The .NET Developer’s Guide to Windows Security
October 30, 2009
PRObooks
Keith Brown is the current go-to guy for .NET security programming issues, and his book The .NET Developer’s Guide to Windows Security provides ample evidence about why he has that reputation. I’ve already added this book to my list of required reading for any serious .NET developer.
But first, a word of warning: Don’t do as I did and see “.NET” and “Security” in the title and mentally prepare for a book about code access security, the System.Security namespace, and CLR security issues. Although all that is lightly covered, this is not a book about .NET security programming. It is, however, a book about Windows security and how to understand and cope with Win32 security issues from a .NET perspective. This focus makes it a unique offering and a valuable resource indeed.
Another thing that makes the book unique is its structure. It consists of 75 of what the author calls items, short essays (typically two to four pages) that cover a single concept, and organized into six parts. Reading the book from front to back as I did works, but you can also jump around to the topics that interest you most. There is plenty of cross-referencing to related items, so it’s easy to read on a thread of interest.
Best of all, the author writes clearly and has a knack for explaining complex concepts well. That certainly doesn’t mean that the book is always an easy read, particularly if the reader doesn’t have a minimum level of understanding of how Win32 and its security objects work. That keeps me from recommending this book as a first introduction to the topic, but if you’re willing to read items through a couple of times and then go off and do your own research, you’ll get full benefit from the book.
Part I, The Big Picture, showcases the author’s strengths and is probably the best section in the book. Here you’ll find items that cover threat modeling, security principles (such as defense in depth), and my personal favorite topic, running and developing code as a least privilege user.
Then the author takes off the kid gloves and dives into Windows security with a vengeance. Part II, Security Context, delves into SIDs, tokens, and other Windows security objects and concepts. If you’re like me, your reading pace will slow here as you assimilate some difficult and obscure security topics. The remaining parts in the book continue in like fashion, covering access control, COM(+) and EnterpriseServices, network security, and miscellaneous topics.
This is a conceptual book to help the reader understand the big picture of narrow concepts; it is not code-intense. What code is there is mostly C# and C++; all of the samples are short and simple enough that they should be understandable by programmers in any language.
In a slightly bizarre twist on Steal This Book!, the entire book is available online at http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.HomePage. The author posted each item as he finished it over the last year or so, thus whetting readers’ appetites. You can sample what you want and then buy a copy online, or read it all online. Please buy a copy, both, as the author says, to support his family and his publisher, as well as because this is a great book to read short sections of when you have a few minutes offline (yes, for that reason it is a great bathroom book!).
Even if you’re a developer who thinks you don’t care about security, I highly recommend you get this book because Windows security will assuredly bite you in the butt sometime, and this book will help you through the crisis.
Don Kiely
Title: The .NET Developer’s Guide to Windows Security
Author: Keith Brown
Publisher: Addison-Wesley Professional
ISBN: 0-321-22835-9
Web Site: http://www.awprofessional.com
Price: US$44.99
Page Count: 408 pages