A recent article in SD Times(1) highlighted some alarming software project failures. For example, among the 68% of "failures" was a laser-guided missile whose software was not designed for battery hot-swapping, which produced the interesting result of resetting the coordinates to origin. Oops! This failure would give new meaning to your boss going ballistic on discovering the error! The Standish Group's 2009 "Chaos" study also included in the 68% failures due to late completion, over-budget completion or simply non-completion. Completion doesn't always mean success, of course. Only after spending $100 million did the FBI discover that the Virtual Case File system was "... not something that we want." How can this happen? Better to ask, how does this continue to happen? If you had Microsoft's money and experience, how could you fail to produce perfect software? Well, they did fail fantastically with Vista, which Scott Rosenberg explains was due to "conflicting ambitions and too few resource constraints" leading to an "organizational breakdown". Well, that is enormously helpful in explaining my near breakdown trying to tame the Universal Account Control (UAC), which repeatedly insisted I was not to be trusted using my own computer.
Frustration as an end product is certainly more desirable than loss of life under an X-Ray machine or crashing an Airbus because the computer simply 'wouldn't let go of the controls'. I imagine the software developers felt they could stop the pilot and co-pilot from fighting over who did what if they just let the computer decide. Well, the computer couldn’t rise above the occasion and crashed the trees into the plane – according to its flighty calculations.
So far to go. "There are two ways to write error-free programs; only the third one works" said one expert(2). But we will continue to rise to the challenge of taming complex problems into elegant software solutions. The amazing examples David Worthington gives us should definitely caution us to work with care when using our wide sweep of imaginative powers coupled with mathematical precision to produce the best software we can.
(1) David Worthington, Software Development Times, November 1, 2009. www.sdtimes.com
(2) Alan J. Perlis (Yale), "Epigrams in Programming", ACM SIGPLAN publication, September 1982.
Wednesday, November 25, 2009
Tuesday, November 3, 2009
What is the difference between NETWORK SERVICE and NETWORK accounts?
Quite a bit, actually. Still, this is a fair question, and an admin in a hurry could assign the wrong one without too much difficulty.
Microsoft explain the purpose of the first:
"By default, Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 runs ASP.NET applications in application pools that use the NT AUTHORITY\Network Service account identity. This account is a least privileged machine account with limited permissions. An application that runs using this account has restricted access to the event log, registry, and file system. The account does have network credentials, which means you can use it to access network resources and remote databases by using Windows authentication."
This is the Service account identity you see when adding security to a folder of a web application. Listed above this account is 'Network account identity', which serves a different purpose as described below.
SID: S-1-5-2
Name: Network
-------------
Description: A group that includes all users that have logged on through a network connection.
Membership is controlled by the operating system.
SID: S-1-5-20
Name: NT Authority
------------------
Description: Network Service
...And what is the SID?
A security identifier (SID) is a unique value used to identify a security principal or security group in Windows operating systems. The values of well-known SIDs such as the two above remain constant across all operating systems. At times the SID itself is displayed rather than being replaced by the name of the security principal.
So, choose the wrong account and your web application will likely not work as advertised.
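One way to check which of the two principals a folder actually grants access to, comparing by SID rather than by display name. This is an added example, not part of the original post; the folder path is a hypothetical placeholder and `Resolve-SidName` is a helper defined here.

```powershell
param(
    # Hypothetical web application folder; point this at the folder being secured.
    [string]$Path = 'C:\inetpub\wwwroot\MyApp'
)

# The two SIDs exactly as listed in the post.
$NetworkGroupSid   = 'S-1-5-2'    # Network: everyone logged on over the network
$NetworkServiceSid = 'S-1-5-20'   # NT Authority\Network Service

function Resolve-SidName {
    param([string]$Sid)
    $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # No name mapping available: the raw SID is what Windows would display.
        $Sid
    }
}

foreach ($sid in $NetworkGroupSid, $NetworkServiceSid) {
    '{0,-9} resolves to {1}' -f $sid, (Resolve-SidName $sid)
}

# Ask for the rules with SIDs as the identity type, so the comparison does not
# depend on display names that look alike in the security dialog.
$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })

$toGroup   = @($allow | Where-Object { $_.IdentityReference.Value -eq $NetworkGroupSid })
$toService = @($allow | Where-Object { $_.IdentityReference.Value -eq $NetworkServiceSid })

foreach ($rule in $toGroup + $toService) {
    '{0,-9} Allow {1} (inherited: {2})' -f $rule.IdentityReference.Value,
        $rule.FileSystemRights, $rule.IsInherited
}

if ($toGroup.Count -gt 0 -and $toService.Count -eq 0) {
    Write-Warning "$Path grants access to the Network group ($NetworkGroupSid) but not to Network Service ($NetworkServiceSid)."
} elseif ($toService.Count -eq 0) {
    Write-Warning "$Path has no Allow entry for Network Service ($NetworkServiceSid)."
}
```

The first warning is the mix-up described above: the application pool identity has no access, while every user logged on through a network connection does.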
References:
How To: Use the Network Service Account to Access Resources in ASP.NET
Well-known security identifiers in Windows operating systems
Security Watch - Subjects and Security Principals