Keith Brown: MSDN Magazine Articles
Keith Brown is a co-founder of Pluralsight, a premier Microsoft .NET training provider. Keith is the author of Pluralsight's Applied .NET Security course as well as several books, including The .NET Developer's Guide to Windows Security, which is available both in print and on the Web. Learn more at www.pluralsight.com/keith

  • Security Briefs: Exploring Claims-Based Identity
    Keith Brown introduces you to the new identity model in the Microsoft .NET Framework 3.0.
    Keith Brown - September 2007
  • Security Briefs: Active Directory Cache Dependencies
    If you're not taking advantage of Active Directory, you should be. Learn the benefits from Keith Brown.
    Keith Brown - July 2007
  • Security Briefs: Events in Windows Vista
    Keith Brown - May 2007
  • Security Briefs: Improve Manageability through Event Logging
    When something goes wrong, a manageable application will tell the administrator how to fix the problem. The Windows Event Log can provide the necessary information.
    Keith Brown - April 2007
  • Security Briefs: Using Protocol Transition—Tips from the Trenches
    Now that Windows Server 2003 is widely deployed, Keith Brown addresses questions from readers who are trying to use protocol transition to build secure gateways into their intranets.
    Keith Brown - January 2007
  • Single Sign-On: A Developer's Introduction To Active Directory Federation Services
    Use Active Directory Federation Services to allow other organizations to use your Web applications without the need for you to grant access explicitly.
    Keith Brown - November 2006
  • Security Briefs: Limited User Problems and Split Knowledge
    Keith Brown - November 2006
  • Security Briefs: CardSpace, SqlMembershipProvider, and More
    This month Keith Brown fields some reader questions on InfoCard turned CardSpace and passwords for SqlMembershipProvider.
    Keith Brown - October 2006
  • Security Briefs: Security in Windows Communication Foundation
    Windows Communication Foundation provides three major protections: confidentiality, integrity, and authentication. This month Keith Brown explains what they can do for you.
    Keith Brown - August 2006
  • Security Briefs: Step-by-Step Guide to InfoCard
    In my April 2006 column I began a discussion of InfoCard, the upcoming identity metasystem, which is being prepared for release in the Windows Vista™ timeframe. If you haven’t read that column, you should definitely start there because I’m going to assume you’re familiar with the basics I covered.
    Keith Brown - May 2006
  • Security Briefs: A First Look at InfoCard
    The Web can be annoying at times. I'm certain that I'm not alone in my frustration with filling out the same old forms on every Web site I visit. Like most other techies, I've acquired many tools over the years to help combat this repetition, and I even wrote my own password manager for my hundreds of different identities on the Web.
    Keith Brown - April 2006
  • Security Briefs: Encrypting Without Secrets
    Do you have a Web site or other system that deals in secrets of any sort? It seems like every time I give a security talk, people ask how to deal with the sticky problem of storing secrets. Connection strings with passwords are an obvious problem.
    Keith Brown - January 2006
  • Security Briefs: Security Enhancements in the .NET Framework 2.0
    The .NET Framework 2.0 got quite a few security enhancements. This month Keith takes you on a whirlwind tour of the goodies you'll find there.
    Keith Brown - Visual Studio 2005 Guided Tour 2006
  • Security Briefs: Security Features in WSE 3.0
    I've been spending a lot of time lately building secure Web services with the Microsoft® .NET Framework 2.0, and Web Services Enhancements (WSE) 3.0 has been a lifesaver for me, so I thought it would be appropriate to dedicate a column to security features in this new product.
    Keith Brown - November 2005
  • Security Briefs: Credentials and Delegation
    I get loads of security questions from friends and former students, and recently I've gotten a number of questions about building secure data-driven Web sites for internal enterprise systems. I've decided to answer them here to hopefully save you some headaches in your own projects.
    Keith Brown - September 2005
  • Security Briefs: Customizing GINA, Part 2
    GINA, the Graphical Identification and Authentication component, is a part of WinLogon that you can customize or replace. Last month I introduced GINA customization; this month, I'm going to drill down to implement each of the GINA entry points.
    Keith Brown - June 2005
  • Security Briefs: Customizing GINA, Part 1
    Over the years I've had many people ask me to write about GINA, the Graphical Identification and Authentication component that serves as the gateway for interactive logons. This month I'll begin my coverage of this topic to help you get started if you're tasked to build such a beast.
    Keith Brown - May 2005
  • Security Briefs: Access Control List Editing in .NET
    Access control lists (ACLs) can be complex beasts, and user interfaces for editing them are incredibly tricky to implement properly. That's why I was really excited when Windows® 2000 shipped with a programmable ACL editor, shown in Figure 1.
    Keith Brown - March 2005
  • Security Briefs: Security Enhancements in the .NET Framework 2.0
    As I write this column, version 2.0 of the Microsoft® .NET Framework is at Beta 1. When I got my bits, I hacked together a little program to dump all of the public members of all public types in the entire Framework and ran it on version 1.
    Keith Brown - January 2005
  • Security Briefs: Password Minder Internals
    In my last column I introduced Password Minder, the tool I use to manage all of my passwords. It generates a long, random password for each site I visit, and makes it possible for me to use the most complex passwords possible, without ever having to see the actual password material or type it in manually.
    Keith Brown - October 2004
  • Security Briefs: Mind Those Passwords!
    Keith Brown - July 2004
  • Security: Security Headaches? Take ASP.NET 2.0!
    ASP.NET 2.0 provides significant advantages with respect to security, especially for folks developing Web sites that use Forms authentication. By providing a user profile repository with support for roles, Forms authentication will move beyond the purview of the ASP.NET internals guru, and should become much more broadly accessible. This article introduces security in ASP.NET 2.0 to give you a head start with upcoming features.
    Keith Brown - June 2004
  • Security Briefs: Beware of Fully Trusted Code
    The vast majority of managed applications run with full trust, but based on my experience teaching .NET security to developers with a broad range of experience, most really don't understand the implications of fully trusted code.
    Keith Brown - April 2004
  • Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager
    Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.
    Keith Brown - November 2003
  • Security Briefs: Hashing Passwords, The AllowPartiallyTrustedCallers Attribute
    Keith Brown describes how you can hash passwords when you want to store them in your own custom database, and when to use the AllowPartiallyTrustedCallers attribute on your assembly.
    Keith Brown - August 2003
  • Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003
    Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.
    Keith Brown - April 2003
  • Security Tips: Defend Your Code with Top Ten Security Tips Every Developer Must Know
    There are many ways to get into trouble when it comes to security. You can trust all code that runs on your network, give any user access to important files, and never bother to check that code on your machine has not changed. You can run without virus protection software, not build security into your own code, and give too many privileges to too many accounts. You can even use a number of built-in functions carelessly enough to allow break-ins, and you can leave server ports open and unmonitored. Obviously, the list continues to grow. What are some of the really important issues, the biggest mistakes you should watch out for right now so that you don't compromise your data or your system? Security experts Michael Howard and Keith Brown present 10 tips to keep you out of hot water.
    Michael Howard and Keith Brown - September 2002
  • HTTP Pipelines: Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET
    ASP.NET is a flexible and extensible framework for server-side HTTP programming. While most people think of ASP.NET in terms of pages served, there is a lower-level infrastructure sitting beneath this page model. The underlying plumbing is based on a pipeline of app, module, and handler objects. Understanding how this pipeline works is key if you want to get the most out of ASP.NET as an HTTP server platform, while making your process more efficient, and keeping your server secure. This article introduces the architecture of the pipeline and shows how you can use it to add sophisticated functionality to an ASP.NET-based app.
    Tim Ewald and Keith Brown - September 2002
  • Security Briefs: Managed Security Context in ASP.NET
    Keith Brown - January 2002
  • Security Briefs: ASP.NET Security Issues
    Keith Brown - November 2001
  • Security Briefs: The Security Support Provider Interface Revisited
    Keith Brown - April 2001
  • Security in .NET: Enforce Code Access Rights with the Common Language Runtime
    Component-based software is vulnerable to attack. Large numbers of DLLs that are not tightly controlled are at the heart of the problem. Code access security in the Common Language Runtime of the Microsoft .NET Framework addresses this common security hole. In this model, the CLR acts as the traffic cop to assemblies, keeping track of where they came from and what security restraints should be placed on them. Another way the .NET Framework addresses security is by providing preexisting classes which have built-in security. These are the classes that are invoked in .NET when performing risky operations such as reading and writing files, displaying dialog boxes, and so on. Of course, if a component calls unmanaged code, it can bypass code access security measures. This article covers these and other security issues.
    Keith Brown - February 2001
  • Security Briefs: Explore the Security Support Provider Interface Using the SSPI Workbench Utility
    Keith Brown - August 2000
  • Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Process Isolation
    This article, the second of two parts, continues coverage of Web security for Windows. It introduces the Web Application Manager in IIS that allows Web processes to be isolated, decreasing the security risk associated with running in a logon session. The article then picks up where Part One left off; it discusses authentication methods such as basic authentication, digest authentication, integrated Windows authentication, and anonymous logons, and the benefits and drawbacks of each.
    Keith Brown - July 2000
  • Web Security: Putting a Secure Front End on Your COM+ Distributed Applications
    The Internet requires that developers provide a different security model for clients than is used on a closed network. Because it would be too resource-intensive for both the client and server to prove their identity to each other, you need to look at other ways to ensure secure communications. This article covers the options, from digital certificates to public and private key encryption to Secure Sockets Layer and Web certificates. The discussion covers the installation of certificates in Microsoft Internet Information Services along with other options specific to IIS. This article was adapted from Keith Brown's Programming Windows Security (Addison-Wesley), due out in July 2000.
    Keith Brown - June 2000
  • Security Briefs: Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility
    Keith Brown - May 2000
  • Security Briefs: Exploring Handle Security in Windows
    Keith Brown - March 2000