Index: S


S

sa. See system administrator
safe classes, 214
salt, 388
SAM, 651, 674
database servers, 524
sample databases, 532, 677
sample files, 447
sandboxing
deciding when, 238–239
defined, 152
event logging code, 244–247
OLE DB resource access, 241–243
in partial trust Web applications, 234
privileged code, 236–237
unmanaged API calls, 215–216
sanitizing input, 77
Scambray, Joel, foreword, xliii
schema element examples, 330–331
scope of the guide, xlix–l, lxxiii
screened network details, 761
protecting against, 761
script mappings
checklists, 726
vulnerabilities, 429
Web server configuration, 653
Web servers, 429, 456459
script source access, 456
SDKs
database servers, 520
Web servers, 447
sealed keywords, 153
secrets. See sensitive data
secure sockets layer. See SSL
security
account manager Web servers, 450
of applications, 9–10
assessments, 538
assessments of Web servers, 470
audit logging, 526
caching results of checks, 171–172
checklists, lxxx
creating profiles, 55
elements of, 45
holistic, 6
of host, 79
knowledge in practice, 685
layers, 223
namespaces, 139–140
network, 7
principles, 11
of Web application, 56
Web application policies, 73
security account manager. See SAM
<Security> element, 334
security notification services, 754
database servers, 538
using, 754
Web servers, 470–471
security profile documentation, 55–56
Security Service Provider interface, 494
Security tab of the SQL Server properties dialog box, 527
security updates
Baseline Security Analyzer, 789–790
false positives, 792
SecurityAction.PermitOnly, 205, 206, 209–212, 213
SecurityAction.RequestMinimum method, 195, 207–209, 211
SecurityAction.RequestOptional method, 195–196
SecurityAction.RequestRefuse method, 195–196
SecurityCallContext object, 313
SecurityCallContext.OriginalCaller, 308
SecurityException
and .NET Framework, 140
in partial trust Web applications, 232
SecurityPermission
importance of, 143
and potentially dangerous permissions, 627
and serialization, 218
SecurityPermission(SecurityPermissionFlag.UnmanagedCode), 287
sensitive data, 35–36
checklists, 692, 698, 706, 710, 715, 718, 737
common vulnerabilities, 115–117
data access, 386–388
design considerations, 302
exception management logging, 162
how to manage, lxvii
in object constructor strings, 306
per user data, 89
remoted objects, 361–364
retrieving on demand, 89
secure Web services, 337–339
securing over networks, 387
serviced components, 307–308
in storage, 374
storing, 621
types of, 87–90
Web pages and controls, 288
serialization, 170–171, 218
attacks, 354
checklists, 737
code access security, 218
code review, 618–619
remoted components, 351
sensitive data, 170
StrongNameIdentityPermission, 218
SerializationFormatter, 218
server certificates
checklists, 727
Web server configuration, 656
Web servers, 461
server-side input validation, 260
server-to-server authentication, 784–785
server-to-server communication, 784–785
servers
applications, 666–667
maintaining sensitive data on, 292
network utility, 523
Server.Transfer, 291–292, 634
authentication issue of, 278
service accounts, 109
requirements of, 108–109
service denial, 16
service packs, 683
with a base installation, 433
with a Windows installation, 433
database servers, 537
Web servers, 470
Web sites, 683
ServiceControllerPermission, 143
serviced components, 309–313
auditing and logging, 308–309
authorization, 304
call level authentication, 304
class implementation, 311–313
code access security considerations, 313
code review, 636–638
deployment considerations, 314–316
design considerations, 302–303
Dllhost.exe, 666
DTC requirements, 316
overview of building, 299–300
process identity, 309
role-based security, 304
and RPC packet level authentication, 301
Web services, 315
services
application server, 490
checklists, 723, 730
data server configuration, 671
database servers, 512–513
network security, 412, 417
vulnerabilities, 427
Web server configuration, 645
Web servers, 427, 438–439
session hijacking
described, 19–20, 36, 256
network security, 407
Web pages and controls, 256–257
session management
ASP.NET, 289–290
checklists, 692, 698
threats, 36–37
vulnerabilities, 117–118
Web applications, 90–91
session states
ASP.NET, 646
ASP.NET application and Web services, 565–569
how to secure, lxx
protecting, 91
settings, 464
session tokens
and authentication tokens, 290
and session management, 289–290
sessions
authentication cookies, 90
data, 290
identifier exchange, 118
limiting, 91
replaying, 37
states, 118
<sessionState> element
ASP.NET application and Web services, 565–566
Web server configuration, 662
<sessionState sqlConnectionString = stateConnectionString= />, 546
setup log files
database servers, 520
securing, 673
shares
checklists, 725, 731
data server configuration, 673
database servers, 521
vulnerabilities, 428
Web server configuration, 649
Web servers, 428, 448
sites
checklists, 726
code access security, 183
vulnerabilities, 429
Web server configuration, 653
Web servers, 429, 453–456
slidingExpiration="false", 562
slidingExpiration attribute, 659
SMB
and database server security, 514
disabling, 647
Web servers, 441–442
SMS. See Microsoft Systems Management Server
SMTP
commands, 414
disabling, 646
Web servers, 439
snapshot of a secure Web server, 466–469
sniffing
described, 19
network security, 406
SNMP attacks, 759
SOAP
encryption methods, 337–338
headers, validating, 635
passing sensitive data to requests or responses, 664
validating headers, 635
SoapException, 323, 340
exceptions, 339
SoapExceptions, 340–341
SoapHeaderException, 323, 339
social security numbers, 266
socket access, 213
SocketPermission, 143, 213
requesting, 214
SocketPermissionAttribute, 213
sockets
code access security, 213
and DNS, 213214
software update services, 753
solutions
administration, lxviii–lxxi
architecture and design, lxiii
development, lxiv–lxvii
source addresses that should be filtered, 411, 678
spoofing
danger from weak authentication, 277
described, 16, 19
network security, 406
SQL. See also dynamic SQL
authentication with the database, 109
credentials for authentication credentials, 380
debugger account, 516
guest user accounts, 530
parameters, 377
SQL injection
attacks, 283–284
checklists, 717
code injection attacks, 255
code review, 614, 640
data access, 369–370, 376
database servers, 503–504
described, 27–28
how to prevent, lxvi
secure Web services, 331
SQL Server
accessing network from, 515
application server, 481, 485–486
audit level, 528
authentication, 527–528
checklist on logins, users, and roles, 732
configuring to run as account, 529
data server configuration roles, 676
database objects, 532–533, 677
database objects checklists, 733
database server roles, 529–531
default permissions of objects, 531
developer workstations, 773–774
enabling auditing, 528, 675
guest account, 676
installation cautions, 510
installation considerations, 509–510
installation defaults, 509
login auditing, 526
logins, 676
logins with database servers, 529–531
and MSDE specifics, 791–792
network protocol support configuring, 514
protocols, 671
registry keys, 524
restricting access to ports, 673
securing for developer workstations, 772–774
securing registry keys, 674
security and data server configuration, 675
security checklists, 732
security database servers, 527–529
security tab of the Properties dialog box, 527
service account for NTFS permissions, 519
service account with database servers, 515
services, 671
services and database servers, 513–514
users with data server configuration, 676
users with database servers, 529–531
verifying permission on install directories, 519
SqlClientPermission, 143, 209–210, 396
sqlConnectionString, 566
Sqldbreg2.exe, 516
SqlExceptions, 389–391
SQLSERVERAGENT, 513, 529
SSL
and credentials protection, 343
forms authentication, 562
with the HTTPChannel, 481
limitations of, 3
to protect cookies, 90
remoted objects, 361
secure restricted pages with, 279
using effectively, 290
SSPI. See security service provider interface
stack walk modifiers, 205
state database, 662
stateConnectionString, 569
stateful inspections, 415
static class constructors, 172
code, 618
static endpoints
configuring for DCOM, 492
mapping, 315, 491–492
mapping to support DCOM, 483
static routing, 679
network security, 412
static Web server, 457
staying secure checklist, 733
steps for securing Web servers, 433
storage, 3536, 374
stored procedures
data access, 373
database servers, 532
parameters collection, 377
securing, 677
stores. See configuration stores; user stores
STRIDE
defined, 16–18
to identify threats, 57
string fields, 265
string parameters, 168
string types, 632
strncpy, 615
strong names
ASP.NET, 158
assemblies, 155
and authenticode, 159–160
code access security, 183
security benefits of, 156
strong password policies
network security, 412
Web servers, 444
strong passwords, 283
policy, 516–517
strongly typed parameters, 326–327
StrongNameIdentityPermission
in luring attacks, 200
restricting access to public types and members, 623
restricting calling code, 197–198, 641
restricting code, 156, 383
restricting serialization, 218, 618
structured exception handling, 161
structures
link demands, 202–203
and link demands, 202–203
subdirectory for restricted pages that require authenticated access, 278
substitution parameters, 230
SuppressUnmanagedCode attribute, 214
SuppressUnmanagedCodeAttribute, 628
SuppressUnmanagedCodeSecurity, 216
with COM interop, 217
with P/Invoke, 216
SuppressUnmanagedCodeSecurity attribute, 216
SuppressUnmanagedCodeSecurityAttribute, lxvii
SuppressUnmanagedSecurityAttribute, 140
surveying and assessing, 15
SUS. See software update services
switches
checklists, 722
considerations, 409
deployment review, 679
network security, 416
symmetric encryption, 620
using custom binary tokens, 338
using shared keys, 338
SYN attacks, 756–758
SYN protection thresholds, 757
sysadmin roles
database servers, 532–533
limiting, 531, 676
system administrators
accounts, 641
passwords, 530, 676
system level resources, 83, 113
System.Data.OleDb.OleDbCommand class, 238–239
System.DateTime, 267
System.Diagnostics.EventLog class, 341
System.DirectoryServices namespace, 210
System.EnterpriseServices, 313
System.EnterpriseServices.ServicedComponent, 299
System.Environment class, 211
System.Exception, 339
System.IO.Path.GetFullPath
to canonicalize file names, 270
validating input file names, 164–165
System.MarshalByRefObject, 639
System.Net.Cookie class, 276
System.Net.Sockets.Socket class, 213
System.Reflection.Assembly.Load, 173
System.Runtime.Remoting.dll, 365
Systems Management Server. See Microsoft Systems Management Server
System.Security, 139140
System.Security namespace, lxiv, 140–141
System.Security.CodeAccessPermission, 805
System.Security.Cryptography
creating a Salt value, 388
.NET Framework, 139–140
System.Security.Cryptography namespace, lxiv, 141, 174, 335
System.Security.Cryptography.DeriveBytes namespace, 175
System.Security.Permissions, 142
.NET Framework, 139–140
permission types, 142–143
System.Security.Permissions.PrincipalPermission objects, 135–136
System.Security.Policy, 142
.NET Framework, 139–140
System.Security.Principal, 141
.NET Framework, 139–140
System.Security.Principal.IPrincipal interface, 134
System.Text.RegularExpression.Regex, 266
System.Text.RegularExpressions.Regex, 264
for validating input parameters, 293
validating parameter lengths, 326–327
System.Web.HttpForbiddenHandler, 458–459, 462–463
mapping file types to, 662
and .NET Framework, 575
System.Web.Security, 141
.NET Framework, 139–140
System.Xml.Serialization.XmlSerializer class, 326–327
System.Xml.XmlValidatingReader, 328–329



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613