Index
A
account hijacking
assigning temporary passwords, 36–38
avoiding easily guessed credentials, 10–12
blocking brute-force attacks, 78–86
building login forms, 55–58
changing passwords, 25–27
defined, 3, 54
designing secure tokens, 113–117
empowering users, 42–45
enforcing strong passwords, 4–10
and forms authentication, 58–65
keeping tokens alive, 142–144
limiting idle accounts, 16–18
and Passport authentication, 75–78
password aging and history issues, 22–25
protecting cookies, 124–131
resetting lost or forgotten passwords, 28–42
secret questions, 38–42
sending information via e-mail, 34–36
token threats, 111
ways to store passwords, 19–22
and Windows authentication, 65–75
account lockouts, 79–81
accounts, user. See also users
empowering users, 42–45
idle, limiting, 16–18
locking against brute-force attacks, 79–81
administration pages, limiting access to, 246
administrative accounts, as targets, 12
algorithms, selecting, 166–169
aliases, 15. See also usernames
AllowRestrictedChars value, 250
application compromise, and reading and writing to data files, 296–302
application destruction, and reading and writing to data files, 296–302
applications
hiding unused code, 244–245
limiting access to code, 246
locking down file system access in IIS, 297–298
reading and writing to data files, 296–302
reducing attack scope, 247–248
reducing exposure to attack, 243–247
ASA files, vulnerabilities, 227
.asax files, 62
.ascx files, 62
.ashx files, 62
.asmx files, 62
ASP files, vulnerabilities, 227
AspMaxRequestEntityAllowed metabase setting, 249
ASP.NET
authorizing users, 86–102
blocking HTML user input, 231–233
vs. classic ASP, 212
and cryptography, 155–186
enhancing built-in state management features, 135–144
and forms authentication, 58–65
hardening server applications, 248–250
methods for bounds checking, 219–222
methods for storing session states, 119–124
resource filename extensions, 62–63
securing tokens, 110–144
validator controls, 220–222
View State feature, 131–135
and Windows authentication, 65–75
ASP.NET State Service, 119, 120–122
.aspx files, 62
Assert overrides, 380–382
asymmetric cryptography, 155, 156, 177–178, 414
auditing security code, 214
authentication. See also forms authentication; Windows authentication
building login forms, 55–58
C# code, 293, 294–295
database overview, 275–276
defined, 154, 275, 364
list of threats, 54
overview, 55, 364
VB.NET code, 293–294, 295, 296
authentication tokens, 110, 111
authorization
database overview, 278–279
defined, 278, 364
.NET Framework overview, 364
authorizing users, 86–102
.axd files, 62