Thursday 30 May 2013

Ambient Transaction

System.Transactions.dll supports transaction-oriented programming in SQL Server, ADO.NET and MSMQ. The core abstraction is the Transaction class, which implements IDisposable. An implicit programming model is also supported via the TransactionScope class. This is where you will start hearing terms like "ambient transaction context".

Saturday 18 May 2013

Good Books on Active Directory, Network Operating System and Cloud Computing

Active Directory, 5th Edition, May 17th 2013, O'Reilly, Brian Desmond, Robbie Allen et al. - recommended reading. A great book on all things Active Directory.

For wider reading on network operating systems, and how they might change with the cloud, Barrie Sosinsky's books are good ones to dive into:

Networking Bible, Barrie Sosinsky, September 2009, John Wiley and Sons (almost a thousand pages of networking goodness)
Cloud Computing Bible, Barrie Sosinsky, January 2011, John Wiley and Sons

Active Directory Programming in .NET and the Concept of the "Network Operating System"

Programming the Active Directory

Directory Services are a specialized part of .NET and thus the API functionality is contained in its own dedicated DLL (System.DirectoryServices.dll).

AD programming, specifically, can be done via the System.DirectoryServices.ActiveDirectory namespace which provides access to the ADSI, although DirectoryServices provides access to a wider range of directory services, such as NDS (the Novell NetWare directory service).

ADSI is the name of the programmatic interface into Active Directory. Admin tasks such as backing up databases, testing printers and administering user accounts can be done via the ADSI (Active Directory Service Interfaces).

Evolution of Directory Services

Here is an interesting comparison of AD versus Novell NetWare. More interesting than the comparison, is the discussion of the evolution of directory services, from a "white pages" service of people on the network, to a way to access network resources such as printers, and apply security permissions. AD thus has quite an impressive scope. There is also the provision of "directory-enabled infrastructure" such as shared file systems.

Some people call this the "NOS" or Network Operating System. Windows NT introduced the notion of "domains" (security and administrative boundaries within the network) and the related notion of "domain controllers" (administrative services in the "NOS"). There were certain limitations in the initial releases of Windows NT (such as domains supporting only a maximum of 40,000 objects - users, groups, computers), causing Microsoft to later embrace the LDAP standard in the design of new technology.

X.500 DAP and Some of its Limitations (Directory Server Technology from late 80s to late 90s)

In 1988, the ITU and ISO came together to develop the X.500 model for directory services, based on the OSI model (rather than the more lightweight TCP/IP). This led to the development of a more lightweight version called LDAP. Version 3 of LDAP was published in 1997. LDAP-based directory servers have been developed by many vendors including IBM, Microsoft and Novell.

Basic X.500 Concepts and Terminology

X.500 refers to Directory System Agents (DSAs) i.e. directory servers, each holding part of the Directory Information Base (DIB). The DIB objects are structured by a Directory Information Tree (DIT). As LDAP emerged, the first LDAP-based servers were gateways into X.500 servers, before the trend came to break away from X.500 altogether.

Active Directory Concepts

The basic structuring concepts in AD are DOMAINS, DOMAIN TREES and FORESTS. This is the logical structure of AD. Domains in AD consist of a hierarchical structure of containers and objects, like in X.500, and have a DNS name as a unique identifier (e.g. techno.com). Adding europe.techno.com and asia.techno.com would create a hierarchical structure called a domain tree. Domains in a domain tree trust each other via transitive trusts (if A trusts B and B trusts C, then A trusts C). A FOREST is a collection of one or more domain trees. Domains are administered by domain controllers.

Time Synchronisation in the Forest

This is based on Network Time Protocol (NTP).

Thursday 16 May 2013

Directory Services - the "White Pages" of the Network

Directory services provide detailed info about users or objects on a network. Early examples include the WHOIS service. Later in the 1990s came Novell NetWare. Then came LDAP, which was designed to run on TCP/IP. AD was designed to run on LDAP.

Some abbreviations needed to understand the LDAP specification:

TLS - Transport Layer Security
PDU - Protocol Data Unit
SASL - Simple Authentication and Security Layer

AD technology is a shining example of Microsoft confidently embracing Internet technology such as LDAP and TCP/IP. AD also borrows a lot of concepts from the X.500 directory structure.

What is wusa.exe?

wusa.exe is the Windows Update Standalone Installer. It lives in %windir%\System32. It is available on Windows Server 2012 as well as Windows 7 and 8. It is used to install "update packages" with .msu extension.

Windows Groups and Roles - A Peaceful Coexistence

Ah, the dilemmas of enterprise authorization! Groups, or roles, for my permissioning, groups or roles, I query? The two need not be conflicting, necessarily.

Roles have the positive externality of existing outside of Active Directory (AD). Because they are external to AD, they can be flexibly employed to allow authorisation of any system.

They can work together by making membership of the role a group! Then update the group to give everyone in the group that role! Amazing!

A Windows Cloud in the Azure Sky (backed by Solid Data Centers)

Windows Azure has had a lot of publicity of late, as Microsoft's flagship cloud platform, the latest nuance in its PaaS offering (Platform as a Service). In PaaS, the platform provider provides the data center facilities and tools to deploy applications.

Locations of Azure datacenters include San Antonio, Texas (a migration of their Quincy, Washington site), Hong Kong and Dublin, Ireland. A good way to track datacenter activity is the site datacenterknowledge.com.

net group

The Power of net group (a.k.a. net groups)

This command is used to manage groups in Windows domains.

e.g. net group <groupname> /add

will add the group <groupname> to the domain.

Without parameters, it displays the name of a server and the names of groups on that server.

The Limitation of net groups

However, one should be careful. This command is only used for global (domain) groups; there is a corresponding command, net localgroup, for local groups. Note the singular, localgroup, not localgroups.

The nice thing about net localgroup is you don't need to be on a domain controller for this to work. You can run this command on any Windows PC. Some familiar local groups include Administrators and Event Log Readers.

net group itself can only be used on a Windows domain controller!

The Domain Controller lingo hails from the world of Microsoft Servers. In NT Server, one controller was configured as the Primary Domain Controller (PDC) with the others being mere Backup Domain Controllers (BDCs). Updates such as password changes and group membership could only be made via the PDC, which would then propagate changes to all the BDCs responsible for authenticating users to the domain. From a DR perspective, if the PDC were to go down, a BDC could be promoted to PDC status. PDCs are recommended to be on dedicated machines running nothing else owing to their critical nature.

Windows Joe Knowledge Base

These days a Modern Windows Joe (MWJ) needs to know more than just .NET programming. And knowing .NET programming requires more knowledge than just syntax and keywords. Here are some CONCEPT areas that Windows Joe needs to be fully familiar with:

DATABASES
COMPUTER SECURITY, including DATABASE SECURITY
NETWORKING PROTOCOLS
DIRECTORY SERVICES

These topics can be classified as the "broader body of knowledge" (BBOK) required by a Windows Joe/.NET programmer. Additionally, the following WINDOWS SYSADMIN skills are useful:

How do you administer a Windows Server? (e.g. what commands can you, or might you, want to run on a domain controller)
How do you administer Scheduled Tasks?
How do you administer a Database?
How do you maintain an Active Directory install?

TOOLCHAINS (e.g. for continuous integration, unit testing).

Recognised Security Tomes and Resultant Concepts

Recognised security tomes include:

Bruce Schneier's Applied Cryptography

and "The Rainbow Series", which includes requirements for systems that process sensitive information:

The Orange Book - nickname for the TCSEC (Trusted Computer System Evaluation Criteria), mandates a Security Policy to be defined for the computer system. The security policy must be "explicit, well-defined and enforced".

An interesting concept that the Orange Book refers to is the distinction between Mandatory and Discretionary Access Control. Mandatory Access Control imposes system-wide limitations on "subjects and objects", whereas Discretionary Access Control is more focused on individual user access needs (and access control based on the "groups" to which they belong). The Orange Book doesn't discuss specific implementation abstractions of these concepts though.

The Rainbow Books came out of a recommendation by a Task Force set up in 1967 to analyse computer security safeguards to protect sensitive information. These concerns relate not just to building secure systems, but evaluating and auditing them as well. The Orange Book addresses these dual concerns.

There is also a set of Compact Disc format specifications also known as "The Rainbow Books" (including the 1988 CD-ROM format specification, 1993 VCD Specification).

Role-Based Access Control (RBAC)

A computer systems concept, RBAC (role-based access control, also known as role-based security) is a system of restricting access to computer resources according to the roles assigned to users.

SQL Server Security - Unleashed

What you Will Learn

What server principals are
What types of server principals there are
What schema to query to access the "principals" list!

The Low Down on SQL Server Security

An average Windows Joe needs to know something about databases, and SQL Server databases in particular. But you can't claim to be a database know-it-all without knowing "un peu" of SQL database security, in particular the concepts of Principals and Securables.

A great book to accelerate your learning about SQL Server Security is "SQL Server (2008 R2) Unleashed" from SAMS Publishing (famous for their "Unleashed" series and "How To" books). The concepts are well-presented and can save you time before diving into specific details strewn across the MSDN jungle.

Speaking of concepts, let's introduce the most basic ones; requestors of resources, resources and permissions. Turns out, these concepts have a rather different terminology in the SQL Server worldspace.

1. A Requestor of a SQL Server Resource is henceforth known as a Principal. These principals may be Windows users, SQL Server users and so forth.

2. A SQL Server resource is henceforth known as a Securable.

3. Permissions link Principals with Securables.

But you can't know-it-all about SQL Server databases without having some tools to practice with. For this, the SQL Server 2008 R2 Management Studio is an excellent choice.

Some simple queries to get you "synced" with the SQL Server Security spirit:

1. select * from sys.server_principals

This so-called "catalog view" in SQL Server (nothing more than a "window on metadata") identifies all "server-level" principals and what type they are; an example would be the "sa" account, which has type "SQL_LOGIN" (and incidentally cannot be removed). Other types include WINDOWS_LOGIN (self explanatory!), WINDOWS_GROUP and SERVER_ROLE. All are types of PRINCIPALS in a SQL Server database.

However, there is another, less documented type of "server-level" principal, the CERTIFICATE_MAPPED_LOGIN. Some systems use digital certificates as an additional means of authenticating users.
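Building on the catalog view above, here is an added example (not from the Unleashed book or the original post) that turns the raw select * into a small audit query: it lists every server-level principal with its type, whether it is disabled, and whether it sits in the fixed sysadmin role, so that certificate-mapped and other unusual logins with high privilege stand out. It assumes only the standard sys.server_principals and sys.server_role_members catalog views in master.

```sql
-- Added example: audit of server-level principals and sysadmin membership.
-- Assumes only the standard catalog views sys.server_principals and
-- sys.server_role_members; run it in the master database.
SELECT  p.name,
        p.type_desc,          -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP,
                              -- CERTIFICATE_MAPPED_LOGIN, ASYMMETRIC_KEY_MAPPED_LOGIN ...
        p.is_disabled,
        p.create_date,
        p.modify_date,
        CASE WHEN rm.member_principal_id IS NOT NULL
             THEN 1 ELSE 0 END AS is_sysadmin
FROM    sys.server_principals AS p
        -- Locate the fixed sysadmin role by name rather than by a hard-coded id.
        LEFT JOIN sys.server_principals AS sa
               ON sa.name = 'sysadmin'
              AND sa.type_desc = 'SERVER_ROLE'
        -- A row here means the principal is a direct member of sysadmin.
        LEFT JOIN sys.server_role_members AS rm
               ON rm.member_principal_id = p.principal_id
              AND rm.role_principal_id   = sa.principal_id
WHERE   p.type_desc <> 'SERVER_ROLE'     -- roles are principals too; skip them here
ORDER BY is_sysadmin DESC, p.type_desc, p.name;
```

Members of a Windows group that is itself in sysadmin will not show is_sysadmin = 1 here, because the view only records direct role membership; review WINDOWS_GROUP rows separately.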

Wednesday 8 May 2013

log4net

log4net is a port of log4j, part of the broader Apache Logging Services project (incorporating log4php and log4cxx).