Principle Number One: There Is No Such Thing as a Secure Computer
This should be evident to most people in computing. By now, every operating system, browser, or application that is exposed to the Internet has been taken to task by malware or attacks perpetrated by using some feature or bug in the product. Like life, computing poses risks depending on what we do, where we are, when we do it, how we do it, and perhaps even why we do it. Our job in information security is to correctly gauge that risk and do what can be done to mitigate it. At the same time, we have to keep in mind that there is no such thing as a secure computer. Computers are more or less securable, though, and the security of the information stored on them (or transferred by them to other computers) depends on how well we understand how to secure them.Securing computers is a process that is part hardening, part auditing to make sure we did it in the best manner and that configuration stays in place, and part intrusion detection and response. But "securing" is not a process that makes computers secure. Instead, it must be defined as a process that makes a computer as secure as possible, given current knowledge of the threats that the computer will face.Perhaps a better way to think about security is not as some unattainable goal, but as a continuum. On one end is a computer system that has a poor security design, that has had no hardening, that has non-existent external defenses, and that is used by individuals who purposely practice "unsafe" computing. On the other end is a computer designed by the most knowledgeable security engineers and uncluttered by any marketing requirements to make it user-friendly or to conform to some standard other than security. This computer also has been hardened (there will always be some post-design flexibility that requires that the computer be used for something). The computer has multiple external defenses including firewalls, anti-spam, anti-virus, and anti-spyware perimeter controls, in addition to network access controls, which include security requirements that must be met before a computer can operate on the network. The computer is operated by a highly trained security expert whose ethical behavior is unquestionable. Additional defenses such as intrusion detection, intrusion prevention, and things that we haven't discovered yet are also in operation. Think of the first computer as residing at ground zero, and the second one at infinity. Envisioning several continuums that start at zero and extend to infinity might represent a better understanding. Each one could represent one of these parameters, such as user ethics, knowledge, or secure design. The position of the computer on the composite continuum can then be expressed as a combination of its location on all of the separate continuums. This representation is not static. Think of each point on the continuum as a marker, like the wooden rings on an old abacusthey are meant to be moved.If you accept this representation, then you can see the definition of your job in securing the computers on your network. Your job is to push these markers as much as you can to the right toward infinity. Which markers you individually push will depend on your current job and abilities, but push you must. Some of the markers can't be pushed at all; you can't change the design of a current operating system (although you may be able to push its manufacturers to make some attempt at dealing with a poor design), and you probably can't change the behavior of people whose purpose in life is to destroy things in the name of figuring out how they work or who simply want the financial reward inherent in doing so.This book will help you move the markers on one of these continuumsthe hardening onefor Windows Server 2003. When you do that, you will also move the marker on the composite continuum, but I don't think you'll be fooled into thinking that your work is the only thing necessary to secure your computing infrastructure. This book will also advise you of things you can do to push the markers a little bit more in some of the other areas, but in the end, the security composite of your network will depend on more than can be represented in this book.Start here by learning or reviewing basic security principles, and then use the rest of this book to help you understand how to use these principles to secure Windows Server 2003. |
لطفا منتظر باشید ...
Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
