Programming Windows Security [Paperback]

Keith Brown (Author)

Book Description

ISBN-10: 0201604426 | ISBN-13: 978-0201604429 | Publication Date: July 15, 2000 | Edition: 1

Windows 2000 and NT offer programmers powerful security tools that few developers use to the fullest -- and many are completely unaware of. In Programming Windows Security, a top Windows security expert shows exactly how to apply them in enterprise applications. Keith Brown starts with a complete roadmap to the Windows 2000 security architecture, describing every component and how they all fit together. He reviews the "actors" in a secure system, including principals, authorities, authentication, domains, and the local security authority; and the role of trust in secure Windows 2000 applications. Developers will understand the security implications of the broader Windows 2000 environment, including logon sessions, tokens, and window stations. Next, Brown introduces Windows 2000 authorization and access control, including groups, aliases, roles, privileges, security descriptors, DACLs and SACLs - showing how to choose the best access strategy for any application. In Part II, he walks developers through using each of Windows 2000's security tools, presenting techniques for building more secure setup programs, using privileges at runtime, working with window stations and user profiles, and using Windows 2000's dramatically changed ACLs. Finally, Brown provides techniques and sample code for network authentication, working with the file system redirector, using RPC security, and making the most of COM/COM+ security.

Editorial Reviews

From the Inside Flap

As with most of my friends, I learned to program Windows by reading Charles Petzold's classic tome, Programming Windows. I then moved on to Jefferey Richter's seminal book for systems developers, Advanced Windows NT. Finally, I moved into the realm of objects with Kraig Brockschmidt's Inside OLE 2. With the release of Windows NT 4.0, I started using (and eventually teaching) COM as a way to build distributed applications. Until this point in my life, I'd been able to safely ignore security, and had long since suppressed the pangs of guilt I used to feel when passing NULL for LPSECURITY_ATTRIBUTES. Little did I know that my life was about to change forever.

It was a beautiful sunny day in Bellevue, Washington, when I drove up to the offices of Saros, a software development company where I was scheduled to give my first on-site presentation of Essential COM, DevelopMentor's flagship COM course that included coverage of the relatively new Windows NT 4.0 feature called DCOM. All the students in the class had packed in their own computers (these students were worn and grizzled Windows programmers, some of whom had lost the covers to their machines long ago). What made the situation interesting was that some of the students had machines belonging to various Windows NT domains, whereas others had standalone machines not associated with any domain. One student was even running Windows 95. It was a recipe for disaster. Everything had been going smoothly, and the students (and myself) were thoroughly enjoying the class, but the radical configuration in the classroom put quite a crimp in the DCOM lab exercise that morning. Virtually all the students were getting E_ACCESSDENIED and various and sundry error codes, and of course they all looked to me to fix the problem. I failed miserably that day, and had to admit to myself (and the students) that I didn't yet have a good enough grasp of Windows security to solve their problems. I've rarely felt so small.

Shortly after this soul-wrenching experience, I dedicated myself to the pursuit of a deep and practical understanding of Windows security. I solidified my commitment by agreeing to write a new course for DevelopMentor about services and security, and proceeded to spend three months of virtually uninterrupted time studying and experimenting with the Windows security APIs. I never knew that I'd end up falling in love. Since then, I've learned loads more and answered hundreds of questions on the DCOM mailing list regarding security issues, and reached thousands of students, conference attendees, and readers of Microsoft Systems Journal (now MSDN Magazine) with the message that security is a fascinating and approachable topic.

As the culmination of my effort, this book attempts to fill the gaping hole in the Windows systems programming canon by providing a reference for programmers that covers Windows security from the basics of principals, authorities, logon sessions, and DACLs all the way through COM+ security, one of the most subtle and sensitive beasts you'll encounter as a Windows programmer.

As a side effect of my predilection for distributed programming, this book is unique in that it addresses security with the distributed systems developer in mind; in fact, the original title of the book was Distributed Security in Windows NT. Of course, Microsoft's decision to rename their (beta, at the time) operating system from "Windows NT 5.0" to "Windows 2000" didn't bode well for my original title. Frankly, Distributed Security in Windows NT/2000 sounded really goofy. Thus the new title.

In any case, if you're a programmer who, not unlike myself a few years ago, feels a hollowness in the pit of your stomach as a result of being asked to add a security-related feature or debug a security-related problem in an application, I hope you"ll find that this book completes you. Which Windows?

This book covers security programming on Windows 2000 and Windows NT 4. Therefore, to avoid crossing the reader's eyes with "Windows 2000/NT" or similar nastiness, I'll simply refer to both of these operating systems as Windows. If I find the need to say anything specific about a distinct operating system (including Windows 9x), I'll use the full name. Who Should Read This Book

This book was written for professional software developers involved in systems programming on Windows. The third part of the book was written for the subset of these programmers developing distributed systems (especially those using COM).

The first part of the book (the first three chapters) intentionally has no code in it, and instead speaks to the big picture, introducing terminology and concepts that will likely be useful not just for programmers but also for technical managers and advanced Windows users. If you are a manager and want to get a better understanding of Windows security, borrow this book from one of the developers on your team and rip out the first three chapters for yourself. Sharing a common terminology will help you and your development team play better together. What a Developer Should Already Know

I assume you have a basic understanding of Windows system programming; that is, you know the difference between a process and a thread, and you've written a DLL before and perhaps even written a service or two. I casually mention features such as thread local storage and assume that you know what I'm talking about. If you're unsure of your ability in this area, my favorite book on the subject is Advanced Windows, by Jefferey Richter (as of this writing the fourth edition is hot off the press).

In the COM chapter (Chapter 9), I assume you feel comfortable with the basics of IUnknown and that you know what a proxy and stub are. If you're unsure, my favorite COM book is Essential COM by Don Box.

Much of the later material in the COM chapter talks about COM+ features in Windows 2000, which Essential COM doesn't address (as of this writing, Essential COM is in its first edition). My favorite COM+ book in print as I write this is Programming Distributed Applications with COM and Visual Basic 6.0 by Ted Pattison. Tim Ewald's book Transactional COM+: Designing Scalable Applications will likely be a must-read as well, although it's not yet gone to press as I write this.

Although this book often shows full declarations of Windows API functions, I won't always bother to tell you the details of what each and every parameter means if it's not relevant to the topic at hand. I hope you find that this book works well as a complement to the Windows API documentation, as opposed to a replacement for it. How to Approach This Book

I know that most developers don't relish thinking about security issues, which is often why security ends up getting retrofitted into existing products (or left until the last minute in new products). Most of my students are really surprised to learn that security is actually quite an interesting topic, and they really enjoy sitting through DevelopMentor's security class. However, I'm aware that this is a self-selecting group; these folks have chosen to take the class, often because there is a distinct set of problems that they need to be able to solve, whether they like it or not. Whatever your predisposition is toward security, I designed this book to be readable front to back, but also to be readable in chunks.

Many people will buy this book because it contains (at least as of this writing) an exhaustive coverage of COM security, and will want to dive right in to the chapter on COM. However, you can't possibly understand COM security without having a basic understanding of the fundamentals, and no matter how much I urge folks to read chapter 4, there will be a large group of people who don't have the time for this. If it's you I'm describing, do spend the time to read the first three (very short) chapters of this book before you start diving into the nitty-gritty details of COM security. These chapters will help you develop a more intuitive feel for how Windows security works and why it works the way it does. This Is Not a Cookbook

In the vein of my last book project, Effective COM (coauthored with Don Box, Tim Ewald, and Chris Sells), I've purposely avoided making this a cookbook that provides lots of code for you to cut and paste to solve a particular set of problems that you may or may not be faced with. Instead, this book is about helping you understand how things work. I'd love to see a Windows security cookbook written. I find that cookbooks increase my long-term productivity once I have a basic understanding of the topic at hand.

The code snippets in this book should all compile correctly. However, although some of them might be appropriate for cutting and pasting into your projects, be aware that a number of them exist solely to foster insight and understanding and will necessarily be a bit more abstract than what you'd expect to find in a cookbook. The Bad Guys

Often I'll refer to the "bad guys" when I want to indicate someone who may be trying to break into your system either to do malicious damage, or just for fun. The bad guys

From the Back Cover

"Keith Brown lucidly explains the Win32 security architecture and how it pervades Windows NT and Windows 2000. He demystifies authentication, authorization, auditing, COM+ security, logon sessions, and much more."
--George V. Reilly, IIS Performance Lead, Microsoft

Windows security has often been considered a dry and unapproachable topic. For years, the main examples of programming security were simply exercises in ACL manipulation. Programming Windows Security is a revelation providing developers with insight into the way Windows security really works. This book shows developers the essentials of security in Windows 2000, including coverage of Kerberos, SSL, job objects, the new ACL model, COM+ and IIS 5.0. Also included are highlights of the differences between security in Windows 2000 and in Windows NT 4.0.

Programming Windows Security is written by an experienced developer specifically for use by other developers. It focuses on the issues of most concern to developers today: the design and implementation of secure distributed systems using the networking infrastructure provided by Windows, the file server, the web server, RPC servers, and COM(+) servers.

Topics covered include:

• COM(+) security, from the ground up
• IIS security
• How the file system redirector works and why developers should care
• The RPC security model
• Kerberos, NTLM, and SSL authentication protocols and SSPI
• Services and the Trusted Computing Base (TCB)
• Logon sessions and tokens
• Window stations, desktops, and user profiles
• The Windows 2000 ACL model, including the new model of inheritance
• Using private security descriptors to secure objects
• Accounts, groups, aliases, privileges, and passwords
• Comparison of three strategies for performing access control--impersonation, role-centric, and object-centric--and their impact on the design of a distributed application

Programming Windows Security provides the most comprehensive coverage of COM(+) security available in one place, culled from the author's extensive experience in diagnosing COM security problems in the lab and via correspondence on the DCOM mailing list.

0201604426B04062001

See all Editorial Reviews

Product Details

• Paperback: 608 pages
• Publisher: Addison-Wesley Professional; 1 edition (July 15, 2000)
• Language: English
• ISBN-10: 0201604426
• ISBN-13: 978-0201604429
• Product Dimensions: 9.4 x 7.1 x 1.3 inches
• Shipping Weight: 2.1 pounds (View shipping rates and policies)
• Average Customer Review: 4.3 out of 5 stars  See all reviews (24 customer reviews)
• Amazon Best Sellers Rank: #1,068,648 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

4 of 4 people found the following review helpful:

5.0 out of 5 stars Every Windows programmer should read this book, May 31, 2001

By 

John Bigley (Auburn, Ca USA) - See all my reviews
(REAL NAME)   

This review is from: Programming Windows Security (Paperback)

This is the most comprehensive Windows security book for programmers there is. There are many books out there on how to administer Windows security, but very few on how to program it. About two years ago I started on a project that implemented fine-grained private object security and read everything I could find on the topic; there wasn't much. During that project I was able to read some very useful articles from Keith in MSJ/MSDN magazine. This book includes topics covered in his magazine articles, but adds more detail. It also covers more topics and pulls it all together in one comprehensive book. Even though I thought that I had been exposed to most of what this book covers I went ahead and read it. I still learned a lot, especially about logon sessions and Windows stations and how they affect the security of your application. I think that every Windows developer should read this book because what this book covers affects you even if you are not interested in security. Web programmers should make sure to check out the section on IIS. This book would have saved me so much time if I would have had it two years ago. I read some of the other reviews and found the ones about the font size kind of ridiculous. Everyone has his or her personal preferences on font and style, but I am reviewing this book based on content. I give this book five stars.

3 of 3 people found the following review helpful:

5.0 out of 5 stars Another big win from DevelopMentor..., October 5, 2001

By 

Todd A. Keller (Redmond, WA United States) - See all my reviews

This review is from: Programming Windows Security (Paperback)

I've been a professional software engineer on Win16/Win32 platforms for over 11 years, doing COM development for most of that time. I have never encountered a source of technical information that comes close to the lucidity or completeness of the Developmentor Series.

Keith Brown's contribution to this series on Windows security continues the tradition of solid, well researched and clearly written treatise on topics that affect, and should concern, every developer who is serious about producing high quality code on the Win32 platform.

Most developers trip over security because the fundamentals of identity, authentication, etc. are not well understood. This book provides a thorough introduction to the ideas that underly secure systems as well as a complete explanation of how they are implemented by Win32. Very useful for those of us who don't bend spoons with our minds for a living (still laughing over that analogy--thanks Keith!)

If you use COM (and who writes for Win32 and doesn't these days?) then the wisdom in Chapter 9 alone is worth the price of the book.

3 of 3 people found the following review helpful:

4.0 out of 5 stars Definitely a Worthwhile Purchase, March 19, 2001

By 

Hugh K. Boyd - See all my reviews

This review is from: Programming Windows Security (Paperback)

Anyone involved in Windows NT/2000 security development would benefit from adding this book to their library. Brown definitely does an excellent job of explaining one of the more difficult aspects of Windows NT/2000 development -- in fact, I'd say that his treatment of ACLs, security descriptors, desktops, window stations and access tokens is among the best that I have read. The only reason that I don't rate this book with 5 stars is that it does not include anything on the LSA APIs. These are some of the more intimidating APIs that a security developer will ever tangle with, but they are essential for such handy little tasks as joining workstations to domains, creating and/or modifying user or group machine rights, or coding replacement GINA dlls. You can find some pretty decent refrences to these APIs (as well as some decent code examples) on msdn dot microsoft dot com, but you have to hunt for them. Having the LSA included in a handy reference such as this book would definitely make it worthy of a five star rating!