Book Review: The .NET Developer's Guide to Windows Security
The .NET Developer's Guide to Windows Security
by Keith Brown
392 pages, $44.99
Code in C#
Note the title of Keith Brown's latest book carefully: this is not a guide to
.NET security. So you won't find code access security or the details of setting
up your web.config file to support impersonation here. What you will find
is a great set of explanations of fundamental security concepts as they are
implemented on Windows. This is information that just about every developer
needs, but very few comprehend fully.
Here's a quick test. You do not need this book if you can easily define all
of the terms in this list: Window station, null session, security descriptor,
ACL, protocol transition, token, CurrentPrincipal. Confused? Lost? You probably
need this book.
The book is broken up into 75 short topics arranged insix parts: The Big
Picture, Security Context, Access Control, COM(+) and Enterprise Services,
Network Security, Miscellaneous. This makes it really easy to open up and read
just the few pages you need when you're struggling with something like storing
passwords or running a program as another user. Keith's writing is exceptionally
clear and his instructions and examples (and fairly rare bits of code) are all
Along the way, he makes a strong pitch for running as a non-admin in your day
to day development work. This is a somewhat-controversial recommendation,
because many of the tools we use are not written so as to work when used in that
fashion. Still, it's a worthwhile exercise, and the instructions here will help
you get over the bumps faster. The payoff is threefold: you learn how painful
much software is for non-admins, you learn how to write software that non-admin
users can run, and you protect your own computer from raging malware.
If you'd like to sample the writing here, Keith has taken the unusual step of
putting the entire text of the book out on the Web on its own wiki.
I'd recommend buying the dead trees version as well if you find yourself getting
use from the thoughts and teachings here. It's the sort of thing you should have
on your shelf for reference and browsing.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.