Improving Web Application Security: Threats and Countermeasures

Book Description

Gain a solid foundation for designing, building, and configuring security-enhanced Microsoft® ASP.NET Web applications. This expert guide describes a systematic, task-based approach to security that can be applied to both new and existing applications.

Table of Contents

  1. Improving Web Application Security: Threats and Countermeasures
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Forewords
      1. Foreword by Mark Curphey
        1. Mark Curphey
      2. Foreword by Joel Scambray
        1. Joel Scambray
      3. Foreword by Erik Olson
        1. Erik Olson
      4. Foreword by Michael Howard
        1. Michael Howard
    3. Introduction
      1. Why We Wrote This Guide
      2. What Is a Hack-Resilient Application?
      3. Scope of This Guide
        1. Securing the Network, Host, and Application
        2. Technologies in Scope
      4. Who Should Read This Guide
      5. How to Use This Guide
        1. Applying the Guidance to Your Role
        2. Applying the Guidance to Your Product Life Cycle
        3. Microsoft Solutions Framework
      6. Organization of This Guide
        1. Solutions at a Glance
        2. Fast Track
        3. Parts
          1. Part I, Introduction to Threats and Countermeasures
          2. Part II, Designing Secure Web Applications
          3. Part III, Building Secure Web Applications
          4. Part IV, Securing Your Network, Host, and Application
          5. Part V, Assessing Your Security
        4. Checklists
        5. "How To" Articles
      7. Approach Used in This Guide
        1. Secure Your Network, Host, and Application
        2. Focus on Threats
        3. Follow a Principle-Based Approach
      8. Positioning of This Guide
        1. Volume I, Building Secure ASP.NET Applications
        2. Volume II, Improving Web Application Security
      9. Feedback and Support
        1. Feedback on the Guide
        2. Technical Support
        3. Community and Newsgroup Support
      10. The Team Who Brought You This Guide
        1. Contributors and Reviewers
      11. Tell Us About Your Success
      12. Summary
    4. Solutions at a Glance
      1. Architecture and Design Solutions
      2. Development Solutions
      3. Administration Solutions
    5. Fast Track — How To Implement the Guidance
      1. Goal and Scope
      2. The Holistic Approach
      3. Securing Your Network
      4. Securing Your Host
      5. Securing Your Application
      6. Identify Threats
      7. Applying the Guidance to Your Product Life Cycle
      8. Implementing the Guidance
      9. Who Does What?
        1. RACI Chart
      10. Summary
    6. I. Introduction to Threats and Countermeasures
      1. 1. Web Application Security Fundamentals
        1. We Are Secure — We Have a Firewall
        2. What Do We Mean By Security?
          1. The Foundations of Security
        3. Threats, Vulnerabilities, and Attacks Defined
        4. How Do You Build a Secure Web Application?
        5. Secure Your Network, Host, and Application
        6. Securing Your Network
          1. Network Component Categories
        7. Securing Your Host
          1. Host Configuration Categories
        8. Securing Your Application
          1. Application Vulnerability Categories
        9. Security Principles
        10. Summary
        11. Additional Resources
      2. 2. Threats and Countermeasures
        1. Overview
        2. How to Use This Chapter
        3. Anatomy of an Attack
          1. Survey and Assess
          2. Exploit and Penetrate
          3. Escalate Privileges
          4. Maintain Access
          5. Deny Service
        4. Understanding Threat Categories
          1. STRIDE
          2. STRIDE Threats and Countermeasures
        5. Network Threats and Countermeasures
          1. Information Gathering
          2. Sniffing
          3. Spoofing
          4. Session Hijacking
          5. Denial of Service
        6. Host Threats and Countermeasures
          1. Viruses, Trojan Horses, and Worms
          2. Footprinting
          3. Password Cracking
          4. Denial of Service
          5. Arbitrary Code Execution
          6. Unauthorized Access
        7. Application Threats and Countermeasures
        8. Input Validation
          1. Buffer Overflows
            1. Example of Code Injection Through Buffer Overflows
          2. Cross-Site Scripting
            1. Example of Cross-Site Scripting
          3. SQL Injection
            1. Example of SQL Injection
          4. Canonicalization
        9. Authentication
          1. Network Eavesdropping
          2. Brute Force Attacks
          3. Dictionary Attacks
          4. Cookie Replay Attacks
          5. Credential Theft
        10. Authorization
          1. Elevation of Privilege
          2. Disclosure of Confidential Data
          3. Data Tampering
          4. Luring Attacks
        11. Configuration Management
          1. Unauthorized Access to Administration Interfaces
          2. Unauthorized Access to Configuration Stores
          3. Retrieval of Plaintext Configuration Secrets
          4. Lack of Individual Accountability
          5. Over-privileged Application and Service Accounts
        12. Sensitive Data
          1. Access to Sensitive Data in Storage
          2. Network Eavesdropping
          3. Data Tampering
        13. Session Management
          1. Session Hijacking
          2. Session Replay
          3. Man in the Middle Attacks
        14. Cryptography
          1. Poor Key Generation or Key Management
          2. Weak or Custom Encryption
          3. Checksum Spoofing
        15. Parameter Manipulation
          1. Query String Manipulation
          2. Form Field Manipulation
          3. Cookie Manipulation
          4. HTTP Header Manipulation
        16. Exception Management
          1. Attacker Reveals Implementation Details
          2. Denial of Service
        17. Auditing and Logging
          1. User Denies Performing an Operation
          2. Attackers Exploit an Application Without Leaving a Trace
          3. Attackers Cover Their Tracks
        18. Summary
        19. Additional Resources
      3. 3. Threat Modeling
        1. Overview
        2. Before You Begin
        3. How to Use This Chapter
        4. Threat Modeling Principles
          1. The Process
          2. The Output
        5. Step 1. Identify Assets
        6. Step 2. Create an Architecture Overview
          1. Identify What the Application Does
          2. Create an Architecture Diagram
          3. Identify the Technologies
        7. Step 3. Decompose the Application
          1. Identify Trust Boundaries
          2. Identify Data Flow
          3. Identify Entry Points
          4. Identify Privileged Code
          5. Document the Security Profile
        8. Step 4. Identify the Threats
          1. Identify Network Threats
          2. Identify Host Threats
          3. Identify Application Threats
          4. Using Attack Trees and Attack Patterns
            1. Creating Attack Trees
            2. Attack Patterns
        9. Step 5. Document the Threats
        10. Step 6. Rate the Threats
          1. Risk = Probability * Damage Potential
          2. High, Medium, and Low Ratings
          3. DREAD
        11. What Comes After Threat Modeling?
          1. Generating a Work Item Report
        12. Summary
        13. Additional Resources
    7. II. Designing Secure Web Applications
      1. 4. Design Guidelines for Secure Web Applications
        1. Overview
        2. How to Use This Chapter
        3. Architecture and Design Issues for Web Applications
        4. Deployment Considerations
          1. Security Policies and Procedures
          2. Network Infrastructure Components
          3. Deployment Topologies
          4. Intranet, Extranet, and Internet
        5. Input Validation
          1. Assume All Input Is Malicious
          2. Centralize Your Approach
          3. Do Not Rely on Client-Side Validation
          4. Be Careful with Canonicalization Issues
          5. Constrain, Reject, and Sanitize Your Input
            1. Constrain Input
            2. Validate Data for Type, Length, Format, and Range
            3. Reject Known Bad Input
            4. Sanitize Input
          6. In Practice
        6. Authentication
          1. Separate Public and Restricted Areas
          2. Use Account Lockout Policies for End-User Accounts
          3. Support Password Expiration Periods
          4. Be Able to Disable Accounts
          5. Do Not Store Passwords in User Stores
          6. Require Strong Passwords
          7. Do Not Send Passwords Over the Wire in Plaintext
          8. Protect Authentication Cookies
        7. Authorization
          1. Use Multiple Gatekeepers
          2. Restrict User Access to System Level Resources
          3. Consider Authorization Granularity
        8. Configuration Management
          1. Secure Your Administration Interfaces
          2. Secure Your Configuration Stores
          3. Separate Administration Privileges
          4. Use Least Privileged Process and Service Accounts
        9. Sensitive Data
          1. Secrets
            1. Do Not Store Secrets if You Can Avoid It
            2. Do Not Store Secrets in Code
            3. Do Not Store Database Connections, Passwords, or Keys in Plaintext
            4. Avoid Storing Secrets in the LSA
            5. Use DPAPI for Encrypting Secrets
          2. Sensitive Per User Data
            1. Retrieve Sensitive Data on Demand
              1. Cache the Encrypted Secret
              2. Cache the Plaintext Secret
            2. Encrypt the Data or Secure the Communication Channel
            3. Do Not Store Sensitive Data in Persistent Cookies
            4. Do Not Pass Sensitive Data Using the HTTP-GET Protocol
        10. Session Management
          1. Use SSL to Protect Session Authentication Cookies
          2. Encrypt the Contents of the Authentication Cookies
          3. Limit Session Lifetime
          4. Protect Session State from Unauthorized Access
        11. Cryptography
          1. Do Not Develop Your Own Cryptography
          2. Keep Unencrypted Data Close to the Algorithm
          3. Use the Correct Algorithm and Correct Key Size
          4. Secure Your Encryption Keys
            1. Use DPAPI to Avoid Key Management
            2. Cycle Your Keys Periodically
        12. Parameter Manipulation
          1. Encrypt Sensitive Cookie State
          2. Make Sure that Users Do Not Bypass Your Checks
          3. Validate All Values Sent from the Client
          4. Do Not Trust HTTP Header Information
        13. Exception Management
          1. Do Not Leak Information to the Client
          2. Log Detailed Error Messages
          3. Catch Exceptions
        14. Auditing and Logging
          1. Audit and Log Access Across Application Tiers
          2. Consider Identity Flow
          3. Log Key Events
          4. Secure Log Files
          5. Back Up and Analyze Log Files Regularly
        15. Design Guidelines Summary
        16. Summary
        17. Additional Resources
      2. 5. Architecture and Design Review for Security
        1. Overview
        2. How to Use This Chapter
        3. Architecture and Design Review Process
        4. Deployment and Infrastructure Considerations
          1. Does the Network Provide Secure Communication?
          2. Does Your Deployment Topology Include an Internal Firewall?
          3. Does Your Deployment Topology Include a Remote Application Server?
          4. What Restrictions Does Infrastructure Security Impose?
          5. Have You Considered Web Farm Issues?
          6. What Trust Levels Does the Target Environment Support?
        5. Input Validation
          1. How Do You Validate Input?
          2. What Do You Do with the Input?
        6. Authentication
          1. Do You Separate Public and Restricted Access?
          2. Have You Identified Service Account Requirements?
          3. How Do You Authenticate the Caller?
          4. How Do You Authenticate with the Database?
          5. Do You Enforce Strong Account Management Practices?
        7. Authorization
          1. How Do You Authorize End Users?
          2. How Do You Authorize the Application in the Database?
          3. How Do You Restrict Access to System-Level Resources?
        8. Configuration Management
          1. Do You Support Remote Administration?
          2. Do You Secure Configuration Stores?
          3. Do You Separate Administrator Privileges?
        9. Sensitive Data
          1. Do You Store Secrets?
          2. How Do You Store Sensitive Data?
          3. Do You Pass Sensitive Data Over the Network?
          4. Do You Log Sensitive Data?
        10. Session Management
          1. How Are Session Identifiers Exchanged?
          2. Do You Restrict Session Lifetime?
          3. How Is the Session State Store Secured?
        11. Cryptography
          1. Why Do You Use Particular Algorithms?
          2. How Do You Secure Encryption Keys?
        12. Parameter Manipulation
          1. Do You Validate All Input Parameters?
          2. Do You Pass Sensitive Data in Parameters?
          3. Do You Use HTTP Header Data for Security?
        13. Exception Management
          1. Do You Use Structured Exception Handling?
          2. Do You Reveal Too Much Information to the Client?
        14. Auditing and Logging
          1. Have You Identified Key Activities to Audit?
          2. Have You Considered How to Flow Original Caller Identity?
          3. Have You Considered Secure Log File Management Policies?
        15. Summary
        16. Additional Resources
    8. III. Building Secure Web Applications
      1. 6. .NET Security Overview
        1. Overview
        2. How to Use This Chapter
        3. Managed Code Benefits
        4. User vs. Code Security
          1. Role-Based Security
          2. Code Access Security
        5. .NET Framework Role-Based Security
          1. Principals and Identities
          2. PrincipalPermission Objects
            1. Declarative Security
            2. Imperative Security
            3. Declarative vs. Imperative Security
              1. Advantages of Declarative Security
              2. Advantages of Imperative Security
          3. Role-Based Security Checks
          4. URL Authorization
            1. Configuring Access to a Specific File
        6. .NET Framework Security Namespaces
          1. System.Security
          2. System.Web.Security
          3. System.Security.Cryptography
          4. System.Security.Principal
          5. System.Security.Policy
          6. System.Security.Permissions
        7. Summary
        8. Additional Resources
      2. 7. Building Secure Assemblies
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Unauthorized Access or Privilege Elevation, or both
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          2. Code Injection
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          3. Information Disclosure
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          4. Tampering
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
        4. Privileged Code
          1. Privileged Resources
          2. Privileged Operations
        5. Assembly Design Considerations
          1. Identify Privileged Code
            1. Identify Privileged Resources
            2. Identify Privileged Operations
          2. Identify the Trust Level of Your Target Environment
            1. Full Trust Environments
            2. Partial Trust Environment
              1. Supporting Partial Trust Callers
            3. Why Worry About the Target Environment?
          3. Sandbox Highly Privileged Code
          4. Design Your Public Interface
        6. Class Design Considerations
          1. Restrict Class and Member Visibility
          2. Seal Non-Base Classes
          3. Restrict Which Users Can Call Your Code
          4. Expose Fields Using Properties
        7. Strong Names
          1. Security Benefits of Strong Names
          2. Using Strong Names
          3. Delay Signing
          4. ASP.NET and Strong Names
            1. Global Assembly Cache Requirements
          5. Authenticode vs. Strong Names
        8. Authorization
        9. Exception Management
          1. Use Structured Exception Handling
          2. Do Not Log Sensitive Data
          3. Do Not Reveal Sensitive System or Application Information
          4. Consider Exception Filter Issues
          5. Consider an Exception Management Framework
        10. File I/O
          1. Avoid Untrusted Input for File Names
          2. Do Not Trust Environment Variables
          3. Validate Input File Names
          4. Constrain File I/O Within Your Application’s Context
        11. Event Log
        12. Registry
          1. HKEY_LOCAL_MACHINE
          2. HKEY_CURRENT_USER
          3. Reading from the Registry
        13. Data Access
        14. Unmanaged Code
          1. Validate Input and Output String Parameters
          2. Validate Array Bounds
          3. Check File Path Lengths
          4. Compile Unmanaged Code With the /GS Switch
          5. Inspect Unmanaged Code for Dangerous APIs
        15. Delegates
          1. Do Not Accept Delegates from Untrusted Sources
        16. Serialization
          1. Do Not Serialize Sensitive Data
          2. Validate Serialized Data Streams
          3. Partial Trust Considerations
        17. Threading
          1. Do Not Cache the Results of Security Checks
          2. Consider Impersonation Tokens
          3. Synchronize Static Class Constructors
          4. Synchronize Dispose Methods
        18. Reflection
        19. Obfuscation
        20. Cryptography
          1. Use Platform-provided Cryptographic Services
          2. Key Generation
            1. Generate Random Keys
            2. Use PasswordDeriveBytes for Password-Based Encryption
            3. Prefer Large Keys
          3. Key Storage
            1. Use DPAPI to Avoid Key Management
              1. User Key vs. Machine Key
            2. Do Not Store Keys in Code
            3. Restrict Access to Persisted Keys
          4. Key Exchange
          5. Key Maintenance
            1. Cycle Keys Periodically
              1. Key Compromise
            2. Protect Exported Private Keys
        21. Summary
        22. Additional Resources
      3. 8. Code Access Security in Practice
        1. Overview
        2. How to Use This Chapter
        3. Code Access Security Explained
          1. Code
          2. Evidence
          3. Permissions
            1. Restricted and Unrestricted Permissions
            2. Demands
            3. Link Demands
          4. Assert, Deny, and PermitOnly Methods
          5. Policy
          6. Code Groups
          7. How Does It Work?
          8. How Is Policy Evaluated?
            1. How Do Permission Requests Affect the Policy Grant?
            2. Policy Evaluation at a Policy Level
            3. Exclusive and Level Final Code Groups
        4. APTCA
          1. Avoid Using APTCA
          2. Diagnosing APTCA Issues
        5. Privileged Code
          1. Privileged Resources
          2. Privileged Operations
        6. Requesting Permissions
          1. RequestMinimum
          2. RequestOptional
          3. RequestRefuse
          4. Implications of Using RequestOptional or RequestRefuse
        7. Authorizing Code
          1. Restrict Which Code Can Call Your Code
          2. Restrict Inheritance
          3. Consider Protecting Cached Data
          4. Protect Custom Resources with Custom Permissions
        8. Link Demands
          1. Luring Attacks
          2. Performance and Link Demands
          3. Calling Methods with Link Demands
          4. Mixing Class and Method Level Link Demands
          5. Interfaces and Link Demands
          6. Structures and Link Demands
          7. Virtual Methods and Link Demands
        9. Assert and RevertAssert
          1. Use the Demand / Assert Pattern
          2. Reduce the Assert Duration
        10. Constraining Code
          1. Using Policy Permission Grants
          2. Using Stack Walk Modifiers
        11. File I/O
          1. Constraining File I/O within your Application’s Context
            1. Using PermitOnly to Restrict File I/O
            2. Configuring Code Access Security Policy to Restrict File I/O
          2. Requesting FileIOPermission
        12. Event Log
          1. Constraining Event Logging Code
          2. Requesting EventLogPermission
        13. Registry
          1. Constraining Registry Access
          2. Requesting RegistryPermission
        14. Data Access
        15. Directory Services
          1. Constraining Directory Service Access
          2. Requesting DirectoryServicesPermission
        16. Environment Variables
          1. Constraining Environment Variable Access
          2. Requesting EnvironmentPermission
        17. Web Services
          1. Constraining Web Service Connections
        18. Sockets and DNS
          1. Constraining Socket Access
          2. Requesting SocketPermission and DnsPermission
        19. Unmanaged Code
          1. Use Naming Conventions to Indicate Risk
          2. Request the Unmanaged Code Permission
          3. Sandbox Unmanaged API Calls
          4. Use SuppressUnmanagedCodeSecurity with Caution
            1. Using SuppressUnmanagedCodeSecurity with P/Invoke
            2. Using SuppressUnmanagedCodeSecurity with COM Interop
        20. Delegates
          1. Consider Restricting Permissions for the Delegate
          2. Do Not Assert a Permission Before Calling a Delegate
        21. Serialization
          1. Restricting Serialization
        22. Summary
        23. Additional Resources
      4. 9. Using Code Access Security with ASP.NET
        1. Overview
        2. How to Use This Chapter
        3. Resource Access
        4. Full Trust and Partial Trust
        5. Configuring Code Access Security in ASP.NET
          1. Configuring Trust Levels
          2. Locking the Trust Level
        6. ASP.NET Policy Files
        7. ASP.NET Policy
          1. Inside an ASP.NET Policy File
          2. Permission State and Unrestricted Permissions
          3. The ASP.NET Named Permission Set
          4. Substitution Parameters
        8. Developing Partial Trust Web Applications
          1. Why Partial Trust?
          2. Problems You Might Encounter
        9. Trust Levels
        10. Approaches for Partial Trust Web Applications
        11. Customize Policy
        12. Sandbox Privileged Code
          1. A Sandboxing Pattern
        13. Deciding Which Approach to Take
          1. Customizing Policy
          2. Sandboxing
        14. Medium Trust
          1. Reduced Attack Surface
          2. Application Isolation
        15. Medium Trust Restrictions
          1. OLE DB
            1. Sandboxing
          2. Event Log
            1. Accessing the Event Log
            2. Sandboxing
          3. Web Services
            1. Using Default Credentials
          4. Registry
            1. Customizing Policy
        16. Summary
        17. Additional Resources
      5. 10. Building Secure ASP.NET Pages and Controls
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Code Injection
            1. Attacks
            2. Vulnerabilities
            3. Countermeasures
          2. Session Hijacking
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          3. Identity Spoofing
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          4. Parameter Manipulation
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          5. Network Eavesdropping
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          6. Information Disclosure
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
        4. Design Considerations
          1. Use Server-Side Input Validation
          2. Partition Your Web Site
          3. Consider the Identity That Is Used for Resource Access
          4. Protect Credentials and Authentication Tickets
          5. Fail Securely
          6. Consider Authorization Granularity
          7. Place Web Controls and User Controls in Separate Assemblies
          8. Place Resource Access Code in a Separate Assembly
        5. Input Validation
          1. Constrain, Then Sanitize
          2. Regular Expressions
            1. RegularExpressionValidator Control
            2. Regex Class
            3. Regular Expression Comments
          3. String Fields
            1. Names
            2. Social Security Numbers
          4. Date Fields
          5. Numeric Fields
            1. Range Checks
          6. Sanitizing Input
          7. Validating HTML Controls
          8. Validating Input Used for Data Access
          9. Validating Input Used For File I/O
            1. Using MapPath
          10. Common Regular Expressions
        6. Cross-Site Scripting
          1. Validate Input
          2. Encode Output
            1. Data-Bound Controls
            2. Sanitizing Free Format Input
          3. Defense in Depth Countermeasures
            1. Set the Correct Character Encoding
              1. Validating Unicode Characters
            2. Use the ASP.NET validateRequest Option
            3. Install URLScan on Your Web Server
            4. Use the HttpOnly Cookie Option
            5. Use the <frame> Security Attribute
            6. Use the innerText Property
        7. Authentication
          1. Forms Authentication
          2. Partition Your Web Site
          3. Secure Restricted Pages with SSL
          4. Use URL Authorization
          5. Secure the Authentication Cookie
            1. Restrict the Authentication Cookie to HTTPS Connections
            2. Encrypt the Cookie
            3. Limit Cookie Lifetime
            4. Consider Using a Fixed Expiration Period
            5. Do Not Persist Authentication Cookies
            6. Keep Authentication and Personalization Cookies Separate
            7. Use Distinct Cookie Names and Paths
          6. Use Absolute URLs for Navigation
          7. Use Secure Credential Management
            1. Use One-Way Hashes for Passwords
            2. Use Strong Passwords
            3. Prevent SQL Injection
        8. Authorization
          1. Use URL Authorization for Page and Directory Access Control
          2. Use File Authorization with Windows Authentication
          3. Use Principal Demands on Classes and Methods
          4. Use Explicit Role Checks for Fine-Grained Authorization
        9. Impersonation
          1. Using Programmatic Impersonation
        10. Sensitive Data
          1. Do Not Pass Sensitive Data from Page to Page
          2. Avoid Plaintext Passwords in Configuration Files
          3. Use DPAPI to Avoid Key Management
          4. Do Not Cache Sensitive Data
        11. Session Management
          1. Require Authentication for Sensitive Pages
          2. Do Not Rely on Client-Side State Management Options
          3. Do Not Mix Session Tokens and Authentication Tokens
          4. Use SSL Effectively
          5. Secure the Session Data
        12. Parameter Manipulation
          1. Protect View State with MACs
            1. Server.Transfer
          2. Use Page.ViewStateUserKey to Counter One-Click Attacks
          3. Maintain Sensitive Data on the Server
          4. Validate Input Parameters
        13. Exception Management
          1. Return Generic Error Pages to the Client
          2. Implement Page-Level or Application-Level Error Handlers
        14. Auditing and Logging
          1. EventLogPermission
        15. Summary
        16. Additional Resources
      6. 11. Building Secure Serviced Components
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Network Eavesdropping
          2. Unauthorized Access
          3. Unconstrained Delegation
          4. Disclosure of Configuration Data
          5. Repudiation
        4. Design Considerations
          1. Role-Based Authorization
          2. Sensitive Data Protection
          3. Audit Requirements
          4. Application Activation Type
          5. Transactions
          6. Code Access Security
        5. Authentication
          1. Use (At Least) Call Level Authentication
        6. Authorization
          1. Enable Role-Based Security
          2. Enable Component Level Access Checks
          3. Enforce Component Level Access Checks
        7. Configuration Management
          1. Use Least Privileged Run-As Accounts
          2. Avoid Storing Secrets in Object Constructor Strings
          3. Avoid Unconstrained Delegation
        8. Sensitive Data
        9. Auditing and Logging
          1. Audit User Transactions
        10. Building a Secure Serviced Component
          1. Assembly Implementation
          2. Serviced Component Class Implementation
        11. Code Access Security Considerations
        12. Deployment Considerations
          1. Firewall Restrictions
            1. Using Web Services
            2. DTC Requirements
        13. Summary
        14. Additional Resources
      7. 12. Building Secure Web Services
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Unauthorized Access
            1. Vulnerabilities
            2. Countermeasures
          2. Parameter Manipulation
            1. Vulnerabilities
            2. Countermeasures
          3. Network Eavesdropping
            1. Vulnerabilities
            2. Countermeasures
          4. Disclosure of Configuration Data
            1. Vulnerabilities
            2. Countermeasures
          5. Message Replay
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
        4. Design Considerations
          1. Authentication Requirements
          2. Privacy and Integrity Requirements
          3. Resource Access Identities
          4. Code Access Security
        5. Input Validation
          1. Strongly Typed Parameters
          2. Loosely Typed Parameters
          3. XML Data
          4. SQL Injection
          5. Cross-Site Scripting
        6. Authentication
          1. Platform Level Authentication
            1. Basic Authentication
            2. Integrated Windows Authentication
          2. Message Level Authentication
            1. User Name and Password
              1. User Name and Password Digest
              2. User Name and Password Digest with Nonce and Timestamp
            2. Kerberos Tickets
            3. X.509 Certificates
          3. Application Level Authentication
        7. Authorization
          1. Web Service Endpoint Authorization
          2. Web Method Authorization
          3. Programmatic Authorization
        8. Sensitive Data
          1. XML Encryption
            1. Asymmetric Encryption Using X.509 Certificates
            2. Symmetric Encryption Using Shared Keys
            3. Symmetric Encryption Using Custom Binary Tokens
          2. Encrypting Parts of a Message
        9. Parameter Manipulation
        10. Exception Management
          1. Using SoapExceptions
          2. Application Level Error Handling in Global.asax
        11. Auditing and Logging
        12. Proxy Considerations
        13. Code Access Security Considerations
        14. Deployment Considerations
          1. Intranet Deployment
          2. Extranet Deployment
          3. Internet Deployment
        15. Summary
        16. Additional Resources
      8. 13. Building Secure Remoted Components
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Unauthorized Access
            1. Vulnerabilities
            2. Countermeasures
          2. Network Eavesdropping
            1. Vulnerabilities
            2. Countermeasures
          3. Parameter Manipulation
            1. Vulnerabilities
            2. Countermeasures
          4. Serialization
            1. Vulnerabilities
            2. Countermeasures
        4. Design Considerations
          1. Do Not Expose Remoted Objects to the Internet
          2. Use the HttpChannel to Take Advantage of ASP.NET Security
          3. Use the TcpChannel Only in Trusted Server Scenarios
            1. TcpChannel Considerations
        5. Input Validation
          1. Serialization Attacks
          2. MarshalByRefObject Attacks
        6. Authentication
          1. ASP.NET Hosting
            1. Turn off Anonymous Authentication in IIS
            2. Configure ASP.NET for Windows Authentication
            3. Configure Client Credentials
              1. Using Default Credentials
              2. Using Alternate Credentials
            4. Increase Performance with Authenticated Connection Sharing
            5. Force Clients to Authenticate With Each Call
            6. Control the Use of Authenticated Connections
          2. Custom Process Hosting
            1. Do Not Pass Plaintext Credentials over the Network
            2. Do Not Trust IPrincipal Objects Passed From the Client
        7. Authorization
          1. Use IPSec for Machine Level Access Control
          2. Enable File Authorization for User Access Control
          3. Authorize Users with Principal-Based Role Checks
          4. Consider Limiting Remote Access
        8. Sensitive Data
          1. Using IPSec
          2. Using SSL
          3. Using a Custom Encryption Sink
            1. Implementing a Custom Encryption Sink
        9. Denial of Service
        10. Exception Management
          1. Using a Custom Channel Sink
        11. Auditing and Logging
          1. Using a Custom Channel Sink
        12. Code Access Security (CAS) Considerations
        13. Summary
        14. Additional Resources
      9. 14. Building Secure Data Access
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. SQL Injection
            1. Vulnerabilities
            2. Countermeasures
          2. Disclosure of Configuration Data
            1. Vulnerabilities
            2. Countermeasures
          3. Disclosure of Sensitive Application Data
            1. Vulnerabilities
            2. Countermeasures
          4. Disclosure of Database Schema and Connection Details
            1. Vulnerabilities
            2. Countermeasures
          5. Unauthorized Access
            1. Vulnerabilities
            2. Countermeasures
          6. Network Eavesdropping
            1. Vulnerabilities
            2. Countermeasures
        4. Design Considerations
          1. Use Windows Authentication
          2. Use Least Privileged Accounts
          3. Use Stored Procedures
          4. Protect Sensitive Data in Storage
            1. Why not DPAPI?
          5. Use Separate Data Access Assemblies
        5. Input Validation
        6. SQL Injection
          1. Preventing SQL Injection
          2. Constrain Input
          3. Use Type Safe SQL Parameters
            1. Using the Parameters Collection with Stored Procedures
            2. Using the Parameters Collection with Dynamic SQL
          4. Using Parameter Batching
          5. Using Filter Routines
          6. Using LIKE Clauses
        7. Authentication
          1. Use Windows Authentication
          2. Protect the Credentials for SQL Authentication
          3. Connect Using a Least Privileged Account
        8. Authorization
          1. Restrict Unauthorized Callers
          2. Restrict Unauthorized Code
          3. Restrict the Application in the Database
        9. Configuration Management
          1. Use Windows Authentication
          2. Secure Your Connection Strings
            1. Encrypt the Connection String
            2. Store Encrypted Connection Strings Securely
            3. Do Not Use Persist Security Info=‘True’ or ‘Yes’
          3. Secure UDL Files with Restricted ACLs
        10. Sensitive Data
          1. Encrypt Sensitive Data if You Need to Store It
            1. Using 3DES Encryption
          2. Secure Sensitive Data Over the Network
          3. Store Password Hashes with Salt
            1. Creating a Salt Value
            2. Creating a Hash Value (with Salt)
            3. More Information
        11. Exception Management
          1. Trap and Log ADO.NET Exceptions
            1. Trapping Exceptions
            2. Logging Exceptions
          2. Ensure Database Connections Are Closed
          3. Use a Generic Error Page in Your ASP.NET Applications
        12. Building a Secure Data Access Component
        13. Code Access Security Considerations
        14. Deployment Considerations
          1. Firewall Restrictions
          2. Connection String Management
          3. Login Account Configuration
          4. Logon Auditing
          5. Data Privacy and Integrity on the Network
        15. Summary
        16. Additional Resources
    9. IV. Securing Your Network, Host, and Application
      1. 15. Securing Your Network
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Information Gathering
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          2. Sniffing
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          3. Spoofing
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          4. Session Hijacking
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          5. Denial of Service
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
        4. Methodology
          1. Router
          2. Firewall
          3. Switch
        5. Router Considerations
          1. Patches and Updates
          2. Protocols
            1. Use Ingress and Egress Filtering
            2. Screen ICMP Traffic from the Internal Network
            3. Prevent TTL Expired Messages with Values of 1 or 0
            4. Do Not Receive or Forward Directed Broadcast Traffic
          3. Administrative Access
            1. Disable Unused Interfaces
            2. Apply Strong Password Policies
            3. Use Static Routing
            4. Audit Web Facing Administration Interfaces
          4. Services
          5. Auditing and Logging
          6. Intrusion Detection
        6. Firewall Considerations
          1. Patches and Updates
          2. Filters
          3. Logging and Auditing
          4. Perimeter Networks
            1. Advantages of a Perimeter Network
            2. Disadvantages of a Perimeter Network
        7. Switch Considerations
          1. Patches and Updates
          2. VLANs
          3. Insecure Defaults
          4. Services
          5. Encryption
        8. Additional Considerations
        9. Snapshot of a Secure Network
        10. Summary
        11. Additional Resources
      2. 16. Securing Your Web Server
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Profiling
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          2. Denial of Service
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          3. Unauthorized Access
            1. Vulnerabilities
            2. Countermeasures
          4. Arbitrary Code Execution
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          5. Elevation of Privileges
            1. Vulnerabilities
            2. Countermeasures
          6. Viruses, Worms, and Trojan Horses
            1. Vulnerabilities
            2. Countermeasures
        4. Methodology for Securing Your Web Server
          1. Configuration Categories
        5. IIS and .NET Framework Installation Considerations
          1. What Does IIS Install?
          2. What Does the .NET Framework Install?
        6. Installation Recommendations
          1. IIS Installation Recommendations
          2. .NET Framework Installation Recommendations
          3. Including Service Packs with a Base Installation
        7. Steps for Securing Your Web Server
        8. Step 1. Patches and Updates
          1. Detect and Install Patches and Updates
          2. Update the .NET Framework
        9. Step 2. IISLockdown
          1. Install and Run IISLockdown
            1. Log Files
            2. Web Anonymous Users and Web Application Groups
            3. The 404.dll
            4. URLScan
            5. Reversing IISLockdown Changes
            6. More Information
          2. Install and Configure URLScan
            1. Reversing URLScan Changes
            2. More Information
        10. Step 3. Services
          1. Disable Unnecessary Services
          2. Disable FTP, SMTP, and NNTP Unless You Require Them
          3. Disable the ASP.NET State Service Unless You Require It
        11. Step 4. Protocols
          1. Disable or Secure WebDAV
          2. Harden the TCP/IP Stack
          3. Disable NetBIOS and SMB
            1. Disabling NetBIOS
            2. Disabling SMB
        12. Step 5. Accounts
          1. Delete or Disable Unused Accounts
          2. Disable the Guest Account
          3. Rename the Administrator Account
          4. Disable the IUSR Account
          5. Create a Custom Anonymous Web Account
          6. Enforce Strong Password Policies
          7. Restrict Remote Logons
          8. Disable Null Sessions (Anonymous Logons)
            1. Additional Considerations
        13. Step 6. Files and Directories
          1. Restrict the Everyone Group
          2. Restrict Access to the IIS Anonymous Account
          3. Secure or Remove Tools, Utilities and SDKs
          4. Remove Sample Files
          5. Additional Considerations
        14. Step 7. Shares
          1. Remove Unnecessary Shares
          2. Restrict Access to Required Shares
          3. Additional Considerations
        15. Step 8. Ports
          1. Restrict Internet-Facing Ports to TCP 80 and 443
          2. Encrypt or Restrict Intranet Traffic
        16. Step 9. Registry
          1. Restrict Remote Administration of the Registry
          2. Secure the SAM (Stand-alone Servers Only)
        17. Step 10. Auditing and Logging
          1. Log All Failed Logon Attempts
          2. Log All Failed Actions Across the File System
          3. Relocate and Secure the IIS Log Files
          4. Archive Log Files for Offline Analysis
          5. Audit Access to the Metabase.bin File
          6. Additional Considerations
        18. Step 11. Sites and Virtual Directories
          1. Move Your Web site to a Non-System Volume
          2. Disable the Parent Paths Setting
          3. Remove Potentially Dangerous Virtual Directories
          4. Remove or Secure RDS
            1. Removing RDS
            2. Securing RDS
          5. Set Web Permissions
          6. Remove or Secure FrontPage Server Extensions
        19. Step 12. Script Mappings
          1. Map IIS File Extensions
            1. Why Map to the 404.dll?
          2. Map .NET Framework File Extensions
            1. Additional Considerations
        20. Step 13. ISAPI Filters
          1. Remove Unused ISAPI Filters
        21. Step 14. IIS Metabase
          1. Restrict Access to the Metabase Using NTFS Permissions
          2. Restrict Banner Information Returned by IIS
        22. Step 15. Server Certificates
          1. Validate Your Server Certificate
        23. Step 16. Machine.Config
          1. Map Protected Resources to HttpForbiddenHandler
            1. Disable .NET Remoting
          2. Verify That Tracing Is Disabled
          3. Verify That Debug Compiles Are Disabled
          4. Verify That ASP.NET Errors Are Not Returned to Clients
          5. Verify Session State Settings
        24. Step 17. Code Access Security
          1. Remove All Permissions for the Local Intranet Zone
          2. Remove All Permissions for the Internet Zone
        25. Snapshot of a Secure Web Server
        26. Staying Secure
          1. Audit Group Membership
          2. Monitor Audit Logs
          3. Stay Current With Service Packs and Patches
          4. Perform Security Assessments
          5. Use Security Notification Services
        27. Remote Administration
          1. Securing Terminal Services
            1. Install Terminal Services
            2. Configure Terminal Services
            3. Copying Files over RDP
        28. Simplifying and Automating Security
        29. Summary
        30. Additional Resources
      3. 17. Securing Your Application Server
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. Network Eavesdropping
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          2. Unauthorized Access
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          3. Viruses, Worms, and Trojan Horses
            1. Vulnerabilities
            2. Countermeasures
        4. Methodology
        5. Communication Channel Considerations
          1. Enterprise Services
          2. .NET Remoting
          3. Web Services
          4. SQL Server
        6. Firewall Considerations
          1. Enterprise Services
            1. Web Services
            2. DTC Requirements
          2. .NET Remoting
          3. Web Services
          4. SQL Server
        7. .NET Remoting Security Considerations
          1. Hosting in a Windows Service (TCP Channel)
          2. Hosting in IIS (HTTP Channel)
        8. Enterprise Services (COM+) Security Considerations
          1. Secure the Component Services Infrastructure
            1. What Does the Operating System Install?
            2. What Does the .NET Framework Install?
            3. Patches and Updates
            4. Services
              1. Disable the Microsoft DTC If It Is Not Required
            5. Ports
              1. Port Ranges
              2. Static Endpoint Mapping
            6. COM+ Catalog
          2. Secure Enterprise Services Applications
            1. Identity (Run As)
            2. Authentication Level
            3. COM+ Role-Based Security
              1. Enable Role-Based Security
              2. Enable Component-Level Access Checks
              3. Enforce Component-Level Access Checks
            4. Impersonation
            5. CRM Log Files
            6. Application Assemblies
        9. Summary
        10. Additional Resources
      4. 18. Securing Your Database Server
        1. Overview
        2. How to Use This Chapter
        3. Threats and Countermeasures
          1. SQL Injection
            1. Vulnerabilities
            2. Countermeasures
          2. Network Eavesdropping
            1. Vulnerabilities
            2. Countermeasures
          3. Unauthorized Server Access
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
          4. Password Cracking
            1. Vulnerabilities
            2. Attacks
            3. Countermeasures
        4. Methodology for Securing Your Server
          1. Configuration Categories
        5. SQL Server Installation Considerations
          1. What Does SQL Server Install?
        6. SQL Server Installation Recommendations
          1. Before Running SQL Server Setup
          2. Installing SQL Server
        7. Steps for Securing Your Database Server
        8. Step 1. Patches and Updates
          1. Detect Missing Service Packs and Updates
          2. Patching MSDE
        9. Step 2. Services
          1. Disable Unused SQL Server Services
          2. Disable the Microsoft DTC (if not required)
        10. Step 3. Protocols
          1. Restrict SQL Server to TCP/IP
          2. Harden the TCP/IP Stack
          3. Additional Considerations
        11. Step 4. Accounts
          1. Secure the SQL Server Service Account
            1. Accessing the Network from SQL Server
          2. Delete or Disable Unused Accounts
          3. Disable the Windows Guest Account
          4. Rename the Administrator Account
          5. Enforce Strong Password Policy
          6. Restrict Remote Logons
          7. Disable Null Sessions (Anonymous Logons)
          8. Additional Considerations
        12. Step 5. Files and Directories
          1. Verify Permissions on SQL Server Install Directories
          2. Verify Everyone Group Does Not Have Permissions for SQL Server Files
          3. Secure Setup Log Files
          4. Secure or Remove Tools, Utilities, and SDKs
          5. Additional Considerations
        13. Step 6. Shares
          1. Remove Unnecessary Shares
          2. Restrict Access to Required Shares
          3. Additional Considerations
        14. Step 7. Ports
          1. Restrict Access to the SQL Server Port
          2. Configure Named Instances to Listen on the Same Port
          3. Configure the Firewall to Support DTC Traffic (if necessary)
          4. Additional Considerations
        15. Step 8. Registry
          1. Verify Permissions for the SQL Server Registry Keys
          2. Secure the SAM (Stand-alone Servers Only)
        16. Step 9. Auditing and Logging
          1. Log All Failed Windows Logon Attempts
          2. Log All Failed Actions Across the File System
          3. Enable SQL Server Login Auditing
          4. Additional Considerations
        17. Step 10. SQL Server Security
          1. Set SQL Server Authentication to Windows Only
          2. Set SQL Server Audit Level to Failure or All
          3. Run SQL Server Using a Least Privileged Account
        18. Step 11. SQL Server Logins, Users, and Roles
          1. Use a Strong sa (System Administrator) Password
          2. Remove the SQL Guest User Account
          3. Remove the BUILTIN\Administrators Server Login
          4. Do Not Grant Permissions for the Public Role
          5. Additional Considerations
        19. Step 12. SQL Server Database Objects
          1. Remove the Sample Databases
          2. Secure Stored Procedures
          3. Secure Extended Stored Procedures
          4. Restrict cmdExec Access to the sysadmin Role
        20. Snapshot of a Secure Database Server
        21. Additional Considerations
        22. Staying Secure
          1. Perform Regular Backups
          2. Audit Group Membership
          3. Monitor Audit Logs
          4. Stay Current with Service Packs and Patches
          5. Perform Security Assessments
          6. Use Security Notification Services
        23. Remote Administration
          1. Securing Terminal Services
            1. Install Terminal Services
            2. Configure Terminal Services
            3. Copying Files over RDP
        24. Summary
        25. Additional Resources
      5. 19. Securing Your ASP.NET Application and Web Services
        1. Overview
        2. How to Use This Chapter
        3. Methodology
        4. What You Must Know
          1. ASP.NET Process Model
          2. ASP.NET Account
          3. Aspnet_setreg.exe and Process, Session, and Identity
          4. Impersonation is Not the Default
          5. HttpForbiddenHandler, URLScan, and the 404.dll
          6. AppSettings
        5. Machine.Config and Web.Config Explained
          1. Hierarchical Policy Evaluation
          2. <location>
            1. Applying Configuration Settings to Specific Files
            2. Applying Application Configuration Settings in Machine.config
            3. Locking Configuration Settings
        6. Machine.Config and Web.Config Guidelines
          1. ACLs and Permissions
            1. Machine.config
            2. Web.config
        7. Trust Levels in ASP.NET
          1. <trust>
        8. Process Identity for ASP.NET
          1. <processModel>
            1. Use the Default ASPNET Account
            2. Use a Least Privileged Custom Account
            3. Encrypt <processModel> Credentials
            4. Do Not Run ASP.NET as SYSTEM
        9. Impersonation
          1. <identity>
            1. Impersonating the Original Caller
            2. Impersonating a Fixed Identity
              1. Act as Part of the Operating System
            3. NTFS Permission Requirements
        10. Authentication
          1. <authentication>
          2. Forms Authentication Guidelines
            1. Partition Your Web Site
            2. Set Protection="All"
            3. Use Small Cookie Time-out Values
            4. Consider Using a Fixed Expiration Period
            5. Use SSL with Forms Authentication
            6. If You Do Not Use SSL, Set slidingExpiration = "false"
            7. Do Not Use the <credentials> Element on Production Servers
            8. Configure the MachineKey
            9. Use Unique Cookie Names and Paths
        11. Authorization
          1. File Authorization
          2. URL Authorization
            1. URL Authorization Notes
        12. Session State
          1. <sessionState>
          2. Securing a SQL Server Session State Store
            1. Use Windows Authentication to the Database
            2. Encrypt the sqlConnectionString
            3. Limit the Application’s Login in the Database
            4. Secure the Channel
          3. Securing the Out-of-Process State Service
            1. Use a Least Privileged Account to Run the State Service
            2. Secure the Channel
            3. Consider Changing the Default Port
            4. Encrypt the stateConnectionString
        13. View State
          1. <pages>
        14. Machine Key
          1. Use Unique Encryption Keys with Multiple Applications
          2. Set validation="SHA1"
          3. Generate Keys Manually For Web Farms
        15. Debugging
          1. <compilation>
        16. Tracing
          1. <trace>
        17. Exception Management
          1. <customErrors>
        18. Remoting
        19. Web Services
          1. Disable Web Services if They Are Not Required
          2. Disable Unused Protocols
          3. Disable the Automatic Generation of WSDL
        20. Forbidden Resources
          1. Map Protected Resources to HttpForbiddenHandler
        21. Bin Directory
          1. Secure the Bin Directory
            1. Remove Web Permissions
            2. Remove All Authentication Settings
        22. Event Log
        23. File Access
        24. ACLs and Permissions
        25. Registry
        26. Data Access
          1. Configuring Data Access for Your ASP.NET Application
        27. UNC Shares
          1. Accessing Files on UNC Shares
          2. Hosting Applications on UNC Shares
            1. Code Access Security Considerations
        28. COM/DCOM Resources
        29. Denial of Service Considerations
          1. <httpRuntime>
        30. Web Farm Considerations
          1. Session State
          2. Encryption and Verification
          3. DPAPI
        31. Snapshot of a Secure ASP.NET Application
        32. Summary
        33. Additional Resources
      6. 20. Hosting Multiple Web Applications
        1. Overview
        2. ASP.NET Architecture on Windows 2000
        3. ASP.NET Architecture on Windows Server 2003
          1. Configuring ACLs for Network Service
        4. Isolating Applications by Identity
          1. Anonymous Account Impersonation
          2. Fixed Identity Impersonation
        5. Isolating Applications with Application Pools
        6. Isolating Applications with Code Access Security
        7. Forms Authentication Issues
        8. UNC Share Hosting
        9. Summary
    10. V. Assessing Your Security
      1. 21. Code Review
        1. Overview
        2. FxCop
        3. Performing Text Searches
          1. Search for Hard-Coded Strings
            1. Automating Findstr
          2. ILDASM
        4. Cross-Site Scripting (XSS)
          1. Identify Code That Outputs Input
            1. Searching for ".Write"
          2. Identify Potentially Dangerous HTML Tags and Attributes
          3. Identify Code That Handles URLs
          4. Check That Output Is Encoded
          5. Check for Correct Character Encoding
          6. Check the validateRequest Attribute
          7. Check the HttpOnly Cookie Option
          8. Check the <frame> Security Attribute
          9. Check the Use of the innerText and innerHTML Properties
          10. More Information
        5. SQL Injection
        6. Buffer Overflows
        7. Managed Code
          1. Is Your Class Design Secure?
          2. Do You Create Threads?
          3. Do You Use Serialization?
          4. Do You Use Reflection?
          5. Do You Handle Exceptions?
          6. Do You Use Cryptography?
          7. Do You Store Secrets?
          8. Do You Use Delegates?
        8. Code Access Security
          1. Do You Support Partial-Trust Callers?
          2. Do You Restrict Access to Public Types and Members?
          3. Do You Use Declarative Security Attributes?
          4. Do You Call Assert?
          5. Do You Use Permission Demands When You Should?
          6. Do You Use Link Demands?
          7. Do You Use Potentially Dangerous Permissions?
          8. Do You Compile With the /unsafe Option?
        9. Unmanaged Code
        10. ASP.NET Pages and Controls
          1. Do You Disable Detailed Error Messages?
          2. Do You Disable Tracing?
          3. Do You Validate Form Field Input?
          4. Are You Vulnerable to XSS Attacks?
          5. Do You Validate Query String and Cookie Input?
          6. Do You Secure View State?
          7. Are Your Global.asax Event Handlers Secure?
          8. Do You Provide Adequate Authorization?
        11. Web Services
          1. Do You Expose Restricted Operations or Data?
          2. How Do You Authorize Callers?
          3. Do You Constrain Privileged Operations?
          4. Do You Use Custom Authentication?
          5. Do You Validate All Input?
          6. Do You Validate SOAP Headers?
        12. Serviced Components
          1. Do You Use Assembly Level Metadata?
          2. Do You Prevent Anonymous Access?
          3. Do You Use a Restricted Impersonation Level?
          4. Do You Use Role-Based Security?
          5. Do You Use Object Constructor Strings?
          6. Do You Audit in the Middle Tier?
        13. Remoting
          1. Do You Pass Objects as Parameters?
          2. Do You Use Custom Authentication and Principal Objects?
          3. How Do You Configure Proxy Credentials?
        14. Data Access Code
          1. Do You Prevent SQL Injection?
          2. Do You Use Windows Authentication?
          3. Do You Secure Database Connection Strings?
          4. How Do You Restrict Unauthorized Code?
          5. How Do You Secure Sensitive Data in the Database?
          6. Do You Handle ADO.NET Exceptions?
          7. Do You Close Database Connections?
        15. Summary
        16. Additional Resources
      2. 22. Deployment Review
        1. Overview
        2. Web Server Configuration
          1. Patches and Updates
          2. Services
          3. Protocols
          4. Accounts
          5. Files and Directories
          6. Shares
          7. Ports
          8. Registry
          9. Auditing and Logging
        3. IIS Configuration
          1. IISLockdown
          2. URLScan
          3. Sites and Virtual Directories
            1. Web Site Location
            2. Script Mappings
            3. Anonymous Internet User Accounts
            4. Auditing and Logging
            5. Web Permissions
            6. IP Address and Domain Name Restrictions
            7. Authentication
            8. Parent Path Setting
            9. FrontPage Server Extensions (FPSE)
          4. ISAPI Filters
          5. IIS Metabase
          6. Server Certificates
        4. Machine.Config
          1. <trace>
          2. <httpRuntime>
          3. <compilation>
          4. <pages>
          5. <customErrors>
          6. <authentication>
            1. Forms Authentication
          7. <identity>
          8. <authorization>
          9. <machineKey>
          10. <trust>
          11. <sessionState>
          12. <httpHandlers>
          13. <processModel>
        5. Web Services
        6. Enterprise Services
          1. Accounts
          2. Files and Directories
          3. Authentication
            1. Server Applications
            2. Library Applications
          4. Authorization
          5. Remote Serviced Components
        7. Remoting
          1. Port Considerations
          2. Hosting in ASP.NET with the HttpChannel
          3. Hosting in a Custom Process with the TcpChannel
        8. Database Server Configuration
          1. Patches and Updates
          2. Services
          3. Protocols
          4. Accounts
          5. Files and Directories
          6. Shares
          7. Ports
          8. Registry
          9. Auditing and Logging
          10. SQL Server Security
          11. SQL Server Logins, Users, and Roles
          12. SQL Server Database Objects
        9. Network Configuration
          1. Router
          2. Firewall
          3. Switch
        10. Summary
    11. A. Related Security Resources
      1. Related Microsoft patterns & practices Guidance
        1. More Information
      2. Security-Related Web Sites
        1. Microsoft Security-Related Web Sites
        2. Third-Party, Security-Related Web Sites
      3. Microsoft Security Services
      4. Partners and Service Providers
      5. Communities and Newsgroups
        1. Newsgroup Home Pages
      6. Patches and Updates
        1. Service Packs
      7. Alerts and Notification
        1. Microsoft Security Notification Services
        2. Third Party Security Notification Services
      8. Additional Resources
        1. Checklists and Assessment Guidelines
        2. Common Criteria
        3. Reference Hub
        4. Security Knowledge in Practice
        5. Vulnerabilities
        6. World Wide Web Security FAQ
    12. B. Index of Checklists
      1. Overview
      2. Designing Checklist
      3. Building Checklists
      4. Securing Checklists
      5. Assessing Checklist
    13. C. Checklist: Architecture and Design Review
      1. How to Use This Checklist
      2. Deployment and Infrastructure Considerations
      3. Application Architecture and Design Considerations
        1. Input Validation
        2. Authentication
        3. Authorization
        4. Configuration Management
        5. Sensitive Data
        6. Session Management
        7. Cryptography
        8. Parameter Manipulation
        9. Exception Management
        10. Auditing and Logging
    14. D. Checklist: Securing ASP.NET
      1. How to Use This Checklist
      2. Design Considerations
      3. Application Categories Considerations
        1. Input Validation
        2. Authentication
        3. Authorization
        4. Configuration Management
        5. Sensitive Data
        6. Session Management
        7. Parameter Manipulation
        8. Exception Management
        9. Auditing and Logging
      4. Configuration File Settings
        1. Web Farm Considerations
        2. Hosting Multiple Applications
        3. ACLs and Permissions
        4. Application Bin Directory
    15. E. Checklist: Securing Web Services
      1. How to Use This Checklist
      2. Design Considerations
      3. Development Considerations
        1. Input Validation
        2. Authentication
        3. Authorization
        4. Sensitive Data
        5. Parameter Manipulation
        6. Exception Management
        7. Auditing and Logging
        8. Proxy Considerations
      4. Administration Considerations
    16. F. Checklist: Securing Enterprise Services
      1. How to Use This Checklist
      2. Developer Checks
        1. Authentication
        2. Authorization
        3. Configuration Management
        4. Sensitive Data
        5. Auditing and Logging
        6. Deployment Considerations
        7. Impersonation
      3. Administrator Checklist
    17. G. Checklist: Securing Remoting
      1. How to Use This Checklist
      2. Design Considerations
      3. Input Validation
      4. Authentication
      5. Authorization
      6. Configuration Management
      7. Sensitive Data
      8. Exception Management
      9. Auditing and Logging
    18. H. Checklist: Securing Data Access
      1. How to Use This Checklist
      2. SQL Injection Checks
      3. Authentication
      4. Authorization
      5. Configuration Management
      6. Sensitive Data
      7. Exception Management
      8. Deployment Considerations
    19. I. Checklist: Securing Your Network
      1. How to Use This Checklist
      2. Router Considerations
      3. Firewall Considerations
      4. Switch Considerations
    20. J. Checklist: Securing Your Web Server
      1. How to Use This Checklist
        1. Patches and Updates
        2. IISLockdown
        3. Services
        4. Protocols
        5. Accounts
        6. Files and Directories
        7. Shares
        8. Ports
        9. Registry
        10. Auditing and Logging
        11. Sites and Virtual Directories
        12. Script Mappings
        13. ISAPI Filters
        14. IIS Metabase
        15. Server Certificates
        16. Machine.config
        17. Code Access Security
        18. Other Check Points
      2. Dos and Don’ts
    21. K. Checklist: Securing Your Database Server
      1. How to Use This Checklist
      2. Installation Considerations for Production Servers
      3. Patches and Updates
      4. Services
      5. Protocols
      6. Accounts
      7. Files and Directories
      8. Shares
      9. Ports
      10. Registry
      11. Auditing and Logging
      12. SQL Server Security
      13. SQL Server Logins, Users, and Roles
      14. SQL Server Database Objects
      15. Additional Considerations
      16. Staying Secure
    22. L. Checklist: Security Review for Managed Code
      1. How to Use This Checklist
      2. General Code Review Guidelines
      3. Managed Code Review Guidelines
        1. Assembly-Level Checks
        2. Class-Level Checks
        3. Cryptography
        4. Secrets
        5. Exception Management
        6. Delegates
        7. Serialization
        8. Threading
        9. Reflection
        10. Unmanaged Code Access
      4. Resource Access Considerations
        1. File I/O
        2. Event Log
        3. Registry
        4. Environment Variables
      5. Code Access Security Considerations
    23. M. How To: Index
    24. N. How To: Implement Patch Management
      1. Applies To
      2. Summary
      3. What You Must Know
        1. The Patch Management Process
        2. The Role of MBSA in Patch Management
        3. Backups and Patch Management
      4. Before You Begin
        1. Tools You Will Need
      5. Contents
      6. Detecting
        1. MBSA Output Explained
      7. Assessing
      8. Acquiring
      9. Testing
        1. Methods for Testing Security Patches
        2. Confirming the Installation of a Patch
        3. Uninstalling a Security Patch
      10. Deploying
        1. Using Software Update Services (SUS)
        2. Using Systems Management Server (SMS)
      11. Maintaining
        1. Performing Security Assessments
        2. Using Security Notification Services
      12. Additional Considerations
      13. Additional Resources
    25. O. How To: Harden the TCP/IP Stack
      1. Applies To
      2. Summary
      3. What You Must Know
      4. Contents
      5. Protect Against SYN Attacks
        1. Enable SYN Attack Protection
        2. Set SYN Protection Thresholds
        3. Set Additional Protections
      6. Protect Against ICMP Attacks
      7. Protect Against SNMP Attacks
      8. AFD.SYS Protections
      9. Additional Protections
        1. Protect Screened Network Details
        2. Avoid Accepting Fragmented Packets
        3. Do Not Forward Packets Destined for Multiple Hosts
        4. Only Firewalls Forward Packets Between Networks
        5. Mask Network Topology Details
      10. Pitfalls
      11. Additional Resources
    26. P. How To: Secure Your Developer Workstation
      1. Applies To
      2. Summary
      3. Before You Begin
      4. Steps to Secure Your Developer Workstation
      5. Run Using a Least-Privileged Account
        1. Running Privileged Commands
        2. More Information
      6. Patch and Update
        1. Using Windows Update
        2. Using MBSA
        3. Using Automatic Updates
      7. Secure IIS
        1. Install and Run IISLockdown
          1. Pitfalls
        2. Configure URLScan
          1. Pitfalls
      8. Secure SQL Server and MSDE
        1. Apply Patches for Each Instance of SQL Server and MSDE
        2. Analyze SQL Server and MSDE Security Configuration
      9. Evaluate Your Configuration Categories
      10. Stay Secure
    27. Q. How To: Use IPSec for Filtering Ports and Authentication
      1. Applies To
      2. Summary
      3. Contents
      4. What You Must Know
        1. Identify Your Protocol and Port Requirements
        2. IPSec Does Not Secure All Communication
        3. Firewalls and IPSec
        4. Filters, Filter Actions, and Rules
      5. Restricting Web Server Communication
        1. Summary of What You Just Did
      6. Restricting Database Server Communication
      7. Restricting Server-to-Server Communication
      8. Using IPSec Tools
        1. Netdiag.exe
        2. IPSecpol.exe
      9. Additional Resources
    28. R. How To: Use the Microsoft Baseline Security Analyzer
      1. Applies To
      2. Summary
      3. Contents
      4. Before You Begin
      5. What You Must Know
      6. Scanning for Security Updates and Patches
        1. Using the Graphical Interface
        2. Using the Command Line (Mbsacli.exe)
        3. Analyzing the Output
      7. Scanning Multiple Systems for Updates and Patches
      8. SQL Server and MSDE Specifics
      9. Scanning for Secure Configuration
        1. Performing the Scan
        2. Analyzing the Scan
        3. Correcting Issues Found
      10. Additional Information
        1. False Positives From Security Update Checks
        2. Requirements for Performing Remote Scans
        3. Password Scans
        4. Differences Between Mbsa.exe and Mbsacli.exe
      11. Additional Resources
    29. S. How To: Use IISLockdown.exe
      1. Applies To
      2. Summary
      3. What Does IISLockdown Do?
      4. Installing IISLockdown
      5. Running IISLockdown
      6. Log Files
      7. Undoing IISLockdown Changes
      8. Unattended Execution
      9. Pitfalls
    30. T. How To: Use URLScan
      1. Applies To
      2. Summary
      3. Contents
      4. Installing URLScan
      5. Log Files
      6. Removing URLScan
      7. Configuring URLScan
      8. Throttling Request Sizes with URLScan
      9. Debugging VS .NET with URLScan Installed
      10. Masking Content Headers (Banners)
      11. Pitfalls
      12. References
    31. U. How To: Create a Custom Encryption Permission
      1. Applies To
      2. Summary
      3. Before You Begin
      4. Summary of Steps
        1. Step 1. Create the EncryptionPermission Class
        2. Step 2. Create the EncryptionPermissionAttribute Class
        3. Step 3. Install the Permission Assembly in the GAC
        4. Step 4. Update the DPAPI Managed Wrapper Code
        5. Step 5. Call DPAPI from a Medium Trust Web Application
    32. V. How To: Use Code Access Security Policy to Constrain an Assembly
      1. Applies To
      2. Summary
      3. Before You Begin
      4. Summary of Steps
      5. Step 1. Create an Assembly That Performs File I/O
      6. Step 2. Create a Web Application
      7. Step 3. Test File I/O with No Code Access Security Constraints
      8. Step 4. Configure Code Access Security Policy to Constrain File I/O
      9. Step 5. Test File I/O With Code Access Security Constraints
    33. Index