Blog

How to Remove the OPTIONS Method in IIS 8.5

Most security scanners detect an activated HTTP/S OPTIONS method and report it as a potential problem. This method can help an attacker to find out about your server configuration and offer a shortcut to other vulnerabilities. However, there are valid use cases for the OPTIONS method, like REST APIs or CORS. If you need the OPTIONS method for those use cases, you need to keep it active and should document its usage in your architecture documentation.

How to Test Your Internal Classes in C#

One of the most important concepts of object-oriented design is encapsulation. You try to hide all the internal things of a class from the other developers and only offer them a subset of functionality to use. You can achieve this by setting an appropriate access modifier for your methods and classes:

  • public: The type or member can be accessed by any other code in the same assembly or another assembly that references it.
  • private: The type or member can be accessed only by code in the same class or struct.
  • protected: The type or member can be accessed only by code in the same class, or in a class that is derived from that class.
  • internal: The type or member can be accessed by any code in the same assembly, but not from another assembly.
  • protected internal: The type or member can be accessed by any code in the assembly in which it is declared, or from within a derived class in another assembly. (as in protected OR internal)
  • private protected: The type or member can be accessed only within its declaring assembly, by code in the same class or in a type that is derived from that class. (as in private OR protected)

How Far Behind Are Your Dependencies?

The world keeps turning and when you do not actively spend time to update the dependencies of your projects, you will fall behind. First one minor version, then another, and before you know it, there are a few new major versions released and your project is full of security risks.

We all know that this happens, and even when we try to keep everything up to date, sooner or later we fall behind. We cannot give up, because that makes it even worse. There is only one way forward: Update your projects. But where should we start? And how bad is it now?

How to Use DbUp Without Embedded Scripts

I use DbUp for all my database migrations. It is super simple and when something goes wrong, you can fix it without much effort. So far, I never had any problems with the embedded scripts approach as it is explained in the Getting Started section of the official documentation and in my blog post.

However, while trying to get Docker working with DbUp I noticed that I must do a lot of extra work when I need to create a separate DbUp image for every migration project I use. It would be much simpler if I could reuse my DbUp project and only replace the SQL scripts. Unfortunately, the embedded scripts approach requires a rebuild of the project and I am back at the beginning.

Creating Let’s Encrypt Certificates on Windows with Win-Acme

Let’s Encrypt offers free SSL certificates to protect the traffic between your website and your visitors. Earlier this year I wrote about the hoops you need to jump through to use those certificates on Azure. This post shows you a way to use Let’s Encrypt certificates on your on-premises servers.

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

The Mysterious Error in IIS When You Run an HTTP Site and Activate SNI

A few weeks ago, we ran into a strange problem. We were in the middle of our Let’s Encrypt rollout, in which we create a dedicated certificate for each of our domains. Since we run multiple domains on a single web server with only one IP address, we need to activate SNI (Server Name Indication). That worked on all our servers, except one. That server gave us this useless error page:

A system error has occurred. Try again and contact the system administrator.

How to Generate a Missing project.assets.json in Azure DevOps

We started a few weeks ago to target .Net Standard in our class libraries. While our applications remain for the foreseeable future on the .Net (Full) Framework, we like to start moving code towards .Net Core. Building our solutions in Visual Studio worked without any problems, but as soon as we tried to do that in Azure DevOps, we ran into this error:

C:\Program Files\dotnet\sdk\2.2.105\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(208,5): Error NETSDK1004: Assets file 'c:\agent\_work\95\s\***\obj\project.assets.json' not found. Run a NuGet package restore to generate this file.

How to Activate TLS 1.2 on Windows Server 2008 R2 and IIS 7.5

There is always that one machine that you cannot upgrade to a current version because some dependencies outside of your control demand that specific configuration. You may postpone the inevitable, but one day you run out of luck. If your box is a web server, that day will come sooner than you think.

Out of the box, IIS on Windows Server 2008 R2 offers Transport Layer Security only in version 1 (TLS 1.0). That version is outdated and should not be used for securing any HTTPS traffic. Unfortunately, you do not see the version your browser uses to connect to a web server and so it may be that this protocol is still active. If this is the case, your users will not be able to visit your web site when all major browsers block that version at the beginning of 2020.