Improving Web Application Security: Threats and - CGISecurity

More documents

Recommendations

Info

766 Improving Web Application Security: Threats and Countermeasures●●IISLockdown. The IISLockdown tool reduces your computer’s attack surface byhardening default IIS and Windows configuration settings and by removingunnecessary IIS extensions. IISLockown also installs the “404.dll” ISAPI filter,which is used to report “404 File Not Found” messages when disabled extensionsare requested.You can download the IISLockdown tool from http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe.URLScan. URLScan is an ISAPI filter that rejects or allows HTTP requests basedon a configurable set of rules. It is integrated with IISLockdown, although you canalso download it separately. It comes with customizable templates for eachsupported server role.To install URLScan without IISLockdown, see Microsoft Knowledge Basearticle 307608, “INFO: Availability of URLScan Version 2.5 Security Tool,”at http://support.microsoft.com/default.aspx?scid=kb;en-us;307608, in theMicrosoft Knowledge Base.Steps to Secure Your Developer WorkstationTo secure your developer workstation, perform the following tasks:●●●●●●Run using a least privileged accountPatch and updateSecure IISSecure SQL Server and MSDEEvaluate your configuration categoriesStay secureRun Using a Least-Privileged AccountYou should develop applications using a non administrator account. Doing so isimportant primarily to limit the exposure of the logged on user and to help you todesign more secure software. For example, if you design, develop, and test anapplication while you are interactively logged in as an administrator, you are muchmore likely to end up with software that requires administrative privileges to run.You should not generally log on using the local administrator account. The accountthat you use on a daily basis should not be a member of the local Administratorsgroup. Sometimes you might still need an account that has administrative privileges— for example, when you install software or edit the registry. Because the defaultlocal administrator account is well known, however, and it is the target of manyattacks, create a non-standard administrator account and use this only when it isrequired.
How To: Secure Your Developer Workstation 767 To create accounts for development1. Remove your current user account from the Administrators group if it is amember.2. Create a new custom administration account using a nonstandard name andstrong password.3. Use your non-administrator account to logon interactively on a daily basis. Whenyou need to run a command with administrative privileges, use your customadministration account with the Runas.exe command line utility.Running Privileged CommandsTo run a privileged command, you can use one of the following techniques totemporarily change your security context:● Use the Runas.exe utility from a command line. The following command showsyou how to use the Runas.exe utility to launch a command console that runsunder your custom administration account.runas.exe /user:mymachine\mycustomadmin cmd.exe●●By executing Cmd.exe, you start a new command window that runs under thesecurity context of the user you specify with the /user switch. Any program youlaunch from this command window also runs under this context.Use Run As from Windows Explorer. You can right-click an executable file inWindows Explorer and click Run As. To display this item on Windows 2000, holdthe shift key down and then right-click an executable file. When you click Run As,you are prompted for the credentials of the account you want to use to run theexecutable file.Use Run As shortcuts. You can create quick launch and desktop shortcuts to easilyrun applications using a privileged user account. The following example shows ashortcut that you can use to run Windows Explorer (Explorer.exe) using theadministrator account:%windir%\System32\runas.exe /user:administrator explorerNote If using a non-administrator account proves impractical for your environment, still test yourapplication or component while running as a least privileged user to catch and correct problemsbefore deploying. For example, your application might incorrectly require administrator privilegeswithout your realizing it, which would cause the application to fail when it is deployed in a productionenvironment.
Page 1:
Improving WebApplication SecurityTh
Page 4 and 5:
Information in this document, inclu
Page 6 and 7:
viImproving Web Application Securit
Page 8 and 9:
viiiImproving Web Application Secur
Page 10 and 11:
xImproving Web Application Security
Page 12 and 13:
xiiImproving Web Application Securi
Page 14 and 15:
xivImproving Web Application Securi
Page 16 and 17:
xviImproving Web Application Securi
Page 18 and 19:
xviiiImproving Web Application Secu
Page 20 and 21:
xxImproving Web Application Securit
Page 22 and 23:
xxiiImproving Web Application Secur
Page 27 and 28:
Contents xxvii.NET Remoting Securit
Page 29 and 30:
Contents xxixStaying Secure (contin
Page 31 and 32:
Contents xxxiASP.NET Architecture o
Page 33 and 34:
Contents xxxiiiSummary ............
Page 35 and 36:
Contents xxxvIndex of Checklists 68
Page 37 and 38:
Contents xxxviiChecklistSecuring Da
Page 39 and 40:
Contents xxxixHow ToIndex 743How To
Page 41 and 42:
Contents xliRestricting Server-to-S
Page 43 and 44:
ForewordsForeword by Mark CurpheyWh
Page 45 and 46:
Forewords xlvForeword by Joel Scamb
Page 47:
Forewords xlviiFinally, techniques
Page 50 and 51:
lImproving Web Application Security
Page 52 and 53:
liiImproving Web Application Securi
Page 54 and 55:
livImproving Web Application Securi
Page 56 and 57:
lviImproving Web Application Securi
Page 58 and 59:
lviiiImproving Web Application Secu
Page 60 and 61:
lxImproving Web Application Securit
Page 62 and 63:
lxiiImproving Web Application Secur
Page 64 and 65:
lxivImproving Web Application Secur
Page 66 and 67:
lxviImproving Web Application Secur
Page 68 and 69:
lxviiiImproving Web Application Sec
Page 70 and 71:
lxxImproving Web Application Securi
Page 72 and 73:
lxxiiImproving Web Application Secu
Page 75 and 76:
Fast Track — How To Implementthe
Page 77 and 78:
Fast Track — How To Implement the
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85:
Part IIntroduction to Threats andCo
Page 88 and 89:
4 Part I: Introduction to Threats a
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
10 Part I: Introduction to Threats
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 129 and 130:
3Threat ModelingIn This Chapter●
Page 131 and 132:
Chapter 3: Threat Modeling 47Threat
Page 133 and 134:
Chapter 3: Threat Modeling 49Archit
Page 135 and 136:
Chapter 3: Threat Modeling 51Figure
Page 137 and 138:
Chapter 3: Threat Modeling 53Identi
Page 139 and 140:
Chapter 3: Threat Modeling 55Docume
Page 141 and 142:
Chapter 3: Threat Modeling 57●●
Page 143 and 144:
Chapter 3: Threat Modeling 59●●
Page 145 and 146:
Chapter 3: Threat Modeling 61Note I
Page 147 and 148:
Chapter 3: Threat Modeling 63Risk =
Page 149 and 150:
Chapter 3: Threat Modeling 65Table
Page 151:
Part IIDesigning SecureWeb Applicat
Page 154 and 155:
70 Part II: Designing Secure Web Ap
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
100 Part II:Designing Secure Web Ap
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 211:
Part IIIBuilding Secure WebApplicat
Page 214 and 215:
130 Part III: Building Secure Web A
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 265 and 266:
8Code Access Security in PracticeIn
Page 267 and 268:
Chapter 8: Code Access Security in
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 332 and 333:
Page 334 and 335:
Page 336 and 337:
Page 338 and 339:
Page 340 and 341:
Page 342 and 343:
Page 344 and 345:
Page 346 and 347:
Page 348 and 349:
Page 350 and 351:
Page 352 and 353:
Page 354 and 355:
Page 356 and 357:
Page 358 and 359:
Page 360 and 361:
Page 362 and 363:
Page 364 and 365:
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
Page 372 and 373:
Page 374 and 375:
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 383 and 384:
11Building Secure ServicedComponent
Page 385 and 386:
Chapter 11: Building Secure Service
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
Page 399 and 400:
Page 401:
Page 404 and 405:
Page 406 and 407:
Page 408 and 409:
Page 410 and 411:
Page 412 and 413:
Page 414 and 415:
Page 416 and 417:
Page 418 and 419:
Page 420 and 421:
Page 422 and 423:
Page 424 and 425:
Page 426 and 427:
Page 428 and 429:
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 448 and 449:
Page 450 and 451:
Page 452 and 453:
Page 454 and 455:
Page 456 and 457:
Page 458 and 459:
Page 460 and 461:
Page 462 and 463:
Page 464 and 465:
Page 466 and 467:
Page 468 and 469:
Page 470 and 471:
Page 472 and 473:
Page 474 and 475:
Page 476 and 477:
Page 478 and 479:
Page 480 and 481:
Page 482 and 483:
Page 485:
Part IVSecuring Your Network,Host,
Page 488 and 489:
404 Part IV: Securing Your Network,
Page 490 and 491:
Page 492 and 493:
Page 494 and 495:
Page 496 and 497:
Page 498 and 499:
Page 500 and 501:
Page 502 and 503:
Page 504 and 505:
Page 506 and 507:
Page 508 and 509:
Page 510 and 511:
Page 512 and 513:
Page 514 and 515:
Page 516 and 517:
Page 518 and 519:
Page 520 and 521:
Page 522 and 523:
Page 524 and 525:
Page 526 and 527:
Page 528 and 529:
Page 530 and 531:
Page 532 and 533:
Page 534 and 535:
Page 536 and 537:
Page 538 and 539:
Page 540 and 541:
Page 542 and 543:
Page 544 and 545:
Page 546 and 547:
Page 548 and 549:
Page 550 and 551:
Page 552 and 553:
Page 554 and 555:
Page 556 and 557:
Page 558 and 559:
Page 560 and 561:
Page 562 and 563:
Page 564 and 565:
Page 566 and 567:
Page 568 and 569:
Page 570 and 571:
Page 572 and 573:
Page 574 and 575:
Page 576 and 577:
Page 578 and 579:
Page 580 and 581:
Page 582 and 583:
Page 585 and 586:
18Securing Your Database ServerIn T
Page 587 and 588:
Chapter 18: Securing Your Database
Page 589 and 590:
Page 591 and 592:
Page 593 and 594:
Page 595 and 596:
Page 597 and 598:
Page 599 and 600:
Page 601 and 602:
Page 603 and 604:
Page 605 and 606:
Page 607 and 608:
Page 609 and 610:
Page 611 and 612:
Page 613 and 614:
Page 615 and 616:
Page 617 and 618:
Page 619 and 620:
Page 621 and 622:
Page 623 and 624:
Page 625:
Page 628 and 629:
Page 630 and 631:
Page 632 and 633:
Page 634 and 635:
Page 636 and 637:
Page 638 and 639:
Page 640 and 641:
Page 642 and 643:
Page 644 and 645:
Page 646 and 647:
Page 648 and 649:
Page 650 and 651:
Page 652 and 653:
Page 654 and 655:
Page 656 and 657:
Page 658 and 659:
Page 660 and 661:
Page 662 and 663:
Page 664 and 665:
Page 666 and 667:
Page 668 and 669:
Page 670 and 671:
Page 672 and 673:
Page 674 and 675:
Page 676 and 677:
Page 678 and 679:
Page 680 and 681:
Page 682 and 683:
Page 684 and 685:
Page 686 and 687:
Page 689 and 690:
21Code ReviewIn This Chapter●●
Page 691 and 692:
Chapter 21: Code Review 607For exam
Page 693 and 694:
Chapter 21: Code Review 609Identify
Page 695 and 696:
Chapter 21: Code Review 611Check to
Page 697 and 698:
Chapter 21: Code Review 613Check th
Page 699 and 700:
Chapter 21: Code Review 615Buffer O
Page 701 and 702:
Chapter 21: Code Review 617Is Your
Page 703 and 704:
Chapter 21: Code Review 619●Does
Page 705 and 706:
Chapter 21: Code Review 621Do You S
Page 707 and 708:
Chapter 21: Code Review 623The foll
Page 709 and 710:
Chapter 21: Code Review 625●Do yo
Page 711 and 712:
Chapter 21: Code Review 627●Do yo
Page 713 and 714:
Chapter 21: Code Review 629●●Is
Page 715 and 716:
Chapter 21: Code Review 631Do You V
Page 717 and 718:
Chapter 21: Code Review 633Do You S
Page 719 and 720:
Chapter 21: Code Review 635Do You E
Page 721 and 722:
Chapter 21: Code Review 637Check th
Page 723 and 724:
Chapter 21: Code Review 639Do You P
Page 725 and 726:
Chapter 21: Code Review 641Search f
Page 727 and 728:
22Deployment ReviewIn This Chapter
Page 729 and 730:
Chapter 22: Deployment Review 645Pa
Page 731 and 732:
Chapter 22: Deployment Review 647
Page 733 and 734:
Page 735 and 736:
Chapter 22: Deployment Review 651Re
Page 737 and 738:
Chapter 22: Deployment Review 653Fo
Page 739 and 740:
Page 741 and 742:
Chapter 22: Deployment Review 657Ma
Page 743 and 744:
Page 745 and 746:
Chapter 22: Deployment Review 661Th
Page 747 and 748:
Chapter 22: Deployment Review 663Th
Page 749 and 750:
Chapter 22: Deployment Review 665Ac
Page 751 and 752:
Page 753 and 754:
Chapter 22: Deployment Review 669Ho
Page 755 and 756:
Page 757 and 758:
Chapter 22: Deployment Review 673Fi
Page 759 and 760:
Chapter 22: Deployment Review 675Au
Page 761 and 762:
Chapter 22: Deployment Review 677SQ
Page 763 and 764:
Page 765 and 766:
Related Security ResourcesRelated M
Page 767 and 768:
Related Security Resources 683Commu
Page 769:
Related Security Resources 685Commo
Page 772 and 773:
688 Improving Web Application Secur
Page 774 and 775:
Page 776 and 777:
Page 778 and 779:
Page 780 and 781:
Page 782 and 783:
Page 784 and 785:
Page 786 and 787:
Page 788 and 789:
Page 790 and 791:
Page 793 and 794:
Checklist:Securing Enterprise Servi
Page 795:
Checklist: Securing Enterprise Serv
Page 798 and 799:
Page 801 and 802: Checklist:Securing Data AccessHow t
Page 803: Checklist: Securing Data Access 719
Page 806 and 807: 722 Improving Web Application Secur
Page 819 and 820: Checklist:Security Review for Manag
Page 821 and 822: Checklist: Security Review for Mana
Page 823 and 824: Checklist: Security Review for Mana
Page 825: Checklist: Security Review for Mana
Page 829 and 830: How To:Implement Patch ManagementAp
Page 831 and 832: How To: Implement Patch Management
Page 839 and 840: How To:Harden the TCP/IP StackAppli
Page 841 and 842: How To: Harden the TCP/IP Stack 757
Page 847: How To: Harden the TCP/IP Stack 763
Page 861 and 862: How To:Use IPSec for Filtering Port
Page 863 and 864: How To: Use IPSec for Filtering Por
Page 871 and 872: How To:Use the Microsoft BaselineSe
Page 873 and 874: How To: Use the Microsoft Baseline
Page 875 and 876: How To: Use the Microsoft Baseline
Page 877: How To: Use the Microsoft Baseline
Page 885 and 886: How To:Use URLScanApplies ToSummary
Page 887 and 888: How To: Use URLScan 803Throttling R
Page 889 and 890: How To:Create a CustomEncryption Pe
Page 891 and 892: How To: Create a Custom Encryption
Page 901 and 902:
How To: Create a Custom Encryption
Page 903 and 904:
Page 905 and 906:
Page 907 and 908:
How To:Use Code Access Security Pol
Page 909 and 910:
How To: Use Code Access Security Po
Page 911 and 912:
Page 913 and 914:
Page 915:
Page 918 and 919:
patterns & practicesProven practice
show all

Improving Web Application Security: Threats and - CGISecurity

Create successful ePaper yourself

Delete template?

Save as template?