Programming Windows Security

I've been a professional software engineer on Win16/Win32 platforms for over 11 years, doing COM development for most of that time. I have never encountered a source of technical information that comes close to the lucidity or completeness of the Developmentor Series.Keith Brown's contribution to this series on Windows security continues the tradition of solid, well researched and clearly written treatise on topics that affect, and should concern, every developer who is serious about producing high quality code on the Win32 platform.Most developers trip over security because the fundamentals of identity, authentication, etc. are not well understood. This book provides a thorough introduction to the ideas that underly secure systems as well as a complete explanation of how they are implemented by Win32. Very useful for those of us who don't bend spoons with our minds for a living (still laughing over that analogy--thanks Keith!)If you use COM (and who writes for Win32 and doesn't these days?) then the wisdom in Chapter 9 alone is worth the price of the book.

Understanding the Windows security model by examining the Win32 API is nearly impossible. This book tied everything together for me, not just for Win32 security, but for security in general. I thought it found a great balance between being instructive and complete. If you want to understand Windows security, this is a great book. However, it is not a cookbook and is a little difficult to use as a reference book. Despite that, I have used it many times since reading it to quickly locate and understand the cause of security problems in our product.

This is the most comprehensive Windows security book for programmers there is. There are many books out there on how to administer Windows security, but very few on how to program it. About two years ago I started on a project that implemented fine-grained private object security and read everything I could find on the topic; there wasn't much. During that project I was able to read some very useful articles from Keith in MSJ/MSDN magazine. This book includes topics covered in his magazine articles, but adds more detail. It also covers more topics and pulls it all together in one comprehensive book. Even though I thought that I had been exposed to most of what this book covers I went ahead and read it. I still learned a lot, especially about logon sessions and Windows stations and how they affect the security of your application. I think that every Windows developer should read this book because what this book covers affects you even if you are not interested in security. Web programmers should make sure to check out the section on IIS. This book would have saved me so much time if I would have had it two years ago. I read some of the other reviews and found the ones about the font size kind of ridiculous. Everyone has his or her personal preferences on font and style, but I am reviewing this book based on content. I give this book five stars.

I went out and bought this book at a time when I was having trouble with some DCOM security issues. I have always kind of avoided learning about Windows security, because, frankly, I didn't find it very interesting, and the parts of the documentation I had read were so confusing as to be useless.I was therefore very pleasantly surprised and gratified to find that Brown's book was easy to read, clearly and interestingly written, and explained the details of Windows security in a very straightforward, methodical fashion.Although it was probably not necesary to do so, I read the book from cover to cover. It is organized so as to provide lower level details and concepts in the early chapters, then to move on to higher-level and more complicated issues. For me, this meant that the problem I was working on was not addressed until the second-last chapter, but by the time I got there, I felt that I had a good grasp of the underlying functionality, and could better understand why certain seemingly bizarre APIs and configurations worked the way they do. (After finishing it, I was able to solve the problems I was having, too!)One of the clever features that Brown has included is to provide a non-technical overview in the first three chapters, which is suitable for sharing with your non-technical manager so that you can have intelligent discussions, using a common vocabulary, of the issues you are dealing with. That's truly a rare treat! Another good feature is that the index is quite well done. (There's nothing worse than a reference book in which you can't find the information you're looking for.)The long and the short if it is that this book, while not for everyone, is an outstanding reference on Windows Security.

This book is important for anybody wanting to correctly understand Windows NT/2000 security whether you program, build or admin Windows NT/2000 networks. Security setup must be done properly in a production system, espically one serving the Internet. Keith gives a great overview of the NT/2000 security infrastructure in a style that gives you the right perspective to see why and how it works the way it does. Is the Guest logon in the Authenticated Users group? What and Why are NULL sessions? The tricks of Net Use lmsessions. The background to understand ticket based security and cached credentials. Its all covered very well in this very readable book.