What Is Enterprise Application Security?

A typical enterprise application includes the following architectural elements and processes:

• User interface services (such as an Active Server Pages user interface)
• Operating system services (such as registry access and object pooling)
• Business process services (such as a distributed COM DLL component)
• Data transmission services (such as HTTP over the Internet)
• Database access services (such as SQL Server)
• Access to non-database support files (such as a .prf user preferences file)

Application security means that each of these application services must be available only to qualified users. At the same time, every component, service, and supporting file must be protected from unauthorized viewing, tampering, or modification.

The best way to protect your application's architectural elements and processes is with the built-in services provided by Windows NT operating system security. Windows NT prevents unauthorized access and tampering by providing user access control, resource and service protection, and auditability.

You can extend the standard Windows NT security features to include the protection of sensitive data transmissions by using either encryption or digital signatures.

Your application might also rely on BackOffice services such as SQL Server or Internet Information Server. All of these BackOffice services can be uniquely configured to control access and process privileges.

For More Information   Understanding Windows NT Security, in this chapter, provides links to more information about a number of primary operating system-level security functions to control access. For a discussion about storing and transmitting encrypted data see Using the Microsoft CryptoAPI. For information on using digital certificates to control access to your application, see Using Certificates.