W3C (World Wide Web Consortium)
defined, 454
“Exclusive XML Canonicalization” document, 63
SOAP extensions, 318
XML Signature standard, 302
WANs (Wide Area Networks), 204, See also LAN security
Web Application Management Interface (IWAM) rights, 270, 270, 274, 332
Web data security, 264–298
data leak protection, 277–278
database security
building validated databases, 271–277, 276
checking credentials, 265
database uses, 264
databases, defined, 264
fixing IIS Lockdown Tool errors, 269–271, 269–270
IWAM rights and, 270, 270, 274
logic errors and, 265
patches, 266
providing default values, 273
removing RDS support, 266, 266
using role-based security, 271–273
setting SQL Server passwords, 274–277, 276
Slammer virus and, 266
SQL Server exploits and, 265
SQL Server permission problem, 273
via user input validators, 267–269, 268, 275–276, 276
warning, 271
using digital rights management, 278
using encryption
asymmetric encryption, 278–279
channel sinks, 279, 282
internal encryption, 282
overview of, 278–279
in remoting, 282–292
overview of, 262, 298
in remoting
authentication, 282
code access security problem, 281–282
data encryption, 282–292
data streams and, 286
defined, 279, 280
deserialization and, 280–281
using HTTPChannel class, 288, 293–294
monitoring ports, 288
.NET boundaries on, 280
partially trusted code and, 281
remoting clients, 288–292
remoting components, 283–286
remoting hosts, 286–288
testing, 292–293, 293
Web sites on, 280, 287
wire security, 282
using SSL protocol
configuring IIS support for, 293, 294–296, 295–296
defined, 209–210, 451
getting certificates for, 294
getting client certificate information, 296–298, 298
in wireless networks, 376, 382, 386
Web server security, 234–262
administering
using Baseline Security Analyzer, 250–252, 250–251
using IIS Lockdown Tool, 252–253, 252–253
overview of, 249
using authentication
AuthenticationManager class, 241–244, 244
choosing usernames, 237
creating breach in, 245
defined, 236, 241
enabling for remote debugging, 238–241, 239–240
HTTP-specific classes and, 244–245
password guidelines, 237
pre-authentication, 241–244, 244, 246–248
warning, 245
using authorization, 242–244, 244, 246–248
avoiding DDOS attacks
defined, 253–254, 444
not processing OOB messages, 254
using performance counters, 254–258, 257
creating security checklists, 260–261
hardening servers, 391
using multiple servers, 249
overview of, 234–235, 260–262
techniques for testing, 236, 259–260
threats to, See also security risks
classifying, 249
communication errors, 258
DDOS attacks, 253–254
losing system security, 245
overview of, 234, 235
Web resources on, 260–261
using virus scanners, 235
Web services
accessing using PocketSoap, 381–382
using COM+ as
adding SOAP support to, 326–328, 326–328
creating Web reference to, 328–329, 329
IWAM and, 332
overview of, 325–326
testing SOAP calls, 329–332
verifying safety of, 332, 332
comparing, 303
discovering
building CredentialCache objects, 312
checking permissions before, 308–310, 309–310
using DiscoveryClientProtocol class, 308, 310–312
Web Services Description Language. See WSDL
Web Services Enhancements (WSE), 318–320, 319
Web services security, 300–333
attributes problem, 308–309, 309
using biometrics, 302–303
checking permissions, 308–310, 309, 310
distributed applications and, 302
using eXtensible Access Control Markup Language, 320–321, 445
overview of, 300–301, 332–333
risks, See also security risks
in authentication, 304–305
in caller locations, 305
channel data interception, 304
using DCOM and CORBA, 301
hidden in Web services, 306
overview of, 302, 303
query contamination, 303
using SOAP, 300
third party intervention, 305
untrustable data, 304
viruses, 304
Security Assertions Markup Language and, 320, 322, 451
using SOAP Security Extensions, 318
SoapHttpClientProtocol class and
adding permissions, 307
changing ports, 307
debugger attribute, 306, 307
generated by .NET IDE, 305–306
generating manually, 306–308
using System.Security.Cryptography.Xml namespace
creating/verifying XML signatures, 314–317, 316–317
data management, 313
data transformation, 314
key management, 313
overview of, 312–313
verifying caller zones, 305
using Visual Studio .NET Passport
accessing in System.Web.Security namespace, 41, 323
defined, 321
versus Liberty Alliance Project, 322
logging in to, 323–325
.NET Framework requirements, 321
warning, 323
Web service proxy/stub setup and, 303
using Web Services Enhancements, 318–320, 319
using XML Signature standard, 302
Web sites
articles, See also InfoWorld/Microsoft articles (below)
absurd cracker methods, 235
“Abusing poor programming…”, 58
buffer overruns, 60
comparing Passport/Liberty Alliance, 322
comparing Web services, 303
controlling wireless access points, 366
cracking DES, 186
“Exclusive XML Canonicalization”, 63
“The Foundation to Secure Computing”, 27
“How Does Base64Encoding Work?”, 213
“Microsoft Compiler Flaw…”, 28
“Microsoft Windows Security Patches”, 26
network server security, 220
OOB exploits, 209
“Open Source Group Issues Top Ten…”, 260
RSA algorithm, 186
“Schneier worried about SOAP…”, 213
security techniques, 260
Slammer virus, 266
social engineering, 70
SQL Server exploits, 265
TripleDES slowness, 186
viruses in XML/Web services, 304
Web server attacks, 234
Wired Equivalent Privacy limits, 365
ASN.1 Consortium, 183
Bugtraq, 17
Certificate Authorities, 99
CNet articles, 60, 235, 266
The Code Project, 27
cryptography techniques, 172
Der Keiler (“Wild Boar”), 26, 58, 260
DevX article, 220
Dotfuscator tool, 156
DSA algorithm evaluation, 186
eWeek articles, 303, 322, 366
eXtensible Access Control Markup Language, 320, 321
general security tips, 26–27
hacker testing, 259
hash algorithms, 200
HIPAA of 1996, 367
IETF standards, 196
InformIT article, 265
InfoWorld articles
biotechnology, 367
cracking as organized crime, 305
data encryption laws, 282
how to harden servers, 391
ID-WSF specification, 322
Outlook attachment security, 73
Passport bug, 323
“Stupid User Tricks”, 12
Wayne Rash on testing wireless, 374
Wi-Fi hotspots, 364
Windows Media Player patch, 209
wireless hardware security, 366
wireless spam, 364
WS-Security, 383
InternetNews article, 322
IrDA, for communications, 376
IT World, 26
Keith’s Security Sample Gallery, 274
Liberty Alliance Project, 322
Microsoft
Active Directory tools, 342, 343
ADSI Viewer, 339, 344
Baseline Security Analyzer, 15
Best Practices, 220
CASPol tool, 108, 109
Class Library Comparison Tool, 367
classifying server threats, 249
DCOM protocol, 213
Developer Network, 26–27, 28
DeviceSpecific object, 379
directory services functions, 347
domain controller/replication functions, 347
Exchange port usage, 376
FileAuthorizationModule class, 384
free XML virus filter, 304
Global XML Architecture, 318
HFNetChk tool, 252
Hotfix & Security Bulletin Service, 25
Knowledge Base, 25
MBSA tool, 250
naming unmanaged code, 165
.NET Compact Framework classes, 367–369, 368
.NET deserialization support, 281
.NET security updates, 6
.NET Specific Security, 27
.NET standard permissions, 80
.NET value types, 53
Passport SDK, 41, 321
patches, 25–26
Platform SDK, 339
pre-authentication, 241, 243
registry functions, 97
Remote Data Services, 266
remoting, 280, 287
scripting tool for ADSI, 344
security class at Leeds, 4
security tools/checklists, 249
server hardening guide, 391
SIDs, 397
System Update Services, 15
UrlAuthorizationModule class, 384
URLScan tool, 253
Web Services Enhancements, 319
Web Services Specifications, 13
WFP security bulletin, 17
Win32 API authentication functions, 395
Win32.RegistryKey class, 97
Windows Update, 15, 25
Microsoft articles
“About the Passport SDK”, 41
controlling buffer overruns, 61
“The Cryptography API”, 36
“Defend Your Code…”, 27
hidden Web service threat, 306
“How to Keep a Secret”, 36
incorrect domain splitting, 346
major security breach, 245
“Protecting Your Network:…”, 381
“Trust Relationships”, 345
“Using Web Services Instead of DCOM”, 302
Mueller, J.P. (author), 312, 437
namespaces
System.DirectoryServices, 42
System.Runtime.Remoting.Contexts, 28
System.Security, 32
System.Security.Cryptography, 35
System.Security.Permissions, 39
System.Security.Policy, 40
System.Security.Principal, 40
System.Web.Security, 41
.NET 247, 27
.NET Framework Class Browser, 29
.NET-specific security tips, 27–28
Network World Fusion articles, 186, 304
OASIS, 320
PKI and x.509 standards, 196
PocketSoap, 381
Random Password Generator-Pro, 237
Rijndael algorithm, 186
SANS Institute, 26, 27, 380
Security Assertions Markup Language, 320
Security Guide for Windows, 26
Security Policy Project, 380
security testing, 259–260
security threats, 376
security vulnerabilities, 260–261
Slashdot article, 186
SOAP extensions, 318
SoapSuds, 328
sockets, 205
SSPI tools, 274
Telnet, 209
vnunet.com article, 234
W3C, 63, 302, 318
Wired articles, 186, 209, 265
Woody’s Office Watch, 73
World of Data Security, 17
WS-Security standard, 383
XACML standard, 320, 321
XML Common Biometric Format, 303
XML Signature standard, 302
WEP (Wired Equivalent Privacy) limitations, 365
WFP (Windows File Protection) security bulletin, 17
Wide Area Networks (WANs), 204, See also LAN security
“Wild Boar” (Der Keiler) sites, 26, 58, 260
Win32 API advanced security, 414–437
using DCOM Configuration Tool
authentication levels, 436–437
component options, 435
default options, 434–435
defined, 432
dialog box tabs, 432–433
impersonation levels, 433–434
overview of, 212
starting, 432
uses, 432
warning, 434
Discretionary Access Control List
getting/setting in registry, 431
obtaining privilege information, 414–417, 417
overview of, 414
errors
data structures and, 417
function failures, 416, 429
handling, 415, 416, 420–421
initializing SACL, 422
privilege change failures, 423
running SACL audits, 423–424, 424
handles, 416
obtaining privilege information, 414–417, 417
overview of, 411, 414, 437
remote unmanaged components and, 432–437
securing
controls/components, 425–426
files, 426–429, 429
registry, 97, 429–431
Security Access Control List
defined, 418
error initializing, 422
error running audits, 423–424, 424
getting/setting in registry, 431
privileges, 414
verifying audit entries, 424, 424
writing auditing code, 418–423
security descriptors, 422–423, 428–429, 431
using SetNamedSecurityInfo() function, 424–425
Win32 API security overview, 390–411
using Access Control Editor, 401–403, 401
Access Control Entries
accessing directly, 408–411
ordering in ACLs, 400, 435
overview of, 390
access problems, 399–401
using alternatives to pointers, 394–395
Discretionary Access Control List
accessing ACEs in directly, 408–411
ACE order in, 400, 435
functions for, 395, 396, 397, 399
overview of, 390
setting properties, 401, 401
error trapping, 351
functions
authentication functions, 395
calling AD domain controllers, 346–353, 352
calling unmanaged code, 165–166
ISecurityInformation functions, 402–403
old, risks of, 392–393
overview of, 165, 390, 399
security descriptor functions, 398–399
SID-related functions, 397–398
user access token functions, 395–397
using IntPtr, 395
versus .NET Framework security, 9, 70–71, 82–83, 391–392
using out keywords, 395
overview of, 75, 128, 387, 390, 411
using ref keywords, 395
risky API features
old functions, 392–393
ordered rights to resources, 400–401, 435
pointers, 394–395
unmanaged code, 392, 393
unsafe code, 393–394
Security Access Control List
accessing ACEs in, 408
functions for, 395, 396, 397, 399
overview of, 390
setting properties, 401, 401
using Security Configuration Editor, 403–405, 404
Security Identifiers
converting to human readable form, 405–408
defined, 451
ordering group SIDs, 400–401
overview of, 392
SID-related functions, 397–398
well-known predefined SIDs, 407
testing, 399–400
when to use, 391
Windows sites, Microsoft. See Web sites
wire security in remoting, 282
Wired Equivalent Privacy (WEP) limitations, 365
wireless device security, 364–387
accessing components via Web pages, 381
accessing Web services using PocketSoap, 381–382
advances in, 366
in desktop and Web environments
avoiding browser-based issues, 376–380, 377–378
benefits, 374
connecting PDAs to desktops via IrDA, 376
connecting PDAs to desktops physically, 375
limitations, 375
testing applications, 374
hiding data with filters, 377–379, 377–378
in .NET Compact Framework
checking application safety, 370–374, 372–373
classes, vs. in .NET Framework, 367–369, 368
defined, 364, 365
IrDA support, 369
limitations, 365–367
Microsoft.WindowsCE.Forms classes, 369
overview of, 365
SQL Server CE support, 369
overview of, 362, 364–365, 386–387
using policies, 380–381
risks in, 14, 365–367, 369–370, 376
using SSL protocol, 376, 382, 386
using System.Web.Security namespace
FileAuthorizationModule class, 383–384
FormsAuthentication class, 384–386
overview of, 41, 365, 382–383
Passport support in, 41, 323
UrlAuthorizationModule class, 383–384
Web site on, 41
testing, 387
Web resources on, 366, 374, 380, 381
using WS-Security, 383
World of Data Security site, 17
write access to Active Directory, 357–362, 362
WS-Security
Web Services Development Kit, 318, 453
Web Services Enhancements, 318–320, 319, 453
using in wireless networks, 383
WSDK. See WS-Security
WSDL (Web Services Description Language)
COM+ application output, 327–328, 328
defined, 453
generating SoapHttpClientProtocol class, 306–307
security hole in, 328
WSE. See WS-Security