Book description
«As usual, Keith masterfully explains complex security issues
in down-to-earth and easy-to-understand language. I bet you’ll
reach for this book often when building your next software
application.»
—Michael Howard, coauthor, Writing Secure Code
«When it comes to teaching Windows security, Keith Brown is
‘The Man.’ In The .NET Developer’s Guide to Windows
Security, Keith has written a book that explains the key
security concepts of Windows NT, Windows 2000, Windows XP, and
Windows Server 2003, and teaches you both how to apply them and how
to implement them in C# code. By organizing his material into
short, clear snippets, Brown has made a complicated subject highly
accessible.»
—Martin Heller, senior contributing editor at Byte.com and owner
of Martin Heller & Co.
«Keith Brown has a unique ability to describe complex
technical topics, such as security, in a way that can be understood
by mere mortals (such as myself). Keith’s book is a must read for
anyone attempting to keep up with Microsoft’s enhancements to its
security features and the next major version of .NET.»
—Peter Partch, principal software engineer, PM Consulting
«Keith’s book is a collection of practical, concise, and
carefully thought out nuggets of security insight. Every .NET
developer would be wise to keep a copy of this book close at hand
and to consult it first when questions of security arise during
application development.»
—Fritz Onion, author of Essential ASP.NET with Examples in
C#
The .NET Developer’s Guide to Windows Security is
required reading for .NET programmers who want to develop secure
Windows applications. Readers gain a deep understanding of Windows
security and the know-how to program secure systems that run on
Windows Server 2003, Windows XP, and Windows 2000.
Author Keith Brown crystallizes his application security
expertise into 75 short, specific guidelines. Each item is clearly
explained, cross-referenced, and illustrated with detailed
examples. The items build on one another until they produce a
comprehensive picture of what tools are available and how
developers should use them.
The book highlights new features in Windows Server 2003 and
previews features of the upcoming version 2.0 of the .NET
Framework. A companion Web site includes the source code and
examples used throughout the book.
Topics covered include:
- Kerberos authentication
- Access control
- Impersonation
- Network security
- Constrained delegation
- Protocol transition
- Securing enterprise services
- Securing remoting
- How to run as a normal user and live a happy life
- Programming the Security Support Provider Interface (SSPI) in Visual Studio.NET 2005
Battle-scarred and emerging developers alike will find in
The .NET Developer’s Guide to Windows Security
bona-fide solutions to the everyday problems of securing Windows
applications.
1 online resource (xv, 392 pages)
Includes bibliographical references (pages 379-380) and index
Print version record
Electronic reproduction. [S.l.] : HathiTrust Digital Library
Master and use copy. Digital master created according to Benchmark for Faithful Digital Reproductions of Monographs and Serials, Version 1. Digital Library Federation, December 2002
digitized 2010
A month ago I started a new reading regime where I get up an hour earlier and head off to a café for an hour’s reading before work. It’s a very nice arrangement, since I seem to be in the perfect state of mind for a bit of technical reading first thing in the morning, and an hour is just about the right length of time to absorb stuff before my brain starts to hit overload.
I’ve had this book sitting on my bookshelf unread for a year or two, so it was the perfect candidate to kick off the new regime.
The book is formatted as a list of 75 items such as: “How to Run a Program as Another User”, “What is Role-Based Security”, “How to Use Service Principal Names”. The author, Keith Brown, has an easy-to-read style that dispatches answers clearly and expertly. Like all the best technical books, he doesn’t just say how things work, but often includes a little history about why they work that way. He’s also quick to outline best practices and share his opinion about the best security choices.
I think most Windows developers, me included, have a cargo-cult view of Windows Security. We pick up various tips and half-truths over the years and get around most security issues by a process of trial and error. All too often we simply give our applications elevated permissions simply because that’s the only way we can get them to work. A book like this should be essential reading, but unfortunately security is often some way down our list of priorities.
Keith Brown’s first and often repeated message is that we should always develop as a standard user. I’ve been doing this at home for some years now; in fact my first ever post on this blog back in 2005 was on this very subject. However, I can’t think of a single assignment I’ve had where my client’s developers were not logged in as Administrator. What little I do know about security has come from my standard user development experience; it makes you fully aware of what privileges your software is demanding and I’ve found I’ve been bitten far less by security-related bugs. Working as a standard user is a message that’s drummed home throughout the book and is probably the best advice you could take away from it.
I’ve also gained a real insight into the way logon sessions work and how security tokens attach to them. I had no idea that every Windows resource has an owner and the implications of ownership. The sections on Kerberos, delegation and impersonation were also real eye-openers.
So if you too have misty ideas about how security works, you owe it to yourself to read this book. Sure it’s not a very sexy subject, but it’ll make you a far better developer.
The .NET Developer’s Guide to Windows Security PDF
Author(s): Keith Brown
Publisher: Addison-Wesley Professional, Year: 2004
ISBN: 9780321228352
The .NET Developer’s Guide to Windows Security….
This book covers .NET security on the Microsoft Windows operating system platform, such as Windows NT, Windows 2000, Windows XP Professional and Windows Server 2003. Think about protection, detection, and reaction in a typical computer system. You might have to think hard to come up with any detection and reaction countermeasures because the focus is almost always on protection. The hardware of the machine provides isolation between processes. This is protection. Cryptography is the basis for even more protection: data integrity protection, authentication, protection from eavesdropping, and so on. Further protection is on the horizon with Microsoft’s proposed Next Generation Secure Computing Base (NGSCB).
When you design secure systems, try to think of protection countermeasures as a jeweler thinks of a safe. They exist to buy you time. Design detection and reaction into your systems as well. For example, you could instrument your server processes with WMI (Windows Management Instrumentation) and then use WMI to report security statistics and automatically react, or provide further alerts to the administrator. This is an area we all need to be working harder to perfect.
Repudiation is where the attacker denies having performed some act. This is particularly important to consider if you plan on prosecuting an attacker. A common protection against repudiation is a secure log file, with timestamped events. One interesting consideration with these types of logs is the kind of data you store in them. If the log file were to be included in a court subpoena, would it be more damaging to your company to reveal it? Be careful what you put in there!…
Desktop applications should be designed to conform to the Windows Logo guidelines to ensure that they don’t attempt to write to protected parts of the file system or registry. When you ship programs that don’t follow these guidelines, they break when users attempt to run with least privilege (under normal, nonadministrative user accounts). If you don’t want your Mom browsing the web as an administrator, then start writing programs that she can use as a normal user.
Lastly, this book explains .NET security on the Microsoft Windows operating system platform: how we can secure our Windows box and add security measures to our operating system. Topics covered include Kerberos authentication, access control, impersonation, network security, constrained delegation, protocol transition, securing enterprise services, secure remoting and Programming the Security Support Provider Interface (SSPI) in Visual Studio.NET 2005. Some of this article is taken as an excerpt from the book The .NET Developer’s Guide to Windows Security, written by Keith Brown and published by Addison-Wesley (Pearson Education).
Visual Studio Tools for Office
- Computer Science
- 2005
The books in this series provide a core resource of information and understanding every developer needs in order to write effective applications and managed code.
Adding Discretionary Access to Remote Method Invocation
- Fernando Magno Quintão Pereira
- Computer Science
- 2005
The implementation of an object oriented middleware that allows the application developer to regulate the use of individual remote methods by means of access control lists is described to demonstrate how frameworks and design patterns can be synergistically combined in order to facilitate the implementation of distributed software.
Accelerated C# 2008
- T. Nash
- Mathematics
- 2007
Classes. Nested Classes…
The Credential Pattern *
- P. Morrison, E. Fernández
- Education
- 2006
Suppose we are building an instant messaging service to be used by members of a university community. Students, teachers and staff of the university may communicate with each other, while outside…