Review: The .NET Developers Guide to Windows Security

Iain Laskey finds his programming skills were missing something.

Product: The .NET Developers Guide to Windows Security
Company: Addison Wesley
Web: www.awprofessional.com
Price: From £34.99
We like: Self-contained lessons in practical defensive programming
We don't like: Slight editing problems
Rating: 9/10

As someone who has programmed for nearly 25 years on and off, I may be about to make an embarrassing admission. Beyond user logon and verification and obvious stuff like permissioning on databases, I have never much considered security. I always assumed that to be the Operating System's job. As I started to read The .NET Developers Guide to Windows Security I had one hell of a wakeup call.

It's probably best to start with what this book isn't. It isn't a detailed guide to possible threats, and it won't teach you any programming beyond its remit of security issues.

What it does cover is how Windows handles security in all its various layers. Early on it shows how to build a development environment that runs under user privileges only. Most developers run as admins and so create programs that are tested in an environment that allows them access to everything. This is clearly dangerous: it makes it hard to ensure that "normal" users can run their applications, and it leaves the developer's machines open to abuse. With a few simple steps you can lock down your machine but still run the few tasks that need admin rights, using elevated privileges only where you need them.

The bulk of the book is made up of 75 "Items". Each one is relatively self-contained, although they do cross-reference other items where required. Within this format are effectively 75 lessons on different aspects of the Windows security architecture. These cover how it works and how, as a programmer, you can make use of the various features available to you. Each item is liberally illustrated with screenshots and diagrams, making it easier to visualise what is going on in what is often a fairly abstract concept.

The early chapters are more generalised and cover threat modelling, principles of defence, auditing and suchlike. Here the author helps the reader develop the right mindset of defensive thinking and coding, as well as covering general environment issues.

The book then continues with more in-depth discussions of Windows' security operations and subsystems. Here you can learn about privileges, tokens and access control lists (ACLs). Each discussion is clear and easy to read. Given the subject matter, it is a surprisingly enjoyable read and not at all dry.

Subsequent sections cover COM+ and network security and examine authentication, impersonation and role-based security. At the network level the author describes Kerberos, Service Principal Names, SSPI, CIA and more. Note, though, that much of the SSPI material assumes access to the as yet unreleased Visual Studio 2005.

The last few Items cover password prompting, storing data securely on the PC and software deployment via group policies.

Conclusion

As I noted at the beginning, this book was a revelation to me. It really opened my eyes to just how responsible programmers need to be to make the most of the myriad security services Windows has to offer. People who are unfamiliar with user permissions, roles, groups and the more common Windows security configuration tools may find some aspects a little confusing at first. It may be worth having Google handy as you read through. I also noticed a number of typos, which always raises concerns about the quality of the final editing.

Obviously no system can be 100% safe, but following the guidelines and coding examples in this book will help you to develop systems with multiple levels of security, allowing much safer processing of your data. In some ways the title is misleading, as there is a lot here that non-.NET developers can use, but to really get the best from it you need to be working in the .NET environment using the newest versions of Windows. If you program in any serious way in .NET, you need to buy, read and digest the information this book has to offer.

Iain Laskey
See Iain's site at www.pcbookreview.com