"As usual, Keith masterfully explains complex security issues
in down-to-earth and easy-to-understand language. I bet you'll
reach for this book often when building your next software
--Michael Howard, coauthor, Writing Secure Code
"When it comes to teaching Windows security, Keith Brown is
'The Man.' In The .NET Developer's Guide to Windows
Security, Keith has written a book that explains the key
security concepts of Windows NT, Windows 2000, Windows XP, and
Windows Server 2003, and teaches you both how to apply them and how
to implement them in C# code. By organizing his material into
short, clear snippets, Brown has made a complicated subject highly
--Martin Heller, senior contributing editor at Byte.com and owner of Martin Heller & Co.
"Keith Brown has a unique ability to describe complex
technical topics, such as security, in a way that can be understood
by mere mortals (such as myself). Keith's book is a must read for
anyone attempting to keep up with Microsoft's enhancements to its
security features and the next major version of .NET."
--Peter Partch, principal software engineer, PM Consulting
"Keith's book is a collection of practical, concise, and
carefully thought out nuggets of security insight. Every .NET
developer would be wise to keep a copy of this book close at hand
and to consult it first when questions of security arise during
--Fritz Onion, author of Essential ASP.NET with Examples in C#
The .NET Developer's Guide to Windows Security is required reading for .NET programmers who want to develop secure Windows applications. Readers gain a deep understanding of Windows security and the know-how to program secure systems that run on Windows Server 2003, Windows XP, and Windows 2000.
Author Keith Brown crystallizes his application security expertise into 75 short, specific guidelines. Each item is clearly explained, cross-referenced, and illustrated with detailed examples. The items build on one another until they produce a comprehensive picture of what tools are available and how developers should use them.
The book highlights new features in Windows Server 2003 and previews features of the upcoming version 2.0 of the .NET Framework. A companion Web site includes the source code and examples used throughout the book.
Topics covered include:
- Securing enterprise services
- How to run as a normal user and live a happy life
- Programming the Security Support Provider Interface (SSPI) in Visual Studio.NET 2005
Battle-scarred and emerging developers alike will find in The .NET Developer's Guide to Windows Security bona-fide solutions to the everyday problems of securing Windows applications.
Table of Contents
- Praise for The .NET Developer's Guide to Windows Security
- Microsoft .NET Development Series
I. The Big Picture
- 1. What Is Secure Code?
- 2. What Is a Countermeasure?
- 3. What Is Threat Modeling?
- 4. What Is the Principle of Least Privilege?
- 5. What Is the Principle of Defense in Depth?
- 6. What Is Authentication?
- 7. What Is a Luring Attack?
- 8. What Is a Nonprivileged User?
- 9. How to Develop Code as a Non-Admin
- 10. How to Enable Auditing
- 11. How to Audit Access to Files
II. Security Context
- 12. What Is a Security Principal?
- 13. What Is a SID?
- 14. How to Program with SIDs
- 15. What Is Security Context?
- 16. What Is a Token?
- 17. What Is a Logon Session?
- 18. What Is a Window Station?
- 19. What Is a User Profile?
- 20. What Is a Group?
- 21. What Is a Privilege?
- 22. How to Use a Privilege
- 23. How to Grant or Revoke Privileges via Security Policy
- 24. What Are WindowsIdentity and WindowsPrincipal?
- 25. How to Create a WindowsPrincipal Given a Token
- 26. How to Get a Token for a User
- 27. What Is a Daemon?
- 28. How to Choose an Identity for a Daemon
- 29. How to Display a User Interface from a Daemon
- 30. How to Run a Program as Another User
- 31. What Is Impersonation?
- 32. How to Impersonate a User Given Her Token
- 33. What Is Thread.CurrentPrincipal?
- 34. How to Track Client Identity Using Thread.CurrentPrincipal
- 35. What Is a Null Session?
- 36. What Is a Guest Logon?
- 37. How to Deal with Unauthenticated Clients
III. Access Control
- 38. What Is Role-Based Security?
- 39. What Is ACL-Based Security?
- 40. What Is Discretionary Access Control?
- 41. What Is Ownership?
- 42. What Is a Security Descriptor?
- 43. What Is an Access Control List?
- 44. What Is a Permission?
- 45. What Is ACL Inheritance?
- 46. How to Take Ownership of an Object
- 47. How to Program ACLs
- 48. How to Persist a Security Descriptor
- 49. What Is Authorization Manager?
IV. COM(+) and EnterpriseServices
- 50. What Is the COM(+) Authentication Level?
- 51. What Is the COM(+) Impersonation Level?
- 52. What Is CoInitializeSecurity?
- 53. How to Configure Security for a COM(+) Client
- 54. How to Configure the Authentication and Impersonation Levels for a COM+ Application
- 55. How to Configure the Authentication and Impersonation Levels for an ASP.NET Application
- 56. How to Implement Role-Based Security for an Enterprise Services Application
- 57. How to Configure Process Identity for a COM(+) Server Application
V. Network Security
- 58. What Is CIA?
- 59. What Is Kerberos?
- 60. What Is a Service Principal Name (SPN)?
- 61. How to Use Service Principal Names
- 62. What Is Delegation?
- 63. What Is Protocol Transition?
- 64. How to Configure Delegation via Security Policy
- 65. What Is SSPI?
- 66. How to Add CIA to a Socket-Based App Using SSPI
- 67. How to Add CIA to .NET Remoting
- 68. What Is IPSEC?
- 69. How to Use IPSEC to Protect Your Network
- 70. How to Store Secrets on a Machine
- 71. How to Prompt for a Password
- 72. How to Programmatically Lock the Console
- 73. How to Programmatically Log Off or Reboot the Machine
- 74. What is Group Policy?
- 75. How to Deploy Software Securely via Group Policy
- Title: The .NET Developer's Guide to Windows Security
- Release date: September 2004
- Publisher(s): Addison-Wesley Professional
- ISBN: 0321228359