Improving Web Application Security: Threats and Countermeasures

I

ICMP

common messages, 410

protecting against attacks, 759

screening from the internal network, 410–411

IDC, 302

identifier exchange, 118

identity, 594–599

<identity> element

ASP.NET application and Web services, 558–559

encrypting credentials for, 559

impersonation, 286

Web server configuration, 660

identity flow, 96

identity obfuscation. See spoofing

identity objects

per authentication type, 134

role-based security, 134

identity permissions, 184

identity (run as), 493

identity spoofing

described, 257

Web pages and controls, 257–258

<identity username="" password="" />, 546

IDisposable, 617

IDS. See Intrusion Detection Systems

IIS 5, ASP.NET architecture on Windows 2000, 591

IIS 6

allow IIS to control password option, 597

ASP.NET architecture on Windows 2000, 592–593

IIS

anonymous account, 446–447

to configure virtual directory, 332

developer workstations, 770–771

file extensions, 457

hosting, 486–487

installation defaults, 430

installed on an NTFS volume, 648

log files, 452

metabase, 429, 460, 656

metabase checklists, 727

metabase vulnerabilities, 429

and .NET Framework installation considerations, 430–432

for programmatic impersonation, 286–287

securing for developer workstations, 770–772

turning off anonymous authentication, 355

W3C extended log file format auditing, 453

web server configuration, 652–656

IISlockd.exe, 435–436

IISLockdown. See also IISLockdown.exe

checklists, 723

securing for developer workstations, 770–771

undoing changes, 798

URLScan without, 437–438

Web server configuration, 652

Web servers, 435

IISLockdown.exe

described, 795–796

how to use, 795–799

installing, 796

running, 797

Ildasm.exe, 607

ILease interface, 364

imperative principal permission demands, 285

imperative security, 135–136, 624

impersonation. See also <identity> element

of anonymous accounts, 595–597

application server, 497

ASP.NET, 286

ASP.NET application and Web services, 546–547, 558–559

and ASP.NET applications, 286

checklist, 711

code, 618

of fixed identities, 286, 597–599

impersonation levels

choosing, 666–667

code review, 636–637

configuring with <processModel> element, 306

serviced components, 306–307

impersonation model providing per end user authorization granularity, 84

impersonation tokens, 172

ImpersonationLevel=ImpersonationLevelOption.Identify, 306–307

implementation technologies, 52

indexes

of checklists, 687–688

of "how to" articles, 743

information disclosure, 17

assemblies, 148

described, 259

Web pages and controls, 259–260

information gathering

described, 18–19

network security, 405

infrastructure

checklists, 689

restrictions on security, 103

ingress and egress filtering, 410

inheritance

restricted, 198

restricting, 198

inheritance hierarchy, 806

innerHTML property, 277, 613

innerText property, 277, 613

input

assuming maliciousness of, 75

centralizing, 75

constraining, 77, 264, 376

fields, 610

file names, 164

rejection, 77

sanitizing, 78–79, 269

validation, 24–25

validation for Web applications, 74–77

where to constrain, 79

input parameters

System.Text.RegularExpressions.Regex for validating, 293

validating, 293

input validation

centralized approach, 75

checklist, 690, 705, 715

checklists, 696

for cross-site scripting, 273

data access, 376

how to perform, lxvii

remoted objects, 353

secure Web services, 326–331

server-side, 260

strategy, 77

vulnerabilities, 105–107

in Web controls and user controls, 263–272

insecure defaults, 417

installation

production server considerations, 729

Web server recommendations, 432

integrated Windows authentication, 332–333

integrity

as element of security, 5

on the network, 399

requirements, 325

interactive accounts, 665

interfaces

explicit, 627

and link demands, 202

unused, 412

intermediate language, 130–131

internal DNS servers, 414

internal networks, 410–411

Internet

clients and remoting, 668

deployment, 344

remoted objects, 352

Web applications, 74

zone permissions, 465

Internet Data Center. See IDC

intersections, 187–188

intranet

deployment, 343

traffic, 449

Web applications, 74

introduction, vlviilii

Intrusion Detection Systems, 413, 679

network security, 413

IP addresses

and calling Web services, 249–250

restrictions, 654

revealing, 656

IP filter lists, 778, 780

IP networks, 417

<IPermission> element, 229

IPrincipal objects

passed from the client, 358

TCPChannel considerations, 353

unauthorized access, 350

IPrincipal.IsInRole, 285–286, 336

method, 137

IPSec

creating and applying policy, 781–782

for filtering ports and authentication, 777–786

and firewalls, 778

for machine level access control, 359

remoted objects, 361

with the TCPChannel, 481

tools, using, 785

using for filtering ports and authentication, 777–786

using tools, 785

IPSecpol.exe, 785

ISAPI filters

checklists, 727

vulnerabilities, 429

Web server configuration, 655

Web servers, 429, 459–460

IsCallerInRole method, 313

ISerializable interface, 218, 618

ISerializable.GetObjectData implementation, 218

IsolateApps setting, 601

IsolatedStorageFilePermission, 142, 233

IsolatedStoragePermission, 142, 193

IUnrestrictedPermission interface, 199, 805

IUSR accounts, 443
