
Secure Code

Updated: August 2005

Applies To: Windows Server 2003, Windows Server 2003 with SP1

No matter how strong the security of your server is, if the applications that it hosts are not programmed according to best security practices, your network might be vulnerable to attacks. As part of a defense-in-depth strategy, IIS administrators should work with developers to ensure that the code hosted on the server running IIS is as secure as possible. For example, developers can reduce the risk of certain types of attacks, such as cross-site scripting and SQL injection, by validating user input.

Cross-site scripting occurs when an attacker sends a link in e-mail to a user or otherwise points the user to a Web site, and the link actually contains malicious script code, which can be VBScript or JScript. As a result of cross-site scripting, an attacker potentially can perform such actions as reading cookies, instantiating browser plug-ins or native code and scripting it with untrusted data, and intercepting user input. Potential targets are any browsers that support scripting and any Web servers that support HTML forms.

In a SQL-injection attack, an attacker finds a way to modify a SQL command that is used in a dynamic Web page. The attacker typically crafts user input in a way that modifies the logic of the SQL command, so that the attacker is able to obtain information that would otherwise be unavailable.

Developers who write the applications that are hosted on your Web site must know how to include safeguards against these types of attacks. It is paramount that all user input be validated thoroughly. The book Writing Secure Code covers these and other Web application security issues in depth. For more information about Writing Secure Code, see Additional Resources for IIS 6.0 Security.
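The following added example (not Microsoft's code and not taken from Writing Secure Code) shows the safeguards described above: a lookup that pastes user input into the SQL text, the same lookup with allow-list validation and a bound parameter, and output encoding for a value echoed into HTML. It uses Python with an in-memory SQLite table as a stand-in for an application hosted on the server; all function names, the table, and the sample values are constructed for illustration.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for an application database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

# Allow-list validation: accept only what a user name may legitimately contain.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_name(value):
    return NAME_RE.fullmatch(value) is not None

def find_user_concat(conn, name):
    # BEFORE: user input is pasted into the SQL text, so it can change the command's logic.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_param(conn, name):
    # AFTER: reject input that fails validation, then bind it as data, never as SQL text.
    if not is_valid_name(name):
        raise ValueError("invalid user name")
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting(name):
    # Encode on output so any markup in the value is displayed as text, not run as script.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"               # constructed input that alters the WHERE clause
    print(find_user_concat(db, crafted))   # the concatenated query returns every row
    try:
        find_user_param(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and parameter binding are used together here: validation rejects input that cannot be a legitimate value, and binding ensures that anything that does pass is still treated as data.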

© 2014 Microsoft