We have been given the directive to make sure that when we develop we are running out of the administrator and poweruser groups to prevent security holes. What are the steps to take to make this possible, but still be able to debug, code, and install when needed?
We develop ASP.NET as well as VB.NET applications.
Thanks!
Brooke Jackson
I have been developing a web application in a team of 5+ developers using ASP.NET 2.0 using Visual C# 2005 and Visual Web Developer 2005 for 6+ months. It was an internal application for our client and was targeted at Internet Explorer 6.0. I have been always using a non-administrator account on my machine and have never run into any problems. Specifically, I have not experienced any problems with debugging. Right now I am switching to a Visual Studio 2008 and I hope everything will work just as it does now.
I am using a laptop for development. A the same time I am moving around and connecting to the internet in different places and I use my admin account only when necessary. I really believe that running an admin account for every day tasks is the single greatest security threat, just because it is so common.
Beware, there seems to be a lot of issues with running VS as non-admin.
Seems silly to me. Run VS as admin/power-user locally with whatever minimal rights you need on the network for publishing to the users and whatnot.
Just makes sure that the applications you CREATE with VS still work without those extra rights.
Use Vista, and take advantage or UAC, because that's UAC allows you to do. You can give VS full rights when needed, and the application/website limited rights.
I'm running VS2008 on Vista with UAC enabled. I've only had one issue worth mentioning.
I occasionally have weird file permission issues when I've run VS with elevated privileges then later run it without them. VS won't be able to delete the old build files, but if I delete them from Explorer its fine. Again, this only happens when switching between elevated and non-elevated permissions.
Related
When trying to install a web setup project (MSI) created in Visual Studio 2010 on Windows Vista, Windows 7 or Windows 2008 Server the setup will fail, with some generic error.
According to http://devio.wordpress.com/2011/04/26/pitfalls-installing-web-setup-msi-on-iis-7/ this is because of a compatibility problem between the setup project en IIS7.
To resolve this I've to enable/install IIS6 metabase compatibility in my windows configuration. This workaround did fix the problem, but raises 2 questions:
Does this have any (negative) impact on functionality of IIS 7?
How can I notify a user running the installation of this problem so he or she can take proper action and install the metabase compatibility component? Is it possible to pop-up the windows component configuration dialog from this install, to make life easier for the user?
I don't think this will have any impact on the application itself, as long as it's implemented the way to talk to IIS7 via its native API. Otherwise, if it doesn't support IIS7 you'd have to enable IIS6 compatibility anyway.
The standard approach to search for anything on a target machine is searching registry and file system. I don't know how it is possible in VS setup project, but e.g. WiX has special elements for this (RegistrySearch, DirectorySearch, FileSearch). Basically, this post to WiX Tips and Tricks thread shows how to check for IIS6 compatibility in WiX and block the installation if it's not enables/installed. It's rather straight-forward even if you don't know WiX, but know the concepts of Windows Installer, and it can help you translate the code into the similar thing in VS setup project.
We seem to be having one negative impact on our servers.
Everytime we roll out a .NET 4.0 application with a msi made in Visual Studio, We get a recycle of ALL our application pools, even the ones not affected by the install.
Apparently the root cause of this is the IIS 6 compatibility. ( This was reported to us by a developer of microsoft in response to our support question about this.
At the moment we have no solution. It's impossible to convert all our installers to Wix.
I've spent waaaay too much time trying to figure this out. I'm running Windows 7 and Visual Studio 2010 in a VMware Fusion virtual.
When I debug my website project, Cassini (aka ASP.NET Web Development Server) starts and the site shows in my default browser (IE). I stop the debugger, make some tweaks to my C# code, and start the debugger again. The website starts up in IE and the site displays, but its using the code base from when I initially debugged NOT including any tweaks in code between the initial debug/build and subsequent debugs/builds.
The only way I can get code changes to build and run in the browser properly is if I manually stop the ASP.Net Web Development Server from the tray and then run debug.
Has anyone encountered this? Not sure if its caused by VS2010 or the environment being a virtual on a Mac.
Manually stopping Cassini after every debug is really starting to suck.
Thanks.
Check if Visual Studio is set to recompile the projects when there are changes.
Check that Tools > Options > Projects and solutions > Build and run > On run, when projects are out of date is set to Always build.
Perhaps you will have a more pleasant experience with IIS 7.5 Express as a replacement for Cassini.
From that page:
IIS Express is a lightweight,
self-contained version of IIS
optimized for developers. IIS Express
makes it easy to use the most current
version of IIS to develop and test
websites. It has all the core
capabilities of IIS 7 as well as
additional features designed to ease
-- website development including:
-- It doesn't run as a service or
require administrator user rights to
perform most tasks.
-- IIS Express works well with ASP.NET and PHP applications.
-- Multiple users of IIS Express can work independently on the same
computer.
Here's an article to help you get started.
Figured this out. I had mapped my Visual Studio 2010 folders to a VMware Fusion share in order to make my .NET projects accessible from Mac world (for copying graphics files into the projects, etc.). Evidently there was some type of permission issue or something that did not result in any sort of alert that was causing the problem.
I remapped all VS folders (Project, Website, etc.) into the standard Documents folder of my user instance and everything began working as expected.
Thanks for the help.
We are a group of four students who have to develop SharePoint web parts for a certain project. After two weeks of trying out various options, the only possible way we could do it was to set up a Windows Server 2008 R2 64-bit virtual machine (using VMware Player) on a Windows 7 Professional 64-bit desktop with an i3 540 (because it supports VT, unlike the laptops we four have), make four user accounts on the VM OS, and remote desktop into it from our laptops to develop. The VM has Visual Studio 2010 Ultimate, SharePoint Foundation 2010 and SharePoint SDKs installed.
My question is; if we create four different projects in Visual Studio, can we concurrently use that single installation of Visual Studio from remote desktop to work on our individual projects?
If yes, what kind of problems should we expect and how can we ensure we don't run into them?
Alternatively, is there another more trouble-free way of working this out (like changing some setting in Visual Studio to allow multiple instances, etc.)?
Thanks!
While this should work without issues, I would take care with an issue like this.
I would first verify that this is allowed under your current licensing for Visual Studio. I suspect that this is likely a violation of the license agreement, and as such, I would take care with trying to find a better solution. It may be allowed under your license (as there are many different forms of licensing), but I would check this very carefully prior to operating in this manner.
That being said, I suspect this will work fine. Visual Studio does take care to work and store settings per user account, so there is likely no issue. Microsoft Support would be the proper channel for support if you do run into any problems while operating, however.
If your laptops are 64-bit, I would install Visual Studio 2010 and SharePoint 2010 on each of your laptops. If your laptops are 32-bit, I would create 4 separate virtual servers.
Beyond the licensing that Reed points out, I would be concerned about resource sharing. During a SharePoint 2007 project, we had 3 developers sharing a single SharePoint virtual server with Visual Studio 2008 installed on each of our laptops. Everything went fine for awhile until development got really heavy. As soon as one developer would finish running a deployment job, another would start one. The application pool was down so often that the web sites were unusable. Everything was fine once we each got our own virtual server.
If you really must use one server (not recommended), then i would suggest you create 4 seperate web applications. This means they will each get a seperate application pool. Then each users should still be able to debug their webparts without effecting the other users. The debugger should only "break" the application pool that the user is on.
Has anyone already tried this, anything particulair that I need to be aware of?
Yep, been running it for a while and I haven't hit any problems yet. Can't say I've use it all day every day, but I've built WPF, WinForms, Web and Console apps with it for testing various things and haven't had any hitches.
I have it on my Dell X1, which is effectively my "NetBook", and it's really pretty rapid. The only glitch I have had at all is some problems with graphics acceleration, but that's down to the Intel driver I'm using being an old XP driver, and it was easily worked around.
I've been running it inside a VM in Parallels Desktop 4 on a MacBook Pro. Absolutely no problems to speak of.
(There's no sound in Windows 7 as virtualized through Parallels, which is a known issue — but not very pertinent to the operation of Visual Studio.)
Jeroen,
I've been unable to install the 2008 Team Developer edition - keep getting a permission error. I was, however, able to insall the 2008 Team Database edition. I normally install both editions, so am kind of bummed about not getting the Developer edition to install. Screenshot of the error is here if you're curious.
No Problem with team edition, but only using it for web projects.
I've been using it at work since RC1 and have not run into any issues. Have developed a WinForms app, a WebForms site and now working on a MVC project.
I have had zero problems running Visual Studio 2008 Pro on 32 bit and 64 bit editions of Windows 7 for full-time C++ development.
If the application you are developing doesn't behave correctly under UAC you may will need to run the IDE as admin otherwise it won't run correctly under debug (this is the applications problem, not Windows 7 or Visual Studios).
Others seem to have problems with access rights/permissions, this should also be fixable by running the IDE as admin (via right click) or more permanently via the compatibility tab in the shortcut properties.
I don't know why this happens, is probably related to their particular user account settings.
What needs to happen before we can open Web Application Projects hosted in IIS7 with Visual Studio 2008 without running as Administrator? Are we talking about waiting for the next version of Visual Studio? Are there any existing workarounds?
I think it's implied by the above, but this pertains to Vista.
Thanks.
Never is a bad option - pretty much all other development I can do as a non-admin. Its not as if the code under IIS requires admin rights either.
I'd like to see an IISAdmin group which grants a developer's user account permission to manage IIS without granting full adminstrator privileges to the entire PC.
My guess is never. I think admin rights will always be needed to change websites and virtual directories in IIS.