Index_C


C

C2 level auditing, 526
CA. See certificate-based authentication
caching
data, 625
protecting data, 199
results of security checks, 171-172, 618
of secrets, 89
sensitive data, 288
call level authentication
serviced components, 304
setting, 494
callers
authenticating, 109, 664
authorizing, 635
calls, forcing clients to authenticate, 357
canonicalization
described, 28-29
need for caution in, 76
CAS. See code access security
catch exceptions, 95
categorized threat lists, 57
centralizing input, 75
certificate installation on the database server, 536
certificate-based authentication, 784
channel sink, 365
channels, 568
chapter to product life cycle relationship, lxxix
character encoding, 612
setting correctly, 274
character representation in HTML, 611
checklists
accounts, 730
ACLs and permissions, 703-704
administration, 707
administrators, 711
application bin directory, 703-704
architecture, 690
architecture and design review, 689-694
assembly level checks, 735
and assessment guidelines, 684-685
auditing and logging, 694, 699, 707, 710, 715, 726, 732
authentication, 690-691, 697-698, 706, 709, 714, 717
authorization, 691, 697, 706, 709-710, 714, 718
class level checks, 735
code access, 727
code access security, 740-741
configuration file settings, 699-702
configuration management, 692, 697, 710, 714, 718
cryptography, 693, 735
database servers, 729-733
delegates, 737
deployment, 689, 710
deployment considerations, 719
design, 690, 695
design considerations, 715
environment variables, 740
event logging, 739
exception management, 693, 699, 707, 715, 719, 737
file I/O, 739
files and directories, 725, 730
firewall considerations, 722
hosting multiple applications, 703
IIS lockdown, 723
IIS metabase, 727
impersonation, 711
input validation, 690, 696, 705, 715
ISAPI filters, 727
Machine.config, 727
managed code, 735-742
parameter manipulation, 693, 698, 706
patches and updates, 723, 729
ports, 725, 731
protocols, 724, 730
proxy considerations, 707
reflection, 738
registry, 731, 739
resource access considerations, 739-740
router considerations, 721
script mappings, 726
secrets, 737
securing ASP.NET, 695-704
securing data access, 717-719
securing Enterprise Services, 709-711
securing remoting, 713-715
securing Web services, 705-707
securing your network, 721-722
security, lxxx
sensitive data, 692, 698, 706, 710, 715, 718
serialization, 737
server certificates, 727
services, 723, 730
session management, 692, 698
shares, 725, 731
sites and virtual directories, 726
SQL injection checks, 717
SQL Server database objects, 733
SQL Server logins, users, and roles, 732
SQL Server security, 732
staying secure, 733
switches, 722
threading, 738
unmanaged code access, 738-739
Web farm, 702
Web servers, 723-728
CheckProductStockLevel method, 393-395
checks, bypassing, 93
checksum spoofing, described, 38-39
ciphertext from the <appSettings> element, 385
class attribute, 624
class demands, 201
class design
code review, 617
considerations, 153
class visibility restriction, 153
class level checks, checklists, 735
class level link demands, 201
classes
principal demands, 284
validating data streams, 619
client credentials, configuring, 356
client side state management options, 289
client side validation, 76, 632
clients
forcing to authenticate each call, 357
IPrincipal objects from, 358
leaking information to, 94-95
returning generic error pages to, 293-294
clocks, 417
CLR. See common language runtime
cmdExec, 532-533, 677
code
authorization, 196-197
authorizing in code access security, 196-197
code access security, 183
constraining, 204-205
creating dynamically at runtime, 619
impersonation, 618
restricting calls on, 197
restricting what users can call, 154
restrictions on calling, 197-198
security in .NET, 131
static class constructors, 618
storing keys in, 177
storing sensitive data in, 88
code access
checklists, 727
permissions, 184
permissions in .NET framework, 222
code access security, lxiv, 622-627
with ASP.NET, lxv, 221-224
checklists, 740-741
configuring in ASP.NET, 225-226
considerations, 313, 342, 396
data access, 209-210
delegates, 217-218
described, 186-187
diagram, 186-187
environment variables, 211
event logging, 207
evidence, 183
file I/O, 205-207
file I/O constraints, 830-831
isolating applications with, 600
layer, 223
link demands, 199-201
.NET, 132-133
overview, 181-182
permissions, 194-196
permissions required by ADO.NET data providers, 396
privileged code, 193
privileged operations, 194
privileged resources, 193
remoted objects, 365
secure Web services, 326
serviced components, 303
sockets and DNS, 213
and <trust> element, 326
unmanaged code, 214-217
vulnerabilities, 429
Web servers, 429, 464
Web services, 212
code access security policy, 159
configuring to constrain file I/O, 828-830
configuring to restrict file I/O, 207
how to use to constrain an assembly, 823-831
code groups
code access security, 186-187
exclusive and level final, 190
code injection
assemblies, 147-148
attack patterns, 61
buffer overflows, 26
Web pages and controls, 255-256
Code Red worm, 426
application filters, 414
code review
ASP.NET pages and controls, 630-634
buffer overflows, 616
code access security, 622-627
cross-site scripting, 608-613
data access code, 640-642
guidelines, 735
managed code, 616-622
overview, 605
serviced components, 636-638
SQL injection, 614
unmanaged code, 628-629
Web services, 634635
CodeAccessPermission.Assert method, 203, 236
$CodeGen$, 230
COM+, application server, 487-488
COM+ catalogs
application server, 492
securing, 665
COM+ role-based security, 495
COM+ roles, 304
COM components, 169
COM interop
SuppressUnmanagedCodeSecurity, 217
with SuppressUnmanagedCodeSecurity, 217
COM/DCOM resources, 583
common criteria, 685
common language runtime, 130-131
communication channel
application server considerations, 480
need for securing, 89
communities and newsgroups, 683
<compilation> element
ASP.NET application and Web services, 571
Web server configuration, 657
component services infrastructure, 487-488
component level access checks, 305, 637
application server, 495-496
enabling, 495-496
ComponentAccessControl, 305
confidentiality, 4
configuration categories
securing for developer workstations, 774-775
Web servers, 427429
configuration data
data access, 370
and WSDL, 323
configuration data disclosure, 302
configuration files
ASP.NET, 548
checklists of settings, 699-702
locations, 549
plaintext passwords, 288
configuration management
checklist, 692, 710, 714, 718
checklists, 697
data access, 384
described, 33-34
serviced components, 305-307
vulnerabilities, 114
of Web applications, 86-87
configuration settings
applying, 551
locking, 552-553
configuration stores
need for security of, 86
securing, 115
ConfigurationSettings class, 385
connect attribute, 212
connection details, 371
connection strings
encrypting, 641
management, 398
securing and encrypting, 384-385
storing, 384-385
ConnectionGroupName, 357-358
ConnectionString property, 385, 641
ConnectPattern property, 212
constructor strings, 638
Control.MapPathSecure method, 271
cookie replay attacks described, 31
cookies. See also authentication cookies
encrypting, 281-282
encrypting states, 93
encryption in forms-authentication, 570
encryption with <forms> element, 281
encryption with FormsAuthenticationTicket, 281
inputting, 632
limiting lifetimes, 281
manipulation described, 40
names and paths, 563
persistent cookies, 90
personalization, 282
session authentication, 90
stolen, 82
storing sensitive data in, 90
time-out values, 562
using unique paths and names, 659
core elements of a deployment review, 644
core security principles, 11
cross-site scripting, 26-27
countermeasures
assemblies, 147
code injection attacks, 256
described, 13, 46
identity spoofing, 258
information disclosure, 260
network eavesdropping, 259
parameter manipulation, 259
session hijacking, 257
STRIDE, 17-18
CredentialCache.DefaultCredentials, 333
credentials
and authentication tickets in ASP.NET, 262
encrypting for <identity>, 559
management, 283
in <Security> element, 334
for SQL authentication, 380
theft described, 31
<credentials> element
ASP.NET application and Web services, 562
on production servers, 659
Credentials property of the Web service proxy, 333
CredentialsCache.DefaultCredentials, 356
CRM log files
application server, 498
securing, 665
cross-site scripting
code injection attacks, 255
code review, 608-613
how to prevent, lxvi
overview, 253
secure Web services, 331
validating input used for, 273
Web page validation, 272273
Web pages and controls, 272277
cryptography. See also encryption
checklists, 693, 735
code review, 620
considerations, 174-179
description of, 91-92
threats, 37-39
vulnerabilities, 119
CryptProtectData API, 176
CRYPTPROTECT_LOCAL_MACHINE flag, 176
and DPAPI, 374
CSS. See cross-site scripting
Curphey, Mark, foreword, xli-xlii
custom application filters, 415
custom authentication, 635
and principal objects, 639
custom binary tokens, 338
custom channel sink, 365
custom encryption permission, 805-822
custom encryption sinks, 361-364
custom EncryptionPermission, 805-806
inheritance hierarchy, 806
custom permissions, 199
custom policies to allow registry access, 251
custom processes
hosting, 358
with the TCPChannel, 670
custom resources
custom permissions, 199
exposing, 625
protecting with custom permissions, 199
customer class, 311-312
<customErrors> element
ASP.NET application and Web services, 572
for exception conditions, 464
to return a generic error page, 293-294
Web server configuration, 658

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613