Protect Your Windows Network: From Perimeter to Data

Paperback (Print)
Used and New from Other Sellers
Used and New from Other Sellers
from $1.99
Usually ships in 1-2 business days
(Save 96%)
Other sellers (Paperback)
  • All (19) from $1.99   
  • New (4) from $20.52   
  • Used (15) from $1.99   

Overview

Praise for Protect Your Windows Network

"Jesper and Steve have done an outstanding job of covering the myriad of issues you must deal with to implement an effective network security policy. If you care about security this book is a must have."
—Mark Russinovich, Chief Software Architect, Winternals Software

"Johansson and Riley's new book presents complex issues in straightforward language, examining both the technical and business aspects of network security. As a result, this book is an important tutorial for those responsible for network security; and even non-technical business leaders would learn a lot about how to manage the business risk inherent in their dependence on information technology.
—Scott Charney, Vice President of Trustworthy Computing, Microsoft

"These guys have a profound understanding of what it takes to implement secure solutions in the real world! Jesper and Steve have been doing security related work (pen testing, consulting, program management, etc.) internally at Microsoft and for Microsoft's customers for many years. As a result of their real-world experience, they understand that security threats don't confine themselves to "the network" or "the operating system" and that to deliver secure solutions, these issues must be tackled at all levels after all of the threats to the environment have been identified. This book distinguishes itself from others in this field in that it does a great job of explaining the threats at many levels (network, operating system, data, and application) and how to counter these threats. A must read for security practitioners!"
—Robert Hensing, CISSP, Security Software Engineer—Security Business and Technology Unit, Microsoft Corporation, rhensing@microsoft.com

"A good book should make you think. A good computer book should make you change how you are doing things in your network. I was fortunate enough to be setting up a new server as I read the book and incorporated many of the items discussed. The lessons in these chapters have relevance to networks large and small and blow through many of the myths surrounding computer security and guide you in making smarter security decisions. Too many times people focus in on just one aspect or part of a network's security and don't look at the bigger picture. These days I'm doing my very best to keep in mind the bigger picture of the forest (active directory notwithstanding), and not just looking at those trees."
—Susan Bradley, CPA, GSEC, MCP, Small Business Server MVP, http://www.msmvps.com/Bradley, sbradcpa@pacbell.net

"Jesper Johansson and Steve Riley's Protect Your Windows Network is a must read for all organizations to gain practical insight and best practices to improve their overall security posture."
—Jon R. Wall, CISSP

"Jesper and Steve are two excellent communicators who really know their stuff! If you want to learn more about how to protect yourself and your network, read this book and learn from these two guys!"
—Richard Waymire

"In order to protect your particular Windows network you need to understand how Windows security mechanisms really work. Protect Your Windows Network gives you an in-depth understanding of Windows security so that you use the security techniques that best map to your needs."
—Chris Wysopal, Director, Development, Symantec Corporation, http://www.symantec.com

"Nowadays, a computer that is not connected to a network is fairly limited in its usefulness. At the same time, however, a networked computer is a prime target for criminals looking to take advantage of you and your systems. In this book, Jesper and Steve masterfully demonstrate the whys and hows of protecting and defending your network and its resources, providing invaluable insight and guidance that will help you to ensure your assets are more secure."
—Stephen Toub, Technical Editor, MSDN Magazine, stoub@microsoft.com

"Security is more than knobs and switches. It is a mind set. Jesper Johansson and Steve Riley clearly understand this. Protect Your Windows Network is a great book on how you can apply this mind set to people, process, and technology to build and maintain more secure networks. This book is a must read for anyone responsible for protecting their organization's network."
—Ben Smith, Senior Security Strategist, Microsoft Corporation, Author of Microsoft Windows Security Resource Kit 2 and Assessing Network Security

"Security is finally getting the mainstream exposure that it has always deserved; Johansson and Riley's book is a fine guide that can complement Microsoft's recent focus on security in the Windows-family operating systems."
—Kenneth Wehr, President, ColumbusFreenet.org

"If you have not been able to attend one of the many security conferences around the world that Jesper and Steve presented, this book is the next best thing. They are two of the most popular speakers at Microsoft on Windows security. This is an informative book on how to make your Windows network more secure. Understanding the trade-offs between high security and functionality is a key concept that all Windows users should understand. If you're responsible for network security or an application developer, this book is a must."
—Kevin McDonnell, Microsoft

In this book, two senior members of Microsoft's Security Business and Technology Unit present a complete "Defense in Depth" model for protecting any Windows network—no matter how large or complex. Drawing on their work with hundreds of enterprise customers, they systematically address all three elements of a successful security program: people, processes, and technology.

Unlike security books that focus on individual attacks and countermeasures, this book shows how to address the problem holistically and in its entirety. Through hands-on examples and practical case studies, you will learn how to integrate multiple defenses—deterring attacks, delaying them, and increasing the cost to the attacker. Coverage includes

  • Improving security from the top of the network stack to the bottom
  • Understanding what you need to do right away and what can wait
  • Avoiding "pseudo-solutions" that offer a false sense of security
  • Developing effective security policies—and educating those pesky users
  • Beefing up your first line of defense: physical and perimeter security
  • Modeling threats and identifying security dependencies
  • Preventing rogue access from inside the network
  • Systematically hardening Windows servers and clients
  • Protecting client applications, server applications, and Web services
  • Addressing the unique challenges of small business network security

Authoritative and thorough, Protect Your Windows Network will be the standard Microsoft security guide for sysadmins, netadmins, security professionals, architects, and technical decision-makers alike.

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Product Details

  • ISBN-13: 9780321336439
  • Publisher: Addison-Wesley
  • Publication date: 5/20/2005
  • Series: Addison-Wesley Microsoft Technology Series
  • Edition description: BK&CD-ROM
  • Pages: 608
  • Product dimensions: 6.90 (w) x 9.24 (h) x 1.27 (d)

Meet the Author

Jesper M. Johansson, Microsoft's Senior Program Manager for Security Policy, is responsible for the tools Microsoft customers use to implement security policies, including the Security Configuration Wizard and Editor. A frequent speaker at leading security events, he holds a Ph.D. in MIS, as well as CISSP and ISSAP certification.

Steve Riley, Senior Program Manager in Microsoft's Security Business and Technology unit, specializes in network/host security, protocols, network design, and security policies and processes. He has conducted security assessments and risk analyses, deployed security technologies, and designed highly available network architectures for ISPs, ASPs, and major enterprises.

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Read an Excerpt

PrefacePreface

More than a year ago now, I (Jesper) decided that I was finally going to write a book on security. Partially it was because I was getting tired of answering the same questions over and over again, partially because I thought I had something unique to say, and partially because I am hoping to buy a small boat with the proceeds.

After writing the outline and the first chapter, I decided that I needed a co-author to help out, particularly because I simply do not know nearly as much as I would like about certain topics. Because Steve had already had his own thoughts about writing a book, this was a great match. Steve is a perfect complement in the sense that both of us started the same way, in networking, but unlike myself, who went into IT so I could avoid having to deal with people, Steve is actually an extrovert who loves to figure out how to protect people from people. Of course, both of us enjoy debating controversial opinions, mostly just for the thrill of the argument. Working together, the book slowly started to take shape.

The book is focused around the defense-in-depth model we helped develop and refine in our work at Microsoft, and it gives a logical flow to the book that helps in building an overall security strategy, something both of us believed was lacking in the current literature. You get only so much security if you concentrate solely on the technology; the people and the processes are equally important. Indeed, without thought in those two areas, most of the technology you deploy to protect information systems will fail to do what you intend—it will only give you a false sense of security, which in fact can be more dangerous than nosecurity at all.

Much of what you see in these pages has been said before, in various presentations. Both of us travel the world to deliver speeches on security, and if you have ever heard us you will no doubt recognize some of the things you will read in these pages. In a sense, the book is the lecture notes everyone who has heard our presentations keeps asking for. Of course, those notes are sorely needed because most of our presentations are increasingly light on slides to avoid that all-too-common malady: death by PowerPoint.

Everyone we know who has written a book always says in the foreword that their first book is one they wanted to write for a long time. (We are now wondering what's left for us to write in our second book.) That is good, because it takes a long time to write a book. Neither of us thought that we had the competency to write one until recently, so it is not really true that we have wanted to write it for a long time. We have certainly thought about security for a long time, though, and you could certainly say that we wanted to learn enough about it for a long time to have something meaningful to say. After we had spent a few years talking to people, it was clear that security is an area that is fraught with misunderstandings (as we see them) and snake oil (pseudo-solutions that do not do what they purport to do at best, and are harmful at worst).

We find this type of "security theater" all around us. Consider, for instance, next time you go through an airport security check, who would be capable of causing more damage: a 92-year-old great-grandmother with a pair of cuticle scissors, or a 22-year-old martial arts black belt? They will confiscate the cuticle scissors, but they will allow the martial arts champion on the plane without putting him in shackles first. Some secure facilities will confiscate USB drives (and GPS receivers—why in the world?) "for security reasons," but they allow 80 GB FireWire (i1394) drives through because the security personnel cannot imagine any "threats" associated with digital music players. Many organizations have a password policy that requires users to use passwords too long and complicated to remember (and then routinely complain about the expense of resetting locked-out accounts), they block any kind of information gathering from ancient operating systems, and they do it all on computers that have not been patched for more than a year! It may appear that they are providing security but in reality this is nothing more than security theater.

We finally decided that the right way to dispel these myths was to write a book. At the time, it seemed like a really good idea, and we are sure that at some point it will seem like a good idea again.Target Audience and Objective

This book is targeted at anyone who has the unfortunate yet delightful task of having to manage the security of a computer system or network of systems. Because we deal almost exclusively with relatively large networks running primarily some flavor of Microsoft Windows, the book focuses on that type of environment. However, we hope that just about anyone involved in managing security will find something of value in these pages.

Security in information technology is an evolving field; so evolving, in fact, that there is not really a clear name for it. Some people, ourselves included sometimes, call it information security (infosec). We like that term, because protecting information is the ultimate goal. However, it is also important to protect the data before it becomes information, and it is important to protect the resources and functionality provided by the systems in the network, and infosec does not capture that very well. Computer security gives us a connotation of protecting a single computer, and single computers simply are not that interesting today. Others call the field distributed systems security. However, as we explain in Chapter 1, "Introduction to Network Protection," we think distributed systems is a terrible idea from a security perspective and we want to avoid that term. Thus, we stuck with network security, which means protecting all the assets in the network.

Just as with the name of the field, many other issues are up for debate in network security. Therefore, what you will find in these pages is often our opinion of what is correct. Nowhere is this more pronounced than in Chapter 12, "Server and Client Hardening," but you will find the same phenomenon elsewhere. You may already have an opinion that is not the same as ours, or you may not. The point is not so much to persuade you that our opinion is correct as it is to make you think about the whole picture. If you do that, and come to a conclusion that is different from ours, then our objective has been met. We simply are trying to make you challenge the perceived (often outdated) wisdom and form a conclusion that helps you better protect your network.What Is on the CD

The CD has a few tools that we wrote, partially because we needed a break from writing chapters, and partially because we thought they would be fun to write. Hopefully you will find some of these useful:

  • A HOSTS file a friend of ours gave us to black hole many spyware sites. It simply maps all their DNS names to localhost thus preventing the machine from accessing them. Just copy it into %systemroot%\system32\drivers\etc to use it. You can get an even bigger one at http://www.mvps.org/winhelp2002, and we recommend you update your HOSTS file from there every week or so.

  • A password generator. Passgen is an enterprise-class, command- line password manager. We discuss it more in Chapter 11, "Passwords and Other Authentication Mechanisms—The Last Line of Defense," and Chapter 8, "Security Dependencies." Also look at the readme for more information.

  • An SQL script to revoke all permissions from the public login. Use with care, but it is fun to see how much public has access to. You use it by pasting it into a Query Analyzer window. It will generate another query as output. If you copy and paste the output into another Query Analyzer window and run it, all the public permissions are revoked.

  • A slipstreaming tool. Like passgen, it is another custom tool developed specifically for the book. This VBScript is used to create on-disk operating system installations that already have all the patches applied—which turns out to be an involved process if you do it by hand. Instead, run the slipstream script, tell it where the source files are, where the patches are, and which service pack and operating system you are building; it will automatically build an on-disk install that has all the patches. We wrote this in VBScript because we figured it would be small and short. 1,100 lines of code later, we simply were not interested in rewriting it in a cooler and more efficient language.

We hope you will find these tools useful. They are licensed for your use within the organization that pays for the book. Please respect intellectual property rights and do not spread them around. Likewise, if you receive a copy of one of these tools from somewhere other than the CD, do not run it until you verify its authenticity. The SHA-1 hash of the slipstream tool is ddcf0bbaa4f09319f0d804df79ae60692748dbc9, and the one of the passgen tool is a10baed3102b2183569077a3fbe18113a658ed5d. If you get a copy of either tool with a different SHA-1 hash, do not use it! Instead, send us an e-mail at ProtectYourNetwork@hotmail.com, and we will get you a legitimate copy.Acknowledgments

Once we had all the material, the drive, the marital buy-off, and all the other pieces for the book together, we were still missing one thing: a publisher. Karen Gettman at Addison-Wesley has seen us speak numerous times and has bugged us for a couple years to write for her; we are immensely indebted to her for giving us a chance and for letting us have almost unlimited artistic license in what we were doing.

We are also extremely grateful to our reviewers, particularly Susan Bradley, one of the sharpest and most vocal MVPs Microsoft has. As Michael Howard once noted about Jesper in the introduction to the first edition of Writing Secure Code, Susan read every single word, sentence, chapter, and paragraph, and had comments on every single word, sentence, chapter, and paragraph—and plenty of comments about things not in the book as well. If the book makes sense to system administrators in small businesses, it is entirely because of Susan. If it does not, it is our fault. We also had great feedback from our other reviewers, including, Corey Hynes, Richard Waymire, Gene Schultz, Marcus Murray, Mark Russinovich, Matt Bishop, Michael Howard, Rob Hensing, Brian Komar, David LeBlanc, Ben Smith, Jon Wall, Chris Wysopal, Kevin McDonnell, Michael Angelo, Byron Hynes, Harlan Carvey, Russ Rogers, James Morris, Robert Shimonski, Kurt Dillard, Rick Kingslan, Phil Cox, and James Edelen.

Last, but certainly not least, we are indebted (forever, in an irreparable sort of way) to our lovely wives Jennifer and Ingrid. Not only did they let us get away with writing the book, but also with traveling around the world talking to people, which both of us enjoy tremendously.

We hope to see you soon at an event near you!

—Jesper and Steve

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Table of Contents

Acknowledgments.

About the Authors.

Preface.

I. INTRODUCTION AND FUNDAMENTALS.

1. Introduction to Network Protection.

Why Would Someone Attack Me?

Nobody Will Ever Call You to Tell You How Well the Network Is Working

Introduction to the Defense-in-Depth Model

The Defender's Dilemma

Summary

What You Should Do Today

2. Anatomy of a Hack-The Rise and Fall of Your Network.

What a Penetration Test Will Not Tell You

Why You Need To Understand Hacking

Target Network

Network Footprinting

Initial Compromise

Elevating Privileges

Hacking Other Machines

Taking Over the Domain

Post-mortem

How to Get an Attacker Out of Your Network

Summary

What You Should Do Today

3. Rule Number 1: Patch Your Systems.

Patches Are a Fact of Life

Exercise Good Judgment

What Is a Patch?

Patch Management Is Risk Management

Tools to Manage Security Updates

Advanced Tips and Tricks

Slipstreaming

Summary

What You Should Do Today

II. POLICIES, PROCEDURES, AND USER AWARENESS.

4. Developing Security Policies.

Who Owns Developing Security Policy

What a Security Policy Looks Like

Why a Security Policy Is Necessary

Why So Many Security Policies Fail

Analyzing Your Security Needs to Develop _Appropriate Policies

How to Make Users Aware of Security Policies

Procedures to Enforce Policies

Dealing with Breaches of Policy

More Information

Summary

What You Should Do Today

5. Educating Those Pesky Users.

System Administration ? Security Administration

Securing People

The Problem

Protecting People

Plausibility + Dread + Novelty = Compromise

Things You Should Do Today

III. PHYSICAL AND PERIMETER SECURITY: THE FIRST LINE OF DEFENSE.

6. If You Do Not Have Physical Security, You Do Not Have Security.

But First, a Story

It's a Fundamental Law of Computer Security

The Importance of Physical Access Controls

Protecting Client PCs

The Case of the Stolen Laptop

The Family PC

No Security, Physical or Otherwise, Is Completely Foolproof

Things You Should Do Today

7. Protecting Your Perimeter.

The Objectives of Information Security

The Role of the Network

Start with (What's Left of) Your Border

Next, Use the Right Firewall

Then, Consider Your Remote Access Needs

Finally, Start Thinking About "Deperimeterization"

Things You Should Do Today

IV. PROTECTING YOUR NETWORK INSIDE THE PERIMETER.

8. Security Dependencies.

Introduction to Security Dependencies

Administrative Security Dependencies

Service Account Dependencies

Mitigating Service and Administrative Dependencies

Other Security Dependencies

Summary

What You Should Do Today

9. Network Threat Modeling.

Network Threat Modeling Process

Document Your Network

Segment Your Network

Restrict Access to Your Network

Summary

What You Should Do Today

10. Preventing Rogue Access Inside the Network.

The Myth of Network Sniffing

Network Protection at Layers 2 and 3

Using 802.1X for Network Protection

Using IPsec for Network Protection

Network Quarantine Systems

Summary

What You Should Do Today

11. Passwords and Other Authentication Mechanisms-The Last Line of Defense.

Introduction

Password Basics

Password History

What Administrators Need to Know About Passwords

Password Best Practices

Recommended Password Policy

Better Than Best Practices-Multifactor Authentication

Summary

What You Should Do Today

V. PROTECTING HOSTS.

12. Server and Client Hardening.

Security Configuration Myths

On to the Tweaks

Top 10 (or so) Server Security Tweaks

Top 10 (or so) Client Security Tweaks

The Caution List-Changes You Should Not Make

Security Configuration Tools

Summary

What You Should Do Today

VI. PROTECTING APPLICATIONS.

13. Protecting User Applications.

Patch Them!

Make Them Run As a Nonadmin

Turn Off Functionality

Restrict Browser Functionality

Attachment Manager

Spyware

Security Between Chair and Keyboard (SeBCAK)

Summary

What You Should Do Today

14. Protecting Services and Server Applications.

You Need a Healthy Disrespect for Your Computer

Rule 1: All Samples Are Evil

Three Steps to Lowering the Attack Surface

What About Service Accounts?

Privileges Your Services Do Not Need

Hardening SQL Server 2000

Hardening IIS 5.0 and 6.0

Summary

What You Should Do Today

15. Security for Small Businesses.

Protect Your Desktops and Laptops

Protect Your Servers

Protect Your Network

Keep Your Data Safe

Use the Internet Safely

Small Business Security Is No Different, Really

What You Should Do Today

16. Evaluating Application Security.

Caution: More Software May Be Hazardous to Your Network Health

Baseline the System

Things to Watch Out For

Summary

What You Should Do Today

VII. PROTECTING DATA.

17. Data-Protection Mechanisms.

Security Group Review

Access Control Lists

Layers of Access Control

Access Control Best Practices

Rights Management Systems

Incorporating Data Protection into Your Applications

Protected Data: Our Real Goal

What You Should Do Today

Appendix A: How to Get Your Network Hacked in 10 Easy Steps.

Appendix B: Script To Revoke SQL Server PUBLIC Permissions.

Appendix C. HOSTS file to Block Spyware.

Appendix D. Password Generator Tool.

-g (Generate Password Based on Known Input)

-r (Generate Random Password)

-s (Set a Password on an Account and/or Service)

Security Information

Usage Scenarios

Appendix E: 10 Immutable Laws of Security.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Law #4: -If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.

Law #5: Weak passwords trump strong security.

Law #6: A computer is only as secure as the administrator is trustworthy. Law #7: Encrypted data is only as secure as the decryption key.

Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

Law #9: Absolute anonymity isn't practical, in real life or on the Web. Law #10: Technology is not a panacea.

Index.

Read More Show Less

Preface

Preface

More than a year ago now, I (Jesper) decided that I was finally going to write a book on security. Partially it was because I was getting tired of answering the same questions over and over again, partially because I thought I had something unique to say, and partially because I am hoping to buy a small boat with the proceeds.

After writing the outline and the first chapter, I decided that I needed a co-author to help out, particularly because I simply do not know nearly as much as I would like about certain topics. Because Steve had already had his own thoughts about writing a book, this was a great match. Steve is a perfect complement in the sense that both of us started the same way, in networking, but unlike myself, who went into IT so I could avoid having to deal with people, Steve is actually an extrovert who loves to figure out how to protect people from people. Of course, both of us enjoy debating controversial opinions, mostly just for the thrill of the argument. Working together, the book slowly started to take shape.

The book is focused around the defense-in-depth model we helped develop and refine in our work at Microsoft, and it gives a logical flow to the book that helps in building an overall security strategy, something both of us believed was lacking in the current literature. You get only so much security if you concentrate solely on the technology; the people and the processes are equally important. Indeed, without thought in those two areas, most of the technology you deploy to protect information systems will fail to do what you intend—it will only give you a false sense of security, which in fact can be more dangerous than no security at all.

Much of what you see in these pages has been said before, in various presentations. Both of us travel the world to deliver speeches on security, and if you have ever heard us you will no doubt recognize some of the things you will read in these pages. In a sense, the book is the lecture notes everyone who has heard our presentations keeps asking for. Of course, those notes are sorely needed because most of our presentations are increasingly light on slides to avoid that all-too-common malady: death by PowerPoint.

Everyone we know who has written a book always says in the foreword that their first book is one they wanted to write for a long time. (We are now wondering what's left for us to write in our second book.) That is good, because it takes a long time to write a book. Neither of us thought that we had the competency to write one until recently, so it is not really true that we have wanted to write it for a long time. We have certainly thought about security for a long time, though, and you could certainly say that we wanted to learn enough about it for a long time to have something meaningful to say. After we had spent a few years talking to people, it was clear that security is an area that is fraught with misunderstandings (as we see them) and snake oil (pseudo-solutions that do not do what they purport to do at best, and are harmful at worst).

We find this type of "security theater" all around us. Consider, for instance, next time you go through an airport security check, who would be capable of causing more damage: a 92-year-old great-grandmother with a pair of cuticle scissors, or a 22-year-old martial arts black belt? They will confiscate the cuticle scissors, but they will allow the martial arts champion on the plane without putting him in shackles first. Some secure facilities will confiscate USB drives (and GPS receivers—why in the world?) "for security reasons," but they allow 80 GB FireWire (i1394) drives through because the security personnel cannot imagine any "threats" associated with digital music players. Many organizations have a password policy that requires users to use passwords too long and complicated to remember (and then routinely complain about the expense of resetting locked-out accounts), they block any kind of information gathering from ancient operating systems, and they do it all on computers that have not been patched for more than a year! It may appear that they are providing security but in reality this is nothing more than security theater.

We finally decided that the right way to dispel these myths was to write a book. At the time, it seemed like a really good idea, and we are sure that at some point it will seem like a good idea again.

Target Audience and Objective

This book is targeted at anyone who has the unfortunate yet delightful task of having to manage the security of a computer system or network of systems. Because we deal almost exclusively with relatively large networks running primarily some flavor of Microsoft Windows, the book focuses on that type of environment. However, we hope that just about anyone involved in managing security will find something of value in these pages.

Security in information technology is an evolving field; so evolving, in fact, that there is not really a clear name for it. Some people, ourselves included sometimes, call it information security (infosec). We like that term, because protecting information is the ultimate goal. However, it is also important to protect the data before it becomes information, and it is important to protect the resources and functionality provided by the systems in the network, and infosec does not capture that very well. Computer security gives us a connotation of protecting a single computer, and single computers simply are not that interesting today. Others call the field distributed systems security. However, as we explain in Chapter 1, "Introduction to Network Protection," we think distributed systems is a terrible idea from a security perspective and we want to avoid that term. Thus, we stuck with network security, which means protecting all the assets in the network.

Just as with the name of the field, many other issues are up for debate in network security. Therefore, what you will find in these pages is often our opinion of what is correct. Nowhere is this more pronounced than in Chapter 12, "Server and Client Hardening," but you will find the same phenomenon elsewhere. You may already have an opinion that is not the same as ours, or you may not. The point is not so much to persuade you that our opinion is correct as it is to make you think about the whole picture. If you do that, and come to a conclusion that is different from ours, then our objective has been met. We simply are trying to make you challenge the perceived (often outdated) wisdom and form a conclusion that helps you better protect your network.

What Is on the CD

The CD has a few tools that we wrote, partially because we needed a break from writing chapters, and partially because we thought they would be fun to write. Hopefully you will find some of these useful:

  • A HOSTS file a friend of ours gave us to black hole many spyware sites. It simply maps all their DNS names to localhost thus preventing the machine from accessing them. Just copy it into %systemroot%\system32\drivers\etc to use it. You can get an even bigger one at http://www.mvps.org/winhelp2002, and we recommend you update your HOSTS file from there every week or so.
  • A password generator. Passgen is an enterprise-class, command- line password manager. We discuss it more in Chapter 11, "Passwords and Other Authentication Mechanisms—The Last Line of Defense," and Chapter 8, "Security Dependencies." Also look at the readme for more information.
  • An SQL script to revoke all permissions from the public login. Use with care, but it is fun to see how much public has access to. You use it by pasting it into a Query Analyzer window. It will generate another query as output. If you copy and paste the output into another Query Analyzer window and run it, all the public permissions are revoked.
  • A slipstreaming tool. Like passgen, it is another custom tool developed specifically for the book. This VBScript is used to create on-disk operating system installations that already have all the patches applied—which turns out to be an involved process if you do it by hand. Instead, run the slipstream script, tell it where the source files are, where the patches are, and which service pack and operating system you are building; it will automatically build an on-disk install that has all the patches. We wrote this in VBScript because we figured it would be small and short. 1,100 lines of code later, we simply were not interested in rewriting it in a cooler and more efficient language.

We hope you will find these tools useful. They are licensed for your use within the organization that pays for the book. Please respect intellectual property rights and do not spread them around. Likewise, if you receive a copy of one of these tools from somewhere other than the CD, do not run it until you verify its authenticity. The SHA-1 hash of the slipstream tool is ddcf0bbaa4f09319f0d804df79ae60692748dbc9, and the one of the passgen tool is a10baed3102b2183569077a3fbe18113a658ed5d. If you get a copy of either tool with a different SHA-1 hash, do not use it! Instead, send us an e-mail at ProtectYourNetwork@hotmail.com, and we will get you a legitimate copy.

Acknowledgments

Once we had all the material, the drive, the marital buy-off, and all the other pieces for the book together, we were still missing one thing: a publisher. Karen Gettman at Addison-Wesley has seen us speak numerous times and has bugged us for a couple years to write for her; we are immensely indebted to her for giving us a chance and for letting us have almost unlimited artistic license in what we were doing.

We are also extremely grateful to our reviewers, particularly Susan Bradley, one of the sharpest and most vocal MVPs Microsoft has. As Michael Howard once noted about Jesper in the introduction to the first edition of Writing Secure Code, Susan read every single word, sentence, chapter, and paragraph, and had comments on every single word, sentence, chapter, and paragraph—and plenty of comments about things not in the book as well. If the book makes sense to system administrators in small businesses, it is entirely because of Susan. If it does not, it is our fault. We also had great feedback from our other reviewers, including, Corey Hynes, Richard Waymire, Gene Schultz, Marcus Murray, Mark Russinovich, Matt Bishop, Michael Howard, Rob Hensing, Brian Komar, David LeBlanc, Ben Smith, Jon Wall, Chris Wysopal, Kevin McDonnell, Michael Angelo, Byron Hynes, Harlan Carvey, Russ Rogers, James Morris, Robert Shimonski, Kurt Dillard, Rick Kingslan, Phil Cox, and James Edelen.

Last, but certainly not least, we are indebted (forever, in an irreparable sort of way) to our lovely wives Jennifer and Ingrid. Not only did they let us get away with writing the book, but also with traveling around the world talking to people, which both of us enjoy tremendously.

We hope to see you soon at an event near you!

—Jesper and Steve

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted June 26, 2005

    very clear explanations

    With news coming out almost weekly about major attacks against computers, Johansson and Riley give us an eminently readable and thorough discussion of how to defend a network of Microsoft machines. Perhaps the best chapter is a lengthy explanation of passwords. Far more indepth than many an alternative discourse. Without drowning you in the intricacies of cryptography. And it applies across any operating system. A good grounding in how to set a realistic password policy for your users. Another merit of the book is a nice going over of the perils of SQL injection attacks. Where a cracker might submit these attacks via a front end web form. The book is not really a database book, but the clarity of the explanation is commendable. Also, the precautions against SQL injection are applicable on any operating system.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)