Friday, March 11, 2016

Security in SharePoint 2013

Abstract
This paper explores SharePoint 2013 service applications in depth, along with the accounts recommended for configuring them so as to reduce the chances of security vulnerabilities. The target audiences for this paper are SharePoint administrators and auditors, unlike the previous paper in this series, which covered the overall security framework in SharePoint 2013. To secure a SharePoint environment, the administrator must be aware of the infrastructure and the system and software configuration, and must define a robust patch deployment strategy. This paper explores some of the most important farm-level configuration aspects that help avoid security breaches.
Keywords: SharePoint Server 2013, Security, Service Applications, Service Accounts, Monitoring, Health Analyzer, SharePoint Administration



Service Applications in SharePoint 2013
Hemant Kumar
This paper gives an overview of all the service applications available in SharePoint 2013 which a SharePoint administrator and auditor must be aware of, and covers the most important practices to follow to keep the environment secure in this context. It may be considered a continuation of “Security in SharePoint 2013” by Kumar (2016), which addressed general audiences: stakeholders at any level of an organization's hierarchy who consume SharePoint 2013. In contrast to the previous one, this paper is helpful only for a limited audience with knowledge of SharePoint and Windows Server administration. Under SharePoint 2013, service applications are shared amongst all the front-end web applications and are often ignored when it comes to security issues and practices, since they are not visible to day-to-day users and owners in the front-end web application. These areas are revisited only when something goes wrong, after potential business loss. To avoid disastrous situations and keep the system secure, the author explores these mostly ignored topics in SharePoint farm administration here. It is important to mention that, with the topics covered in this paper alone, achieving a certain level of compliance certification may not be possible. This study may help avoid only a few of the vulnerabilities in the system in the first place. It covers only a small part of the whole picture; things like network defense and attacks, firewalls, possible ways to attack the system and so on are not covered here.



SharePoint 2013: Service Applications
Before the author explores the biggest mistake administrators make during farm configuration, which leads to major security breaches, the name and purpose of each service application must be understood.
SharePoint Server 2013 allows unique functionalities, for example search, to be packaged as a ready-made service which may be deployed on the same server or on a different server in the farm. This also means that sharing one deployed service amongst multiple front-end SharePoint web applications is possible, and in some cases even outside the SharePoint farm. But configuring these services in the right manner is mandatory to avoid security breaches and to ensure a healthy life span for the main SharePoint web application, whose features depend on the services consumed. Here the author covers the most important and most used SharePoint services.
Secure Store Service
As mentioned by Kumar (2016), this service may be considered, in the most layman's terms, as an impersonation layer. Suppose there is a particular module which may be executed only by a specific user, but sharing this user's credentials amongst the group or with any other user is not possible for security reasons. A target application may be defined in Secure Store Service to serve such scenarios in SharePoint. Audit logging of actions performed using Secure Store Service is disabled by default; enabling it may help track unauthorized information flow.
The good thing about Secure Store Service is that it stores the target user's credentials encrypted in a separate database, which may be made even more secure by deploying it on a separate server. Also, the credential fields supported are generic: user name, password, personal identification number, key, Windows username, Windows password, certificate and certificate password. The bad thing is that if Secure Store Service is hacked, and there are multiple sources of secured information configured to be accessed through this framework, the whole SharePoint farm becomes the most insecure place imaginable.
Search Service
As mentioned by Kumar (2016), this service may be used to crawl even external content along with the SharePoint websites in the SharePoint farm. This module is responsible for crawling information sources, preparing and maintaining indexes based on the crawled information, search query analytics and usage, and search administration.
The administrator needs to make sure that all the content in the target application being crawled is accessible to the account with which crawling is done, but this does not mean giving full permission on the target. Read permissions are sufficient. Sometimes search services are configured to exist on a front-end server where the content source web application resides, and Windows Server prohibits crawlers from accessing a website on the same server. The most prevalent solution is to set “DisableLoopbackCheck” at the front-end server level. But as per Kumar (2011), this is not the secure way of implementing search in SharePoint. Another security concern with the SharePoint Search Service crawler is that it relies on custom headers to identify that the target web application is SharePoint based. If the administrator removes these headers, as explained by Kumar (2013), search crawlers are not able to crawl fine-grained objects like list items in the SharePoint target; if he doesn't remove these headers, attackers can easily identify that the target is SharePoint based.
User Profile Service
User Profile Service is used to keep data related to people in an organization. This data may come from Active Directory (AD), in part, or from other custom sources. SharePoint features like setting up audiences, My Site for end users and social features depend directly on this service.
The user profile database, synchronization database and social tagging database are created when this service is configured. A healthy and fully functional User Profile Service depends on Managed Metadata Service, Search Service and Business Connectivity Service to deliver the full range of social features in SharePoint 2013.
Managed Metadata Service
This SharePoint service is responsible for sharing managed keywords and term sets across multiple site collections and across boundaries. One of the most important uses of defining taxonomies and term sets in a single place is better and more organized search results. This makes information more meaningful to the end user.
Business Data Connectivity Service
As mentioned by Kumar (2016), content types are the way to define information consistently across a SharePoint site collection. This service is used to define external content types to consume data from external lines of business. The way this service is configured depends heavily on what type of existing or future external (non-SharePoint) solutions the organization consumes and what the business flow will be.
Word Automation Services
This service is responsible for server-side conversions of Word documents. It supports both synchronous and asynchronous operations on documents in SharePoint 2013. For asynchronous operations, this service depends on SharePoint Timer Jobs.
User Profile Synchronization Service
This service supplements the User Profile Service described above, to facilitate importing user information from other systems. These systems may be Active Directory Domain Services, SAP, SQL Server or others.
Machine Translation Service
This service is used to automatically translate content in SharePoint with the help of the Microsoft Online Translator tool. It is the most helpful feature in multilingual scenarios in SharePoint 2013.
Work Management Service
This service is responsible for task aggregation in a central location; My Site and the newsfeed experience are examples. Be it Exchange, Project Server or to-dos and tasks in SharePoint, with the help of Search Service and User Profile Service a user may get everything in one place.
Visio Graphics Service
Visio diagrams may be rendered in SharePoint 2013 with the help of this service. This service depends on State Service for its normal operation.
State Service
This service is responsible for storing temporary data across related requests over HTTP. Many services and functionalities like Visio Graphics Service, SharePoint health reports and many more won't work without it being configured.
Microsoft SharePoint Foundation Sandboxed Code Service
Traditionally, custom solutions and web parts ran under the w3wp process. With the help of this service, administrators may limit resources on a per-application basis, and the solutions run under a different process altogether to give better security and isolation. The new solution model available is based on this service.
Access Database Service 2010 and Access Services
In SharePoint 2013, under the new app model, a new SQL database is generated by Access Services for each Access app created. This is a very fast and user-friendly way for users to create and publish relational databases and content in a web-friendly way. Access Services is responsible for creating and customizing Access apps. Access Database Service 2010 is provided for backward compatibility.
App Management & Microsoft SharePoint Foundation Subscription Settings Service
Providing this feature and service in SharePoint 2013 is a step by Microsoft towards a Google Play Store and Apple App Store like methodology in SharePoint, where publishing and buying apps online is facilitated. App Management Service, working in conjunction with Microsoft SharePoint Foundation Subscription Settings Service, is the backend engine supporting this feature.
Central Administration Service
Stopping this service on all servers in the farm is sufficient to break the whole SharePoint 2013 farm; an administrator without PowerShell knowledge may be stuck without this service running.
Claims to Windows Token Service
As the name suggests, it is a part of Windows Identity Foundation on the server. This service is responsible for the impersonation required by SharePoint and other products to access backend resources.
Distributed Cache Service
This service is required by many services to operate, or gives better performance to others. A few examples of features depending on this service are OneNote, security trimming, newsfeeds, social features, page load performance and so on.
Document Conversions Launcher and Document Conversions Load Balancer Service
Document Conversions Launcher Service schedules and initiates the document conversions. When SharePoint Foundation passes a document conversion request to the document conversion launcher service, the service must call the appropriate document converter. The load balancing of incoming requests is taken care of by Document Conversions Load Balancer Service.
Excel Calculation Service
Excel Calculation Service in SharePoint 2013 may be seen more as a business intelligence tool to share and render workbooks directly as web page content.
Lotus Notes Connector Service
Since the development platform and terminology for Lotus Notes are different, to support big names in the market Microsoft built a dedicated connector in SharePoint 2013 for functionalities like crawling the content inside Lotus Notes.
Microsoft SharePoint Foundation Incoming E-Mail Service
Suppose an end user wants to use SharePoint as a drop box where he could e-mail content and have it follow the further publishing workflow; this is possible only with the help of this service.
Microsoft SharePoint Foundation Web Application Service
This service provides the connection between SharePoint and IIS. Without this service running, not even a web application can be created.
Microsoft SharePoint Foundation Workflow Timer Service
This service is responsible for timed events and workflows related to list and documents in the site collections.
PerformancePoint Service
This service is responsible for monitoring and related data analysis including rich dashboards and tools to consume this information.
PowerPoint Conversion Service
This service is responsible for server side conversions of PowerPoint slides to different formats.
Request Management Service
This service is only configured through PowerShell, and is responsible for request routing based on the type of request, to the right server in the farm.
Farm Level Accounts
The most common flaw observed in SharePoint service application configuration is using a single account for all operations. Think of the situation where this single account is compromised.
SQL Server Service Account
This is the account used for setting up the Windows services (named MSSQLSERVER and SQLSERVERAGENT) running on the SQL Server. Request Manager is a functionality in SharePoint Server 2013 that enables administrators to manage incoming requests and determine how SharePoint Server 2013 routes these requests. If this account is not configured correctly, backups and restores from external resources are affected. This is preferably a domain account, but that is not a requirement.
Setup User Account
This is the account used for the initial setup and for running the initial configuration wizards. This account must be in the Administrators group on all the servers and part of the securityadmin and dbcreator server roles on the SQL box. If the administrator plans to run PowerShell scripts which directly affect a database, this account must be db_owner on the target database. This must be a domain account.
Server Farm Account
It is important to understand that the moment a server is added to the SharePoint farm, this account gets additional privileges over the server's resources. This account is responsible for configuring and managing the server farm in future, acts as the application pool identity in IIS for the Central Administration web application, and is configured to run the SharePoint Foundation Workflow Timer Service right from the beginning. The importance of this account for security may be estimated from the fact that it holds the dbcreator, securityadmin and db_owner roles on every SQL Server where the databases and underlying configuration of SharePoint exist. If the credentials of this account are leaked, nothing is left to protect anymore. This must be a domain user account.
Service Application Accounts
The three accounts mentioned above are required before even starting to deploy SharePoint in a fresh environment. The most common mistake, as described previously in this paper, is that administrators don't go further and set up the additional accounts mentioned below. Here the author explores service accounts in terms of application pools and accounts for unattended services. Say the administrator has a single server to run all the services; that single server may have multiple application pools. Or, if multiple servers are provided, each group of services under the same application pool may be moved to another server, or even divided. The purpose is to get a basic idea of which services may reside together and share resources without breaching security, and which ones require a domain account for normal operation.
Service Application Account for Application Pool 1
Unless there is a specific security reason, justified by business needs, a single application pool in IIS may host the endpoints for Access Services, Word Automation Services, Usage and Health Data Collection Service, Secure Store Service, Business Data Connectivity Service, User Profile Service and Visio Graphics Service. Sharing the same application pool identity means these services share resources. The account used to run this category may be a local account. They are grouped together here because they don't mandate the use of a domain account and they may reside together. But the administrator may use a unique domain account if need be.
Service Application Account for Application Pool 2
Excel Services, Managed Metadata Service, PerformancePoint Service and Search Service endpoints may reside together under a single application pool identity, but that pool must run with a domain account. Unless there is a need due to business rules or performance constraints, these services may share a single application pool in IIS.
Service Application Account for Application Pool 3
Security Token Service and Application Discovery and Load Balancer Service endpoints may reside together under a single application pool identity. This account must be the Farm Service Account, and the SharePoint Products Configuration Wizard automatically creates this application pool. This need not be a domain account.
Unattended Service Account 1
Under Excel Services, this account is a must for actions like refreshing worksheet data when the authentication type specified is None or non-Windows credentials are entered. This must be a domain user account.
Unattended Service Account 2
Under PerformancePoint Services, this account is used to authenticate with data sources. This must be a domain user account.
Unattended Service Account 3
Under Visio Graphics Service, this account is used to refresh data from non-SharePoint data sources. This need not be a domain user account, but the decision depends upon which type of data source the application uses.
Content Access Account for Search
This account is used by SharePoint Search to crawl content from different sources. The source may be external content or inside the local farm. This account has read permission on all the content to be crawled, no matter what type of account it is. But as mentioned by Catrinescu (2013), this should be a domain user account. It must not be part of the Farm Administrators group. This issue is very commonly caught in security audits.
Search Service Account
Please note that this account is different from the Content Access Account for Search and the Service Application Account for Application Pool 2 described above. It is used to run the actual search service engine. This must be a domain user account. It must not be part of the Farm Administrators group. This issue is very commonly caught in security audits.
User Profile Synchronization Account
Please note that this account is different from the Service Application Account for Application Pool 1, which is used to run the web application endpoint hosting User Profile Service. Unlike the App Pool 1 account, this must be a domain user account as per Catrinescu (2013). Also, it should have the “log on locally” permission on the computer running the instance of User Profile Synchronization Service.
User Profile Connection Account
Please note that this account is different from the Service Application Account for Application Pool 1, which is used to run the web application endpoint hosting User Profile Service, and from the User Profile Synchronization Account, which is used to run the synchronization service. This must be a domain user account as per Catrinescu (2013). It may be the case that for each connection established with a remote directory service there is a different connection account. This account must have the Replicate Directory Changes permission on the domains under consideration.
App Management Service Account
The type of this account depends on whether the SharePoint Catalog or the SharePoint Store is consumed to install apps in the local farm. This account is responsible for app management in SharePoint.
PowerPoint Conversion Account
This account is responsible for converting Microsoft PowerPoint presentations to different formats using the PowerPoint conversion service engine. There is no specific requirement for this to be a domain account unless required by the organization-specific architecture.
Machine Translation Account
This account is responsible for automatic translations in SharePoint. There is no specific requirement for this to be a domain account unless required by the organization-specific architecture.
Distributed Cache Account
This account is used to run the Distributed Cache service, which provides in-memory caching to various features like authentication, security trimming by other services (e.g. search results), page load performance, newsfeeds and so on. There is no specific requirement for this to be a domain account unless required by the organization-specific architecture.
Work Management Account
All task aggregation by Work Management Service is performed using this account, the sources being SharePoint products, Microsoft Exchange Server, Microsoft Project Server and so on. The type of account used depends greatly upon the sources consumed.
Access Services 2013 Account
This account is responsible for views, edits and all kinds of interactions with Access 2013 databases in the browser using SharePoint 2013. There is no specific requirement for this to be a domain account unless required by the organization-specific architecture.
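A read-only audit script for the account separation described in this section, added here as an example; it is not part of the original paper. It assumes the SharePoint 2013 Management Shell on a farm server, that the Security Token Service pool keeps its default name, and that Farm Administrators is the SharePoint group of that name on the Central Administration root web.

```powershell
# Added audit example (not from the original paper). Run in the SharePoint 2013
# Management Shell on a farm server. It only reports findings; nothing is changed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = New-Object System.Collections.Generic.List[string]

# 1. One account running every service application pool is the flaw the paper
#    calls out first: show who runs what, then flag a single shared identity.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$pools       = @(Get-SPServiceApplicationPool)
$byAccount   = @($pools | Group-Object ProcessAccountName)
foreach ($g in $byAccount) {
    "{0,-35} runs {1} pool(s): {2}" -f $g.Name, $g.Count, (($g.Group | ForEach-Object Name) -join ', ')
}
if ($byAccount.Count -eq 1 -and $pools.Count -gt 1) {
    $findings.Add("All $($pools.Count) service application pools share one account: $($byAccount[0].Name)")
}
# The farm account belongs only on the Security Token Service pool
# ('Application Pool 3' above). The default pool name is an assumption.
foreach ($p in $pools) {
    if ($p.ProcessAccountName -eq $farmAccount -and $p.Name -ne 'SecurityTokenServiceApplicationPool') {
        $findings.Add("Pool '$($p.Name)' runs as the farm account $farmAccount")
    }
}

# 2. Same check as the Health Analyzer rule 'Accounts used by application pools
#    or service identities are in the local machine Administrators group', done
#    on this server by reading the local group membership directly.
$localAdmins = @(net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' } |
    ForEach-Object { $_.Trim() })
$managed = @(Get-SPManagedAccount | ForEach-Object UserName)
foreach ($acct in $managed) {
    if ($localAdmins -contains $acct) {
        $findings.Add("Managed account $acct is in the local Administrators group on $env:COMPUTERNAME")
    }
}

# 3. Service and crawl accounts must not be farm administrators. Farm
#    Administrators is read as the SharePoint group of that name on the
#    Central Administration root web (assumed group name).
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caSite = Get-SPSite $caWebApp.Url
try {
    $farmAdmins = @($caSite.RootWeb.SiteGroups['Farm Administrators'].Users | ForEach-Object LoginName)
} finally {
    $caSite.Dispose()
}

# Default content access (crawl) account, read through the search Content object.
$ssa          = Get-SPEnterpriseSearchServiceApplication | Select-Object -First 1
$content      = New-Object Microsoft.Office.Server.Search.Administration.Content($ssa)
$crawlAccount = $content.DefaultGatheringAccount

foreach ($acct in @($managed + $crawlAccount | Where-Object { $_ })) {
    # Claims logins look like 'i:0#.w|contoso\spsearch', so match on the suffix.
    $pattern = '(^|\|)' + [regex]::Escape($acct) + '$'
    if (@($farmAdmins | Where-Object { $_ -match $pattern }).Count -gt 0) {
        $findings.Add("$acct is a member of Farm Administrators")
    }
}

"`n{0} finding(s):" -f $findings.Count
$findings | ForEach-Object { " - $_" }
```

Run it on every server in the farm, since the local Administrators check (part 2) only sees the machine it runs on.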
SharePoint Health Analyzer
While auditing any SharePoint 2013 environment for security and other issues, this may be the best place to start. The reports available under this section in Central Administration are based on 63 automated rules defined by Microsoft. All the rules may be disabled; if the administrator has done so, this must be reported in audits and the administrators must be questioned about it. For example, the default rule “Accounts used by application pools or service identities are in the local machine Administrators group”, listed by Microsoft (2013) under “SharePoint Health Analyzer rules reference”, may open a gateway to attack if disabled.
Under Central Administration, the administrator may visit Monitoring > Health Analyzer > Review problems and solutions to figure out what is going wrong. Since this data comes from a SharePoint list in Central Administration, he can even enable e-mail alerts on item creation in this list if paid monitoring tools are not available.
Certainly, the Health Analyzer does not cover everything, but it helps detect a lot more than an administrator could find manually.
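The two Health Analyzer checks above as a script, added here as an example and not part of the original paper: list the rules an administrator has disabled, then create the e-mail alert on the Health Analyzer list for an auditor. It assumes the SharePoint 2013 Management Shell, that the list sits at Lists/HealthReports under the Central Administration root web, that the rule's display text is in the Summary property, and a placeholder recipient account.

```powershell
# Added example (not from the original paper). Run in the SharePoint 2013
# Management Shell. Part 1 only reads; part 2 creates one alert for one user.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rules an administrator has switched off. Each one is a blind spot the audit
#    should ask about; the local Administrators rule is called out separately.
$rules    = @(Get-SPHealthAnalysisRule)
$disabled = @($rules | Where-Object { -not $_.Enabled })
"{0} of {1} Health Analyzer rules are disabled" -f $disabled.Count, $rules.Count
$disabled | ForEach-Object { " - $($_.Name)" }

# Assumption: the rule's display text is exposed in Summary (Name is checked too).
$adminRule = $rules | Where-Object {
    $_.Summary -match 'local machine Administrators group' -or $_.Name -match 'LocalAdministrators'
}
if ($adminRule -and -not ($adminRule | Where-Object { $_.Enabled })) {
    "WARNING: the local Administrators rule is disabled; re-enable it with Enable-SPHealthAnalysisRule"
}

# 2. Monitoring without paid tools: an immediate e-mail alert whenever a new
#    item is added to the 'Review problems and solutions' list in Central Admin.
function Add-HealthReportAlert([string]$Recipient) {
    $caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
        Where-Object { $_.IsAdministrationWebApplication }
    $site = Get-SPSite $caWebApp.Url
    try {
        $web  = $site.RootWeb
        # Assumed list URL of the Health Analyzer reports list.
        $list = $web.GetList($web.ServerRelativeUrl.TrimEnd('/') + '/Lists/HealthReports')
        $user = $web.EnsureUser($Recipient)

        $alert = $user.Alerts.Add()
        $alert.Title            = 'Health Analyzer: new problem reported'
        $alert.AlertType        = [Microsoft.SharePoint.SPAlertType]::List
        $alert.List             = $list
        $alert.DeliveryChannels = [Microsoft.SharePoint.SPAlertDeliveryChannels]::Email
        $alert.EventType        = [Microsoft.SharePoint.SPEventType]::Add
        $alert.AlertFrequency   = [Microsoft.SharePoint.SPAlertFrequency]::Immediate
        $alert.Update()
        return $alert.ID
    } finally {
        $site.Dispose()
    }
}

# Placeholder recipient; replace with the auditor's domain account.
Add-HealthReportAlert -Recipient 'CONTOSO\spauditor'
```

The alert is delivered only if outgoing e-mail is configured for the farm in Central Administration.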
Conclusions and Future Study
This paper covers only SharePoint service applications, the categories of accounts recommended for configuring these service applications and application pools in IIS, and a brief overview of the Health Analyzer. It does not cover all the vulnerabilities that might be present in the system. For example, many Windows services and components running on the servers in the farm may not be required for the features the organization currently uses, and so must be stopped to reduce the attack surface. SQL Server may be exposed on default ports, and many firewall rules may not even have been thought of by the administrator. And so on.
All in all, this paper covers much, but to secure the SharePoint environment as a whole, further research on the whole infrastructure is highly recommended.



References
Catrinescu, V. (2013, January 07). SharePoint 2013 Service Accounts Best Practices. Retrieved May 08, 2016, from https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html
Cleary, L. (2016, May 02). Penetration Testing SharePoint. Retrieved May 08, 2016, from https://www.pluralsight.com/courses/penetration-testing-sharepoint
Collins, J. (2016, April 14). SharePoint Environment Auditing. Retrieved May 08, 2016, from https://www.pluralsight.com/courses/sharepoint-environment-auditing
Ehrenberg, J. (2015, April 01). SharePoint Health Analyzer rules reference (SharePoint 2013). Retrieved May 08, 2016, from https://jimehrenberg.wordpress.com/2015/04/01/sharepoint-health-analyzer-rules-reference-sharepoint-2013/
Fakos, A., & Philipp, J. (2013, November 28). Getting a handle on SharePoint security complexity. Retrieved May 08, 2016, from https://www.owasp.org/images/0/09/OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf
Kumar, H. (2011, June 14). SharePoint disable loopback check | Specify Host Names. Retrieved May 08, 2016, from https://hemantrohtak.blogspot.com/2011/06/sharepoint-disable-loopback-check.html
Kumar, H. (2013, January 07). SharePoint 2010 Enterprise Search | SharePoint Crawl Exceptional Behaviour. Retrieved May 08, 2016, from https://hemantrohtak.blogspot.com/2013/01/sharepoint-2010-enterprise-search.html
Kumar, H. (2016, March 11). Security in SharePoint 2013. Retrieved May 08, 2016, from https://hemantrohtak.blogspot.com/2016/03/security-in-sharepoint-2013.html
Lozzi, D. (2013, April 03). Overview of SharePoint 2013’s Services. Retrieved May 08, 2016, from https://davidlozzi.com/2013/04/03/overview-of-sharepoint-2013s-services/
Matthews, P. (2015, January 21). Setting up Word Automation Service for SharePoint 2013. Retrieved May 08, 2016, from https://cann0nf0dder.wordpress.com/2015/01/21/setting-up-word-automation-service-for-sharepoint-2013/
Microsoft. (2013, December 18). SharePoint Health Analyzer rules reference (SharePoint 2013). Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ff686816.aspx
Microsoft. (2013, December 18). Overview of managed metadata service applications in SharePoint Server 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ee424403.aspx
Microsoft. (2013, December 18). Manage service applications in SharePoint 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ee704544.aspx
Microsoft. (2014, March 11). Share service applications across farms in SharePoint 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ff621100.aspx
Microsoft. (2014, August 26). Plan for administrative and service accounts in SharePoint 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/cc263445.aspx

Navigating to Multiple Search Results in Google Search Engine (Usability Heuristics for User Interface Design)


Most of the time, an end user visits google.com to search for something which he may not be sure where to find. More often than not, the exact term being searched is not easy to remember. Rather than opening a specific search result in a new window, it is designed to open in the same window. In case a user proceeds further on a website which doesn't allow the browser's back button to work, he may have to remember what exact term he searched for.
This is against two principles of interaction design:
  • User control and freedom: the user should be able to close the browser window and still be able to see the same web page where he entered the search terms. This may be achieved by opening the search result URL in a new window or browser tab.
  • Recognition rather than recall: since the specific case we are studying doesn't allow the browser back button, the user will have to remember and type the search keywords again. This may be resolved by opening the search result URL in a new window or browser tab.
References
Nielsen, J. (1995, January 1). 10 Usability Heuristics for User Interface Design. Retrieved March 02, 2016, from https://www.nngroup.com/articles/ten-usability-heuristics/

Thursday, March 10, 2016

The Design of Everyday Things by Don Norman

1. According to Norman, how should we handle all failures within a system? What are the primary causes of most failures and what are the design implications for developers?

How should we handle all failures within a system?
1. Understand the cause and design to minimize the cause rather than blaming the end user. It may include using constraints, proper messaging and confirmations.
2. Do sensibility checks based on the user's profile and previous flows chosen, if possible.
3. Keep the option to undo an action.
4. Make it very easy to discover an error.
5. Try bringing the end user back to the normal desired flow of action rather than immediately throwing him out.
Swiss cheese model beautifully describes how to reduce possibility of errors.


What are the primary causes of most failures?
The most common is requiring the end user to operate in unnatural ways. Interruptions are also a major cause of errors, both slips and mistakes.
What are the design implications for developers?
It is not always possible to make errors discoverable, to report the error before it has occurred, or to undo it when the transaction is already complete. Say the end user didn't heed the warning he was given and kept on clicking OK.


2. Explain the relationship between discoverability, feedback, the conceptual model, affordances, signifiers, mappings, and constraints. Use an item to illustrate your points (Norman discusses these in great deal using several examples. Do not repeat an example from the book. Use your own).

Affordances: the reason why I am using the machine under consideration; say I will be using a shaving kit for cleaning my beard in a while.
Signifiers: signifiers help determine how I can shave my beard with this shaving kit lying on my table.
Mapping: the size and shape of the holder matching the slot is natural mapping for me.
Constraints (may be of type physical, logical, semantic, and cultural): the holes in the blade and the corresponding elevation in the holder work as a forced constraint in my example.
[Image: Vincent old-fashioned safety razor]
Discoverability: with this it is possible to determine what actions are possible in the current state of the machine. I can put the blade in the holder and clean my face full of shaving cream.
Feedback: the way to communicate back what is happening. I will look into the mirror while shaving to see how it's going; this is feedback for me.
Conceptual model: this is the rough image in my mind of the system and how it works. I am writing the description above based on the conceptual model in my head.


3. Summarize Norman's thoughts on standardization. He brings it up at several points in the book. He offers the benefits and the drawbacks but does provide a clear viewpoint.

The author clearly mentions the importance of affordances and signifiers, discoverability and feedback. But if it is not possible to provide any of these, or say there is a language barrier or anything unforeseen, he says standardization always pays and is worth following.
When no other solution is possible, design everything the same way so that people have to learn only once. Standards simplify life for everyone, but it is difficult to set a standard and bring all the manufacturers and governing agencies onto the same page.
He mentions that sometimes standards may take so long to develop that they are no longer relevant or beneficial, because numerous manufacturer-specific designs have already been implemented in the market by then.
There are always many people who advocate the presence of multiple standards.
Sometimes, even if standards are set, they are not followed and vanish with time.


4. Norman discusses the process of design thinking. What two tools does he provide to support this process and how are they related? According to Norman, are these more theoretical or practical? Why?

He suggests the double diamond model for defining the problem, and then again the double diamond model to reach the best possible solution.
In both cases, we start with something, expand our scope, and finally, based on elimination, reach the problem statement or solution.
Start with an idea, and through the initial design research, expand the thinking to explore the fundamental issues. Only then is it time to converge upon the real, underlying problem. Similarly, use design research tools to explore a wide variety of solutions before converging upon one.
These are more theoretical though.
Money, schedule constraints and market pressure may not allow detailed analysis.


5. Norman asserts that "reliance on technology is a benefit to humanity". What does he mean by this? Do you agree? Why or why not?

The author here means that if we use more and more advanced technology-based solutions, it is not always true that we will be making ourselves dumb. We may not always be losing our abilities; rather, we will have more mental resources to use elsewhere.
But he also mentions that perfect coordination between man and machine is the key. If we are not able to use our brains to fully deploy the machine's power, it may not be so beneficial.


6.      Norman's goal with this book was to turn readers into great observers of the absurd, of the poor design that gives rise to so many of the problems of modern life, especially of modern technology, while giving them a tool chest of good design principles to address future issues of design. Did Norman accomplish his goal with you? Explain while offering your biggest take-aways from this book (positive or negative).

To be honest, he was not successful if I consider myself as an end user reading this book; but yes, in my role as a designer, it helped me.
Me as an end user:
1. The author uses similar examples to illustrate two almost opposite concepts.
2. I think, if I am the end user in this book, I may be a person without common sense and with an empty skull. That is not the case in 99% of cases.
Yes, it gives me some good tactics to argue, but I will prefer to sort out the issue myself before actually running to the manufacturer.
Me as a designer/developer:
Yes, this book is something I will always keep with me and keep reading again and again. This book is the lifetime experience of a brilliant personality and teaches me to be end-user centric in my products.
Some things I am going to stop doing:
1. Thinking: why doesn't my client understand what I am trying to explain?
2. Did she miss the big red message in large font?
3. Why should I worry about rolling back the transaction, when I gave the big confirmation message?
4. This application works well in Chrome; who cares about IE, there are very few IE users as per Google Analytics.
5. Why was the end user not able to see this download button?
6. I won't ever blame the customer service guy for forgetting a step in the sequence we handed over to him; rather, I will think of making the design more robust.
7. Now I know the importance of the text in error messages.




Interactive Systems Design

Interaction design:

Is the practice of shaping how software and hardware behave and respond, for a better user experience.

human-computer interaction:

Is the application of knowledge of both computers and human behaviour to build better interfaces between users and computers.

user experience design:

Is the practice of improving a product, keeping in mind why an end user uses it, in order to deliver more satisfaction.

interactive systems design:

Is the way to design and develop interactive systems with more focus on user satisfaction, applying concepts from the field of human-computer interaction. An interactive system here means a system with heavy interaction between humans and the digital world.

Wednesday, March 9, 2016

Don't Make Me Think - by Steve Krug


Chapter, title and learnings:
Ch. 1, Don't make me think!: Website design should be as obvious as possible.
Ch. 2, How we really use the Web: The website should be easy to scan through to reach the desired content.
Ch. 3, Billboard Design 101: Visual hierarchies; follow widely accepted conventions.
Ch. 4, Animal, Vegetable, or Mineral?:
   a) "It doesn't matter how many times I have to click, as long as each click is a mindless, unambiguous choice."
   b) Brief, timely and unavoidable assistance.
Ch. 5, Omit needless words: "Get rid of half the words on each page, then get rid of half of what's left."
Ch. 6, Street signs and Breadcrumbs: People won't use your Web site if they can't find their way around it. Where do I start?
   Site ID: obvious logo and tagline
   Utilities
   Sections and sub-sections (also answering "where am I?")
   Page name
      Areas on this page
      Items on this page
   Breadcrumbs
   Local navigation, up to the nth level
   Footer navigation
Ch. 7, The Big Bang Theory of Web Design: Home page design. Analyze why and where people visit the most; clear and informative tagline, welcome blurb, short sweet description.
Ch. 8, The Farmer and the Cowman Should Be Friends: How to do usability tests, and why.
Ch. 9, Usability testing on 10 cents a day: Promotes the next book, and how to do a usability test.
Ch. 10, Mobile: It's not just a city in Alabama anymore: Responsive design; mobile site/full site toggle; asynchronous calls to make the page load fast; choose the important stuff out of so much; learning curve for the user.
Ch. 11, Usability as common courtesy: Save your goodwill by honoring the user's time; dynamic FAQs (no marketing there); customer care access; error handling; printer-friendly pages.
Ch. 12, Accessibility and you: Alt text; headings; skip-main-menu link; keyboard-only operation; screen contrast; use predefined templates and resizable text fonts.
Ch. 13, Guide for the perplexed: No phishing; no small, low-contrast type; no labels inside form fields; keep the distinction between visited and unvisited text links; no floating headings between paragraphs.
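A few of the Ch. 12 and Ch. 13 checks above (alt text, heading hierarchy, a skip-to-main link, labels inside form fields, visited-link styling) can be turned into an automated first pass before a manual walkthrough. The script below is an added example written for this page; it is not code from Krug's book or from any of the sites reviewed. It uses tag-level regular expressions rather than a real HTML parser, so it assumes ordinary, well-formed markup, and the SAMPLE_HTML page it audits is constructed for the example.

```javascript
// Added example (not from the original page): a heuristic audit of an HTML page
// against a few of Krug's Ch. 12 / Ch. 13 checks. Tag-level regexes are used instead
// of a real HTML parser, so this assumes ordinary, well-formed markup.

function auditHtml(html) {
  const findings = [];

  // Ch. 12: every <img> needs an alt attribute (alt="" is acceptable for decorative images).
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    if (!/\balt\s*=/i.test(tag)) findings.push(`img without alt: ${tag}`);
  }

  // Ch. 12 (and Ch. 3, visual hierarchy): exactly one <h1>, and no skipped heading levels.
  const levels = [...html.matchAll(/<h([1-6])\b/gi)].map(m => Number(m[1]));
  const h1Count = levels.filter(l => l === 1).length;
  if (h1Count !== 1) findings.push(`expected exactly one h1, found ${h1Count}`);
  for (let i = 1; i < levels.length; i++) {
    if (levels[i] > levels[i - 1] + 1) {
      findings.push(`heading level jumps from h${levels[i - 1]} to h${levels[i]}`);
    }
  }

  // Ch. 12: a skip-to-main-content link for keyboard and screen-reader users.
  if (!/<a\b[^>]*href\s*=\s*["']#(main|content)["']/i.test(html)) {
    findings.push('no skip-to-main-content link');
  }

  // Ch. 13: no labels inside form fields. Flag text-like inputs whose only "label"
  // is a placeholder and which have no <label for=...> pointing at them.
  const labelledIds = new Set(
    [...html.matchAll(/<label\b[^>]*\bfor\s*=\s*["']([^"']+)["']/gi)].map(m => m[1])
  );
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const typeMatch = tag.match(/\btype\s*=\s*["']?(\w+)/i);
    const type = (typeMatch ? typeMatch[1] : 'text').toLowerCase();
    if (['hidden', 'submit', 'button', 'checkbox', 'radio'].includes(type)) continue;
    const idMatch = tag.match(/\bid\s*=\s*["']([^"']+)["']/i);
    const labelled = idMatch !== null && labelledIds.has(idMatch[1]);
    if (!labelled && /\bplaceholder\s*=/i.test(tag)) {
      findings.push(`input relies on a placeholder as its only label: ${tag}`);
    }
  }

  // Ch. 13: keep visited and unvisited links distinguishable. If the page's own CSS
  // colours links but never styles a:visited, both states render identically.
  // (The lookbehind keeps "background-color" from counting as a link colour.)
  const css = (html.match(/<style\b[^>]*>[\s\S]*?<\/style>/gi) || []).join('\n');
  if (/\ba(:link)?\s*\{[^}]*(?<![\w-])color\s*:/i.test(css) && !/a:visited/i.test(css)) {
    findings.push('links are coloured by CSS but there is no a:visited rule');
  }

  return findings;
}

// Constructed sample page (not a real site) that trips every check exactly once.
const SAMPLE_HTML = `
<html><head><style>a { color: #06c; }</style></head><body>
<h1>Store</h1>
<h3>Laptops</h3>
<img src="logo.png">
<img src="banner.png" alt="Spring sale">
<form><input type="text" placeholder="Search"><input type="submit" value="Go"></form>
<h1>Deals</h1>
</body></html>`;

for (const finding of auditHtml(SAMPLE_HTML)) console.log('-', finding);
```

Run with `node audit.js`; the sample page produces six findings, one per check. A clean page (single h1, no skipped levels, a `href="#main"` skip link, alt on every image, labelled inputs, and an `a:visited` rule alongside the link colour) produces none. The regexes are a triage aid, not a substitute for a DOM-based accessibility tool or the manual evaluations that follow.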


Website URL: www.walmart.com
Video URL: https://youtu.be/qHfDiOMAZwU?list=PLf8gXAJY10GEx5r_KvBIeTbaHnIMhMlQ_
Task: You want to buy a laptop with the specifications below:
  a. Lenovo
  b. Screen size not more than 14"
  c. RAM minimum 8 GB
  d. Processor minimum i5 5th generation
  e. Hard drive minimum 500 GB
  f. Weight maximum 5 lb
  g. Price as low as possible
Ch. 1, Don't make me think!: OK
Ch. 2, How we really use the Web: OK
Ch. 3, Billboard Design 101: OK
Ch. 4, Animal, Vegetable, or Mineral?: OK
Ch. 5, Omit needless words: OK
Ch. 6, Street signs and Breadcrumbs: Rest is OK; local navigation needs improvement.
Ch. 7, The Big Bang Theory of Web Design: No tagline.
   Changes products based on cookies from the various searches I did at multiple sites: good.
   Promotions in the right place: good.
Ch. 10, Mobile: It's not just a city in Alabama anymore: Good responsive design.
   App link mentioned at the bottom.
   No link to a full site, since the design is responsive.
Ch. 11, Usability as common courtesy:
   a) Wait time is too high for customer care.
   b) The chat link is down in Help, by which point the user has lost the product. The chat option or customer care phone number should be prominent on the product page itself.
   c) The generation of the i5 processor is not mentioned; there is a model number which I don't understand.
   d) Good that they have a reference number on the page to help the user retrieve the current session, but this text is in a very light colour.
Ch. 12, Accessibility and you: Does not seem to handle accessibility issues.
Ch. 13, Guide for the perplexed:
   a) It is tracking my interests and location, but I have not seen a cookie consent popup yet.
   b) No distinction to identify visited links.


Website URL: bypoo.com
Video URL: https://youtu.be/SM2fbGbda7I?list=PLf8gXAJY10GEx5r_KvBIeTbaHnIMhMlQ_
Task: Check the WhoIs information for the domain name "fhsu.edu", along with the location of the server where it is deployed.
Ch. 1, Don't make me think!: The first row of page content on the website is enough to puzzle me. I am not here to visit GoDaddy or Sedo, or to get the domain's worth.
Ch. 2, How we really use the Web: I scanned the whole page to figure out what to do. Not even a single instruction.
Ch. 3, Billboard Design 101: It seems a lot of information is literally poured onto a single page. At least I figured out I need to type "fhsu.org" in the search box in the left navigation. But what "tld" means, I don't know. Pressing Enter should have done the same thing as clicking the magnifier icon.
   Also, there are too many h1 tags, and no h2, h3 or the like.
   Further, the big value from Statsie shouts "buy this domain", but I am here only to get WhoIs information.
Ch. 4, Animal, Vegetable, or Mineral?: Even though I clicked only once to reach the WhoIs information page, I had to think for quite a few seconds. This is not good.
Ch. 5, Omit needless words: Under WhoIs Information there is so much content which is useless to me. I only need the address, email and phone number. The rest is crap.
Ch. 6, Street signs and Breadcrumbs:
   A) In place of a site ID, there is the website URL.
   B) In place of utilities there is only About Us and a Facebook share. No login, site map or anything like that. One thing here: if there is no login, how is "previously searched" in the left navigation calculated?
   C) On the whole page there are various h1 tags; no subsections or similar hierarchy.
   D) There is no page name at all, let alone areas or breadcrumbs.
   E) Local navigation is very limited; it only tells how many visitors came here or are currently online. I think this is the wrong place to mention such info.
   F) No footer navigation is present.
   G) If you visit "previously searched", the grid is not good: not even a back-page button, only Next. Further, there should be page numbers to jump to a far-off page in the grid.
   H) There are no filters for TLDs.
Ch. 7, The Big Bang Theory of Web Design:
   A) No site ID here, let alone a tagline.
   B) There is no description or introduction at all.
   C) It seems GoDaddy/Sedo are there for promotion (not sure, because when we travel to the third-party website, I don't see any cookie or identifier transferred).
   D) Too much information on the home page; it is worth dividing into multiple pages.
Ch. 10, Mobile: It's not just a city in Alabama anymore:
   A) Good responsive design, but the navigation doesn't look good at smaller resolutions.
   B) In mobile view (smaller resolution), a few grids like location information give a horizontal scroll, which is against standards.
   C) I observe many asynchronous content loads, which is good for mobile and slow internet connections.
Ch. 11, Usability as common courtesy:
   a) There is no Contact Us section.
   b) If I click on About Us, it gives an entirely different design: loss of confidence.
   c) Try to search for an invalid domain: proper error handling is missing.
Ch. 12, Accessibility and you: Does not seem to handle accessibility issues.
Ch. 13, Guide for the perplexed:
   a) It is tracking my interests and location, but I have not seen a cookie consent popup yet.
   b) No distinction to identify visited links.

Website URL: www.hp.com
Video URL: https://youtu.be/xVDYuS-Q-wo?list=PLf8gXAJY10GEx5r_KvBIeTbaHnIMhMlQ_
Task: You want to buy a laptop with the specifications below:
  a. HP
  b. Screen size not more than 14"
  c. RAM minimum 8 GB
  d. Processor minimum i5 5th generation
  e. Hard drive minimum 500 GB
  f. Weight maximum 5 lb
  g. Price as low as possible
Ch. 1, Don't make me think!: OK
Ch. 2, How we really use the Web: Bad. No laptops under "view all". The test stops here. Such a big name, and it fails the basic test!
Ch. 3, Billboard Design 101: N/A
Ch. 4, Animal, Vegetable, or Mineral?: N/A
Ch. 5, Omit needless words: N/A
Ch. 6, Street signs and Breadcrumbs: N/A
Ch. 7, The Big Bang Theory of Web Design: N/A
Ch. 10, Mobile: It's not just a city in Alabama anymore: N/A
Ch. 11, Usability as common courtesy: N/A
Ch. 12, Accessibility and you: N/A
Ch. 13, Guide for the perplexed: N/A

Website URL: www.dell.com
Video URL: https://youtu.be/m_lQff5IjC8?list=PLf8gXAJY10GEx5r_KvBIeTbaHnIMhMlQ_
and https://youtu.be/FHSwxTdQJtQ?list=PLf8gXAJY10GEx5r_KvBIeTbaHnIMhMlQ_
Task: You want to buy a laptop with the specifications below:
  a. Dell
  b. Screen size not more than 14"
  c. RAM minimum 8 GB
  d. Processor minimum i5 5th generation
  e. Hard drive minimum 500 GB
  f. Weight maximum 5 lb
  g. Price as low as possible
Ch. 1, Don't make me think!: The website design is simple yet meaningful, so OK.
Ch. 2, How we really use the Web: OK
Ch. 3, Billboard Design 101: OK
Ch. 4, Animal, Vegetable, or Mineral?: OK
Ch. 5, Omit needless words: OK
Ch. 6, Street signs and Breadcrumbs: Rest is OK; the main navigation needs improvement for the laptop category.
Ch. 7, The Big Bang Theory of Web Design: There is no tagline, but the carousel heading covers it.
Ch. 10, Mobile: It's not just a city in Alabama anymore: Good responsive design.
   No link to a full site, since the design is responsive.
Ch. 11, Usability as common courtesy:
   a) Wait time is too high for customer care if connected by phone, but the chat wait time is low.
   b) The chat link is spread everywhere; I like that.
   c) Even minute details of the laptop configuration are mentioned; I like that.
   d) The exact laptop weight is not clear.
   e) Everything, including the price match and refund policy links, is clearly visible.
   f) After login I am thrown back to the home page of the site, to do all the selections again. This is heartbreaking.
Ch. 12, Accessibility and you: Does not seem to handle accessibility issues fully.
Ch. 13, Guide for the perplexed:
   a) No tracking until I log in with my account.
   b) No distinction to identify visited links.

Tuesday, March 8, 2016

Is Entity Framework the best performing option for PostgreSQL and .NET applications?

Updated on Monday, April 15, 2017
Abstract
Object-relational mapping (ORM) solutions provide a virtual layer between the application code and the backend database (DB) used by an application, exposing it through create, read, update and delete (CRUD) operations. PostgreSQL is one of the top backend databases deployed with Microsoft .NET applications worldwide. This experiment targets various ORM solutions that may perform well with the Microsoft .NET platform and PostgreSQL as the backend. The list of ORM solutions evaluated includes NHibernate (NH), OrmLite, MicroLite, Entity Framework (EF), LINQ to PostgreSQL, I-Nercya EntityLite Core, Symbiotic Micro ORM x64, LLBLGen Pro, Uni.ORM, and FluentData. It is certainly true that one may be easier to set up and consume than another, but the scope of this experiment is limited to analyzing these ORM solutions by how fast they are able to perform CRUD operations with PostgreSQL and .NET.
-1. know your test system
https://hemantrohtak.blogspot.com/2017/02/startstopget-details-for-windows.html
0. Create test databases
https://hemantrohtak.blogspot.com/2017/03/create-database-and-content-using-psql.html
1. EntityFramework6.exe
https://hemantrohtak.blogspot.com/2017/02/entityframework6npgsql-with-postgresql.html
2. FluentData3.exe
https://hemantrohtak.blogspot.com/2017/02/fluentdata-with-postgresql-and-net.html
3. InercyaEntityLite1121.exe
https://hemantrohtak.blogspot.com/2017/02/i-nercya-entitylite-with-postgresql-and.html
4. LINQtoPostgreSQL17x.exe
https://hemantrohtak.blogspot.com/2017/02/linq-to-postgresql-with-postgresql-and.html
5. LLBLGenProLite51Console.exe
https://hemantrohtak.blogspot.com/2017/02/llblgenpro-lite-with-postgresql-and-net.html
6. MicroLite6.exe
https://hemantrohtak.blogspot.com/2017/02/microlite-with-postgresql-and-net.html
7. NHibernate4.exe
https://hemantrohtak.blogspot.com/2017/02/nhibernate-with-postgresql-and-net.html
8. OrmLite.exe
https://hemantrohtak.blogspot.com/2017/02/ormlite-with-postgresql-and-net.html
9. SymbioticDataProviderPostgreSql2.exe
https://hemantrohtak.blogspot.com/2017/02/symbioticdataproviderpostgresqlx64-with.html
10. UniORM144.exe
https://hemantrohtak.blogspot.com/2017/02/uniorm-with-postgresql-and-net.html

git clone https://bitbucket.org/hemantup/orm.git -b master

Test run output (average calculated over 10 cycles):
bitbucket.org/hemantup/orm/raw/HEAD/Results/

As pdf:

https://drive.google.com/open?id=0B6dqipWMkn9XemNaWFRBdkU5b1E