What security risks are associated with attaching remote debugger to IIS? - visual-studio

I'm a web developer. I used to work in an environment where I could build entire production web sites and run them in local IIS for debugging purposes.
I recently switched jobs and now that's not allowed anymore. Security policy (please don't ask about it) does not allow for me to run IIS on my development workstation. However, it seems that there is no reason why I may not attach a remote debugger (msvsmon.exe) to the IIS running the development web site because it is not public-facing (neither is my workstation public facing, but let's not talk about the security policy that I have no control over).
I would like to know what security concerns there are for using the remote debugger. The documentation says that UDP port 135 must be open between the remote development workstation and the web server being debugged...
Is there any particular security concern that I should bear in mind?

The only security concern would be internal traffic sniffing on that port: in case HTTPS traffic was being debugged and the unencrypted values were part of what was being debugged, this data would likely go over the wire unencrypted.
Also, the vulnerabilities in the service that receives the UDP packets could be futzed with (again internally) to gain access in a way that would normally not be available (UDP port listening off).

Related

Fiddler not capturing some connections

I'm trying to use Fiddler version 5.0.20202.18177 (latest as of writing) to determine the URLs used by various online / web installers.
This works fine in most cases. For example, with SpotifySetup.exe:
However, this does not work in some cases. For example, with DropboxInstaller.exe and bitdefender_online.exe:
I have ensured that:
HTTPS decryption is set up for all processes:
All types of connections are being captured:
Windows' proxies are set as expected.
All Windows 10 AppContainer Loopback exemptions are in place:
Running Fiddler as administrator doesn't make a difference.
I would have guessed that the executables simply aren't utilising the proxy but, as far as I'm aware, if the proxy is set at the Windows level then they can't override that?
A program can make use of the proxy defined in the Windows Internet settings, but it can also ignore those settings and connect directly to the Internet.
The proxy settings are only used automatically for programs that use an HTTP client provided by Microsoft (e.g. WinHTTP for C/C++ or a .NET HTTP client implementation).
All other programs that use their own HTTP client can query the Windows proxy settings and apply them, but this is optional. From a Windows perspective those programs just open TCP connections; what protocol is used on the connection is unknown to Windows, hence Windows could not enforce that a proxy is used even if it would try to do so.
By default, even programs that come with Windows, like the command-line tool curl, ignore the Windows proxy settings.
Dropbox for example has their own proxy settings within the Dropbox client. There you have to configure Fiddler as proxy.
Bitdefender also seems to have its own proxy settings where you have to configure Fiddler.
After my discussion with Robert, I ended up abandoning Fiddler, setting up a VirtualBox VM running pfSense Community Edition (free) + Squid3 with HTTPS Interception and Access Logging, installing the pfSense's root CA certificate in my test Windows VM, and changing my test Windows VM's default gateway to the LAN IP address of the pfSense, which worked.
In the case of the Dropbox example, it was initially logging TCP_TUNNEL_ABORTED/200 client.dropbox.com:443, so I added client.dropbox.com to the whitelist in the ACLs, then it worked and I could see the full EXE URL:
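As an added example (not part of the original posts), the Squid access log described in the last reply can be scanned for hosts that only ever appear as CONNECT tunnels, like the `TCP_TUNNEL_ABORTED/200 client.dropbox.com:443` entry, versus requests whose full URL was logged after interception. Apart from that entry, the log lines, the `example.test` hosts and the function names are constructed, and Squid's default `access.log` layout is assumed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's default access.log layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1600000000.101    312 192.0.2.10 TCP_TUNNEL_ABORTED/200 0 CONNECT client.dropbox.com:443 - HIER_DIRECT/198.51.100.7 -
1600000003.250    145 192.0.2.10 TCP_MISS/200 734003 GET https://downloads.example.test/setup/online_installer.exe - HIER_DIRECT/198.51.100.20 application/octet-stream
1600000004.900     20 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT telemetry.example.test:443 - HIER_DIRECT/198.51.100.30 -
1600000005.010     33 192.0.2.10 TCP_MISS/200 2048 GET https://telemetry.example.test/v1/ping - HIER_DIRECT/198.51.100.30 application/json
"""

def parse_line(line):
    """Split one access.log line into the fields used below, or None."""
    parts = line.split()
    if len(parts) < 7 or "/" not in parts[3]:
        return None
    result, _, status = parts[3].partition("/")
    return {"client": parts[2], "result": result, "status": status,
            "method": parts[5], "url": parts[6]}

def summarize(log_text):
    """Return (opaque_hosts, urls_by_host).

    opaque_hosts: hosts seen only as CONNECT tunnels, so no URL was logged.
    urls_by_host: full URLs logged for requests Squid could decrypt.
    """
    tunnelled, urls_by_host = set(), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines
        if rec["method"] == "CONNECT":
            tunnelled.add(rec["url"].rsplit(":", 1)[0])  # strip ":443"
        else:
            urls_by_host[urlsplit(rec["url"]).hostname].append(rec["url"])
    opaque = sorted(tunnelled - set(urls_by_host))
    return opaque, dict(urls_by_host)

if __name__ == "__main__":
    opaque, urls = summarize(SAMPLE_LOG)
    print("tunnel only (no URLs visible):", opaque)
    for host, seen in urls.items():
        print(host, "->", seen)
```

Hosts in the first list are the ones whose traffic the proxy carried without exposing any request URL, so they are the candidates for an interception ACL change like the one described above.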

Windows Firewall doesn't allow an app to spin up a server

I have a .NET Core app that, when run, spins up a gRPC server to listen for inbound network connections. The firewall allows the .NET Core app to run and listen for connections, but it doesn't allow the gRPC server to bind to any port. Even though I added a rule for the port in question to allow connections, I still can't get it to work. For other applications, the firewall prompts me if I want to allow access to a certain app, but for this case I don't get any prompt. How can I allow access to a server that runs a server?
I wasted 2 days on this and finally got the answer. A Windows update caused certain valid-to-use ports to be excluded, and as a result I couldn't run any app that listens on those excluded ports.
Here is a link to the Microsoft article.
Windows Update blocking ports
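A check for this situation, as an added example that is not part of the original post: it assumes the exclusions the answer refers to are the ones Windows lists with `netsh interface ipv4 show excludedportrange protocol=tcp`, and tests whether a port a server wants to bind falls inside one. The sample listing, the candidate ports and the function names are constructed for illustration.

```python
import re
import subprocess

# Constructed sample of the text printed by
#   netsh interface ipv4 show excludedportrange protocol=tcp
SAMPLE_OUTPUT = """\
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
     50000       50059     *
     50160       50259

* - Administered port exclusions.
"""

def parse_excluded_ranges(text):
    """Return [(start, end, administered)] from the netsh listing."""
    ranges = []
    for line in text.splitlines():
        # Data rows are two integers, optionally followed by "*".
        m = re.match(r"\s*(\d+)\s+(\d+)\s*(\*?)\s*$", line)
        if m:
            ranges.append((int(m.group(1)), int(m.group(2)), m.group(3) == "*"))
    return ranges

def blocking_range(port, ranges):
    """Return the (start, end, administered) range containing port, or None."""
    for start, end, administered in ranges:
        if start <= port <= end:
            return (start, end, administered)
    return None

def live_ranges():
    """Query the running Windows host (assumes netsh is on PATH)."""
    out = subprocess.run(
        ["netsh", "interface", "ipv4", "show", "excludedportrange", "protocol=tcp"],
        capture_output=True, text=True, check=True).stdout
    return parse_excluded_ranges(out)

if __name__ == "__main__":
    ranges = parse_excluded_ranges(SAMPLE_OUTPUT)
    for port in (50051, 5000):  # hypothetical candidate listener ports
        hit = blocking_range(port, ranges)
        print(port, "excluded by" if hit else "not excluded", hit or "")
```

A port inside an excluded range cannot be bound regardless of firewall rules, which matches the symptom of no firewall prompt appearing.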

Access to a self-hosted WCF service on azure virtual machine over the Internet

Actually, this question is kind of a duplicate of the following one, "Unable to access a locally hosted wcf service over the internet", with the only difference being that the service is hosted by a Windows service on an Azure Virtual Machine.
I can access the service on the machine and I have added an endpoint for the service port in the Azure Configuration console, but I still cannot access the service over the Internet.
The error message is that it is not possible to set up a connection.
Is my scenario technically possible on Azure? If yes, what is done wrong?
The answer to my question was pretty straightforward. Although I opened my endpoint in the Azure Management Console, the port was blocked by the virtual machine firewall (Windows Firewall). After setting in- and out- TCP port rules, the problem was gone.

Slow access to Tomcat web application from another PC

The access to my web application running on Windows 2008 Server on localhost is fast; however, when I tried to access the web application through another PC (e.g. http://xxx.xxx.xxx.xx:8080/appname), it takes about one minute to load a simple login page. Any input regarding this matter is much appreciated.
Further information: the firewall is already off and the setup is within a LAN environment without Internet access.
With this little information it is almost impossible to debug your situation. However, I'll take a guess based on what you've provided.
If you're running on an internal LAN, the problem is likely that you don't have reverse DNS configured for your server. Your server has some made-up name for which only forward-DNS exists. When Tomcat receives a request it tries to look up the hostname based on the IP address, and this can take a long time to time-out.

postgresql and firewall

I will be building server/client software on Windows, where many machines need to communicate with a PostgreSQL database running on the server. This is C++ software, so I will use libpq to connect to the database.
If I do this, will there be issues with the firewall? I'd like to make configuration as easy as possible and not have users open up firewall ports or disable their firewall.
If I do need to open up firewall ports, can I use WCF to get around the issue? Basically send a command to the server using WCF, run the PostgreSQL command locally, and get the result back (I have never used WCF but understand that it can communicate using HTTP port 80).
PostgreSQL typically listens on port 5432, which is not open by default in the Windows firewall. But the only machine where the firewall would need to be re-configured is the one where PostgreSQL is running. If you have many client machines, none of them should require firewall changes (unless they have restrictions on outbound traffic, which is rare).
Hope this helps.
You can also configure SSL connections to ensure better security.
