section of a Web.config file. The section specifies an RsaProtectedConfigurationProvider that uses a machine-level RSA key container named SampleKeys.

<configProtectedData>
   <providers>
    <add keyContainerName="SampleKeys" useMachineContainer="true" description="RsaCryptoServiceProvider" name="SampleKeys" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
</configProtectedData>

Importing and Exporting the Key Container

In order for another developer to run your project (encrypted by your key) you will need to  export a key to be used by another developer:

aspnet_regiis -px "SampleKeys" "C:\keys.xml" -pri

Once you pass this along to another user to use then import with the following command:

aspnet_regiis -pi "SampleKeys" "C:\keys.xml"

If this is a machine level container, the code should now run without the need to assign permissions. However, if it’s a user container (i.e. your app pool is ran by a specific user or service account), additional permissions may need to be assigned:

aspnet_regiis -pa "SampleKeys" "NT AUTHORITY\NETWORK SERVICE"
aspnet_regiis -pa "SampleKeys" "[impersonation account]"

To use the default RsaProtectedConfigurationProvider specified in the machine configuration, you must first grant the application’s Windows identity access to the machine key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

Encrypting and Decrypting Config Sections

.NET allows specific sections of a config file to be encrypted, so non-sensitive information can still be accessed. To encrypt a section:

aspnet_regiis -pef [section] [path] -prov [provider]

Where [section] is the name of the config section, relative to the configuration tag. [path] is the relative path to the directory containing the web.config file. For example, the following commands will encrypt the appSettings section as well as the impersonation credentials:

cd C:\SolutionFolder
aspnet_regiis -pef appSettings ProjectFolder -prov SampleKeys
aspnet_regiis -pef system.web/identity ProjectFolder -prov SampleKeys

To decrypt the appSettings section:

aspnet_regiis -pdf appSettings ProjectFolder

Partially Encrypting a Section

It may be necessary to only encrypt part of a section in a web.config file. For example, if the appSettings section contains multiple, non-sensitive keys and only a subset contain sensitive information. To encrypt only a few keys, a second appSettings section must be created and the new keys moved into it. The keys are accessed exactly the same way in the code, so no coding changes are needed.

First, register a new section name called secureAppSettings by placing the following XML under the configuration node:

<configSections>
<section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</configSections>

Next, create a new section called secureAppSettings and move the sensitive keys under it:

<secureAppSettings>
    <add key="Username" value="XXX" />
    <add key="Password" value="XXX" />
</secureAppSettings>
<appSettings>
    <add key="NotSensitive" value="XXX" />
</appSettings>

Finally, the new secure section can be encrypted and decrypted independently of the existing appSettings section:

aspnet_regiis -pef secureAppSettings ProjectFolder -prov ProviderName

App.config

This Microsoft utility was designed for web.config files. It will not find app.config files for other project types. To encrypt these config files, just rename them to web.config prior to encrypting, then rename back afterwards.

Other Helpful Links:

IIS, SharePoint, Troubleshooting

Help! Need Help Diagnosing A 500 Errors In SharePoint? Try This…

Jared Meredith

Imagine the nightmare…you decided to sneak in a web part deployment in right before the start of the business day. Right after your deployment you see that the site is about to come back up…and…then nothing. A blank screen. In desperation you open Internet Explorer to try and see if it loads there as well..nothing but a 500 error. Then, the feeling rushes over you that this was a very bad decision. While we should address why you were doing an early morning deployment we shall spare you. 🙂 So what do you do now?

One of the best ways to see what is going on with a 500 error is to enabled Failed Request Tracing in IIS for the web site in question. Once enabled you can replicate the issue by refreshing the browser a few times; this should be more than enough to capture a few. Once captured then you will usually see where the issue is identified (especially with web.config changes that happen).

To do this:

1) Open IIS

2) Select the web site in question and open the Features View

3) Under the IIS section select “Failed Request Tracing” by double-clicking it

FRT1

4) In the top right hand corner click the message in the Alerts section

FRT2

5) When the pop-up comes up then select to enable and take the default directory (unless you need it elsewhere, then specify another location) and hit OK

FR3

6) Next, under actions select “Add…” and select “All content (*)” and click Next

FRT4

7) Indicate the status code of 500 (and others where applicable) and click next again

Frt5

8) Indicate your trace providers and click Finish

FRT6

You should now see your created Failed Request Tracing Rules.

FRT7

Now go and refresh the browser a couple times to see your error again. Once that is logged then go to the trace logs. To find that location go back to the site in features view, select Failed Request Tracing and select “View Trace Logs…”

FR8

Double click to view the recorded log (you can use IE):

FRT9

Viewing these should at least help to identify the obvious when it is a line in the web.config or when there has been a setting changed as a result of saving a configuration option in SharePoint (or 3rd party products or web parts in SharePoint). Hope this helps, happy troubleshooting. Questions are always welcome.