Web applications
    hiding unused code, 244–245
    limiting access to code, 246
    locking down file system access in IIS, 297–298
    parameterizing input, 236–237
    reducing attack scope, 247–248
    reducing exposure to attacks, 244–247
Web servers
    ways to gain unauthorized access, 191
    ways to protect secrets, 192–195
Web sites
    as code group membership condition, 371
    preventing information leakage, 314–315
    as type of evidence, 368
web.config file
    cleartext passwords in, 58
    and configuration hierarchy, 98–99
    machineKey setting, 150
    URL authorization, 93–95
.webinfo files, 63
WebPermission class, 375
wildcards, avoiding, 292
Windows Authentication, 276
Windows authentication
    blocking administrator logins, 73–75
    blocking basic authentication without SSL, 70–72
    and client certificate mapping, 69–70
    digest, 67–68
    overview, 65–66
    principal and identity objects, 89
    which method to use, 70–75
Windows principals, 363
WindowsPrincipal object, 388–389
WMI classes, and least privilege principle, 247–248
writing to data files, 296–302