Securing Code On My Laptop

B

Brian Russell

I develop Web applications locally on my Windows XP (SP1) laptop using
Visual Studio. My company is concerned about security, especially if
the laptop is compromised, so I should either encrypt all files on my
computer using the Encrypting File System (EFS) or I should get the
code off my computer.

I tried to encrypt the wwwroot directory but I get a popup when running
a project that says "Error while trying to run project: Unable to start
debugging on the web server. Server side-error occurred on sending
debug HTTP request." When I view the Event Log I see an error that
says "Failed to execute request because the App-Domain could not be
created. Error: 0x80070005 Access is denied."

So clearly the system does not like the files to be encrypted. Has
anyone successfully encrypted using EFS and run projects? Are there
any other ideas about how to solve this problem? I can see only one
other answer, and that is to put the code on a network server and
develop remotely as described in the semi-isolated section of
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/tdlg_ch2.asp.
 
W

WJ

Brian Russell said:
I develop Web applications locally on my Windows XP (SP1) laptop using
Visual Studio.

Are the projects big? Howmany are there ?
My company is concerned about security, especially if
the laptop is compromised

Give it a complex password and patch it. Do not connect to internet, only do
it when you are inside your company FW.
so I should either encrypt all files on my
computer using the Encrypting File System (EFS) or I should get the
code off my computer.

I would stay away from this. If you ever lose your key and or forget the PW,
you lose the whole thing. I use pkzip (pkware suite) to zip each project.

In short, Laptop machines are alway vulnerable to theft! If your projects
are that sensitive, better do them inside your company desktop. Not laptop.
You can be abducted for ransom!

John
 
B

Brian Russell

Thanks for the response. Maybe I should have clarified. The laptop is
my computer at work. I, like other employees, bring it home all the
time to surf or do work. In addition, we will patch with SP2 soon.
Whether a project is sensitive or not, I don't really have a choice: I
must either encrypt or get it off my PC. The same holds true for any
file on my computer.

I'm not sure how using pkzip will help me. I need to develop an
application, and if the code is zipped it would be in an unusable
format.
 
S

Simon Harris

One solution would be to develop on a seperate server, and have remote
access of some form to develop when you are at home.
 
N

Nicole Calinoiu

Brian,

It's possible, but it's a wee bit of a pain. First, you'll need to create
an EFS certificate for the ASPNET user. The simplest way to do this is by
calling the EncryptFile function from advapi32.dll on a throw-away file via
p/invoke from within an aspx page run in the ASPNET user context.

Once the ASPNET user has an EFS certificate, each encrypted file it needs to
use must be shared appropriately. You can do this manually as described at
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_ntta.asp,
but that's probably way too painful to do on a file-by-file basis. Instead,
you'll probably want to call AddUsersToEncryptedFile (also in advapi32.dll)
to automate addition of the ASPNET user to all the files in your project
folder. Unfortunately, I don't know of any existing managed wrappers for
the relevant Windows API functions, so you'll probably need to roll your
own.

BTW, you might also want to account for the fact that files will be copied
to the <Windows>\Microsoft.NET\Framework\<version>\Temporary ASP.NET Files
folder when you run your web app, so it might also be a good target for
encryption.

HTH,
Nicole
 
B

Brian Russell

Wee bit is an understatement. I assumed that the access denied error
was because the ASPNET user was trying to access encrypted files of
mine. And you are right about temporary files. My solution has a
class library project located in the My Documents\Visual Studio
Projects folder, and when that is encrypted (and the Web project is
not) I get a message similar to what happens when Index Services is
stepping on the temporary files
(http://support.microsoft.com/default.aspx?scid=kb;en-us;329065).

Another problem is that I'm not the only developer, and we would all
need to do this on our machines. That would be a pretty tough sell.
I'm guessing that Microsoft just didn't intend for developers to
encrypt code.

Thank you very much for the insight. I'm still leaning towards
semi-isolated development to get the code off our laptops and onto a
server, although I'm not looking forward to that.
 
N

Nicole Calinoiu

Brian Russell said:
Wee bit is an understatement.

Yes and no. There's a one-time investment in coding the EFS sharing, but
after that the trouble should be pretty minimal since you would be able to,
for example, run the sharing code from a post-build event in VStudio.

I assumed that the access denied error
was because the ASPNET user was trying to access encrypted files of
mine. And you are right about temporary files. My solution has a
class library project located in the My Documents\Visual Studio
Projects folder, and when that is encrypted (and the Web project is
not) I get a message similar to what happens when Index Services is
stepping on the temporary files
(http://support.microsoft.com/default.aspx?scid=kb;en-us;329065).

I'm guessing that the class library project folder would presumably also
need to be EFS-shared with the ASPNET account.

Another problem is that I'm not the only developer, and we would all
need to do this on our machines. That would be a pretty tough sell.

The amount of friction added to the dev process would probably be fairly
minimal if you code up the EFS-sharing properly. However, there would still
be some additional steps added to at least the project creation process.
There is also pain inherent in working with a remote code base, as you'll
quickly discover if you attempt that approach.

I'm guessing that Microsoft just didn't intend for developers to
encrypt code.

This is far from the only situation in which EFS sharing causes
inconvenience. What I find a bit odd is that there's no mechanism in place
for specifying sharing at the folder level rather than the file level, which
would alleviate a great deal of the user pain in such scenarios.

Thank you very much for the insight. I'm still leaning towards
semi-isolated development to get the code off our laptops and onto a
server, although I'm not looking forward to that.

I'd recommend making a quick trial before you invest too much time in the
approach. It has the obvious problem of making it inconvenient to work on
code when offline (which is presumable part of the point of issuing laptops
to developers in the first place <g>). However, you'll also discover that
there are code access security issues to be addressed which will probably
involve applying CAS policy mods to all the dev laptops. Depending on how
strict you are about how you structure CAS policy, you might end up applying
separate policy additions for each project/solution. This would probably be
almost as painful as enabling EFS sharing (minus the initial sharing code
development), so it's unlikely to be worth the trade-off against permitting
offline development.
 
H

Hans Kesting

Nicole said:
Brian,

It's possible, but it's a wee bit of a pain. First, you'll need to
create an EFS certificate for the ASPNET user. The simplest way to
do this is by calling the EncryptFile function from advapi32.dll on
a throw-away file via p/invoke from within an aspx page run in the
ASPNET user context.

I understand why ASPNET would need a certificate, but would the fact that
ASPNET can now access those files also compromise security?
Would it be possible to use that account to get at files (dll's at least,
maybe even .cs/.vb files) ?

Hans Kesting
 
N

Nicole Calinoiu

Unless they're downloadable via the web UI, this wouldn't really cause any
more exposure than the accessibility via the developer's user account.
Since one wouldn't typically allow such files to be downloaded via a web
interface in a security-conscious environment (and it's not possible under
the default configuraiton either), this is unlikely to be a point of
additional risk. Was there some other approach that you thought might be
used to access the files via the ASPNET account?
 
W

WJ

Simon Harris said:
One solution would be to develop on a seperate server, and have remote
access of some form to develop when you are at home.

Developing systems over internet and or remote is not very safe. I would
rather have a Laptop lockup very well, develope the system, then bring it in
and dump to the server behind FW. I have 5 projects, I simply zip them with
complex PW, then bring the zips in and unzip them. Very simple.

John
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,904
Latest member
HealthyVisionsCBDPrice

Latest Threads

Top