I have enabled the analytics options in BizTalk Server 2020. All the data is sent to Azure Application Insights. But there is too much sensitive data like username and password that are not encrypted in the customDimensions of the send port events.
Is there a hidden option in BizTalk to obfuscate or encrypt some data context?
If they are out of the box adapters, then you should raise a ticket with Microsoft as there are no settings to change what is sent to Analytics except for the standard Tracking settings.
See Send BizTalk Server tracking data to Azure
Related
Is push support in Service Workers dependant on Firebase (and Apple's equivalent)? All the tutorials I find have a step where you register a Firebase account, but for our webapp this is a no-go as it will be used at premises without internet access.
I would have assumed that it was possible to register a URL that conformed to some protocol that the OS would register with, but I cannot find any information of the sort.
If it is the case that one needs internet access for service worker push support I assume the only option for a web app to receive background notifications is to wrap it in a native web view and use that to call out to on-premise services.
Internet or third-party push services are not required if you provide a local push service on a local network server that can be accessed via HTTPS URL from clients' browsers. Your local push service needs to implement the W3C Push API specification, and you could also search the web or GitHub for an open-source push service in the language of your choice.
The browsers would would require an HTTPS URL that resolves to a server on your network via hostname or IP, so self-signed SSL certificates would most likely be used. The devices would need the certificates (or CAs) implicitly trusted or explicitly added as a trusted CA/cert.
tldr; it depends on your browser, as it needs to be configured on a per-browser level. As of May 2018, it seems as if Firefox is the only one that lets you configure the service url. For everyone else, you need internet for push messages to be delivered.
The December 2017 Push API specification (which is the official one as of May 2018), says this:
The term push service refers to a system that allows application servers to send push messages to a webapp. A push service serves the push endpoint or endpoints for the push subscriptions it serves.
There is only one push service per user agent and it cannot be changed from the default value. This limitation is due to a variety of performance-related concerns, including the complexity of running reliable push services and the impact on battery lifetime if there were an unbounded set of push services to which a device could connect.
In April 2018 they relaxed this requirement and the spec now allows for configuring a different provider.
I also recommend reading this the dumbed-down version of how webpush works, where the main points are as follows:
First the end user's web browser needs to establish a push channel with the browser manufacturer's push server. In the case of Firefox, this would be a Mozilla server, in Chrome's case, this would be a Google server. After this is done, a unique endpoint URL is sent to the browser, and the browser generates a public and private key pair which is stored internally in the browser. The browser then makes a public key and a user authentication secret used by your server to E2E encrypt messages to the user's browser.
The browser sends the public key, authentication secret and endpoint URL to your server, and the server stores this somehow (in a database, in memory, a file, whatever).
When the time comes that the server wishes to send a push message, it retrieves the stored information on the push message subscription and creates an encrypted message with the public key and user authentication. Then the server contacts the endpoint URL and tells it to push some content to the user agent.
Given everything looks OK, the push server pushes the message to the user's browser.
As part of our solution, we want to deploy an FCM "app server" at each of our customer sites. Each customer site has their own users with their own devices using our app. However, we want to make sure that if one of the customer sites is compromised, an attacker could not abuse the FCM "app server" (e.g. by sending notifications to all devices at all customer sites).
Instead of sharing credentials between all customer sites, we are thinking of generating a unique server key for each customer site. That way if one customer site is compromised, we can disable that server key and stop any more FCM notifications from being sent.
Question: Can we be sure that an attacker cannot send global notifications to all devices?
Assuming an attacker has a server key and access to one customer site "app-server", can they get a list of all the registered devices?
Is there a default notification "topic" that is sent to all devices? (e.g. /topic/all or /topic/global). If so, can we disable that default topic?
Instead of sharing credentials between all customer sites, we are thinking of generating a unique server key for each customer site. That way if one customer site is compromised, we can disable that server key and stop any more FCM notifications from being sent.
If by "we are thinking of generating a unique server key for each customer site" you mean that you'll simply create a Firebase Project for each customer site, then I think this is the correct approach.
Can we be sure that an attacker cannot send global notifications to all devices?
An app can receive messages from a different Sender by implementing the getToken(authorizedEntity, scope) which will generate a different token for each Sender. In order to negate this action, you could simply call deleteToken(authorizedEntity, scope) (my reference).
This would invalidate the token for that corresponding sender (which is what they probably have and should be the only one on their App Server), which would automatically disable them for receiving messages to your App.
So as long as you're able to remove them as a valid sender from your app, then it's all good.
Assuming an attacker has a server key and access to one customer site "app-server", can they get a list of all the registered devices?
This depends on how the App Server is implemented. If the customer's App server is only used for sending messages, but the tokens are stored elsewhere, then probably no. There is no API to retrieve registration tokens on the server side for an App based on the Server Key (see #1 here).
Is there a default notification "topic" that sends to all devices? (e.g. /topic/all or /topic/global). If so, can we disable that default topic?
There isn't. There is the option to send a Notification to a specific app via the Firebase Notifications Console, but if the app doesn't authorize the Sender ID corresponding to that project, it won't receive any messages from it. I've tested this behavior out before posting, so I'm positive that this is how it works.
There is no way to restrict a server key to only allow certain topics/devices/etc.
I would consider using Cloud Functions for Firebase to solve this a different way. You could build an HTTPS function that took per-site authorization tokens (by any means you deem fit) and then that function calls through to Firebase Cloud Messaging to actually send the push notifications.
This way, you have complete control over what kinds of push notifications can be sent by the "client" sites, and you don't have to worry about cascading security problems in the event a client site gets compromised.
I am planning a 3-tiered architecture in which I need to track changes to domain objects on the client (a Windows Store app) then send those changes back to the server (an Azure worker-role). I just found out about WCF Data Services which I can run on the client and integrate with Entity Framework Code First on the server. It looks okay but I'm wondering what other tools may also be available.
Are there any alternatives to WCF Data Services for tracking changes in client then sending them to server? If available, I'd like a solution that doesn't require generated DTO classes but instead sends the deltas alone.
Have you considered using rest services?
Im not an AZURE user, but use elsewhere.
Azure rest services docu
I'm developing an ASP.Net web site using VB.Net for receiving data from a device.
The device will send data to the server where the website is placed.
My question is: can I write my script in WebService VB.Net for getting the values from the device and for storing the same information into the web server database?
My advice for that would be to have a separate windows service to poll or respond to I/O interrupts from the device and have that push information into the DB.
Your website would then simply pull that information from the DB and display it.
I've read Microsoft documentation about Push Notification Service that they are offering for Windows phones but there is no information about pricing. I've read somewhere that it is free to use max 500 notification per day/per application/per device and it is unauthenticated mode but there is also authenticated mode which has no daily limit and cost some money. Is that true and if it is, how much is price?
Also I am interested in information about saving messages in server if user is not active in time of sending. How much push messages can Microsoft Push Service save for one device/user before starts to discard it?
It is free, authenticated or not.
Not sure if they actually store messages on the server to be delivered. When you send one they will give you the clients connection status as part of the response.