Tuesday, March 28, 2017

DEPLOYMENT UPGRADES (MAJOR VS MINOR)

WiX supports two kinds of upgrade: major and minor.
Minor upgrade
 – Increase the version number (changing any of the first three fields is enough).
 – Updates the existing product to the newer version.
Major upgrade
 – Increase the version number and change the Product Id (keep the UpgradeCode constant).
 – Uninstalls the old product and installs the new one.

Minor Upgrade:


msiexec.exe /i \product.msi REINSTALLMODE=voums REINSTALL=ALL

-- The REINSTALL property is case-sensitive.

The important part is the “v” in the REINSTALLMODE setting: it forces the use of the new .msi file instead of the cached copy, which is why it can’t be set inside the package. The remaining REINSTALLMODE flags make sure that existing files get updated, new files get installed, registry entries are rewritten and shortcuts are created. REINSTALL=ALL means that only the features the user selected during installation of the old version get updated; unselected features are not added.
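The minor/major rules above, as an added example that is not part of the original post: a check a release pipeline can run on a rebuilt package's ProductCode, UpgradeCode and ProductVersion before publishing it. MsiIdentity, comparable_version and classify_upgrade are names assumed for the demo.

```python
# Added example, not from the original post: classify a rebuilt package as a
# minor or major upgrade using the rules above. MsiIdentity and
# classify_upgrade are names assumed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class MsiIdentity:
    product_code: str   # WiX Product Id; must change for a major upgrade
    upgrade_code: str   # stays constant for the life of the product
    version: str        # ProductVersion, "major.minor.build[.revision]"


def comparable_version(version: str) -> tuple:
    """First three fields as ints; Windows Installer ignores the fourth field."""
    fields = [int(p) for p in version.split(".")]
    if not 1 <= len(fields) <= 4:
        raise ValueError(f"bad ProductVersion: {version!r}")
    fields += [0] * (3 - len(fields))
    return tuple(fields[:3])


def classify_upgrade(old: MsiIdentity, new: MsiIdentity) -> str:
    """Return 'minor', 'major' or a 'not an upgrade: ...' reason."""
    if old.upgrade_code.upper() != new.upgrade_code.upper():
        return "not an upgrade: UpgradeCode changed, the packages are unrelated"
    old_v, new_v = comparable_version(old.version), comparable_version(new.version)
    same_product = old.product_code.upper() == new.product_code.upper()
    if new_v < old_v:
        return "not an upgrade: version went down"
    if new_v == old_v:
        return ("not an upgrade: version unchanged in the first three fields"
                if same_product else
                "not an upgrade: ProductCode changed without a version bump")
    return "minor" if same_product else "major"
```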

Continuous Integration vs. Continuous Delivery vs. Continuous Deployment

  1. Continuous build: automated build on every check-in
  2. Continuous Integration (CI): automated testing of at least unit tests to prove integration of new code with existing code, but preferably integration tests (end-to-end).
  3. Continuous Deployment (CD): automated deployment when code passes CI, at least into a test environment, preferably into higher environments when quality is proven either via CI or by marking a lower environment as PASSED after manual testing. I.e., testing may be manual in some cases, but promoting to the next environment is automatic.
  4. Continuous Delivery: automated publication and release of the system into production. This is CD into production plus any other configuration changes like setup for A/B testing, notification to users of new features, notifying support of new version and change notes, etc.
"Continuous delivery is a software development methodology where the release process is automated. Every software change is automatically built, tested, and deployed to production. Before the final push to production, a person, an automated test, or a business rule decides when the final push should occur. Although every successful software change can be immediately released to production with continuous delivery, not all changes need to be released right away.
Continuous integration is a software development practice where members of a team use a version control system and integrate their work frequently to the same location, such as a master branch. Each change is built and verified by means of tests and other verifications in order to detect any integration errors as quickly as possible. Continuous integration is focused on automatically building and testing code, as compared to continuous delivery, which automates the entire software release process up to production."


Continuous Integration

Continuous integration is the practice of constantly merging development work with a Master/Trunk/Mainline branch so that you can test changes and test that those changes work with other changes. The idea is to test your code as often as possible so you can catch issues early on. In the continuous integration process, most of the work is done by automated tests, which requires a unit test framework. It is best practice to have a build server dedicated to running these tests so your development team can keep merging requests even while tests are being run.

Continuous Delivery

Continuous delivery is the continual delivery of code to an environment once the developer feels the code is ready to ship; this could be UAT, staging or production. The idea behind continuous delivery is that you’re constantly delivering code to a user base, whether QA or customers directly, for continual review and inspection. Although similar to continuous integration, continuous delivery differs because it can feed business logic tests, where unit tests are unable to catch all business logic problems, particularly design issues. In this process you may also be delivering code for code review, which may be batched for release or held until UAT or QA is done.
The basis of continuous delivery is to have small batches of work continually fed to the next step so it can be consumed more easily and issues can be found early on. This process is typically easier for developers because issues come to light before the task has left their memory.

Continuous Deployment

Continuous deployment is the deployment or release of code to production as soon as it’s ready. There is no large batching in staging nor a long UAT process before production. Any testing is done prior to merging to the Mainline branch and is performed on production-like environments. The production branch is always stable and ready to be deployed by an automated process. The automated process is key because it should be possible for anyone to perform it in a matter of minutes (preferably by the press of a button). After a deploy, logs must be inspected to determine whether your key metrics are affected, positively or negatively. Some of these metrics may include revenue, user sign-ups, response time or traffic, and preferably they are graphed for easy consumption.
The key feature of the continuous deployment process is that it requires continuous integration and continuous delivery, because without them you’re guaranteed to get errors in the release.

How They Work Together

Once you’ve moved to a continuous deployment process, you’ll need to have several pieces of automation in place. You must automate your continuous integration build server and continuous delivery to staging, as well as have the ability to automatically deploy to production.

[Figure: continuous deployment process diagram]
In the ideal workflow, the entire process could be automated from start to finish:
Step 1: Developer checks in code to the development branch.
Step 2: The continuous integration server picks up the change, merges it with Master/Trunk/Mainline, runs unit tests and votes on the merge to the staging environment based on test results.
Step 3: If Step 2 is successful, the developer deploys it to the staging environment and QA tests the environment.
Step 4: If Step 3 passed, you vote to move to production and the continuous integration server picks this up again and determines if it’s OK to merge into production.
Step 5: If Step 4 is successful, it deploys to the production environment.

This process varies slightly based on needs, requirements and approaches.
Continuous deployment relies on small changes which are constantly tested, deployed and released to production immediately upon verification.  The ownership of the code from development to release must be controlled by the developer and must be free flowing.  The automation of steps allows this process to be implemented and executed without cumbersome workflows.
Continuous Integration is the practice of testing each change done to your codebase automatically and as early as possible.
Continuous Deployment follows the testing that happens during Continuous Integration and pushes changes to a staging or production system. This makes sure a version of your code is accessible at all times.

Sunday, March 19, 2017

Security configurations for MVC application & IIS

  1. Make sure web content is on a non-system partition.
  2. Remove or rename well-known URLs and directories:
    %systemdrive%\inetpub\AdminScripts
    %systemdrive%\inetpub\scripts\IISSamples
    http://localhost/iissamples
    http://localhost/iishelp
    http://localhost/printers
    http://localhost/iisadmpwd
  3. Require host headers on all sites; don’t bind http://*:80 to any site.
  4. Disable directory browsing.
  5. Set the default application pool identity to a least-privilege principal.
  6. Ensure application pools run under unique identities, with a separate application pool for each site.
  7. Configure the anonymous user identity to use the application pool identity; this greatly reduces the number of accounts needed for websites.
    Open applicationHost.config and make sure the userName attribute of the anonymousAuthentication element is set to an empty string:

<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication userName="" />
    </authentication>
  </security>
</system.webServer>
  8. Configure authentication.
    a. Ensure sensitive site features are restricted to authenticated principals only:

<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="administrators" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
    b. Require SSL for forms authentication and configure it to use cookies:

<system.web>
  <authentication>
    <forms cookieless="UseCookies" requireSSL="true" />
  </authentication>
</system.web>
    c. Configure the cookie protection mode for forms authentication:

<system.web>
  <authentication>
    <forms cookieless="UseCookies" protection="All" />
  </authentication>
</system.web>
    d. Never store passwords in clear text!
  9. ASP.NET configuration.
    a. Set the deployment method to retail by modifying machine.config:

<system.web>
  <deployment retail="true" />
</system.web>

When the retail attribute is set to true, ASP.NET disables trace output, disables debug capabilities, and disables detailed system-generated error messages for remote users. For applications that have a customErrors element in the application Web.config file, the mode attribute is forced to On. These settings override any settings made in application Web.config files.
Note that you should continue to set the debug attribute to false in the application’s Web.config files deployed to the server: the debug setting disables the request execution timeout, and this is not overridden by the retail setting.
    b. Turn debug off:

<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
    c. Ensure custom error messages are not turned off:

<customErrors mode="RemoteOnly" /> or <customErrors mode="On" />
    d. Ensure failed request tracing is not enabled:
    – Open IIS Manager.
    – In the Connections pane, select the server connection, site, application or directory.
    – In the Actions pane, click Failed Request Tracing… and make sure the checkbox is not checked.
    e. Configure session state to use cookies in web.config:

<system.web>
  <sessionState cookieless="UseCookies" />
</system.web>
    f. Ensure cookies are set with the HttpOnly attribute in web.config. This stops client-side script from accessing cookies:

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
    g. Set the global .NET trust level: open IIS Manager and, in Features View, double-click .NET Trust Levels.
  10. Request filtering and restrictions in web.config: set maxAllowedContentLength, maxUrl, maxQueryString, allowHighBitCharacters (false disallows non-ASCII characters in URLs) and allowDoubleEscaping.

<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="1024" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
  11. Disallow unlisted file extensions in web.config.

MVC applications rely on the extensionless URLs introduced in ASP.NET 4. To keep extensionless addresses working while unlisted extensions are blocked, add <add fileExtension="." allowed="true" /> to your web.config as below:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
          <!--<add fileExtension=".asp" allowed="true"/>
          <add fileExtension=".aspx" allowed="true"/>
          <add fileExtension=".html" allowed="true"/>-->
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

This allows only extensionless (controller) URLs and blocks every other extension; static content such as .css, .js and image files must then be listed explicitly, as in the full example under item 14. The *. handler is specific to ASP.NET 4.0 and is added when ASP.NET 4.0 is installed; it provides the support for extensionless URLs.


12. Enable Advanced IIS Logging.

https://www.iis.net/downloads/microsoft/advanced-logging

13. Enable Dynamic IP Restrictions.

https://www.iis.net/downloads/microsoft/dynamic-ip-restrictions

14. Prevent HTTP TRACE requests to your server.
In IIS Manager, open Request Filtering, switch to the HTTP Verbs tab and choose Deny Verb…; in the Deny Verb dialog box, enter TRACE and click OK. The resulting web.config, shown here with a complete request filtering section (limits, allowed file extensions and the denied verb):

<system.webServer>
  <security>
    <requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
      <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />
      <fileExtensions allowUnlisted="false">
        <add fileExtension=".aspx" allowed="true" />
        <add fileExtension=".axd" allowed="true" />
        <add fileExtension=".css" allowed="true" />
        <add fileExtension=".csv" allowed="true" />
        <add fileExtension=".qif" allowed="true" />
        <add fileExtension=".ofx" allowed="true" />
        <add fileExtension=".doc" allowed="true" />
        <add fileExtension=".docx" allowed="true" />
        <add fileExtension=".eot" allowed="true" />
        <add fileExtension=".gif" allowed="true" />
        <add fileExtension=".htm" allowed="true" />
        <add fileExtension=".html" allowed="true" />
        <add fileExtension=".jpg" allowed="true" />
        <add fileExtension=".js" allowed="true" />
        <add fileExtension=".ico" allowed="true" />
        <add fileExtension=".mp3" allowed="true" />
        <add fileExtension=".mp4" allowed="true" />
        <add fileExtension=".m4v" allowed="true" />
        <add fileExtension=".ogg" allowed="true" />
        <add fileExtension=".ogv" allowed="true" />
        <add fileExtension=".oga" allowed="true" />
        <add fileExtension=".otf" allowed="true" />
        <add fileExtension=".pdf" allowed="true" />
        <add fileExtension=".png" allowed="true" />
        <add fileExtension=".spx" allowed="true" />
        <add fileExtension=".svc" allowed="true" />
        <add fileExtension=".svg" allowed="true" />
        <add fileExtension=".svgz" allowed="true" />
        <add fileExtension=".txt" allowed="true" />
        <add fileExtension=".ttf" allowed="true" />
        <add fileExtension=".webm" allowed="true" />
        <add fileExtension=".woff" allowed="true" />
        <add fileExtension=".woff2" allowed="true" />
        <add fileExtension=".xls" allowed="true" />
        <add fileExtension=".xlsx" allowed="true" />
        <add fileExtension=".xml" allowed="true" />
        <add fileExtension="." allowed="true" />
      </fileExtensions>
      <verbs>
        <add verb="TRACE" allowed="false" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>

------------------------------------------------------------------------------------------

Encrypt/Decrypt connection strings in Web.Config easily

To encrypt the connectionStrings section of a Web.config file, follow these steps:
  1. Open C:\Windows\System32\CMD.exe as Administrator.
  2. In CMD type: CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319
  3. In CMD type: aspnet_regiis.exe -pef "connectionStrings" "<path of the folder containing the Web.config file>"
    Ex: aspnet_regiis.exe -pef "connectionStrings" "D://PROJECTS/SAMPLE_PROJECT"
  4. Set identity impersonation to false in the project’s web.config:
    <system.web>
      <identity impersonate="false" />
    </system.web>
For decryption, use the commands below:
  1. Open C:\Windows\System32\CMD.exe as Administrator.
  2. In CMD type: CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319
  3. In CMD type: aspnet_regiis.exe -pdf "connectionStrings" "<path of the folder containing the Web.config file>"
    Ex: aspnet_regiis.exe -pdf "connectionStrings" "D://PROJECTS/SAMPLE_PROJECT"
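The web.config checklist above and the connectionStrings encryption step, as an added example that is not part of the original post: a Web.config audit in Python using only the standard library. audit(), CHECKS and SAMPLE_WEB_CONFIG are names assumed for the demo and the sample configuration is constructed; the connectionStrings check passes once aspnet_regiis -pef has replaced the section's contents and stamped it with a configProtectionProvider attribute.

```python
# Added example, not from the original post: audit a Web.config against the
# checklist above using only the standard library; audit() returns findings.
import xml.etree.ElementTree as ET

RF = "system.webServer/security/requestFiltering"
# (element path, attribute, acceptable values, ok when the attribute is absent?)
CHECKS = [
    ("system.web/compilation", "debug", {"false"}, True),          # default false
    ("system.web/customErrors", "mode", {"On", "RemoteOnly"}, False),
    ("system.web/authentication/forms", "requireSSL", {"true"}, False),
    ("system.web/authentication/forms", "cookieless", {"UseCookies"}, False),
    ("system.web/authentication/forms", "protection", {"All"}, True),  # default All
    ("system.web/httpCookies", "httpOnlyCookies", {"true"}, False),
    ("system.web/sessionState", "cookieless", {"UseCookies"}, False),
    (RF, "allowDoubleEscaping", {"false"}, True),                  # default false
    (RF, "allowHighBitCharacters", {"false"}, False),              # default true
    (RF + "/fileExtensions", "allowUnlisted", {"false"}, False),
]

def audit(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, ok_values, absent_ok in CHECKS:
        node = root.find(path)
        value = node.get(attr) if node is not None else None
        if value is None and not absent_ok:
            findings.append(f"{path}@{attr} missing, want one of {sorted(ok_values)}")
        elif value is not None and value.lower() not in {v.lower() for v in ok_values}:
            findings.append(f"{path}@{attr}={value!r}, want one of {sorted(ok_values)}")
    cs = root.find("connectionStrings")  # aspnet_regiis -pef adds configProtectionProvider
    if cs is not None and cs.get("configProtectionProvider") is None:
        findings.append("connectionStrings section is stored in clear text")
    trace = root.find(RF + "/verbs/add[@verb='TRACE']")
    if trace is None or trace.get("allowed", "true").lower() != "false":
        findings.append("HTTP TRACE verb is not denied")
    return findings

# Constructed sample, deliberately half-hardened so the audit reports something.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings><add name="db" connectionString="Server=.;Database=app" /></connectionStrings>
  <system.web>
    <compilation debug="true" /><customErrors mode="Off" />
    <authentication mode="Forms"><forms cookieless="UseCookies" requireSSL="true" /></authentication>
    <httpCookies httpOnlyCookies="true" /><sessionState cookieless="UseCookies" />
  </system.web>
  <system.webServer><security><requestFiltering allowHighBitCharacters="false">
    <fileExtensions allowUnlisted="false"><add fileExtension="." allowed="true" /></fileExtensions>
  </requestFiltering></security></system.webServer>
</configuration>"""
```

Running audit(SAMPLE_WEB_CONFIG) reports the debug flag, the disabled custom errors, the clear-text connection strings and the undenied TRACE verb; an empty list means every check passed.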

Cross-Site Request Forgery (CSRF)

A CSRF vulnerability allows an attacker to make an authenticated, logged-in user perform actions without their knowledge or consent.

Solution:
Add @Html.AntiForgeryToken() to the form, and validate the token on the receiving action with [ValidateAntiForgeryToken].

Cross-Site Scripting (XSS) attacks

Solution:
  1. [ValidateInput(false)]
  2. [AllowHtml]
  3. [RegularExpressionAttribute]
  4. AntiXSS Library
Note that [ValidateInput(false)] and [AllowHtml] relax ASP.NET request validation for actions or properties that must accept markup; input accepted that way still has to be encoded on output.
List of regular expressions to use (backslashes are doubled as they would be in a C# string literal):
Alphabets and space: ^[a-zA-Z ]+$
Alphabets: ^[a-zA-Z]+$
Numbers: ^[0-9]+$
Alphanumeric: ^[a-zA-Z0-9]*$
Email: ^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$
Mobile no.: ^([7-9]{1})([0-9]{9})$
Date format (mm/dd/yyyy | mm-dd-yyyy | mm.dd.yyyy): ^(0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])[- /.](19|20)\\d\\d$
Website URL: ^http(s)?://([\\w-]+\\.)+[\\w-]+(/[\\w- ./?%&=]*)?$
Credit card numbers:
  Visa: ^4[0-9]{12}(?:[0-9]{3})?$
  MasterCard: ^5[1-5][0-9]{14}$
  American Express: ^3[47][0-9]{13}$
Decimal number: ^(\\d+)(\\.\\d{1,2})?$
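Allow-list validation with a few of the patterns above, as an added example that is not part of the original post. The patterns are written as Python raw strings (single backslash); the field names, validate(), accepts() and accepts_loosely() are assumed for the demo. It also shows two pitfalls that such regex lists commonly carry: the [A-z] range, and $ matching before a trailing newline when re.match is used instead of re.fullmatch.

```python
# Added example, not from the original post: allow-list validation with a few of
# the patterns above as Python raw strings (single backslash). The field names,
# validate(), accepts() and accepts_loosely() are assumed for the demo.
import re

PATTERNS = {
    "name":   r"^[a-zA-Z ]+$",                 # letters and spaces only
    "zip":    r"^[0-9]+$",
    "user":   r"^[a-zA-Z0-9]*$",
    "mobile": r"^([7-9]{1})([0-9]{9})$",
    "visa":   r"^4[0-9]{12}(?:[0-9]{3})?$",
    "amount": r"^(\d+)(\.\d{1,2})?$",
}

# Pitfall 1: [A-z] spans ASCII 65..122, so it also accepts [ \ ] ^ _ and `,
# which sit between 'Z' and 'a'. Spell the two ranges out instead.
LOOSE_ALPHA = r"^[A-z]+$"
STRICT_ALPHA = r"^[a-zA-Z]+$"


def accepts(pattern: str, value: str) -> bool:
    """Strict check: the whole value must match (re.fullmatch)."""
    return re.fullmatch(pattern, value) is not None


def accepts_loosely(pattern: str, value: str) -> bool:
    """Pitfall 2: with re.match, '$' still matches before a trailing newline,
    so "123" plus a newline passes ^[0-9]+$ and the newline reaches the app."""
    return re.match(pattern, value) is not None


def validate(fields: dict) -> list:
    """Return the names of fields that fail their allow-list; unknown fields fail too."""
    return [name for name, value in fields.items()
            if name not in PATTERNS or not accepts(PATTERNS[name], value)]
```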

Encrypt/Decrypt the App.Config

Program.cs using System; using System.Diagnostics; using System.IO; namespace EncryptAppConfig {     internal class Program     {         pr...