Security for Microsoft Visual Basic .NET
Available
Contents

Introduction

Part I  Development Techniques

Encryption
    Practice Files
    Hash Digests
    Private Key Encryption
        Keeping Private Keys Safe
    Public Key Encryption
    Hiding Unnecessary Information
    Encryption in the Real World
    Summary

Role-Based Authorization
    Role-Based Authorization Exercise
    Windows Integrated Security
    ASP.NET Authentication and Authorization
    Role-Based Authorization in the Real World
    Summary

Code-Access Security
    How Actions Are Considered Safe or Unsafe
    What Prevents Harmful Code from Executing?
    It's On By Default
    Security Features and the Visual Basic .NET Developer
    Code-Access Security vs. Application Role-Based Security
        Code-Access Security Preempts Application Role-Based Security
    Run Your Code in Different Security Zones
        What Code-Access Security Is Meant to Protect
        Permissions---The Basis of What Your Code Can Do
        Ensuring That Your Code Will Run Safely
        Cooperating with the Security System
    Code-Access Security in the Real World
    Summary

ASP.NET Authentication
    EmployeeManagementWeb Practice Files
    Forms Authentication
    Windows Integrated Security Authentication
    Passport Authentication
        Install the Passport SDK
    ASP.NET Authentication in the Real World
    Summary

Securing Web Applications
    Secure Sockets Layer
        How SSL Works
    Securing Web Services
    Implementing an Audit Trail
    Securing Web Applications in the Real World
    Summary

Part II  Ensuring Hack-Resistant Code

Application Attacks and How to Avoid Them
    Denial of Service Attacks
        Defensive Techniques for DoS Attacks
    File-Based or Directory-Based Attacks
        Defensive Technique for File-Based or Directory-Based Attacks
    SQL-Injection Attacks
        Defensive Techniques for SQL-Injection Attacks
    Cross-Site Scripting Attacks
        When HTML Script Injection Becomes a Problem
        Defensive Techniques for Cross-Site Scripting Attacks
    Child-Application Attacks
        Defensive Technique for Child-Application Attacks
    Guarding Against Attacks in the Real World
    Summary

Validating Input
    Working with Input Types and Validation Tools
        Direct User Input
        General Language Validation Tools
        Web Application Input
        Nonuser Input
        Input to Subroutines
    Summary

Handling Exceptions
    Where Exceptions Occur
    Exception Handling
    Global Exception Handlers
    Exception Handling in the Real World
    Summary

Testing for Attack-Resistant Code
    Plan of Attack---The Test Plan
        Brainstorm---Generate Security-Related Scenarios
        Get Focused---Prioritize Scenarios
        Generate Tests
    Attack---Execute the Plan
        Testing Approaches
        Testing Tools
        Test in the Target Environment
    Make Testing for Security a Priority
    Common Testing Mistakes
        Testing Too Little, Too Late
        Failing to Test and Retest for Security
        Failing to Factor in the Cost of Testing
        Relying Too Much on Beta Feedback
        Assuming Third-Party Components Are Safe
    Testing in the Real World
    Summary

Part III  Deployment and Configuration

Securing Your Application for Deployment
    Deployment Techniques
        XCopy Deployment
        No-Touch Deployment
        Windows Installer Deployment
        Cabinet-File Deployment
    Code-Access Security and Deployment
        Deploy and Run Your Application in the .NET Security Sandbox
    Certificates and Signing
        Digital Certificates
        Authenticode Signing
        Strong-Name Signing
        Authenticode Signing vs. Strong Naming
        Strong Naming, Certificates, and Signing Exercise
    Deploying .NET Security Policy Updates
        Update .NET Enterprise Security Policy
        Deploy .NET Enterprise Security Policy Updates
    Protecting Your Code---Obfuscation
        Obscurity <> Security
    Deployment Checklist
    Deployment in the Real World
    Summary

Locking Down Windows, Internet Information Services, and .NET
    "I'm Already Protected. I'm Using a Firewall."
    Fundamental Lockdown Principles
    Automated Tools
    Locking Down Windows Clients
        Format Disk Drives Using NTFS
        Disable Auto Logon
        Enable Auditing
        Turn Off Unnecessary Services
        Turn Off Unnecessary Sharing
        Use Screen-Saver Passwords
        Remove File-Sharing Software
        Implement BIOS Password Protection
        Disable Boot from Floppy Drive
    Locking Down Windows Servers
        Isolate Domain Controller
        Disable and Delete Unnecessary Accounts
        Install a Firewall
    Locking Down IIS
        Disable Unnecessary Internet Services
        Disable Unnecessary Script Maps
        Remove Samples
        Enable IIS Logging
        Restrict IUSR_<computername>
        Install URLScan
    Locking Down .NET
    Summary

Securing Databases
    Core Database Security Concepts
    SQL Server Authentication
        Determining Who Is Logged On
        How SQL Server Assigns Privileges
    SQL Server Authorization
    Microsoft Access Authentication and Authorization
        Microsoft Access User-Level Security Models
    Locking Down Microsoft Access
    Locking Down SQL Server
    Summary

Part IV  Enterprise-Level Security

Ten Steps to Designing a Secure Enterprise System
    Design Challenges
    Step 1: Believe You Will Be Attacked
    Step 2: Design and Implement Security at the Beginning
    Step 3: Educate the Team
    Step 4: Design a Secure Architecture
        Named-Pipes vs. TCP-IP
        If You Do Nothing Else...
    Step 5: Threat-Model the Vulnerabilities
    Step 6: Use Windows Security Features
    Step 7: Design for Simplicity and Usability
    Step 8: No Back Doors
    Step 9: Secure the Network with a Firewall
    Step 10: Design for Maintenance
    Summary

Threats---Analyze, Prevent, Detect, and Respond
    Analyze for Threats and Vulnerabilities
        Identify and Prioritize
    Prevent Attacks by Mitigating Threats
        Mitigating Threats
    Detection
        Early Detection
        Detecting That an Attack Has Taken Place or Is in Progress
    Respond to an Attack
        Prepare for a Response
    Security Threats in the Real World
    Summary

Threat Analysis Exercise
    Analyze for Threats
        Allocate Time
        Plan and Document Your Threat Analysis
        Create a Laundry List of Threats
        Prioritize Threats
    Respond to Threats
    Summary

Future Trends
    The Arms Race of Hacking
        No Operating System Is Safe
        Cyber-Terrorism
    What Happens Next?
    Responding to Security Threats
        Privacy vs. Security
        The IPv6 Internet Protocol
        Government Initiatives
        Microsoft Initiatives
    Summary

Guide to the Code Samples
    Contents of SecurityLibrary.vb

Index
Paperback | 416 pages | English
1st edition | Published in 2003
Category: