| Section | Page |
| --- | --- |
| Foreword | ix |
| Preface | xi |
| PART I INTRODUCTION AND DESIGN | |
| CHAPTER 1 Security 101 | 3 |
| Why Build Secure Applications? | 3 |
| Security Defined | 4 |
| Why Is Security Difficult? | 4 |
| The Golden Rules (and Some Others) | 7 |
| Threats, Safeguards, Vulnerabilities, and Attacks | 12 |
| CHAPTER 2 A Process for Building Secure Web Applications | 15 |
| A Security Design Process | 16 |
| Application Design | 26 |
| An Example | 28 |
| PART II TECHNOLOGIES AND TRADE-OFFS | |
| CHAPTER 3 Windows 2000 Security Overview | 43 |
| The Impact of Active Directory | 44 |
| Authenticated Logon | 46 |
| Authentication | 46 |
| Privileges | 47 |
| User Accounts and Groups | 48 |
| Domains and Workgroups | 48 |
| DOMAIN/Account Names and User Principal Names | 49 |
| Managing Accounts | 51 |
| Security Identifiers (SIDs) | 53 |
| Tokens | 54 |
| Access Control Lists | 57 |
| Impersonation | 68 |
| Delegation | 69 |
| Miscellaneous Windows 2000 Security Features | 73 |
| CHAPTER 4 Internet Explorer Security Overview | 85 |
| Privacy | 86 |
| Code Safety and Malicious Content | 87 |
| Security Zones | 89 |
| SSL/TLS and Certificates | 93 |
| Cookie Security | 95 |
| CHAPTER 5 Internet Information Services Security Overview | 99 |
| Internet Authentication | 100 |
| Configuring SSL/TLS | 134 |
| IIS Authorization: the Marriage of Windows 2000 Security and the Web | 149 |
| IIS Process Identities | 154 |
| CHAPTER 6 SQL Server Security Overview | 163 |
| Security Modes | 163 |
| Logins, Users, and Permissions | 166 |
| Network Security Options | 169 |
| SQL Server Logins | 170 |
| SQL Server Database Users | 175 |
| SQL Server Database Roles | 178 |
| SQL Server Permissions | 181 |
| CHAPTER 7 COM+ Security Overview | 191 |
| Architecture | 192 |
| COM+ Authentication | 194 |
| COM+ Authorization | 199 |
| Debugging Tips | 210 |
| Using DCOM over the Internet | 212 |
| CHAPTER 8 Practical Authentication and Authorization | 217 |
| Where to Perform Authentication and Authorization | 218 |
| Application vs. Operating System Identity Flow | 222 |
| Relative IIS Authentication Performance | 222 |
| Example Authentication and Authorization Scenarios | 223 |
| A Warning About Custom Authentication and Passwords | 244 |
| CHAPTER 9 Practical Privacy, Integrity, Auditing, and Nonrepudiation | 247 |
| Privacy and Integrity Overview | 248 |
| Where Privacy and Integrity Issues Occur | 250 |
| Mitigating Privacy and Integrity Threats | 255 |
| Auditing | 276 |
| An Introduction to Nonrepudiation | 279 |
| PART III IN PRACTICE | |
| CHAPTER 10 Building a Secure Solution | 287 |
| Putting Together a Secure Solution | 289 |
| Speed vs. Security Trade-Offs | 303 |
| Configuration Checklists | 305 |
| CHAPTER 11 Troubleshooting Secure Solutions | 309 |
| Tools and Logs Available to You | 309 |
| The Art of Reading a Windows 2000 Logon Event | 315 |
| The Art of Reading an IIS Log Entry | 321 |
| Problems and Solutions | 322 |
| CHAPTER 12 Securing Against Attack | 337 |
| Why People Attack Web Servers | 338 |
| How People Attack Web Servers | 339 |
| Some Common Attacks | 353 |
| How to Detect Whether You’re Under Attack | 362 |
| User Input Attacks | 375 |
| What to Do If You’re Under Attack | 383 |
| Staying Up-to-Date on Security Issues | 384 |
| A Final Thought | 385 |
| PART IV REFERENCE | |
| CHAPTER 13 Security Administration with ADSI, WMI, and COM+ | 389 |
| What Is WMI? | 390 |
| What Is ADSI? | 390 |
| Example Management and Security Configuration Code | 391 |
| CHAPTER 14 An Introduction to Kerberos Authentication in Windows 2000 | 407 |
| What Is Kerberos Authentication? | 408 |
| How Kerberos Authentication Works | 410 |
| Helpful Tools | 413 |
| Kerberos Ticket Flow | 414 |
| CHAPTER 15 An Introduction to Cryptography and Certificates in Windows 2000 | 423 |
| The Fundamentals of Cryptography | 424 |
| The Basics of Certificates | 434 |
| Cryptography and Certificates in Windows 2000 | 450 |
| Bibliography | 471 |
| INDEX | 477 |
| E-BOOK APPENDIXES | |
| Appendix A Windows 2000 Well-Known SIDs | |
| Appendix B Strong Passwords | |
| Appendix C Windows 2000 Default Ports | |
| Appendix D Internet Information Services Authentication Summary | |
| Appendix E Security-Related IIS Server Variables | |
| Appendix F Secure Web Server Checklist | |