Security for Microsoft® Visual Basic® .NET
by Michael James Bond, Ed Robinson
Introduction
How to Use This Book
How to Use the Code Samples
Create a Desktop Shortcut for Running Tools
A Final Word
Corrections, Comments, and Help
Acknowledgments
I. Development Techniques
1. Encryption
Practice Files
Hash Digests
Private Key Encryption
Keeping Private Keys Safe
Public Key Encryption
Hiding Unnecessary Information
Encryption in the Real World
Summary
2. Role-Based Authorization
Role-Based Authorization Exercise
Windows Integrated Security
ASP.NET Authentication and Authorization
Role-Based Authorization in the Real World
Summary
3. Code-Access Security
How Actions Are Considered Safe or Unsafe
What Prevents Harmful Code from Executing?
It’s On By Default
Security Features and the Visual Basic .NET Developer
Code-Access Security vs. Application Role-Based Security
Code-Access Security Preempts Application Role-Based Security
Run Your Code in Different Security Zones
What Code-Access Security Is Meant To Protect
Permissions—The Basis of What Your Code Can Do
Security Zones and Trust Levels
Security Zones and Permissions
Local Intranet, Internet, and Trusted Sites Zones
How Visual Basic .NET Determines Zone
Ensuring That Your Code Will Run Safely
Cooperating with the Security System
Code-Access Security in the Real World
Summary
4. ASP.NET Authentication
EmployeeManagementWeb Practice Files
Forms Authentication
Windows Integrated Security Authentication
Passport Authentication
Install the Passport SDK
ASP.NET Authentication in the Real World
Summary
5. Securing Web Applications
Secure Sockets Layer
How SSL Works
Securing Web Services
Implementing an Audit Trail
Securing Web Applications in the Real World
Summary
II. Ensuring Hack-Resistant Code
6. Application Attacks and How to Avoid Them
Denial of Service Attacks
Defensive Techniques for DoS Attacks
Defending Against Memory and Resource DoS Attacks
File-Based or Directory-Based Attacks
Defensive Technique for File-Based or Directory-Based Attacks
Enforce Canonical Filenames
SQL-Injection Attacks
Defensive Techniques for SQL-Injection Attacks
Validate Input Parameters
Use Parameterized Queries
Add a Stored Procedure to Validate the User
Cross-Site Scripting Attacks
When HTML Script Injection Becomes a Problem
Defensive Techniques for Cross-Site Scripting Attacks
Use Server.HtmlEncode and Server.UrlEncode
Check All Input for Content and Length
Child-Application Attacks
Defensive Technique for Child-Application Attacks
Use Quotes Around All Path Names
Guarding Against Attacks in the Real World
Summary
7. Validating Input
Working with Input Types and Validation Tools
Direct User Input
Validation Tools Available to Windows Forms Applications
Validation Tools Available to ASP.NET Web Applications
General Language Validation Tools
Regular Expressions
Parse Method
Web Application Input
Don’t Rely on Data Sent to the Client
Nonuser Input
Input to Subroutines
Summary
8. Handling Exceptions
Where Exceptions Occur
Exception Handling
Global Exception Handlers
Exception Handling in the Real World
Summary
9. Testing for Attack-Resistant Code
Plan of Attack—The Test Plan
Brainstorm—Generate Security-Related Scenarios
Take the Attacker’s View
Create a Blueprint of Your Application
Create Scenarios Based on Inroads for Attack
Get Focused—Prioritize Scenarios
Prioritize Security-Related Scenarios Based on Threats
Generate Tests
Filter and Prioritize Tests for Each Scenario
Attack—Execute the Plan
Testing Approaches
Writing Self-Testing Code
Ad Hoc, or Manual, Testing
Automated Unit Testing
Stress Testing
Testing Tools
Create Your Own Test Tools
Example: Create a Test Tool for Testing Web Applications
Test in the Target Environment
Make Testing for Security a Priority
Common Testing Mistakes
Testing Too Little, Too Late
Failing to Test and Retest for Security
Failing to Factor In the Cost of Testing
Relying Too Much on Beta Feedback
Assuming Third-Party Components Are Safe
Testing in the Real World
Summary
III. Deployment and Configuration
10. Securing Your Application for Deployment
Deployment Techniques
XCopy Deployment
No-Touch Deployment
Windows Installer Deployment
Cabinet-File Deployment
Code-Access Security and Deployment
Deploy and Run Your Application in the .NET Security Sandbox
Certificates and Signing
Digital Certificates
X.509 Certificate
Obtain an X.509 Certificate from a Certificate Authority
Keep Your Private Keys Safe
Authenticode Signing
When to Use Authenticode Signing
When the Authenticode Signature Is Checked
Incorporate Authenticode Signing in Your Build Process
Strong-Name Signing
Strong Names vs. Weak Names
Strong-Named Visual Basic .NET .DLLs and Partial Trust
Authenticode Signing vs. Strong Naming
Should You Authenticode-Sign and Strong-Name Your Application?
Strong Naming, Certificates, and Signing Exercise
Deploying .NET Security Policy Updates
Update .NET Enterprise Security Policy
Deploy .NET Enterprise Security Policy Updates
Protecting Your Code—Obfuscation
Obscurity <> Security
Deployment Checklist
Deployment in the Real World
Summary
11. Locking Down Windows, Internet Information Services, and .NET
"I’m Already Protected. I’m Using a Firewall."
Fundamental Lockdown Principles
Automated Tools
Locking Down Windows Clients
Format Disk Drives Using NTFS
Disable Auto Logon
Enable Auditing
Turn Off Unnecessary Services
Turn Off Unnecessary Sharing
Use Screen-Saver Passwords
Remove File-Sharing Software
Implement BIOS Password Protection
Disable Boot from Floppy Drive
Locking Down Windows Servers
Isolate Domain Controller
Disable and Delete Unnecessary Accounts
Install a Firewall
Locking Down IIS
Disable Unnecessary Internet Services
Disable Unnecessary Script Maps
Remove Samples
Enable IIS Logging
Restrict IUSR_<computername>
Install URLScan
Locking Down .NET
Summary
12. Securing Databases
Core Database Security Concepts
SQL Server Authentication
Determining Who Is Logged On
How SQL Server Assigns Privileges
SQL Server Authorization
Microsoft Access Authentication and Authorization
Microsoft Access User-Level Security Models
Locking Down Microsoft Access
Locking Down SQL Server
Summary
IV. Enterprise-Level Security
13. Ten Steps to Designing a Secure Enterprise System
Design Challenges
Step 1: Believe You Will Be Attacked
Step 2: Design and Implement Security at the Beginning
Step 3: Educate the Team
Step 4: Design a Secure Architecture
Named-Pipes vs. TCP-IP
If You Do Nothing Else...
Step 5: Threat-Model the Vulnerabilities
Step 6: Use Windows Security Features
Step 7: Design for Simplicity and Usability
Step 8: No Back Doors
Step 9: Secure the Network with a Firewall
Step 10: Design for Maintenance
Summary
14. Threats—Analyze, Prevent, Detect, and Respond
Analyze for Threats and Vulnerabilities
Identify and Prioritize
Identify Threats
Prioritize Threats
Prevent Attacks by Mitigating Threats
Mitigating Threats
Detection
Early Detection
Detecting That an Attack Has Taken Place or Is in Progress
Determining Whether to Trust Your Detection Mechanisms
Humans: The Key to Success
Respond to an Attack
Prepare for a Response
Security Threats in the Real World
Summary
15. Threat Analysis Exercise
Analyze for Threats
Allocate Time
Prioritize Analysis Based on the Function of Each Component
Plan and Document Your Threat Analysis
Create a Laundry List of Threats
Draw Architectural Sketch and Review for Threats
Review Code for Threats
Prioritize Threats
Respond to Threats
Summary
16. Future Trends
The Arms Race of Hacking
No Operating System Is Safe
Cyber-Terrorism
What Happens Next?
Responding to Security Threats
Privacy vs. Security
The IPv6 Internet Protocol
Government Initiatives
Microsoft Initiatives
Summary
A. Guide to the Code Samples
Employee Management System
Employee Management Web
Encryption Demo
TogglePassportEnvironment utility
Employee Database Structure
Migrating the Employee Database to SQL Server 2000
B. Contents of SecurityLibrary.vb
Hash Digests
Private Key Encryption
DPAPI Encryption
Public Key Encryption
Logging Exceptions
Role-Based Security
Validating Input
C. About the Authors
Ed Robinson
Michael Bond
Index
Index
L

L0phtCrack, Testing Tools
LANs, Step 4: Design a Secure Architecture (see , )
LC4, Testing Tools
LDAP (Lightweight Directory Access Protocol), Windows Integrated Security
least privilege, principle of, Role-Based Authorization; SQL-Injection Attacks; Fundamental Lockdown Principles
Lightweight Directory Access Protocol (LDAP), Windows Integrated Security
Link, Testing Tools
LinkDemand, It’s On By Default
Linux vulnerabilities, The Arms Race of Hacking
Local Intranet zone, Security Zones and Trust Levels; Security Zones and Permissions; Local Intranet, Internet, and Trusted Sites Zones; Ensuring That Your Code Will Run Safely
    defined, Security Zones and Trust Levels
    isolated storage support, Ensuring That Your Code Will Run Safely
    luring attacks, Security Zones and Permissions
    permissions for, Security Zones and Permissions
    scope of, Local Intranet, Internet, and Trusted Sites Zones
locking down, Locking Down Windows, Internet Information Services, and .NET; "I’m Already Protected. I’m Using a Firewall."; Fundamental Lockdown Principles; Automated Tools; Enable Auditing; Turn Off Unnecessary Sharing; Implement BIOS Password Protection; Disable and Delete Unnecessary Accounts; Remove Samples; Locking Down .NET; Securing Databases; Locking Down Microsoft Access
    .NET Framework, Remove Samples
    accounts, Implement BIOS Password Protection
    antivirus software, Fundamental Lockdown Principles
    auditing, enabling, Enable Auditing
    auto logon, Automated Tools
    automated tools for, Fundamental Lockdown Principles
    back doors, closing, Fundamental Lockdown Principles
    backing up data, Fundamental Lockdown Principles
    BIOS passwords, Turn Off Unnecessary Sharing
    clients, Automated Tools
    databases, Securing Databases
    defined, Locking Down Windows, Internet Information Services, and .NET
    domain controllers, Implement BIOS Password Protection
    encrypting folders, Automated Tools
    file-sharing software, Turn Off Unnecessary Sharing
    firewalls for, Locking Down Windows, Internet Information Services, and .NET; Disable and Delete Unnecessary Accounts
    floppy drives, booting from, Implement BIOS Password Protection
    fundamental principles of, "I’m Already Protected. I’m Using a Firewall."
    IIS, Fundamental Lockdown Principles; Disable and Delete Unnecessary Accounts
    least privilege principle, Fundamental Lockdown Principles
    maintenance, Fundamental Lockdown Principles
    MBSA, Automated Tools (see )
    Microsoft Access, Locking Down Microsoft Access
    NTFS file system, "I’m Already Protected. I’m Using a Firewall."; Automated Tools
    patches, OS security, Fundamental Lockdown Principles
    physical security, "I’m Already Protected. I’m Using a Firewall."
    purpose of, Locking Down Windows, Internet Information Services, and .NET
    real-world considerations, Locking Down .NET
    servers, Implement BIOS Password Protection
    service packs, Fundamental Lockdown Principles
    sharing, Enable Auditing
    SQL Server, Locking Down Microsoft Access
    strong user passwords, Fundamental Lockdown Principles
    tools for, Fundamental Lockdown Principles
    turning off services, Enable Auditing
    URLScan, Automated Tools; Remove Samples
    Windows 9x, "I’m Already Protected. I’m Using a Firewall."
    Windows clients, Automated Tools
    Windows NT, "I’m Already Protected. I’m Using a Firewall."
    Windows servers, Implement BIOS Password Protection
logging, Exception Handling; Global Exception Handlers; Automated Unit Testing; Remove Samples; Locking Down SQL Server; Step 10: Design for Maintenance; Early Detection; Detecting That an Attack Has Taken Place or Is in Progress; Determining Whether to Trust Your Detection Mechanisms; Logging Exceptions
    attacks altering logs, Determining Whether to Trust Your Detection Mechanisms
    automated unit testing, Automated Unit Testing
    detecting attacks, Early Detection; Detecting That an Attack Has Taken Place or Is in Progress
    encryption exceptions, Logging Exceptions
    exceptions handled, Exception Handling; Global Exception Handlers
    IIS, enabling, Remove Samples
    monitoring logs, Step 10: Design for Maintenance
    SQL Server, Locking Down SQL Server
    viewing remotely, Global Exception Handlers
logging out, Forms Authentication
logons, Role-Based Authorization; Role-Based Authorization Exercise; EmployeeManagementWeb Practice Files; Forms Authentication; SQL-Injection Attacks; When HTML Script Injection Becomes a Problem; Automated Tools; SQL Server Authentication; Microsoft Access Authentication and Authorization; Step 5: Threat-Model the Vulnerabilities; Employee Management System; Employee Management Web
    auto logon, disabling, Automated Tools
    eliminating repetition, Role-Based Authorization Exercise
    Forms authentication, EmployeeManagementWeb Practice Files; Forms Authentication
    frmLogin sample, Employee Management System
    HTML scripting attacks using, When HTML Script Injection Becomes a Problem
    login.aspx sample, Employee Management Web
    passwords, Microsoft Access Authentication and Authorization (see )
    recommendation, Step 5: Threat-Model the Vulnerabilities
    SQL-injection attacks using, SQL-Injection Attacks
    users, Role-Based Authorization (see )
    Windows Authentication, setting up, SQL Server Authentication
LSADump2, Testing Tools
luring attacks, Code-Access Security; Security Zones and Permissions