Title: Protect Your Windows Network
Authors: Jesper M. Johansson and Steve Riley
Publisher: Addison-Wesley
ISBN: 0-321-33643-7
Price: $49.99 SRP (578 pages with CD)
Let me cut to the chase: if you're a Windows admin and you are at all worried about security, get this book. Now.
Okay, having said that let me tell you about the book. Here's the back blurb:
In this book, two senior members of Microsoft's Security Business and Technology Unit present a complete "Defense in Depth" model for protecting any Windows network -- no matter how large or complex. Drawing on their work with hundreds of enterprise customers, they systematically address all three elements of a successful security program: people, processes, and technology.
I've been doing a lot of professional security work over the years, much of it with Windows. I tend to treat new security books with a big grain of salt, because there are far too many well-meaning people out there giving advice ranging from mildly wrong to actively harmful. Now that I've written a book of my own, I have a fair idea of what is involved and how easy it is for authors to slip technical howlers past their hard-working editors (who aren't usually experts in the topic). Just because something is written down in a book doesn't mean I automatically trust it; unfortunately, too many people do place their faith in the Holy Grail of the printed word. On the other hand, I've not only seen Jesper and Steve speak before, I've had the opportunity to work with them on past projects, so I have a reasonable amount of faith that they actually know what they're talking about. (If you haven't had the pleasure of hearing them speak, go find the events they're at and sign up. Trust me.) As a result, I was pretty sure this book was going to rock on toast and give me a few good hard nuggets to think about.
It didn't.
This book completely threw many of my security assumptions out the window. More than once, I was reading the book shaking my head, saying "No, no, that's not right!" as the authors made hamburgers out of yet another security sacred cow. After giving myself time to think about it from a real-world point of view, though, I almost always came away agreeing with them. At other times, I'd be pumping my fist in the air, ecstatic that somebody else Got It and was able to put it as eloquently as I'd just read. I don't normally read technical books cover to cover; not only did I read this one straight through, I went back for a second pass with a bunch of sticky flags. My copy now looks like it was in a Twister factory explosion. My wife got to hear a fair amount of the book too; she'd come in asking why I was laughing and I'd have to read the offending portion to her.
The book comes with a CD; it's not got a lot on it, but the scripts that are there are very useful indeed. There's also an accompanying website, http://www.protectyourwindowsnetwork.com/, which contains errata and downloadable copies of the scripts and files on the CD.
Here, along with the outline of chapters, is a sampling of the many gems I found in this book:
- Chapter 1, Introduction to Network Protection:
  - Pages 4 and 17: the book is not about building a secure network, since network security as an end state is impossible. You don't want to be completely secure; you just want to be secure enough.
  - Page 8: the four types of attacks (automated or manual vs. passive or active).
  - Page 20: defense in depth does not mean piling on the tweaks. It includes people, policies, and processes as well as technical resources. Before you make a change, you should know exactly what problem it mitigates or blocks, and that problem needs to be a significant enough risk to warrant the reduced functionality.
- Chapter 2, Anatomy of a Hack -- The Rise and Fall of Your Network: the whole chapter. This is a great walkthrough, with real command lines and data, showing one way that a nominally secure network is successfully attacked. A standout point is made on pp. 73-76: your only real option for getting an attacker out of the network is draining the network and rebuilding. There's a woefully impressive list of "You cannots" that directly addresses common mistakes people make after detecting an attack, such as trying to clean a system instead of rebuilding it.
- Chapter 3, Rule Number 1: Patch Your Systems:
  - Page 80: "Note: If you think patching makes a system unstable, try getting yourself hacked. That tends to be even more destabilizing!"
  - Page 83: Patch Management is Risk Management. (Oddly enough, so is security.)
  - Page 101: how to create slipstreamed installations of Windows. They even include a nifty script to help make this process easier.
- Chapter 4, Developing Security Policies:
  - Page 113: "Without a security policy, you cannot have an effective network protection strategy. The security policy is what tells you what threats you are facing, which ones you are willing to accept, and which ones you want to mitigate."
  - Page 127: how to set up a system sensitivity classification policy. Not all servers are created equal; you need to know which systems are most critical and need the most protection.
- Chapter 5, Educating Those Pesky Users:
  - A lot of this chapter talks about social engineering and gives specific examples of how to find the information you need. It also tells you how to inform your users of the threat and how to design your policies so that people's natural impulse to help acts to reinforce your security instead of circumventing it.
  - Page 153 gives the ultimate secret for getting information to your organization and ensuring they'll remember it later: throw a party, give them beer and pizza, then tell them what you need to tell them.
- Chapter 6, If You Do Not Have Physical Security, You Do Not Have Security:
  - Page 160 replaces the traditional, incomplete 7-layer OSI network model with the real deal: Layer 0 (Physical--Meatspace), Layer 1 (Physical--Interconnect), Layer 2 (Data Link), Layer 3 (Network), Layer 4 (Transport), Layer 5 (Session), Layer 6 (Presentation), Layer 7 (Application), Layer 8 (People), Layer 9 (Management), Layer 10 (Politics), Layer 11 (Religion). Don't laugh -- it's true.
  - Page 171: don't waste time trying to disable USB drives. The very next page gives a long list of ways people can circumvent your restrictions and get data out of your computers and organization if they really want to.
  - Page 175: the Encrypting File System (EFS) is good for laptops.
- Chapter 7, Protecting Your Perimeter:
  - Page 183: Perimeter? What perimeter? You can't rely on a strong perimeter/DMZ model anymore.
  - Page 191: the five rules you need on your border router (block all inbound traffic claiming to be from your internal network, block all outbound traffic claiming to be from some network other than your internal network, block all traffic to or from private network ranges, block all source-routed traffic, and block all fragments). Drop these packets before they ever get to your firewalls.
  - Pages 192-198: picking the right firewall (packet filtering vs. application filtering, software vs. appliance, one brand vs. multiple).
  - Page 208: "Unless you have a need to inspect all traffic between VPN clients and the internal network, the best place to locate your VPN server is alongside your firewall. Because RRAS can protect itself and because you probably aren't doing internal inspection in your network, placing your VPN server alongside your firewall is logical and helps keep your network design simpler." (Anybody's brain breaking yet?)
- Chapter 8, Security Dependencies:
  - Page 225: "Note: Domain administrative accounts are for logging on to domain controllers and other systems that are as sensitive and as well protected as domain controllers. They must never be used on any other system."
  - Page 225 again: the problem with writing passwords down isn't that they're written down. It's that the written copies are not adequately protected. Recording your passwords is a good step and increases your security -- as long as they are protected.
  - Page 227: using the Passgen tool (included with the book) to secure accounts by giving them long, random, complex passwords without telling even you what they are.
- Chapter 9, Network Threat Modeling: again, this whole chapter is worth the price of the book. One particularly nice sidebar on page 243 categorizes the six types of threats: STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). Table 9-1 on pp. 258-263 gives you a detailed list of traffic and ports used by Windows domain controllers.
- Chapter 10, Preventing Rogue Access Inside the Network:
  - Big grins on page 267: "It should be obvious by now that if a bad guy is inside your network, you have serious problems. However, all hope is not lost. After all, bad guys connect to your network all the time, although we usually call them users."
  - Pages 267-269: why network sniffing isn't as big a threat as security admins think it is. (Risk management redux.)
  - Page 272: how to use 802.1x to protect your network (and why, on page 275, it won't really protect your wired networks). Use it along with WPA for your wireless networks and they'll be stronger than your wired networks.
  - Pages 283-296: how to use Windows IPsec policies to stop worms, protect your network servers from rogue clients, and implement domain isolation (domain isolation = devices cannot communicate with your domain resources unless they are domain-joined and have the proper IPsec policies).
- Chapter 11, Passwords and Other Authentication Mechanisms -- The Last Line of Defense: again, this whole chapter is good because it punctures a lot of myths about passwords (no, passwords are really a bad way to authenticate; you should be using passphrases, which are stronger yet easier to remember; better yet, use other forms of authentication). It includes a good discussion of why taking extraordinary measures to come up with uncrackable passwords may often be wasted effort -- you need to be protecting your password hashes, which are gold.
- Chapter 12, Server and Client Hardening:
  - Pages 355-364: ten security configuration myths. These points are good; many are counter-intuitive (security guides don't really make your system secure? WHOA!).
  - Pages 365-377: the top ten server tweaks you need to make.
  - Pages 377-385: the top ten client tweaks you need to make.
  - Pages 385-387: tweaks you should not make.
- Chapter 13, Protecting User Applications:
  - Page 398: make your applications run under nonadmin accounts (least user access, or LUA).
  - Page 400: if you aren't using it, don't install it.
  - Page 402: how to lock down the browser (IE, of course).
- Chapter 14, Protecting Services and Server Applications:
  - Pages 415-416: "You will constantly run into statements like 'that is not supported' and 'we have never tested that.' Those statements are very important, but they do not mean you cannot do something. They just mean you may be on your own doing it."
  - Page 417: Rule 1: All Samples Are Evil. They provide easy attack routes. (Sample IIS apps, anyone?)
  - Page 418: how to reduce your attack surface.
  - Pages 421-445 give a clear and concise description of how you go about analyzing services to find out what privileges they really need (as opposed to the ones they tell you they need), as well as how to harden SQL Server and IIS. Get rid of services running as administrative accounts!
- Chapter 15, Security for Small Businesses: this chapter is a good discussion of how to use the same principles in smaller businesses, where Small Business Server may be deployed. "Regardless of size, all networks face pretty much the same threats."
- Chapter 16, Evaluating Application Security:
  - Page 469: how to baseline your system.
  - Pages 471-487: what sorts of issues to watch out for.
- Chapter 17, Data Protection Mechanisms: it isn't enough to secure your network, servers, and clients. Now you have to secure the data -- how to set up effective ACLs, access control best practices, and why you might want to look at rights management systems.
- Appendix A, How to Get Your Network Hacked in 10 Easy Steps
- Appendix B, Script To Revoke SQL Server PUBLIC Permissions
- Appendix C, HOSTS file to Block Spyware (this has since been replaced by the errata and may not be in your printing of the book).
- Appendix D, Password Generator Tool
- Appendix E, 10 Immutable Laws of Security
- A CD containing:
  - The HOSTS file from Appendix C (again, this has since been replaced).
  - The password generator (PassGen) in Appendix D. The CD version is 1.0; the website version is 1.1 and can generate passwords up to 256 characters long.
  - The SQL hardening script in Appendix B.
  - The slipstreaming script in Chapter 3.
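To make the five border-router rules from page 191 concrete, here is a small policy checker that applies them, in the book's order, to a batch of constructed packets and tallies what would be dropped before the firewall ever sees it. This is an added example written for this review; it is not one of the scripts from the book or its CD. The internal prefix 203.0.113.0/24 (an RFC 5737 documentation range) and all sample packets are constructed; the only real constants are the RFC 1918 private ranges.

```python
"""Border-router ingress/egress filter check (constructed example, not from the book)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the organisation's routable prefix. 203.0.113.0/24 is an
# RFC 5737 documentation range used here as a constructed stand-in.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private ranges: none of these should appear on the Internet side.
PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str               # "in" = Internet -> internal, "out" = internal -> Internet
    fragment: bool = False       # any IP fragment (initial or non-initial)
    source_routed: bool = False  # loose/strict source-route IP option present


def border_filter(pkt: Packet) -> Optional[str]:
    """Return the name of the page-191 rule that drops pkt, or None if it passes.

    Rules are evaluated in the order the book lists them, so a packet matching
    several is reported under the first one that fires.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # 1. Inbound traffic claiming to come from our own prefix is spoofed.
    if pkt.direction == "in" and src in INTERNAL:
        return "inbound-spoofed-internal"
    # 2. Outbound traffic must carry one of our addresses (egress filtering).
    if pkt.direction == "out" and src not in INTERNAL:
        return "outbound-spoofed-external"
    # 3. Private ranges have no business crossing the border in either direction.
    if any(src in net or dst in net for net in PRIVATE):
        return "private-range"
    # 4. Source routing lets the sender dictate the path; never honour it at the edge.
    if pkt.source_routed:
        return "source-routed"
    # 5. Fragments defeat simple header inspection; drop them at the router.
    if pkt.fragment:
        return "fragment"
    return None


def audit(packets) -> dict:
    """Tally drops per rule over a batch; passing packets are counted under 'accepted'."""
    counts = {}
    for p in packets:
        key = border_filter(p) or "accepted"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic (198.51.100.0/24 is another documentation range).
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "in"),                      # normal inbound
    Packet("203.0.113.25", "203.0.113.10", "in"),                      # claims to be us
    Packet("10.0.0.5", "198.51.100.7", "out"),                         # leaked private src; rule 2 fires first
    Packet("203.0.113.10", "192.168.1.1", "out"),                      # private destination
    Packet("198.51.100.7", "203.0.113.10", "in", source_routed=True),  # source-route option set
    Packet("198.51.100.7", "203.0.113.10", "in", fragment=True),       # IP fragment
    Packet("203.0.113.10", "198.51.100.7", "out"),                     # normal outbound
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.direction:3} {p.src:>14} -> {p.dst:<14} {border_filter(p) or 'accept'}")
    print(audit(SAMPLE))
```

Running it on the sample batch accepts two packets and drops one per rule. The ordering matters in practice: the packet with a 10.0.0.5 source leaving the network is caught by the egress rule before the private-range rule, which is exactly what you want when you are reading the router's counters to see whether hosts inside are leaking or spoofing.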
Some of the best content of the book isn't contained in the book -- it's on the website in the Listening Room. Here, you can find recorded versions of talks by Jesper and Steve. You'll find their talks cover a lot of the same ground the book does, but they are both dynamic speakers; hearing the material reinforces what you've just read.
So, is this book for you? Let me answer that with another question: Are you tired of being a prisoner to security bulletins, patches, conflicting (and confusing) security guidance, and vendor claims?
If you want to learn how to actually analyze your systems and network, assess the threats you face, and do more than follow step-by-step "hardening guides" that inevitably break the CEO's favorite applications, then you need to get this book. It won't give you false warm fuzzies; it won't hold your hand and do your thinking for you, because the reality of security is that everybody's system is different. You can't produce cookie-cutter protection for a moving target; there is no substitute for digging in and learning the techniques Jesper and Steve show you here. If you put the work in, though, I can promise you will have a much better understanding of what it takes to keep your systems and network secure, and how to adapt as the threat landscape changes.
If you want to keep plodding on, performing security by rote, following checklists, then don't read this book. It will make you question your assumptions and might even lead to thinking. And the bad guys in your network don't want that.
[Edited 12/9 to fix typos and clarify wording in a few places.]