sa account, 278
salt, adding, 184–186
schema, XML encryption, 334–339
secret questions, 38–42
secrets, protecting, 190–195
secure data access code, writing, 274–302
Secure Sockets Layer (SSL)
blocking basic authentication without, 70–72
and client certificate mapping, 69–70
and cookie security, 130
defined, 196
how it works, 196
processing overhead, 204
protecting communications, 196–198
and rule of least privilege, 272
system requirements, 196–197
security, user threat summary, 2–3. See also security policy summaries
security checks
overriding, 379–385
role-based, 392–396
security policies, 364, 396–399
security policy summaries
brute-force attacks, 86
building login forms, 57–58
changing passwords, 27
connecting to data sources, 279
cookie issues, 131
creating random numbers, 188
credential harvesting, 16
data reflecting, 229
designing secure tokens, 116–117
double decoding, 239
easily guessed credentials, 12
educating users, 44
employing file authorization, 92–93
employing symmetric cryptography, 156–177
encapsulating, 236
encoding data, 233
ensuring least privilege, 272
error handling, 322
exception handling, 241
hardening server applications, 250
honey drops, 243
identifying input sources, 207–211
idle accounts, 18
increasing token security, 144
involving users, 45
keeping memory clean, 190
limiting database attack surface, 270
making session tokens more secure, 141–142
parameterizing, 237
Passport authentication, 78
password aging and history issues, 25
pattern matching, 226
preventing Web site information leakage, 315
programming defensively, 218
protecting communications with SSL, 198
protecting secrets, 195
reading and writing to data files, 302
reducing attack exposure, 247
reducing attack scope, 248
resetting passwords, 33–34
role-based and resource-based user authorization, 91
secret questions, 42
securing database location, 265
securing databases, 274
sending information via e-mail, 36
session state, 123–124
SQL injection attacks, 291
storing passwords, 22
strong passwords, 10
syntax checking, 240
temporary passwords, 37–38
token mechanisms, 119
URL authorization, 99
using forms authentication, 65
validator controls, 222
View State feature, 135
Windows authentication, 75
working with hashing algorithms, 186
writing secure HTML code, 314
writing secure SQL code, 296
XML digital signatures, 357
XML encryption, 348
SecurityPermission class, 375
secutil.exe tool, 417
sensitive information
role of secret questions, 38–42
sending via e-mail, 34–36
Server object
UrlPathEncode method, 232, 233
server-side code, limiting attack scope, 248
server-side code access
defined, 206
double decoding, 237–239
preventing, 227–229
role of honey pots, 241–243
SERVER_NAME server variable, 209, 210
ServerVariables collection, 215, 216
ServerVariables property, 208
ServiceControllerPermission class, 375
session fixation
defined, 111
designing secure tokens, 113–117
keeping tokens alive, 142–144
protecting cookies, 124–131
and View State feature, 131–135
session hijacking
designing secure tokens, 113–117
keeping tokens alive, 142–144
protecting cookies, 124–131
session tokens, destroying, 142–144
sessions
role of tokens, 110–111
terminating, 142–144
Set Registry utility, 417
setreg.exe tool, 417
SHA-1 hashing algorithm
defined, 180
verifying data integrity, 182–183
in web.config file, 58, 59, 61, 62
SHA-256 hashing algorithm, 180
SHA-384 hashing algorithm, 180
SHA-512 hashing algorithm, 180, 203
SHA1CryptoServiceProvider class, 414
shell commands
escaping data, 225–226
exception handling, 241
side-channel leakage, 155
signatures, digital. See digitally signed XML documents
signcode.exe tool, 417
signing XML data, 348–357
SiteIdentityPermission class, 375
skip verification, as code group membership condition, 371
sn.exe tool, 417
Snort, 242
.soap files, 62
social engineering
and administrative accounts, 12
empowering users, 42–45
preventing credential harvesting, 13–16
preventing information leaks, 314–315
SocketPermission class, 375
Software Publisher Certificate Test utility, 416
SQL, writing secure code, 291–296
SQL Authentication, 276–277
SQL injection
building login forms, 55–58
escaping data, 225–226
examples, 280–285
filtering and escaping dangerous characters, 285–287
parameterizing, 236–237
preventing, 280–291
role of honey pots, 241–243
SQL query strings, 280–281
SQL Server
application roles, 279
database authorization, 278–279
fixed database roles, 279
managing session state, 119, 122–123
recording login attempts, 267–268
and rule of least privilege, 271
user-defined database roles, 279
SQL statements
Catch statement, 290
escaping data, 225–226
role of SQLParameter collection, 287–288
syntax checking, 239–240
Try statement, 290
SqlClientPermission class, 375
SQLParameter collection, 287–288
stack walking, 366–367
state, session
checklist for secure token design, 113–117
client vs. server management and storage, 150
enhancing built-in ASP.NET features, 135–144
maintaining, 113–124
managing with ASP.NET State Service, 119, 120–122
managing with SQL Server, 119, 122–123
methods for storing, 119–124
and session termination, 142–144
and token mechanisms, 117–119
storeadm.exe tool, 417
stored procedures, when to use, 292
storing passwords, 19–22
strict data typing, enabling, 212–213
strong data typing, enabling, 212–213
Strong Name utility, 417
strong names
as code group membership condition, 371
as type of evidence, 368
strong passwords, enforcing, 4–10
StrongNameIdentityPermission class, 375
structured error handling, 318–322
summaries. See code audit summaries; coding standards summaries; security policy summaries
symmetric cryptography
vs. asymmetric cryptography, 177
establishing keys, 170–173
key algorithms, 414
layering ciphers, 167–169
role of initialization vector, 170, 173–176
security policy summary, 177
selecting algorithms, 166–169
SymmetricAlgorithm class, 163
syntax errors, 317
System.Random class, 187