ASP/MTS/ADSI Web Security, 1/e
Richard Harrison, United Kingdom
Published March, 1999 by Prentice Hall PTR (ECS Professional)
Copyright 1999, 450 pp.
Paper Bound w/CD-ROM
ISBN 0-13-084465-9

Acknowledgments.
Introduction.
About the Author.
1. Security Is a Journey . . . Not a Destination.
What Does Security Mean? Trusted Systems. Access Controls. Data Confidentiality. Virus Protection. Auditability. Data Integrity. Availability. Nonrepudiation. Risk Management. Risk Assessment. Policy Definition. Ongoing Risk Assessment. Perfect Security. Physical Security. High Availability/Fault Tolerance. Backing Up Your System. Security and the Internet. Threats on the Internet. External Threats. Internal Threats. Web Security Requirements. The Web Server. The Network. The User's Desktop. Corporate Enterprise Systems. Microsoft Internet Security. Holes in Microsoft Security. Microsoft's Support for Security Issues. Security Advisor. Service Packs/Hot Fixes.
2. The Windows NT Security Environment.
Protecting the Windows NT System Resources. Windows NT Directory Services. User Accounts. User Groups. Workgroups and Domains. User Authentication. NTLM. Delegation. Kerberos. Object Security. The Security Descriptor. Permissions. Auditing. Ownership. Configuring the Security Descriptor. Access Control Lists. ACL Processing. Auditing the System. Windows NT Event Viewer. Privileges/User Rights. C2 Evaluation. Protecting the File System. NTFS vs. FAT. File and Directory Permissions. Directory Permissions. File Permissions. File and Directory Auditing. File and Directory Ownership. Protecting the Windows Registry. Registry Permissions. Registry Auditing. Registry Ownership. System Key. Passwords. Account Policies. Password Cracking. L0phtCrack. Obtaining Password Hashes. Strong Passwords. One-time Passwords. Secure Dynamics.
3. Network Security.
An Overview of TCP/IP Networking. Network Addresses. Hostnames and the Domain Name System. Subnet Masks. Allocation of IP Addresses. Port Numbers. IP Routing. Connecting to the Internet. Choosing an ISP. Establishing the Link. Remote Access Service. Linking to the Internet via the LAN. Secure Channel Services. Virtual Private Networks. Microsoft and VPNs. Protecting the Windows NT Server from Network Attacks. Blocking Nonessential TCP/IP Ports. IP forwarding. Firewalls. Packet Filtering. Application Proxy Servers. Locating a Firewall/Web Server. Web Server Behind the Firewall. Web Server Outside the Firewall. Web Server On a Perimeter Network. Microsoft Proxy Server. Web Proxy Server. Winsock Proxy Server. Windows Networking and SMB. Safe SMB. NetBIOS Auditing Tool.
4. IIS Web Server Security.
IIS Administration. The Microsoft Management Console . . . Windows-based Administration. Internet Service Manager. Web-based Administration. IIS Administration Objects. IISAO and VB. Source Code. IISAO and Windows Scripting Host. Metabase. Metabase Backup. Web Site Operators. Accessing the Web Server. Web Directories. Home Directory. Virtual Directory. Subdirectory. Creating Directories. Access Permissions. Content Control. IP Controls. User Authentication by the Web Server. Authentication. The IUSR Account . . . Anonymous Authentication. Basic and Windows NT Challenge/Response Authentication. Authentication in Action. Anonymous Authentication. Basic Authentication. Windows NT Challenge/Response (NTLM). Delegation. Password Expiry. IIS Logging. Interpreting the ASCII Log Files. FrontPage/Visual InterDev Security. Setting Permissions.
5. Secure Channels.
Secure Channel Services. A Simple Guide to Cryptography. What Is Encryption? Encryption Strength. Symmetric (Secret Key) Cryptography. Asymmetric (Public Key) Cryptography. Digital Signature Encryption. Using a Message Digest. Signing the Document. Validating the Document. Digital Certificates and Certificate Authorities. X.509. How Secure Channels Work. Client-Server Authentication. Encrypting and Sending Messages. Authenticating Messages Against Tampering. Implementing Secure Channels. Configuring and Using Certificates in Internet Information Server. Sending the Certificate Request. Installing the New Certificate. Enabling SSL. Configuring and Using Certificates in Internet Explorer. Installing the CA Certificate from Entrust. Inspecting the Installed CA Certificates. Installing a VeriSign Client Certificate. Deleting Personal Certificates. Accessing the Secured Content. Client Authentication Using Certificates. Certificate Mapping. Basic. Advanced.
6. Establishing Trust . . . and Protecting the Desktop.
Levels of Trust. Security Zones. Security Levels. Internet Explorer Administration Kit. Privacy. Personal and System Data. Profiling. Web Servers. Proxy Servers. Cookies. Stealth Cookies. Content Protection. RSACi. Accountability/Electronic Shrinkwrapping. ActiveX Control and Java Applets. Java. ActiveX Controls. Authenticode. How Safe Is Authenticode? How to Distribute Safe Code. Creating Our Control. Packaging Our Control. Getting a Software Publishing Certificate. Using Microsoft Certificate Server. Signing the Code. Deploying the Control. The User's Experience.
7. ASP Security Fundamentals.
ASP Overview. ActiveX Scripting. Scripting Languages. The Power of Scripting. Client-side Scripting. Server-side Scripting. Business-Logic Confidentiality. ASP Intrinsic Objects. ActiveX Server Components. Using Components on the Server. ASP Session Security. ASP Sessions. Storing Context. Session Tracking. The Code. Session Handling. Session Hijacking.
8. ASP Application-Level Security.
ASP User Identification. Server Variables. ASP Authentication. How it was done . . . for our eyes only! global.asa. default.asp. link1.asp. bye.htm. checkauth.inc. Base 64. Authentication File. auth.txt Generator Code. butGo_Click. Encode64. Base64. Binary. ASP User Registration. How it was done . . . for our eyes only! global.asa. default.asp. link1.asp. checkreg.inc. register.asp. ASP Auditing. How it was done . . . for our eyes only! audit.inc. Example Log File. ASP Client Certificate Processing. How it was done . . . for our eyes only! default.asp. certificate.asp. profile.asp. Example Profile . . . bill@bill.com.txt. Protection Against an ASP Session Hijacker. How it was done . . . for our eyes only! default.asp. link1.asp. link3.asp. bye.htm. checkid.inc. debug.inc.
9. Creating Our Own Public Key Infrastructure with Microsoft Certificate Server.
Getting Started. Certificate Hierarchy. Installing Certificate Server. Server Certificate Enrollment. Automated Enrollment. Web Enrollment. Certificate Authority Certificate List. Client Certificate Enrollment. Certificate Server Architecture. Certificate Request Processing. Certificate Enrollment Control. Certificate Server Admin Tools. Certificate Administration Log Utility. Certificate Administration Queue Utility. Revoking Certificates. Revoking Certificates with Certificate Server. Getting IIS to Check Revoked Certificates. The Extranet Application. Application Strategy. Application Architecture. Policy Module. Application Logic. Requesting a Certificate. Handling a Certificate Request. E-mail and Collaboration Data Objects. Installing the Certificate. Applying the Certificate Issuing Policy. How it was done . . . for our eyes only! Web Site Code. default.asp. certreq.asp. certissue.asp. Example E-mail Message Containing a Certificate. cacerts.asp. unsuitable.asp. secured/default.asp. Policy Module Code. policy.cls. entry.bas. constants.bas.
10. Component Security with MTS.
MTS Fundamentals. MTS Explorer. Packages. Execution Environment. Distributed Transaction Coordination. Performance and Scalability. MTS and ASP. Reliability with Bulletproof Web Applications. Web Applications. Application Namespace. Creating a Web Application. Application Process Isolation. The Web Application Manager. Handling an HTTP Request for a Server Extension. Unloading Isolated Applications. Considerations for Isolated Applications. MTS Package Security. Package Identity. Declarative Security. Programmatic Security. Roles. MTS Security Administration. Creating a Package. Package Wizard. Component Wizard. Role Management. Creating a Role. Assigning Users to Roles. Assigning Roles to Components and Interfaces. Authentication Controls. Enabling Authorization Checking. Enabling DCOM Security. MTS Administration Permissions.
11. Web Database Security with MTS/ASP.
The Guest Book Application. Database Security Strategy. Component Architecture. Security Configuration. Windows NT Security. MTS Declarative Security. IIS Authentication Methods. Application Logic. Common Processing Issues. Project References. Parameter Passing. Error Handling. MTS Plumbing. Main Menu. Adding a Comment. Profile Assistant. Reading the Comments. MTS Programmatic Security. A Strange Occurrence. Deleting a Comment. MTS Declarative Security. How it was done . . . for our eyes only! Web Site Code. global.asa. default.asp. guestinsert.asp. guestread.asp. authguestread.asp. guestread.inc. guestdelete.asp. VB Software Component Code. IAnonymous . . . IAnonymous.cls. IManagement . . . IManagement.cls. General . . . general.bas. GuestBook Database Schema. Comments Table.
12.
Directory Services. What is a Directory Service? Industry Standards. Lightweight Directory Access Protocol. Directory Model. Operation. Active Directory Service Interface. ADSI Object Model. ADSI Schema. Active Directory Browser. ADSI in Action. Trawling the IIS4 Metabase. How it was done . . . for our eyes only! User Objects with Windows NTDS. How it was done . . . for our eyes only!
13. The Alliance Application.
Application Strategy. Component Architecture. Security Configuration. Windows NT Security. MTS Declarative Security. IIS Authentication Methods. Application Logic. Common Processing Issues. Home Menus. Register Details to Request Membership. ASP Script Processing . . . register.asp. MTS Component Processing . . . CreateUser. Enter Alliance Members Site. ASP Script Processing . . . enteralliance.asp. Permission Checker. Change Password. ASP Script Processing . . . changepw.asp. MTS Component Processing . . . ChangePassword. MTS SecurityProperty Object. Handle Pending Requests for Membership. ASP Script Processing . . . pending.asp. MTS Component Processing . . . GetPending. MTS Component Processing . . . ApplyDecisions. E-mail and Collaboration Data Objects. How it was done . . . for our eyes only! Web Site Code. default.asp. register.asp. enteralliance.asp. alliance/default.asp. alliance/changepw.asp. manager/default.asp. manager/pending.asp. VB Software Component Code. IOpen . . . IOpen.cls. IManagement . . . IManager.cls. General . . . general.bas.
14. Membership Server.
The Membership Server. Protecting the Membership Web Site. Levels of Access. Types of Users. Membership Authentication. Getting Started with Membership Server. Creating a Membership Server Instance. Membership Directory Manager. Mapping IIS to Membership Authentication. Membership Directory. Directory Information Tree. ou = Members. ou = Groups. Mapping Members onto Windows NT Security. Membership Authentication. Web Site Authentication. Membership Directory Authentication. Membership Users. Anonymous Users. Cookie-Identified Users. Automatic Cookie Authentication in Action. Testing it out. default.asp. dumpcookies.inc. Registered Users. Membership Sample Pages. HTML Forms Authentication in Action. Creating a User Group. Creating a User. Testing it out.
15. Active User Objects.
AUO . . . A Container of ADSI Objects. Dealing with User Directory Attributes. Reading Attributes: Default Provider. Reading Attributes: Secondary Providers. Setting Attributes. Site Vocabulary. Design Time Controls. Insert User Property DTC. Membership Design Time Controls. Membership Header DTC. Membership Attribute DTC. Membership Footer DTC. Editing User Attributes. User Attribute Editor. The Members Application. Application Strategy. Application Architecture. Application Logic. Register Details for Membership. Authentication. Attribute Maintenance. Cancel Membership. How it was done . . . for our eyes only! Web Site Code. default.asp. register.asp. complete.asp. _mem_bin/formslogin.asp. restricted/default.asp. restricted/membership.asp. restricted/detupdate.asp. restricted/pwupdate.asp. restricted/preferences.asp. restricted/cancel.asp. restricted/news.asp. Personalized Content. Content Sources. The Rule Manager. Rule One: user has not set any preferences. Rule Two: output items applicable to user. Format Rule Set DTC. How it was done . . . for our eyes only! restricted/news.asp. NewsItems Table.
Appendix.
Microsoft and the Active Platform. Microsoft and the Internet. Windows NT. ActiveX/COM. Component Object Model. The Need for Software Components. Software Component Characteristics. The Active Platform. Active Server Products. Windows DNA. Development Tools.
Index.
About the CD-ROM.