Table of Contents for Security for Microsoft® Visual Basic® .NET
by Michael James Bond, Ed Robinson
Introduction
How to Use This Book
How to Use the Code Samples
Create a Desktop Shortcut for Running Tools
A Final Word
Corrections, Comments, and Help
Acknowledgments
I. Development Techniques
1. Encryption
Practice Files
Hash Digests
Private Key Encryption
Keeping Private Keys Safe
Public Key Encryption
Hiding Unnecessary Information
Encryption in the Real World
Summary
2. Role-Based Authorization
Role-Based Authorization Exercise
Windows Integrated Security
ASP.NET Authentication and Authorization
Role-Based Authorization in the Real World
Summary
3. Code-Access Security
How Actions Are Considered Safe or Unsafe
What Prevents Harmful Code from Executing?
It’s On By Default
Security Features and the Visual Basic .NET Developer
Code-Access Security vs. Application Role-Based Security
Code-Access Security Preempts Application Role-Based Security
Run Your Code in Different Security Zones
What Code-Access Security Is Meant To Protect
Permissions—The Basis of What Your Code Can Do
Security Zones and Trust Levels
Security Zones and Permissions
Local Intranet, Internet, and Trusted Sites Zones
How Visual Basic .NET Determines Zone
Ensuring That Your Code Will Run Safely
Cooperating with the Security System
Code-Access Security in the Real World
Summary
4. ASP.NET Authentication
EmployeeManagementWeb Practice Files
Forms Authentication
Windows Integrated Security Authentication
Passport Authentication
Install the Passport SDK
ASP.NET Authentication in the Real World
Summary
5. Securing Web Applications
Secure Sockets Layer
How SSL Works
Securing Web Services
Implementing an Audit Trail
Securing Web Applications in the Real World
Summary
II. Ensuring Hack-Resistant Code
6. Application Attacks and How to Avoid Them
Denial of Service Attacks
Defensive Techniques for DoS Attacks
Defending Against Memory and Resource DoS Attacks
File-Based or Directory-Based Attacks
Defensive Technique for File-Based or Directory-Based Attacks
Enforce Canonical Filenames
SQL-Injection Attacks
Defensive Techniques for SQL-Injection Attacks
Validate Input Parameters
Use Parameterized Queries
Add a Stored Procedure to Validate the User
Cross-Site Scripting Attacks
When HTML Script Injection Becomes a Problem
Defensive Techniques for Cross-Site Scripting Attacks
Use Server.HtmlEncode and Server.UrlEncode
Check All Input for Content and Length
Child-Application Attacks
Defensive Technique for Child-Application Attacks
Use Quotes Around All Path Names
Guarding Against Attacks in the Real World
Summary
7. Validating Input
Working with Input Types and Validation Tools
Direct User Input
Validation Tools Available to Windows Forms Applications
Validation Tools Available to ASP.NET Web Applications
General Language Validation Tools
Regular Expressions
Parse Method
Web Application Input
Don’t Rely on Data Sent to the Client
Nonuser Input
Input to Subroutines
Summary
8. Handling Exceptions
Where Exceptions Occur
Exception Handling
Global Exception Handlers
Exception Handling in the Real World
Summary
9. Testing for Attack-Resistant Code
Plan of Attack—The Test Plan
Brainstorm—Generate Security-Related Scenarios
Take the Attacker’s View
Create a Blueprint of Your Application
Create Scenarios Based on Inroads for Attack
Get Focused—Prioritize Scenarios
Prioritize Security-Related Scenarios Based on Threats
Generate Tests
Filter and Prioritize Tests for Each Scenario
Attack—Execute the Plan
Testing Approaches
Writing Self-Testing Code
Ad Hoc, or Manual, Testing
Automated Unit Testing
Stress Testing
Testing Tools
Create Your Own Test Tools
Example: Create a Test Tool for Testing Web Applications
Test in the Target Environment
Make Testing for Security a Priority
Common Testing Mistakes
Testing Too Little, Too Late
Failing to Test and Retest for Security
Failing to Factor In the Cost of Testing
Relying Too Much on Beta Feedback
Assuming Third-Party Components Are Safe
Testing in the Real World
Summary
III. Deployment and Configuration
10. Securing Your Application for Deployment
Deployment Techniques
XCopy Deployment
No-Touch Deployment
Windows Installer Deployment
Cabinet-File Deployment
Code-Access Security and Deployment
Deploy and Run Your Application in the .NET Security Sandbox
Certificates and Signing
Digital Certificates
X.509 Certificate
Obtain an X.509 Certificate from a Certificate Authority
Keep Your Private Keys Safe
Authenticode Signing
When to Use Authenticode Signing
When the Authenticode Signature Is Checked
Incorporate Authenticode Signing in Your Build Process
Strong-Name Signing
Strong Names vs. Weak Names
Strong-Named Visual Basic .NET .DLLs and Partial Trust
Authenticode Signing vs. Strong Naming
Should You Authenticode-Sign and Strong-Name Your Application?
Strong Naming, Certificates, and Signing Exercise
Deploying .NET Security Policy Updates
Update .NET Enterprise Security Policy
Deploy .NET Enterprise Security Policy Updates
Protecting Your Code—Obfuscation
Obscurity <> Security
Deployment Checklist
Deployment in the Real World
Summary
11. Locking Down Windows, Internet Information Services, and .NET
"I’m Already Protected. I’m Using a Firewall."
Fundamental Lockdown Principles
Automated Tools
Locking Down Windows Clients
Format Disk Drives Using NTFS
Disable Auto Logon
Enable Auditing
Turn Off Unnecessary Services
Turn Off Unnecessary Sharing
Use Screen-Saver Passwords
Remove File-Sharing Software
Implement BIOS Password Protection
Disable Boot from Floppy Drive
Locking Down Windows Servers
Isolate Domain Controller
Disable and Delete Unnecessary Accounts
Install a Firewall
Locking Down IIS
Disable Unnecessary Internet Services
Disable Unnecessary Script Maps
Remove Samples
Enable IIS Logging
Restrict IUSR_<computername>
Install URLScan
Locking Down .NET
Summary
12. Securing Databases
Core Database Security Concepts
SQL Server Authentication
Determining Who Is Logged On
How SQL Server Assigns Privileges
SQL Server Authorization
Microsoft Access Authentication and Authorization
Microsoft Access User-Level Security Models
Locking Down Microsoft Access
Locking Down SQL Server
Summary
IV. Enterprise-Level Security
13. Ten Steps to Designing a Secure Enterprise System
Design Challenges
Step 1: Believe You Will Be Attacked
Step 2: Design and Implement Security at the Beginning
Step 3: Educate the Team
Step 4: Design a Secure Architecture
Named-Pipes vs. TCP-IP
If You Do Nothing Else...
Step 5: Threat-Model the Vulnerabilities
Step 6: Use Windows Security Features
Step 7: Design for Simplicity and Usability
Step 8: No Back Doors
Step 9: Secure the Network with a Firewall
Step 10: Design for Maintenance
Summary
14. Threats—Analyze, Prevent, Detect, and Respond
Analyze for Threats and Vulnerabilities
Identify and Prioritize
Identify Threats
Prioritize Threats
Prevent Attacks by Mitigating Threats
Mitigating Threats
Detection
Early Detection
Detecting That an Attack Has Taken Place or Is in Progress
Determining Whether to Trust Your Detection Mechanisms
Humans: The Key to Success
Respond to an Attack
Prepare for a Response
Security Threats in the Real World
Summary
15. Threat Analysis Exercise
Analyze for Threats
Allocate Time
Prioritize Analysis Based on the Function of Each Component
Plan and Document Your Threat Analysis
Create a Laundry List of Threats
Draw Architectural Sketch and Review for Threats
Review Code for Threats
Prioritize Threats
Respond to Threats
Summary
16. Future Trends
The Arms Race of Hacking
No Operating System Is Safe
Cyber-Terrorism
What Happens Next?
Responding to Security Threats
Privacy vs. Security
The IPv6 Internet Protocol
Government Initiatives
Microsoft Initiatives
Summary
A. Guide to the Code Samples
Employee Management System
Employee Management Web
Encryption Demo
TogglePassportEnvironment utility
Employee Database Structure
Migrating the Employee Database to SQL Server 2000
B. Contents of SecurityLibrary.vb
Hash Digests
Private Key Encryption
DPAPI Encryption
Public Key Encryption
Logging Exceptions
Role-Based Security
Validating Input
C. About the Authors
Ed Robinson
Michael Bond
Index