Alexander’s Blog

October 15, 2011

SharePoint 2010 Lockdown Mode (ViewFormPagesLockdown)

by @ 9:03 am. Filed under Articles, Scripting, Security/Firewalls, SharePoint, Tips & Tricks

Microsoft Office SharePoint Server (MOSS) 2007 has a feature called ViewFormPagesLockdown, or some people simply refer to it as the SharePoint lockdown feature. Fortunately, the feature also works with SharePoint Server 2010.

The lockdown feature is useful if you have a site collection that is configured for Anonymous access on a Publishing site and you want to lock it down so Anonymous users don’t have access to the Forms page (e.g. http://ServerName/Pages/Forms/AllItems.aspx). You might also be able to take advantage of this feature in another way. For example, if you ever run into an issue on a Publishing Portal configured for Anonymous access where users are unable to post comments (which are stored in a List) on a blog site, then the lockdown feature can be disabled, which will allow Anonymous users to post comments. Normally, people won’t have a problem posting comments on a blog site unless it is a Publishing site, in which case they will get a prompt to enter user credentials. In such a scenario you can disable the lockdown feature.

NOTE: By default, all publishing sites have the ViewFormPagesLockdown feature enabled.

You can either use stsadm.exe or PowerShell to enable this feature. I prefer to use PowerShell. If you want more detailed information on how to use stsadm.exe, Microsoft’s Tyler Butler has documented it here for MOSS 2007.

With PowerShell, you can easily enable or disable this feature. Here are the instructions.

  1. If you are unsure whether the lockdown is enabled, use the following PowerShell command to find out the answer.
    get-spfeature -site SiteCollectionURL
    e.g. get-spfeature -site http://www.winnetusergroup.com

  2. Look at all the features listed and see if ViewFormPagesLockdown is enabled. If you see it listed then it is enabled, otherwise ViewFormPagesLockdown is disabled.
  3. The lockdown feature can be enabled or disabled. To enable it first run the following command.
    $lockdown = get-spfeature viewformpageslockdown
  4. Now execute the following command to enable it.
    enable-spfeature $lockdown -url SiteCollectionURL
    e.g. enable-spfeature $lockdown -url http://www.winnetusergroup.com



    NOTE: To disable the lockdown feature replace the word enable with disable. For example:
    disable-spfeature $lockdown -url SiteCollectionURL

  5. At this point you can verify that the feature is enabled by running the following command. Look for the ViewFormPagesLockdown entry in the list. If it exists, the lockdown feature is enabled.



  6. According to Microsoft, if Anonymous Access is configured for the site then you need to first disable it and then re-enable it. To enable/disable Anonymous Access in SharePoint Server 2010 go to Site Actions, Site Permissions and click Anonymous Access icon on the ribbon.
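
The check in steps 1 and 2 can be run across every site collection in a web application instead of one URL at a time. The script below is an added example, not part of the original post; the URL is a placeholder, and the anonymous-access check looks only at the root web of each site collection.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell on a farm server with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-Lockdown {
    param([string]$SiteUrl)
    # With -Site, Get-SPFeature only returns features activated on that site
    # collection; an inactive feature raises an error, suppressed here.
    $feature = Get-SPFeature -Identity ViewFormPagesLockdown -Site $SiteUrl `
                             -ErrorAction SilentlyContinue
    return ($feature -ne $null)
}

function Get-LockdownReport {
    param([string]$WebApplicationUrl)
    foreach ($site in (Get-SPSite -WebApplication $WebApplicationUrl -Limit All)) {
        $row = New-Object PSObject -Property @{
            Url       = $site.Url
            # Root web only; subsites can carry their own anonymous settings.
            Anonymous = ($site.RootWeb.AnonymousState -ne 'Disabled')
            Lockdown  = (Test-Lockdown $site.Url)
        }
        $site.Dispose()
        $row
    }
}

# Hypothetical URL; replace with your own web application.
$report = @(Get-LockdownReport 'http://sharepoint.example.com')
$report | Format-Table Url, Anonymous, Lockdown -AutoSize

# Anonymous site collections without the lockdown are the ones to review.
foreach ($gap in ($report | Where-Object { $_.Anonymous -and -not $_.Lockdown })) {
    Write-Warning "Anonymous access without lockdown: $($gap.Url)"
    # Uncomment to enable, then toggle Anonymous Access off and on (step 6).
    # Enable-SPFeature -Identity ViewFormPagesLockdown -Url $gap.Url
}
```

A site collection where the lockdown was switched off on purpose, such as the blog comment scenario above, will show up in the warnings and needs a manual decision.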

Copyright ©2011 Zubair Alexander. All rights reserved.

October 2, 2011

Vulnerability in SSL/TLS Could Allow Information Disclosure

by @ 10:03 am. Filed under Browsers, Security/Firewalls

Microsoft recently posted this Knowledge Base article 2588513: Vulnerability in SSL/TLS could allow information disclosure. The actual Security Advisory is posted here. According to the advisory:

“Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.”

There are at least two mitigating factors:

  1. The attack must make several hundred HTTPS requests before the attack could be successful.
  2. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Workaround

Microsoft offers the following workaround. In Windows 7, disable the TLS 1.0 protocol and enable TLS 1.1 and TLS 1.2 because they are not affected. Unfortunately, Internet Explorer on Windows XP doesn’t offer TLS 1.1 or TLS 1.2.

NOTE: Neither Mozilla Firefox nor Chrome supports TLS 1.1 and TLS 1.2. Therefore, your best bet is to use Internet Explorer 9 on Windows 7 or Opera 10, which also supports TLS 1.2.

In Internet Explorer 9, go to Tools, Internet options, and on the Advanced tab clear the TLS 1.0 check box and select the TLS 1.1 and TLS 1.2 check boxes.

Does Fix It Really Fix Things?

If you use the Fix it solution in the KB article that automatically creates a restore point and then supposedly fixes the problem, you will notice that it DOES NOT clear the TLS 1.0 box. I am not sure why when the entire hoopla has to do with TLS 1.0 and SSL 3.0 in the first place. All it does is enable TLS 1.1. Perhaps enabling TLS 1.1 takes precedence and therefore TLS 1.0 is not used, but I don’t feel comfortable using any scripts or wizards created by a vendor because there is no way for me to know exactly what the wizard does behind the scenes. Besides, I have been burned in the past by one of Microsoft’s wizards that installs a security template, so I am pretty hesitant when it comes to wizards. I’d much rather make the change manually so I can reverse the process manually if necessary.
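
One way to see what a wizard or a manual change actually left selected is to decode the per-user SecureProtocols value that backs the Advanced-tab check boxes. The script below is an added example, not from the original post or the KB article; the three sample values are constructed for illustration.

```powershell
# Added example, not from the original post or the KB article.
# Bit values of the SecureProtocols DWORD behind the Advanced-tab check boxes.
$ProtocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x008 },
    @{ Name = 'SSL 3.0'; Bit = 0x020 },
    @{ Name = 'TLS 1.0'; Bit = 0x080 },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = 0x800 }
)

function Get-EnabledProtocols {
    param([int]$Value)
    foreach ($p in $ProtocolBits) {
        if ($Value -band $p.Bit) { $p.Name }
    }
}

function Test-Tls10Workaround {
    param([int]$Value)
    $on = @(Get-EnabledProtocols $Value)
    New-Object PSObject -Property @{
        Value             = ('0x{0:X3}' -f $Value)
        Enabled           = ($on -join ', ')
        # Workaround as described above: TLS 1.0 cleared, TLS 1.1 and 1.2 selected.
        WorkaroundApplied = (($on -notcontains 'TLS 1.0') -and
                             ($on -contains 'TLS 1.1') -and ($on -contains 'TLS 1.2'))
        # Protocols the advisory names as affected that are still selected.
        AffectedStillOn   = (@($on | Where-Object { 'SSL 3.0', 'TLS 1.0' -contains $_ }) -join ', ')
    }
}

# Constructed sample values: SSL 3.0 + TLS 1.0; the same with TLS 1.1 added
# while TLS 1.0 stays selected; TLS 1.1 + TLS 1.2 only.
$results = @(0x0A0, 0x2A0, 0xA00 | ForEach-Object { Test-Tls10Workaround $_ })

# The current user's actual setting, if the value is present.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SecureProtocols
if ($current -ne $null) { $results += Test-Tls10Workaround $current }

$results | Format-Table Value, Enabled, WorkaroundApplied, AffectedStillOn -AutoSize
```

Running it before and after a change shows exactly which check boxes moved, which also gives you the value to restore if you need to reverse the change.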

One challenge that you might have to face is whether the Web sites you visit support TLS 1.1 and later or not. Until there is a solution (remember this is only a workaround) I would rather implement the workaround just to be on the safe side and take my chances with Web sites not supporting the newer version of TLS.

As a best practice, always sign out of the Web site and then close your browser to ensure that your SSL/TLS session is properly terminated.

August 5, 2011

Attention Hackers: You Can Win $200,000 from Microsoft

by @ 9:19 am. Filed under News, Security/Firewalls

Microsoft yesterday announced the BlueHat Prize, which is designed to generate new ideas for defensive approaches to support computer security. The goal is to inspire security researchers to develop innovative solutions intended to address serious security threats.

Here are the details. The inaugural Microsoft BlueHat Prize contest challenges security researchers to design a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities. The solution that is considered to be the most innovative by the Microsoft BlueHat Prize board will be presented the grand prize of US $200,000.

First prize: $200,000 (USD)
Second prize: $50,000 (USD)
Third prize: MSDN Universal subscription valued at $10,000 (USD)

January 27, 2011

FTC’s Proposed “Do Not Track” List

by @ 5:51 pm. Filed under Browsers, News, Security/Firewalls

When the Federal Trade Commission (FTC) came out with the Do Not Call list idea, everyone loved it. Okay, maybe not everyone. I am sure the telemarketers didn’t like the fact that they can’t pick up the phone and start calling anyone they want. But I bet they like it when they themselves don’t receive these uninvited calls. The Do Not Call list is by far one of the most popular successes the FTC ever had. Now the FTC wants voluntary ‘Do Not Track’ for the Web. The details are posted on the FTC site in this 122-page PDF file. The document was posted on December 1, 2010 and is essentially a Do Not Call list for online behavioral advertising.

Just three days ago on January 24, 2011, Mozilla and Google announced their browser Do Not Track features. You can read more about their approach here. There are pros and cons to the way different companies will implement their features. For example, adding a Do Not Track HTTP header in the browser like Mozilla’s plan for the Firefox browser seems to have an advantage in the sense that even if the user clears the browser cache, the opt-out setting will remain in place. If the feature is implemented as opt-out cookies or an opt-out registry, the results will be different and the setting may be lost. Once the dust settles we will know exactly how different browsers will end up implementing this feature. Frankly, at this point it’s too early and as some wise guy/gal once said, the proof is going to be in the pudding.

Microsoft has already announced in the first week of December that it would add a new Tracking Protection feature to Internet Explorer (IE) 9. This feature is expected to show up in IE9’s release candidate (RC) version sometime in Q1 2011. This is good news because according to some reports Microsoft removed similar features from IE8 because of the pressure from online advertisers.

September 1, 2010

How to Manage Previewers in Outlook 2010

by @ 9:03 am. Filed under Applications, Exchange/Outlook, Security/Firewalls, Tips & Tricks

If you are unable to preview Word, Excel and PowerPoint files in Outlook 2010, make sure that the previewers are not disabled. The attachment previewers are enabled by default. Here’s how the previewers work in Outlook 2010.

First of all, make sure that the application for the attached file you are trying to preview in Outlook is installed. In other words, if you are trying to preview a Word file in an Outlook message then Microsoft Word must be installed on your computer. For security reasons, you have the option to selectively remove some or all of the attachment previewers.

If you want to selectively use only certain attachment previewers in Outlook then follow these steps.

  1. Click the File tab.
  2. Click Options.
  3. Click Trust Center.

  4. Under Microsoft Outlook Trust Center, click Trust Center Settings, and then click Attachment Handling.
  5. Do one of the following:
    • To turn off all attachment previewers, click Turn off Attachment Preview.
    • To turn off a specific attachment previewer, click Attachment and Document Previewers, clear the check box for a previewer that you want to turn off, and then click OK.


Copyright ©2010 Zubair Alexander. All rights reserved.
