Security Briefs - Exploring Claims-Based Identity

Tue, 17 Jul 2007 10:00:00 GMT

Keith Brown introduces you to the new identity model in the Microsoft .NET Framework 3.0.

Read article

Security Briefs - Active Directory Cache Dependencies

Tue, 22 May 2007 10:00:00 GMT

If you're not taking advantage of Active Directory, you should be. Learn the benefits from Keith Brown.

Read article

Security Briefs - Events in Windows Vista

Wed, 11 Apr 2007 10:00:00 GMT

Read article

Security Briefs - Improve Manageability through Event Logging

Tue, 13 Mar 2007 10:00:00 GMT

When something goes wrong, a manageable application will tell the administrator how to fix the problem. The Windows Event Log can provide the necessary information.

Read article

Security Briefs - Using Protocol Transition—Tips from the Trenches

Wed, 22 Nov 2006 10:00:00 GMT

Now that Windows Server 2003 is widely deployed, Keith Brown addresses questions from readers who are trying to use protocol transition to build secure gateways into their intranets.

Read article

Single Sign-On - A Developer's Introduction To Active Directory Federation Services

Thu, 12 Oct 2006 10:00:00 GMT

Use Active Directory Federation Services to allow other organizations to use your Web applications without the need for you to grant access explicitly.

Read article

Security Briefs - Limited User Problems and Split Knowledge

Thu, 12 Oct 2006 10:00:00 GMT

Read article

Security Briefs - CardSpace, SqlMembershipProvider, and More

Wed, 09 Aug 2006 10:00:00 GMT

This month Keith Brown fields some reader questions on InfoCard turned CardSpace and passwords for SqlMembershipProvider.

Read article

Security Briefs - Security in Windows Communication Foundation

Thu, 06 Jul 2006 10:00:00 GMT

Windows Communication Foundation provides three major protections—confidentiality, integrity, and authentication. This month Keith Brown explains what they can do for you.

Read article

Security Briefs - Step-by-Step Guide to InfoCard

Thu, 06 Apr 2006 10:00:00 GMT

In my April 2006 column I began a discussion of InfoCard, the upcoming identity metasystem, which is being prepared for release in the Windows Vista™ timeframe. If you haven’t read that column, you should definitely start there because I’m going to assume you’re familiar with the basics I covered.

Read article

Security Briefs - A First Look at InfoCard

Thu, 09 Mar 2006 10:00:00 GMT

The Web can be annoying at times. I'm certain that I'm not alone in my frustration with filling out the same old forms on every Web site I visit. Like most other techies, I've acquired many tools over the years to help combat this repetition, and I even wrote my own password manager for my hundreds of different identities on the Web.

Read article

Security Briefs - Encrypting Without Secrets

Tue, 13 Dec 2005 10:00:00 GMT

Do you have a Web site or other system that deals in secrets of any sort? It seems like every time I give a security talk, people ask how to deal with the sticky problem of storing secrets. Connection strings with passwords are an obvious problem.

Read article

Security Briefs - Security Enhancements in the .NET Framework 2.0

Fri, 20 Jan 2006 10:00:00 GMT

The .NET Framework 2.0 got quite a few security enhancements. This month Keith takes you on a whirlwind tour of the goodies you'll find there.

Read article

Security Briefs - Security Features in WSE 3.0

Tue, 11 Oct 2005 10:00:00 GMT

I've been spending a lot of time lately building secure Web services with the Microsoft® .NET Framework 2.0, and Web Services Enhancements (WSE) 3.0 has been a lifesaver for me, so I thought it would be appropriate to dedicate a column to security features in this new product.

Read article

Security Briefs - Credentials and Delegation

Tue, 09 Aug 2005 10:00:00 GMT

I get loads of security questions from friends and former students, and recently I've gotten a number of questions about building secure data-driven Web sites for internal enterprise systems. I've decided to answer them here to hopefully save you some headaches in your own projects.

Read article

Security Briefs - Customizing GINA, Part 2

Tue, 10 May 2005 10:00:00 GMT

GINA, the Graphical Identification and Authentication component, is a part of WinLogon that you can customize or replace. Last month I introduced GINA customization; this month, I'm going to drill down to implement each of the GINA entry points.

Read article

Security Briefs - Customizing GINA, Part 1

Tue, 12 Apr 2005 10:00:00 GMT

Over the years I've had many people ask me to write about GINA, the Graphical Identification and Authentication component that serves as the gateway for interactive logons. This month I'll begin my coverage of this topic to help you get started if you're tasked to build such a beast.

Read article

Security Briefs - Access Control List Editing in .NET

Tue, 15 Feb 2005 10:00:00 GMT

Access control lists (ACLs) can be complex beasts, and user interfaces for editing them are incredibly tricky to implement properly. That's why I was really excited when Windows® 2000 shipped with a programmable ACL editor, shown in Figure 1.

Read article

Security Briefs - Security Enhancements in the .NET Framework 2.0

Tue, 14 Dec 2004 10:00:00 GMT

As I write this column, version 2.0 of the Microsoft® .NET Framework is at Beta 1. When I got my bits, I hacked together a little program to dump all of the public members of all public types in the entire Framework and ran it on version 1.

Read article

Security Briefs - Password Minder Internals

Tue, 14 Sep 2004 10:00:00 GMT

In my last column I introduced Password Minder, the tool I use to manage all of my passwords. It generates a long, random password for each site I visit, and makes it possible for me to use the most complex passwords possible, without ever having to see the actual password material or type it in manually.

Read article

Security Briefs - Mind Those Passwords!

Tue, 15 Jun 2004 10:00:00 GMT

Read article

Security - Security Headaches? Take ASP.NET 2.0!

Tue, 18 May 2004 10:00:00 GMT

ASP.NET 2.0 provides significant advantages with respect to security, especially for folks developing Web sites that use Forms authentication. By providing a user profile repository with support for roles, Forms authentication will move beyond the purview of the ASP.NET internals guru, and should become much more broadly accessible. This article introduces security in ASP.NET 2.0 to give you a head start with upcoming features.

Read article

Security Briefs - Beware of Fully Trusted Code

Tue, 16 Mar 2004 10:00:00 GMT

The vast majority of managed applications run with full trust, but based on my experience teaching .NET security to developers with a broad range of experience, most really don't understand the implications of fully trusted code.

Read article

Authorize It - Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager

Tue, 14 Oct 2003 10:00:00 GMT

Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.

Read article

Security Briefs - Hashing Passwords, The AllowPartiallyTrustedCallers Attribute

Tue, 15 Jul 2003 10:00:00 GMT

Keith Brown describes how you can hash passwords when you want to store them in your own custom database, and when to use the AllowPartiallyTrustedCallers attribute on your assembly.

Read article

Security Briefs - Exploring S4U Kerberos Extensions in Windows Server 2003

Tue, 11 Mar 2003 10:00:00 GMT

Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.

Read article

Security Briefs - Managed Security Context in ASP.NET

Tue, 18 Dec 2001 10:00:00 GMT

Read article

Security Briefs - ASP.NET Security Issues

Tue, 16 Oct 2001 10:00:00 GMT

Read article

Security Briefs - The Security Support Provider Interface Revisited

Tue, 13 Mar 2001 10:00:00 GMT

Read article

Security in .NET - Enforce Code Access Rights with the Common Language Runtime

Tue, 16 Jan 2001 10:00:00 GMT

Component-based software is vulnerable to attack. Large numbers of DLLs that are not tightly controlled are at the heart of the problem. Code access security in the Common Language Runtime of the Microsoft .NET Framework addresses this common security hole. In this model, the CLR acts as the traffic cop to assemblies, keeping track of where they came from and what security restraints should be placed on them. Another way the .NET Framework addresses security is by providing preexisting classes which have built-in security. These are the classes that are invoked in .NET when performing risky operations such as reading and writing files, displaying dialog boxes, and so on. Of course, if a component calls unmanaged code, it can bypass code access security measures. This article covers these and other security issues.

Read article

Security Briefs - Explore the Security Support Provider Interface Using the SSPI Workbench Utility

Tue, 18 Jul 2000 10:00:00 GMT

Read article

Web Security - Part 2: Introducing the Web Application Manager, Client Authentication Options, and Process Isolation

Tue, 13 Jun 2000 10:00:00 GMT

This article, the second of two parts, continues coverage of Web security for Windows. It introduces the Web Application Manager in IIS that allows Web processes to be isolated, decreasing the security risk associated with running in a logon session. The article then picks up where Part One left off; it discusses authentication methods such as basic authentication, digest authentication, integrated Windows authentication, and anonymous logons, and the benefits and drawbacks of each.

Read article

Web Security - Putting a Secure Front End on Your COM+ Distributed Applications

Tue, 16 May 2000 10:00:00 GMT

The Internet requires that developers provide a different security model for clients than is used on a closed network. Because it would be too resource-intensive for both the client and server to prove their identity to each other, you need to look at other ways to ensure secure communications. This article covers the options, from digital certificates to public and private key encryption to Secure Sockets Layer and Web certificates. The discussion covers the installation of certificates in Microsoft Internet Information Services along with other options specific to IIS. This article was adapted from Keith Brown's Programming Windows Security (Addison-Wesley), due out in July 2000.

Read article

Security Briefs - Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility

Tue, 18 Apr 2000 10:00:00 GMT

Read article

Security Briefs - Exploring Handle Security in Windows

Tue, 15 Feb 2000 10:00:00 GMT

Read article