Oh No, Not Another Windows 2000 Security Book
One that gets it right — mostly.
- By Roberta Bragg
- November 01, 2001
Remember when finding documentation on Windows NT security was hard to
do? Remember when securing anything became hot? Eventually we were treated
to numerous books on Windows NT security—many of which didn’t tell us
much.
Fast forward to the new millennium and a new version of Windows—Windows
2000. Now here’s an operating system with lots of security features right
up front and in your face, and documentation abounds. There’s copious
material on the Web sites, certification guides, test preps, even an Official
Microsoft Curriculum course. Then there’s a Win2K security tome written
by every known security guru (and quite a few unknowns). Thousands of
pages. Some quite informative, some lacking in information. There are
some authors who thought their extensive knowledge of Windows NT security
would be enough to get them through (it wasn’t), some who struggled with
the concepts, and some who got it right.
Windows 2000 Security Handbook, by Philip Cox, Tom Sheldon and
others, is one that gets it right—mostly.
This isn’t just another Win2K Security book. It’s full of important,
well-organized information. Part 1, Security 101, covers security in general,
including short sections on threats, countermeasures, policies and management.
Part 2, Win2K Security, presents an overview of the Win2K architecture
and the basic security subsystem, user groups, authentication and authorization,
along with network protocols and Win2K-specific risks and solutions. Part
3 focuses on securing Win2K. Here you’ll find an introduction to Active
Directory, information on group policies, user and group security management,
logon and authentication, file system and share security, and auditing.
Part 4 moves on to network issues and includes defensive strategies including
firewalls, proxy servers, remote access, VPNs, client security and enterprise
security. Finally, Part 5 offers chapters on securing IIS, fault tolerance
and hardening Win2K, which is really instructions on how to bring up a
hardened server. If you want a book that introduces the panoply of topics
that is info security, look no further.
Both the principal authors have a long history of work with Windows products
and are well known in the field. Also, it’s obvious they’ve invested time
and energy in studying the new OS. However, even though the book’s been
released more than a year after the product, there isn’t much “lessons
learned” information included. The exception is the chapter on hardening
Win2K, in which the authors caution would-be implementers that the suggestions
might break a production server. Good. I would, however, have liked to
see some backup for some recommendations. For example, page 662 lists
essential Win2K services and recommends disabling all others, then only
enabling the other services if necessary. However, it doesn’t say what
these claims are based on—an article by Microsoft? (I can’t find one.)
Private conversations with helpful contacts at same? Extensive research?
Educated guesses? I’d like to take the information on faith—but I’ve been
thrown once too often when riding that particular horse. This is invaluable
information, and I wish there were more of it (and that it were better supported).
You can also find updated and additional information on the book’s Web
site. The book refers to an appendix on Win2K services but doesn’t include
one. You can find it at http://www.osborne.com/networking_comm/0072124334/0072124334.shtml
along with a document on PKI.
In sum, this is a good overall introductory book. It seeks to cover an
immense amount of ground and thus covers few topics in detail. I'm a little
unhappy that a book published long after the introduction of Win2K improperly
defines Native and Mixed mode domains; a correction, however, is posted
on the System Experts Web site.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.