Book Review
Keith Brown - The .NET Developer's Guide to Windows Security
This book is divided into six sections. Most important is “The Big Picture”. Every developer (whether you use .NET or another platform) should understand this area.
Next is a set of topics on Windows Security Context, and Access Control. You will refer to this section often if you are doing .NET development.
The last two sections are specific to certain applications or components: COM+, Network Services. Finally, the ever-popular miscellaneous section covers those topics that defy classification.
Brown’s treatment of the subject is broad. You should not be under any misconception that this book will make you an expert on security (either Windows, or .NET). But, it will help you remember the issues you need to remember in order to produce software that does not increase the attack surface of your customer’s machines. That’s the strength of this book. You will not need every recommendation for every application you develop, but you will need to remind yourself of these issues, and make sure you have thought about those issues.
The only weakness in Brown’s book is the low-level organization, and the corresponding Item titles. Too many of the titles describe the question that the item answers. (For example, “How to Create a Windows Principal?”) I’d rather see the titles organized around the tasks I need to perform and consider. Why do I need to create a Windows principal? When do I need one? I’d like the Item titles to help me know when I need to dive deeper into a given topic.
As I said at the top of this review, “The .NET Developer’s Guide to Windows Security” should be required reading for every .NET developer. It’s already earned a place of prominence on my bookshelf. I browse the table of contents repeatedly during development. It reminds me of the issues I need to consider when I make important design decisions.
Keith's homepage for the book: More about the book online (RSS Feeds for updates)
The book page at A-W: Keith Brown's book
The Amazon page: You could buy it here.