Monday, September 20, 2010

How to Map Skydrive as a Network Drive in Windows 7

There are already many posts about mapping Skydrive as a network drive in Windows and you are wondering why I am creating a new one. The reason is very simple, none of these existing posts worked for me. So, I decided to put together all the information that worked for me, and hopefully it can help someone else with the same problem.

Check Your Windows Environment

The first step is to make sure your Windows environment is ready for this mapping. I am using Windows 7 x64, so I am not sure if this applies to other Windows versions, but it does not hurt to check.

1. WebClient Windows Service must be running as discussed here.

  • Open the Services management console (Start / Run / services.msc) and locate the WebClient service.
  • Start the WebClient service if it is stopped.
  • Open its Properties window, and set the Startup type to Automatic.
Note: Although this service was already running for me, I still had to restart it and set it to automatic startup in order to be able to map Skydrive.

2. Internet Explorer - LAN Settings should have Automatically detect settings unchecked
  • Open Internet Explorer.
  • Go to Tools, Internet Options.
  • Click on the Connections tab, and click on the LAN Settings.
  • Uncheck the Automatically detect settings.
Note: This might sound weird to check, but I also had to change this setting in order to make it work. When trying to map Skydrive using Windows Explorer, it was asking for my Windows Live credentials multiple times (about 3 times) until it fails.
    Determine the WebDAV access address

    The second step is to determine the proper address (WebDAV access address) you should use to connect to a Skydrive folder. You cannot directly use the URL shown in your browser since it does not work. You will need to get the WebDAV access address by using one of the following options:
    • Manually figure out the address based on the browser URL as described here. I do not recommend this method since the folder name might be different than the one seen on the browser. For example, here it mentions that "Documents" folder should be "^2Documents", but for me it was "^.Documents".
    • Use MS Office 2010 to save a document to Skydrive and then be able to see the WebDAV access address as described here. It would be a good option if you have this version of MS Office.
    • Build your own application that access http://docs.live.net/SkyDocsService.svc and query for the WebDAV folders. It is good to know about this WCF service, but it will take sometime to build a client application.
    • Use an existing application that uses the SkyDocsService and retrieve the information we need: http://skydrivesimpleviewer.codeplex.com/. This open source project provides a command prompt application dumpurls.exe and also a WPF application SkyDriveSimpleViewer.exe.
    I decided to use the simplest way, e.g. the dumpurls.exe command prompt application. Download dumpurls.exe, and run it from a Command Prompt window by passing your email (Windows Live or Hotmail) and your password. If you are not confident about passing your credentials to this application, you can temporary change your password in Windows Live before running this application, and restore it after.

    DumpUrls.exe me@hotmail.com p4ssw0rd
    

    The output is something like:

    https://zzzzzz.docs.live.net/yyyyyyyyyyyyyyyy/^.Documents
    https://xxxxxx.docs.live.net/yyyyyyyyyyyyyyyy/MyFolder
    

    You will not use these URLs directly, but the corresponding paths instead:

    \\zzzzzz.docs.live.net@SSL\yyyyyyyyyyyyyyyy\^.Documents
    \\xxxxxx.docs.live.net@SSL\yyyyyyyyyyyyyyyy\MyFolder
    

    Map Skydrive as Network Drive

    Although you can map it by using Windows Explorer, I mapped using a single command line in the Command Prompt window. So, open a Command Prompt window and run the following command to map a folder named MyFolder to the drive Z by using your credentials:

    net use Z: "\\xxxxxx.docs.live.net@SSL\yyyyyyyyyyyyyyyy\MyFolder" /user:me@hotmail.com p4ssw0rd /persistent:yes
    

    The expected output is:
    The command completed successfully.
    

    Note: these are the errors I had before I fixed my Windows environment as explained in the beginning of this article:
    • System error 5 has occurred: the solution for me was to change the IE setting described above.
    • System error 1920 has occurred: the solution was to restart the WebClient service as described above.
    Now, you can just open Windows Explorer and start using your new drive on the cloud. I noticed that Windows Explorer does not report the proper used and free space, it might show that you have more than 25GB available.

      Saturday, September 18, 2010

      Microsoft ASP.NET Security Vulnerability: The 'Padding Oracle' Attack

      Early this week, a couple of security researchers, Juliano Rizzo and Thai Duong, have implemented an attack that exploits the way ASP.NET applications handle encrypted session cookies (see more details here). They have discussed this in detail during the Ekoparty conference in Argentina. Their research paper is Practical Padding Oracle Attacks.

      In the context of cryptography, an oracle is a system that provides hints as you ask it questions. And this attack explores a vulnerability in ASP.NET which acts as a padding oracle. This vulnerability is explained in details in Understanding the ASP.NET Vulnerability.

      This vulnerability allows attackers to have access to decrypt the information stored in the ViewState object. If sensitive information is stored there, such as passwords or database connection strings, then this data is compromised. If an ASP.NET application is using ASP.NET 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file which the worker process has access to, for example, the web.config file.

      Microsoft has released a security advisory about the problem: Microsoft Security Advisory (2416728). If you or your clients have ASP.NET Web sites, then you must apply the necessary changes as described here: Scott Guthrie: ASP.NET Security Vulnerability

      Update: Also take a look at Scott Guthrie's FAQ about AS.NET Security Vulnerability.