What's in This Book?

This book is made up of 15 chapters covering four areas. Part I covers the basics and gives the reader a detailed understanding of the underlying technologies so they can implement the recommendations handed out in the rest of the book. Part II covers operating system security—securing it past the Microsoft defaults. Part III describes, step by step, how to harden commonly installed applications such as e-mail, Internet Explorer, and Internet Information Services. Part IV finishes the book by discussing how to best automate Windows security. Here's a chapter summary:

Part I

Part I, "The Basics in Depth," contains three chapters that cover Windows threats and some basic defenses, and ends by discussing NTFS permissions probably better than you've ever heard them discussed before. Chapter 1, "Windows Attacks," starts off by correctly defining the real problem. You can't plan the appropriate defense-in-depth strategy without understanding the right enemy. This is where most textbooks and lecturers go wrong. Chapter 1 discusses viruses, worms, trojans, buffer overflows, hybrid attacks, and the dedicated manual hacker methodology. One of the most valuable parts of the book is a listing of every place malware can hide in a Windows system.

Although this book focuses on efficient unconventional defenses that most Windows administrators don't use, but should, Chapter 2, "Conventional and Unconventional Defenses," covers the normal recommendations of physical security, patch management, firewalls, and antivirus software. It offers specific best practice recommendations and warns you about the problem areas that concern network administrators the most.

Correctly set NTFS permissions are the number one way to fight malicious exploits, but most administrators don't have a clue about how to set them. Chapter 3, "NTFS Permissions 101," covers default NTFS permissions, dispels some widely held myths, and details how your Windows security permissions should be set. Don't skip Chapter 3, as many seasoned veterans will be tempted to do. You will learn many new things and its lessons are integral to the forthcoming chapters. One of the best parts of this chapter is a table summarizing the default NTFS permissions for Windows Server 2003 and XP Pro.

Part II

In Part II, "OS Hardening," Chapters 4 through 8 discuss practical ways to secure the Windows operating system beyond the Microsoft defaults. Understanding authentication and preventing password crackers is central to securing Microsoft Windows computers. Chapter 4, "Preventing Password Crackers," covers the various types of Windows authentication protocols, when they are used, and which should be implemented when. After learning how Windows password authentication works, this chapter teaches you how to prevent password crackers in five easy steps.

Microsoft's latest operating systems come with a fair amount of default security built in, but it isn't enough. Chapter 5, "Protecting High-Risk Files," covers high-risk files needing additional security and how to secure them. While a lot of this chapter was seen for years as avant-garde, more and more security guides are recommending the advice it contains.

Like Chapter 5, Chapter 6, "Protecting High-Risk Registry Entries," details how to protect the operating system by increasing security beyond the defaults recommended by Microsoft. Defending and securing your registry is one of the best ways to prevent automated malware attacks. A few simple registry permissions can significantly secure your Windows computer. Chapter 6 covers high-risk registry keys and how to secure them.

Chapter 7, "Tightening Services," discusses the specialized topic of Windows services. You will learn how services and service accounts differ from the other Windows security principals, how hackers exploit services, and how to strengthen Windows service security.

IP Security is a vendor-neutral method for encrypting and authenticating network communications between two computers. Unfortunately, IPSec is complex to understand and almost as complex to use. Chapter 8, "Using IPSec," explains IPSec in the easiest terms available and helps you leverage IPSec as a part of your normal security policy.

Part III

Part III, "Application Security," discusses ways to harden Microsoft's most commonly attacked applications.

If you can't stop unauthorized application installation or execution, you ultimately cannot prevent maliciousness. Preventing unwanted applications from launching is one of the best ways to prevent viruses, worms, and trojans. Chapter 9, "Stopping Unauthorized Execution," discusses the various ways to stop unwanted software execution with a special focus on Software Restriction Policies.

Internet Explorer (IE) is perhaps the weakest link of Windows security and Microsoft has made it impossible to remove (even when you think you have). So, if you have to live with it, secure it. Chapter 10, "Securing Internet Explorer," covers how IE functions behind the scenes, its multitude of security settings, and the recommended configuration.

Most malware attacks arrive as file attachments or embedded Internet links. Chapter 11, "Protecting E-mail," covers essential e-mail security. It covers the biggest threats and how to defend against them, and recommends e-mail best practices.

Internet Information Services (IIS) has become a very stable and reliable product. IIS 6 has had only one or two vulnerabilities announced since its introduction (compare that to dozens on its nearest competitor, Apache). Read Chapter 12, "IIS Security," and learn the steps you can take to harden IIS 6 beyond the already very acceptable levels implemented by Microsoft. Many of the lessons were learned during the very successful www.hackiis6.com contest.

Microsoft's Encrypting File System (EFS) is an excellent way to provide seamless and secure file encryption. In fact, EFS is so secure that unprepared users often find their files encrypted permanently without a way to unlock them. Read Chapter 13, "Using Encrypting File System," to learn how EFS works and what you need to know and do before implementing EFS.

Part IV

Part IV, "Automating Security," includes two chapters that cover automating all the security settings covered in the previous chapters. It details hundreds of group policy settings and the best way to apply group policy objects.

Microsoft Windows comes with over two thousand different group policy settings. Chapter 14, "Group Policy Explained," covers them, discussing which ones should be implemented when, and finishing with how to create your own customized security and administrative templates.

Knowing how to secure a Windows computer isn't hard. It's consistent implementation that is difficult. Chapter 15, "Designing a Secure Active Directory Infrastructure," covers how to automate all the previously discussed steps. It covers when to use local computer policy, group policy, and administrative templates, and what should be set at each level.

The lessons taught here apply to all the current versions of Microsoft Windows, including 2000, XP, and Server 2003. Most of the information is centered on Windows XP and Server 2003. In most cases, the differences between the newest versions of Windows and its legacy versions (9x, ME, NT, etc.) are noted when appropriate. Most of the lessons taught in this book will work with the forthcoming Windows Vista client and the "Longhorn" server versions expected in 2006–2007. Any discussion of Vista and Longhorn should be understandably tempered by understanding that their features and security mechanisms will change prior to their final release. I've covered the features I think will be in the final product.

One last warning before we begin. The term hacker will often be used to describe malicious attackers even though the author and the publisher realize many hackers never participate in wrongdoing. However, through its overuse and misuse in the conventional media, the word hacker has been forever associated with malicious intent. For that reason, it is often used in this book without intentionally meaning to malign all the good hackers in the world. Now, join me on a journey of heightened awareness. By the conclusion of this book you will have gained the knowledge that dozens of the world's leading corporations use to secure their Microsoft Windows computers.



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
EAN: 2147483647
Year: 2004
Pages: 122
