access
Web services, Securing Web Services
accounts
disabling, Disable and Delete Unnecessary Accounts
Achilles, Table 9-3: Test Tools
ACT (Microsoft Application Center Test), Stress Testing, Table 9-3: Test Tools
Active Directory
advantages for authorization, Role-Based Authorization in the Real World
permissions for, Table 3-3: Full Trust Permissions Granted to My Computer Zone
referencing services, Windows Integrated Security
searching for roles, Searching Active Directory, Windows Integrated Security
ActiveX
buffer overrun vulnerability, Buffer Overrun
deployment, Windows Installer Deployment
ad hoc testing, Table 9-2: General Testing Approaches, Ad Hoc, or Manual, Testing
Administrator accounts
disabling, Disable and Delete Unnecessary Accounts
Aimster, Remove File-Sharing Software
AllowPartiallyTrustedCallers attribute, Strong-Named Visual Basic .NET .DLLs and Partial Trust
AllowPartiallyTrustedCallers attributes, Security Features and the Visual Basic .NET Developer
alsohashes, Chapter 1: Encryption
Anakrino, Create a Blueprint of Your Application, Table 9-3: Test Tools
analyzing for vulnerabilities, Analyze for Threats and Vulnerabilities
identifying threats, Identify and Prioritize, Table 14-1: STRIDE Threat Categories
methods for avoiding damage, list of, Analyze for Threats and Vulnerabilities
overview, Analyze for Threats and Vulnerabilities
prioritizing threats, Prioritize Threats
threat analysis, Analyze for Threats and Vulnerabilities
anomaly detection, Detecting That an Attack Has Taken Place or Is in Progress
anonymity as an issue, Privacy vs. Security
anonymizer.com, Privacy vs. Security
Anonymous users
denying access to, Windows Integrated Security Authentication
anti-replay protection, The IPv6 Internet Protocol
antivirus software, Fundamental Lockdown Principles
ANTS, Table 9-3: Test Tools
API functions, Table 15-1: Visual Basic .NET Keywords to Look For (continued)
Apple OS vulnerabilities, No Operating System Is Safe
application firewalls, Step 9: Secure the Network with a Firewall
application-level attacks
buffer overruns, Buffer Overrun
child-application attacks, Child-Application Attacks, Use Quotes Around All Path Names
cross-site scripting, see cross-site scripting attacks
denial of service, see denial of service (DoS) attacks
directory-based attacks, File-Based or Directory-Based Attacks, Enforce Canonical Filenames
file-based attacks, File-Based or Directory-Based Attacks, Enforce Canonical Filenames
real-world considerations, Guarding Against Attacks in the Real World
SQL-injection, see SQL-injection attacks
XSS, see cross-site scripting attacks
architecture
designing secure, Step 4: Design a Secure Architecture, If You Do Nothing Else…
diagrams for threat analysis, Draw Architectural Sketch and Review for Threats
distributed, Step 4: Design a Secure Architecture
minimum security measures, If You Do Nothing Else…
named-pipes v. TCP-IP, Named-Pipes vs. TCP-IP
arms race nature of security, The Arms Race of Hacking, What Happens Next?
ASP.NET
anonymous users, ASP.NET Authentication and Authorization
authenticated users, ASP.NET Authentication and Authorization
BUILTIN qualifier, ASP.NET Authentication and Authorization
cross-site scripting attack vulnerability, Cross-Site Scripting Attacks
Request object, Web Application Input, Don’t Rely on Data Sent to the Client
role-based authorization, ASP.NET Authentication and Authorization
validator controls, Validation Tools Available to ASP.NET Web Applications
Web.config file, Authorization section, ASP.NET Authentication and Authorization
ASP.NET authentication
authorization with, Chapter 4: ASP.NET Authentication
Forms authentication, Table 4-1: Authentication Types for ASP.NET Applications
None option, Table 4-1: Authentication Types for ASP.NET Applications
Windows integrated security for, Table 4-1: Authentication Types for ASP.NET Applications
ASP.NET Web Forms
zone assignment, Table 3-5: Security Zone Assignments for .NET Applications, How Visual Basic .NET Determines Zone
assemblies
strong v. weak naming of, Strong Names vs. Weak Names
Assembly keyword, Table 15-1: Visual Basic .NET Keywords to Look For (continued)
Assert, Security Features and the Visual Basic .NET Developer
attack signature detection, Detecting That an Attack Has Taken Place or Is in Progress
attack surface
reducing for platforms, see locking down
attack surface area
defined, Where Exceptions Occur
attacks
ActiveX vulnerability, Buffer Overrun
advantages of .NET, Guarding Against Attacks in the Real World
assessing damage from, Respond to an Attack
attacker’s view, taking, Take the Attacker’s View
bandwidth starvation, Table 6-1: Forms of DoS Attacks
buffer overruns, Buffer Overrun
child-application attacks, Child-Application Attacks, Use Quotes Around All Path Names
code access, Create a Blueprint of Your Application
CPU starvation, Table 6-1: Forms of DoS Attacks, Table 6-2: DoS Defensive Techniques
creating scenarios based on inroads, Create Scenarios Based on Inroads for Attack
cross-site scripting, see cross-site scripting attacks
decomposing applications, Take the Attacker’s View
denial of service, see denial of service (DoS) attacks
deploying fixes for, Prepare for a Response
detecting, see detecting attacks
detection systems, on, Determining Whether to Trust Your Detection Mechanisms
device names, Enforce Canonical Filenames
directory-based, File-Based or Directory-Based Attacks, Enforce Canonical Filenames
file-based, File-Based or Directory-Based Attacks, Enforce Canonical Filenames
fixes, Respond to an Attack
input-related, Chapter 7: Validating Input
inventory of installed components, Take the Attacker’s View
memory starvation, Table 6-1: Forms of DoS Attacks, Table 6-2: DoS Defensive Techniques, Defending Against Memory and Resource DoS Attacks
network hijacking, Table 9-3: Test Tools
preserving evidence of, Respond to an Attack
prioritizing scenarios, Get Focused—Prioritize Scenarios, Prioritize Security-Related Scenarios Based on Threats
real-world considerations, Guarding Against Attacks in the Real World, Security Threats in the Real World
resource starvation, Table 6-1: Forms of DoS Attacks, Table 6-2: DoS Defensive Techniques, Defending Against Memory and Resource DoS Attacks
responding to, Respond to an Attack, Prepare for a Response
response plans for, Prepare for a Response
restoring systems after, Respond to an Attack
root cause detection, Respond to an Attack
scenarios, see scenarios, attack
social engineering, What Happens Next?
SQL-injection, see SQL-injection attacks
steps after detecting, Summary
steps in securing from, Chapter 14: Threats—Analyze, Prevent, Detect, and Respond
stopping damage from, Respond to an Attack
system crash DoS, Table 6-1: Forms of DoS Attacks
testing to prevent, see testing
threat mitigation, Prevent Attacks by Mitigating Threats, Table 14-2: Example of Common Attacks and Techniques to Mitigate Them
tools available for, What Happens Next?
user notification of, Prepare for a Response
XSS, see cross-site scripting attacks
attributes
security policy permission, table of, Update .NET Enterprise Security Policy
audit trails, creating, Implementing an Audit Trail
auditing
activity types, based on, Privacy vs. Security
Big Brother systems, Privacy vs. Security
importance of, Privacy vs. Security
SQL Server, Locking Down SQL Server
trace-back, Privacy vs. Security
auditing, enabling, Enable Auditing
authentication
database, Core Database Security Concepts, SQL Server Authentication, How SQL Server Assigns Privileges, Microsoft Access Authentication and Authorization, Microsoft Access User-Level Security Models
Microsoft Access, Microsoft Access Authentication and Authorization, Microsoft Access User-Level Security Models
passwords, encrypted, Encryption in the Real World
privacy issues, Privacy vs. Security
role-based, see role-based security
SQL Server, see SQL Server authentication
user-level security for Access, Microsoft Access Authentication and Authorization, Microsoft Access User-Level Security Models
Web services with, Securing Web Services
X.509 certificates, X.509 Certificate, Keep Your Private Keys Safe
Authenticode signing
overview, Authenticode Signing, Incorporate Authenticode Signing in Your Build Process
sample application, Strong Naming, Certificates, and Signing Exercise
setup packages, Strong Naming, Certificates, and Signing Exercise
SignCode.exe, signing with, Strong Naming, Certificates, and Signing Exercise
strong naming, compared to, Authenticode Signing vs. Strong Naming, Should You Authenticode-Sign and Strong-Name Your Application?
timestamp services, Strong Naming, Certificates, and Signing Exercise
authorization
ASP.NET-based, ASP.NET Authentication and Authorization
column level, SQL Server Authorization
databases, Core Database Security Concepts, SQL Server Authorization, Microsoft Access User-Level Security Models
Microsoft Access, Microsoft Access User-Level Security Models
real-world problems, Role-Based Authorization in the Real World
role-based, see role-based security
row level, SQL Server Authorization
SQL Server, SQL Server Authorization
table level, SQL Server Authorization
Web services, for, Securing Web Services
Authorization Manager (AzMan), Microsoft Initiatives
automated unit testing, Table 9-2: General Testing Approaches, Automated Unit Testing, Table 9-3: Test Tools
AzMan (Authorization Manager), Microsoft Initiatives