.NET Framework Security
By Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, Kevin T. Price

Publisher: Addison Wesley
Pub Date: April 24, 2002
ISBN: 0-672-32184-X
Pages: 816
| | Copyright |
| | About the Authors |
| | Acknowledgments |
| | Introduction |
| | | Demystifying .NET Framework Security |
| | | What Do You Need to Know Prior to Reading This Book? |
| | | What Software Will You Need to Complete the Examples Provided with This Book? |
| | | How This Book Is Organized |
| | | Where to Download the Associated Code for This Book |
| | | Conventions Used in This Book |
|
| | Part I. Introduction to the .NET Developer Platform Security |
| | | Chapter 1. Common Security Problems on the Internet |
| | | Problems with Securing Mobile Code |
| | | Writing Secure Applications |
| | | Summary |
|
| | | Chapter 2. Introduction to the Microsoft .NET Developer Platform |
| | | Tight Language Interoperability |
| | | Metadata |
| | | JIT Compilation |
| | | Garbage Collection |
| | | Object-Oriented Programming |
| | | Code Access Security |
| | | Base Class Library |
| | | Native Code Interoperability |
| | | Summary |
|
| | | Chapter 3. .NET Developer Platform Security Solutions |
| | | Fundamental Security Benefits from the .NET Framework |
| | | Mobile Code Solutions with the .NET Framework |
| | | Networked Computing with the .NET Framework |
| | | Summary |
|
|
| | Part II. Code Access Security Fundamentals |
| | | Chapter 4. User- and Code-Identity-Based Security: Two Complementary Security Paradigms |
| | | A Little Anatomy of Computer Security Systems |
| | | A Review of User-Identity-Based Security |
| | | Entering a New Paradigm: Code-Identity-Based Security |
| | | How User- and Code-Identity-Based Security Systems Complement Each Other |
| | | Summary |
|
| | | Chapter 5. Evidence: Knowing Where Code Comes From |
| | | Evidence Explained |
| | | Different Sources of Evidence |
| | | Evidence and the Base Class Library |
| | | Summary |
|
| | | Chapter 6. Permissions: The Workhorse of Code Access Security |
| | | Permissions Explained |
| | | How Permissions Are Used |
| | | Declarative and Imperative Security |
| | | Built-in Permissions |
| | | Permission Sets |
| | | Summary |
|
| | | Chapter 7. Walking the Stack |
| | | A Review of Stacks and Their Uses |
| | | The Security Stack Walk |
| | | Modifying a Stack Walk |
| | | The Interaction of App Domains with Stack Walks |
| | | Summary |
|
| | | Chapter 8. Membership Conditions, Code Groups, and Policy Levels: The Brick and Mortar of Security Policy |
| | | Membership Conditions |
| | | Code Groups |
| | | Policy Levels |
| | | Default Security Policy |
| | | Summary |
|
| | | Chapter 9. Understanding the Concepts of Strong Naming Assemblies |
| | | Assemblies and Identity |
| | | Public/Private Key Pairs |
| | | Signing and Verifying Assemblies |
| | | Delay Signing Assemblies |
| | | Comparison with Authenticode Signatures |
| | | Summary |
|
| | | Chapter 10. Hosting Managed Code |
| | | What Does Hosting Mean? |
| | | Containing Assemblies Through the Use of Appdomains |
| | | Controlling Trust Within the Hosted Environment |
| | | Dealing with Assembly-Sharing Issues |
| | | Using Appdomains to Secure Unmanaged Clients |
| | | Summary |
|
| | | Chapter 11. Verification and Validation: The Backbone of .NET Framework Security |
| | | Review of the Anatomy of an Assembly |
| | | PE File Format and Metadata Validation |
| | | IL Validation and Verification |
| | | Code Access Security's Dependence on Validation and Verification |
| | | Summary |
|
| | | Chapter 12. Security Through the Lifetime of a Managed Process: Fitting It All Together |
| | | Development-Time Security Considerations |
| | | Deployment-Time Security Issues |
| | | Execution-Time Security Issues |
| | | Summary |
|
|
| | Part III. ASP.NET and Web Services Security Fundamentals |
| | | Chapter 13. Introduction to ASP.NET Security |
| | | New Security Features in ASP.NET - And How to Use Them |
| | | Authentication for Web Services |
| | | Code Access Security and ASP.NET |
| | | Summary |
|
| | | Chapter 14. Authentication: Know Who Is Accessing Your Site |
| | | ASP.NET Authentication and IIS Authentication |
| | | Default IIS Settings |
| | | Using CLR Role-Based Security in Windows |
| | | Using ASP.NET Forms Authentication |
| | | Using Impersonation and Delegation in ASP.NET |
| | | Summary |
|
| | | Chapter 15. Authorization: Control Who Is Accessing Your Site |
| | | File and Directory Access Control Lists (ACLs) |
| | | Using URL Authorization to Allow or Limit Access |
| | | Using Programmatic Authorization to Determine Who Is Attempting to Access Your Site |
| | | Summary |
|
| | | Chapter 16. Data Transport Integrity: Keeping Data Uncorrupted |
| | | Implementing SSL Encryption and HTTPS |
| | | Encryption of Individual Data Elements - An Overview |
| | | Remoting and Encryption via Sinks - An Overview |
| | | Summary |
|
|
| | Part IV. .NET Framework Security Administration |
| | | Chapter 17. Introduction: .NET Framework Security and Operating System Security |
| | | A Roadmap for Administering the Security Context of Managed Code |
| | | .NET Framework Security and Operating System Security Settings |
| | | Summary |
|
| | | Chapter 18. Administering Security Policy Using the .NET Framework Configuration Tool |
| | | Before Making Any Security Policy Change: Administration Strategies |
| | | Introduction to the .NET Framework Configuration Tool |
| | | Increasing Trust for an Assembly or Software Publisher Using the Trust Assembly Wizard |
| | | Changing Trust for a Zone Using the Adjust Security Wizard |
| | | Manipulating the Security Policy Tree Directly - Basic Techniques |
| | | Testing Security Policy Using the Evaluate Assembly Wizard |
| | | Modeling Policy Changes Using Open and New |
| | | Deploying Security Policy |
| | | Resetting Security Policy |
| | | The .NET Framework Configuration Tool's Self Protection Mechanism |
| | | Administrative Tactics: Scenarios, Solutions, Hints, and Tricks |
| | | Summary |
|
| | | Chapter 19. Administering .NET Framework Security Policy Using Scripts and Security APIs |
| | | Using Batch Scripts for Security Policy Administration |
| | | Changing Security Policy by Programming Directly to the Security APIs |
| | | Summary |
|
| | | Chapter 20. Administering an IIS Machine Using ASP.NET |
| | | XML-Based Configuration Files |
| | | Hierarchy of .NET Configuration Files |
| | | Attributes and Settings |
| | | IIS Security Settings - A Refresher |
| | | Summary |
|
| | | Chapter 21. Administering Clients for .NET Framework Mobile Code |
| | | Default Security Policy and Mobile Code |
| | | Limitations on Calling Strong Named Components |
| | | Running Mobile Code in Internet Explorer |
| | | Summary |
|
| | | Chapter 22. Administering Isolated Storage and Cryptography Settings in the .NET Framework |
| | | Administering Isolated Storage |
| | | Administering Cryptography Settings |
| | | Summary |
|
|
| | Part V. .NET Framework Security for Developers |
| | | Chapter 23. Creating Secure Code: What All .NET Framework Developers Need to Know |
| | | Security and the Developer |
| | | Structure of the .NET Framework Security System |
| | | Limitations of the .NET Framework Security System |
| | | Summary |
|
| | | Chapter 24. Architecting a Secure Assembly |
| | | Thinking Like a Security Expert: How to Improve the Security of Your Designs from Day One |
| | | If All Else Fails |
| | | Don't Throw It All Away |
| | | Summary |
|
| | | Chapter 25. Implementing a Secure Assembly |
| | | Using Existing Security Mechanisms |
| | | Implementing Your Own Permissions |
| | | Working with Strong Names |
| | | Summary |
|
| | | Chapter 26. Testing a Secured Assembly |
| | | Determining What Is Being Protected |
| | | Determining How Resource Protection Is Implemented |
| | | Testing Any Applied Custom Permissions |
| | | Testing the Methods and Properties That Should Be Protected |
| | | Summary |
|
| | | Chapter 27. Writing a Secure Web Site Using ASP.NET |
| | | Designing a Secure Web Site |
| | | Implementing a Secure Web Site |
| | | Summary |
|
| | | Chapter 28. Writing a Secure Web Application in the .NET Development Platform |
| | | ASP.NET with Remoting Versus Web Services |
| | | Authentication and Authorization Without IIS |
| | | Summary |
|
| | | Chapter 29. Writing a Semi-Trusted Application |
| | | Restrictions on Libraries That Can Be Called |
| | | Making Permission Requests |
| | | Protecting Data |
| | | Being Careful About What Code Gets Executed |
| | | Being Aware of Permissions at Runtime |
| | | Summary |
|
| | | Chapter 30. Using Cryptography with the .NET Framework: The Basics |
| | | Setting the Stage: Key Definitions and Scenarios in Cryptography |
| | | The Cryptographic Object Model of the .NET Framework |
| | | Operating on Streams: CryptoStreams and ICryptoTransforms |
| | | Using Symmetric Algorithms |
| | | Using Cryptographic Hash Functions |
| | | Using Keyed Hash Functions |
| | | Random Number Generation and Key Derivation |
| | | Using Asymmetric Algorithms |
| | | Summary |
|
| | | Chapter 31. Using Cryptography with the .NET Framework: Advanced Topics |
| | | Working with CryptoAPI 1.0 |
| | | Working with CryptoAPI 2.0 |
| | | Finalization Versus Explicit Destruction via IDisposable |
| | | Extending the .NET Framework's Cryptography Classes and the Cryptographic Configuration System |
| | | Summary |
|
| | | Chapter 32. Using Cryptography with the .NET Framework: Creating and Verifying XML Digital Signatures |
| | | XMLDSIG Design Principles and Modes of Use |
| | | The Structure of an XMLDSIG Signature |
| | | Creating XMLDSIG-Compliant Signatures Using the .NET Framework |
| | | Verifying an XMLDSIG Signature |
| | | Extending System.Security.Cryptography.Xml for Custom Processing |
| | | Summary |
|
|
| | Index |