The .NET Developer's Guide to Windows Security(Microsoft .net Development Series) by Keith Brown

From the Publisher

"As usual, Keith masterfully explains complex security issues in down-to-earth and easy-to-understand language. I bet you'll reach for this book often when building your next software application."
—Michael Howard, coauthor, Writing Secure Code

"When it comes to teaching Windows security, Keith Brown is 'The Man.' In The.NET Developer's Guide to Windows Security, Keith has written a book that explains the key security concepts of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, and teaches you both how to apply them and how to implement them in C# code. By organizing his material into short, clear snippets, Brown has made a complicated subject highly accessible."
—Martin Heller, senior contributing editor at Byte.com and owner of Martin Heller & Co.

"Keith Brown has a unique ability to describe complex technical topics, such as security, in a way that can be understood by mere mortals (such as myself). Keith's book is a must read for anyone attempting to keep up with Microsoft's enhancements to its security features and the next major version of.NET."
—Peter Partch, principal software engineer, PM Consulting

"Keith's book is a collection of practical, concise, and carefully thought out nuggets of security insight. Every.NET developer would be wise to keep a copy of this book close at hand and to consult it first when questions of security arise during application development."
—Fritz Onion, author of Essential ASP.NET with Examples in C#

The.NET Developer's Guide to Windows Security is required reading for.NET programmers who want to developsecure Windows applications. Readers gain a deep understanding of Windows security and the know-how to program secure systems that run on Windows Server 2003, Windows XP, and Windows 2000.

Author Keith Brown crystallizes his application security expertise into 75 short, specific guidelines. Each item is clearly explained, cross-referenced, and illustrated with detailed examples. The items build on one another until they produce a comprehensive picture of what tools are available and how developers should use them.

The book highlights new features in Windows Server 2003 and previews features of the upcoming version 2.0 of the.NET Framework. A companion Web site includes the source code and examples used throughout the book.

Topics covered include:

• Kerberos authentication
• Access control
• Impersonation
• Network security
• Constrained delegation
• Protocol transition
• Securing enterprise services
• Securing remoting
• How to run as a normal user and live a happy life
• Programming the Security Support Provider Interface (SSPI) in Visual Studio.NET 2005

Battle-scarred and emerging developers alike will find in The.NET Developer's Guide to Windows Security bona-fide solutions to the everyday problems of securing Windows applications.

Product Details

• Table of Contents
• Forewords & Introductions

Table of Contents

Forewords & Introductions

This book was written for the many thousands of people involved in designing and writing software for the Microsoft.NET platform. It is chock-full of tips and insights about user-based security, which I like to term "Windows security" because it's been around in one form or another since Windows NT first shipped. Given the plethora of books that cover the new security features in the.NET Framework, such as code access security and ASP.NET forms authentication, I decided to write a book to help folks with the basics of Windows security, a topic that most other books miss entirely or get subtly or blatantly wrong. This book is in some sense a second edition of my first security book, Programming Windows Security, but I hope that you will find it immensely more approachable and practical. I've tried to distill the Zen of these topics into small tidbits of information—items that link to one another—allowing you to read the book in any order that suits you. I hope that you'll find the format of 75 concise tidbits of information helpful as a reference. The "what is" items focus on explaining concepts, while the "how to" items focus on helping you perform a common task.

Within these pages I cover security features in various versions of Windows based on Windows NT. This includes Windows 2000, Windows XP Professional, and Windows Server 2003, but does not include 16-bit Windows or any of the Win9X flavors (Windows 95/98, Windows ME, Windows XP Home Edition). So, when I talk about "Windows" I'm referring to the versions based on Windows NT. Whenever I talk about the file system, I'm assuming that you're using NTFS, not FAT partitions. Whenever I talk about domains, I'massuming Windows 2000 or greater. If you're still living with a Windows NT 4 domain, you have my sincere condolences!

Many people have expressed surprise that I occasionally talk about Win32 APIs and refer to Win32 header files in a book for.NET programmers. I wish I didn't have to do this, but as anyone who has experience with the.NET Framework knows, the framework class library wraps only a fraction of the functionality of the Windows platform as of this writing. The coverage will get better over time, but to do many things in Windows (including security programming), you often need to call native Win32 APIs. Even as version 2.0 of the framework is being revealed in beta 1, you can see that coverage increasing, but it's still not complete. In any case, I've tried to make it clear in the prose when I'm talking about a Win32 API versus a.NET Framework class, and I've provided lots of sample code and helper classes written in Managed C++ that you can leverage to avoid having to call those APIs yourself.

This book can be found online (in its entirety) in hyperlinked form on the Web at winsecguide.net, where I believe you'll find it to be a great reference when you're connected. I plan to continue filling in more items over time, so subscribe to the RSS feed on the book for news. You can also download samples and tools that I mention in the book from this Web site. Errata will be posted to this site as well, so if you find a problem please let me know.

Good luck in your endeavors!

Keith Brown
Highlands Ranch, CO
http://www.pluralsight.com/keith