

RACI chart, lxxxi-lxxxii
RADIUS. See remote authentication dial-in user service
random class versus RNGCryptoServiceProvider, 175
random keys, generating, 175
random numbers, 620
range checks, 268
copying files over, 473
Microsoft Terminal Services, 539
terminal services, 472
RDS. See remote data services
Read permissions, 455
read-only properties, 617
recommended settings, 517
reduced attack surface, 239
reference hub, 685
reflection, 172-173
checklists, 738
code review, 619
on types, 619
ReflectionPermission, 143
refuse permissions, 624
regex class, 265
RegexOptions.IgnorePatternWhitespace, 265
Regex.Replace, 269
registry, 208-209
ASP.NET application and Web services, 579
checklists, 725, 731, 739
code access security, 208-209
constraining access to, 209
custom policies to allow access, 251
data server configuration, 674
database servers, 523-524
event logging, 166
medium trust, 250
reading from, 167
storing secrets in, 621
verifying permissions with MBSA, 524
vulnerabilities, 428
Web server configuration, 651
Web servers, 428, 449-450
registry keys, 524
RegistryPermission, 143, 208
requesting, 209
RegistryPermissionAttribute, 209
Regsvcs.exe, 310
regular expressions
comments, 265
common, 271
fields, 271-272
for strong passwords, 283
in Web controls and user controls, 264-265
RegularExpressionValidator control
for constraining data, 264-266
for validating form field input, 632
rejectRemoteRequests, 360
relationship of chapter to product life cycle, lxxix
remote access, limiting, 360
remote administration, 114
database servers, 539-540
how to perform, lxxi
Web servers, 471-473
remote application servers
deployment model, 476
in deployment topology, 102
remote authentication dial-in user service, 417
remote data services, 454-455
remote database, 578
remote logons
database servers, 517
Web servers, 444
remote procedure call. See RPC
remote registry administration, 651
remote resources, 262
remote scans, 792-793
remote serviced components, 668
remoted components
design considerations, 352
overview, 347-348
threats and countermeasures, 349
remoted objects
auditing and logging, 365
authentication, 355-358
authorization, 359-360
custom encryption sink, 361-364
exception management, 364-365
exposing to Internet, 352
input validation, 353
sensitive data, 361-364
ASP.NET application and Web services, 573
checklists, 713-715
code review, 638-639
<httpHandlers> element, 573
main threats, 349
in trusted server scenario, 353
typical deployment, 348
Web server configuration, 668-670
report details for a scanned machine, 749
described, 17
serviced components, 302
threats, 42
request sizes, 803
Request.Cookies, 632
RequestMinimum method, 195
code access security, 195
RequestOptional method, 195-196
Request.QueryString, 632
RequestRefuse method, 195-196
RequestRefused method, 195-196
required shares, 448
RequiredFieldValidator, 268
for constraining data, 264
resource access
ASP.NET, 223-224
checklists, 739-740
resource access code, 263
resource access identities, 262, 325-326
alerts and notifications, 684
and associated permissions, 193
communities and newsgroups, 683
index of checklists, 687-688
Microsoft patterns and practices guidance, 681-682
partners and service providers, 682
patches and updates, 683
Response.Write, 610
restrict file I/O, 206
restricted ACLs, 386
restricted areas, 81
restricted inheritance, 198
restricted operations or data, 635
restricted pages
access to, 634
subdirectory for, 278
restricted permissions, 184
restricting unauthorized callers, 382
restricting unauthorized code, 382
retrieval of plaintext configuration secrets, 34
RevertAssert method, 203
reducing assert duration, 204
risk = probability * damage potential, 63
Rivest, Shamir, and Adleman. See RSA
creating a salt value, 388
random class, 175
role checks
performing in code, 638
principal-based, 360
role-based authorization, 302
role-based security, lxiv
checks, 137
code review, 637-638
configuring with <authorization> element, 138-139
enabling, 495
identity objects, 134
logical view of, 132-133
.NET, 131-132
principal objects, 134
serviced components, 304
interface, 134
checklists, 721
considerations, 409-411
deployment review, 678
logging features of, 679
network security, 408-409
dynamic port allocation, 483, 491
encryption and IDC, 302
packet level authentication, 301
RSA, 179
described, 779
IPSec policies, 778-779
run-as accounts, 306
Runas.exe utility, 767
runat="server" property, 265
runtime, creating code dynamically at, 619

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613