Book Review: The .NET Developer's Guide to Windows Security

The .NET Developer's Guide to Windows Security
by Keith Brown
Addison-Wesley, 2005
392 pages, $44.99
Code in C#
ISBN 0-321-22835-9

Note the title of Keith Brown's latest book carefully: this is not a guide to .NET security. So you won't find code access security or the details of setting up your web.config file to support impersonation here. What you will find is a great set of explanations of fundamental security concepts as they are implemented on Windows. This is information that just about every developer needs, but very few comprehend fully.

Here's a quick test. You do not need this book if you can easily define all of the terms in this list: Window station, null session, security descriptor, ACL, protocol transition, token, CurrentPrincipal. Confused? Lost? You probably need this book.

The book is broken up into 75 short topics arranged in six parts: The Big Picture, Security Context, Access Control, COM(+) and Enterprise Services, Network Security, and Miscellaneous. This makes it really easy to open up and read just the few pages you need when you're struggling with something like storing passwords or running a program as another user. Keith's writing is exceptionally clear, and his instructions and examples (and fairly rare bits of code) are all illuminating.

Along the way, he makes a strong pitch for running as a non-admin in your day to day development work. This is a somewhat-controversial recommendation, because many of the tools we use are not written so as to work when used in that fashion. Still, it's a worthwhile exercise, and the instructions here will help you get over the bumps faster. The payoff is threefold: you learn how painful much software is for non-admins, you learn how to write software that non-admin users can run, and you protect your own computer from raging malware.

If you'd like to sample the writing here, Keith has taken the unusual step of putting the entire text of the book out on the Web on its own wiki. I'd recommend buying the dead-tree version as well if you find yourself getting use from the thoughts and teachings here. It's the sort of thing you should have on your shelf for reference and browsing.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.