Improving Web Application Security: Threats and Countermeasures

W

W3C
    security FAQ, 685
    XML encryption standard, 337

Web anonymous users groups, 436

Web application group, 436

Web applications
    architecture and design issues, 70–71
    auditing and logging, 95–96
    authentication practices, 81
    authorization, 83
    configuration management of, 86–87
    creating, 827
    design issues, 71
    groups, 436
    security policies, 73
    session management, 90–91
    vulnerabilities, 71–72

Web controls and user controls
    in ASP.NET, 263
    in input validation, 263–272
    regular expressions, 264–265

Web facing administration interfaces, 412

Web farms
    ASP.NET application and Web services, 584
    checklists, 702
    deployment issues, 104
    keys, 571

Web method authorization
    HttpContext.User, 336
    secure Web services, 336

Web pages and controls
    code injection, 255–256
    design considerations, 260–263
    input sanitizing, 269
    overview, 253–254
    parameter manipulation, 258–259
    session hijacking, 256–257
    threats and countermeasures, 254–255
    URL authorization, 279
    Web site partitioning, 278

Web permissions
    Web server configuration, 654
    Web servers, 455–456

Web process identity, 554

Web servers, 466–469
    building, 432
    checklists, 723–728
    configuration categories, 427
    configuration deployment review, 644–651
    configuration Enterprise Services, 664–668
    configuration with Machine.config, 657–663
    methodology for securing, 426–429
    overview, 421–422
    remote administration, 471–473
    restricting communication, 779–782
    running the .NET Framework, lxviii
    service packs and patches, 470
    simplifying and automating security, 473–474
    snapshot of ideal security configuration, 466–469
    staying secure, 469
    steps for securing Web servers, 433
    threats and countermeasures, 422–423
    using IPSec to limit communication with, 779

Web Service Description Language. See WSDL

Web Service Endpoint Authorization, 336

Web services
    application server, 481, 485
    ASP.NET, 248–249, 573–575
    auditing and logging, 341
    authentication, 332–335
    authorization, 335–336
    checklists, 705–707
    code access security, 212, 342
    code review, 634–635
    constraining connections, 212
    deployment, 103, 343
    design considerations, 324–325
    endpoint authorization, 336
    exception management, 339–340
    facade layer to communicate with Enterprise Services, 315
    how to secure, lxix
    input validation, 326–331
    network service accounts, 325
    overview, 319–320
    parameter manipulation, 339
    proxy, 333
    proxy considerations, 341–342
    sensitive data, 337–339
    serviced components, 315
    threats and countermeasures, 320–321
    <trust> element, 326
    types of exceptions, 339
    UrlAuthorizationModule files, 336
    Web server configuration, 663–664

Web Services Enhancements 1.0, 319–320

Web sites
    communities and newsgroups, 683–685
    locations, 653
    Microsoft Security-Related, 681–682
    notification, 684
    partitioning, 561, 634
    partitioning Web pages and controls, 261, 278
    Third-Party Security-Related Web Sites, 682

Web.config
    ACLs, 555
    ASP.NET application and Web services, 547–555
    how to make settings more secure, lxviii
    plaintext in, 621
    secure forms authentication in, 277

WebDAV, 439
    protocol, 440
    and protocol review, 646

WebMethod attribute, 326

WebPermission, 143, 212, 342
    in partial trust Web applications, 232

WebPermissionAttribute class, 212

<wellknown> element, 359–360

Win32 DLLs, 169

Windows 2000
    application isolation features, 590
    ASP.NET architecture, 591–592

Windows
    authentication, 384, 553, 566
    authentication accounts, 672
    authentication and code review, 640
    authentication and data access, 373, 379
    authentication and Enterprise Services applications, 304
    authentication to the state database, 662
    authentication with file authorization, 284
    authentication with HttpContext.User, 284
    authentication, and ASP.NET, 355
    guest accounts, 516
    installation with service packs, 433
    service, 486
    updating, 768

Windows Server 2003
    application isolation features for, 590
    on ASP.NET architecture, 592–594

Windows Update
    for acquiring patches, 751–752
    to secure developer workstations, 768

Windows-only authentication, 527–528

WindowsIdentity type, 141

WindowsPrincipal type, 141

Winreg key, 450

work item reports, 66

World Wide Web Consortium. See W3C

worms
    application server, 478–479
    described, 21, 426

.Write, 609–610

write and execute permissions, 455

write permissions, 456

WSDL
    ASP.NET application and Web services, 574–575
    and configuration data, 323
    restricting access to, 664

WSE
    authentication solutions, 325
    privacy and integrity requirements, 325