• Cover

  Page 1

• Copyright

  Page 3

• Table of Contents

  Page 6

• Introduction

  Page 14

• + Part I: Development Techniques

  Page 18

  • + Chapter 1: Encryption

    Page 20

    • Practice Files

      Page 22

    • Hash Digests

      Page 23

    • + Private Key Encryption

      Page 28

      • Keeping Private Keys Safe

        Page 34

    • Public Key Encryption

      Page 36

    • Hiding Unnecessary Information

      Page 39

    • Encryption in the Real World

      Page 41

    • Summary

      Page 42

  • + Chapter 2: Role-Based Authorization

    Page 44

    • Role-Based Authorization Exercise

      Page 48

    • Windows Integrated Security

      Page 51

    • ASP.NET Authentication and Authorization

      Page 55

    • Role-Based Authorization in the Real World

      Page 58

    • Summary

      Page 59

  • + Chapter 3: Code-Access Security

    Page 62

    • How Actions Are Considered Safe or Unsafe

      Page 63

    • What Prevents Harmful Code from Executing?

      Page 64

    • It's On By Default

      Page 64

    • Security Features and the Visual Basic .NET Developer

      Page 65

    • + Code-Access Security vs. Application Role-Based Security

      Page 66

      • Code-Access Security Preempts Application Role-Based Security

        Page 66

    • + Run Your Code in Different Security Zones

      Page 68

      • What Code-Access Security Is Meant to Protect

        Page 72

      • Permissions — The Basis of What Your Code Can Do

        Page 72

      • Ensuring That Your Code Will Run Safely

        Page 83

      • Cooperating with the Security System

        Page 85

    • Code-Access Security in the Real World

      Page 89

    • Summary

      Page 90

  • + Chapter 4: ASP NET Authentication

    Page 92

    • EmployeeManagementWeb Practice Files

      Page 94

    • Forms Authentication

      Page 94

    • Windows Integrated Security Authentication

      Page 101

    • + Passport Authentication

      Page 105

      • Install the Passport SDK

        Page 107

    • ASP.NET Authentication in the Real World

      Page 115

    • Summary

      Page 115

  • + Chapter 5: Securing Web Applications

    Page 116

    • + Secure Sockets Layer

      Page 119

      • How SSL Works

        Page 120

    • Securing Web Services

      Page 124

    • Implementing an Audit Trail

      Page 130

    • Securing Web Applications in the Real World

      Page 133

    • Summary

      Page 133

• + Part II: Ensuring Hack-Resistant Code

  Page 136

  • + Chapter 6: Application Attacks and How to Avoid Them

    Page 138

    • + Denial of Service Attacks

      Page 139

      • Defensive Techniques for DoS Attacks

        Page 140

    • + File-Based or Directory-Based Attacks

      Page 144

      • Defensive Technique for File-Based or Directory-Based Attacks

        Page 145

    • + SQL-Injection Attacks

      Page 149

      • Defensive Techniques for SQL-Injection Attacks

        Page 152

    • + Cross-Site Scripting Attacks

      Page 158

      • When HTML Script Injection Becomes a Problem

        Page 162

      • Defensive Techniques for Cross-Site Scripting Attacks

        Page 165

    • + Child-Application Attacks

      Page 168

      • Defensive Technique for Child-Application Attacks

        Page 170

    • Guarding Against Attacks in the Real World

      Page 172

    • Summary

      Page 173

  • + Chapter 7: Validating Input

    Page 174

    • + Working with Input Types and Validation Tools

      Page 175

      • Direct User Input

        Page 175

      • General Language Validation Tools

        Page 182

      • Web Application Input

        Page 189

      • Nonuser Input

        Page 191

      • Input to Subroutines

        Page 194

    • Summary

      Page 198

  • + Chapter 8: Handling Exceptions

    Page 200

    • Where Exceptions Occur

      Page 201

    • Exception Handling

      Page 203

    • Global Exception Handlers

      Page 209

    • Exception Handling in the Real World

      Page 212

    • Summary

      Page 213

  • + Chapter 9: Testing for Attack-Resistant Code

    Page 214

    • + Plan of Attack — The Test Plan

      Page 215

      • Brainstorm — Generate Security-Related Scenarios

        Page 217

      • Get Focused — Prioritize Scenarios

        Page 221

      • Generate Tests

        Page 223

    • + Attack — Execute the Plan

      Page 225

      • Testing Approaches

        Page 225

      • Testing Tools

        Page 230

      • Test in the Target Environment

        Page 234

      • Make Testing for Security a Priority

        Page 235

    • + Common Testing Mistakes

      Page 235

      • Testing Too Little, Too Late

        Page 235

      • Failing to Test and Retest for Security

        Page 236

      • Failing to Factor In the Cost of Testing

        Page 237

      • Relying Too Much on Beta Feedback

        Page 237

      • Assuming Third-Party Components Are Safe

        Page 237

    • Testing in the Real World

      Page 238

    • Summary

      Page 239

• + Part III: Deployment and Configuration

  Page 240

  • + Chapter 10: Securing Your Application for Deployment

    Page 242

    • + Deployment Techniques

      Page 243

      • XCopy Deployment

        Page 243

      • No-Touch Deployment

        Page 244

      • Windows Installer Deployment

        Page 244

      • Cabinet-File Deployment

        Page 245

    • + Code-Access Security and Deployment

      Page 247

      • Deploy and Run Your Application in the .NET Security Sandbox

        Page 248

    • + Certificates and Signing

      Page 249

      • Digital Certificates

        Page 249

      • Authenticode Signing

        Page 252

      • Strong-Name Signing

        Page 255

      • Authenticode Signing vs. Strong Naming

        Page 259

      • Strong Naming, Certificates, and Signing Exercise

        Page 260

    • + Deploying .NET Security Policy Updates

      Page 271

      • Update .NET Enterprise Security Policy

        Page 271

      • Deploy .NET Enterprise Security Policy Updates

        Page 276

    • + Protecting Your Code — Obfuscation

      Page 281

      • Obscurity <> Security

        Page 282

    • Deployment Checklist

      Page 283

    • Deployment in the Real World

      Page 284

    • Summary

      Page 285

  • + Chapter 11: Locking Down Windows, Internet Information Services, and .NET

    Page 286

    • " I'm Already Protected. I'm Using a Firewall."

      Page 287

    • Fundamental Lockdown Principles

      Page 288

    • Automated Tools

      Page 290

    • + Locking Down Windows Clients

      Page 292

      • Format Disk Drives Using NTFS

        Page 292

      • Disable Auto Logon

        Page 292

      • Enable Auditing

        Page 293

      • Turn Off Unnecessary Services

        Page 293

      • Turn Off Unnecessary Sharing

        Page 293

      • Use Screen-Saver Passwords

        Page 294

      • Remove File-Sharing Software

        Page 294

      • Implement BIOS Password Protection

        Page 294

      • Disable Boot from Floppy Drive

        Page 295

    • + Locking Down Windows Servers

      Page 295

      • Isolate Domain Controller

        Page 295

      • Disable and Delete Unnecessary Accounts

        Page 295

      • Install a Firewall

        Page 296

    • + Locking Down IIS

      Page 296

      • Disable Unnecessary Internet Services

        Page 296

      • Disable Unnecessary Script Maps

        Page 296

      • Remove Samples

        Page 297

      • Enable IIS Logging

        Page 297

      • Restrict IUSR_< computername>

        Page 297

      • Install URLScan

        Page 297

    • Locking Down .NET

      Page 297

    • Summary

      Page 298

  • + Chapter 12: Securing Databases

    Page 300

    • Core Database Security Concepts

      Page 301

    • + SQL Server Authentication

      Page 301

      • Determining Who Is Logged On

        Page 305

      • How SQL Server Assigns Privileges

        Page 306

    • SQL Server Authorization

      Page 308

    • + Microsoft Access Authentication and Authorization

      Page 308

      • Microsoft Access User-Level Security Models

        Page 309

    • Locking Down Microsoft Access

      Page 314

    • Locking Down SQL Server

      Page 315

    • Summary

      Page 317

• + Part IV: Enterprise-Level Security

  Page 318

  • + Chapter 13: Ten Steps to Designing a Secure Enterprise System

    Page 320

    • Design Challenges

      Page 321

    • Step 1: Believe You Will Be Attacked

      Page 322

    • Step 2: Design and Implement Security at the Beginning

      Page 323

    • Step 3: Educate the Team

      Page 324

    • + Step 4: Design a Secure Architecture

      Page 324

      • Named-Pipes vs. TCP-IP

        Page 327

      • If You Do Nothing Else…

        Page 328

    • Step 5: Threat-Model the Vulnerabilities

      Page 328

    • Step 6: Use Windows Security Features

      Page 329

    • Step 7: Design for Simplicity and Usability

      Page 329

    • Step 8: No Back Doors

      Page 331

    • Step 9: Secure the Network with a Firewall

      Page 331

    • Step 10: Design for Maintenance

      Page 333

    • Summary

      Page 334

  • + Chapter 14: Threats — Analyze, Prevent, Detect, and Respond

    Page 336

    • + Analyze for Threats and Vulnerabilities

      Page 337

      • Identify and Prioritize

        Page 338

    • + Prevent Attacks by Mitigating Threats

      Page 343

      • Mitigating Threats

        Page 343

    • + Detection

      Page 346

      • Early Detection

        Page 346

      • Detecting That an Attack Has Taken Place or Is in Progress

        Page 347

    • + Respond to an Attack

      Page 350

      • Prepare for a Response

        Page 351

    • Security Threats in the Real World

      Page 351

    • Summary

      Page 352

  • + Chapter 15: Threat Analysis Exercise

    Page 354

    • + Analyze for Threats

      Page 354

      • Allocate Time

        Page 355

      • Plan and Document Your Threat Analysis

        Page 356

      • Create a Laundry List of Threats

        Page 356

      • Prioritize Threats

        Page 361

    • Respond to Threats

      Page 363

    • Summary

      Page 364

  • + Chapter 16: Future Trends

    Page 366

    • + The Arms Race of Hacking

      Page 367

      • No Operating System Is Safe

        Page 369

      • Cyber-Terrorism

        Page 369

      • What Happens Next?

        Page 371

      • + Responding to Security Threats

        Page 373

        • Privacy vs. Security

          Page 373

        • The IPv6 Internet Protocol

          Page 376

        • Government Initiatives

          Page 377

        • Microsoft Initiatives

          Page 377

      • Summary

        Page 379

• Appendix A: Guide to the Code Samples

  Page 380

• Appendix B: Contents of SecurityLibrary.vb

  Page 392

• + Index

  Page 396

  • A

    Page 396

  • B

    Page 398

  • C

    Page 398

  • D

    Page 399

  • E

    Page 401

  • F

    Page 402

  • G

    Page 402

  • H

    Page 402

  • I

    Page 403

  • J

    Page 404

  • K

    Page 404

  • L

    Page 404

  • M

    Page 404

  • N

    Page 405

  • O

    Page 405

  • P

    Page 405

  • Q

    Page 407

  • R

    Page 407

  • S

    Page 407

  • T

    Page 409

  • U

    Page 411

  • V

    Page 411

  • W

    Page 412

  • X

    Page 412

  • Z

    Page 413

Learn the techniques that every developer who works with Visual Basic .NET should know about designing, developing, and developing security-enhanced applications for Microsoft Windows® and the Web. Visual Basic .NET experts Ed Robinson and Mike Bond introduce critical security concepts using straightforward language and step-by-step examples. You get clear, end-to-end guidance--covering application design, coding techniques, testing methods, and deployment strategies, along with direction on how to help secure the operating system and related infrastructure and services.

Discover how to:

• Design a security-enhanced architecture

• Understand the most common vulnerabilities and how to write code to prevent them

• Implement authentication and authorization techniques in your applications

• Learn techniques for encryption, input validation, and exception handling

• Add Windows, Forms, and Passport authentication to Web applications

• Perform a security threat analysis and implement countermeasures

• Think like a hacker--and uncover security holes

• Create a setup for your application that implements security during installation

• Lock down the Windows operating system, Microsoft IIS, Microsoft SQL Server®, and Microsoft Access® databases