Security and Identity

Develop more secure desktop apps by using Windows APIs and services. These APIs provide:

  • Authentication
  • Authorization
  • Cryptography
  • Directory, identity, and access services
  • Parental controls
  • Rights management

This section also provides best practices and other security articles.

In this section

Topic
    Description

Antimalware Scan Interface
    The Antimalware Scan Interface (AMSI) is a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. It provides enhanced malware protection for users and their data, applications, and workloads.

Authentication
    Authentication is the process by which the system validates a user's logon information. A user's name and password are compared to an authorized list, and if the system detects a match, access is granted to the extent specified in the permission list for that user.

Authorization
    Authorization is the right granted to an individual to use the system and the data stored on it. Authorization is typically set up by a system administrator and verified by the computer based on some form of user identification, such as a code number or password.

Best Practices for the Security APIs
    Provides best practices for developing more secure applications.

Certificate Enrollment API
    The Certificate Enrollment API can be used to create a client application to request a certificate and install a certificate response.

Control Flow Guard (CFG)
    Control Flow Guard (CFG) is a highly optimized platform security feature that was created to combat memory corruption vulnerabilities.

Cryptography
    Cryptography is the use of codes to convert data so that only a specific recipient, using a key, will be able to read it. CryptoAPI enables users to create and exchange documents and other data in a secure environment, especially over nonsecure media such as the Internet.

Cryptography API: Next Generation
    Cryptography API: Next Generation (CNG) enables users to create and exchange documents and other data in a secure environment, especially over nonsecure media such as the Internet.

Dynamic Access Control developer extensibility
    The Dynamic Access Control (DAC) scenario, as delivered in Windows Server 2012, has a variety of developer extensibility points that add customization potential for your application development.

Directory, Identity, and Access Services
    Network administrators can use directory services to automate common administrative tasks, such as adding users and groups, managing printers, and setting permissions on network resources.

    Independent software vendors and end-user developers can use directory services to directory-enable their products and applications. Services can publish themselves in a directory, clients can use the directory to find services, and both can use the directory to find and manipulate other objects.

    Forefront Identity Manager (FIM) provides an integrated and comprehensive solution for managing the entire lifecycle of user identities and their associated credentials.

    Identity Lifecycle Manager (ILM) enables IT organizations to reduce the cost of managing the identity and access lifecycle by providing a single view of a user's identity across the heterogeneous enterprise and through the automation of common tasks.

    Active Directory Federation Services (AD FS) enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

Extensible Authentication Protocol
    The Extensible Authentication Protocol (EAP) is a standard supported by several system components. EAP is crucial for protecting the security of wireless (802.1X) and wired LANs, dial-up connections, and Virtual Private Networks (VPNs).

Extensible Authentication Protocol Host
    EAPHost is a Microsoft Windows Networking component that provides an Extensible Authentication Protocol (EAP) infrastructure for the authentication of "supplicant" protocol implementations such as 802.1X and the Point-to-Point Protocol (PPP).

MS-CHAP Password Management API
    You can use the MS-CHAP Password Management API to create applications that change the passwords of networked users on remote workstations.

Network Access Protection
    Network Access Protection (NAP) is a set of operating system components that provide a platform for protected access to private networks. The NAP platform provides an integrated way of evaluating the system health state of a network client that is attempting to connect to or communicate on a network, and of restricting that client's access until health policy requirements have been met.

Network Policy Server
    Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. It is the successor of Internet Authentication Service (IAS).

Parental Controls
    The Parental Controls technology in Windows is intended to assist diligent parents or guardians in ensuring access to appropriate materials by age or maturity level for those under their guardianship. It provides an extensible infrastructure in addition to built-in capabilities.

Rights Management
    Three generations of the Rights Management SDK are now available, as well as an all-up roadmap to Microsoft-supplied RMS code samples and developer tools across all supported operating systems: Android, iOS/OS X, Windows Phone, and Windows Desktop.

Security Development Lifecycle (SDL) - Process Guidance
    The Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process.

Security Management
    The security management technologies can be used to manage Local Security Authority (LSA) policy and password filter policy, to query the ability of programs from external sources to run, and to service attachments that extend the functionality of the Security Configuration tool.

Security WMI Providers
    The Security WMI providers enable administrators and programmers to configure BitLocker Drive Encryption (BDE) and the Trusted Platform Module (TPM) using Windows Management Instrumentation (WMI).

Security Glossary
    Provides a glossary of security terms.

TPM Base Services
    The Trusted Platform Module (TPM) Base Services (TBS) feature centralizes TPM access across applications. The TBS feature uses priorities specified by calling applications to cooperatively schedule TPM access.

Windows Biometric Framework API
    You can use the Windows Biometric Framework API to create client applications that securely capture, save, and compare end-user biometric information.

Security Technical Articles
    Articles on security and cryptography.