Improving Web Application Security: Threats and - CGISecurity

More documents

Recommendations

Info

420 Part IV: Securing Your Network, Host, and ApplicationAdditional ResourcesFor more information, see the following articles:● “Network Ingress Filtering” at http://www.rfc-editor.org/rfc/rfc2267.txt.●●●●“Improving Security on Cisco Routers” at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml.“Configuring Broadcast Suppression” at http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800eb778.html.“Cisco IOS Intrusion Detection System Software App Overview”at http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns292/networking_solutions_white_paper09186a008010e5c8.shtml.”Configuring VLANs” at http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e1.html#1020847.
16Securing Your Web ServerIn This Chapter●●●●OverviewA proven methodology to secure Web serversAn explanation of the most common Web server security threatsSteps to secure your serverA reference table that illustrates a secure Web serverA secure Web server provides a protected foundation for hosting your Webapplications, and Web server configuration plays a critical role in your Webapplication’s security. Badly configured virtual directories, a common mistake, canlead to unauthorized access. A forgotten share can provide a convenient back door,while an overlooked port can be an attacker’s front door. Neglected user accountscan permit an attacker to slip by your defenses unnoticed.What makes a Web server secure? Part of the challenge of securing your Web serveris recognizing your goal. As soon as you know what a secure Web server is, you canlearn how to apply the configuration settings to create one. This chapter provides asystematic, repeatable approach that you can use to successfully configure a secureWeb server.The chapter begins by reviewing the most common threats that affect Web servers.It then uses this perspective to create a methodology. The chapter then puts themethodology into practice, and takes a step-by-step approach that shows you how toimprove your Web server’s security. While the basic methodology is reusable acrosstechnologies, the chapter focuses on securing a Web server running the MicrosoftWindows 2000 operating system and hosting the Microsoft .NET Framework.
Page 1:
Improving WebApplication SecurityTh
Page 4 and 5:
Information in this document, inclu
Page 6 and 7:
viImproving Web Application Securit
Page 8 and 9:
viiiImproving Web Application Secur
Page 10 and 11:
xImproving Web Application Security
Page 12 and 13:
xiiImproving Web Application Securi
Page 14 and 15:
xivImproving Web Application Securi
Page 16 and 17:
xviImproving Web Application Securi
Page 18 and 19:
xviiiImproving Web Application Secu
Page 20 and 21:
xxImproving Web Application Securit
Page 22 and 23:
xxiiImproving Web Application Secur
Page 27 and 28:
Contents xxvii.NET Remoting Securit
Page 29 and 30:
Contents xxixStaying Secure (contin
Page 31 and 32:
Contents xxxiASP.NET Architecture o
Page 33 and 34:
Contents xxxiiiSummary ............
Page 35 and 36:
Contents xxxvIndex of Checklists 68
Page 37 and 38:
Contents xxxviiChecklistSecuring Da
Page 39 and 40:
Contents xxxixHow ToIndex 743How To
Page 41 and 42:
Contents xliRestricting Server-to-S
Page 43 and 44:
ForewordsForeword by Mark CurpheyWh
Page 45 and 46:
Forewords xlvForeword by Joel Scamb
Page 47:
Forewords xlviiFinally, techniques
Page 50 and 51:
lImproving Web Application Security
Page 52 and 53:
liiImproving Web Application Securi
Page 54 and 55:
livImproving Web Application Securi
Page 56 and 57:
lviImproving Web Application Securi
Page 58 and 59:
lviiiImproving Web Application Secu
Page 60 and 61:
lxImproving Web Application Securit
Page 62 and 63:
lxiiImproving Web Application Secur
Page 64 and 65:
lxivImproving Web Application Secur
Page 66 and 67:
lxviImproving Web Application Secur
Page 68 and 69:
lxviiiImproving Web Application Sec
Page 70 and 71:
lxxImproving Web Application Securi
Page 72 and 73:
lxxiiImproving Web Application Secu
Page 75 and 76:
Fast Track — How To Implementthe
Page 77 and 78:
Fast Track — How To Implement the
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85:
Part IIntroduction to Threats andCo
Page 88 and 89:
4 Part I: Introduction to Threats a
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
10 Part I: Introduction to Threats
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 129 and 130:
3Threat ModelingIn This Chapter●
Page 131 and 132:
Chapter 3: Threat Modeling 47Threat
Page 133 and 134:
Chapter 3: Threat Modeling 49Archit
Page 135 and 136:
Chapter 3: Threat Modeling 51Figure
Page 137 and 138:
Chapter 3: Threat Modeling 53Identi
Page 139 and 140:
Chapter 3: Threat Modeling 55Docume
Page 141 and 142:
Chapter 3: Threat Modeling 57●●
Page 143 and 144:
Chapter 3: Threat Modeling 59●●
Page 145 and 146:
Chapter 3: Threat Modeling 61Note I
Page 147 and 148:
Chapter 3: Threat Modeling 63Risk =
Page 149 and 150:
Chapter 3: Threat Modeling 65Table
Page 151:
Part IIDesigning SecureWeb Applicat
Page 154 and 155:
70 Part II: Designing Secure Web Ap
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
100 Part II:Designing Secure Web Ap
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 211:
Part IIIBuilding Secure WebApplicat
Page 214 and 215:
130 Part III: Building Secure Web A
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 265 and 266:
8Code Access Security in PracticeIn
Page 267 and 268:
Chapter 8: Code Access Security in
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 332 and 333:
Page 334 and 335:
Page 336 and 337:
Page 338 and 339:
Page 340 and 341:
Page 342 and 343:
Page 344 and 345:
Page 346 and 347:
Page 348 and 349:
Page 350 and 351:
Page 352 and 353:
Page 354 and 355:
Page 356 and 357:
Page 358 and 359:
Page 360 and 361:
Page 362 and 363:
Page 364 and 365:
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
Page 372 and 373:
Page 374 and 375:
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 383 and 384:
11Building Secure ServicedComponent
Page 385 and 386:
Chapter 11: Building Secure Service
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
Page 399 and 400:
Page 401:
Page 404 and 405:
Page 406 and 407:
Page 408 and 409:
Page 410 and 411:
Page 412 and 413:
Page 414 and 415:
Page 416 and 417:
Page 418 and 419:
Page 420 and 421:
Page 422 and 423:
Page 424 and 425:
Page 426 and 427:
Page 428 and 429:
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 448 and 449:
Page 450 and 451:
Page 452 and 453:
Page 454 and 455: 370 Part III: Building Secure Web A
Page 485: Part IVSecuring Your Network,Host,
Page 488 and 489: 404 Part IV: Securing Your Network,
Page 554 and 555:
470 Part IV: Securing Your Network,
Page 556 and 557:
Page 558 and 559:
Page 560 and 561:
Page 562 and 563:
Page 564 and 565:
Page 566 and 567:
Page 568 and 569:
Page 570 and 571:
Page 572 and 573:
Page 574 and 575:
Page 576 and 577:
Page 578 and 579:
Page 580 and 581:
Page 582 and 583:
Page 585 and 586:
18Securing Your Database ServerIn T
Page 587 and 588:
Chapter 18: Securing Your Database
Page 589 and 590:
Page 591 and 592:
Page 593 and 594:
Page 595 and 596:
Page 597 and 598:
Page 599 and 600:
Page 601 and 602:
Page 603 and 604:
Page 605 and 606:
Page 607 and 608:
Page 609 and 610:
Page 611 and 612:
Page 613 and 614:
Page 615 and 616:
Page 617 and 618:
Page 619 and 620:
Page 621 and 622:
Page 623 and 624:
Page 625:
Page 628 and 629:
Page 630 and 631:
Page 632 and 633:
Page 634 and 635:
Page 636 and 637:
Page 638 and 639:
Page 640 and 641:
Page 642 and 643:
Page 644 and 645:
Page 646 and 647:
Page 648 and 649:
Page 650 and 651:
Page 652 and 653:
Page 654 and 655:
Page 656 and 657:
Page 658 and 659:
Page 660 and 661:
Page 662 and 663:
Page 664 and 665:
Page 666 and 667:
Page 668 and 669:
Page 670 and 671:
Page 672 and 673:
Page 674 and 675:
Page 676 and 677:
Page 678 and 679:
Page 680 and 681:
Page 682 and 683:
Page 684 and 685:
Page 686 and 687:
Page 689 and 690:
21Code ReviewIn This Chapter●●
Page 691 and 692:
Chapter 21: Code Review 607For exam
Page 693 and 694:
Chapter 21: Code Review 609Identify
Page 695 and 696:
Chapter 21: Code Review 611Check to
Page 697 and 698:
Chapter 21: Code Review 613Check th
Page 699 and 700:
Chapter 21: Code Review 615Buffer O
Page 701 and 702:
Chapter 21: Code Review 617Is Your
Page 703 and 704:
Chapter 21: Code Review 619●Does
Page 705 and 706:
Chapter 21: Code Review 621Do You S
Page 707 and 708:
Chapter 21: Code Review 623The foll
Page 709 and 710:
Chapter 21: Code Review 625●Do yo
Page 711 and 712:
Chapter 21: Code Review 627●Do yo
Page 713 and 714:
Chapter 21: Code Review 629●●Is
Page 715 and 716:
Chapter 21: Code Review 631Do You V
Page 717 and 718:
Chapter 21: Code Review 633Do You S
Page 719 and 720:
Chapter 21: Code Review 635Do You E
Page 721 and 722:
Chapter 21: Code Review 637Check th
Page 723 and 724:
Chapter 21: Code Review 639Do You P
Page 725 and 726:
Chapter 21: Code Review 641Search f
Page 727 and 728:
22Deployment ReviewIn This Chapter
Page 729 and 730:
Chapter 22: Deployment Review 645Pa
Page 731 and 732:
Chapter 22: Deployment Review 647
Page 733 and 734:
Page 735 and 736:
Chapter 22: Deployment Review 651Re
Page 737 and 738:
Chapter 22: Deployment Review 653Fo
Page 739 and 740:
Page 741 and 742:
Chapter 22: Deployment Review 657Ma
Page 743 and 744:
Page 745 and 746:
Chapter 22: Deployment Review 661Th
Page 747 and 748:
Chapter 22: Deployment Review 663Th
Page 749 and 750:
Chapter 22: Deployment Review 665Ac
Page 751 and 752:
Page 753 and 754:
Chapter 22: Deployment Review 669Ho
Page 755 and 756:
Page 757 and 758:
Chapter 22: Deployment Review 673Fi
Page 759 and 760:
Chapter 22: Deployment Review 675Au
Page 761 and 762:
Chapter 22: Deployment Review 677SQ
Page 763 and 764:
Page 765 and 766:
Related Security ResourcesRelated M
Page 767 and 768:
Related Security Resources 683Commu
Page 769:
Related Security Resources 685Commo
Page 772 and 773:
688 Improving Web Application Secur
Page 774 and 775:
Page 776 and 777:
Page 778 and 779:
Page 780 and 781:
Page 782 and 783:
Page 784 and 785:
Page 786 and 787:
Page 788 and 789:
Page 790 and 791:
Page 793 and 794:
Checklist:Securing Enterprise Servi
Page 795:
Checklist: Securing Enterprise Serv
Page 798 and 799:
Page 801 and 802:
Checklist:Securing Data AccessHow t
Page 803:
Checklist: Securing Data Access 719
Page 806 and 807:
Page 808 and 809:
Page 810 and 811:
Page 812 and 813:
Page 814 and 815:
Page 816 and 817:
Page 819 and 820:
Checklist:Security Review for Manag
Page 821 and 822:
Checklist: Security Review for Mana
Page 823 and 824:
Page 825:
Page 829 and 830:
How To:Implement Patch ManagementAp
Page 831 and 832:
How To: Implement Patch Management
Page 833 and 834:
Page 835 and 836:
Page 837 and 838:
Page 839 and 840:
How To:Harden the TCP/IP StackAppli
Page 841 and 842:
How To: Harden the TCP/IP Stack 757
Page 843 and 844:
Page 845 and 846:
Page 847:
Page 850 and 851:
Page 852 and 853:
Page 854 and 855:
Page 856 and 857:
Page 858 and 859:
Page 861 and 862:
How To:Use IPSec for Filtering Port
Page 863 and 864:
How To: Use IPSec for Filtering Por
Page 865 and 866:
Page 867 and 868:
Page 869 and 870:
Page 871 and 872:
How To:Use the Microsoft BaselineSe
Page 873 and 874:
How To: Use the Microsoft Baseline
Page 875 and 876:
Page 877:
Page 880 and 881:
Page 882 and 883:
Page 885 and 886:
How To:Use URLScanApplies ToSummary
Page 887 and 888:
How To: Use URLScan 803Throttling R
Page 889 and 890:
How To:Create a CustomEncryption Pe
Page 891 and 892:
How To: Create a Custom Encryption
Page 893 and 894:
Page 895 and 896:
Page 897 and 898:
Page 899 and 900:
Page 901 and 902:
Page 903 and 904:
Page 905 and 906:
Page 907 and 908:
How To:Use Code Access Security Pol
Page 909 and 910:
How To: Use Code Access Security Po
Page 911 and 912:
Page 913 and 914:
Page 915:
Page 918 and 919:
patterns & practicesProven practice
show all

Improving Web Application Security: Threats and - CGISecurity

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?