Index_E


E

eavesdropping. See sniffing
egress filtering, 410
elevation of privileges
described, 17, 32
Web servers, 425
EnableSessionState attribute, 289
enableViewStateMac attribute, 291
encoding characters, 612
encoding output, 612
encryption. See also cryptography
algorithms and need for quality in, 38
of file system, 520
network security, 417
parts of a message, 338-339
of secrets, 621
symmetric, 620
and verification in ASP.NET application and Web services, 584
encryption keys, 120
ASP.NET application and Web services, 570
securing, 92-93
encryption sink, 361-364
EncryptionPermission, 805-806
creating, 807-814
inheritance hierarchy, 806
EncryptionPermissionAttribute class, 815-817
end users
authorization granularity, 84
authorizing, 112
lockout policies for accounts, 81
EndpointPermission, 142
Enterprise Services
accounts, 665
application authentication levels, 494
application server, 480, 482-483, 487-488
applications, 493
applications and Windows authentication, 304
checklist, 709-711
components, 488
in deployment topology, 102-103
files and directories, 665
firewall port configuration, 482
how to secure, lxx
threats, 301
typical deployment configurations, 314
using HTTP Web services facade layer, 315
Web server configuration, 664-668
entropy values, 177
entry points
identifying, 54
unmanaged code, 629
enumerated types, 629
environment variables
checklists, 740
constraining access, 211
file I/O, 164
EnvironmentPermission
default credentials, 250
requesting, 211
table, 142
EnvironmentPermissionAttribute, 211-212
error handling
application level, 294
in Global.asax, 341
error messages
detailed, 630
logging, 95
escalating privileges, 15-16
event handlers, 633
event logging
ASP.NET, 244
ASP.NET application and Web services, 576-577
assemblies, 165-166
checklists, 739
code access security, 207
constraining, 208
constraining code, 208
of key events, 96
event sources, 309
EventLogPermission, 207, 296
requesting, 208
table, 142
EventLogPermission class, 244
EventLogPermissionAccess.Instrument, 208
EventLogPermissionAttribute, 208
Everyone group
accessing shares, 673
database servers, 520
restricting, 648
securing shares, 673
Web servers, 446
Everyone permissions, 673
evidence, 183
exception management, 94, 122-123, 161-164
applications, 122-123
ASP.NET, 293-294
ASP.NET application and Web services, 572
checklists, 693, 699, 707, 715, 719, 737
data access, 389-393
framework, 163
remoted objects, 364-365
secure Web services, 339-340
exception trapping
data access, 389
with page<customErrors> elementError event, 294
exceptions. See also exception management; exception trapping
code review, 619-620
exception objects, 339
filter issues, 162-163
handling, lxiv
handling threats, 40-41
information diagram, 392-393
logging, 389-390
objects, 339
SoapException objects, 339
SoapHeaderException objects, 339
Web services, 339
exclusive code groups, 190
expiration periods
ASP.NET application and Web services, 562
using fixed, 281
explicit interfaces, 627
explicit role checks
authorization decisions, 285
for fine-grained authorization, 285-286
with IPrincipal.IsInRole method, 137
exploiting and penetrating, 15
exposing fields with properties, 154
extended stored procedures, 532
extranet
deployment, 343
Web applications, 74



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
