By Keith Brown
This book was written for the many thousands of people involved in designing and writing software for the Microsoft .NET platform. It is chock-full of tips and insights about user-based security, which I like to term "Windows security" because it's been around in one form or another since Windows NT first shipped. Given the plethora of books that cover the new security features in the .NET Framework, such as code access security and ASP.NET forms authentication, I decided to write a book to help folks with the basics of Windows security, a topic that most other books miss entirely or get subtly or blatantly wrong. This book is in some sense a second edition of my first security book, Programming Windows Security, but I hope that you will find it immensely more approachable and practical. I've tried to distill the Zen of these topics into small tidbits of information— items that link to one another— allowing you to read the book in any order that suits you. I hope that you’ll find the format of 75 concise tidbits of information helpful as a reference. The “what is” items focus on explaining concepts, while the “how to” items focus on helping you perform a common task.
Within these pages I cover security features in various versions of Windows based on Windows NT. This includes Windows 2000, Windows XP Professional, and Windows Server 2003, but does not include 16-bit Windows or any of the Win9X flavors (Windows 95/98, Windows ME, Windows XP Home edition). So, when I talk about "Windows" I'm referring to the versions based on Windows NT. Whenever I talk about the file system, I'm assuming that you're using NTFS, not FAT partitions. Whenever I talk about domains, I'm assuming Windows 2000 or greater. If you're still living with a Windows NT 4 domain, you have my sincere condolences!
Many people have expressed surprise that I occasionally talk about Win32 APIs and refer to Win32 header files in a book for .NET programmers. I wish I didn’t have to do this, but as anyone who has experience with the .NET Framework knows, the framework class library wraps only a fraction of the functionality of the Windows platform as of this writing. The coverage will get better over time, but to do many things in Windows (including security programming), you often need to call native Win32 APIs. Even as version 2.0 of the framework is being revealed in beta 1, you can see that coverage increasing, but it’s still not complete. In any case, I’ve tried to make it clear in the prose when I’m talking about a Win32 API versus a .NET Framework class, and I’ve provided lots of sample code and helper classes written in Managed C++ that you can leverage to avoid having to call those APIs yourself.
This book can be found online (in its entirety) in hyperlinked form on the Web at winsecguide.net, where I believe you'll find it to be a great reference when you're connected. I plan to continue filling in more items over time, so subscribe to the RSS feed on the book for news. You can also download samples and tools that I mention in the book from this Web site. Errata will be posted to this site as well, so if you find a problem please let me know.
This book was written for the many thousands of people involved in designing and writing software for the Microsoft .NET platform. It is chock-full of tips and insights about user-based security, which I like to term "Windows security" because it's been around in one form or another since Windows NT first shipped. Given the plethora of books that cover the new security features in the .NET Framework, such as code access security and ASP.NET forms authentication, I decided to write a book to help folks with the basics of Windows security, a topic that most other books miss entirely or get subtly or blatantly wrong. This book is in some sense a second edition of my first security book, Programming Windows Security, but I hope that you will find it immensely more approachable and practical. I've tried to distill the Zen of these topics into small tidbits of information— items that link to one another— allowing you to read the book in any order that suits you. I hope that you’ll find the format of 75 concise tidbits of information helpful as a reference. The “what is” items focus on explaining concepts, while the “how to” items focus on helping you perform a common task.
Within these pages I cover security features in various versions of Windows based on Windows NT. This includes Windows 2000, Windows XP Professional, and Windows Server 2003, but does not include 16-bit Windows or any of the Win9X flavors (Windows 95/98, Windows ME, Windows XP Home edition). So, when I talk about "Windows" I'm referring to the versions based on Windows NT. Whenever I talk about the file system, I'm assuming that you're using NTFS, not FAT partitions. Whenever I talk about domains, I'm assuming Windows 2000 or greater. If you're still living with a Windows NT 4 domain, you have my sincere condolences!
Many people have expressed surprise that I occasionally talk about Win32 APIs and refer to Win32 header files in a book for .NET programmers. I wish I didn’t have to do this, but as anyone who has experience with the .NET Framework knows, the framework class library wraps only a fraction of the functionality of the Windows platform as of this writing. The coverage will get better over time, but to do many things in Windows (including security programming), you often need to call native Win32 APIs. Even as version 2.0 of the framework is being revealed in beta 1, you can see that coverage increasing, but it’s still not complete. In any case, I’ve tried to make it clear in the prose when I’m talking about a Win32 API versus a .NET Framework class, and I’ve provided lots of sample code and helper classes written in Managed C++ that you can leverage to avoid having to call those APIs yourself.
This book can be found online (in its entirety) in hyperlinked form on the Web at winsecguide.net, where I believe you'll find it to be a great reference when you're connected. I plan to continue filling in more items over time, so subscribe to the RSS feed on the book for news. You can also download samples and tools that I mention in the book from this Web site. Errata will be posted to this site as well, so if you find a problem please let me know.
