Web Q&A

ActiveX Privileges, Making Icon Files, Sticky Sessions, and More

Edited by Nancy Michell

Code download available at: WebQA0502.exe (2,302 KB)

Q I have an application that downloads ActiveX® controls in an HTML page. On certain machines the download fails, but if I give the user local admin rights, the download succeeds. What are the specific privileges that need to be granted to a user for them to be able to download ActiveX controls via HTML pages?

A Don't hack your user privileges to allow them to install ActiveX controls, as this would allow users to install any arbitrary code and trash the machine. You should deploy the ActiveX controls to the users in a Microsoft® Installer (MSI) package through Active Directory® so that you don't have to loosen user restrictions. You can also use Systems Management Server (SMS) or your tool of choice.

Q Do you know of any good tools for converting .png (or .psd, .jpg, .gif) into .ico files?

A There are a number of programs that do this. You can try Axialis IconWorkshop. You might also want to look at IrfanView. It's fast and does all the conversions you mentioned, along with other useful stuff. You can also use icoConverter, developed by Alexandre Souza. It lets you select an image (.bmp, .png, or .jpg) that will be converted to an .ico file. You can download it from the link at the top of this article.

Q I'm using load balancing across my Web services farm. Both my UI servers and servers hosting the Web services are load balanced. Also note that I have affinity set to "none". Occasionally when calling a Web service from ASP.NET, I get "Underlying Connection Was Closed" error messages. When load balancing is not involved in the test environment, I don't get the error. The error is described at FIX: Intermittent "Underlying Connection Was Closed" Error Messages When You Call a Web Service from ASP.NET. What's up?

A This type of error is common in load-balancing situations. To avoid it you need to use sticky sessions; in other words you need to set the Affinity to "single host" (note that Cisco and other load-balancing packages may refer to it by a different name).

If you are using Secure Sockets Layer (SSL), it makes no sense to negotiate an SSL session from the client to server A and then have the load balancer send your next round-trip to server B. No SSL session was ever established with server B, so you get "The underlying connection was closed: Could not establish secure channel for SSL/TLS". (The one exception is a load balancer that terminates SSL itself; the session then lives on the balancer rather than on the farm members, and the balancer can forward to any of them.)

Sticky sessions are a requirement if you are using any connection-level (as opposed to request-level) HTTP mechanism such as SSL or Windows NT® LAN Manager (NTLM) authentication. With NTLM, when the load balancer moves the client to server B for the second round-trip, the client gets an HTTP 4xx response (typically 401 Unauthorized, sometimes 403 Forbidden) or some other access-denied error, because the NTLM handshake took place between the client and server A and server B never saw it.

SSL and NTLM operate at the connection level, not at the request level. Unless it is configured for client affinity, a load balancer is free to send each new request or connection to a different host.

Depending on your particular circumstances, it is sometimes possible to use UnsafeAuthenticatedConnectionSharing to prevent this NTLM error. Here is further reading on the subject: ASP and Web Session Management, How To Handle Web Client Session State in an Application Center 2000 Cluster, Avoiding Traps When Using the Application and Session Objects, and How to use ASP.NET session state SQL Server Mode in a failover cluster.
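The failure mode described in this answer, as an added example that is not part of the original column: a toy load balancer in front of two toy servers, with the NTLM (or SSL) handshake collapsed into a single "negotiate" step so that the per-connection state is easy to see. The client address, connection id and server names are constructed for the demonstration.

```python
"""Why connection-level authentication (NTLM, SSL) fails behind a load
balancer whose affinity is "none".  Added example, not code from the
original column: client, balancer and servers are toy objects, and the
NTLM handshake is collapsed into one "negotiate" step."""
from itertools import cycle


class Server:
    """A farm member.  NTLM (like an SSL session) is state attached to the
    inbound connection, so each server remembers which connections it has
    authenticated; a request on an unknown connection is challenged."""

    def __init__(self, name):
        self.name = name
        self.authenticated = set()

    def handle(self, conn_id, step):
        if step == "negotiate":          # client completed the handshake here
            self.authenticated.add(conn_id)
            return 200
        return 200 if conn_id in self.authenticated else 401


class LoadBalancer:
    """Round-robin dispatcher.  With affinity "single" a client is pinned to
    the first server it was sent to (a sticky session); with "none" every
    request may land on a different server."""

    def __init__(self, servers, affinity):
        if affinity not in ("none", "single"):
            raise ValueError("affinity must be 'none' or 'single'")
        self.servers = list(servers)
        self.affinity = affinity
        self._next = cycle(self.servers)
        self._pinned = {}

    def route(self, client_ip):
        if self.affinity == "single":
            if client_ip not in self._pinned:
                self._pinned[client_ip] = next(self._next)
            return self._pinned[client_ip]
        return next(self._next)


def run_session(affinity, requests=3):
    """One client negotiates NTLM once, then issues `requests` ordinary
    requests.  Returns a list of (server name, HTTP status) pairs."""
    lb = LoadBalancer([Server("A"), Server("B")], affinity)
    client_ip, conn_id = "10.0.0.5", "conn-1"   # constructed sample client
    steps = ["negotiate"] + ["request"] * requests
    results = []
    for step in steps:
        server = lb.route(client_ip)
        results.append((server.name, server.handle(conn_id, step)))
    return results


def statuses(affinity, requests=3):
    """Just the status codes, for a quick comparison of the two modes."""
    return [status for _, status in run_session(affinity, requests)]


if __name__ == "__main__":
    for mode in ("none", "single"):
        print(f"affinity={mode}: {run_session(mode)}")
```

With affinity "none" the handshake lands on server A and every other request is bounced to server B, which has never seen the connection and answers 401; with "single" the client stays on A and every request succeeds. The same model applies to SSL: replace "negotiate" with the SSL handshake and the 401 with the dropped connection quoted in the question.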

Q How can I capture all Web requests that come into my site using a single .aspx page that will examine the path requested and then generate the response from a database? I added the following code to my Global.asax, but it's working on only some requests:

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    HttpContext hContext = HttpContext.Current;
    string requestURL = hContext.Request.Path;
    // Hand every request to default.aspx, passing the original path as a query-string value
    hContext.RewritePath("/default.aspx?path=" + hContext.Server.UrlEncode(requestURL));
}

A Your handler only runs for ASP.NET requests, because IIS serves .html and .asp extensions itself without passing them to the ASP.NET runtime. If you want to capture all requests in that single .aspx page, do the following:

  • Go to Properties for your virtual directory in the IIS administrative tool and click the Configuration option.
  • Map the .asp, .html, and any other extensions you want to aspnet_isapi.dll (copy the path used for the .aspx extension). That tells IIS to pass requests for these extensions to ASP.NET. Make sure to deselect "Check if file exists" if the .asp and .html files are virtual and do not actually exist on the server.

Whatever default.aspx then does with the path query-string value, treat it as untrusted input: look it up in the database with a parameterized query rather than by string concatenation, and HTML-encode it before writing it back into the response.

Q In my dynamic DataGrid, (see Figure 1) why am I able to see all of the columns from the DataSet, even though I have set the AutoGenerateColumns property to false and have one bound column added to the grid?

Figure 1 Dynamic DataGrid

Dim dsServer As DataSet = New DataSet
sda.Fill(dsServer)
Dim dgServer As DataGrid = New DataGrid
dgServer.DataSource = dsServer
dgServer.DataBind()
dgServer.AutoGenerateColumns = False
Dim bcolumn As BoundColumn = New BoundColumn
bcolumn.DataField = "GMTOffset"
dgServer.Columns.Add(bcolumn)
Page.Controls.Add(dgServer)

A You have already bound the grid before you set any of the settings. Calling DataBind should be the last step before adding it to the page, as shown in Figure 2.

Figure 2 Binding the Grid

Dim dsServer As DataSet = New DataSet
sda.Fill(dsServer)
Dim dgServer As DataGrid = New DataGrid
dgServer.DataSource = dsServer
dgServer.AutoGenerateColumns = False
Dim bcolumn As BoundColumn = New BoundColumn
bcolumn.DataField = "GMTOffset"
dgServer.Columns.Add(bcolumn)
' Bind only after the column settings are in place
dgServer.DataBind()
Page.Controls.Add(dgServer)

Q I have some questions about the Local Group Policy (Windows® XP SP2). What is the difference between this registry key

User Configuration\Windows Settings\Internet Explorer Maintenance\Security

and the following registry key:

User Configuration\Administrative Templates\Windows Components\ Internet Explorer\Internet Control Panel\Security Page\...

Do I need to set both, one, or the other?

Both of these keys deal with the security zones in Microsoft Internet Explorer. The second key looks like the GUI piece but also sets the keys, while the first key directly sets the key. Which one of these takes precedence?

A The Admin Templates settings are true policies (they live under the Policies subkeys and are removed when the policy no longer applies, so there is no registry tattooing) and provide for very granular control. This is new with Windows XP Service Pack 2 and is a great improvement in Internet Explorer manageability.

Internet Explorer Maintenance (IEM) provides functionality similar to the Internet Explorer Administration Kit (IEAK). Those settings tattoo the registry and do not provide for granular control. Internet Explorer Maintenance does not provide the ability to configure just one URL Action (like Active Scripting to Prompt for the Internet zone) without configuring all the other URL actions for all the zones.

Another important point is that IEM controls registry settings outside of policy and sets the corresponding registry key in preferences. Savvy users can then manipulate the URLAction settings in the registry after the IEM portion of the Group Policy Object (GPO) applies. Windows XP SP2 policy settings (those configured in Admin Templates) provide protection from non-administrative user manipulation because the policy subkeys have ACLs which prevent non-admins from changing these values.

The following is the order of precedence of policy (Admin Templates) and preference (IEM) processing of URLAction values:

  • HKEY_LOCAL_MACHINE Policy (Admin Templates)
  • HKEY_CURRENT_USER Policy (Admin Templates)
  • HKEY_CURRENT_USER Preference (IEM)
  • HKEY_LOCAL_MACHINE Preference (IEM)

The first match is the enforced setting within Internet Explorer, meaning that if you set it in the policy section and the IEM section, policy wins. This includes modifications made in the UI (which simply control URLAction settings in the preferences subkeys).
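The precedence rule and the ACL protection from this answer, as an added example that is not part of the original column. The "registry" is a plain dictionary and the permission check is a stand-in for the real ACLs on the Policies subkeys; the zone number (3 = Internet), the URLAction (1400 = Active scripting) and its values (0 = Enable, 1 = Prompt, 3 = Disable) follow the Internet Explorer security-zone layout, and the two scenarios are constructed to show an IEM-only deployment beside an Admin Templates deployment.

```python
"""Model of URLAction precedence: policy (Admin Templates) keys are consulted
before preference (IEM) keys, first match wins, and policy keys cannot be
written by a non-administrator.  Added example, not code from the original
column; the registry is a dict and the ACL check is a stand-in."""

POLICY_BASE = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
PREF_BASE = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Lookup order from the column: first match is the enforced setting.
PRECEDENCE = [
    ("HKLM", "policy"),
    ("HKCU", "policy"),
    ("HKCU", "preference"),
    ("HKLM", "preference"),
]

INTERNET_ZONE = 3           # Zones\3 is the Internet zone
ACTIVE_SCRIPTING = 0x1400   # URLAction for Active scripting
ENABLE, PROMPT, DISABLE = 0, 1, 3


def urlaction_path(hive, kind, zone, action):
    """Registry path of one URLAction DWORD, e.g. HKCU\\...\\Zones\\3\\1400."""
    base = POLICY_BASE if kind == "policy" else PREF_BASE
    return "\\".join([hive, base, "Zones", str(zone), f"{action:X}"])


def set_value(registry, hive, kind, zone, action, value, is_admin):
    """Write a URLAction DWORD.  The Policies subkeys are ACLed so that only
    administrators (and the Group Policy engine) can change them; a savvy
    user can still edit the preference keys that IEM and the UI write."""
    if kind == "policy" and not is_admin:
        raise PermissionError("non-administrators cannot write policy keys")
    registry[urlaction_path(hive, kind, zone, action)] = value


def effective_urlaction(registry, zone, action):
    """Return (value, hive, kind) of the first match in precedence order,
    or None when nothing is configured."""
    for hive, kind in PRECEDENCE:
        path = urlaction_path(hive, kind, zone, action)
        if path in registry:
            return registry[path], hive, kind
    return None


def iem_only_scenario():
    """IEM sets Active scripting to Prompt as a preference; the user then
    flips it back to Enable in the preference key.  The edit sticks."""
    reg = {}
    set_value(reg, "HKCU", "preference", INTERNET_ZONE, ACTIVE_SCRIPTING, PROMPT, is_admin=True)
    set_value(reg, "HKCU", "preference", INTERNET_ZONE, ACTIVE_SCRIPTING, ENABLE, is_admin=False)
    return effective_urlaction(reg, INTERNET_ZONE, ACTIVE_SCRIPTING)


def admin_template_scenario():
    """Same user edit, but the setting is delivered as a true policy, which
    the user cannot write and which is consulted first.  Policy wins."""
    reg = {}
    set_value(reg, "HKCU", "policy", INTERNET_ZONE, ACTIVE_SCRIPTING, PROMPT, is_admin=True)
    set_value(reg, "HKCU", "preference", INTERNET_ZONE, ACTIVE_SCRIPTING, ENABLE, is_admin=False)
    return effective_urlaction(reg, INTERNET_ZONE, ACTIVE_SCRIPTING)


if __name__ == "__main__":
    print("IEM only:       ", iem_only_scenario())
    print("Admin Templates:", admin_template_scenario())
```

The first scenario is the weakness the answer warns about: because IEM only writes preferences, the user's edit becomes the effective setting. In the second the same edit is still made, but the Prompt value in the HKCU policy key is matched first and the UI and preference edits are ignored.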

Q A free newspaper Web site I use confirms password updates with an e-mail in which the password is revealed in plain text. This does not seem secure to me. Is it?

A The right question to ask is, "is this secure enough?" This kind of question is a good opportunity to really get a handle on how far you need to go to secure different kinds of data. Remember, security isn't a binary, all-or-nothing bit that you set on an application. Security comes from a process whereby you identify threats, then identify the value of the data being threatened, and design a strategy to mitigate those threats in the context of the value being protected. How worried is anyone that someone else might read that free newspaper using your ID?

Do you keep silverware in your house? You must eat with something. Is your house secure? Someone certainly could get into your house and steal your silverware if he really wanted to. The question then is whether your silverware is so valuable and the threat of me stealing it is so great that you're willing to shutter all your windows, bar your doors, buy a safe for your silverware, and hire guards to keep me out.

So, what's the bottom line? It makes little sense to implement a security system that costs more than replacing the data being threatened. If you paid $30 for your silverware at Target, you wouldn't exactly be worried about it. Having a password costs something—the password database has to be maintained, the code has to be debugged, and so on. But passwords mitigate a whole lot of threats. Not every threat, by any means, but lots of them.

You've identified a threat not mitigated by the existing strategy—someone could be packet-sniffing your e-mail. There could be a rogue admin at your ISP. Sending the password in the clear doesn't mitigate against these threats.

However, you need to ask yourself the following questions: what is the value of the data being protected—the ability to read your newspaper? What is the likelihood of attack? Are there really rogue admins reading your e-mail to steal your newspaper password? What is the cost of mitigating the attack? Are there any other factors? For instance, if recovering from an attack is cheap and easy, then preventing the attack is less important. Of course, you make things worse for yourself if the password you use to access this newspaper is the same password you use to check your e-mail or to access your financial records.

In this case, the value of the data being protected is low, the likelihood of attack is low, the cost of recovering from a successful attack is low, and therefore the cost of the security system should also be low.

Q I have a client certificate authorization requirement on a virtual directory of my IIS 6.0 Web site. After IIS authenticates the certificate, I verify that the usage policy of the client certificate is enabled for "smartcard logon." If the client certificate does not have this usage policy, then the request will be redirected.

But after Internet Explorer successfully authenticates a client certificate against a specific virtual directory, it will use the same client certificate in the future, and never pop up the certificate picker dialog. It seems there is nothing that I can do to bring the certificate selection box back up again the next time the user hits this virtual directory, but is there?

A Within Internet Explorer itself, the only option is to clear the SSL state by choosing Tools | Internet Options | Content | Clear SSL State.

The other possibility lies not in Internet Explorer but in CryptoAPI. Windows XP Service Pack 2 changed the way CryptoAPI caches certificates on the client for a given process (see Windows Prompts You for Your Password Multiple Times When You Use Outlook If Strong Private Key Protection Is Set to High).

This is the registry key that controls the new behavior:

HKLM\Software\Policies\Microsoft\Cryptography

To change it, add a new DWORD value named PrivKeyCacheMaxItems under that key. Setting it to 0 prevents any keys from being cached; by default, 20 keys are cached per process.

Got a question? Send questions and comments to webqa@microsoft.com.

Thanks to the following Microsoft developers for their technical expertise: Betsy Aoki, Gaurav Bansal, Rob Campbell, Richard Ciapala, Dan Crevier, Rob Franco, Jay Herbison, Simon Hoare, Kenneth Lassesen, Drew Leaumont, Eric Lippert, Eilon Lipton, Lawrence Liu, David Lovell, Duncan Mackenzie, Rob Maushardt, Alan Melia, Jerry Orman, Nikola Penkov, Minh Pham, Jiri Richter, Mike Shepperd, Nuno Silva, Eugene Siu, Morgan Skinner, Andy Sterland, Sean Sutherland, Stephen Toub, Joel Yoker, and Fan Zhang.