SACL (System Access Control List), See also Win32 API
defined, 418
errors initializing, 422
errors running audits, 423–424, 424
functions for, 395, 396, 397, 399
getting/setting in registry, 431
overview of, 390
privileges, 414
setting properties, 401, 401
verifying audit entries, 424, 424
writing auditing code, 418–423
SAML (Security Assertion Markup Language), 320, 322, 451
SANS Institute Web sites, 26, 27, 380
SDCheck tool, 343
Secure Sockets Layer. See SSL
Security Configuration Editor, 403–405, 404
security descriptors, 398–399, 422–423, 428–429, 431
Security Guide for Windows site, 26
security problems. See avoiding; errors; troubleshooting
security risks, See also cracker exploits; .NET Framework security
Active Directory return values, 356
authenticating Web servers, 237, 245
authenticating Web services, 304–305
caller locations, 305
channel data interception, 304
complacency, 380
data leaks, 277–278, 353
of data streams, 286, 301
in data transfers, 434
in using DCOM and CORBA, 301
in deserializing data, 280
entire security system failure, 245
in FileAuthorizationModule class, 384
in incorrect domain procedures, 346
killing processes prematurely, 434
lack of policies, 380
learning about, 260–261, 376
memory leaks, 361, 422
in modifying Web.config files, 385
of OOB messages, 209, 254
of passwords, 237
query contamination, 303
in Remote Data Services, 266, 266
in remote debugging, 240
in using SOAP, 300
third party intervention, 305
unexpected input, 259
unmanaged code, 392
of unnecessary characters, 58, 59
untrustable Web data, 304
in using UrlAuthorizationModule class, 383–384
of usernames, 237
viruses, 304
in Web services, 302, 303, 304–305, 306
in Win32 API
old functions, 392–393
ordered rights to resources, 400–401
overview of, 399, 400
pointers, 394–395
unmanaged code, 392, 393
unsafe code, 393–394
in wireless security, 14, 365–367, 369–370, 376
in WSDL output, 328, 329
SecurityCallContext class, 223–225
SecurityException exception, 32
SecurityManager class, 32–35, 35
SecUtil tool, 101, 101
Select Users or Groups dialog box, 226, 226
serialization, 280–281, 451
servers, See also Web server security
service provider classes, 36
SetFileSecurity() function, 424–425
SetNamedSecurityInfo() function, 424–425
SHA hash algorithms, 199–200, 451
SIDs (Security Identifiers) in Win32 API
converting to readable form, 405–408
defined, 451
ordering group SIDs, 400–401
overview of, 392
SID-related functions, 397–398
well-known predefined SIDs, 407
signatures, digital, 72–73, 99, 153
sink, 64
Site evidence class, 76
sites. See Web sites
Slammer worm, 266
SOAP (Simple Object Access Protocol)
defined, 452
overview of, 63, 212, 213
Security Extensions, 318
support, adding to COM+, 326–328, 326–328
testing calls, 329–332
SoapHttpClientProtocol class, See also Web services security
adding permissions, 307
changing ports, 307
debugger attribute, 306, 307
generated by .NET IDE, 305–306
generating manually, 306–308
SoapSuds utility, 289, 328
social engineering, 70
sockets, See also LAN security; SSL
caching credentials, 210–212
defined, 452
overview of, 205
using SocketPermission class, 205–209, 208
using SSL protocol, 209–210
Special Edition Using SOAP (Mueller), 301
SQL Server CE classes, 369
SQL Server. See Web data security
SSL (Secure Sockets Layer) protocol
configuring IIS support for, 293, 294–296, 295–296
defined, 209–210, 451
getting certificates for, 294
getting client certificate information, 296–298, 298
using in wireless networks, 376, 382, 386
SSPI (Security Support Provider Interface), 274
streams, data, 286, 301, 442
strong name checks, 155
Strong Name utility, 173
StrongName evidence class, 76
StrongNameIdentityPermission class, See also code access security
checking credentials, 101–102
defined, 98
extracting public keys, 101, 101
versus Publisher evidence, 99
signed client sample code, 99–101
testing, 103
“Stupid User Tricks” article, 12
SUS (Software Update Services), 15
symmetric encryption. See cryptography, symmetric
SynchronizationAttribute class, 29–31, 30
System Access Control List. See SACL
System.DirectoryServices namespace, See also AD
accessing Active Directory, 43–44, 45
examples, 42–50, 45, 50
getting AD user information, 45–49, 50
overview of, 41
path types and, 44, 45
Web site on, 42
System.Net.CredentialCache class, 210–212
System.Net.NetworkCredential class, 210–212
System.Reflection.Assembly.Evidence property, 103–106, 106
System.Runtime.Remoting.Contexts namespace
defined, 28
security benefits, 29
SynchronizationAttribute class, 29–31, 30
Web site on, 28
System.Security namespace
AllowPartiallyTrustedCallersAttribute, 31–32, 281
overview of, 31–32
SecurityException exception, 32
SecurityManager class, 32–35, 35
Web site on, 32
System.Security.Cryptography namespace
class structure, 36
defined, 35
example, 37–39, 38–39
Web site on, 35
System.Security.Cryptography.X509Certificates namespace, 196–199, 197
System.Security.Cryptography.Xml namespace
creating/verifying XML signatures, 314–317, 316–317
data management, 313
data transformation, 314
key management, 313
System.Security.Permissions namespace, 39
System.Security.Policy namespace, 39–40
System.Security.Principal namespace, 40–41
System.Web.Security namespace, See also wireless device security
FileAuthorizationModule class, 383–384
FormsAuthentication class, 384–386
overview of, 41, 365, 382–383
Passport support in, 41, 323
UrlAuthorizationModule class, 383–384
Web site on, 41