Application Security Testing: An Integral Part of DevOps
Written by Paul Kimmel. firstname.lastname@example.org
Copyright © 2004. All Rights Reserved.
A couple of times a year, I start working with a new customer. Generally, each customer has a slightly different work environment and tools. Some have Clearcase. Some have Visual SourceSafe. Some are using the latest version of a compiler, and others are using an older version. Often, the customer prefers that I work with their hardware and software, which means I am using a machine configured by someone else.
After having to cope with VS.NET being installed without IIS a couple of times, I decided to write down how to recover from this omission so that I wouldn't have to remember it or rediscover it if it should happen again. Here are some of my notes.
You Can't Create an ASP.NET Web Application or Web Service. What Do You Do?
You're trying to build an ASP.NET Web Application or XML Web Service for the first time and Visual Studio .NET informs you that it is unable to create a Web project of either of these types. This can often indicate that ASP.NET was not installed correctly.
ASP.NET may not install correctly, or you may not be able to create a Web-based solution if IIS or FrontPage Services weren't installed before VS.NET was installed or a Web server with ASP.NET is not accessible. To correct the problem, we need to perform some specific diagnostics steps and then complete applicable corrective measures.
Diagnosing and Fixing the Problem
The first thing we want to do is ensure that ASP.NET is installed on the PC on which we want to create a Web solution. Generally, it is desirable to build, test, and debug Web applications (including Web Services) on your development machine and then deploy to your actual Web server. However, whether you follow this advice or not does not change the diagnostic step.
Is IIS Installed?
To determine whether IIS is installed, we can try a couple of different things. Proceed to the keyboard of the computer on which you are trying to create a Web application. Try any of these things:
- Open Internet Explorer and type http://localhost. If some kind of page or a blank page with no errors is displayed, IIS is installed and running. If you navigate to the virtual Default Web Site and the VCR-like Play button is black, IIS may be installed but not running. Try clicking the Play button (Action|Start in the management console menu).
- Click Start|Run and enter C:\Windows\System32\inetsrv\iis.msc in the Run dialog. If the console fails to open or opens but appears blank, IIS may not be installed.
- If you are not the technical administrator for the computer, ensure that it is not running the Apache Web server or something else.
- Finally, look in the Windows Components Wizard and make sure that IIS is checked (see Figure 1). This feature is accessible from Start|Control Panel|Add Remove Programs|Add/Remove Windows Components.
Figure 1: If IIS is installed, it should be checked in the Windows Components Wizard dialog as shown.
If Internet Information Services is not checked, you can install it from this wizard. You may need the original operating system media (your Windows XP install disk) to add this service, and you will need to re-boot when you are finished. After checking Internet Information Services, click Next. The install process will begin. Follow and comply with the prompts generated by the install process.
If you had to install IIS and VS.NET is already installed, you will want to re-install VS.NET. Instead of un-installing and re-installing VS.NET, insert Disk 1 of VS.NET and select the repair/add features option. This is generally faster and works just as well as a complete re-install.
After you have installed IIS and re-installed VS.NET, we need to install and register ASP.NET. A utility for this purpose—someone at Microsoft must have forgotten to install ISS first, too—is installed with VS.NET; it's called aspnet_regiis.exe.
To register ASP.NET, open the Visual Studio .NET Command Prompt. This is an option installed with Visual Studio .NET on the Tools item. This menu item runs cmd.exe and a batch file that sets some path information relevant to VS.NET.
At the open command prompt, type aspnet_regiis -i. You should see two lines separated by a modest delay that indicate ASP.NET is being installed and has completed. After you have finished this step, you should be able to create and host Web applications and Web Services on your workstation or the PC we have been fiddling with.
If you still can't create an ASP.NET solution, give the next section a quick read. Otherwise, see you in a few weeks.
I Tried Everything and Still No Luck
Recently, I got an error indicating that a new ASP.NET Web Application would have to be made ASP.NET 1.0 compatible. I thought for sure that I had forgotten to install IIS before installing VS.NET or just had some old media. After checking and re-checking my configuration, it turned out to be neither. Here is how the problem was resolved.
I tried to create an ASP.NET application. The default location was http://localhost/WebApplication1. When I clicked OK, an error was received, indicating that the WWW server was running ASP.NET 1.0. After verifying that IIS 5.1 or greater was running and ASP.NET 1.1 was installed, I tried using the localhost address 127.0.0.1 (see Figure 2). Oddly enough, this worked and created an ASP.NET application without the ASP.NET 1.0 warning message.
Figure 2: Try using the loopback IP if the localhost host name doesn't seem to work correctly.
Then, it suddenly struck me that this foreign network was using a proxy server. By using localhost as the host URL, VS.NET was seeing the proxy server, which must have ASP.NET 1.0 installed on it. The solution, or fix, was to bypass the proxy server.
Because ASP.NET uses the network configuration settings from Internet Explorer, we can change the proxy settings through Internet Explorer. (Keep in mind that this problem and fix are only relevant if you are networked and using a proxy server.)
To change the proxy settings, start Internet Explorer and follow these steps:
- Select Tools|Internet Options.
- In the Internet Options dialog, select the Connection tab.
- On the Connection tab, click the LAN Settings button.
- If Use a proxy server... is checked in the Proxy server group (see Figure 3), check Bypass proxy server for local address (see Figure 3).
- Click OK to close the LAN Settings dialog, and close the Internet Options dialog.
Figure 3: If you are having problems creating an ASP.NET application and using a proxy server, try bypassing the proxy server.
Try creating an ASP.NET application again. If it still doesn't work, you may need to uninstall and re-install VS.NET completely. If I encounter any additional fail-receovery scenarios, I will be sure to update you, the faithful reader, in future articles.
It is amazing how easy it is to take things for granted. As software developers, we have to use a huge variety of tools, know how to configure PCs and networks, and actually write stored procedures and code that result in an application that does something useful and does it correctly. It is easy to forget how many skills are involved.
If you are a new developer, the pure number of skills is overwhelming, and if you are learning something new, any disruptions or problems seem magnified. If you find yourself having problems running demos for ASP.NET or Web Services applications, or creating a new project because someone (to remain nameless) forgot to install a necessary prerequisite, I hope this article helps you get the problem solved.
Paul Kimmel is the "VB Today" columnist, has written several books on .NET programming, and is a software architect. You may contact him at email@example.com if you need assistance.