- Copyright
- Praise for Protect Your Windows Network
- Acknowledgments
- About the Authors
  - Jesper M. Johansson
  - Steve Riley
- Preface
  - Target Audience and Objective
  - What Is on the CD
- Part I. Introduction and Fundamentals
  - Chapter 1. Introduction to Network Protection
    - Why Would Someone Attack Me?
    - Nobody Will Ever Call You to Tell You How Well the Network Is Working
    - Introduction to the Defense-in-Depth Model
    - The Defender's Dilemma
    - Summary
    - What You Should Do Today
    - Endnotes
  - Chapter 2. Anatomy of a Hack: The Rise and Fall of Your Network
    - What a Penetration Test Will Not Tell You
    - Why You Need to Understand Hacking
    - Target Network
    - Network Footprinting
    - Initial Compromise
    - Elevating Privileges
    - Hacking Other Machines
    - Taking Over the Domain
    - Post-mortem
    - How to Get an Attacker Out of Your Network
    - Summary
    - What You Should Do Today
  - Chapter 3. Rule Number 1: Patch Your Systems
    - Patches Are a Fact of Life
    - Exercise Good Judgment
    - What Is a Patch?
    - Patch Management Is Risk Management
    - Tools to Manage Security Updates
    - Advanced Tips and Tricks
    - Slipstreaming
    - Summary
    - What You Should Do Today
- Part II. Policies, Procedures, and User Awareness
  - Chapter 4. Developing Security Policies
    - Who Owns Developing Security Policy
    - What a Security Policy Looks Like
    - Why a Security Policy Is Necessary
    - Why So Many Security Policies Fail
    - Analyzing Your Security Needs to Develop Appropriate Policies
    - How to Make Users Aware of Security Policies
    - Procedures to Enforce Policies
    - Dealing with Breaches of Policy
    - More Information
    - Summary
    - What You Should Do Today
  - Chapter 5. Educating Those Pesky Users
    - System Administration ≠ Security Administration
    - Securing People
    - The Problem
    - Protecting People
    - Plausibility + Dread + Novelty = Compromise
    - Things You Should Do Today
- Part III. Physical and Perimeter Security: The First Line of Defense
  - Chapter 6. If You Do Not Have Physical Security, You Do Not Have Security
    - But First, a Story
    - It's a Fundamental Law of Computer Security
    - The Importance of Physical Access Controls
    - Protecting Client PCs
    - The Case of the Stolen Laptop
    - The Family PC
    - No Security, Physical or Otherwise, Is Completely Foolproof
    - Things You Should Do Today
  - Chapter 7. Protecting Your Perimeter
    - The Objectives of Information Security
    - The Role of the Network
    - Start with (What's Left of) Your Border
    - Next, Use the Right Firewall
    - Then, Consider Your Remote Access Needs
    - Finally, Start Thinking About "Deperimeterization"
    - Things You Should Do Today
    - Endnotes
- Part IV. Protecting Your Network Inside the Perimeter
  - Chapter 8. Security Dependencies
    - Introduction to Security Dependencies
    - Administrative Security Dependencies
    - Service Account Dependencies
    - Mitigating Service and Administrative Dependencies
    - Other Security Dependencies
    - Summary
    - What You Should Do Today
  - Chapter 9. Network Threat Modeling
    - Network Threat Modeling Process
    - Document Your Network
    - Segment Your Network
    - Restrict Access to Your Network
    - Summary
    - What You Should Do Today
  - Chapter 10. Preventing Rogue Access Inside the Network
    - The Myth of Network Sniffing
    - Network Protection at Layers 2 and 3
    - Using 802.1X for Network Protection
    - Using IPsec for Network Protection
    - Network Quarantine Systems
    - Summary
    - What You Should Do Today
  - Chapter 11. Passwords and Other Authentication Mechanisms: The Last Line of Defense
    - Introduction
    - Password Basics
    - Password History
    - What Administrators Need to Know About Passwords
    - Password Best Practices
    - Recommended Password Policy
    - Better Than Best Practices: Multifactor Authentication
    - Summary
    - What You Should Do Today
- Part V. Protecting Hosts
  - Chapter 12. Server and Client Hardening
    - Security Configuration Myths
    - On to the Tweaks
    - Top 10 (or so) Server Security Tweaks
    - Top 10 (or so) Client Security Tweaks
    - The Caution List: Changes You Should Not Make
    - Security Configuration Tools
    - Summary
    - What You Should Do Today
- Part VI. Protecting Applications
  - Chapter 13. Protecting User Applications
    - Patch Them!
    - Make Them Run As a Nonadmin
    - Turn Off Functionality
    - Restrict Browser Functionality
    - Attachment Manager
    - Spyware
    - Security Between Chair and Keyboard (SeBCAK)
    - Summary
    - What You Should Do Today
  - Chapter 14. Protecting Services and Server Applications
    - You Need a Healthy Disrespect for Your Computer
    - Rule 1: All Samples Are Evil
    - Three Steps to Lowering the Attack Surface
    - What About Service Accounts?
    - Privileges Your Services Do Not Need
    - Hardening SQL Server 2000
    - Hardening IIS 5.0 and 6.0
    - Summary
    - What You Should Do Today
  - Chapter 15. Security for Small Businesses
    - Protect Your Desktops and Laptops
    - Protect Your Servers
    - Protect Your Network
    - Keep Your Data Safe
    - Use the Internet Safely
    - Small Business Security Is No Different, Really
    - What You Should Do Today
  - Chapter 16. Evaluating Application Security
    - Caution: More Software May Be Hazardous to Your Network Health
    - Baseline the System
    - Things to Watch Out For
    - Summary
    - What You Should Do Today
- Part VII. Protecting Data
  - Chapter 17. Data-Protection Mechanisms
    - Security Group Review
    - Access Control Lists
    - Layers of Access Control
    - Access Control Best Practices
    - Rights Management Systems
    - Incorporating Data Protection into Your Applications
    - Protected Data: Our Real Goal
    - What You Should Do Today
    - Endnotes
- Appendix A. How to Get Your Network Hacked in 10 Easy Steps
- Appendix B. Script to Revoke SQL Server PUBLIC Permissions
- Appendix C. HOSTS File to Block Spyware
- Appendix D. Password Generator Tool
  - g (Generate Password Based on Known Input)
  - r (Generate Random Password)
  - s (Set a Password on an Account and/or Service)
  - Security Information
  - Usage Scenarios
- Appendix E. 10 Immutable Laws of Security
  - Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
  - Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
  - Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
  - Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more
  - Law #5: Weak passwords trump strong security
  - Law #6: A computer is only as secure as the administrator is trustworthy
  - Law #7: Encrypted data is only as secure as the decryption key
  - Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all
  - Law #9: Absolute anonymity isn't practical, in real life or on the Web
  - Law #10: Technology is not a panacea
- Index