Protect Your Windows Network: From Perimeter to Data [With CDROM]

I received a copy of Protect Your Windows Network (PYWN) almost one year ago, and I immediately put it aside. I figured it was another "security configuration guide," with lots of descriptions of settings and other tweaks that makes for boring reading. Recently I decided to give PYWN another look, and I am exceedingly glad I did. PYWN is one of the best security books I have ever read, and that includes nearly 200 titles over the last six years. Incredibly, even non-Windows users will find plenty of sound advice for their enterprise. Although the book is highly opinionated (and at times perhaps not on my side of the issues) I strongly recommend reading PYWN. When I read and review books, I underline sections of interest and take notes in the margins and on separate sheets of paper. I dried out a pen underlining text and took three pages of notes while reading PYWN. The amount of good advice in the book is staggering. PYWN is incredibly engaging and clear. It is superbly organized, taking a layered approach to enterprise security. The book's strength derives from the authors' consulting experience, and they deliver many stories based on their interactions with customers. PYWN is not a Microsoft marketing person's dream, either. In many places the book is very frank. For example, p 19 says IPsec in Windows "is the poster child for user unfriendliness." The authors correctly recognize the goal of a "protected" network by explicitly telling customers "no, your network is not secure" (p 15). They are critical of "Return on Security Investment": "following the [security] policy does not increase revenue, it does not increase productivity" (p 116). This book is definitely not afraid to offend the reader. I do not mean the use of foul language; rather, the book takes very strong stances on certain subjects. Some of these directly contradict guidance given by others. Ch 12 even features 10 Security Myths. In many cases, I believe the authors take the right position, and they adequately defend their assertions. In other cases, I must disagree. The authors are not fans of detecting intrusions, and their monitoring advice in Ch 4 is particularly shaky. They also tend to use an example of compromising a host-based IDS deployment as an excuse to attack all detection mechanisms. The authors are sticklers for accurate language, which I believe is required in our field. They are keen to point out that "IPSec tunnels" don't exist per se; there is, however "IPSec transport mode" or "IPsec tunnel mode." They repeatedly state that L2TP+IPsec is the only "IETF-approved" remote access solution. This stems from their requirement that such a solution authenticate the user and give his/her machine an IP address. Obviously IPSec alone doesn't fulfill those requirements, hence their promotion of an alternative. In some cases this desire to use the right word doesn't work so well. I disagree with some of the terms used in the threat mod

This book addresses network security through layers. Chapter 1 presents the book's basic argument: that the goal is not to make your network secure, but to make it "secure enough" for your environment. Chapter 2 provides the obligatory description of how a network can be compromised that you would expect in a book on security, but emphasizes the operational issues/mistakes that facilitated the attack with explicit mention of which subsequent chapters will provide guidance on how to best mitigate those flaws. The remaining 15 chapters describe how to make your network more secure. Topics include patch management, the need to set policies and educate users, perimeter access controls, restricting access to network resources, protecting hosts and applications, and protecting the data (information) itself. Each chapter concludes with a short list of suggested action steps ("What You Should Do Today"). The book is well-written and easy to read. Although the book is Windows-centric, most of the material applies to any system. The authors do a good job of explaining and illustrating concepts such as SQL injection and SMB reflection attacks to make them easy to understand for readers with limited technical background. Overall, the book will probably be of most value to individuals with limited experience in managing security of Windows networks. However, even experienced security professionals can benefit from the discussions of how to avoid security dependencies and how to do network threat modeling. All readers will also benefit by thinking about whether they agree or disagree with the authors' challenges to several widely-accepted security prescriptions and their opinions concerning best practices (for example, why turning off SSID broadcasting is not a good idea and why the best place to locate your VPN server is alongside your firewall). The book also includes a CD with several utilities: a Hosts file for blackholing spy-ware sites, a password generator (passgen), an SQL script to revoke permissions from the public login, and a slipstreaming tool that is written in VBScript. One potential limitation is that because much of the detailed advice is directed to features specific to Windows Server 2003 and Windows XP it may become out-dated. Nevertheless, it is likely to be a useful reference source for the near-term future for anyone interested in or responsible for security in a Windows network.

Let me cut to the chase: if you're a Windows admin and you are at all worried about security, get this book. Now. Okay, having said that, let me tell you about the book. I've been doing a lot of professional security work over the years, much of it with Windows. I tend to treat new security books with a big grain of salt, because there are a lot of well-meaning people out there giving advice ranging from mildly wrong to actively harmful. Now that I've written a book of my own, I have a fair idea of what is involved and how easy it is to slip technical howlers past hard-working editors (who aren't usually experts in the topic). Just because something is written down in a book doesn't mean I automatically trust it; unfortunately, too many people do place their faith in the Holy Grail of the printed word. On the other hand, I've not only seen Jesper and Steve speak before, I've had the opportunity to work with them on past projects, so I have a reasonable amount of faith that they actually know what they're talking about. (If you haven't had the pleasure of hearing them speak, go find the events they're at and sign up. Trust me.) As a result, I was pretty sure this book was going to rock on toast and give me a few good hard nuggets to think about. It didn't. This book completely threw many of my security assumptions out the window. More than once, I was reading the book shaking my head, saying "No, no, that's not right!" as the authors made hamburgers out of yet another security sacred cow. After giving myself time to think about it from a real-world point of view, though, I almost always came away agreeing with them. At other times, I'd be pumping my fist in the air, ecstatic that somebody else Got It and was able to put it as eloquently as I'd just read. I don't normally read technical books cover to cover; not only did I read this one straight through, I went back for a second pass with a bunch of sticky flags. My copy now looks like it was in a Twister factory explosion. The book also comes with a CD; it's not got a lot on it, but the scripts that are there are very useful indeed. There's also an accompanying website, http://www.protectyourwindowsnetwork.com/, which contains errata and downloadable copies of the scripts and files on the CD. Some of the best content of the book isn't contained in the book -- it's on the website in the Listening Room. Here, you can find recorded versions of talks by Jesper and Steve. You'll find their talks cover a lot of the same ground the book does, but they are both dynamic speakers and hearing the material reinforces what you're reading. So, is this book for you? Let me answer that with another question: Are you tired of being a prisoner to security bulletins, patches, conflicting (and confusing) security guidance, and vendor claims? If you want to learn how to actually analyze your systems and network, asses the threats you face, and do more than follow step-by-step "hardening guides" that inevitably

It looks like this book will further an alarming ƒº trend by being yet another great security book, written by Microsoft people. ¡§Protect Your Windows Network from Perimeter to Data¡¨ dives into an esoteric world of Windows security in an unusual and novel way. It is clear that this book belongs in 2005 due to its focus on things beyond Windows hardening tips and obscure registry tweaks for security. For example, I found a nice coverage of Windows emerging DRM (called RMS) as well as amazingly in-depth coverage of using ACLs for granular file security (it might sound simple, but its really not). I will not go through the table of contents since you can look it up. Briefly, I most enjoyed chapter 2 with a hacking case study, chapter 3 on patches (I really did!), chapter 10 on rogue insiders, chapter 12 on hardening which contained some uncommon wisdom, and later chapters on application and data security. I liked many things about this book! Right away, the authors establish that while fighting ¡§stock¡¨ worms and viruses, there are skilled attackers out there and simply ¡§keeping up to date with patches¡¨ will not save you. I also liked a harmonious mix of technical (lower level) and business (higher level) issues related to security. In addition, I liked the style and authors¡¦ humor a lot! The book is very easy and even fun to read and is peppered with humorous stories from their experience. The book is full of amusing and educational gems, such as a triangle of ¡¥cheap-usable-secure - pick any two¡¨, and vendors and customers role is changing the above tradeoff. The book is focused mostly on the defense side and display obvious and acknowledged bias towards protecting Windows servers, just like the name of the book indicates. The book contains a minor amount of Unix-bashing, which is more funny than malignant though. Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior¡¨ and a contributor to ¡§Know Your Enemy II¡¨. In his spare time, he maintains his security portal info-secure.org

The authors here have done an excellent job discussion not only effective security techniques, but also the reasoning behind them. Most of the security in the book is at the user layer. How you can set up your system, and the network around you to secure your systems. I particularly appreciated the information on SQL Server, which is all too often not covered in security books. There are some downsides, the book is fairly text intensive (which is something I don't usually cite). There could have illustrations to make the points more clearly. But the images that are there are effective and used well.