You are previewing The .NET Developer's Guide to Windows Security.
O'Reilly logo
The .NET Developer's Guide to Windows Security

Book Description

"As usual, Keith masterfully explains complex security issues in down-to-earth and easy-to-understand language. I bet you'll reach for this book often when building your next software application."
--Michael Howard, coauthor, Writing Secure Code

"When it comes to teaching Windows security, Keith Brown is 'The Man.' InThe .NET Developer's Guide to Windows Security,Keith has written a book that explains the key security concepts of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, and teaches you both how to apply them and how to implement them in C# code. By organizing his material into short, clear snippets, Brown has made a complicated subject highly accessible."
--Martin Heller, senior contributing editor at Byte.com and owner of Martin Heller & Co.

"Keith Brown has a unique ability to describe complex technical topics, such as security, in a way that can be understood by mere mortals (such as myself). Keith's book is a must read for anyone attempting to keep up with Microsoft's enhancements to its security features and the next major version of .NET."
--Peter Partch, principal software engineer, PM Consulting

"Keith's book is a collection of practical, concise, and carefully thought out nuggets of security insight. Every .NET developer would be wise to keep a copy of this book close at hand and to consult it first when questions of security arise during application development."
--Fritz Onion, author of Essential ASP.NET with Examples in C#

The .NET Developer's Guide to Windows Security is required reading for .NET programmers who want to develop secure Windows applications. Readers gain a deep understanding of Windows security and the know-how to program secure systems that run on Windows Server 2003, Windows XP, and Windows 2000.

Author Keith Brown crystallizes his application security expertise into 75 short, specific guidelines. Each item is clearly explained, cross-referenced, and illustrated with detailed examples. The items build on one another until they produce a comprehensive picture of what tools are available and how developers should use them.

The book highlights new features in Windows Server 2003 and previews features of the upcoming version 2.0 of the .NET Framework. A companion Web site includes the source code and examples used throughout the book.

Topics covered include:

  • Kerberos authentication

  • Access control

  • Impersonation

  • Network security

  • Constrained delegation

  • Protocol transition

  • Securing enterprise services

  • Securing remoting

  • How to run as a normal user and live a happy life

  • Programming the Security Support Provider Interface (SSPI) in Visual Studio.NET 2005

Battle-scarred and emerging developers alike will find in The .NET Developer's Guide to Windows Security bona-fide solutions to the everyday problems of securing Windows applications.



Table of Contents

  1. Copyright
    1. Dedication
  2. Praise for The .NET Developer's Guide to Windows Security
  3. Microsoft .NET Development Series
    1. Titles in the Series
  4. Preface
  5. Acknowledgments
  6. I. The Big Picture
    1. 1. What Is Secure Code?
    2. 2. What Is a Countermeasure?
    3. 3. What Is Threat Modeling?
    4. 4. What Is the Principle of Least Privilege?
    5. 5. What Is the Principle of Defense in Depth?
    6. 6. What Is Authentication?
    7. 7. What Is a Luring Attack?
    8. 8. What Is a Nonprivileged User?
    9. 9. How to Develop Code as a Non-Admin
      1. The Secondary Logon Service
      2. But I Hate the Command Prompt!
      3. Network Credentials
      4. A Sample Setup for a VS.NET Developer
      5. Debugging
      6. Creating Web Projects in VS.NET
      7. Writing Code That Can Be Used by a Non-Admin
      8. Isolated Storage
      9. Installation Tips
    10. 10. How to Enable Auditing
    11. 11. How to Audit Access to Files
  7. II. Security Context
    1. 12. What Is a Security Principal?
    2. 13. What Is a SID?
    3. 14. How to Program with SIDs
    4. 15. What Is Security Context?
      1. Security Context in the .NET Framework
    5. 16. What Is a Token?
    6. 17. What Is a Logon Session?
    7. 18. What Is a Window Station?
    8. 19. What Is a User Profile?
    9. 20. What Is a Group?
      1. The Mechanics of Group Expansion
      2. But What about NTLM?
      3. Latency and Authenticity
    10. 21. What Is a Privilege?
    11. 22. How to Use a Privilege
    12. 23. How to Grant or Revoke Privileges via Security Policy
    13. 24. What Are WindowsIdentity and WindowsPrincipal?
    14. 25. How to Create a WindowsPrincipal Given a Token
    15. 26. How to Get a Token for a User
      1. Calling LogonUser
      2. The SSPI Workaround
    16. 27. What Is a Daemon?
    17. 28. How to Choose an Identity for a Daemon
    18. 29. How to Display a User Interface from a Daemon
    19. 30. How to Run a Program as Another User
    20. 31. What Is Impersonation?
      1. Pitfalls to Watch For
    21. 32. How to Impersonate a User Given Her Token
      1. Impersonation in ASP.NET
    22. 33. What Is Thread.CurrentPrincipal?
    23. 34. How to Track Client Identity Using Thread.CurrentPrincipal
    24. 35. What Is a Null Session?
    25. 36. What Is a Guest Logon?
    26. 37. How to Deal with Unauthenticated Clients
  8. III. Access Control
    1. 38. What Is Role-Based Security?
    2. 39. What Is ACL-Based Security?
    3. 40. What Is Discretionary Access Control?
    4. 41. What Is Ownership?
    5. 42. What Is a Security Descriptor?
    6. 43. What Is an Access Control List?
    7. 44. What Is a Permission?
    8. 45. What Is ACL Inheritance?
    9. 46. How to Take Ownership of an Object
    10. 47. How to Program ACLs
    11. 48. How to Persist a Security Descriptor
    12. 49. What Is Authorization Manager?
      1. Introducing Authorization Manager
      2. A Sample App: The Corporate Library
      3. Authorization Store
      4. The AzMan Runtime Interface
      5. Stores, Applications, and Scopes
      6. Application Groups
      7. Scripts
      8. Supporting Authorization Scripts
      9. Auditing
      10. Conclusion
  9. IV. COM(+) and EnterpriseServices
    1. 50. What Is the COM(+) Authentication Level?
    2. 51. What Is the COM(+) Impersonation Level?
    3. 52. What Is CoInitializeSecurity?
      1. Windows XP Service Pack 2
    4. 53. How to Configure Security for a COM(+) Client
    5. 54. How to Configure the Authentication and Impersonation Levels for a COM+ Application
    6. 55. How to Configure the Authentication and Impersonation Levels for an ASP.NET Application
    7. 56. How to Implement Role-Based Security for an Enterprise Services Application
    8. 57. How to Configure Process Identity for a COM(+) Server Application
  10. V. Network Security
    1. 58. What Is CIA?
      1. Message Authentication Codes
    2. 59. What Is Kerberos?
      1. Cross-Domain Authentication and Domain Trusts
      2. What Else Is in a Ticket?
      3. User-to-User Authentication
    3. 60. What Is a Service Principal Name (SPN)?
    4. 61. How to Use Service Principal Names
    5. 62. What Is Delegation?
    6. 63. What Is Protocol Transition?
    7. 64. How to Configure Delegation via Security Policy
    8. 65. What Is SSPI?
    9. 66. How to Add CIA to a Socket-Based App Using SSPI
    10. 67. How to Add CIA to .NET Remoting
    11. 68. What Is IPSEC?
    12. 69. How to Use IPSEC to Protect Your Network
  11. VI. Miscellaneous
    1. 70. How to Store Secrets on a Machine
      1. Secrets in ASP.NET Configuration Files
      2. The DataProtection Class
    2. 71. How to Prompt for a Password
    3. 72. How to Programmatically Lock the Console
    4. 73. How to Programmatically Log Off or Reboot the Machine
    5. 74. What is Group Policy?
    6. 75. How to Deploy Software Securely via Group Policy
  12. BIBLIOGRAPHY