Share via

Best Practices

The best practices articles on this page will help you build better applications in a more secure manner.


Inspect Your Gadget

Today, the Windows Vista Sidebar hosts Gadgets built from HTML, JavaScript, and potentially ActiveX controls, and because Gadgets are HTML, they are subject to Cross-site Scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user. This arcticle outlines some of the secure programming best practices that should be considered when building Windows Vista Sidebar Gadgets.

Security Briefs: Improve Manageability through Event Logging

When something goes wrong, a manageable application will tell the administrator how to fix the problem. The Windows Event Log can provide the necessary information.

Security Briefs: Using Protocol Transition—Tips from the Trenches

Now that Windows Server 2003 is widely deployed, Keith Brown addresses questions from readers who are trying to use protocol transition to build secure gateways into their intranets.

Security Briefs: Limited User Problems and Split Knowledge

This month, Windows® Communication Foundation service and the non-administrator, and implementing split knowledge and dual control of keys.

Security Briefs: Active Directory Cache Dependencies

Discusses integrate your application with Active Directory, including the System.DirectoryServices namespace.

Security Briefs: Events in Windows Vista

Explores the new Wndows Vista eventing system, Windows Eventing 6.0.

Enterprise Obfuscation - Technology, Process and Control (PreEmptive Solutions)
This article enumerates the essential characteristics of an enterprise obfuscation solution and assesses its suitability and value within a layered security program and as a component of a risk-based IT control framework. Focuses on a summary of obfuscation technical capabilities and considerations; identification of common system configuration management dependencies; application lifecycle workflow and process requirements; development, quality assurance, and support best practice; guidance as to when enterprise obfuscation can be an effective IT control; and enterprise obfuscation evaluation criteria.
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users
Security expert Michael Howard discusses minimizing security risks to code through techniques such as identifying and reducing attack surface, reducing the volume of code available to untrusted users, and limiting the damage that hackers can do.
Secure Coding Guidelines for the .NET Framework
Learn about evidence-based and code access security and security issues to consider in your code, and get guidelines for classifying your components.
Designing Application-Managed Authorization
Get information on implementing authorization capabilities using the .NET Framework at the application level.
Building and Configuring More Secure Web Sites
See how the Microsoft security Web application for the eWeek OpenHack 4 competition was built and configured. Also, get best practices to secure your own solutions.
How To: Secure Your Developer Workstation
This How To from PAG's Improving Web Application Security: Threats and Countermeasures helps you improve your development workstation security.
Using Permutations in .NET for Improved Systems Security
In this article, James McCaffrey explains permutations and provides a Permutation class implemented in C#. He also presents an algorithm that generates an arbitrary permutation by using a mathematical construct, and he discusses several practical applications for permutations.
Writing Error Messages for Security Features
Learn the essentials of writing, presenting, and testing security-related messages.
Security Policy Best Practices
Modify security policy to meet your needs as an administrator, with the .NET Framework code-access security model. Learn basic administration concepts and best practices to use when administering code-access security policy.