Application security can be divided into four categories: authentication, encryption, access, and auditing.
We discussed how authentication is the user's first point of contact with an application's security system. Developers must identify and validate users, and determine what role each user plays within the application. Several application authentication mechanisms are available to Windows NT-based applications, such as Windows NT Authentication and Kerberos. In addition, many Web-based types of authentication, such as basic authentication, Windows NT challenge/response, cookies, and digital certificates, can be used by applications. SQL Server's three authentication methods of standard, integrated, and mixed security can also be used within applications.
Information can be encrypted while it is being transferred between the application's users, services, and data stores via several security-related protocols and methods such as SSL and Microsoft's CryptoAPI.
Once an application recognizes a particular user, the application must allow the user access only to the appropriate areas, through such security measures as controlling access to system services, files, components, and the Windows NT Registry. Web- and MTS-based applications can pose different access security issues for the team's applications.
Finally, we looked at how to audit who is doing what with an application. We identified several categories of audit entries, and discussed logging entries into log files and the Windows NT event service logs.
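The following is an added example, not code from the chapter, tying together the four categories above: it validates a user against a salted password hash, resolves the user's role, makes a deny-by-default access decision, and writes an audit entry for every logon and access decision. The user table, role-to-permission table and audit category names (LOGON_SUCCESS, LOGON_FAILURE, ACCESS_GRANTED, ACCESS_DENIED) are assumptions chosen for the illustration; the chapter does not name specific categories. The log format is a plain single-line record that could equally be written to a log file or forwarded to the event log.

```python
"""Added illustration (not from the chapter): authentication, role-based
access and auditing in one small flow. All users, roles, permissions and
audit categories below are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

_PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used only to keep unknown-user timing similar


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERATIONS)


def _make_user(password: str, role: str) -> Tuple[bytes, bytes, str]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt), role


# Constructed sample users: (salt, password hash, role). Sample passwords only.
USERS: Dict[str, Tuple[bytes, bytes, str]] = {
    "alice": _make_user("correct horse", "manager"),
    "bob": _make_user("battery staple", "clerk"),
}

# Constructed role-to-permission table. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "clerk": frozenset({"orders:read"}),
    "manager": frozenset({"orders:read", "orders:approve"}),
    "admin": frozenset({"orders:read", "orders:approve", "registry:write"}),
}


@dataclass
class AuditEntry:
    timestamp: str
    category: str  # assumed categories: LOGON_* and ACCESS_*
    user: str
    action: str
    detail: str = ""

    def as_log_line(self) -> str:
        # Fixed-field, single-line record so a log collector can parse it.
        return (f"{self.timestamp} {self.category} user={self.user} "
                f"action={self.action} {self.detail}").rstrip()


@dataclass
class AuditLog:
    entries: List[AuditEntry] = field(default_factory=list)

    def record(self, category: str, user: str, action: str, detail: str = "") -> AuditEntry:
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(), category, user, action, detail)
        self.entries.append(entry)
        return entry

    def count(self, category: str) -> int:
        return sum(1 for e in self.entries if e.category == category)


def authenticate(username: str, password: str, log: AuditLog) -> Optional[str]:
    """Return the user's role on success, None on failure. Both outcomes are audited."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)  # do the same work as for a real user
        log.record("LOGON_FAILURE", username, "logon", "unknown user")
        return None
    salt, expected, role = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        log.record("LOGON_FAILURE", username, "logon", "bad password")
        return None
    log.record("LOGON_SUCCESS", username, "logon", f"role={role}")
    return role


def check_access(username: str, role: str, permission: str, log: AuditLog) -> bool:
    """Deny-by-default access check; every decision produces an audit entry."""
    allowed = permission in ROLE_PERMISSIONS.get(role, frozenset())
    log.record("ACCESS_GRANTED" if allowed else "ACCESS_DENIED",
               username, permission, f"role={role}")
    return allowed


def demo() -> AuditLog:
    """Run a constructed session and return its audit log."""
    log = AuditLog()
    role = authenticate("alice", "correct horse", log)
    if role:
        check_access("alice", role, "orders:approve", log)  # granted
        check_access("alice", role, "registry:write", log)  # denied
    authenticate("mallory", "guess", log)                    # unknown user
    check_access("carol", "guest", "orders:read", log)       # unknown role: denied
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry.as_log_line())
```

Note that failed logons and denied accesses are recorded alongside successes; the denied entries are the ones an auditor most needs when reconstructing who tried to do what, and the unknown-role case shows why the permission lookup must fall back to an empty set rather than raising or granting.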