Security for Microsoft® Visual Basic® .NET
Author: Ed Robinson, Michael James Bond
Pages: 416
Disk: N/A
Level: Beg/Int
Published: 05/28/2003
ISBN: 9780735619197
Price: $49.99
Index
A
access
code. See code-access security
directories, 38-41
permission for. See permissions
roles. See role-based security
settings, storing, 68
Web services, 107
Access, Microsoft
authentication, 291-296
authorization, 295
database sample for exercises, 6
EmployeeDatabase.mdb, 363
Full Rights model, 292-293
locking down, 297-298
None authentication option, 292
Owner-Admin model, 293
password authentication, 292
permissions, 295
service packs for, 298
setting up authentication, 293-296
user-level security, 292-296
VBA code protection, 297
Windows NT file protection, 297
workgroup creation, 294
accounts
Administrator, 279
Anonymous users, 39, 80, 86
disabling, 278-279
guest user, 289, 290
sa, 134, 299
SQL Server, 298
Achilles, 214
ACT (Microsoft Application Center Test), 213-214
Active Directory
advantages for authorization, 42
permissions for, 60
referencing services, 36
searching for roles, 35-38
ActiveX
buffer overrun vulnerability, 154
deployment, 228
ad hoc testing, 209, 210-211
Administrator accounts, disabling, 279
Aimster, 277
AllowPartiallyTrustedCallers attribute, 48, 241-242
Anakrino, 202, 214
analyzing for vulnerabilities. See also threat analysis
identifying threats, 321-324
methods for avoiding damage, list of, 320
overview, 320-321
prioritizing threats, 324-326
anomaly detection, 331
anonymity as an issue, 356-357
anonymizer.com, 356
Anonymous users, 39, 80, 86
anti-replay protection, 359
antivirus software, 272
ANTS, 214
API functions, 342
Apple OS vulnerabilities, 352
application firewalls, 315
application-level attacks
buffer overruns, 153-154, 350-352
child-application attacks, 151-153
cross-site scripting. See cross-site scripting attacks
denial of service. See denial of service (DoS) attacks
directory-based attacks, 127-131
file-based attacks, 127-131
real-world considerations, 155
SQL-injection. See SQL-injection attacks
XSS. See cross-site scripting attacks
architecture
designing secure, 307-311
diagrams for threat analysis, 339-341
distributed, 307
minimum security measures, 311
named-pipes vs. TCP/IP, 310-311
arms race nature of security, 350-352, 355
ASP.NET
anonymous users, 39
authenticated users, 39
BUILTIN qualifier, 41
cross-site scripting attack vulnerability, 141-144
Passport for. See Passport authentication
Request object, 172-174
role-based authorization, 38-41
validator controls, 160-163
Web Forms, 65-66
Web.config file, Authorization section, 39-41
zone assignment, 65-66
ASP.NET authentication
adding secure areas, 78-80
Anonymous users, denying access to, 80
authorization with, 76
choosing a method for, 98
EmployeeManagementWeb sample application, 77
Forms authentication, 76-83
None option, 76
real-world considerations, 98
types of, 75-76
Windows integrated security for, 76, 84-87
.aspx pages, sample default page, 367
assemblies, strong vs. weak naming, 239-240
Assembly keyword, 343
Assert, 48
attack signature detection, 331
attack surface area
defined, 185
reducing for platforms. See locking down
attacks. See also threats
ActiveX vulnerability, 154
advantages of .NET, 155
assessing damage from, 333
attacker's view, taking, 200-201
bandwidth starvation, 123
buffer overruns, 153-154, 350-352
bypassing UI attacks, 327
child-application attacks, 151-153
code access, 202
CPU starvation, 122, 124
creating scenarios based on inroads, 203-204
cross-site scripting. See cross-site scripting attacks
decomposing applications, 200
denial of service. See denial of service (DoS) attacks
deploying fixes for, 334
detecting. See detecting attacks
detection systems, on, 332
device names, 131
directory-based, 127-131
file-based, 127-131
fixes, 333
input-related, 158
inventory of installed components, 200
memory starvation, 122, 124-127
network hijacking, 214
planning responses for, 334
preserving evidence of, 333
prioritizing scenarios, 204-206
real-world considerations, 155, 334-335
resource starvation, 122, 124-127
responding to, 333-334
restoring systems after, 333
root cause detection, 333
scenarios. See scenarios, attack
social engineering, 354-355
SQL-injection. See SQL-injection attacks
steps after detecting, 335
steps in securing from, 319
stopping damage from, 333
system crash DoS, 123
testing to prevent. See testing
threat mitigation, 326-328
tools available for, 355
user notification of, 334
XSS. See cross-site scripting attacks
attributes, security policy permission, 254-255
auditing
activity types, based on, 358
Big Brother systems, 357-358
enabling, 276
importance of, 357
SQL Server, 300
trace-back, 357
trails, creating, 113-115
authentication
ASP.NET. See ASP.NET authentication
database, 284-290, 291-296
forms. See Forms authentication, ASP.NET
Microsoft Access, 291-296
Mixed Mode, 285-287
Passport. See Passport authentication
passwords, encrypted, 24
privacy issues, 357
role-based. See role-based security
SQL Server. See SQL Server authentication
user-level security for Access, 292-296
Web services with, 107
Windows. See Windows authentication
Windows integrated security, 84-87
X.509 certificates, 233-235
Authenticode signing
overview, 235-238
sample application, 243-253
setup packages, 251-253
SignCode.exe, signing with, 248-249
strong naming, compared to, 242-243
timestamp services, 248
authorization
ASP.NET-based, 38-41
AzMan, 361
column level, 291
databases, 284, 291, 295
Microsoft Access, 295
real world-problems, 41-42
role-based. See role-based security
row level, 291
SQL Server, 291
table level, 291
Web services, for, 107
Authorization Manager (AzMan), 361
automated unit testing, 209, 211-212, 214
AzMan (Authorization Manager), 361
B
back doors
eliminating, 314
locking down, 273
backing up servers, 272
bandwidth starvation attacks, 123
Big Brother systems, 357-358
binaries, scanning, 200
BIOS passwords, 277-278
blueprints of applications, 201-203
browsers
hidden field vulnerability, 203
IE security zones, 57
SSL support, 103
brute force attacks, 17
budget limitations, 304
buffer overrun attacks
overview of, 153-154
SQL Slammer worm, 306, 329, 350-352
bugs, Web security, 102
builds
Authenticode with, 238
obfuscating, 264-266
bypassing UI attack, 327
C
cabinet (.CAB) files
overview, 228
sandbox with, 231
when to use, 230
canonical filenames, 128
CAS. See code-access security
casing, 159
CERT Web site, 352
certificate authorities, 104, 234-235
certificates. See digital certificates
challenges to designing security, 304-305
CharacterCasing property of TextBox, 159
ChDir keyword, 342
ChDrive keyword, 342
child-applications attacks, 151-153
cipher text, 3
class library zone assignments, 65
client-server applications
architecture recommended, 310
auditing, enabling, 276
BIOS passwords, 277-278
disabling auto logon, 275
file-sharing software, 277
floppy drives, disabling booting from, 278
locking down, 275-278
MBSA with, 275
NTFS recommended, 275
screen saver passwords, 277
sharing, turning off, 276-277
spoofing hashes, 7
turning off services, 276
Windows clients, 275-278
clsEmployee sample class, 367
Cobalt server appliance vulnerabilities, 352
code
access. See code-access security
managed, 361
obfuscating, 264-266
code samples
.aspx sample, 367
DPAPI, 375-376
EmployeeDatabase.mdb, 363
EmployeeManagementWeb, 77, 367-370
EMS. See Employee Management System sample application
encryption demo, 363
practice files for chapters, 363
TogglePassportEnvironment utility, 363, 371
Web site for, 363
code-access security
chained calls, 61
components, restricting, 45
cooperating with system, 68-71
defaults, 47
defined, 45
Demands, 47, 48
deployment, 67, 228, 230-232
digital signatures, 67
evidence, 46, 56
file access sample, 51-54
functions blocked by default, 47
goals of, 45, 55
highly-trusted applications, 46
highly-untrusted applications, 46
Internet Explorer zones, 57
Internet warning, 47
isolated storage, 68-71
loading options for applications, 67
location factor, 46
luring attacks, 60-61
modifying policy, 67-68
network share file access, 52-54
next generation applications, 73
OS restrictions, 50-51
permission types, 46
preemption of roles, 49-50
preventing execution, means of, 47
purpose of, 46
role-based security, compared to, 49
safe vs. unsafe actions, 46
sandboxes, 231-232
security zones, 56-60
SecurityException, 54
settings, storing, 68
single computer, applications on, 51-52
system components, 48
tactics for critical operations, 66
trust, 46, 56-60
unexpected results from, 48
Windows Installer for permissions with, 231
collisions, 11
column level authorization, 291
COM interop-based exceptions, 193
commenting in code, 347
CompareValidator, 160
components
access, restricting, 45
code security of. See code-access security
diagramming for threat analysis, 339
conflicts, multiuser, 184
constants, viewing, 202
control systems, 102
controls, validating input of, 160-163
cookies
attacks with, 341, 345
Cookie Pal, 214
Cookies collection, 172
Forms authentication generated, 78, 81
costs, increasing, trend of, 355
CPU starvation attacks, 122, 124
crashes
DoS attacks creating, 122-124
exceptions caused by, 185
Create keyword, 342
credit cards, 116
cross-site scripting attacks
dangerous HTML scripts, 145
defensive techniques, 148-151
defined, 141
escape sequences, 149
HTML entities, 149
HTML link creation for, 147-148
input length checks, 151
inserting false logon pages, 146-148
problems with HTML, 145-148
Request.QueryString, 151
Server.HtmlEncode, 148-151
Server.UrlEncode, 149-151
testing against, 203
turning off Request object validation, 145
ValidateRequest attribute, 144, 150
VB .NET 2003 protection from, 144
vulnerable application example, 141-144
CSRs (certificate signing requests), 104
currency validation, 166-167
CustomValidator, 161
cyber-terrorism, 352-354
D
Dashboard sample form, 364
data authentication, 359
Data Encryption Standard. See Triple-DES
data or input tampering attacks, 327
databases
Access, Microsoft. See Access, Microsoft
Access authentication, 291-296
administrating accounts, 285
authentication, 284-296
authorization, 284, 289-291, 295
blank password problem, 285
column-level authorization, 291
importance of, 283
locking down, 284
logons, setting up, 287-288
Mixed Mode authentication, 285-287
permissions for, 295
privilege assignment, 289-290
removing unencrypted fields, 22-23
row-level authorization, 291
sample for exercises, 6
single authentication method, 285
SQL. See SQL Server, Microsoft
SQL authentication. See SQL Server authentication
SQL injection. See SQL-injection attacks
SQL Slammer worm, 306, 329, 350-352
table-level authorization, 291
testing security of, 203
Windows Authentication, changing to, 286-287
dates, validating, 165-167
debugging features, 209-210
Declare keyword, 342
decompiling, 264
decomposing, 200
decryption. See also encryption
defined, 3
private key, 13-14
default behavior, 312
default installations, lack of security of, 269
delay signing, 246-247
Delete keyword, 342
Demands, 47, 48
demilitarized zones (DMZs), 309
denial of service (DoS) attacks
application crash form, 122, 124
CPU starvation attacks, 122, 124
defending against, 123-127
defined, 45, 122
on domain-name servers, 353-354
forms of, 122-123
input, limiting, 126-127
memory starvation form, 122, 124-127
mitigation techniques for, 327
.NET vulnerability to, 122
network bandwidth starvation form, 123
requests, limiting, 123
resource starvation form, 122, 124-127
SQL-injection for, 134
stress testing to prevent, 213
system crash form, 123
deployment
ActiveX components, 228
ASP.NET Web server applications, 243
Authenticode signing, 235-238
cabinet files, 228, 230-231
certificates. See digital certificates
checklist for, 266-267
code-access security, 67, 228, 230-232
delay signing, 246-247
fixes for attacks, 334
Internet distribution, advantages of, 232
measures to secure, list of, 225-226
methods of, 226-230
.MSI deployment packages, 260-264
.NET Framework Configuration tool, 263
.NET security policy updates, 254-264
no-touch, 227, 229, 231, 237, 316
obfuscating code, 264-266
packaging costs, 232
real-world considerations, 267-268
sample application, 243-253
setup packages, signing, 251-253
strong names. See strong-name signatures
timestamp services, 248
user options, allowing, 228
viewing certificates, 249-251
Windows Installer, 227-228, 230
XCopy for, 226-227, 229
Deployment Wizard, Microsoft Visual Studio .NET, 227
DES. See Triple-DES
design steps
architectural security, 307-311
back doors, eliminating, 314
beginning with security, 306-307
believing attacks will come, 305-306
challenges to, 304-305
firewalls, 314-315
level of security, picking, 307
maintenance considerations, 316-317
minimum security measures in architecture, 311
missteps, 303-304
modeling vulnerabilities, 311-312
named-pipes vs. TCP/IP, 310-311
off switches, 317
overview, 304
serious attitude development, 305-306
simplicity, 312-313
team education, 307
threat analysis, 321
usability, 312-313
Windows OS security features, 312
detecting attacks
anomaly detection, 331
confidence in, 332
early detection, 329-330
exception handlers, 331
feedback to users, 330
following the attack, 330-331
hardware inventories, 331
human factors, 332
IDSs for, 331
in-progress, 330-331
logging activity, 330, 331
monitoring news groups, 330
overview of, 329
real-world considerations, 334-335
reboots, unscheduled, 331
redundancy, 332
signature detection, 331
snapshots of data, 332
deterrence, 320
development team, education of, 307
device names, use in attacks, 131
digital certificates
application integrity assurance, 236
Authenticode signing, 235-238
CSRs, 104
defined, 103
hash value security policy attribute, 255
installing, 104
private keys for, 234-235
publisher identity, 235, 255
purpose of, 232-233
root certificates, 104
sample application, 243-253
setup packages, 251-253
signatures, checking, 237-238
Software Publisher Certificates, 234, 246
SSL, 103-105
strong names. See strong-name signatures
test certificates, 104-105, 244-246
timestamp services, 248
validity of, 104
VeriSign, obtaining from, 104
viewing, 249-251
X.509, 233-235
Dir keyword, 342
direct user input, 158-163
directories
Active Directory, 35-37, 42, 60
directory-based attacks, 127-131
DirectoryServicesPermission, 60
restricting access to, 38-41
root, hackers finding, 127
security for private key encryption, 17
disabling auto logon, 275
disassembling code, 202
disk space attacks. See resource starvation attacks
distributed architecture recommended, 307
DLLs (dynamic-link libraries), 204, 240-242
DMZs (demilitarized zones), 309
DNS permission, 58, 61
documentation, 339, 347
domain controllers, 278
domain-name system root servers, 353
DoS attacks. See denial of service (DoS) attacks
Dotfuscator, 264-266
DPAPI encryption, functions, sample, 375-376
drives, physical
FAT file system, 271, 275
NTFS formatting, 275
sharing, locking down, 276
DumpBin, 214
dynamic loading, attacks against, 151-153
E
early detection of attacks, 329-330
elevation of privilege attacks, 324
Employee Management System sample application
clsEmployee class, 367
database for, 363, 371-374
frmAddNew, 365
frmDashboard, 364
frmManage, 366
frmMyInfo, 365
frmRemoveUser, 366
overview, 5-6
valid usernames for, 364
Employee Management Web sample application, 77, 367-370
EmployeeDatabase.mdb, 6, 363, 371-374
encryption
baseball example, 4
brute force attacks, 17
defined, 3
demo application, 363, 370-371
export restrictions on, 22
file integrity, verifying, 25
folders, of, 275
goals of, 4
insecure transport, as solution for, 24-25
Internet transmissions using, 25
key-based. See private key encryption
private key. See private key encryption
public key. See public key encryption
purposes of, 24
SSL. See SSL (secure sockets layer)
Environment keyword, 342
environment variable permissions, 58, 61
error messages, flawed, 186-187
ErrorProvider class, 159
errors. See exceptions
Ethereal, 100
event logs, 58, 62, 195
evidence, code-access, 46, 56, 255
exceptions
adding handlers, 187-190, 193-194
bubbling up, 192
causes, 184-185
COM interop-based, 193
crashes as causes, 185
database-generated, 186
detecting attacks, 331
encryption, logging, 377
error messages reporting, 186-187
file-related, 185
Finally clauses, 191
global exception handlers, 192-194
handling. See handling exceptions
help for users, 186
input related, 184
logging, 186, 188-190, 195
multiuser conflicts, 184
network errors causing, 185
On Error GoTo statements, 191-192
purpose, 183
real-world considerations, 195-196
resources, lack of causing, 185
sample application, 187-191
security issues, 185
stress causing, 185
Try...Catch blocks, 191-192
Execute keyword, 342
existing software design challenge, 305
exploits, 102
export restrictions on encryption, 22
extensibility, dangers of, 199
F
FAT file system, 271, 275
file-based attacks, 127-131
files
code-based security, 52-54
exceptions arising from problems with, 185
FileMon, 214
FileOpen function, 47, 71
non-canonical names, 128-129
permissions, 58, 62, 275
sharing, software, 277
Finally clauses, 191
firewalls
design considerations, 314-315
installing, 279
locking down, need for, 270-271
purpose of, 314
recommended, 311
Windows integrated security with, 84
fixes for attacks, deploying, 334
folders, permissions for, 50
footprinting, 200
Form collection, 172, 343
forms, Windows. See Windows Forms
Forms authentication, ASP.NET
adding secure areas, 78-80
Anonymous user access, denying, 80
best use for, 98
Config file for, 79
cookies for, 78, 81
defined, 76
encryption for, 83
FormsAuthentication class, 78
logging out, code for, 82-83
login pages, 77-78, 81-83
process of, 77-78
setting, 81
forms-based security. See Forms authentication, ASP.NET
FormsIdentity objects, 29-30
frmAddNew sample form, 365
frmDashboard sample form, 364
frmLogin sample form, 364
frmManage sample form, 366
frmMyInfo sample form, 365
frmRemoveUser sample form, 366
Full Rights model, 292-293
Full Trust
limits of, 56
permissions under, 60
functions
buffer overrun vulnerability, 154
obfuscating, 264-266
vulnerability, 203
G
games as a security risk, 325
GenericIdentity objects, 29-30, 34
GenericPrincipal objects, 30, 32, 34
GetFullPath method, 129
Global XML Architecture (GXA), 108-109
government initiatives, 360
grace, 183
groups
Active Directory vs. Windows NT domains, 37
adding for SQL authentication, 287-288
advantages of, 41-42
guest user, 289, 290
GXA (Global XML Architecture), 108-109
H
hacking tools, 355
handling exceptions
adding handlers, 187-190, 193-194
database exceptions, 186
error reports to users, 186-187
global exceptions, 192-194
help for users, 186
logging, 186, 188-190, 195
On Error GoTo, 191-192
real world considerations, 195-196
rules for, 186-187
sample application, 187-191
Try...Catch, 191-192
hardware inventories, 331
hash digests
algorithms for, 11
collisions, 11
defined, 6
function for, 375
function returning, 7-9
password protection with, 7
PublicKeyToken, 240
storing, 8-9
strong-name signatures with, 238
verifying passwords, 9-10
hash value security policy attribute, 255
hashes
collisions, 11
defined, 5
digests. See hash digests
display format for, 6
function returning digests, 7-9
SHA-1, 6-10, 375
spoofing, 7
storing hash digests, 8-9
verifying passwords with, 9-10
hidden field vulnerability, 203, 215-216
hiding user input fields, 23-24
highly-trusted applications, 46
highly-untrusted applications, 46
hops, 100
hotfixes, 316
HTML script attacks. See cross-site scripting attacks
HtmlEncode method, 173
HTTP
verbs, limiting, 308
headers, viewing, 214
https://
purpose of, 103
URLs, changing for, 106
human factors in attack detection, 332
humans as a design challenge, 305
I
identifying threats, 321-324
Identity, 28-30
IDSs (intrusion detection systems), 331
IIS (Internet Information Services)
attacking with SQL-injection, 134
direct connection attacks on, 345
disabling unnecessary services, 279
IUSR_<computername>, 280
locking down, 279-280
logging, enabling, 280
sample sites, 280
script maps, disabling, 279
SSL sections, specifying, 105-106
unnecessary client services, 276
URLScan, 274-275, 280
version 6.0, 361
IIS Lockdown tool, 273-274, 279, 280
ILDasm, 202, 214
Impersonation, 84, 87
Index Server, 279
information disclosure attacks, 323
input
ASP.NET validator controls, 160-163
attacker goals with, 202
attacks, 327
direct user input, 158-163
exceptions caused by, 184
free-form, 158
hidden-field vulnerability, 23-24, 203, 215-216
identifying sources of, 158
keywords, dangerous, 342
kinds of, 157
nonuser, 174-176
numeric, validating, 165-167
Request objects, 172
subroutine input, 177-181
validation. See validation
Windows Forms, 159
installing practice files, 5
intercepting data attacks, 328
intercepting Internet messages, 100-101
interception of logon data, 345
Intermediate Language Disassembler (ILDasm.Exe), 202, 214
Internet
encryption for, 25
security exceptions, 48
Untrusted Sites zone, 57-59, 64
zones. See security zones
Internet Explorer, Microsoft, 57
Internet Information Services. See IIS (Internet Information Services)
Internet zone, 57-59. See also security zones
intranets
architecture recommended, 309
Local Intranet zone, 56, 58-63, 68
Medium Trust security level, 54
security exceptions, 48
Untrusted Sites zone, adding to, 64
Windows integrated security recommended for, 84
IP numbers, resolving, 359
IPSec, 299, 359
IPv6 (Internet Protocol version 6), 359-360
isolated storage, 68-71
Isolated Storage Administration tool, 71
IsolatedFileStorage, 62
IsolatedStorageFilePermission, 58
IsValid property, 161-162
IUSR_<computername>, 280
J-K
JohnTheRipper, 214
Kazaa, 277
keys
defined, 11
private. See private key encryption
public. See public key encryption
keywords, dangerous, table of, 342, 344
Kill keyword, 47, 342
L
L0phtCrack, 214
LANs. See intranets; networks
LC4, 214
LDAP (Lightweight Directory Access Protocol), 35
least privilege, principle of, 28, 135, 272
Lightweight Directory Access Protocol (LDAP), 35
Link, 214
LinkDemand, 48
Linux vulnerabilities, 352
Local Intranet zone
defined, 56
isolated storage support, 68
luring attacks, 60
permissions for, 58-59, 61-63
scope of, 63
locking down
.NET Framework, 280-281
accounts, 278
antivirus software, 272
auditing, enabling, 276
auto logon, 275
automated tools for, 273-275
back doors, closing, 273
backing up data, 272
BIOS passwords, 277-278
clients, 275-278
databases, 284
defined, 269
domain controllers, 278
encrypting folders, 275
file-sharing software, 277
firewalls for, 270-271, 279
floppy drives, booting from, 278
fundamental principles of, 271-273
IIS, 273-274, 279-280
least privilege principle, 272
maintenance, 272
MBSA. See MBSA (Microsoft Baseline Security Analyzer)
Microsoft Access, 297-298
NTFS file system, 271, 275
patches, OS security, 272
physical security, 271
purpose of, 269-270
real-world considerations, 281
servers, 278-279
service packs, 272
sharing, 276-277
SQL Server, 298-300
strong user passwords, 272
tools for, 273-275
turning off services, 276
URLScan, 274-275, 280
Windows 9x, 271
Windows clients, 275-278
Windows NT, 271
Windows servers, 278-279
logging
attacks altering logs, 332
automated unit testing, 212
exceptions handled, 186, 188-190, 195
detecting attacks, 330, 331
encryption exceptions, 377
IIS, enabling, 280
monitoring logs, 316
SQL Server, 300
viewing remotely, 195
logging out, 82-83
logons
auto logon, disabling, 275
eliminating repetition, 34
Forms authentication, 77-78, 81-83
frmLogin sample, 364
HTML scripting attacks using, 146-148
login.aspx sample, 368
passwords. See passwords
recommendation, 312
SQL-injection attacks using, 133-134
users. See user names
Windows Authentication, setting up, 287-288
LSADump2, 214
luring attacks, 45, 60-61
M
maintenance
application upgrades, 316
challenges, 305
designing for, 316-317
hotfixes, 316
importance, 272
off switch design, 317
service packs, 316
managed code, 361
manual testing, 209-211
MaxLength property of TextBox, 159
MBSA (Microsoft Baseline Security Analyzer)
auto logon detection, 275
client services, detecting unnecessary, 276
IIS sample site detection, 280
NTFS detection, 275
overview, 273
Medium Trust security level
effects of, 54
permissions with, 56
setting to, 71
memory starvation attacks, 122, 124-127
MessageQueuePermission, 60
Microsoft Access. See Access, Microsoft
Microsoft Application Center Test (ACT), 213, 214
Microsoft Group Policy, 263
Microsoft Internet Explorer. See Internet Explorer, Microsoft
Microsoft .NET Passport Security. See Passport authentication
Microsoft Baseline Security Analyzer. See MBSA (Microsoft Baseline Security Analyzer)
Microsoft security initiatives, 221, 360-361
Microsoft SQL Server Profiler, 214
Microsoft Systems Management Server (SMS), 263
Microsoft Trustworthy Computing initiative, 221, 361
Microsoft Visual Studio .NET Deployment Wizard, 227
Microsoft Windows. See specific versions of Windows
mitigating threats, 326-328
Mitnick, Kevin, 319
Mixed Mode SQL Server authentication, 285-287
MkDir keyword, 342
money limitations, 304
MSFTPSVC service, 276
MSN Messenger, 89
multiuser conflicts, 184
My Computer zone
defined, 56
Full Trust permissions, 60
permissions, 58-59
sandbox, outside of, 231
N
named-pipes, 310-311
Napster, 277
.NET Framework
Configuration tool, 263
locking down, 280-281
security policy updates, 254-264
service packs, 281
Netcat, 214
NetMon, 214
Netscape browsers, 84
network bandwidth starvation attacks, 123
network firewalls. See firewalls
network redirection tools, 214
network shares
file access, code-based, 52-54
goals of code-access security, 55
Local Intranet zone default, 64
simulating on single computers, 52
networks
exceptions arising from, 185
intranets. See intranets
zones in. See security zones
news groups, monitoring, 330
non-canonical filenames, 128-129
nonrepudiation, 323
nonuser input, 174-176
no-touch deployment
Authenticode, 237
overview, 227
sandbox, 231
upgrades using, 316
when to use, 229
NTFS file system, 271, 275
numeric input, validating, 165-167
NUnit, 212, 214
O
obfuscating code, 264-266
off switches, 317
OleDbPermission, 60
On Error GoTo statements, 191-192
one-way cryptography, 5-6. See also hashes
Open keyword, 341-342
Operating System security restrictions, 50-51
operating system vulnerabilities, non-Windows, 352
Owner-Admin model, 293
P
packet sniffing tools, 100
Page objects, IsValid property, 161-162
Page_Load events, 95-96, 106
Params collection, 172, 343
Parse method, 165-167
partially trusted DLLs, 240-242
passphrases, 17
Passport authentication
Administration Utility, 94
advantages, 88
best use, 98
client setup, 90-92
creating the application, 94-96
defined, 76
encryption key, 93-94
fields for new applications, 92-93
live environment restoration, 91
MSN Messenger, 89
Page_Load handler, 95-96
passport, acquiring, 90
PassportIdentity object, 29-30, 89
preproduction environment, 89
preproduction passport signup, 91
process, 89
purpose, 88
registering new applications, 92-94
SDK installation, 90
server configuration, 94
SiteID, obtaining, 92-93
soft sign-ins, 97
steps for implementing, 89
switching environments, 90-92
PasswordChar property of TextBox, 159
password-cracking attacks, 328
passwords
Access database authentication, 292
authenticating, 24
BIOS, 277-278
blank, 60, 285
constants, stored as, 202
hash digests, 7-9
hiding entry, 23-24
IIS version 6.0, 361
mitigating threats, 328
removing fields from databases, 22-23
screen saver, 277
SQL Server, 299
strong, 272
time-outs for accepting, 328
tools for cracking, 214
unencrypted, dangers, 7
verifying with hash digests, 9-10
patches
not installing, reasons, 351
OS security, 272
recommended, 311
paths
GetFullPath method, 129
noncanonical, 128
parsing in Windows, 152
PEAP (Protected Extensible Authentication Protocol), 361
people as a design challenge, 305
PerformanceCounterPermission, 60
permissions
code-access. See code-access security
evidence, 255
full, granting, 60, 255
Local Intranet zone, 61-63
Microsoft Access, 295
modifying policy, 67-68
policy manager, 259
purpose, 55
security policy attributes, table, 254-255
security zones, granting, 56-60
SQL Server, 291, 299
testing for appropriate, 217-218
trust level defaults, 58-60
Trusted Sites zone, 61-63
version differences, 63
physical security, locking down, 271
plain text, 3
planning
response plans for attacks, 334
testing, 198-200, 208-213
threat analysis, 339
policy manager, 259
ports, 314-315
posing as users attacks, 328
practice files for chapters, 5, 363
Principal, 28-30
principle of least privilege, 28
printing, permission for, 58, 62
prioritizing threats, 324-326
privacy, 356-359
private key encryption
applications, 12
brute force attacks, 17
decryption function, 13-14
defined, 11
DES. See Triple-DES
directory security, 17
encrypting keys, 18-19
export restrictions, 22
function, creating, 12-14, 375
installation issues, 18
login credentials as keys, 17-18
safety of keys, 17-19
SSL, 103
storing data with, 15-16
storing keys safely, 17-19
privileges
child-application attacks, effects, 152
elevating, attack by, 45
least, principle, 28, 135, 272
SQL Server, 289-290
testing for appropriate, 217-218
profiling, 200, 214
Protected Extensible Authentication Protocol (PEAP), 361
PSNs (Processor serial numbers), 357
public function vulnerability, 203, 327, 343
public key encryption
defined, 19
functions for, creating, 21-22, 376
private key component of, 19
purpose of, 19-20
RSA algorithm for, 21
slowness of, 21
Public keyword, 203, 327, 343
publisher identity security policy attribute, 255
PWDump, 214
Q-R
QueryString collection, 172-173, 343
RangeValidator, 160
reboots, unscheduled, 331
reducing the attack surface, 185
Reflection keyword, 343
reflection permission, 58, 62
registry, permission to write to, 58
regular expressions
examples, table, 165
importing class, 169
path validation, 130
RegularExpressionValidator, 161-163
SQL-injection attacks, preventing, 136
validation, 165
replication of sites by hackers, 200
repudiation
attacks, 323, 328
defined, 113
Request object, 172-174
Request.Form warnings, 143-145
RequiredFieldValidator, 160
requirements, inherently insecure goals, 305
resource starvation attacks, 122, 124-127
resources
exceptions caused by lack, 185
stress testing, 212-213
responding to attacks, 333-334
reverse-engineering tools, 214
RmDir keyword, 342
role-based security
Active Directory, 35-38, 42
anonymous users, 39
ASP.NET authorization, 38-41
assigning roles, 31-34
authentication, 29, 39
code-access security, compared to, 49
database structure, sample, 31
database-based system advantages, 42
directories, restricting access, 38-41
disabling functionality, 31-34
dividing areas of responsibility, 28
FormsIdentity objects, 29-30
functions, sample, 377
GenericIdentity objects, 29-30, 34
GenericPrincipal objects, 30, 32, 34
goals, 28
groups, 37, 41-42
Identity, 28-30
loading roles from databases, 31-34
Name property, 30
PassportIdentity objects, 29-30
preemption by code-access security, 49-50
Principal, 28-30
principle of least privilege, 28
purpose, 27
real-world problems, 41-42
RoleBasedSecurity.vb, 375-378
sample roles, 28
tables holding assignments, 31
user interfaces, 33
Windows integrated security, 34-38
WindowsIdentity objects, 29-30
WindowsPrincipal objects, 30
root directory, finding in attacks, 127
row level authorization, 291
RSA encryption, 21-22
S
sa account, 134, 299
sandboxes, 231-232
scalability, effect on DoS attacks, 327
scenarios, attack
attacker's view, taking, 200-201
brainstorming, 200-204
creating based on inroads, 203-204
defined, 200
generating tests for, 206-208
including all in testing, 206
prioritizing, 204-206
relevance of tests to, 207
threat prioritization, 206
scoped addresses, 360
screen saver passwords, 277
script kiddies, 355
scripts, disabling, 200
Secure Hash Algorithm. See SHA-1
secure sockets layer. See SSL (secure sockets layer)
Security Adjustment Wizard, 53
security policy
changing, 67-68
updates, 254-264
security zones
ASP.NET, 65-66
code-access permissions granted in, 56-60
default trust levels, 56-57
determination by .NET, 63-66
Internet, 57, 58-59
Internet Explorer, 57
loading options for applications, 67
Local Intranet, 56, 58-59, 61-63
My Computer, 56, 58-59
showing available, 53
symbols for, 56
trust levels, changing, 59
Trusted Sites, 56, 58-59, 61-63
Untrusted Sites, 57, 58-59
Windows Forms assignments, 64-65
SecurityLibrary.vb, 7, 375-378
SecurityPermission, 59, 62
self-testing code, 209-210
servers
locking down, 278-279
service packs, 272, 281, 316
ServerVariables collection, 172
service packs
locking down, 272, 281
maintaining, 316
Microsoft Access, 298
ServiceControllerPermission, 60
SHA-1
defined, 6
display format for hashes, 6
function, 375
function returning, 7-9
hash digests, 6
verification, 9-10
shares
file, 276-277
network, 52-55, 64
Shell command
attacks against, 151-153
code-access default, 47
defined, 343
Show function, 47
signatures, digital. See digital certificates
SignCode.exe, 248-249
simplicity, 312-313
Slammer worm, 306, 329, 350-352
SMTPSVC service, 276
social engineering attacks, 354-355
sockets, 60
Software Publisher Certificates, 234, 246
source code, attackers accessing, 202
spoofing
attacks, 323
hashes, 7
strong names to prevent, 239
SQL Server, Microsoft
access restriction, 299
account for running, 298
attacks, injection. See SQL-injection attacks
auditing, 300
Authentication. See SQL Server Authentication
authentication. See SQL Server authentication
authorization, 289-291
buffer overruns, 350-352
clustering, 310
directory access, restricting, 298
encryption, 299
IPSec, 299
locking down, 298-300
logging, 300
named-pipes vs. TCP/IP, 310-311
passwords, 299
permissions, 291, 299
port, 315
SA account, 299
sample database, 372-374
stored procedures, adding to, 374
stored procedures for authorization, 291
system commands, danger of, 298
xp_cmdshell, 298-299
SQL Server Authentication, 284-287
SQL Server authentication
administration considerations, 285
administrative permission privileges, 289
advantages of Windows Authentication, 285
blank passwords, 285
changing Mixed to Windows Authentication, 286-287
default users, 289
determining logged-on users, 288-289
groups, adding, 287-288
guest user, 289, 290
logons, setting up, 287-288
mechanisms, 284
Mixed Mode, 285-287
public role, 290
roles, 290
Windows Authentication, 285-287
SQL Server authorization, 289-291
SQL Server Profiler, 214
SQL Slammer worm, 306, 329, 350-352
SqlClientPermission, 60
SQL-injection attacks
application execution, 134-135
defensive techniques, 135-140
defined, 132
EMS sample defense, 138-140
example, 132
final parameter checks, 140
IIS, stopping, 134
input validation, 135-136
least privilege principle, 135
logon issues, 133-134
Microsoft Access databases, 132, 135
parameterized query defense, 136-137
sa account, 134
stored procedure defense, 137
testing against, 203
user names, 133-134
xp_cmdshell command, 134-135
SSL (secure sockets layer)
adding to applications, 105-106
advantages, 102-103
bidirectionality, 103
browser support, 103
certificates, 103-105
disadvantages, 103
ease of implementation, 102
https://, 103, 106
IIS sections, specifying, 105-106
methodology, 103-104
Page_Load events, 106
private key generation, 103
purpose, 102
requirements, software, 103
resources, consumption, 103
setting up, references, 105
speed, effects on, 103
SQL Server, 299
validating input, 164
Web services using, 108, 111-112
staff as a design challenge, 305
steps for designing security. See design steps
storage
drives, 275-276
isolated, 68-71
stored procedures
adding to SQL Server, 374
SQL-injection attack defense, 137
stress, exceptions from, 185
stress testing, 209, 212-214
STRIDE security threat model, 323-324
strong name security policy attribute, 255
strong passwords, 272
strong-name signatures
Authenticode, compared to, 242-243
benefits, 239
creating applications, 244
defined, 238
delay signing, 246-247
DLLs with, 240-242
hash digests, 238
integrity assurance, 239
.NET assemblies, 204
operation, 239
partially trusted DLLs, 240-242
parts, 238
public keys, 238
PublicKeyToken, 240
recommended use, 243
representation, 240
sample application, 243-253
spoofing, preventing, 239
unique identity guarantees, 239
version integrity, 239
weak names, compared to, 239-240
strong-named .NET assemblies, 204
subroutine input, validating, 177-181
Sun Microsystems vulnerabilities, 352
symmetric encryption. See private key encryption
system components, code-access security techniques, 48
system crash DoS attacks, 123
T
table level authorization, 291
tampering with data attacks, 323
tax, security as a, 304
TCP/IP vs. named-pipes, 310-311
Teleport Pro, 214
Telnet service, 276
terrorism, 352-354
testing
approaches, 208-213
attacker's view, taking, 200-201
automated unit testing, 209, 211-212, 214
benefits of security emphasis, 199-200
beta feedback, role, 220
blueprints of applications, 201-203
brainstorming scenarios, 200-204
components of, 198
cost, 208, 220
creating tools for, 214-217
database security, 203
debugging features for, 209-210
deployment environments, in, 217-218
DLL spoofing, 204
features, security vs. usefulness, 199
filtering tests, 207-208
generating tests, 206-208
hidden fields, 203, 215-216
importance, 197-198, 218
inroads, scenarios based on, 203-204
insufficient, 218-219
lateness mistake, 218-219
manual testing, 209-211
mistakes, common, 218-221
network redirection tools, 214
NUnit tool, 212, 214
password cracking tools, 214
permission levels, 217-218
plan development, 198-200
plan execution, 208-213
prioritizing scenarios, 204-206
prioritizing tests, 198, 207-208
profile tools, 214
public functions, 203
real-world considerations, 221-222
relevance to scenarios, 207
retasked components, 219
reverse-engineering tools, 214
schedules, 198
security aspect, 199-200
self-testing code, 209-210
stress testing, 209, 212-214
target configurations, 199
third-party components, 220-221
tools for, 213-217
unknown issues, narrowing, 219
URL-based attacks, 204
usage scenarios, 198
user name input, 206-207
WebTester sample application, 215-217
XML file vulnerability, 203
text boxes, validating input, 159
third-party components, danger, 220-221
Thread objects, 344
threat analysis
allocating time, 338
architectural sketches, 339-341
cost considerations, 338
defined, 321
documentation, 339
EMS example, prioritized table of threats, 344-346
key concepts, 337
listing threats, 339-344
modeling in design phase, 311-312
planning, 339
prioritizing components, 338
prioritizing threats, 344-346
response development, 346-347
reviewing code, 341-344
steps in process, 337
vulnerabilities, analyzing for, 321-326
threats. See also attacks
analyzing for. See analyzing for vulnerabilities; threat analysis
bypassing UI attack, 327
identifying, 321-324
intercepting data attacks, 328
methods for avoiding damage, 320
mitigating, 326-328
modeling in design phase, 311-312
password-cracking attacks, 328
posing as users, 328
prioritizing, 324-326, 344-346
real-world considerations, 334-335
response options, 346
severity, factors, 324
tracking, 325-326
time limitations, 304
timestamp services, 248
TlntSvr service, 276
TogglePassportEnvironment utility, 363, 371
tools
hackers, used by, 355
locking down platforms, for, 273-275
testing with, 213-217
Web-page manipulation, 214
trace-back, 357
tracing routes, 100
tracking threats, 325-326
training development teams, 307
transactions
audit trails, 113-115
repudiation, 113, 323, 328
transport-level security. See SSL (secure sockets layer)
trends in security
arms race intensification, 355
authentication, 357
Big Brother systems, 357-358
cost increases, 355
government initiatives, 360
IPv6 (Internet Protocol version 6), 359-360
Microsoft initiatives, 360-361
privacy issues, 356-359
trace-back, 357
unified systems, 354-355
virus intensification, 355
Triple-DES
decryption function, 13-14
defined, 12
function using, creating, 12-14
passphrases, 17
safety of keys, 17-19
trust levels
code-access permission defaults, 56-60
definition of trust, 46
defaults for zones, 56-57
Full Trust, 56
permissions associated with, 58-60
Trusted Sites zone
defined, 56
permissions, 58-59, 61-63
scope, 64
Trustworthy Computing Initiative, 221, 361
Try...Catch blocks, 191-192
Type keyword, 343
U
UI attacks, 327. See also input
UIPermission, 59, 63
unified systems, 354-355
Unix vulnerabilities, 352
Untrusted Sites zone
defined, 57
permissions, 58-59
scope, 64
upgrades, 316. See also deployment
URL-based attacks, 204
URLScan
architecture, place in, 308
locking down with, 274-275, 280
recommended, 311
usability, 312-313
user names
Identity objects containing, 29
limiting length, 136
testing evaluation, 206-207
unrecognized, attempts with, 330
users, designing for, 313
V
Validate events, 159
validation
ASP.NET controls, 160-163
bowling scores example, 167-172, 177-181
canonicalization errors, 128-131
client-side, 160, 173-174
CompareValidator, 160
currency input, 166-167
CustomValidator, 161
dates, 165-167
defense-in-depth, 161
direct user input, 158-163
DoS attacks, preventing, 126
ErrorProvider class, 159
free-form input, 158
functions, sample, 377-378
HTML script, turning off, 144-145
HtmlEncode method, 173
importance, 157
input-related attacks, 158
inputs to SQL statements, 135-136
IsValid property, checking, 161-162
length of input, limiting, 159, 169, 172
nonuser input, 174-176
numeric input, 165-167
Page_Load events, 162
Parse method, 165-167
prices changed by clients, 173-174
RangeValidator, 160
regular expressions, 130, 165
RegularExpressionValidator, 161-163
Request object input, 172-174
RequiredFieldValidator, 160
server-side, 160
SQL-injection attacks using, 133
SSL, 164
subroutine input, 177-181
text boxes, 159
tools, 159
user names, 206-207
Validate events, 159
Validate method of controls, 162
ValidationSummary control, 161
Web application input, 172-174
Windows Forms tools, 159
VBA (Visual Basic for Applications), 297
VBscript, disabling, 200
VeriSign, 104
version integrity, 239
viruses
attachments containing, 72
intensifying trend, 355
scanning recommended, 311
Visual Studio .NET Deployment Wizard, 227
vulnerabilities. See also threats
analyzing. See analyzing for vulnerabilities
increasing number, 351
methods for avoiding damage, 320
non-Windows OSs, 352
Web applications, 102
W
W3SVC service, 276
Warhol viruses, 351
weak names, 239-240
Web applications
defined, 116
services. See Web services
vulnerabilities, 102
Web services
access issues, 107
authentication issues, 107
authorization issues, 107
design considerations, 107-108
Enhancements download, 107, 109
GXA, 108-109
managed security issues, 108
platform compatibility, 107
SSL, 108, 111-112
test mode, 108
Windows authentication, 109-112
WMI reporting example, 109-112
Web sites
ASP.NET. See ASP.NET
basic principles of security, 116
replication by hackers, 200
Web.Config files
Authorization section, 39, 40-41
Forms authentication, 81
Forms authorization, 79
Passport authentication, setting, 94
Web-page manipulation tools, 214
WebPermission, 60
WebTester sample application, 215-217
WEP, 355
Windows 9x, locking down, 271
Windows 2003 Server, 361
Windows API functions, 342
Windows authentication. See Windows integrated security
Windows Authentication
advantages over SQL Server Authentication, 285
changing from Mixed Mode, 286-287
determining logged-on users, 288-289
logons, setting up, 287-288
recommendation, 312
SQL Server 2000, for, 285
Web services, securing, 109-112
Windows clients
auditing, enabling, 276
BIOS passwords, 277-278
disabling auto logon, 275
file-sharing software, 277
floppy drives, disabling booting from, 278
locking down, 275-278
MBSA with, 275
NTFS recommended, 275
screen saver passwords, 277
sharing, turning off, 276-277
turning off services, 276
Windows Forms
adding to Web pages, 64
Authenticode signing, 243-253
no-touch deployment, 227, 229
strong-name signing, 243-253
validation tools, 159
zone assignments, 64-65
Windows Installer, 227-228, 230-231
Windows integrated security
advantages, 42, 84
anonymous logins, denying, 86
ASP.NET authentication, 76, 84-87
best use, 98
creating applications using, 84-87
domain restriction, 84
firewalls, 84
Impersonation, 84, 87
Netscape browsers, 84
purpose, 34
using with applications, 36-38
Windows NT
file protection for Microsoft Access, 297
locking down, 271
Windows servers
2003 version, 361
locking down, 278-279
service packs, 272
WindowsIdentity objects, 29-30
WindowsPrincipal objects, 30
WMI (Windows Management Instrumentation)
purpose, 112-113
Web services example, 109-112
WS-Security, 108
X
X.509 certificates
Authenticode signing, 235-238
elements, 233
obtaining, 234
purpose, 233
sample application, 243-253
setup packages, 251-253
SignCode.exe, signing with, 248-249
Software Publisher Certificates, 246
test certificate creation, 244-246
timestamp services, 248
viewing, 249-251
XCopy deployment
overview, 226-227
sandbox, 231
when to use, 229
XML (eXtensible Markup Language)
GXA, 108-109
services. See Web services
vulnerability from, 203
Xolox, 277
xp_cmdshell command, 134-135, 298-299
XSS attacks. See cross-site scripting attacks
Z
zones, security. See security zones
Last Updated: May 29, 2003