sa account, Locking Down SQL Server
SQL-injection attacks, SQL-Injection Attacks
sandboxes, Deploy and Run Your Application in the .NET Security Sandbox
scalability
DoS attacks, mitigating, Table 14-2: Example of Common Attacks and Techniques to Mitigate Them
scenarios, attack, Plan of Attack—The Test Plan
attacker’s view, taking, Take the Attacker’s View
brainstorming, Brainstorm—Generate Security-Related Scenarios, Create Scenarios Based on Inroads for Attack
creating based on inroads, Create Scenarios Based on Inroads for Attack
defined, Plan of Attack—The Test Plan
generating tests for, Generate Tests, Filter and Prioritize Tests for Each Scenario
including all in testing, Get Focused—Prioritize Scenarios
prioritizing, Get Focused—Prioritize Scenarios, Prioritize Security-Related Scenarios Based on Threats
relevance of tests to, Filter and Prioritize Tests for Each Scenario
threat prioritization, Prioritize Security-Related Scenarios Based on Threats
scoped addresses, The IPv6 Internet Protocol
screen saver passwords, Use Screen-Saver Passwords
script kiddies, What Happens Next?
scripts
disabling, Take the Attacker’s View
Secure Hashing Algorithm., see sha-1
secure sockets layer., see ssl (secure sockets layer)
Security Adjustment Wizard
opening, Run Your Code in Different Security Zones
security policy
changing, Ensuring That Your Code Will Run Safely
security policy updates, Deploying .NET Security Policy Updates, Deploy .NET Enterprise Security Policy Updates
security zones, Security Zones and Trust Levels
ASP.NET, Table 3-5: Security Zone Assignments for .NET Applications, How Visual Basic .NET Determines Zone
code-access permissions granted in, Security Zones and Trust Levels, Table 3-3: Full Trust Permissions Granted to My Computer Zone
default trust levels, Security Zones and Trust Levels
determination of by .NET, How Visual Basic .NET Determines Zone
Internet, Security Zones and Trust Levels, Security Zones and Permissions
Internet Explorer, Security Zones and Trust Levels
loading options for applications, Ensuring That Your Code Will Run Safely
Local Intranet, Security Zones and Trust Levels, Security Zones and Permissions, Local Intranet, Internet, and Trusted Sites Zones
My Computer, Security Zones and Trust Levels, Security Zones and Permissions
showing available, Run Your Code in Different Security Zones
symbols for, Security Zones and Trust Levels
trust levels, changing, Security Zones and Permissions
Trusted Sites, Security Zones and Trust Levels, Security Zones and Permissions, Local Intranet, Internet, and Trusted Sites Zones
Untrusted Sites, Security Zones and Trust Levels, Security Zones and Permissions
Windows Forms assignments, How Visual Basic .NET Determines Zone, Table 3-5: Security Zone Assignments for .NET Applications
SecurityLibrary.vb, Hash Digests
functions of, Appendix B: Contents of SecurityLibrary.vb, Validating Input
SecurityPermission, Table 3-2: Permissions for Each Zone, Table 3-4: Permissions for Local Intranet and Trusted Sites Zones
self-testing code, Table 9-2: General Testing Approaches, Writing Self-Testing Code
servers
locking down, Locking Down Windows Servers, Install a Firewall
service packs, Fundamental Lockdown Principles
ServerVariables collection, Web Application Input
service packs, Fundamental Lockdown Principles, Locking Down .NET
maintaining, Step 10: Design for Maintenance
Microsoft Access, Locking Down Microsoft Access
ServiceControllerPermission, Table 3-3: Full Trust Permissions Granted to My Computer Zone
settings
storing, access issues, Cooperating with the Security System
SHA-1, Hash Digests
defined, Hash Digests
display format for hashes, Hash Digests
function for, Hash Digests
function returning, Hash Digests
hash digests, Hash Digests
verification with, Hash Digests
shares
turning off unnecessary, Turn Off Unnecessary Sharing
Shell command, Table 15-1: Visual Basic .NET Keywords to Look For (continued)
Shell function
code-access default for, It’s On By Default
Shell statements
attacks against, Child-Application Attacks, Use Quotes Around All Path Names
Show function
code-access default for, It’s On By Default
SignCode.exe, Strong Naming, Certificates, and Signing Exercise
simplicity, Step 7: Design for Simplicity and Usability
Slammer worm
fix for, The Arms Race of Hacking
history of, The Arms Race of Hacking
SMTPSVC service, Turn Off Unnecessary Services
social engineering attacks, What Happens Next?
sockets
permission for using, Table 3-3: Full Trust Permissions Granted to My Computer Zone
Software Publisher Certificates, Obtain an X.509 Certificate from a Certificate Authority, Strong Naming, Certificates, and Signing Exercise
source code, attackers accessing, Create a Blueprint of Your Application
spoofing
hashes, Hash Digests
spoofing attacks, Table 14-1: STRIDE Threat Categories
SQL Server
access restriction, Locking Down SQL Server
account for running, Locking Down SQL Server
auditing, Locking Down SQL Server
authorization, SQL Server Authorization
clustering, Named-Pipes vs. TCP-IP
directory access, restricting, Locking Down SQL Server
encryption for, Locking Down SQL Server
IPSec, Locking Down SQL Server
locking down, Locking Down SQL Server, Figure 12-4: Turn on auditing in SQL Server Enterprise Manager
logging, Locking Down SQL Server
named-pipes v. TCP/IP, Named-Pipes vs. TCP-IP
passwords, Locking Down SQL Server
permissions, SQL Server Authorization, Locking Down SQL Server
port for, Step 9: Secure the Network with a Firewall
SA account, Locking Down SQL Server
sample database for, Migrating the Employee Database to SQL Server 2000
stored procedures for authorization, SQL Server Authorization
stored procedures, adding to, Migrating the Employee Database to SQL Server 2000
system commands, danger of, Locking Down SQL Server
xp_cmdshell, Locking Down SQL Server
SQL Server authentication, SQL Server Authentication
administration considerations, SQL Server Authentication
administrative permission privileges, How SQL Server Assigns Privileges
advantages of Windows Authentication for, SQL Server Authentication
blank passwords, SQL Server Authentication
changing Mixed to Windows Authentication, SQL Server Authentication
default users, How SQL Server Assigns Privileges
determining logged-on users, Determining Who Is Logged On
groups, adding, SQL Server Authentication
guest user, How SQL Server Assigns Privileges
logons, setting up, SQL Server Authentication
mechanisms for, SQL Server Authentication
Mixed Mode, SQL Server Authentication
public role, How SQL Server Assigns Privileges
roles, How SQL Server Assigns Privileges
SQL Server authorization
privilege assignment, How SQL Server Assigns Privileges
users, adding, How SQL Server Assigns Privileges
SQL Server Profiler, Table 9-3: Test Tools
SQL Server 2000
buffer overruns, The Arms Race of Hacking
SQL Slammer attacks
socket packet prelude to, Early Detection
SQL Slammer worm, Step 1: Believe You Will Be Attacked
SQL-injection attacks, SQL-Injection Attacks
application execution with, SQL-Injection Attacks
defensive techniques, Defensive Techniques for SQL-Injection Attacks, Add a Stored Procedure to Validate the User
defined, SQL-Injection Attacks
EMS sample defense, Add a Stored Procedure to Validate the User
example of, SQL-Injection Attacks
final parameter checks, Add a Stored Procedure to Validate the User
IIS, stopping, SQL-Injection Attacks
input validation, Validate Input Parameters
least privilege principle with, SQL-Injection Attacks
logon issues, SQL-Injection Attacks
Microsoft Access databases, SQL-Injection Attacks
parameterized query defense, Use Parameterized Queries
sa account, SQL-Injection Attacks
stored procedure defense, Add a Stored Procedure to Validate the User
testing against, Create Scenarios Based on Inroads for Attack
user names, SQL-Injection Attacks
xp_cmdshell command, SQL-Injection Attacks
SqlClientPermission, Table 3-3: Full Trust Permissions Granted to My Computer Zone
SSL (secure sockets layer), Secure Sockets Layer, Securing Web Services
adding to applications, How SSL Works
advantages of, Secure Sockets Layer
bidirectionality of, Secure Sockets Layer
browser support for, Secure Sockets Layer
certificates for, How SSL Works
disadvantages of, Secure Sockets Layer
ease of implementation, Secure Sockets Layer
https, Secure Sockets Layer, How SSL Works
IIS sections, specifying for, How SSL Works
methodology of, How SSL Works
Page_Load events for, How SSL Works
private key generation, How SSL Works
purpose of, Secure Sockets Layer
requirements, software, How SSL Works
resources, consumption of, Secure Sockets Layer
setting up, references for, How SSL Works
speed, effects on, Secure Sockets Layer
SQL Server with, Locking Down SQL Server
validating input, Web-Based Input Attacks and SSL
Web services using, Securing Web Services
staff as a design challenge, Design Challenges
steps for designing security., see design steps
storage
isolated, Cooperating with the Security System
stored procedures
adding to SQL Server, Migrating the Employee Database to SQL Server 2000
SQL-injection attack defense, Add a Stored Procedure to Validate the User
stress test tools, Table 9-3: Test Tools
stress testing, Table 9-2: General Testing Approaches, Stress Testing
stress, exceptions from, Where Exceptions Occur
STRIDE security threat model, STRIDE—Categorizing Threats, Table 14-1: STRIDE Threat Categories
strong name security policy attribute, Table 10-4: Attributes Used to Grant Permissions
strong passwords, Fundamental Lockdown Principles
strong-name signatures
Authenticode, compared to, Authenticode Signing vs. Strong Naming, Should You Authenticode-Sign and Strong-Name Your Application?
benefits of, Strong-Name Signing
creating applications with, Strong Naming, Certificates, and Signing Exercise
delay signing, Delay Signing—Securing Your Build Process, Strong Naming, Certificates, and Signing Exercise
DLLs with, Strong-Named Visual Basic .NET .DLLs and Partial Trust
hash digests, Strong-Name Signing
integrity assurance, Strong-Name Signing
operation of, Strong-Name Signing
partially trusted DLLs, Strong-Named Visual Basic .NET .DLLs and Partial Trust
parts of, Strong-Name Signing
public keys, Strong-Name Signing
PublicKeyToken, Strong Names vs. Weak Names
recommended use of, Should You Authenticode-Sign and Strong-Name Your Application?
representation of, Strong Names vs. Weak Names
sample application, Strong Naming, Certificates, and Signing Exercise
unique identity guarantees, Strong-Name Signing
version integrity, Strong-Name Signing
weak names, compared to, Strong Names vs. Weak Names
strong-named .NET assemblies, Create Scenarios Based on Inroads for Attack
subroutine input
validating, Input to Subroutines
Sun Microsystems vulnerabilities, No Operating System Is Safe
symmetric encryption., see private key encryption
system components
code-access security techniques, Security Features and the Visual Basic .NET Developer
system crash DoS attacks, Table 6-1: Forms of DoS Attacks