R
RADIUS. See remote authentication dial-in user service
random class versus RNGCryptoServiceProvider, 175
random keys, generating, 175
RDP
copying files over, 473
Microsoft Terminal Services, 539
terminal services, 472
RDS. See remote data services
read-only properties, 617
recommended settings, 517
reduced attack surface, 239
reflection, 172–173
checklists, 738
code review, 619
on types, 619
ReflectionPermission, 143
RegexOptions.IgnorePatternWhitespace, 265
registry, 208–209
ASP.NET application and Web services, 579
checklists, 725, 731, 739
code access security, 208–209
constraining access to, 209
custom policies to allow access, 251
data server configuration, 674
database servers, 523–524
event logging, 166
medium trust, 250
reading from, 167
storing secrets in, 621
verifying permissions with MBSA, 524
vulnerabilities, 428
Web server configuration, 651
Web servers, 428, 449–450
RegistryPermission, 143, 208
requesting, 209
RegistryPermissionAttribute, 209
regular expressions
comments, 265
common, 271
fields, 271–272
for strong passwords, 283
in Web controls and user controls, 264–265
RegularExpressionValidator control
for constraining data, 264–266
for validating form field input, 632
rejectRemoteRequests, 360
relationship of chapter to product life cycle, lxxix
remote access, limiting, 360
remote administration, 114
database servers, 539–540
how to perform, lxxi
Web servers, 471–473
remote application servers
deployment model, 476
in deployment topology, 102
remote authentication dial-in user service, 417
remote data services, 454–455
remote logons
database servers, 517
Web servers, 444
remote procedure call. See RPC
remote registry administration, 651
remote serviced components, 668
remoted components
design considerations, 352
overview, 347–348
threats and countermeasures, 349
remoted objects
auditing and logging, 365
authentication, 355–358
authorization, 359–360
custom encryption sink, 361–364
exception management, 364–365
exposing to Internet, 352
input validation, 353
sensitive data, 361–364
remoting
ASP.NET application and Web services, 573
checklists, 713–715
code review, 638–639
<httpHandlers> element, 573
main threats, 349
in trusted server scenario, 353
typical deployment, 348
Web server configuration, 668–670
report details for a scanned machine, 749
repudiation
described, 17
serviced components, 302
threats, 42
RequestMinimum method, 195
code access security, 195
RequestOptional method, 195–196
RequestRefuse method, 195–196
RequestRefused method, 195–196
RequiredFieldValidator, 268
for constraining data, 264
resource access
ASP.NET, 223–224
checklists, 739–740
resource access code, 263
resource access identities, 262, 325–326
resources
alerts and notifications, 684
and associated permissions, 193
communities and newsgroups, 683
index of checklists, 687–688
Microsoft patterns and practices guidance, 681–682
partners and service providers, 682
patches and updates, 683
restricted inheritance, 198
restricted operations or data, 635
restricted pages
access to, 634
subdirectory for, 278
restricted permissions, 184
restricting unauthorized callers, 382
restricting unauthorized code, 382
retrieval of plaintext configuration secrets, 34
RevertAssert method, 203
reducing assert duration, 204
risk = probability * damage potential, 63
Rivest, Shamir, and Adleman. See RSA
RNGCryptoServiceProvider
creating a salt value, 388
random class, 175
role checks
performing in code, 638
principal-based, 360
role-based authorization, 302
role-based security, lxiv
checks, 137
code review, 637–638
configuring with <authorization> element, 138–139
enabling, 495
identity objects, 134
logical view of, 132–133
.NET, 131–132
principal objects, 134
serviced components, 304
System.Security.Principal.IPrincipal interface, 134
routers
checklists, 721
considerations, 409–411
deployment review, 678
logging features of, 679
network security, 408–409
RPC
dynamic port allocation, 483, 491
encryption and IDC, 302
packet level authentication, 301
rules
described, 779
IPSec policies, 778–779
runat="server" property, 265
runtime, creating code dynamically at, 619