Programming Windows Security
Keith Brown

ISBN-10: 0201604426
ISBN-13: 9780201604429

Publisher: Addison-Wesley Professional
Copyright: 2000
Format: Paper; 608 pp
Published: 07/05/2000

Suggested retail price: $44.99
Buy from myPearsonStore

This is one of only a few security books that target software developers. Most are directed at network administrators who want to configure their systems to avoid attacks. Yet Windows programmers have lots of tools at their disposal for securing their applications and most are completely unaware that these tools exist. The first part of the book identifies the crucial elements that a developer must master (e.g. cryptography, authentication, access control, credentials) in order to understand NT security. The second part of the book deals with application of these elements to various tools and programming techniques (COM(+), MTS, MSMQ, Active Directory).

The complete developer's guide to Windows 2000/NT security!

  • Kerberos authentication, COM+ security extensions, Active Directory security, and more.
  • Security implications of COM+, MTS, MSMQ and other key Microsoft technologies.
  • Avoiding unwanted "Access Denied" messages and other problems Windows 2000/NT security can cause developers.



Preface.

I. MODEL 1.

1. The Players.

Principals.

Authorities.

Machines as Principals.

Authentication.

Trust.

Summary.

2. The Environment.

Logon Sessions.

Tokens.

The System Logon Session.

Window Stations.

Processes.

Summary.

3. Enforcement.

Authorization.

Discovering Authorization Attributes.

Distributed Applications.

Objects and Security Descriptors.

Access Control Strategies.

Choosing a Model.

Caching Mechanisms.

Summary.

II. MECHANICS.

4. Logon Sessions.

Logon Session 999.

Daemon Logon Sessions.

Network Logon Sessions.

Interactive Logon Sessions.

Network Credentials.

Tokens.

Memory Allocation and Error Handling Strategies.

Using Privileges.

Impersonation.

Restricting Authorization Attributes.

Terminating a Logon Session.

Summary.

5. Window Stations and Profiles.

What Is a Window Station?

Window Station Permissions.

Natural Window Station Allocation.

Daemons in the Lab.

Other Window Stations.

Exploring Window Stations.

Closing Window Station Handles.

Window Stations and Access Control.

Desktops.

Jobs, Revisited.

Processes.

Summary.

6. Access Control and Accountability.

Permissions.

Anatomy of a Security Descriptor.

Where Do Security Descriptors Come From?

Security Descriptor Usage Patterns.

How ACLs Work.

Security Descriptors and Built-in Objects.

Security Descriptors and Private Objects.

Hierarchical Object Models and ACL Inheritance.

ACL Programming.

Handles.

Summary.

III. DISTRIBUTION.

7. Network Authentication.

The NTLM Authentication Protocol.

The Kerberos v5 Authentication Protocol.

SSPI.

SPNEGO: Simple and Protected Negotiation.

Summary.

8. The File Server.

Lan Manager.

Lan Manager Sessions.

Clients and Sessions.

Use Records.

NULL Sessions.

Dealing with Conflict.

Drive Letter Mappings.

Named Pipes.

SMB Signing.

Summary.

9. COM(+).

The MSRPC Security Model.

The COM Security Model.

COM Interception.

Activation Requests.

More COM Interception: Access Control.

Plugging Obscure Security Holes.

Security in In-Process Servers?

Surrogates and Declarative Security.

COM Servers Packaged as Services.

Legacy Out-of-Process Servers.

Launching Servers via the COM SCM.

A Note on Choosing a Server Identity.

Access Checks in the Middle Tier.

The COM+ Security Model: Configured Components.

Catalog Settings.

Applications and Role-Based Security.

Making Sense of COM+ Access Checks.

Which Components Need Role Assignments?

Security in COM+ Library Applications.

Fine-Grained Access Control: IsCallerInRole.

Call Context Tracking.

Tips for Debugging COM Security Problems.

Summary.

10. IIS.

Authentication on the Web.

Public Key Cryptography.

Certificates.

Secure Sockets Layer.

Certificate Revocation.

From Theory to Practice: Obtaining and Installing a Web Server Certificate.

Requiring HTTPS via the IIS Metabase.

Managing Web Applications.

Client Authentication.

Server Applications.

IIS as a Gateway into COM+.

Miscellaneous Topics.

Where to Get More Information.

Summary.

Appendix: Some Parting Words.

Well-Known SIDs.

Printing SIDs in Human Readable Form.

Adding Domain Principals in Windows 2000.

Adding Groups in Windows 2000.

Adding Local Accounts and Aliases.

Privileges and Logon Rights.

Secrets: The Windows Password Stash.

Glossary.

Bibliography.

Index. 0201604426T04062001

Keith Brown focuses on application security at Pluralsight, which he cofounded with several other .NET experts to foster a community, develop content, and provide premier training. Keith regularly speaks at conferences, including TechEd and WinDev, and serves as a contributing editor and columnist to MSDN Magazine.



"Keith Brown lucidly explains the Win32 security architecture and how it pervades Windows NT and Windows 2000. He demystifies authentication, authorization, auditing, COM+ security, logon sessions, and much more."
--George V. Reilly, IIS Performance Lead, Microsoft

Windows security has often been considered a dry and unapproachable topic. For years, the main examples of programming security were simply exercises in ACL manipulation. Programming Windows Security is a revelation providing developers with insight into the way Windows security really works. This book shows developers the essentials of security in Windows 2000, including coverage of Kerberos, SSL, job objects, the new ACL model, COM+ and IIS 5.0. Also included are highlights of the differences between security in Windows 2000 and in Windows NT 4.0.

Programming Windows Security is written by an experienced developer specifically for use by other developers. It focuses on the issues of most concern to developers today: the design and implementation of secure distributed systems using the networking infrastructure provided by Windows, the file server, the web server, RPC servers, and COM(+) servers.

Topics covered include:

  • COM(+) security, from the ground up
  • IIS security
  • How the file system redirector works and why developers should care
  • The RPC security model
  • Kerberos, NTLM, and SSL authentication protocols and SSPI
  • Services and the Trusted Computing Base (TCB)
  • Logon sessions and tokens
  • Window stations, desktops, and user profiles
  • The Windows 2000 ACL model, including the new model of inheritance
  • Using private security descriptors to secure objects
  • Accounts, groups, aliases, privileges, and passwords
  • Comparison of three strategies for performing access control--impersonation, role-centric, and object-centric--and their impact on the design of a distributed application

Programming Windows Security provides the most comprehensive coverage of COM(+) security available in one place, culled from the author's extensive experience in diagnosing COM security problems in the lab and via correspondence on the DCOM mailing list.



0201604426B04062001

View a Sample Chapter PDF:

Pearson Higher Education offers special pricing when you choose to package your text with other student resources. If you're interested in creating a cost-saving package for your students, contact your Pearson Higher Education representative for pricing and ordering information.

This title is a member of the DevelopMentor Series, which also contains the titles below . You can also visit the DevelopMentor Series page.

    Now Stan Lippman brings you C# using his famed primer format. C# PRIMER is a comprehensive, example-driven introduction to this new object-oriented programming language.

    First, the student will tour the language, looking at built-in features such as the class mechanism, class inheritance, and interface inheritance--all while building small programs. Next, the student will explore the various library domains supported within the .NET class framework while learning how to use the language and class framework to solve problems and build quality programs. Stan Lippman includes coverage of fundamentals such as namespaces, exception handling, and unified type system. He presents a wide-ranging tour of the .NET class library, introducing ADO.NET and establishing database connections and the use of XML. He provides XML programming using the firehose and DOM parser models, XSLT, XPATH, and schemas. He also focuses on ASP.NET Web Form Designer, walking through the page life-cycle and caching, and providing a large number of examples. C# PRIMER provides a solid foundation to build upon and a refreshingly unbiased voice on Microsoft's vehicle to effective and efficient Web-based programming.

  • 0201729555C# Primer: A Practical Approach
    Lippman
    © 2002 | Addison-Wesley Professional | Paper; 416 pages | Estimated Availability: 12/10/2001
    ISBN-10: 0201729555 | ISBN-13: 9780201729559
    Brief Description | Buy from myPearsonStore

  • 0201753065Component Development for the Java™ Platform
    Halloway
    © 2002 | Addison-Wesley Professional | Paper; 368 pages | Instock
    ISBN-10: 0201753065 | ISBN-13: 9780201753066
    Buy from myPearsonStore

  • 0201708523Developing Applications with Visual Studio.NET
    Grimes
    © 2002 | Addison-Wesley Professional | Paper; 832 pages | Out of Stock
    ISBN-10: 0201708523 | ISBN-13: 9780201708523


    • Written by a leading COM authority, this unique book reveals the essence of COM, helping developers to truly understand the why, not just the how, of COM. Understanding the motivation for the design of COM and its distributed aspects is critical for developers who wish to go beyond simplistic applications of COM and become truly effective COM programmers, and to stay current with extensions, such as Microsoft Transaction Server and COM+. Box examines COM from the perspective of a C++ developer, offering a familiar frame of reference to ease you into the topic.

  • 0201634465Essential COM
    Box
    © 1998 | Addison-Wesley Professional | Paper; 464 pages | Instock
    ISBN-10: 0201634465 | ISBN-13: 9780201634464
    Brief Description | Buy from myPearsonStore

    • Essential XML Quick Reference is the most comprehensive and authoritative book available. Covering all of XML, as well as many related protocols and technologies, this book provides a handy, one-stop resource to XML syntax, usage, and programming techniques. Each chapter provides a topic overview, explanations of various elements, and several meaningful examples.

  • 0201740958Essential XML Quick Reference: A Programmer's Reference to XML, XPath, XSLT, XML Schema, SOAP, and More
    Skonnard & Gudgin
    © 2002 | Addison-Wesley Professional | Paper; 432 pages | Instock
    ISBN-10: 0201740958 | ISBN-13: 9780201740950
    Brief Description | Buy from myPearsonStore

    • The Extensible Markup Language (XML) has been anointed as the universal duct tape for all software integration problems despite XML's relatively humble origins in the world of document management systems. Essential XML presents a software engineering-focused view of XML and investigates how XML can be used as a component integration technology much like COM or CORBA. Written for software developers and technical managers, this book demonstrates how XML can be used as the glue between independently developed software components (or in the marketecture terminology du jour, how XML can act as the backplane for B2B e-commerce applications).

  • 0201709147Essential XML: Beyond MarkUp
    Box, Skonnard & Lam
    © 2000 | Addison-Wesley Professional | Paper; 400 pages | Instock
    ISBN-10: 0201709147 | ISBN-13: 9780201709148
    Brief Description | Buy from myPearsonStore

    • This is one of only a few security books that target software developers. Most are directed at network administrators who want to configure their systems to avoid attacks. Yet Windows programmers have lots of tools at their disposal for securing their applications and most are completely unaware that these tools exist. The first part of the book identifies the crucial elements that a developer must master (e.g. cryptography, authentication, access control, credentials) in order to understand NT security. The second part of the book deals with application of these elements to various tools and programming techniques (COM(+), MTS, MSMQ, Active Directory).

  • 0201604426Programming Windows Security
    Brown
    © 2000 | Addison-Wesley Professional | Paper; 608 pages | Instock
    ISBN-10: 0201604426 | ISBN-13: 9780201604429
    Brief Description | Buy from myPearsonStore

    • Series: The DevelopMentor Series

    This is the authoritative tutorial to the JSP 2.0 and Servlets 2.4 specifications written by JSP W3C expert committee members—Jayson Falkner, JSPInsider founder and WebMaster, and Kevin Jones, DevelopMentor UK co-founder. Servlets and JavaServer Pages™ is a complete guide to building web applications using Java Servlets and JavaServer Pages. The book covers the basics including installing a JSP/Servlet environment on your computer, HTTP, HTML forms, JSP 2.0, Servlets 2.4, custom tag libraries, and the JSTL 1.0. The book also covers the most complex topics of error handling, design patterns, internationalization and multi-lingual sites, security, sessions and state management, database connectivity, and building sites that can produce multiformats of content on the fly. This book explains how to create applications using the Servlet and JSP specifications that are robust, performant and scaleable!

  • 0321136497Servlets and JavaServer Pages™: The J2EE™ Technology Web Tier
    Falkner & Jones
    © 2004 | Addison-Wesley Professional | Paper; 784 pages | Instock
    ISBN-10: 0321136497 | ISBN-13: 9780321136497
    Brief Description | Buy from myPearsonStore

    • Transactional COM+ explains how COM+ works and shows students how to use the technology to its fullest potential as a framework for developing scalable applications. It examines the theory behind COM+, why traditional object-oriented models are inappropriate for scalable systems, and the importance of transactions. This book goes beyond the rationale behind the technology and the details of its implementation to present practical, concrete guidelines for using COM+ to build applications that scale.

  • 0201615940Transactional COM+: Building Scalable Applications
    Ewald
    © 2001 | Addison-Wesley Professional | Paper; 464 pages | Instock
    ISBN-10: 0201615940 | ISBN-13: 9780201615944
    Brief Description | Buy from myPearsonStore

Pearson Higher Education offers special pricing when you choose to package your text with other student resources. If you're interested in creating a cost-saving package for your students contact your Pearson Higher Education representative.


Copyright ©2008 Pearson Education. All rights reserved. Legal Notice | Privacy Policy | Permissions