
Programming Windows Security

Description

  • Copyright 2000
  • Dimensions: 7-1/4" x 9-1/4"
  • Pages: 608
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-60442-6
  • ISBN-13: 978-0-201-60442-9

Windows 2000 and NT offer programmers powerful security tools that few developers use to the fullest -- and many are completely unaware of. In Programming Windows Security, a top Windows security expert shows exactly how to apply them in enterprise applications. Keith Brown starts with a complete roadmap to the Windows 2000 security architecture, describing every component and how they all fit together. He reviews the "actors" in a secure system, including principals, authorities, authentication, domains, and the local security authority; and the role of trust in secure Windows 2000 applications. Developers will understand the security implications of the broader Windows 2000 environment, including logon sessions, tokens, and window stations. Next, Brown introduces Windows 2000 authorization and access control, including groups, aliases, roles, privileges, security descriptors, DACLs and SACLs - showing how to choose the best access strategy for any application. In Part II, he walks developers through using each of Windows 2000's security tools, presenting techniques for building more secure setup programs, using privileges at runtime, working with window stations and user profiles, and using Windows 2000's dramatically changed ACLs. Finally, Brown provides techniques and sample code for network authentication, working with the file system redirector, using RPC security, and making the most of COM/COM+ security.

Sample Content

Table of Contents



Preface.

I. MODEL 1.

1. The Players.

Principals.

Authorities.

Machines as Principals.

Authentication.

Trust.

Summary.

2. The Environment.

Logon Sessions.

Tokens.

The System Logon Session.

Window Stations.

Processes.

Summary.

3. Enforcement.

Authorization.

Discovering Authorization Attributes.

Distributed Applications.

Objects and Security Descriptors.

Access Control Strategies.

Choosing a Model.

Caching Mechanisms.

Summary.

II. MECHANICS.

4. Logon Sessions.

Logon Session 999.

Daemon Logon Sessions.

Network Logon Sessions.

Interactive Logon Sessions.

Network Credentials.

Tokens.

Memory Allocation and Error Handling Strategies.

Using Privileges.

Impersonation.

Restricting Authorization Attributes.

Terminating a Logon Session.

Summary.

5. Window Stations and Profiles.

What Is a Window Station?

Window Station Permissions.

Natural Window Station Allocation.

Daemons in the Lab.

Other Window Stations.

Exploring Window Stations.

Closing Window Station Handles.

Window Stations and Access Control.

Desktops.

Jobs, Revisited.

Processes.

Summary.

6. Access Control and Accountability.

Permissions.

Anatomy of a Security Descriptor.

Where Do Security Descriptors Come From?

Security Descriptor Usage Patterns.

How ACLs Work.

Security Descriptors and Built-in Objects.

Security Descriptors and Private Objects.

Hierarchical Object Models and ACL Inheritance.

ACL Programming.

Handles.

Summary.

III. DISTRIBUTION.

7. Network Authentication.

The NTLM Authentication Protocol.

The Kerberos v5 Authentication Protocol.

SSPI.

SPNEGO: Simple and Protected Negotiation.

Summary.

8. The File Server.

Lan Manager.

Lan Manager Sessions.

Clients and Sessions.

Use Records.

NULL Sessions.

Dealing with Conflict.

Drive Letter Mappings.

Named Pipes.

SMB Signing.

Summary.

9. COM(+).

The MSRPC Security Model.

The COM Security Model.

COM Interception.

Activation Requests.

More COM Interception: Access Control.

Plugging Obscure Security Holes.

Security in In-Process Servers?

Surrogates and Declarative Security.

COM Servers Packaged as Services.

Legacy Out-of-Process Servers.

Launching Servers via the COM SCM.

A Note on Choosing a Server Identity.

Access Checks in the Middle Tier.

The COM+ Security Model: Configured Components.

Catalog Settings.

Applications and Role-Based Security.

Making Sense of COM+ Access Checks.

Which Components Need Role Assignments?

Security in COM+ Library Applications.

Fine-Grained Access Control: IsCallerInRole.

Call Context Tracking.

Tips for Debugging COM Security Problems.

Summary.

10. IIS.

Authentication on the Web.

Public Key Cryptography.

Certificates.

Secure Sockets Layer.

Certificate Revocation.

From Theory to Practice: Obtaining and Installing a Web Server Certificate.

Requiring HTTPS via the IIS Metabase.

Managing Web Applications.

Client Authentication.

Server Applications.

IIS as a Gateway into COM+.

Miscellaneous Topics.

Where to Get More Information.

Summary.

Appendix: Some Parting Words.

Well-Known SIDs.

Printing SIDs in Human Readable Form.

Adding Domain Principals in Windows 2000.

Adding Groups in Windows 2000.

Adding Local Accounts and Aliases.

Privileges and Logon Rights.

Secrets: The Windows Password Stash.

Glossary.

Bibliography.

Index.

Preface

As with most of my friends, I learned to program Windows by reading Charles Petzold's classic tome, Programming Windows. I then moved on to Jeffrey Richter's seminal book for systems developers, Advanced Windows NT. Finally, I moved into the realm of objects with Kraig Brockschmidt's Inside OLE 2. With the release of Windows NT 4.0, I started using (and eventually teaching) COM as a way to build distributed applications. Until this point in my life, I'd been able to safely ignore security, and had long since suppressed the pangs of guilt I used to feel when passing NULL for LPSECURITY_ATTRIBUTES. Little did I know that my life was about to change forever.

It was a beautiful sunny day in Bellevue, Washington, when I drove up to the offices of Saros, a software development company where I was scheduled to give my first on-site presentation of Essential COM, DevelopMentor's flagship COM course that included coverage of the relatively new Windows NT 4.0 feature called DCOM. All the students in the class had packed in their own computers (these students were worn and grizzled Windows programmers, some of whom had lost the covers to their machines long ago). What made the situation interesting was that some of the students had machines belonging to various Windows NT domains, whereas others had standalone machines not associated with any domain. One student was even running Windows 95. It was a recipe for disaster. Everything had been going smoothly, and the students (and myself) were thoroughly enjoying the class, but the radical configuration in the classroom put quite a crimp in the DCOM lab exercise that morning. Virtually all the students were getting E_ACCESSDENIED and various and sundry error codes, and of course they all looked to me to fix the problem. I failed miserably that day, and had to admit to myself (and the students) that I didn't yet have a good enough grasp of Windows security to solve their problems. I've rarely felt so small.

Shortly after this soul-wrenching experience, I dedicated myself to the pursuit of a deep and practical understanding of Windows security. I solidified my commitment by agreeing to write a new course for DevelopMentor about services and security, and proceeded to spend three months of virtually uninterrupted time studying and experimenting with the Windows security APIs. I never knew that I'd end up falling in love. Since then, I've learned loads more and answered hundreds of questions on the DCOM mailing list regarding security issues, and reached thousands of students, conference attendees, and readers of Microsoft Systems Journal (now MSDN Magazine) with the message that security is a fascinating and approachable topic.

As the culmination of my effort, this book attempts to fill the gaping hole in the Windows systems programming canon by providing a reference for programmers that covers Windows security from the basics of principals, authorities, logon sessions, and DACLs all the way through COM+ security, one of the most subtle and sensitive beasts you'll encounter as a Windows programmer.

As a side effect of my predilection for distributed programming, this book is unique in that it addresses security with the distributed systems developer in mind; in fact, the original title of the book was Distributed Security in Windows NT. Of course, Microsoft's decision to rename their (beta, at the time) operating system from "Windows NT 5.0" to "Windows 2000" didn't bode well for my original title. Frankly, Distributed Security in Windows NT/2000 sounded really goofy. Thus the new title.

In any case, if you're a programmer who, not unlike myself a few years ago, feels a hollowness in the pit of your stomach as a result of being asked to add a security-related feature or debug a security-related problem in an application, I hope you'll find that this book completes you.

Which Windows?

This book covers security programming on Windows 2000 and Windows NT 4. Therefore, to avoid crossing the reader's eyes with "Windows 2000/NT" or similar nastiness, I'll simply refer to both of these operating systems as Windows. If I find the need to say anything specific about a distinct operating system (including Windows 9x), I'll use the full name.

Who Should Read This Book

This book was written for professional software developers involved in systems programming on Windows. The third part of the book was written for the subset of these programmers developing distributed systems (especially those using COM).

The first part of the book (the first three chapters) intentionally has no code in it, and instead speaks to the big picture, introducing terminology and concepts that will likely be useful not just for programmers but also for technical managers and advanced Windows users. If you are a manager and want to get a better understanding of Windows security, borrow this book from one of the developers on your team and rip out the first three chapters for yourself. Sharing a common terminology will help you and your development team play better together.

What a Developer Should Already Know

I assume you have a basic understanding of Windows system programming; that is, you know the difference between a process and a thread, and you've written a DLL before and perhaps even written a service or two. I casually mention features such as thread local storage and assume that you know what I'm talking about. If you're unsure of your ability in this area, my favorite book on the subject is Advanced Windows, by Jeffrey Richter (as of this writing the fourth edition is hot off the press).

In the COM chapter (Chapter 9), I assume you feel comfortable with the basics of IUnknown and that you know what a proxy and stub are. If you're unsure, my favorite COM book is Essential COM by Don Box.

Much of the later material in the COM chapter talks about COM+ features in Windows 2000, which Essential COM doesn't address (as of this writing, Essential COM is in its first edition). My favorite COM+ book in print as I write this is Programming Distributed Applications with COM and Visual Basic 6.0 by Ted Pattison. Tim Ewald's book Transactional COM+: Designing Scalable Applications will likely be a must-read as well, although it's not yet gone to press as I write this.

Although this book often shows full declarations of Windows API functions, I won't always bother to tell you the details of what each and every parameter means if it's not relevant to the topic at hand. I hope you find that this book works well as a complement to the Windows API documentation, as opposed to a replacement for it.

How to Approach This Book

I know that most developers don't relish thinking about security issues, which is often why security ends up getting retrofitted into existing products (or left until the last minute in new products). Most of my students are really surprised to learn that security is actually quite an interesting topic, and they really enjoy sitting through DevelopMentor's security class. However, I'm aware that this is a self-selecting group; these folks have chosen to take the class, often because there is a distinct set of problems that they need to be able to solve, whether they like it or not. Whatever your predisposition is toward security, I designed this book to be readable front to back, but also to be readable in chunks.

Many people will buy this book because it contains (at least as of this writing) an exhaustive coverage of COM security, and will want to dive right in to the chapter on COM. However, you can't possibly understand COM security without having a basic understanding of the fundamentals, and no matter how much I urge folks to read chapter 4, there will be a large group of people who don't have the time for this. If it's you I'm describing, do spend the time to read the first three (very short) chapters of this book before you start diving into the nitty-gritty details of COM security. These chapters will help you develop a more intuitive feel for how Windows security works and why it works the way it does.

This Is Not a Cookbook

In the vein of my last book project, Effective COM (coauthored with Don Box, Tim Ewald, and Chris Sells), I've purposely avoided making this a cookbook that provides lots of code for you to cut and paste to solve a particular set of problems that you may or may not be faced with. Instead, this book is about helping you understand how things work. I'd love to see a Windows security cookbook written. I find that cookbooks increase my long-term productivity once I have a basic understanding of the topic at hand.

The code snippets in this book should all compile correctly. However, although some of them might be appropriate for cutting and pasting into your projects, be aware that a number of them exist solely to foster insight and understanding and will necessarily be a bit more abstract than what you'd expect to find in a cookbook.

The Bad Guys

Often I'll refer to the "bad guys" when I want to indicate someone who may be trying to break into your system either to do malicious damage, or just for fun. The bad guys are the folks that we want to keep out, and the good guys are folks that we want to let in. I actually borrowed the terms "good guys" and "bad guys" from one of my favorite security books, Network Security: Private Communication in a Public World (Kaufman, Perlman, and Speciner 1995).

Code Sample Conventions

All the code samples in this book were built using Visual C++ 6 with the Platform SDK for Windows 2000. Each snippet was compiled, and all functional samples were tested as well. This occurred before they were copied into the manuscript, so any syntax errors you find are likely printing errors. Download the code snippets from http://www.develop.com/books/pws to get the real thing.

I built all the code samples with the UNICODE macro defined; I didn't want to clutter the code with __TEXT macros when this book is all about programming Windows 2000 and Windows NT 4, where Unicode is the norm.

I use a consistent naming scheme for any functions that are my own, so that you can distinguish them from system calls. My functions (and constants) all start with a lowercase letter prefixed with an underscore:

_thisIsACallToMyFunction();
ThisIsACallToASystemFunction();

Let me warn you that the snippets I provide sometimes ignore error checking for brevity, except in certain cases where I have some special insight to offer or when I'm providing functions that are generally useful to be worthy of direct cut-and-paste. There are many ways of performing error checks (many wars have been fought over the correct way to do this), but virtually all error checking mechanisms obscure the system calls you're making to some degree, and it's these calls that I want to focus on in the code snippets.

Finally, I'm a real stickler when it comes to writing const-correct production C++ code, but I found that this doesn't work well in the limited space a book affords. (Much of the Windows security API is notoriously const-incorrect, and having you wade through oodles of const_cast operators wouldn't serve any good purpose.)

Yes, There Is No CD-ROM

I've been told that we live in the "information age," and I personally think it's silly to ship a CD with stale content when I am perfectly willing to provide up-to-date content via the web. So please visit http://www.develop.com/books/pws to download real examples that compile and build (this includes all the code snippets from this book, plus lots of other goodies that I upload from time to time).

Errata

I've gone out of my way to research all the topics in this book, but as with any endeavor of this magnitude, there's bound to be a few rough edges. Please send any errata to me via my web site (http://www.develop.com/books/pws). I'll publish all confirmed bugs online, and credit the first person to report the problem. Please check my web site from time to time to keep abreast of any problems that may have been reported.

What to Expect

Part I: Model

These first chapters were written to give you a roadmap of the Windows security architecture. These chapters are designed to be as concise as possible so that a dedicated reader can consume them comfortably in one or two sittings. My goal is to introduce some basic terminology with an emphasis on how all the pieces fit together, without drilling down into the details. An effective way to use this part of the book would be to read through it once before diving into the other chapters in the book, and then revisit these chapters whenever you need to step back and see the big picture. There is no code in these chapters, so this is a great section to tear out and send to your manager to help bridge the communication gap that often develops on a project.

Chapter 1: The Players

This chapter focuses on the actors in a secure system. It introduces principals and authorities, authentication, domains, and the Local Security Authority (LSA). The chapter emphasizes that security eventually boils down to trust, and provides several examples.

Chapter 2: The Environment

This chapter focuses on the environment in which your programs run. It introduces logon sessions, tokens, window stations, and profiles.

Chapter 3: Enforcement

This chapter focuses on authorization and access control. It introduces groups, aliases, roles, privileges, security descriptors, and DACLs and SACLs, as well as some access control strategies and guidelines for picking an appropriate strategy for your application. The chapter ends with a discussion of the session-oriented nature of Windows security.

Part II: Mechanics

These next three chapters drill down into the details of each of the concepts introduced in Part I. Except where noted, you can read these in pretty much any order you like.

Chapter 4: Logon Sessions

This chapter delves into the details of logon sessions and tokens. Systems developers will feel much more comfortable designing and implementing applications with a good grasp of logon sessions. This chapter discusses the System logon session, as well as interactive and network logon sessions and how to call LogonUser to establish new logon sessions. It also shows how to make use of privileges at runtime and restrict privileges with job objects.

Chapter 5: Window Stations and Profiles

Many Windows developers have never even heard of a window station, but these seemingly obscure entities will eventually haunt you if you don't come to grips with them. This chapter includes a discussion of window stations and desktops, as well as a discussion of user profiles and how to manage them. To get the most out of this chapter, read the previous chapter on logon sessions first.

Chapter 6: Access Control and Accountability

This chapter shows how to create and manage security descriptors, including access control list (ACL) programming and auditing. ACLs in Windows 2000 change quite dramatically from those in earlier versions of the operating system, and these changes are covered in detail. The chapter also includes a discussion of how to manage and use private security descriptors for securing application-defined objects, including dealing with object hierarchies and ACL inheritance.

Part III: Distribution

Parts I and II deal with basic Windows security programming. Part III builds on this foundation by showing how distribution factors into the security model. Many companies are developing Windows-based distributed systems these days, and most of them rely on COM and HTTP as integral enabling technologies. This book therefore culminates in a discussion of COM and IIS security. Except where noted, you can read these chapters in any order you like.

Chapter 7: Network Authentication

The problem of proving one's identity to another across a public wire was the primary question that originally captivated me and initiated my love affair with security. It's a fascinating problem with many solutions, and this chapter provides an introduction to the core network authentication protocols used in Windows NT and Windows 2000, namely, NTLM and Kerberos. After describing and contrasting the two protocols, the chapter concludes by introducing the Security Support Provider Interface (SSPI), which abstracts the differences between various authentication protocols.

Chapter 8: The File Server

Using the Windows file system across the network is a very common practice, and this chapter is dedicated to exploring the sort of security programming problems you're likely to encounter in these scenarios. This chapter is all about understanding SMB (Server Message Block) security and how to bend it to your will. Because named pipes are built on top of the file server infrastructure, I've also included them in this discussion.

Chapter 9: COM(+)

This chapter draws on the basics introduced in earlier chapters to provide the foundation for a solid understanding of COM(+) security, one of the most misunderstood and oft-cursed features in Windows. I address COM+ security features and provide notes on differences between COM+, MTS, and base COM. You'll get the most out of this chapter if you've already read the first and second parts of this book (chapter 4 is the most important chapter from the second part). I'd also recommend reading chapter 7 before tackling this chapter.

Chapter 10: IIS

DCOM isn't a popular protocol for use over the Internet. In fact, just getting it to cross firewalls and network address translation layers is quite a feat of engineering. The Internet is about simplicity, and HTTP and SSL are the protocols of choice for reaching the broadest audience. Often a distributed system is built using DCOM in the middle tier, with HTTP used as a gateway to the client tier. This chapter first covers the basics of SSL and certificate-based authentication, and then turns and focuses on issues you need to be aware of when building web applications with IIS, especially when coupling them with a middle tier of COM+ components. The latter parts of this chapter will make more sense if you've read chapter 9.

Appendix: Some Parting Words

I've put together some tips for writing setup programs (how to install user and group accounts, configure privileges, and configure secrets such as the COM RunAs password). I've included a list of well-known SIDs that you can form programmatically, and a simple class for making this easy to do. I've also included a discussion of the three different group scopes in Windows 2000 (universal, global, and domain local). Finally, I've included a list of all the defined privileges in Windows along with as much insight as I could muster into how they really work (the documentation often is too vague to be of use).

Glossary

Throughout the text, new terms are called out in bold as they are introduced, and are summarized in the glossary. I hope you find this section helpful.

Bibliography

Any book or magazine articles I reference can be found in the bibliography.

What Not to Expect

Active Directory

I'll spend just enough time talking about the Active Directory Services Interface (ADSI) to get you started installing user and group accounts. An entire book could (and should) be written on programming the Windows directory. This is not that book.

Public Key Infrastructure

Although I discuss SSL authentication and the basics of how certificates work, any detailed coverage of what it takes to build a public key infrastructure is beyond the scope of this book. I provide several references in the bibliography for interested readers.

Acknowledgments

First of all, I want to acknowledge the tremendous sacrifice my wife and kids made while I struggled to get this book to press. I've hardly seen them at all for the last four months of this project. Thanks Kathy, Colin, Nathan, and Aidan. I've missed you so incredibly much.

I'd like to thank Don Box and Mike Abercrombie of DevelopMentor for providing an unparalleled environment for research and development, and for feeding my family while I hunkered down to finish the book. I've had a ton of fun working with you guys, and I look forward to many more years of collaboration.

Thanks to Bruce Schneier for writing an incredibly readable book on cryptography that captivated me. Reading Applied Cryptography was a turning point in my life, because I discovered what a fascinating game security really was.

Thanks to all the students in my security classes over the past couple of years who have listened to an evolving story and have provided their own unique input. This story wouldn't be the same without you.

Thanks to the reviewers who gave me feedback on this project: Saji Abraham, Richard Ward, Michael Howard, Bob Beauchemin, Ian Griffiths, George Reilly, Michael Nelson, Steve Rodgers, Thomas Deml, Henk de Koning, and Jeffrey Richter.

Thanks to the staff at Addison Wesley: Kristin Erickson, for being an advocate and friend, Jacquelyn Doucette for pushing production through in record time, and J. Carter Shanklin for talking me into this thing in the first place.

Thanks to my copyeditor Cindy Kogut, who continues to amaze me with her ability to cover my prose with oodles of red ink. Cindy also retrofitted a healthy dose of consistency into a book whose conception spanned two years of my life.

And finally, thanks to Alice and Bob for just being you.



0201604426P04062001

Updates

Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security
Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children
This site is not directed to children under the age of 13.

Marketing
Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information
If a user's personally identifiable information changes (such as their postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and wishes to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of the user's account.

Choice/Opt-out
Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information
Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents
California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure
Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor).
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law.
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law.
  • In connection with the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice.
  • To investigate or address actual or suspected fraud or other illegal activities.
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract.
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice.
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links
This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact
Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice
We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020