Protect Your Windows Network: From Perimeter to Data Review by Stephen McIrvin
Thorough, practical advice with great theory
The simple truth is that if you're directly responsible for the health of a Windows network, you need to read this book. It contains a wide enough breadth to be applicable to all Windows administrators running a variety OS and application levels, while still managing the depth required to be truly informative and serve as a good everyday reference. It provides an incredible amount of detailed theory and hands-on practical advice that will give you the background information, tools and motivation to improve your defenses and keep hackers away from your data.
Those directly responsible for securing the network should read this book through and then read it again, perhaps discussing it with a peer. There's a lot of information to unpack, so a critical study of how to contextualize the recommendations to your environment would benefit from a team of individuals dedicated to understanding and carrying out the guidelines that are given. In contrast, high-level managers and decision makers who have a more hands-off role would be well served by taking half an hour to read the first two chapters, giving them a sobering first-hand account of the ease with which a knowledgeable attacker can subvert an entire domain. It will be 30 minutes well spent! A final group, the technically savvy supervisors who don't actually implement (but monitor those who do), should quickly read the entire volume and hold their employees accountable for upholding at least the principles, if not the specific practices, mentioned throughout. All three groups should read it with the goal of acquiring a security mindset, filtering all their projects and goals through the "lens" created as a result of the truths learned from this pair of gurus. It is the unique combination of sufficient depth with comprehensive breadth that gives this book the edge over most recent Windows security titles from other authors. If you have to pick just one printed manual to take with you into battle, this should be your weapon of choice. I heartily recommend it as a great read for now, and as an investment for your go-to shelf later on.
Jesper and Steve begin the journey with the same eye-opening SQL injection attack you may have seen in one of the talks they present around the globe in their roles as security experts for Microsoft (Jesper has since changed employers). They exploit a poorly-written web application by feeding SQL code directly through the web form, eventually compromising the entire network, even though it's fully-patched and even somewhat hardened. They describe the intricacies of the attack from beginning to end, laying the groundwork for the defense techniques described in the remaining chapters. After taking over their victim network, they round out the section on fundamentals with a chapter on patch management. This was the low point of the book and, in my opinion, it glosses over the realities of just how time-consuming and complex change management and regression testing can be in a heterogeneous environment. Don't get discouraged by this chapter; slog through it and enjoy the informative--yet surprisingly fun--chapters that follow.
Having established the basics, more groundwork is laid with above-average, but not spectacular, sections on administrative policies and physical security. These are the most "CISSP-ish" pages of the whole book and should look very familiar to members of (ISC)². While the advice in these early chapters will stand the test of time, there's not much in here that won't already be a part of your daily arsenal. If you haven't figured out such basics as having a written security policy and that users will always choose convenience over security, then study this section hard. For the rest of us, you will find yourself saying "Amen" a lot as you review these four well-written and comprehensive middle chapters. The real epiphany comes at the end of Chapter 7 when they declare that the days of having a notion of a "perimeter" are over. If you haven't realized by now how incredibly porous your network is, this book should help bring you back to reality.
With the first half of the book used as an appetizer, the authors start serving the main course of practical, detailed advice about how to protect every aspect of your clients, servers and network infrastructure. Their incredible insight into password theory and how exactly a real password attack would work is so refreshing; these guys are experts, and it's demonstrated most profoundly in their chapter-long advice on the subject. Here and throughout the book they constantly bring you back to reality by refuting myths common in "security theater" and give you the best advice, with enough background to understand why it works. One particularly sobering moment was the sweeping dismissal of biometric authentication because of the myriad (often foolishly simple) flaws that can defeat even über-expensive fingerprint readers, retina scanners, etc. In the next two hundred or so pages they give you just enough instruction about IPSec, 802.1X, two-factor authentication and server/client hardening to help you understand the critical pieces of theory and find the detailed implementation instructions for yourself. You'll feel like you finally know the reasons to do all these things instead of just getting a litany of the individual steps to implement a particular setting or policy. Microsoft has published a lot of dry technical guides on every registry setting and tweak imaginable; these guys tell you the background information of why any of this stuff matters and they do it in a winsome, often satirical way that makes you want to keep reading.
The key concepts I took from reading this book were: a healthy skepticism about merely doing tweaks or checklists that have an air of sophistication but don't actually improve security; a sense of empowerment about how to untangle my network from a web of dependencies caused by shared service accounts (they even provide a handy utility to make their advice doable); and a renewed sense of encouragement that least privilege is actually obtainable. They end each chapter with an immediate call to action that addresses the most important steps you can take to do the most good quickly. If you can force yourself to do these challenging tasks for every area they address, you'll be well on the road to a more secure installation.