How can we protect our MVC2 code? - security

In a normal ASP.NET Website there is a Web Deployment Project that we can use to pre-compile our entire website and then we can safely upload this project to our production server in order to protect our code.
What can we do for ASP.NET MVC 2?
Link to it as is available today (RTM version)
Visual Studio® 2010 Web Deployment Projects - RTW

Make sure you install the latest security patches for your operating system and hire a good network administrator. No kidding. No matter what you do if a hacker gains control over the server he will get the code under one form or another even if it is precompiled. This being said it is a good idea to precompile the application and deploy only the assemblies instead of the source code. You could also consider obfuscating it also but this is something usually done for client applications which you deploy to your users computers and less frequently done in server side applications because you control the server.

Related

Blazor Server and Sandboxing assemblies

I'm currently working on a .NET 5.0 Blazor Server project that imports and utilizes user-uploaded .NET assemblies (in either DLL or NUPKG form). Currently, these assemblies are loaded using Collectible AssemblyLoadContexts which, if I understand correctly, is a major security hazard for both my user-base and the server itself. That said, I'm searching for methods that can sandbox the inclusion/execution of those assemblies. The main concerns that I can think of are:
Access to sensitive system information/environment variables
Access to processes
Access to internet (sockets/clients)
File System access
but I probably haven't thought about a plethora of other factors I should be aware of.
How could I achieve such feat?
ps: The server runs on a Linux machine and all uploaded assemblies must be valid architecture-irrelevant .net5 or .netStandard2.0 in order to be loaded.

IIS/ASP.Net vs NodeJs/ExpressJS

I'm very new to NodeJs/expressJs, i read tons of articles on internet and still don't understand it
is NodeJs a web server like IIS ? if so can i host an asp.net app in NodeJS ?
Is expressJs a framework like ASP.NET ?
I currently work on both IIS ASP.NET applications as well as NodeJS/ExpressJS systems and the below is what I have noted to be different:
IIS:
Windows server based
Can have strict setups such as MVC etc
Built in deployment that compiles the entire website
Setup can take quite some time to create all modals and get all
plugins working etc
Services can take some time setup and modal mapping can be tedious
NodeJS/ExpressJS:
Not Windows based. I run this typically on an Ubuntu server with
Nginx to push the domain to the public
Easy to setup and fast to get something basic online
Does not natively compile and runs files as they are
Uses npm package manager with easy to install packages
Does not have strict setups but you can technically create your own
MVC style system
Code can quickly become messy however with the correct approach you
can manage the amount of code easily.
NodeJS is not a web server. It is a backend server (Such as a REST API etc)
ExpressJS sits ontop of NodeJS to add functionality and is essentially a framework. Coupled with jade/pug you can write js inside the html.

What web server do you recommend?

For work, I need a free web server system to host a few web apps that I will develop. The server will be installed on Windows. The apps will need to be able to access a bunch of files on the intranet, and massage them. Mostly 10 people at same time will be using the apps. I would prefer to write code in .NET as it contains many great APIs, but I am not sure if the latest IIS Express has any major restrictions (number of clients connected to web server or database, etc.).
The other web servers I looked at (which are not .NET) are:
glassfish - seems that many are switching from it since Oracle stopped supporting it
wamp servers - there are many, the other day I installed wampserver and wrote an app in PHP to see how good it is. I must say PHP was very slow accessing my intranet files and processing them.
oracle weblogic server - never used it and have no idea how good it is
tomee - seems to be new and I do not know how good it is for web application development
I am wondering what do you recommend?
Thank you
first of all I very invested in TomEE. That here here is my feedback:
weblo, TomEE and GlassFish are java servers where wamp is a php/httpd one. Depending what you target it can be enough to make a choice (investment for java is more important than php).
If you choose java then weblogic is not free AFAIK.
Then TomEE is very close to TomEE giving you just all the power you need for web development so it is a safe choice (you'll benefit from a lot of integration and tools for free).
GlassFish is not bad by itself and the best way to select one server is to test it with a small app in your environment IMO.

Opensource IAM tool used in development

I am looking for an Opensource lightweight IAM to be used in development as a substitute for the real commercial IAM in production. Something with basic IAM functionalities, easy to install & easily configured to inject HTTP headers like user group.
Is OpenAM a good option? Any recommendations?
OpenAM comes from a very good pedigree...is forked from OpenSSO which is open-sourced code from the original SUN Access Manager product. OpenSSO was abandoned by Oracle after the Sun acquisition, so another company took it over and promoted a developer community around it.
Overall its a good choice for your requirements; that is:
Production-ready - yes, this version and previous versions have been used in production implementations
basic IAM functionality - it contains basic web access management functions and more than a few advanced features.
Inject HTTP headers - Yes, this is a standard function among web access management products.
In the past, a limitation with OpenAM/OpenSSO is that it required Sun Directory as the configuration store; however, this has changed with recent releases allowing other directories to be used.
Expect that installation and configuration of OpenAM to be rather command-line intensive; that is, with a minimal package installation and then options set in config files or thru utilities.
Hope that helps...

What setup are people going with for Orchard CMS and multiple sites?

I've just joined the Orchard CMS movement, but I'm having some major meltdowns about the setup. Their site has too much documentation about what I'm not looking for and it's making it tough to figure this out.
I plan to run about 15 brand new websites on one web/sql server and I have a separate development machine. I plan to make some custom themes and modules to suite each website's common and specific needs. I want to use IIS 7 and MS-SQL 2008 on the production server.
So, should I:
Just create the Orchard sites on the production server itself (With Web Platform Installer) and port in any themes and modules as necessary?
Or create the sites on the dev machine and Publish to the production environment with WebMatrix and WebDeploy?
I hate to create hello world sites on the production server and add content, themes, modules, etc as I develop them as in option 1. Or, in option 2 doing the web deploy introduces some complications such as database schema deficiencies because the site's db was created on the dev machine's SQL server and WebMatrix doesn't handle porting in the db schema during the Web Deploy (does it?). It seems option 2 makes it a lot more complicated.
What are other people doing in this situation?
Definitely the second option. WebMatrix should handle DB deployment just fine. You might want to take any problems you've faced with this to the WebMatrix support or forums.
I routinely deploy sites from my dev box to production, fwiw.

Resources