Browsing Posts in SharePoint

My fellow plumber, TechEd roomie, and Notepad MVP, Bil Simser will be talking about Windows SharePoint Services (WSS) 3.0 at the Calgary .NET User Group on Tuesday, October 17, 2006 from 5 to 8pm. Full details and registration can be found here. If you want to find out what’s new and cool in SharePoint Land, Bil’s the man to talk to!

Fellow plumber, Bil Simser, asks the question how the heck does someone debug SharePoint as a non-admin. Elementary, my dear Simser, elementary…

The fundamental problem that Bil is experiencing occurs with SharePoint, ASP.NET, or any app that runs under a different security context than your own. A normal user can only debug applications running under his/her own security context.* Administrators have the SeDebug privilege, which allows them to debug processes running under any security context. Granting your user the SeDebug privilege gives them tremendous power, which is exactly what you’re trying to avoid. (With SeDebug, you can open any process, including system processes with full permissions. If you can do that, you own the box. I leave it as an exercise to the reader to figure out how, given only SeDebug, to elevate your normal user to be a member of the local administrators group.) I know of a few solutions to allow debugging of server processes:

  1. Develop server apps in an isolated virtual machine and use an admin account.
  2. Run as admin when debugging server apps, but run as a normal user while developing them. (This can be done using MakeMeAdmin and then running devenv.)
  3. Run the server app under your user account, though this may mean placing your username/password in clear text, which is non-ideal. (This is the strategy used by the Visual Web Developer Web Server – aka Cassini – that ships with VS 2005.)

* Note that although you don’t require any special privileges to debug a process running under your own security context, Visual Studio does enforce that you need to be a member of the Debugger Users group.
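As an added example (not part of the original post), one way to confirm that nobody outside the Administrators group has been handed the debug privilege discussed above is to audit the [Privilege Rights] section of a `secedit /export /cfg` dump. The sample export text, the SIDs and the account name `devbox\jdoe` are constructed for illustration.

```python
# Added example: flag non-administrator holders of SeDebugPrivilege in a
# "secedit /export /cfg policy.inf" dump. The sample text is constructed.
import configparser

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of an export. A real export file is UTF-16 encoded,
# so read it with open(path, encoding="utf-16") before parsing.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1004,devbox\\jdoe
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(export_text, privilege="SeDebugPrivilege"):
    """Return the SIDs/account names granted `privilege` in the export."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.optionxform = str  # keep privilege names case-sensitive
    parser.read_string(export_text)
    if not parser.has_option("Privilege Rights", privilege):
        return []
    raw = parser.get("Privilege Rights", privilege)
    # SIDs are written with a leading '*'; account names appear bare.
    return [e.strip().lstrip("*") for e in raw.split(",") if e.strip()]


def unexpected_holders(export_text, allowed=(ADMINISTRATORS_SID,)):
    """Holders of SeDebugPrivilege that are not on the allow-list."""
    return [h for h in privilege_holders(export_text) if h not in allowed]


if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE_EXPORT):
        print("SeDebugPrivilege granted outside Administrators:", holder)
```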

EDIT: Additional information added below related to Bil’s comment.

Bil is correct. If you run Visual Studio as a non-admin when developing server apps and you want to debug, you need to break stride and launch another copy of Visual Studio using MakeMeAdmin or runas. This is highly non-ideal. Is it a huge security risk to run Visual Studio under an admin account while the rest of your log-in session is running as a normal user? Somewhat, but it’s a lot better than running your entire log-in session as an admin.

Also remember one of the main reasons for developing apps as a non-admin – to ensure that you are running/debugging with credentials similar to what your end users will be using. (i.e. Your app isn’t writing to protected regions of the file system or registry to which normal users don’t have access.)

With server apps, the story is a bit different. You want your server app to be running with different credentials – the credentials of the account that the application will be running under in production – NETWORK SERVICE or other service account. The safest solution is #1 above. Develop server apps as an admin in an isolated virtual machine. Second would be running only Visual Studio under elevated privileges using technique #2. Although technique #3 above works, you run the risk of developing your server code under unrealistic conditions – for instance, you’ll have a logged in user with a loaded HKCU hive.

If you want to try option #3, you’ll have to configure your application pool and/or ASP.NET application to run as your current (non-admin) user. For the app pool identity, you can configure that using the IIS Manager MMC. For ASP.NET, you have to modify the following in machine.config:

<configuration>
  <system.web>
    <!-- attribute names are case-sensitive: userName, not username -->
    <processModel userName="" password=""/>
  </system.web>
</configuration>

Although you can store this in cleartext, I would recommend against it for obvious reasons. Take a look at aspnet_setreg.exe and the following KB article on how to store this information securely:

How to use the ASP.NET utility to encrypt credentials and session state connection strings
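An added example, not from the original post or the KB article: a small check that flags `processModel` or `identity` elements whose password is a literal value rather than an aspnet_setreg registry reference. The sample configs, the account `DEVBOX\jdoe` and the key path `SOFTWARE\ExampleApp` are constructed placeholders.

```python
# Added example: report ASP.NET config elements that carry an account
# password in clear text rather than as an aspnet_setreg registry reference.
import xml.etree.ElementTree as ET

# Constructed samples. The "registry:" values follow the reference form
# used with aspnet_setreg.exe; SOFTWARE\ExampleApp is a placeholder key path.
CLEARTEXT = """<configuration><system.web>
  <processModel userName="DEVBOX\\jdoe" password="Passw0rd!"/>
</system.web></configuration>"""

PROTECTED = """<configuration><system.web>
  <processModel
    userName="registry:HKLM\\SOFTWARE\\ExampleApp\\processModel\\ASPNET_SETREG,userName"
    password="registry:HKLM\\SOFTWARE\\ExampleApp\\processModel\\ASPNET_SETREG,password"/>
</system.web></configuration>"""

# Stock setting: the worker process runs as the built-in account.
DEFAULTS = """<configuration><system.web>
  <processModel userName="machine" password="AutoGenerate"/>
</system.web></configuration>"""

CREDENTIAL_ELEMENTS = ("processModel", "identity")


def cleartext_credentials(config_xml):
    """Return (element, attribute) pairs whose value is a literal secret."""
    findings = []
    for element in ET.fromstring(config_xml).iter():
        if element.tag not in CREDENTIAL_ELEMENTS:
            continue
        password = element.get("password", "")
        # Empty values, the built-in "AutoGenerate" marker and registry
        # references do not expose a password in the file itself.
        if (password and password != "AutoGenerate"
                and not password.startswith("registry:")):
            findings.append((element.tag, "password"))
    return findings


if __name__ == "__main__":
    for name, xml in (("cleartext", CLEARTEXT), ("protected", PROTECTED)):
        print(name, cleartext_credentials(xml))
```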

Bil Simser has a great blog post on getting Windows SharePoint Services v2 and SharePoint Portal Server 2003 set up for development in your favourite virtual environment. Given that I’m just doing the install dance with WSS v2, this is great info. I’m taking a twist and seeing if I can get things going with VS 2005 compiling to .NET 1.1 using some MSBuild tricks. I’ll report my success/failure in a few days time.

As usual, I’ve been reading voraciously about all things .NET and here’s a selection of articles and blog posts that every developer should read in their copious amounts of spare time over the holidays.


Our first stop is security… Security for developers has long been near and dear to my heart. So it should come as no surprise that I’m a big fan of Keith Brown’s work. His articles on security for developers are very insightful and his book, The .NET Developer’s Guide to Windows Security, should be on every developer’s bookshelf. Keith recently published an article in MSDN Magazine entitled Encrypting Without Secrets, where he lays out a foundation for encrypting data (such as credit card numbers) without placing the decryption keys on an internet-accessible server. He uses a technique very similar to SSL where he uses public/private key cryptography (RSA in his example) to encrypt a dynamically generated symmetric key (AES aka Rijndael, pronounced rain-doll). You keep the private (decryption) key on a secure server in your back office and the public (encryption) key on your web server. Even if the web and/or database server are compromised, the attacker doesn’t have the decryption key to make use of the encrypted credit card numbers he (or she) just harvested. Very cool stuff.


Our next stop is SharePoint land… Bil Simser has a great blog post that discusses why you shouldn’t use your lightsabre to slice cheese. (Because it will melt the cheese, silly!) His point is that although SharePoint is a cool tool, you should use it for what it was designed for. Like any tool, it cannot be all things to all people. A good developer/architect knows his toolset and knows how to pick the right tool for the job. When all you’ve got in your toolbox is SharePoint, everything looks like a webpart. If this is you, learn a few more tools so you can pick the right one for the job.


Last stop is the world of ASP.NET… There are a wide variety of ways to redirect a user to a new web page and ASP.NET 2.0 adds some new tricks. Ting-hao Yang enumerates the options, including pros and cons of each technique, in this blog post. A very worthwhile read for anyone doing ASP.NET development, either 1.X or 2.0.

I present to you, my dear readers, this humble set of links that I’ve found helpful in my own learnings in the arcane (sometimes black) art of SharePoint development. Honestly I’ve had this list kicking around my desktop for a few months and have been meaning to blog about it. (I put them together for a course that I taught on SharePoint development and webparts awhile ago.) So hopefully you find them useful on your path to SharePoint greatness.


Let’s start with the basics on SPS architecture and webparts:




That’s fun, but is there a webpart template that you can use in Visual Studio 2003? I’m glad you asked:

That’s all great, but I hear that you can connect web parts together and do other funky things. Where can I get a more detailed discussion on creating advanced web parts?


What if my webpart needs some external resources like an image or client-side script. Where do I put it? And what’s the difference between wpresources and _wpresources anyway?


OK, all this webpart stuff is really cool, but I’m feeling lazy. How can I drag and drop my way to a webpart like I do with ASP.NET User Controls?


But I want to code a really cool webpart that might not be granted sufficient permissions by CAS. What should I do?



Now that I’ve finished developing my webpart, how can I easily install it on a production server?


I’ve got a bunch of content that I want to move from one server to another. Do I have to code up some gnarly T-SQL to make it happen? No, just learn your way around stsadm.exe and smigrate.exe:



I still need more information. Where should I start looking?


For all things SharePoint, don’t forget to subscribe to Bil “SPS God” Simser’s blog.

 

And what, you might ask, does this have to do with System.Web.UI.WebControls.WebParts in ASP.NET 2.0? Not much, but that’s a post for another day…

After months of preparation and much secrecy, Plumbers @ Work has been released into the wild by the .NET Plumbers. The regular podcast is part of MSDN Canada Radio and will be featuring John Bristowe, Dan Sellers, Bil Simser and myself. We’ll be talking about current and upcoming developments in .NET and Microsoft technologies. Our inaugural episode will discuss hot topics like:

  • Introducing the podcast
  • VS 2005/SQL 2005/BizTalk 2006 - Here they come!
  • SharePoint vNow and vNext
  • Drinking from the .NET 2.0 firehose
  • Half-time show
  • Security – It’s a process not a technology
  • Developing as a non-admin
  • Microsoft hardware
  • A walk down memory lane with Microsoft Bob
  • Xbox 360 – Should I get one?

Without further ado, I present to you:

Plumbers @ Work – Episode 1 – Mostly Harmless

You can catch the RSS feed here. You can leave us feedback and suggestions on the podcasts at .NET Plumbers.

Microsoft just released a boatload of SharePoint templates for everything from a HelpDesk Dashboard to RFP Management to Change Management and more. 30 new templates in total with both standard SPS and custom versions. All free downloads and customizable to your needs. So if you need to set up an SPS site quickly, it’s worth taking a look.