Additional Reading

The Association for Computing Machinery (ACM) maintains an extremely educational discussion of computer- related risks to the public, the RISKS Digest. The digest is available on Usenet (look in comp.risks) or on the Web; I normally read it at http://catless.ncl.ac.uk/Risks .

Microsoft Press has two good programming security books. Michael Howard s and David LeBlanc s Writing Secure Code, Second Edition (2003; make sure you get the second edition) and Michael Howard s Designing Secure Web-Based Applications for Microsoft Windows 2000 (2000) describe how programmers and designers can apply the STRIDE model to make their products and services more secure. They re good general-security references, although they don t discuss Exchange in any detail.

The Microsoft security Web site ( http://www.microsoft.com/security/ ) does a good job of posting information on newly discovered vulnerabilities for Windows systems.

For Windows Server 2003 and Windows XP, the Threats and Countermeasures Guide ( http://go.microsoft.com/fwlink/?LinkId=15159 ) is a wonderful introduction to some of the built-in Windows features that mitigate the risk of specific kinds of attack.

For sites running Windows 2000, the Microsoft Security Operations Guide for Windows 2000 Server (and its companion guide for Exchange 2000) make terrific detailed guides of security practices and settings. These guides cover both policies and practices, and Microsoft has made them freely downloadable from http://msdn.microsoft.com/practices/ . Get them and read them.