by Michael James Bond, Ed Robinson
Security for Microsoft® Visual Basic® .NET
D

Dashboard sample form: Employee Management System
data authentication: Privacy vs. Security
Data Encryption Standard: Private Key Encryption (see )
data or input tampering attacks: Mitigating Threats
databases: Practice Files; Public Key Encryption; SQL-Injection Attacks; Create a Blueprint of Your Application; Securing Databases; SQL Server Authentication; Determining Who Is Logged On; SQL Server Authorization; Microsoft Access User-Level Security Models; Locking Down SQL Server; Step 1: Believe You Will Be Attacked; Detection; Future Trends
    Access authentication: SQL Server Authorization
    Access, Microsoft: SQL Server Authorization (see )
    administrating accounts: SQL Server Authentication
    authentication: Securing Databases
    authorization: Securing Databases; Determining Who Is Logged On; Microsoft Access User-Level Security Models
    blank password problem: SQL Server Authentication
    column-level authorization: SQL Server Authorization
    importance of: Securing Databases
    locking down: Securing Databases
    logons, setting up: SQL Server Authentication
    Mixed Mode authentication: SQL Server Authentication
    permissions for: Microsoft Access User-Level Security Models
    privilege assignment: Determining Who Is Logged On
    removing unencrypted fields: Public Key Encryption
    row-level authorization: SQL Server Authorization
    sample for exercises: Practice Files
    single authentication method: SQL Server Authentication
    SQL: Locking Down SQL Server (see )
    SQL authentication: Securing Databases (see )
    SQL injection: SQL-Injection Attacks (see )
    SQL Slammer worm: Step 1: Believe You Will Be Attacked; Detection; Future Trends
    table-level authorization: SQL Server Authorization
    testing security of: Create a Blueprint of Your Application
    Windows Authentication, changing to: SQL Server Authentication
dates, validating: General Language Validation Tools
debugging features: Testing Approaches
Declare keyword: Review Code for Threats
decompiling: Deploy .NET Enterprise Security Policy Updates
decomposing: Plan of Attack—The Test Plan
decryption: Encryption; Private Key Encryption (see also )
    defined: Encryption
    private key: Private Key Encryption
default behavior: Step 5: Threat-Model the Vulnerabilities
default installations, lack of security of: Locking Down Windows, Internet Information Services, and .NET
delay signing: Strong Naming, Certificates, and Signing Exercise
Delete keyword: Review Code for Threats
Demands: How Actions Are Considered Safe or Unsafe; It’s On By Default
demilitarized zones (DMZs): Step 4: Design a Secure Architecture
denial of service (DoS) attacks: Code-Access Security; Application Attacks and How to Avoid Them; Denial of Service Attacks; Defensive Techniques for DoS Attacks; Defending Against Memory and Resource DoS Attacks; SQL-Injection Attacks; Stress Testing; Mitigating Threats; Cyber-Terrorism
    .NET vulnerability to: Application Attacks and How to Avoid Them
    application crash form: Application Attacks and How to Avoid Them; Defensive Techniques for DoS Attacks
    CPU starvation attacks: Application Attacks and How to Avoid Them; Defensive Techniques for DoS Attacks
    defending against: Denial of Service Attacks
    defined: Code-Access Security; Application Attacks and How to Avoid Them
    forms of: Application Attacks and How to Avoid Them
    input, limiting: Defending Against Memory and Resource DoS Attacks
    memory starvation form: Application Attacks and How to Avoid Them; Defensive Techniques for DoS Attacks
    mitigation techniques for: Mitigating Threats
    network bandwidth starvation form: Denial of Service Attacks
    on domain-name servers: Cyber-Terrorism
    requests, limiting: Denial of Service Attacks
    resource starvation form: Application Attacks and How to Avoid Them; Defensive Techniques for DoS Attacks
    SQL-injection for: SQL-Injection Attacks
    stress testing to prevent: Stress Testing
    system crash form: Denial of Service Attacks
deployment: Ensuring That Your Code Will Run Safely; Securing Your Application for Deployment; XCopy Deployment; Windows Installer Deployment; Cabinet-File Deployment; Deploy and Run Your Application in the .NET Security Sandbox; Obtain an X.509 Certificate from a Certificate Authority; Authenticode Signing; When to Use Authenticode Signing; Strong-Named Visual Basic .NET .DLLs and Partial Trust; Should You Authenticode-Sign and Strong-Name Your Application?; Strong Naming, Certificates, and Signing Exercise; Deploying .NET Security Policy Updates; Deploy .NET Enterprise Security Policy Updates; Obscurity <> Security; Deployment Checklist; Step 10: Design for Maintenance; Prepare for a Response
    .MSI deployment packages: Deploy .NET Enterprise Security Policy Updates
    .NET Framework Configuration tool: Deploy .NET Enterprise Security Policy Updates
    .NET security policy updates: Deploying .NET Security Policy Updates
    ActiveX components: Windows Installer Deployment
    ASP.NET Web server applications: Should You Authenticode-Sign and Strong-Name Your Application?
    Authenticode signing: Obtain an X.509 Certificate from a Certificate Authority
    cabinet files: Windows Installer Deployment; Cabinet-File Deployment
    certificates: Authenticode Signing (see )
    checklist for: Obscurity <> Security
    code-access security: Ensuring That Your Code Will Run Safely; Windows Installer Deployment; Cabinet-File Deployment
    delay signing: Strong Naming, Certificates, and Signing Exercise
    fixes for attacks: Prepare for a Response
    Internet distribution, advantages of: Deploy and Run Your Application in the .NET Security Sandbox
    measures to secure, list of: Securing Your Application for Deployment
    methods of: Securing Your Application for Deployment
    no-touch: XCopy Deployment; Cabinet-File Deployment; Deploy and Run Your Application in the .NET Security Sandbox; When to Use Authenticode Signing; Step 10: Design for Maintenance
    obfuscating code: Deploy .NET Enterprise Security Policy Updates
    packaging costs: Deploy and Run Your Application in the .NET Security Sandbox
    real-world considerations: Deployment Checklist
    sample application: Should You Authenticode-Sign and Strong-Name Your Application?
    setup packages, signing: Strong Naming, Certificates, and Signing Exercise
    strong names: Strong-Named Visual Basic .NET .DLLs and Partial Trust (see )
    timestamp services: Strong Naming, Certificates, and Signing Exercise
    user options, allowing: Windows Installer Deployment
    viewing certificates: Strong Naming, Certificates, and Signing Exercise
    Windows Installer: XCopy Deployment; Cabinet-File Deployment
    XCopy for: Securing Your Application for Deployment; Cabinet-File Deployment
Deployment Wizard, Microsoft Visual Studio .NET: XCopy Deployment
DES: Private Key Encryption (see )
design steps: Ten Steps to Designing a Secure Enterprise System; Design Challenges; Step 1: Believe You Will Be Attacked; Step 2: Design and Implement Security at the Beginning; Step 4: Design a Secure Architecture; Named-Pipes vs. TCP-IP; Step 5: Threat-Model the Vulnerabilities; Step 8: No Back Doors; Step 10: Design for Maintenance; Analyze for Threats and Vulnerabilities
    architectural security: Step 2: Design and Implement Security at the Beginning
    back doors, eliminating: Step 8: No Back Doors
    beginning with security: Step 1: Believe You Will Be Attacked
    believing attacks will come: Design Challenges
    challenges to: Ten Steps to Designing a Secure Enterprise System
    firewalls: Step 8: No Back Doors
    level of security, picking: Step 2: Design and Implement Security at the Beginning
    maintenance considerations: Step 10: Design for Maintenance
    minimum security measures in architecture: Named-Pipes vs. TCP-IP
    missteps: Ten Steps to Designing a Secure Enterprise System
    modeling vulnerabilities: Named-Pipes vs. TCP-IP
    named-pipes vs. TCP/IP: Step 4: Design a Secure Architecture
    off switches: Step 10: Design for Maintenance
    overview: Ten Steps to Designing a Secure Enterprise System
    serious attitude development: Design Challenges
    simplicity: Step 5: Threat-Model the Vulnerabilities
    team education: Step 2: Design and Implement Security at the Beginning
    threat analysis: Analyze for Threats and Vulnerabilities
    usability: Step 5: Threat-Model the Vulnerabilities
    Windows OS security features: Step 5: Threat-Model the Vulnerabilities
detecting attacks: Detection; Early Detection; Detecting That an Attack Has Taken Place or Is in Progress; Determining Whether to Trust Your Detection Mechanisms; Prepare for a Response
    anomaly detection: Detecting That an Attack Has Taken Place or Is in Progress
    confidence in: Determining Whether to Trust Your Detection Mechanisms
    early detection: Detection
    exception handlers: Detecting That an Attack Has Taken Place or Is in Progress
    feedback to users: Early Detection
    following the attack: Early Detection
    hardware inventories: Detecting That an Attack Has Taken Place or Is in Progress
    human factors: Determining Whether to Trust Your Detection Mechanisms
    IDSs for: Detecting That an Attack Has Taken Place or Is in Progress
    in-progress: Early Detection
    logging activity: Early Detection; Detecting That an Attack Has Taken Place or Is in Progress
    monitoring news groups: Early Detection
    overview of: Detection
    real-world considerations: Prepare for a Response
    reboots, unscheduled: Detecting That an Attack Has Taken Place or Is in Progress
    redundancy: Determining Whether to Trust Your Detection Mechanisms
    signature detection: Detecting That an Attack Has Taken Place or Is in Progress
    snapshots of data: Determining Whether to Trust Your Detection Mechanisms
deterrence: Threats—Analyze, Prevent, Detect, and Respond
development team, education of: Step 2: Design and Implement Security at the Beginning
device names, use in attacks: Enforce Canonical Filenames
digital certificates: Secure Sockets Layer; How SSL Works; Deploy and Run Your Application in the .NET Security Sandbox; Digital Certificates; Obtain an X.509 Certificate from a Certificate Authority; Authenticode Signing; When to Use Authenticode Signing; Strong-Named Visual Basic .NET .DLLs and Partial Trust; Should You Authenticode-Sign and Strong-Name Your Application?; Strong Naming, Certificates, and Signing Exercise; Update .NET Enterprise Security Policy
    application integrity assurance: Authenticode Signing
    Authenticode signing: Obtain an X.509 Certificate from a Certificate Authority
    CSRs: How SSL Works
    defined: Secure Sockets Layer
    hash value security policy attribute: Update .NET Enterprise Security Policy
    installing: How SSL Works
    private keys for: Obtain an X.509 Certificate from a Certificate Authority
    publisher identity: Obtain an X.509 Certificate from a Certificate Authority; Update .NET Enterprise Security Policy
    purpose of: Deploy and Run Your Application in the .NET Security Sandbox
    root certificates: How SSL Works
    sample application: Should You Authenticode-Sign and Strong-Name Your Application?
    setup packages: Strong Naming, Certificates, and Signing Exercise
    signatures, checking: When to Use Authenticode Signing
    Software Publisher Certificates: Obtain an X.509 Certificate from a Certificate Authority; Strong Naming, Certificates, and Signing Exercise
    SSL: Secure Sockets Layer
    strong names: Strong-Named Visual Basic .NET .DLLs and Partial Trust (see )
    test certificates: How SSL Works; Strong Naming, Certificates, and Signing Exercise
    timestamp services: Strong Naming, Certificates, and Signing Exercise
    validity of: How SSL Works
    VeriSign, obtaining from: How SSL Works
    viewing: Strong Naming, Certificates, and Signing Exercise
    X.509: Digital Certificates
Dir keyword: Review Code for Threats
direct user input: Validating Input
directories: Keeping Private Keys Safe; Windows Integrated Security; Role-Based Authorization in the Real World; Security Zones and Permissions; Defending Against Memory and Resource DoS Attacks
    Active Directory: Windows Integrated Security; Role-Based Authorization in the Real World; Security Zones and Permissions
    directory-based attacks: Defending Against Memory and Resource DoS Attacks
    DirectoryServicesPermission: Security Zones and Permissions
    restricting access to: Windows Integrated Security
    root, hackers finding: Defending Against Memory and Resource DoS Attacks
    security for private key encryption: Keeping Private Keys Safe
disabling auto logon: Automated Tools
disassembling code: Create a Blueprint of Your Application
disk space attacks: Application Attacks and How to Avoid Them (see )
distributed architecture recommended: Step 2: Design and Implement Security at the Beginning
DLLs (dynamic-link libraries): Create Scenarios Based on Inroads for Attack; Strong Names vs. Weak Names
DMZs (demilitarized zones): Step 4: Design a Secure Architecture
DNS permission: Security Zones and Permissions
documentation: Prioritize Analysis Based on the Function of Each Component; Respond to Threats
domain controllers: Implement BIOS Password Protection
domain-name system root servers: Cyber-Terrorism
DoS attacks: Defensive Techniques for DoS Attacks (see )
Dotfuscator: Deploy .NET Enterprise Security Policy Updates
DPAPI encryption, functions, sample: Contents of SecurityLibrary.vb
drives, physical: "I’m Already Protected. I’m Using a Firewall."; Automated Tools; Enable Auditing
    FAT file system: "I’m Already Protected. I’m Using a Firewall."; Automated Tools
    NTFS formatting: Automated Tools
    sharing, locking down: Enable Auditing
DumpBin: Testing Tools
dynamic loading, attacks against: Use Server.HtmlEncode and Server.UrlEncode