Keith Brown / Кейт Браун - Programming Windows Security / Программирование системы безопасности Windows + Code

Keith Brown / Кейт Браун - Programming Windows Security / Программирование системы безопасности Windows + Code
Название:
Keith Brown / Кейт Браун - Programming Windows Security / Программирование системы безопасности Windows + Code
Размер:
5.2 MB
58
Скачать
Programming Windows Security / Программирование системы безопасности Windows
Год: 2000
Автор: Keith Brown / Кейт Браун
Издательство: Addison-Wesley Professional
ISBN: 0-201-60442-6 / 978-0-201-60442-9
Язык: Английский
Формат: PDF
Качество: Распознанный текст без ошибок (OCR)
Интерактивное оглавление: Да
Количество страниц: 331
Описание: "Keith Brown lucidly explains the Win32 security architecture and how it pervades Windows NT and Windows 2000. He demystifies authentication, authorization, auditing, COM+ security, logon sessions, and much more."
--George V. Reilly, IIS Performance Lead, Microsoft
Windows security has often been considered a dry and unapproachable topic. For years, the main examples of programming security were simply exercises in ACL manipulation. Programming Windows Security is a revelation providing developers with insight into the way Windows security really works. This book shows developers the essentials of security in Windows 2000, including coverage of Kerberos, SSL, job objects, the new ACL model, COM+ and IIS 5.0. Also included are highlights of the differences between security in Windows 2000 and in Windows NT 4.0.
Programming Windows Security is written by an experienced developer specifically for use by other developers. It focuses on the issues of most concern to developers today: the design and implementation of secure distributed systems using the networking infrastructure provided by Windows, the file server, the web server, RPC servers, and COM(+) servers.
Topics covered include:
COM(+) security, from the ground up
IIS security
How the file system redirector works and why developers should care
The RPC security model
Kerberos, NTLM, and SSL authentication protocols and SSPI
Services and the Trusted Computing Base (TCB)
Logon sessions and tokens
Window stations, desktops, and user profiles
The Windows 2000 ACL model, including the new model of inheritance
Using private security descriptors to secure objects
Accounts, groups, aliases, privileges, and passwords
Comparison of three strategies for performing access control--impersonation, role-centric, and object-centric--and their impact on the design of a distributed application
Programming Windows Security provides the most comprehensive coverage of COM(+) security available in one place, culled from the author's extensive experience in diagnosing COM security problems in the lab and via correspondence on the DCOM mailing list.
Примеры страниц
Оглавление
Contents
Preface.......................................................................................................................................................4
Chapter 1 - The Players...........................................................................................................................11
Principals................................................................................................................................................11
Authorities..............................................................................................................................................15
Machines as Principals..........................................................................................................................16
Authentication........................................................................................................................................17
Trust.......................................................................................................................................................20
Summary................................................................................................................................................24
Chapter 2 - The Environment..................................................................................................................26
Logon Sessions......................................................................................................................................26
Tokens...................................................................................................................................................29
The System Logon Session...................................................................................................................31
Window Stations....................................................................................................................................32
Processes..............................................................................................................................................35
Summary................................................................................................................................................35
Chapter 3 - Enforcement.........................................................................................................................37
Authorization..........................................................................................................................................37
Discovering Authorization Attributes......................................................................................................41
Distributed Applications..........................................................................................................................41
Objects and Security Descriptors...........................................................................................................42
Access Control Strategies......................................................................................................................44
Choosing a Model..................................................................................................................................48
Caching Mechanisms.............................................................................................................................49
Summary................................................................................................................................................52
Chapter 4 – Logon Sessions..................................................................................................................54
Logon Session 999................................................................................................................................56
Daemon Logon Sessions.......................................................................................................................58
Network Logon Sessions........................................................................................................................60
Interactive Logon Sessions....................................................................................................................61
Network Credentials...............................................................................................................................62
Tokens...................................................................................................................................................62
Memory Allocation and Error Handling Strategies..................................................................................74
Using Privileges.....................................................................................................................................75
Impersonation........................................................................................................................................79
Restricting Authorization Attributes........................................................................................................91
Terminating a Logon Session.................................................................................................................94
Summary................................................................................................................................................95
Chapter 5 – Window Stations and Profiles............................................................................................97
What Is a Window Station?....................................................................................................................97
Window Station Permissions..................................................................................................................99
Natural Window Station Allocation.......................................................................................................100
Daemons in the Lab.............................................................................................................................102
Other Window Stations........................................................................................................................103
Exploring Window Stations...................................................................................................................105
Closing Window Station Handles.........................................................................................................106
Window Stations and Access Control..................................................................................................107
Desktops..............................................................................................................................................108
Jobs, Revisited.....................................................................................................................................114
Processes............................................................................................................................................115
Summary..............................................................................................................................................124
Chapter 6 - Access Control and Accountability..................................................................................125
Permissions..........................................................................................................................................125
Anatomy of a Security Descriptor.........................................................................................................128
Where Do Security Descriptors Come From?......................................................................................131
Security Descriptor Usage Patterns.....................................................................................................132
How ACLs Work...................................................................................................................................135
Security Descriptors and Built-in Objects.............................................................................................143
Security Descriptors and Private Objects.............................................................................................144
Hierarchical Object Models and ACL Inheritance.................................................................................146
ACL Programming................................................................................................................................162
Handles................................................................................................................................................170
Summary..............................................................................................................................................172
Chapter 7 – Network Authentication....................................................................................................174
The NTLM Authentication Protocol......................................................................................................174
The Kerberos v5 Authentication Protocol.............................................................................................186
SSPI.....................................................................................................................................................203
SPNEGO: Simple and Protected Negotiation.......................................................................................207
Summary..............................................................................................................................................208
Chapter 8 – The File Server..................................................................................................................209
LAN Manager.......................................................................................................................................209
LAN Manager Sessions.......................................................................................................................210
Clients and Sessions............................................................................................................................213
Use Records........................................................................................................................................214
NULL Sessions....................................................................................................................................220
Dealing with Conflict.............................................................................................................................221
Drive Letter Mappings..........................................................................................................................221
Named Pipes........................................................................................................................................222
SMB Signing........................................................................................................................................224
Summary..............................................................................................................................................225
Chapter 9 – COM(+)...............................................................................................................................227
The MSRPC Security Model................................................................................................................227
The COM Security Model.....................................................................................................................239
COM Interception.................................................................................................................................249
Activation Requests.............................................................................................................................254
More COM Interception: Access Control..............................................................................................258
Plugging Obscure Security Holes.........................................................................................................259
Security in In-Process Servers?...........................................................................................................260
Surrogates and Declarative Security....................................................................................................260
COM Servers Packaged as Services...................................................................................................263
Legacy Out-of-Process Servers...........................................................................................................264
Launching Servers via the COM SCM.................................................................................................265
A Note on Choosing a Server Identity..................................................................................................268
Access Checks in the Middle Tier........................................................................................................269
The COM+ Security Model: Configured Components..........................................................................270
Catalog Settings...................................................................................................................................271
Applications and Role-Based Security.................................................................................................274
Making Sense of COM+ Access Checks..............................................................................................280
Which Components Need Role Assignments?.....................................................................................284
Security in COM+ Library Applications.................................................................................................285
Fine-Grained Access Control: IsCallerlnRole.......................................................................................287
Call Context Tracking...........................................................................................................................288
Tips for Debugging COM Security Problems........................................................................................289
Summary..............................................................................................................................................291
Chapter 10 – IIS......................................................................................................................................292
Authentication on the Web...................................................................................................................292
Public Key Cryptography......................................................................................................................295
Certificates...........................................................................................................................................296
Interlude: Some Acronyms and Terms.................................................................................................299
Secure Sockets Layer..........................................................................................................................300
Certificate Revocation..........................................................................................................................303
From Theory to Practice: Obtaining and Installing a Web Server Certificate........................................303
Requiring HTTPS via the IIS Metabase...............................................................................................306
Managing Web Applications.................................................................................................................308
Client Authentication............................................................................................................................311
Server Applications..............................................................................................................................318
IIS as a Gateway into COM+................................................................................................................321
Miscellaneous Topics...........................................................................................................................324
Where to Get More Information............................................................................................................326
Summary..............................................................................................................................................327
Appendix: absent, may be not forever.................................................................................................329
Bibliography...........................................................................................................................................330
Доп. информация: Спасибо за подготовку материала -> fat-crocodile