book

The .NET Developer's Guide to Windows Security

Name: The .NET Developer's Guide to Windows Security
Author: Keith Brown
ISBN: 0321228359

by Keith Brown

September 2004

Intermediate to advanced

408 pages

7h 25m

English

Addison-Wesley Professional

Read now

Unlock full access

Copyright
Dedication
Praise for The .NET Developer's Guide to Windows Security
Microsoft .NET Development Series
Titles in the Series
Preface
Acknowledgments
I. The Big Picture
1. What Is Secure Code?
2. What Is a Countermeasure?
3. What Is Threat Modeling?
4. What Is the Principle of Least Privilege?

5. What Is the Principle of Defense in Depth?
6. What Is Authentication?
7. What Is a Luring Attack?
8. What Is a Nonprivileged User?
9. How to Develop Code as a Non-Admin
The Secondary Logon ServiceBut I Hate the Command Prompt!Network CredentialsA Sample Setup for a VS.NET DeveloperDebuggingCreating Web Projects in VS.NETWriting Code That Can Be Used by a Non-AdminIsolated StorageInstallation Tips
10. How to Enable Auditing
11. How to Audit Access to Files
II. Security Context
12. What Is a Security Principal?
13. What Is a SID?
14. How to Program with SIDs
15. What Is Security Context?
Security Context in the .NET Framework
16. What Is a Token?
17. What Is a Logon Session?
18. What Is a Window Station?
19. What Is a User Profile?
20. What Is a Group?
The Mechanics of Group ExpansionBut What about NTLM?Latency and Authenticity
21. What Is a Privilege?
22. How to Use a Privilege
23. How to Grant or Revoke Privileges via Security Policy
24. What Are WindowsIdentity and WindowsPrincipal?
25. How to Create a WindowsPrincipal Given a Token
26. How to Get a Token for a User
Calling LogonUserThe SSPI Workaround
27. What Is a Daemon?
28. How to Choose an Identity for a Daemon
29. How to Display a User Interface from a Daemon
30. How to Run a Program as Another User
31. What Is Impersonation?
Pitfalls to Watch For
32. How to Impersonate a User Given Her Token
Impersonation in ASP.NET
33. What Is Thread.CurrentPrincipal?
34. How to Track Client Identity Using Thread.CurrentPrincipal
35. What Is a Null Session?
36. What Is a Guest Logon?
37. How to Deal with Unauthenticated Clients
III. Access Control
38. What Is Role-Based Security?
39. What Is ACL-Based Security?
40. What Is Discretionary Access Control?
41. What Is Ownership?
42. What Is a Security Descriptor?
43. What Is an Access Control List?
44. What Is a Permission?
45. What Is ACL Inheritance?
46. How to Take Ownership of an Object
47. How to Program ACLs
48. How to Persist a Security Descriptor
49. What Is Authorization Manager?
Introducing Authorization ManagerA Sample App: The Corporate LibraryAuthorization StoreThe AzMan Runtime InterfaceStores, Applications, and ScopesApplication GroupsScriptsSupporting Authorization ScriptsAuditingConclusion
IV. COM(+) and EnterpriseServices
50. What Is the COM(+) Authentication Level?
51. What Is the COM(+) Impersonation Level?
52. What Is CoInitializeSecurity?
Windows XP Service Pack 2
53. How to Configure Security for a COM(+) Client
54. How to Configure the Authentication and Impersonation Levels for a COM+ Application
55. How to Configure the Authentication and Impersonation Levels for an ASP.NET Application
56. How to Implement Role-Based Security for an Enterprise Services Application
57. How to Configure Process Identity for a COM(+) Server Application
V. Network Security
58. What Is CIA?
Message Authentication Codes
59. What Is Kerberos?
Cross-Domain Authentication and Domain TrustsWhat Else Is in a Ticket?User-to-User Authentication
60. What Is a Service Principal Name (SPN)?
61. How to Use Service Principal Names
62. What Is Delegation?
63. What Is Protocol Transition?
64. How to Configure Delegation via Security Policy
65. What Is SSPI?
66. How to Add CIA to a Socket-Based App Using SSPI
67. How to Add CIA to .NET Remoting
68. What Is IPSEC?
69. How to Use IPSEC to Protect Your Network
VI. Miscellaneous
70. How to Store Secrets on a Machine
Secrets in ASP.NET Configuration FilesThe DataProtection Class
71. How to Prompt for a Password
72. How to Programmatically Lock the Console
73. How to Programmatically Log Off or Reboot the Machine
74. What is Group Policy?
75. How to Deploy Software Securely via Group Policy
BIBLIOGRAPHY

Content preview from The .NET Developer's Guide to Windows Security

Chapter 35. What Is a Null Session?

A null session is how Windows represents an anonymous user. To understand how it is used, imagine the sort of code you have to write in a server to deal with authenticated clients. After authenticating a client using Kerberos (Item 59), say, your server receives a token for that client that contains group SIDs, and you can use that token to perform access checks against ACL'd resources (Item 39). For instance, given the client's token it's quite easy to check whether that client should be granted write access to a file. We can simply impersonate the client (Item 31) and try to open the file for writing. The operating system will compare the DACL on the file with the client's token (that we're impersonating) ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0321228359Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The .NET Developer's Guide to Windows Security

by Keith Brown

Chapter 35. What Is a Null Session?

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.