Introduction

xxi

Part I Introduction to .NET Security

(66)

Chapter 1 Understanding .NET Security

(20)

An Overview of .NET Framework Enhancements

(6)

Using Role-based Security

(2)

Executing Code in the Managed Environment

(2)

Security Problems .NET Can't Stop

(7)

Stupid User Tricks

(1)

Some External Forces

(1)

Poorly Patched Systems

(1)

Inept Enterprise Policies

(2)

Windows File Protection Vulnerabilities

(1)

.NET Framework Security Architecture Considerations

(3)

Securing the Binary Output

(1)

Understanding the Effects of Garbage Collection

(1)

Considering the Requirements of Object-Oriented Programming

(1)

Understanding Native Code Access Concerns

(2)

Summary

(2)

Chapter 2 .NET Framework Security Overview

(28)

Locating the Security Information You Need

(4)

Dealing with Patches

(1)

Locating General Security Tips for Everyone

(1)

Finding .NET Framework Specific Security Tips

(1)

Understanding the System.Runtime.Remoting.Contexts Namespace

(3)

Contexts Namespace Overview

(1)

SynchronizationAttribute Attribute Example

(2)

Understanding the System.Security Namespace

(4)

Security Namespace Overview

(1)

SecurityManager Class Example

(3)

Understanding the System.Security.Cryptography Namespace

(4)

Cryptography Namespace Structure Overview

(1)

Cryptography Namespace Structure Example

(3)

Understanding the System.Security.Permissions Namespace

(1)

Understanding the System.Security.Policy Namespace

(1)

Understanding the System.Security.Principal Namespace

(1)

Understanding the System.Web.Security Namespace

(1)

Understanding the System.DirectoryServices Namespace

(9)

DirectoryServices Namespace Overview

(1)

DirectoryServices Namespace Example

(8)

Summary

(1)

Chapter 3 Avoiding Common Errors and Traps

(16)

Preventing Data Entry Errors

(8)

Putting the Time back into Access

(1)

Checking the Data Range

(2)

Checking the Data Length

(2)

Keeping Unnecessary Characters Controlled

(2)

Providing Precise Help

(1)

Stopping Buffer Overruns

(1)

Understanding How Buffer Overruns Work

(1)

Keeping Exploits Controlled

(1)

Controlling Access

(2)

Understanding Code Access Control Issues

(1)

Understanding User Access Control Issues

(1)

Setting Privileges Appropriately

(1)

Avoiding Canonical Representation Issues

(1)

Summary

(3)

Part II Desktop and LAN Security

(164)

Chapter 4 .NET Role-Based Security Techniques

(38)

Understanding How .NET Role-Based Security Differs

(13)

Defining Code Access Security versus Role-based Security

(4)

Defining Membership and Evidence

(2)

Using Permission Objects

(4)

Using Principal and Identity Objects

(2)

Using the Permission View Tool

(4)

Using the .NET Framework Configuration Tool

(5)

Working with Code Groups

(2)

Creating and Defining Permission Sets

(1)

Defining Policy Assemblies

(1)

Adding Configured Applications

(1)

Defining Effective Declarative Security

(1)

Defining Effective Imperative Security

(1)

Securing the Registry

(5)

Using the RegistryPermission Class

(3)

A Word about Registry Security

(1)

Developing a Secure Desktop Application Installation

(8)

Using the StrongNameIdentityPermission Class

(5)

Using the System.Reflection.Assembly.Evidence Property

103

(3)

Summary

106

(1)

Chapter 5 Policies and Code Groups in Detail

107

(40)

Using the Code Access Security Policy Tool

108

(10)

Listing the Permissions and Code Groups

109

(2)

Making Group Modifications

111

(2)

Making Permission Modifications

113

(3)

Adding an Assembly

116

(1)

Resolving Security Errors in Assemblies

117

(1)

Using the .NET Wizards

118

(1)

Using Code Groups

118

(21)

Understanding the Default Groups

119

(1)

Working with Code Groups

120

(8)

Adding New Permissions

128

(11)

Using Policy Objects

139

(6)

Installing a New Permission

140

(2)

Creating a Code Group Based on the Permission

142

(1)

Designing a Named Permission Test Program

143

(2)

Summary

145

(2)

Chapter 6 Validation and Verification Issues

147

(24)

Ensuring Trust in the Managed Environment

148

(1)

Validating Your Code

149

(11)

Checking the Intermediate Language (IL) Code

150

(1)

Validating the Standard Check

151

(1)

Circumventing and Fixing the Standard Check

152

(4)

Protecting Your Code with Dotfuscator

156

(3)

Creating a Security Deployment Package

159

(1)

Relying on the AppDomain for Managed Code

160

(4)

Accessing Another Application

160

(3)

Understanding Component Access Problems

163

(1)

Extending the AppDomain to Unmanaged Code

164

(5)

Working with External Functions

165

(2)

Working with External Programs

167

(2)

Summary

169

(2)

Chapter 7 .NET Cryptographic Techniques

171

(32)

Administering the Cryptographic Settings

172

(12)

Using the Certification Authority Utility

173

(6)

Managing the Cryptographic Classes

179

(5)

Understanding the Supported Cryptographic Methods

184

(3)

Beware of the Cracked Symmetric Algorithm

185

(1)

Learning about the Asymmetric Algorithm

186

(1)

Encrypting and Decrypting Files

187

(9)

Using Symmetric Cryptography

187

(2)

Using Asymmetric Cryptography

189

(6)

Deriving a Key from a Password

195

(1)

Using the System.Security.Cryptography.X5O9Certificates Namespace

196

(3)

Using Hash Functions

199

(1)

Summary

200

(3)

Chapter 8 LAN Security Requirements

203

(28)

Working with Sockets

205

(7)

Using the SocketPermission Class

205

(4)

Using the Secure Socket Layer (SSL) Protocol

209

(1)

Using the System.Net.NetworkCredential and System.Net.CredentialCache Classes

210

(2)

Understanding RPC Security

212

(1)

Working with DCOM

213

(7)

Maintaining Control with COM Attributes

214

(2)

Developing a Component with Attributes

216

(1)

Creating a Test Application

217

(3)

Developing a Secure Server Application Installation

220

(1)

Working with COM+

220

(9)

Creating a COM+ Component

221

(2)

Working with the SecurityCallContext Class

223

(2)

Adding Security to a COM+ Application

225

(4)

Summary

229

(2)

Part III Web-based Security

231

(104)

Chapter 9 Web Sever Security

233

(30)

Keeping the Server Safe

235

(14)

Authentication Techniques

236

(10)

Authorization Techniques

246

(3)

Communication with Other Servers

249

(1)

Administering the Server

249

(4)

Using the Microsoft Baseline Security Analyzer

250

(2)

Using the IIS Lockdown Tool

252

(1)

Avoiding Distributed Denial of Service (DDOS) Attacks

253

(5)

Don't Process Out-of-Band (OOB) Messages

254

(1)

Using the Performance Counter Approach

254

(4)

Overcoming Apparent Communication Errors

258

(1)

Using Web-based Application Testing Techniques

259

(1)

Developing a Secure Web-based Application Installation

260

(1)

Summary

261

(2)

Chapter 10 Web Data Security

263

(36)

Defining the Database Connection

264

(13)

Securing the DBMS

265

(2)

Developing a Database Application

267

(10)

Stemming the Tide of Leaking Information

277

(1)

Implementing Data Encryption

278

(1)

Understanding Remoting and Data Encryption

279

(15)

Understanding Automatic Deserialization

280

(1)

Understanding Remoting and Code Access Security

281

(2)

Creating a Remoting Component

283

(3)

Creating a Remoting Host Application

286

(2)

Creating a Remoting Client Application

288

(5)

Using HttpChannel Security

293

(1)

Using SSL to Communicate Credentials

294

(4)

Adding SSL Support to a Server

294

(2)

Creating an SSL Application

296

(2)

Summary

298

(1)

Chapter 11 Securing XML and Web Services

299

(36)

Securing Web Services

301

(11)

XML and Security

302

(1)

Web Service Proxy Security Considerations

303

(2)

Working with SoapHttpClientProtocol Class Security

305

(3)

Working with DiscoveryClientProtocol Class Security

308

(4)

Using the System.Security.Cryptography.Xml Namespace

312

(6)

Understanding the System.Security.Cryptography.Xml Namespace

313

(1)

Creating and Verifying XML Digital Signatures

314

(4)

Working with WS-Security

318

(2)

Working with the eXtensible Access Control Markup Language

320

(1)

Using the Visual Studio .NET Passport Features

321

(4)

Passport Features in the System.Web.Security Namespace

323

(1)

A Simple Passport Example

323

(2)

Using the Web Service Features of COM+ 1.5

325

(7)

Performing the Application Setup

326

(2)

Creating a Simple COM+ Test Application

328

(4)

Verifying the Application Is Safe

332

(1)

Summary

332

(3)

Part IV Other Security Topics

335

(104)

Chapter 12 Active Directory Security

337

(26)

Monitoring Active Directory

338

(5)

Using the AD SI Viewer Utility

339

(3)

Other Active Directory Tools

342

(1)

Using Active Directory in Place of the Registry

343

(2)

Understanding Domain Trust Relationships

345

(8)

Defining the Domain Trust Issues

345

(1)

Working Directly with the Domain Controller

346

(7)

Managing Directory Services

353

(9)

Using Declarative Active Directory Security

353

(1)

Using Imperative Active Directory Security

354

(3)

Defining Write Access to Active Directory

357

(5)

Summary

362

(1)

Chapter 13 Wireless Device Security

363

(26)

.NET Compact Framework Security Considerations

365

(9)

Understanding Wireless Security Issues

365

(2)

Discovering Which Classes Apply to Both Environments

367

(2)

Developing a Simple .NET Compact Framework Program

369

(5)

The Two Environments of Wireless Programs

374

(6)

Overcoming Direct Execution Problems

375

(1)

Avoiding Browser-Based Application Issues

376

(4)

Effects of Security Policy on Mobile Applications

380

(1)

Component Calling Limitations

381

(1)

Using the System.Web.Security Namespace

382

(4)

Defining File Security Using the FileAuthorizationModule Class

383

(1)

Defining Form Security Using the FormsAuthentication Class

384

(2)

Summary

386

(3)

Chapter 14 Win32 API Overview

389

(24)

Knowing When to Use the Win3 2 API

391

(4)

Win32 API and .NET Framework Differences

391

(1)

Avoiding Dangerous APIs

392

(3)

Understanding the Windows Security API

395

(4)

Considering Access Problems with the Win32 API

399

(2)

Using the Run As Windows Feature

399

(1)

Understanding Resources Both Granted and Denied

400

(1)

Using the Access Control Editor

401

(2)

Using the Security Configuration Editor

403

(2)

Working with SIDs

405

(3)

Accessing an ACE Directly

408

(3)

Summary

411

(2)

Chapter 15 Win32 API Advanced Techniques

413

(26)

Working with the DACZ

414

(4)

Working with the SACL

418

(7)

Writing the Auditing Code

418

(5)

Running the Application

423

(1)

Considering a Security Setting Alternative

424

(1)

Securing Controls and Components

425

(1)

Securing Files

426

(3)

Using the RegGetKeySecurity() and RegSetKeySecurity() Functions

429

(3)

Working with Remote Unmanaged Components

432

(5)

Setting Up the General DCOM Environment

432

(2)

Using the General DCOM Security Options

434

(1)

Working with Component Level Security

435

(1)

Setting the Authentication Level

436

(1)

Summary

437

(2)

Glossary

439

(16)

Index

455

Rent More, Save More! Use code: ECRENTAL

Rent More, Save More! Use code: ECRENTAL

5% off 1 book, 7% off 2 books, 10% off 3+ books

.NET Development Security Solutions

Summary

Author Biography

Table of Contents

Supplemental Materials

Rewards Program