Posts From April 2012 - Musing, Rants & Jumbled Thoughts


Being in the tech industry, I occasionally get asked by family and friends to help with computer issues. Two items in particular come up, either because they asked, or more likely, because I bring it up:

  • Virus Protection
  • Backups

So, I decided to write down my thoughts for future reference.

Virus Protection:

Everyone should be running anti-virus software -- always.  Let me say that again: EVERYONE SHOULD BE RUNNING ANTI-VIRUS SOFTWARE. ALWAYS!

The Internet, being the giant series of tubes that it is, is great for sharing information, but is also a breeding ground for nasties.  Your first line of defense should be a network firewall.  Chances are you have a router, possibly built into your modem, sitting at the connection point between you and the Internet. In most cases, the router acts as a firewall too.  If it's a "NAT" router (that's Network Address Translation), it also provides an additional layer of protection by giving your computer a "private" IP address that's not directly accessible from the Internet at large.  This means the bad guys can't just attack your PC directly -- they have to find a way for your PC to come to them.  The bad news -- it's really easy to get you to come to them: email, social network sites, rogue ads on webpages, phishing links... you get the idea.

So, install an anti-virus package.  There are many, many choices, including Norton AntiVirus, AVG, avast!, McAfee, and many others.  But my recommendation is to use Microsoft Security Essentials.  It's free, it's integrated with Windows Update, and from my experience, it's just as accurate as the other guys and doesn't seem to hurt performance.

Now, it's not enough to just install the software.  You also need to keep it updated.  Out of the box, all of these programs are configured to auto-update their virus definitions.  In most cases, it's configured to do it in the middle of the night, one or more nights a week.  This is fine, as long as you keep your computer on all night.  But, if you turn off your PC, or have a laptop that turns off when you close the lid, make sure to change the settings to run during a time the computer is on.  It should be fine to run while you're using the PC.  If your PC isn't on frequently enough to have a set schedule, make sure to open the virus software (there should be an icon down by the clock in the lower left corner) and manually kick off the updates once a week.

I've been running Microsoft Security Essentials for years with good results; however my wife's laptop got hit pretty hard by a virus last year which was missed by Security Essentials and several other anti-virus packages I tried.  Eventually, after having to do a complete re-install of the machine twice, I found a secondary anti-malware package that did the job: MalwareBytes.  This program is not intended to be a replacement for your anti-virus, rather it's a supplement.  The designers do not try to catch the bad stuff that the anti-virus apps will find -- they target the stuff that's difficult for them to find.  It's a for-pay application (after a fairly long trial period) if you want real-time checking (which you probably do), but worth it if you find yourself frequently getting hit by nasty, slimy bits.

Note: "malware" (a shortened form of "malicious software") is the larger category of viruses, worms, trojan horses, key loggers, root kits and other applications that intend harm or deception.  Most "anti-virus" software is really "anti-malware", as it protects against more than just viruses.

Backups:

Backups are an insurance policy.  You don't need them until you really need them, and by that time, it's too late.  For years, I went without backups, and lost many, many files to accidental deletes, hardware failures, viruses and just stupidity.

There are several levels of backup, and anything is better than nothing!

File backups:

If you just need to make sure a handful of files are safe from getting nuked, you have a lot of options. I prefer DropBox, which is a cloud-based storage application.  It also has the added benefit of keeping the files sync'd across multiple computers. So in my case, I have the DropBox client running on my home machine, my work machine, my iPad and iPhone, as well as on the web, and it keeps the files updated in all those places with no actions on my part.  And, it's free for 2GB, with options to buy more storage. You can also unlock additional storage by recommending it to friends (thus, the link above has my "recommend to friends" info in it -- Disclaimer: If you sign up using that link, I'll get some extra space too).

Microsoft has a similar product called SkyDrive, which as of this week, has a limit of 7GB for the free account. And Google is expected to go live with their solution soon, so expect to see free account size limits increase and the three companies compete for customers.

File and System backups:

For most versions of Windows, you can set up the built-in backup -- you'll likely want to buy an external USB or FireWire (if your PC supports it) hard drive to store the files.  For full system backups, you'll want a big drive, since it'll keep multiple copies of your current hard disk -- so shoot for 2x to 5x the currently used size of your main hard drive.  It's generally a bad idea to use a second partition on your main hard disk, since a disk failure will kill your data and your backups at the same time.

There's also Carbonite, an online backup solution. I've not used it, but have heard good things. Update: I now use Carbonite, and like it as an off-site backup. Be warned, though: It chews up a lot of bandwidth, especially as it uploads your initial files.

Finally, there's what I've been using for a little over a year: Microsoft Home Server.  You can purchase what is basically a server in a box (with no screen) with various levels of hardware and configuration.  I built my own, opting for uber-protection using RAID-5 arrays for hard drive protection inside the box.  Home Server will easily configure your Windows machines to not only back up your files to the network device, but also perform full system images.  This allows you to do a full system restoration, including hard drive partitioning, by just booting from a CD or USB drive you create from the server, selecting which backup image you want to restore (by the date the backup was taken) and sitting back to watch for about 45 minutes while it does all the work.  It also provides a personal website that you can access from anywhere, using SSL (https) encryption, where you can get access to files stored on the server, get Remote Desktop access to any machines online at home that support it, and more.  This is definitely NOT the cheap route to go, and is overkill for most. Update: Microsoft has chosen not to continue the Windows Home Server product, suggesting people move to Windows Server Essentials for that support. However, unless you're willing to seriously earn your IT merit badge, I wouldn't suggest going this route.

Now, go make sure you've got anti-virus running, backups in place, and spread the word!



Lately, I've been doing work with Microsoft's Dynamics CRM 2011. Specifically, I've been integrating InRule's flagship product into Dynamics, which includes utilizing the Plugin feature of Dynamics.  Dynamics provides the option of registering a plugin to run in "sandbox" mode, which is a Partial Trust process.  While the on-premise Dynamics software will allow you to run plugins in or out of sandbox mode, Dynamics Online (Microsoft's hosted solution) will only run in sandbox mode.

Unfortunately, there's not really any good documentation saying what is or is not allowed in the sandbox mode.  Even when I spoke to a group of Microsoft Dynamics team members and MVPs at the Dynamics Acceleration Lab earlier this month on Microsoft's Redmond campus, there wasn't a known set.

So, I basically had to take the approach of just trying to run the software in isolated mode and seeing what fails.  As I uncovered a new security failure, I'd create a whitebox plugin that would test the specific scenario to ensure it was indeed a sandbox-induced issue and to test any potential workarounds.  The good news is that the sandbox mode for on-premise installations is the same as the Dynamics Online environment, so I could test things locally.

Below is a list of items I discovered during my testing.

This is not an exhaustive list by any means, as I focused only on functionality I needed for the InRule integration. I will continue to update it as I come across additional items.

Exception classes: With .NET 4, there was a change to how you must construct your Exception classes if you want to include any custom data when serializing your object.  Previously, you would override the GetObjectData() method, but in .NET 4 this method has been slapped with the [SecurityCritical] attribute, which stops you from using it in partial trust environments.  Instead, you need to change the implementation as described at this link: http://msdn.microsoft.com/en-us/library/system.runtime.serialization.isafeserializationdata.aspx
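The pattern described at that link, applied to a custom exception, as an added example that is not code from the original post or from InRule. The RuleFailedException type and its RuleName field are hypothetical; the Main method round-trips the exception with BinaryFormatter and assumes a full-trust .NET Framework 4 console application.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical exception type that carries one custom field, RuleName.
[Serializable]
public class RuleFailedException : Exception
{
    // Not serialized as a field; it travels through the event handler below.
    [NonSerialized]
    private State _state = new State();
    public RuleFailedException(string message, string ruleName) : base(message)
    {
        _state.RuleName = ruleName;
        // Replaces the GetObjectData() override: hand the state object to the
        // serializer when the exception is being serialized.
        SerializeObjectState += (sender, args) => args.AddSerializedState(_state);
    }

    public string RuleName { get { return _state.RuleName; } }

    [Serializable]
    private struct State : ISafeSerializationData
    {
        public string RuleName;
        // Runs after the exception has been rebuilt; put the custom data back.
        void ISafeSerializationData.CompleteDeserialization(object deserialized)
        {
            ((RuleFailedException)deserialized)._state = this;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var original = new RuleFailedException("Rule evaluation failed", "CreditLimitCheck");
        var formatter = new BinaryFormatter();
        using (var buffer = new MemoryStream())
        {
            formatter.Serialize(buffer, original);
            buffer.Position = 0;
            var copy = (RuleFailedException)formatter.Deserialize(buffer);
            Console.WriteLine("{0} / {1}", copy.Message, copy.RuleName);
        }
    }
}
```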

Using any of the following causes a security exception (not an exhaustive list):

  • Attempting to use the AppDomain.CurrentDomain.AssemblyResolve event
  • System.IO.Path.GetTempPath() [System.Security.Permissions.EnvironmentPermissionException]
  • Any filesystem access code [System.Security.Permissions.FileIOPermissionException]
  • Attempting to use the EventLog [System.Diagnostics.EventLogPermissionException]
  • Attempting to use IsolatedStorage [System.Security.Permissions.IsolatedStoragePermissionException]
  • Any references to Thread.CurrentThread caused a security failure. 

Using the XmlReader class with a StringReader to provide the XML caused a security failure.  I haven't yet been able to narrow down the specifics as to where or why this was disallowed, but here is the code that fails:

// Requires: using System.IO; using System.Xml;
using (XmlReader reader = XmlReader.Create(new StringReader(_xmlString)))
{
    reader.MoveToContent(); // Security exception occurs here.
}

As I determine more, I'll update this post.
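One way to build the kind of whitebox plugin described above, covering the calls in the list plus the XmlReader case. This is an added example, not the plugin used for the original testing; the SandboxProbePlugin class name and the probe labels are hypothetical, and it assumes a reference to Microsoft.Xrm.Sdk.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security;
using System.Text;
using System.Threading;
using System.Xml;
using Microsoft.Xrm.Sdk;

// Hypothetical diagnostic plug-in: register it in sandbox (isolation) mode on a
// test step, trigger it once, and read the report from the error text or trace.
public class SandboxProbePlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var report = new StringBuilder();
        // One delegate per probe, so a failure in one cannot hide the others.
        Probe(report, "AssemblyResolve event", () => { AppDomain.CurrentDomain.AssemblyResolve += (s, e) => null; });
        Probe(report, "Path.GetTempPath", () => Path.GetTempPath());
        Probe(report, "File system access", () => Directory.GetCurrentDirectory());
        Probe(report, "EventLog", () => EventLog.WriteEntry("Application", "sandbox probe"));
        Probe(report, "IsolatedStorage", () => IsolatedStorageFile.GetUserStoreForAssembly().Dispose());
        Probe(report, "Thread.CurrentThread", () => Thread.CurrentThread.ManagedThreadId.ToString());
        Probe(report, "XmlReader over StringReader", () =>
        {
            using (XmlReader reader = XmlReader.Create(new StringReader("<probe/>")))
                reader.MoveToContent();
        });

        var tracing = (ITracingService)serviceProvider.GetService(typeof(ITracingService));
        tracing.Trace("{0}", report);
        // Throwing surfaces the report in the error shown to the caller.
        throw new InvalidPluginExecutionException(report.ToString());
    }

    // Runs one probe and records whether the sandbox allowed it.
    private static void Probe(StringBuilder report, string name, Action action)
    {
        try { action(); report.AppendLine(name + ": allowed"); }
        catch (SecurityException ex) { report.AppendLine(name + ": blocked by sandbox (" + ex.Message + ")"); }
        catch (Exception ex) { report.AppendLine(name + ": failed with " + ex.GetType().Name); }
    }
}
```

Registering the same assembly once with isolation mode set to None and once in sandbox mode gives a side-by-side report, which separates sandbox restrictions from ordinary failures.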

Note: My testing was with Dynamics CRM 2011 Rollup 7 running on a Windows 2008 server virtual machine inside VMware Player.

Update: I came across this MSDN article, "Plug-in Isolation, Trusts, and Statistics", which provides some info on restrictions related to opening networking connections, including a registry edit you can make to ease the restrictions. Noteworthy excerpt from the article:

Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions apply to this sandbox capability.

* Only the HTTP and HTTPS protocols are allowed.
* Access to localhost (loopback) is not permitted.
* IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
* Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.
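
A pre-flight check that applies the restrictions quoted above to a URL before a sandboxed plug-in tries to call it. This is an added example, not code from the MSDN article or the original post; the SandboxWebAccess class and the sample URLs are constructed for illustration.

```csharp
using System;

public static class SandboxWebAccess
{
    // Returns null when the URL passes the quoted restrictions,
    // otherwise the reason it would be rejected.
    public static string Violation(string url)
    {
        Uri uri;
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri))
            return "not an absolute URL";
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return "only HTTP and HTTPS are allowed";
        if (uri.IsLoopback)
            return "localhost (loopback) is not permitted";
        if (uri.HostNameType != UriHostNameType.Dns)
            return "IP addresses cannot be used; a DNS name is required";
        return null;
    }

    public static void Main()
    {
        // Constructed sample URLs using reserved documentation names and addresses.
        string[] samples =
        {
            "https://api.example.com/feed",
            "ftp://files.example.com/data.csv",
            "http://localhost:8080/service",
            "http://192.0.2.10/service",
            "https://[2001:db8::1]/service",
        };
        foreach (string url in samples)
            Console.WriteLine("{0} -> {1}", url, Violation(url) ?? "ok");
    }
}
```

The check looks at the URL text only, so the sandbox itself remains the enforcement point.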