Security: MSDN Magazine Articles
MSDN Magazine: Security rss

All MSDN Magazine Topics
  • Security Briefs: A Follow-on Conversation about Threat Modeling
    Michael Howard - September 2009 2009
    This article explores the use of threat modeling to address security concerns in your applications.

  • Take Control: Use SharePoint to Manage Your Windows Services
    Pav Cherny - April 2009
    In this article, we show you how to integrate a Windows Services-based solution with SharePoint. The results enable you to provision, start, stop, and remove service instances through SharePoint 3.0 Central Administration.

  • Geneva Framework: Building A Custom Security Token Service
    Michele Leroux Bustamante - January 2009
    A Security Token Service, or STS, acts as a security gateway to authenticate callers and issue security tokens carrying claims that describe the caller. See how you can build a custom STS with the “Geneva” Framework.

  • Security Briefs: Getting Started With The SDL Threat Modeling Tool
    Adam Shostack - January 2009
    The Security Development Lifecycle (SDL) threat modeling tool helps you develop great threat models as a backbone of your security process. We'll show you how it works.

  • Geneva Framework: A Better Approach For Building Claims-Based WCF Services
    Michele Leroux Bustamante - December 2008
    Here we introduce Microsoft Code Name “Geneva,” the new framework for building claims-based applications and services, and federated security scenarios.

  • Security Quiz: Test Your Security IQ
    Michael Howard and Bryan Sullivan - November 2008
    Our security experts present 10 vulnerable pieces of code. Your mission is to find the holes (a.k.a. bad security practices) in the code.

  • Agile SDL: Streamline Security Practices For Agile Development
    Bryan Sullivan - November 2008
    Bryan Sullivan discusses the new SDL for Web applications and Agile projects with more compressed release cycles.

  • Access Control: Understanding Windows File And Registry Permissions
    John R. Michener - November 2008
    Understanding the ACLs that govern permissions and rights before an operation is allowed to proceed is critical to enhancing security.

  • Editor's Note: Can I See Some Identification?
    Howard Dierking - November 2008
    Security measures are highly context driven and change with circumstances. This month Howard Dierking spins a few security yarns to illustrate.

  • Security Briefs: Threat Models Improve Your Security Process
    Michael Howard - November 2008
    Using threat models to drive your security engineering process helps prioritize the code review, fuzz testing, and attack surface analysis tasks.

  • CLR Inside Out: Security In Silverlight 2
    Andrew Dai - October 2008
    Andrew Dai of the CLR team discusses the Transparency model, which creates a strong isolation boundary between privileged and unprivileged code for Silverlight apps.

  • Service Station: Authorization In WCF-Based Services
    Dominick Baier and Christian Weyer - October 2008
    Windows Communication Foundation (WCF) provides an easy role-based system and a more powerful and complex claims-based API for implementing authorization in services.

  • Security Briefs: SDL Embraces The Web
    Bryan Sullivan - September 2008
    In this installment we introduce you to new Web-oriented security guidance and tools straight from the Security Development Lifecycle (SDL) team at Microsoft.

  • Security Briefs: Reinvigorate your Threat Modeling Process
    Adam Shostack - July 2008
    In this column the author outlines some approaches to threat modeling that can be employed by development teams of any size.

  • Foundations: Adding Code Access Security to WCF, Part 2
    Juval Lowy - July 2008
    This month's column continues the discussion around code access security in WCF and partially trusted services.

  • { End Bracket }: Election Results Even Voters Can Trust
    Josh Benaloh - June 2008
    Surprisingly, cryptography can be applied to the electoral process to allow every individual voter to check the integrity of an election tally. Find out how here.

  • Security: Safer Authentication with a One-Time Password Solution
    Dan Griffin - May 2008
    One-time passwords offer solutions to dictionary attacks, phishing, interception, and lots of other security breaches. Here's how it all works.

  • Security Briefs: Penetration Testing
    James A. Whittaker - May 2008
    In this installment of Security Briefs, James Whittaker explains the rules and the pitfalls of penetration testing so you'll know how to avoid them.

  • Foundations: Code Access Security in WCF, Part 1
    Juval Lowy - April 2008
    Here we discuss code-access security in Windows Communication Foundation (WCF) and present a solution for enabling partially trusted clients for WCF services.

  • Security Briefs: Protecting Your Code with Visual C++ Defenses
    Michael Howard - March 2008
    Michael Howard outlines some of the buffer overrun defenses available in Visual C++ 2005 and beyond.

  • Office Space: Security Programming in SharePoint 2007
    Ted Pattison - February 2008
    This month Ted Pattison presents an overview of programming security and permissions for Windows SharePoint Services 3.0.

  • Look it Up: Managing Directory Security Principals in the .NET Framework 3.5
    Joe Kaplan and Ethan Wilansky - January 2008
    Here's an overview of the new System.DirectoryServices.AccountManagement class in the .NET Framework 3.5 and how it simplifies working with directory services.

  • Security: Authenticate Users Across Organizations Using ADFS
    Jack Couch - December 2007
    Jack Couch looks at how to set up ADFS and when to use it; he then shows how to connect to an outside organization to offer single sign-on.

  • Trustworthy Computing: Lessons Learned from Five Years of Building More Secure Software
    Michael Howard - November 2007
    Five years ago, Bill Gates issued a directive to enhance security across the board. Since then, many valuable lessons have been learned about building more secure software.

  • Crash Course: Analyze Crashes to Find Security Vulnerabilities in Your Apps
    A. Abouchaev, D. Hasse, S. Lambert, and G. Wroblewski - November 2007
    Here the authors analyze program crashes to help you understand if you have the potential for read or write violations in your applications, and how they can lead to security vulnerabilities.

  • Code Reviews: Find and Fix Vulnerabilities Before Your Application Ships
    M. Chmielewski, N. Clift, S. Fonrobert, and T. Ostwald - November 2007
    Code defects can be found using many approaches, but manual code reviews stand out in terms of precision and quality. We provide some best practices for planning and executing code reviews on your own team.

  • Fuzz Testing: Create a Custom Test Interface Provider for Team System
    Dan Griffin - November 2007
    Dan Griffin shows the extensibility of Visual Studio 2005 Team Edition for Software Testers by discussing the modification of the existing Test Interface Provider sample in the latest Visual Studio SDK and implements Fuzz Testing.

  • Editor's Note: Why Go to Extremes?
    Howard Dierking - November 2007
    This month Howard Dierking sheds some light on what we really mean when we talk about security.

  • Cutting Edge: AJAX Application Architecture, Part 1
    Dino Esposito - September 2007
    In the first of a two-part column, Dino explains AJAX from an architectural standpoint to help developers, architects, designers, and administrators better understand the issues that affect their sites.

  • Security Briefs: Exploring Claims-Based Identity
    Keith Brown - September 2007
    Keith Brown introduces you to the new identity model in the Microsoft .NET Framework 3.0.

  • .NET Matters: Tales from the CryptoRandom
    Stephen Toub and Shawn Farkas - September 2007
    Stephen Toub and Shawn Farkas discuss creating an adapter that takes the functionality of RNGCryptoServiceProvider and adapts it to the interface of Random.

  • Foundations: Declarative WCF Security
    Juval Lowy - August 2007
    Juval Lowy designs easily configured security settings for applications built on Windows Communication Foundation.

  • Security: Applying Cryptography Using The CNG API In Windows Vista
    Kenny Kerr - July 2007
    Cryptography Next Generation (CNG) is meant to be a long-term replacement for the CryptoAPI, providing replacements for all of the cryptographic primitives it offered.

  • Security Briefs: Active Directory Cache Dependencies
    Keith Brown - July 2007
    If you're not taking advantage of Active Directory, you should be. Learn the benefits from Keith Brown.

  • Security Briefs: Events in Windows Vista
    Keith Brown - May 2007


  • CLR Inside Out: New Library Classes in "Orcas"
    Mike Downen, Inbar Gazit, and Justin Van Patten - April 2007
    The next version of Visual Studio currently code-named “Orcas”supports advanced encryption algorithms, Elliptic curve cryptography, big integers, and other security enhancements. The CLR team explains.

  • Security Briefs: Improve Manageability through Event Logging
    Keith Brown - April 2007
    When something goes wrong, a manageable application will tell the administrator how to fix the problem. The Windows Event Log can provide the necessary information.

  • .NET Security: Support Certificates In Your Applications With The .NET Framework 2.0
    Dominick Baier - March 2007


  • Least Privilege: Teach Your Apps To Play Nicely With Windows Vista User Account Control
    Chris Corio - January 2007
    User Account Control in Windows Vista keeps the OS safe from intentional and accidental configuration changes.

  • Desktop Security: Create Custom Login Experiences With Credential Providers For Windows Vista
    Dan Griffin - January 2007
    Why is a change to the Windows logon plug-in interface so exciting? Because with credential providers you can customize the logon experience for your users.

  • Security Briefs: Using Protocol Transition—Tips from the Trenches
    Keith Brown - January 2007
    Now that Windows Server 2003 is widely deployed, Keith Brown addresses questions from readers who are trying to use protocol transition to build secure gateways into their intranets.

  • Secure Habits: 8 Simple Rules For Developing More Secure Code
    Michael Howard - November 2006
    Never trust data, model threats against your code, and other good advice from a security expert.

  • Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach
    Shawn Hernan, Scott Lambert, Tomasz Ostwald, Adam Shostack - November 2006
    Whenever you build a new system you should consider how an in¬truder might go about attacking it and then build in appropriate defenses at design time.

  • Single Sign-On: A Developer's Introduction To Active Directory Federation Services
    Keith Brown - November 2006
    Use Active Directory Federation Services to allow other organizations to use your Web applications without the need for you to grant access explicitly.

  • Smart Storage: Protect Your Data Via Managed Code And The Windows Vista Smart Card APIs
    Dan Griffin - November 2006
    Smart cards are a compelling alternative to the reliance on passwords, which are the weakest link in authentication systems. Get the Windows smart card programming basics here.

  • Extending SDL: Documenting And Evaluating The Security Guarantees Of Your Apps
    Mark Novak - November 2006
    In this article, the author presents an extension to the Security Development Lifecycle Which could promote a better flow of information between users and designers of software security features.

  • SQL Security: New SQL Truncation Attacks And How To Avoid Them
    Bala Neerumalla - November 2006
    Exploits using SQL injection have drawn a lot of attention for their ability to get through firewalls and intrusion detection systems to compromise your data layers. Whether it's a first-order or second-order injection, if you look at the basic code pattern, it is similar to any other injection issue where you use untrusted data in the construction of a statement.

  • Security Briefs: Limited User Problems and Split Knowledge
    Keith Brown - November 2006


  • Toolbox: Protecting Code, Persisting Data, and More
    Scott Mitchell - October 2006
    This month obfuscating your code, persisting your data, and a good read on SQL Server 2005.

  • Security Briefs: CardSpace, SqlMembershipProvider, and More
    Keith Brown - October 2006
    This month Keith Brown fields some reader questions on InfoCard turned CardSpace and passwords for SqlMembershipProvider.

  • Secure By Design: Your Field Guide To Designing Security Into Networking Protocols
    Mark Novak and Andrew Roths - September 2006
    If you were to build a new communications protocol from scratch, how would you address security? Here the authors take a look at that question and generate some valuable insights into secure protocols.

  • Security Briefs: Security in Windows Communication Foundation
    Keith Brown - August 2006
    Windows Communication Foundation provides three major protections— confidentiality, integrity, and authentication. This month Keith Brown explains what they can do for you.

  • CLR Inside Out: Using Strong Name Signatures
    Mike Downen - July 2006
    Strong name signatures (and signing in general) are a key facet of Microsoft® . NET Framework security. But regardless of how well designed . NET signatures may be, they won’t offer the maximum benefit if you don’t know how to use them properly.

  • Service Station: WSE 3.0, SOAP Transports, and More
    Aaron Skonnard - June 2006
    It's that time again. Time to answer some of the questions I get on a regular basis. This month I'll look at service orientation and policy-based compatibility, SOAP's transport-neutral design, and Web Services Enhancements (WSE) 3.0.

  • Extreme ASP.NET: Keeping secrets in ASP.NET 2.0.
    Rob Howard - May 2006
    Storing data securely in a configuration system is not an easy problem to solve. While I was on the ASP. NET team, this particular feature, secure connection string storage, looked as if it wouldn’t get done.

  • Security Briefs: Step-by-Step Guide to InfoCard
    Keith Brown - May 2006
    In my April 2006 column I began a discussion of InfoCard, the upcoming identity metasystem, which is being prepared for release in the Windows Vista™ timeframe. If you haven’t read that column, you should definitely start there because I’m going to assume you’re familiar with the basics I covered.

  • Security Briefs: A First Look at InfoCard
    Keith Brown - April 2006
    The Web can be annoying at times. I'm certain that I'm not alone in my frustration with filling out the same old forms on every Web site I visit. Like most other techies, I've acquired many tools over the years to help combat this repetition, and I even wrote my own password manager for my hundreds of different identities on the Web.

  • WSE Security: Protect Your Web Services Through The Extensible Policy Framework In WSE 3.0
    Tomasz Janczuk - February 2006
    This article describes the WSE policy framework, which allows you to describe constraints and requirements a Web service must enforce. Discussions include security scenarios in WSE 3.0 and extending the framework with custom constraints and requirements.

  • Security Briefs: Encrypting Without Secrets
    Keith Brown - January 2006
    Do you have a Web site or other system that deals in secrets of any sort? It seems like every time I give a security talk, people ask how to deal with the sticky problem of storing secrets. Connection strings with passwords are an obvious problem.

  • Security Briefs: Security Enhancements in the .NET Framework 2.0
    Keith Brown - Visual Studio 2005 Guided Tour 2006
    The.NET Framework 2.0 got quite a few security enhancements. This month Keith takes you on a whirlwind tour of the goodies you'll find there.

  • Are You in the Know?: Find Out What's New with Code Access Security in the .NET Framework 2.0
    Mike Downen - November 2005
    Unlike role-based security measures, code access security is not based on user identity. Instead, it is based on the identity of the code that is running, including information such as where the code came from. Here Mike Downen discusses the role of code access security (CAS) in .NET and outlines some key new features and changes in CAS for the .NET Framework 2.0.

  • Do You Trust It?: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0
    Shawn Farkas - November 2005
    When you allow your application to run arbitrary code through an add-in, you may expose users to unknown code, running the risk that malicious code will use your application as an entry point into the user's data. There are several techniques you can use to reduce the attack surface of your application, which Shawn Farkas discusses here.

  • Are You Protected?: Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0
    Mike Volodarsky - November 2005
    Ensuring the security of a Web application is critical and requires careful planning throughout the design, development, deployment, and operation phases. It is not something that can be slapped onto an existing application. In this article, Mike Volodarsky outlines best practices that allow you to take advantage of the security features of ASP.NET 2.0 and IIS 6.0 to build and deploy more secure Web applications.

  • Who Goes There?: Upgrade Your Site's Authentication with the New ASP.NET 2.0 Membership API
    Dino Esposito and Andrea Saltarello - November 2005
    Here Dino Esposito and Andrea Saltarello cover the plumbing of the Membership API and its inherently extensible nature, based on pluggable providers. To demonstrate the features, they take an existing ASP.NET 1.x authentication mechanism and port it to ASP.NET 2.0, exposing the legacy authentication mechanism through the new Membership API.

  • What Gives You the Right?: Combine the Powers of AzMan and WSE 3.0 to Protect Your Web Services
    Niels Flensted-Jensen - November 2005
    In this article, Niels Flensted-Jensen demonstrates how you can combine new and existing Microsoft technologies with minimal new code to provide flexible authorization for individual Web service methods. Windows 2003 Authorization Manager, Web Service Enhancements 3.0, and Enterprise Library all play a part.

  • How Do They Do It?: A Look Inside the Security Development Lifecycle at Microsoft
    Michael Howard - November 2005
    In this article, Microsoft security expert Michael Howard outlines how to apply the Security Development Lifecycle to your own software development processes. He explains how you can take some of the lessons learned at Microsoft when implementing SDL and use them in your own development process.

  • Editor's Note: Many Levels of Security
    - November 2005
    Every year at this time, we bring you our now-famous security issue. We recognize the vast importance of writing and deploying secure code—it affects so many areas of concern—which is why we devote an entire issue each year to the topic.

  • Security Briefs: Security Features in WSE 3.0
    Keith Brown - November 2005
    I've been spending a lot of time lately building secure Web services with the Microsoft® . NET Framework 2. 0, and Web Services Enhancements (WSE) 3. 0 has been a lifesaver for me, so I thought it would be appropriate to dedicate a column to security features in this new product.

  • Stay Alert: Use Managed Code To Generate A Secure Audit Trail
    Mark Novak - October 2005
    In today's security-conscious environments, a reliable audit trail is a valuable forensic tool The Windows Server 2003 operating system provides features that let you enable a wide range of applications to make use of auditing functionality. This article looks at auditing from the operating system perspective and describes a sample managed code implementation that will allow you to add auditing to your own server applications.

  • Best Practices: Fast, Scalable, and Secure Session State Management for Your Web Applications
    Mike Volodarsky - September 2005
    ASP.NET provides a number of ways to maintain user state, the most powerful of which is session state. This article takes an in-depth look at designing and deploying high-performance, scalable, secure session solutions, and presents best practices for both existing and new ASP.NET session state features straight from the ASP.NET feature team.

  • Security Briefs: Credentials and Delegation
    Keith Brown - September 2005
    I get loads of security questions from friends and former students, and recently I've gotten a number of questions about building secure data-driven Web sites for internal enterprise systems. I've decided to answer them here to hopefully save you some headaches in your own projects.

  • Hackers Beware: Keep Bad Guys at Bay with the Advanced Security Features in SQL Server 2005
    Don Kiely - June 2005
    Get a peek at the new security features in SQL Server 2005 from a developer's point of view. While there are lots of admin enhancements, there are also plenty of dev-specific security improvements you can take advantage of, such as endpoint authentication and support for the security context of managed code that executes on the server. Here Don Kiely elucidates.

  • Web Q&A: Locking Pop-Up Blocker, Mixed Authentication, and More
    Edited by Nancy Michell - June 2005


  • Security Briefs: Customizing GINA, Part 2
    Keith Brown - June 2005
    GINA, the Graphical Identification and Authentication component, is a part of WinLogon that you can customize or replace. Last month I introduced GINA customization; this month, I'm going to drill down to implement each of the GINA entry points.

  • Safe!: Repel Attacks on Your Code with the Visual Studio 2005 Safe C and C++ Libraries
    Martyn Lovell - May 2005
    When Visual Studio 2005 ships, it will include a major upgrade to the Visual C++ Libraries that was the result of a complete security review of the functions contained in the C Runtime Library, Standard C++ Library, ATL, and MFC. From that extensive review came the Safe C and C++ Libraries, which can improve the security and robustness of your apps.

  • Web Q&A: ASP.NET Performance, Notification, Keeping Sort Order, and More
    Edited by Nancy Michell - May 2005


  • Security Briefs: Customizing GINA, Part 1
    Keith Brown - May 2005
    Over the years I've had many people ask me to write about GINA, the Graphical Identification and Authentication component that serves as the gateway for interactive logons. This month I'll begin my coverage of this topic to help you get started if you're tasked to build such a beast.

  • Security: Unify Windows Forms and ASP.NET Providers for Credentials Management
    Juval Lowy - April 2005
    The .NET Framework 2.0 provides custom credentials management to ASP.NET apps out of the box. Using it, you can easily authenticate users without using Windows accounts. In this article the author presents a set of helper classes that let a Windows Forms application use the ASP.NET credentials management infrastructure as easily as if it were an ASP.NET application.

  • Web Q&A: Get Authentication Type, Get Screen Resolution, and More
    Edited by Nancy Michell - April 2005


  • Security: Manipulate Privileges in Managed Code Reliably, Securely, and Efficiently
    Mark Novak - March 2005
    When the author was faced with implementing support for changing a security descriptor on an object, he noticed there was not support for that operation in .NET. So he devised two solutions to the problem: the first, simpler one, is tailored to the .NET Framework 1.1 and can be used today. The second solution incorporates several advanced features available only in the .NET Framework 2.0. Both are presented here.

  • Security Briefs: Access Control List Editing in .NET
    Keith Brown - March 2005
    Access control lists (ACLs) can be complex beasts, and user interfaces for editing them are incredibly tricky to implement properly. That's why I was really excited when Windows® 2000 shipped with a programmable ACL editor, shown in Figure 1.

  • Web Q&A: ActiveX Privileges, Making Icon Files, Sticky Sessions, and More
    Edited by Nancy Michell - February 2005


  • Security Briefs: Security Enhancements in the .NET Framework 2.0
    Keith Brown - January 2005
    As I write this column, version 2. 0 of the Microsoft® . NET Framework is at Beta 1. When I got my bits, I hacked together a little program to dump all of the public members of all public types in the entire Framework and ran it on version 1.

  • .NET Matters: Sepia Tone, StringLogicalComparer, and More
    Stephen Toub - January 2005


  • Attack Surface: Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users
    Michael Howard - November 2004
    In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code.

  • App Lockdown: Defend Your Apps and Critical User Info with Defensive Coding Techniques
    Kenny Kerr - November 2004
    Whether you're storing database connection strings, user credentials, or logon info, you'll need to practice good defensive programming techniques to avoid those surprise situations in which your data is exposed. In this article, author Kenny Kerry shows you how.

  • Cryptography: Employ Strong Encryption in Your Apps with Our CryptoUtility Component
    Michael Stuart and J Sawyer - November 2004
    When storing sensitive data, you need to be able to identify threats, determine how these threats interact with each other, and how issues can combine to constitute a vulnerability that will leave your data exposed. With a good understanding of the various cryptographic algorithms, salt, hashes, ACLs, and other available techniques, you'll be in a better position to protect your critical data.

  • Trustworthy Code: Exchange Data More Securely with XML Signatures and Encryption
    Mike Downen and Shawn Farkas - November 2004
    You can sign any kind of data using XML Signature, including part of an XML document, other XML documents, or other data of any format. However, in practice, XML signatures are most frequently used to sign other data represented in XML. In this article, the authors discuss the new standard and how you can benefit from it in your apps.

  • Safety in Windows: Manage Access to Windows Objects with ACLs and the .NET Framework
    Mark Novak - November 2004
    Until now, Microsoft did not provide explicit support in the .NET Framework for manipulating security settings. With the .NET Framework 1.x, access can only be granted to users via a series of cumbersome P/Invoke calls. By introducing the concepts of security objects and rules, the .NET Framework 2.0 allows developers to manipulate security settings of objects in a few easy steps using managed code. Want to know more? Read on.

  • Intrusion Prevention: Build Security Into Your Web Services with WSE 2.0 and ISA Server 2004
    Dino Esposito - November 2004
    Once you've addressed security in your code, it's time to look at the environment it runs in. Firewalls stop unauthorized traffic from getting into your network, and smart Web service-specific firewalls, like the one that comes with Internet Security and Acceleration (ISA) Server 2004, bring XML intrusion prevention to your system for that added layer of safety.

  • Service Station: Securing Web Services with WSE 2.0
    Aaron Skonnard - October 2004
    Beginning this month, The XML Files will run under the name Service Station. We have made this change so that the column can discuss broader topics such as Web services, service-oriented architecture, and the like.

  • Security Briefs: Password Minder Internals
    Keith Brown - October 2004
    In my last column I introduced Password Minder, the tool I use to manage all of my passwords. It generates a long, random password for each site I visit, and makes it possible for me to use the most complex passwords possible, without ever having to see the actual password material or type it in manually.

  • Data Security: Stop SQL Injection Attacks Before They Stop You
    Paul Litwin - September 2004
    To execute a SQL injection attack, a hacker writes a Web page that captures text in a textbox to be used to execute a query against a database. The hacker enters a malformed SQL statement into the textbox that causes the back-end database to perform operations the owners did not intend it to perform, like making unauthorized updates. This article explains how you can protect against the all too common SQL injection attack in your own database. The steps covered include data validation, proper exception handing, and much more.

  • The XML Files: What's New in WSE 2.0
    Aaron Skonnard - August 2004
    Microsoft has recently released Web Services Enhancements for Microsoft® . NET (WSE) 2. 0. WSE 2. 0 provides extensions to the existing ASP. NET Web services framework (. asmx) as well as a standalone messaging framework that's completely transport independent.

  • Wicked Code: Foiling Session Hijacking Attempts
    Jeff Prosise - August 2004
    Let's face it: every minute of every day, someone, somewhere, is patrolling the Web looking for sites to hack. ASP. NET developers must constantly be on their guard to ensure attempted hacks can't be successful.

  • Security Briefs: Mind Those Passwords!
    Keith Brown - July 2004


  • Security: Security Headaches? Take ASP.NET 2.0!
    Keith Brown - June 2004
    ASP.NET 2.0 provides significant advantages with respect to security, especially for folks developing Web sites that use Forms authentication. By providing a user profile repository with support for roles, Forms authentication will move beyond the purview of the ASP.NET internals guru, and should become much more broadly accessible. This article introduces security in ASP.NET 2.0 to give you a head start with upcoming features.

  • The XML Files: InfoPath 2003 SP1 Preview
    Aaron Skonnard - June 2004


  • .NET Column: Unexpected Errors in Managed Applications
    Jason Clark - June 2004


  • ClickOnce: Deploy and Update Your Smart Client Projects Using a Central Server
    Brian Noyes - May 2004
    ClickOnce is a new deployment technology that allows users to download and execute Windows-based client applications over the Web, a network share, or from a local disk. Users get the rich interactive and stateful experience of Windows Forms, but still have the ease of deployment and updates available to Web applications. ClickOnce applications can be run offline and support a variety of automatic and manual update scenarios.Learn all about it here.

  • Security Briefs: Beware of Fully Trusted Code
    Keith Brown - April 2004
    The vast majority of managed applications run with full trust, but based on my experience teaching . NET security to developers with a broad range of experience, most really don't understand the implications of fully trusted code.

  • Office 2003: Secure and Deploy Business Solutions with Microsoft Visual Studio Tools for Office
    Brian A. Randell and Ken Getz - March 2004
    Microsoft Visual Studio Tools for the Microsoft Office System is a new technology that brings the advanced features of Visual Studio .NET and the .NET Framework to applications built for Microsoft Office Word 2003 and Microsoft Office Excel 2003. Deploying solutions built with this technology requires that you understand how runtime security is enforced in managed applications and how to configure users' systems to run your solutions without introducing security holes.To promote that understanding, this article will demonstrate how to establish trust, explain policy considerations and permissions, and explain what trusted code is all about. Secure assembly deployment is also covered in detail.

  • Web Q&A: Hard Drive Security, Comparing Two Versions of a DB, and More SQL
    Edited by Nancy Michell - March 2004


  • Web Q&A: ANSI Chars in XML, E-commerce Architecture, and More
    Edited by Nancy Michell - February 2004


  • MSMQ and .NET: Send MSMQ Messages Securely Across the Internet with HTTP and SOAP
    David S. Platt - December 2003
    When creating a distributed system you frequently need to provide for communication between two entities that are not in sync. Microsoft Message Queue Server (MSMQ) provides the kind of store-and-forward messaging in a pre-built infrastructure that can help you address these kinds of messaging needs. In the past, MSMQ was accessed using a COM wrapper. Now there's a .NET wrapper that lets you accomplish your messaging goals easily from your Framework-based code. To illustrate the use of the wrapper, the author builds a messaging application, sends MSMQ messages over the Web, and discusses messaging security.

  • Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code
    Alek Davis - November 2003
    Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API.

  • Encrypt It: Keep Your Data Secure with the New Advanced Encryption Standard
    James McCaffrey - November 2003
    The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data. This article presents an overview of AES and explains the algorithms it uses. Included is a complete C# implementation and examples of encrypting .NET data. After reading this article you will be able to encrypt data using AES, test AES-based software, and use AES encryption in your systems.

  • Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager
    Keith Brown - November 2003
    Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.

  • Review It: Expert Tips for Finding Security Defects in Your Code
    Michael Howard - November 2003
    Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects over his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like "password", "secret," and other obvious but common security blunders, can be searched for and remedied.

  • Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets
    Neeraj Srivastava - November 2003
    As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.

  • Obfuscate It: Thwart Reverse Engineering of Your Visual Basic .NET or C# Code
    Gabriel Torok and Bill Leach - November 2003
    One of the advantages of the .NET architecture is that assemblies built with it contain lots of useful information that can be recovered using ILDASM, the intermediate language disassembler. A side effect, though, is that someone with access to your binaries can recover a good approximation of the original source code. Here the authors present program obfuscation as a way to deter reverse engineering. In addition, they discuss the different types of obfuscation technologies available and demonstrate the new obfuscation tool that is included in Visual Studio .NET 2003.

  • Resource File: Threat Model Your Security Risks
    - November 2003


  • Plug-Ins: Let Users Add Functionality to Your .NET Applications with Macros and Plug-Ins
    Jason Clark - October 2003
    Most user applications benefit from the ability to be extended by other developers. It's often easier and more efficient to extend an existing application that users are already familiar with and trained on than it is to develop one from scratch. Thus, extensibility makes your application more attractive. You can build extensibility into your application by supporting features like plug-ins or macros. This is easily accomplished using the .NET Framework even if the core application isn't a .NET Framework app. In this article, the author describes extensibility features of the .NET Framework including late binding and reflection and how to use them, along with plug-in security considerations.

  • Security Briefs: Hashing Passwords, The AllowPartiallyTrustedCallers Attribute
    Keith Brown - August 2003
    Keith Brown describes how yo can hash passwords when you want to store them in your own custom database, and when to use the AllowPartiallyTrustedCallers attribure on your assembly.

  • Windows Server 2003: Discover Improved System Info, New Kernel, Debugging, Security, and UI APIs
    Matt Pietrek - June 2003
    There's a lot to say about Windows Server 2003. First of all, it's the first operating system with built-in .NET Framework support, and it's the first 64-bit OS from Microsoft. But wait, there's more! There are lots of new features and APIs in this version as well. For instance, Windows Server 2003 features Hot Add Memory and a number of other arcane new tidbits. There are new APIs for handling threads, directories, and files, and new features like the low fragmentation heap for managing memory and system information. There's vectored exception handling and new UI APIs as well.OS internals expert Matt Pietrek takes a look at the additions he finds most interesting and useful so you'll have a good place to start when you dive into Windows Server 2003.

  • .NET Remoting: Secure Your .NET Remoting Traffic by Writing an Asymmetric Encryption Channel Sink
    Stephen Toub - June 2003
    As .NET Remoting gains popularity in the enterprise space, it must meet business demands for trustworthy computing. Remoting traffic can be secured when objects are hosted in IIS, but when they aren't hosted in IIS, custom security solutions can be developed to secure them. This article provides an in-depth look at writing channel sinks for .NET. It also details the flow of data through custom channel sinks and explains the kinds of manipulations that can be performed on that data.

  • Virus Hunting: Understand Common Virus Attacks Before They Strike to Better Protect Your Apps
    Jason Fisher - May 2003
    Developer's machines can often be more vulnerable to viruses than the average corporate user because of their more frequent access to remote machines and shares, and the differing administrative privileges they maintain across mutiple machines. Reliance on antivirus software is fine as a first line of defense, but you need a basic arsenal of skills for securing the executables on your system and coping with viruses on your own. This article reviews proactive methods you can use to defend yourself against malicious executable code in resources, component libraries, scripts and macros, as well as how to avoid a handful of other potential vulnerabilities.

  • WS-Security: New Technologies Help You Make Your Web Services More Secure
    David Chappell - April 2003
    Without good security, Web Services will never reach their potential. WS-Security and its associated technologies, the focus of this article, represent the future of security for Web Services. Provided here is an overview of these emerging security standards that explains what they do, how they work, and how they get along together. Topics discussed include integrity and confidentiality and how these are provided by public key cryptography, WS-Security, and more. Some of the key components of WS-Security, such as the wsu namespace, are also covered.

  • Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003
    Keith Brown - April 2003
    Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.

  • Windows Forms: .NET Framework 1.1 Provides Expanded Namespace, Security, and Language Support for Your Projects
    Chris Sells - March 2003
    With the much-anticipated release of the .NET Framework 1.1, developers are eager to know what's been added to their programming bag of tricks. In this article, the author focuses on new developments in Windows Forms, such as namespace additions, support for hosting managed controls in unmanaged clients, and designer support for C++ and J#. Integrated access to the Compact Framework and new mobile code security settings also make this release noteworthy. Along with these features, the author reviews the best ways to handle multiple versions of the common language runtime and highlights some potential pitfalls.

  • Talking To…: Michael Howard Discusses the Secure Windows Initiative
    - March 2003
    The growth of interconnected computers in recent years has pushed security concerns to the forefront of development and application design. The Microsoft effort, dubbed the Secure Windows Initiative (SWI), focuses on securing new and legacy code.

  • Resource File: Web Services Security Specs and TrustBridge
    - October 2002
    WS-Security is a recently proposed specification from Microsoft, IBM, and VeriSign. It has been submitted to OASIS for industry standardization. WS-Security builds on the SOAP specification to provide you with a standard mechanism to exchange secure, signed messages in a Web Services environment.

  • Security Tips: Defend Your Code with Top Ten Security Tips Every Developer Must Know
    Michael Howard and Keith Brown - September 2002
    There are many ways to get into trouble when it comes to security. You can trust all code that runs on your network, give any user access to important files, and never bother to check that code on your machine has not changed. You can run without virus protection software, not build security into your own code, and give too many privileges to too many accounts. You can even use a number of built-in functions carelessly enough to allow break-ins, and you can leave server ports open and unmonitored. Obviously, the list continues to grow. What are some of the really important issues, the biggest mistakes you should watch out for right now so that you don't compromise your data or your system? Security experts Michael Howard and Keith Brown present 10 tips to keep you out of hot water.

  • Security in .NET: The Security Infrastructure of the CLR Provides Evidence, Policy, Permissions, and Enforcement Services
    Don Box - September 2002
    The common language runtime of the .NET Framework has its own secure execution model that isn't bound by the limitations of the operating system it's running on. In addition, unlike the old principal-based security, the CLR enforces security policy based on where code is coming from rather than who the user is. This model, called code access security, makes sense in today's environment because so much code is installed over the Internet and even a trusted user doesn't know when that code is safe.In this article, Don Box explains how code access security works in the CLR. He discusses the kinds of evidence required by policy, how permissions are granted, and how policy is enforced by the runtime.

  • Security in IIS 6.0: Innovations in Internet Information Services Let You Tightly Guard Secure Data and Server Processes
    Wayne Berry - September 2002
    Security improvements have been a top priority in the evolution of IIS. IIS 6.0, which will be part of Windows .NET Server, has improved security features and a new approach to server configuration. New security-related tools for IIS, including IIS LockDown, make securing your server against attack easier than ever. The author explains how and why you can shut down services with IIS LockDown. He discusses limiting port access with TCP/IP filtering, controlling how files are served with extension mapping, what's new for Secure Sockets Layer, the use of URLScan, and more.

  • Passport Secure Sign-In: Provide Your Users with Secure Authentication Capabilities Using Microsoft .NET Passport
    Michael Kogotkov-Lisin - September 2002
    Secure sign-in, a new feature in version 2.0 of the .NET Passport single sign-in and profile service, is a functionality that will be especially useful for sites containing confidential information or anywhere security is a primary concern. Such sites include banks, medical sites, and so on. Secure sign-in is as safe as any SSL-based Web site login used today and provides a way to virtually eliminate vulnerability to replay and dictionary attacks.This article explains secure sign-in and demonstrates how you can implement this feature with very little effort in either ASP using the Passport.Manager COM object or in ASP.NET using the .NET class PassportIdentity.

  • HTTP Pipelines: Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET
    Tim Ewald and Keith Brown - September 2002
    ASP.NET is a flexible and extensible framework for server-side HTTP programming. While most people think of ASP.NET in terms of pages served, there is a lower-level infrastructure sitting beneath this page model. The underlying plumbing is based on a pipeline of app, module, and handler objects. Understanding how this pipeline works is key if you want to get the most out of ASP.NET as an HTTP server platform, while making your process more efficient, and keeping your server secure. This article introduces the architecture of the pipeline and shows how you can use it to add sophisticated functionality to an ASP.NET-based app.

  • Tamper-Resistant Apps: Cryptographic Hash Algorithms Let You Detect Malicious Code in ASP.NET
    Jason Coombs - September 2002
    Cryptographic hash algorithms produce fixed-length sequences based on input of arbitrary length. A given input always produces the same output, called a hash code. Using these algorithms, you can compute and validate hash codes to ensure that code running on your machine has not been tampered with or otherwise changed. ASP.NET provides a software mechanism for validating hash code fingerprints for every page requested by a client. In this article, the author shows how to use hash codes with ASP.NET applications to detect tampering and prevent malicious code from running when tampering is detected.

  • Editor's Note: Start Your Own Security Push
    - September 2002
    Earlier this year, Bill Gates outlined a comprehensive vision for trustworthy computing. Simply put, to achieve trustworthy computing developers must pay attention to security and reliability—the two biggest issues facing the world of computing today.

  • Web Q&A: Scripting Security
    Edited by Nancy Michell - September 2002


  • Resource File: Skills Development
    - September 2002
    Two Microsoft Web sites have been created to assist developers in writing secure code using the latest technology.

  • Commerce with ASP.NET: Leverage the Authentication and Form Validation Features of ASP.NET to Bolster Your Commerce App
    Jason Lefebvre and Robert Lair - August 2002
    If you're planning to build an e-commerce site, you'll be pleased to see that ASP.NET makes it easier than ever. Existing controls can be used and extended to add a great deal more functionality than you might expect. In this article, forms-based authentication is used to verify the identity of users and make certain areas of the site, such as the check-out page, inaccessible to unauthorized users. The power and flexibility of validation controls are demonstrated using the CustomValidator control to connect to a Web Service that verifies addresses. A shopping cart is then implemented in ASP.NET using the DataGrid, and finally, credit card authorization and billing are performed.

  • .NET Zero Deployment: Security and Versioning Models in the Windows Forms Engine Help You Create and Deploy Smart Clients
    Chris Sells - July 2002
    Windows Forms applications solve many of the problems inherent in building Web applications the old fashioned way?with HTML. To demonstrate the use of Windows Forms over the Web, the author takes his existing app, Wahoo!, and ports it to Windows Forms. In doing so, he discusses versioning, linked files, security, storage isolation, the deployment model, and everything else you need to get started building your own Windows Forms apps for the Web.

  • Security: Protect Private Data with the Cryptography Namespaces of the .NET Framework
    Dan Fox - June 2002
    The .NET Framework includes a set of cryptographic services that extend the services provided by Windows through the Crypto API. In this article, the author explores the System.Security.Cryptography namespace and the programming model used to apply cryptographic transformations. He discusses reasons why cryptography is easier in .NET than it was before, including the easy programmatic acccess developers have to the cryptography APIs and the difference between symmetric and asymmetric algorithms. Along the way, a brief discussion of the most widely used algorithms, including RSA, DSA, Rijndael, SHA, and other hash algorithms, is provided.

  • Return of the Rich Client: Code Access Security and Distribution Features in .NET Enhance Client-Side Apps
    Jason Clark - June 2002
    Rich clients employ many of the features and conveniences of the operating system they run on, and the list of these features has been growing since the dawn of the PC. But as apps have migrated to the Web, the trend towards increasing client-side functionality has ground to a virtual halt. There are several reasons for this; chief among them are security and deployment problems. But that's all about to change. With the .NET Framework, you can participate in building the distributable rich client of the future. In this article, the author enumerates the pertinent features of .NET that will allow you to build safe, easily deployable controls. The features discussed include managed code, code access security, versioning control, Windows Forms classes, and isolation.

  • Web Q&A: XML Security Questions
    Edited by Nancy Michell - June 2002


  • Security: Unify the Role-Based Security Models for Enterprise and Application Domains with .NET
    Juval Lowy - May 2002
    Role-based security allows administrators to assign access permissions to users based on the roles they play rather than on their individual identities. These privileges can be used to control access to objects and methods, and are easier to identify and maintain than user-based security. The .NET Framework provides two role-based security models, which are exposed as two namespaces: System.Enterprise-Services and System.Security.Permissions. Presented here is a comparison of the two options and a discussion of when each is the right choice. The author also demonstrates the process involved in setting up access security and discusses role memberships.

  • Scripting: Windows Script Host 5.6 Boasts Windows XP Integration, Security, New Object Model
    Dino Esposito - May 2002
    Windows Script Host (WSH) 5.6, a major upgrade for the WSH environment, provides some significant improvements over previous versions. A brand new security model that is tightly integrated with security in Windows XP allows administrators to place fine-grained restrictions on scripts reducing the risk from malicious code. In addition, local scripts can now run on remote machines, and enhancements to the object model reduce the amount of boilerplate code needed when writing professional code. This overview of WSH 5.6 explains these changes and how .NET and scripting work together.

  • ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part 2
    Jeff Prosise - May 2002
    Forms authentication is one of the most compelling and useful new features of ASP.NET. It enables developers to declaratively specify which files on their site can be accessed and by whom, and allows identification of a login page. When an unauthenticated user attempts to retrieve a page protected by forms authentication, ASP.NET automatically redirects them to the login page and asks them to identify themselves. Included here is an overview of forms authentication and what you need to know to put it to work. Also included is hard-to-find information on the security of cookie authentication and on combining forms authentication with role-based URL authorizations.

  • ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS
    Jeff Prosise - April 2002
    ASP.NET and Microsoft Internet Information Services (IIS) work together to make building secure Web sites a breeze. But to do it right, you have to know how the two interrelate and what options they provide for securing access to a Web site's resources. This article, the first in a two-part series, explains the ABCs of Web security as seen through the eyes of ASP.NET and includes a hands-on tutorial demonstrating Windows authentication and ACL authorizations. A range of security measures and authentication methods are discussed, including basic authentication, digest authentication, and role-based security.

  • Virus Hunting: Track and Report Server Attacks Quickly and Easily with the .NET Networking Classes
    G. Andrew Duthie - April 2002
    To help stop the spread of worms, viruses, and other hostile activity, it is important to track down and report the servers used in these attacks along with those used to send spam. Many Web administrators, however, don't take the time to track them because the manual process can be quite cumbersome. The Microsoft .NET Framework comes to the rescue with several networking classes, including the Dns class and the TcpClient class, that abstract away the complexity of performing DNS and WHOIS lookups. These classes make it easy to create a simple, straightforward ASP.NET-based utility for performing these lookups and automating this very important task.

  • DHTML and .NET: Host Secure, Lightweight Client-Side Controls in Microsoft Internet Explorer
    Jay Allen - January 2002
    In the past, Web developers often used ActiveX controls if they wanted customized client-side functionality incorporated into their Web applications. Now, they can build objects supported by the Microsoft .NET Framework which are more compact, lightweight, secure, and seamlessly integrated. By hosting .NET Windows Forms controls in Internet Explorer, developers can realize many of their client-side Web development goals. This article adapts ActiveX concepts for use with Windows Forms, and builds a multifile upload application that demonstrates these techniques.

  • Security Briefs: Managed Security Context in ASP.NET
    Keith Brown - January 2002


  • Windows Media Technologies: Using Windows Media Rights Manager to Protect and Distribute Digital Media
    Andrea Pruneda - December 2001
    Media distributors have been looking for a way to prevent users from getting saleable content for free ever since independent distributors and peer-to-peer systems began distributing files without licensing them. Windows Media Services addresses these concerns by providing encryption, licensing, and management capabilities. One of its components, Windows Media Rights Manager, allows companies to issue licenses that consumers must pay for before their media files will play. This article explains this and other components of Windows Media Services so you can begin protecting your media files today.

  • Security Briefs: ASP.NET Security Issues
    Keith Brown - November 2001


  • ISAPI Filters: Designing SiteSentry, an Anti-Scraping Filter for IIS
    Rodney Bennett - October 2001
    The Microsoft Internet API for IIS, ISAPI, sits between the client and the Web server. Therefore, you can access the HTTP data stream before IIS gets to see it. The project in this article takes advantage of the ISAPI architecture to create a filter that monitors access to a Web site to determine if visits are from typical users or from automated processes designed to pilfer information from your site. The author tracks the regularity of visits to the site to determine the likely source. Once the determination is made, the app either redirects the user or continues to track information about those hits.

  • Windows Script Host: New Code-Signing Features Protect Against Malicious Scripts
    Eric Lippert - April 2001
    Downloading scripts from the Web or e-mail leaves users vulnerable to security risks because scripts can't be signed. But now developers can use Windows Script Host (WSH) to hash scripts so users can verify their source and safety. With WSH, scripts can be signed or verified using all the same tools ordinarily used to sign EXE, CAB, DLL, and OCX files. This article discusses public-key cryptosystems, the process of signing and verifying scripts in WSH, and several warnings about attacks that could potentially be made against cryptographically secured scripts and ways in which to avoid them.

  • Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and Digital Certificates
    John Papa - April 2001
    Security is one of the most important factors in the future growth of e-businesses. Making sure that communications remain secure between customers and the Web server is a critical issue. Secure Sockets Layer (SSL) is the standard that secure Web sites are built upon today. This article presents an overview of SSL-based Web security, explaining such fundamental concepts as digital certificates and their distribution, encryption, and the proper configuration of Microsoft Internet Information Services (IIS). Acquiring a certificate, installing it, and configuring IIS for SSL are outlined in a step-by-step process.

  • Security Briefs: The Security Support Provider Interface Revisited
    Keith Brown - April 2001


  • Web Q&A: Detecting Security Settings, Printing from the WebBrowser Control, Hiding the Print Button, and More
    Robert Hess - March 2001


  • Security in .NET: Enforce Code Access Rights with the Common Language Runtime
    Keith Brown - February 2001
    Component-based software is vulnerable to attack. Large numbers of DLLs that are not tightly controlled are at the heart of the problem. Code access security in the Common Language Runtime of the Microsoft .NET Framework addresses this common security hole. In this model, the CLR acts as the traffic cop to assemblies, keeping track of where they came from and what security restraints should be placed on them. Another way the .NET Framework addresses security is by providing preexisting classes which have built-in security. These are the classes that are invoked in .NET when performing risky operations such as reading and writing files, displaying dialog boxes, and so on. Of course, if a component calls unmanaged code, it can bypass code access security measures. This article covers these and other security issues.

  • Security Briefs: Explore the Security Support Provider Interface Using the SSPI Workbench Utility
    Keith Brown - August 2000


  • Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Process Isolation
    Keith Brown - July 2000
    This article, the second of two parts, continues coverage of Web security for Windows. It introduces the Web Application Manager in IIS that allows Web processes to be isolated, decreasing the security risk associated with running in a logon session. The article then picks up where Part One left off-it discusses authentication methods such as basic authentication, digest authentication, integrated Windows authentication, and anonymous logons, and the benefits and drawbacks of each.

  • Editor's Note: Kindly Check the Attached LOVELETTER Coming from Me
    - July 2000


  • Web Security: Putting a Secure Front End on Your COM+ Distributed Applications
    Keith Brown - June 2000
    The Internet requires that developers provide a different security model for clients than is used on a closed network. Because it would be too resource-intensive for both the client and server to prove their identity to each other, you need to look at other ways to ensure secure communications. This article covers the options, from digital certificates to public and private key encryption to Secure Sockets Layer and Web certificates. The discussion covers the installation of certificates in Microsoft Internet Information Services along with other options specific to IIS. This article was adapted from Keith Brown's Programming Windows Security (Addison-Wesley), due out in July 2000.

  • Security Briefs: Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utillity
    Keith Brown - May 2000


  • Security Briefs: Exploring Handle Security in Windows
    Keith Brown - March 2000


Page view tracker