<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Getting IT Right &#187; Security and Malware</title>
	<atom:link href="http://blog.meteorit.co.uk/category/security-and-malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.meteorit.co.uk</link>
	<description>the unofficial voice of Meteor IT</description>
	<lastBuildDate>Sun, 12 Feb 2012 23:21:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.meteorit.co.uk' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/f20aaf2e5a61cd42fe07e67a0f2a1c3f?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Getting IT Right &#187; Security and Malware</title>
		<link>http://blog.meteorit.co.uk</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.meteorit.co.uk/osd.xml" title="Getting IT Right" />
	<atom:link rel='hub' href='http://blog.meteorit.co.uk/?pushpress=hub'/>
		<item>
		<title>Oops &#8211; Microsoft Certificate expired when logging on with Live ID</title>
		<link>http://blog.meteorit.co.uk/2010/06/18/oops-microsoft-certificate-expired-when-logging-on-with-live-id/</link>
		<comments>http://blog.meteorit.co.uk/2010/06/18/oops-microsoft-certificate-expired-when-logging-on-with-live-id/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 20:58:22 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Certicate]]></category>
		<category><![CDATA[expiry]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">https://veroblog.wordpress.com/2010/06/18/oops-microsoft-certificate-expired-when-logging-on-with-live-id/</guid>
		<description><![CDATA[When signing in to a Microsoft site this evening I received a security warning from Firefox. Strange, I was convinced the site was genuine and I had not followed a spoofed phishing link to get there. How could this be? I chose to continue using the “Add exception” button to get to the screen where [...]]]></description>
			<content:encoded><![CDATA[<p>When signing in to a Microsoft site this evening I received a security warning from Firefox. Strange, I was convinced the site was genuine and I had not followed a spoofed phishing link to get there. How could this be?</p>
<p>I chose to continue using the “Add exception” button to get to the screen where I could see the certificate details. Nothing wrong with the certificate issuer, path and so on, except that it expired a few hours ago at 18:26 GMT:</p>
<p><a href="http://veroblog.files.wordpress.com/2010/06/expiredmicrosoftcertificate.png"><img style="border-bottom:0;border-left:0;display:inline;border-top:0;border-right:0;" title="Expired Microsoft Certificate" border="0" alt="Expired Microsoft Certificate" src="http://veroblog.files.wordpress.com/2010/06/expiredmicrosoftcertificate_thumb.png?w=400&#038;h=301" width="400" height="301" /></a> </p>
<p>This certificate is not actually for live.com that runs the logon part of the process, but profile.microsoft.com which looks after the other parts of the page which wrap round this. So, not vital but likely to cause much confusion and <a title="FUD = Fear, uncertainty and doubt" href="http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt" target="_blank">FUD</a> until they get a new certificate to fix the problem.</p>
<p>Do you know when your certificates expire? And all your different domain names? What about other vital contracts which would stop you doing business if they expired suddenly? How do you manage all of these; is it a central business policy or does it just come down to one overworked IT Manager’s Outlook calendar?</p>
<br /> Tagged: <a href='http://blog.meteorit.co.uk/tag/certicate/'>Certicate</a>, <a href='http://blog.meteorit.co.uk/tag/expiry/'>expiry</a>, <a href='http://blog.meteorit.co.uk/tag/ssl/'>SSL</a>]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2010/06/18/oops-microsoft-certificate-expired-when-logging-on-with-live-id/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2010/06/expiredmicrosoftcertificate_thumb.png" medium="image">
			<media:title type="html">Expired Microsoft Certificate</media:title>
		</media:content>
	</item>
		<item>
		<title>Microsoft Browser Choice screen rant</title>
		<link>http://blog.meteorit.co.uk/2010/06/09/microsoft-browser-choice-screen-rant/</link>
		<comments>http://blog.meteorit.co.uk/2010/06/09/microsoft-browser-choice-screen-rant/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 09:30:05 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[IT legal matters]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Browser Choice]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[Foxit]]></category>
		<category><![CDATA[IE8]]></category>
		<category><![CDATA[Opera]]></category>

		<guid isPermaLink="false">https://veroblog.wordpress.com/2010/06/09/microsoft-browser-choice-screen-rant/</guid>
		<description><![CDATA[I know this is old news, but it still annoys me. Just for those who have not heard, this useful summary of the legal background to Browser Choice (rather than the technical details) describes the decision: In December, the European Commission and Microsoft arrived at a resolution of a number of long-standing competition law issues. [...]]]></description>
			<content:encoded><![CDATA[<p>I know this is old news, but it still annoys me. Just for those who have not heard, this <a title="MS page discussing the Browser Choice decision" href="http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/02/19/the-browser-choice-screen-for-europe-what-to-expect-when-to-expect-it.aspx" target="_blank">useful summary of the legal background to Browser Choice</a> (rather than the technical details) describes the decision:</p>
<blockquote><p>In December, the European Commission and Microsoft arrived at a <a href="http://www.microsoft.com/Presspass/press/2009/dec09/12-16Statement.mspx">resolution</a> of a number of long-standing competition law issues. Microsoft made a legally binding commitment that PC manufacturers and users will continue to be able to install any browser on Windows, to make any browser the default browser, and to turn access to Internet Explorer on or off. In addition, Microsoft agreed to use Windows Update to provide a browser choice screen to Windows users in Europe who are running Internet Explorer as their default browser.</p>
</blockquote>
<p>So, when I install shiny new Windows 7 machines for my clients with a perfectly serviceable browser (IE8) with some great security features such as protected mode, I make sure Windows Update has brought everything up to date and BAM! An icon appears on their desktop and prompts them to choose what browser they want.</p>
<p>So I choose IE, delete the icon and everyone is happy.</p>
<p>This is a complete waste of everyone’s time and money. The users who want an alternative still go and download the browser of their choice. Most don’t bother. Making a bad choice from the popup screen and deciding a while later you want to switch, or revert to IE is just a waste of people’s time, and in business this time will cost money. Across Europe this hidden cost will be huge.</p>
<p><span id="more-349"></span></p>
<p>The choice screen is currently only being pushed to users in UK, Belgium and France, but later will cover the whole of the European Economic Area. Just like the pointless “Windows N” without media player, this panders to niche software vendors without delivering any real value to anyone that cares. Pushing this out via Windows Update will only serve to confuse huge numbers of consumers. Many consumers are perfectly happy with the browser, media player, calculator and notepad that come with their computer. A few are not, and may go out and freely choose to install any software they wish, and pretty easily make it their default. Should we take away the simplicity of buying a PC, turning it on and using it? Why not strip out all of these free applications and make people go and download only the ones they choose? Once upon a time it was seen as a great idea that Microsoft (and Apple, and anyone else) gave away free software with their OS so you could just get up and running; this is now seen as anti-competitive.</p>
<p>There is lots of media buzz around Firefox, Chrome and other alternatives. Anyone that cares has probably read about these and can easily find out more and make their own choice. Presenting them with a screen in this way makes it feel like they have to make a choice, and then gives them options which are virtually impossible to distinguish – the fastest, shiniest, safest, most standards-compliant, most popular browser. How is any of this helping them to make an informed decision? </p>
<p>Next time you buy a box of cornflakes should it have a money-off voucher on the side which gives you a discount from <em>any</em> brand of breakfast cereal? Should it have helpful descriptions so you can choose an alternative to your normal shopping option? How would they differentiate themselves? The tastiest? Crispiest? Sugariest? Healthiest?</p>
<h2>Is Internet Explorer really all that bad anyway?</h2>
<p>Yes, I know some users will never hear about, or understand, or care enough to change their browser to an alternative. So what? IE8 is really a pretty good browser. I’ve been a Firefox user for years, and still use it as my main browser on a regular basis, mainly for some of the add-ons like <a title="NoScript for Firefox" href="http://noscript.net/" target="_blank">NoScript</a> and <a title="AdBlock Plus for Firefox" href="http://adblockplus.org/en/" target="_blank">AdBlock Plus</a>, but I do find myself using IE more often for sites that don’t load properly. In fact, the main thing which keeps me from using IE8 as my default browser is probably that I use IE for my Dynamics CRM work, and it is much easier for me to mentally separate by application than merely by tabs or sessions. The jump list for IE on Windows 7 makes more sense than for FF (frequent sites rather than local pages) and the ability to jump straight to a tab or open window from a list would be useful if I didn’t tend to have several dozen open tabs at any given time. I do find that Firefox seems to recover better than IE from crashes (of the app or of Windows) and get my tabs back more reliably (my laptop sometimes locks up when undocking and has to be forcibly powered off and cold started, and FF usually picks up where it left off).</p>
<p>I understand that publicly funded institutions like the BBC should not be in the business of advertising, and need to have disclaimers like “other listings magazines are available” (just in case you did not know there are alternatives to the Radio Times because you have lived in a cave and never visited a newsagent or supermarket in the last 25 years). I just don’t get why this should apply to a company whose prime objective is (and should be) to increase shareholder value. It’s that simple – their shareholders want to earn money, not make the world a fluffier warmer cuddlier place.</p>
<p>I tried Opera a year or so ago and at the time it was no better than Firefox (and worse in some ways), so inertia won out and I stuck with what I had been using for a few years. I would need a compelling reason to change, and I have not seen one yet from Opera. IE8 is beginning to convince me that Microsoft has the best alternative for me. Firefox went from nothing to holding a significant market share. Google Chrome is following nicely, albeit with a much bigger marketing budget and established brand.</p>
<p>Arguments may be made about which browser is the most secure &#8211; for me probably the biggest reason to choose one over another right now, since drive-by malware infections seem to be getting more frequent and worse to remove. There is certainly a discussion to be had about whether the same ruling should be made about Apple’s software bundling – I don’t care if they ship Safari and IE, should they not also be forced to provide the same breadth of choice as MS? What about their productivity applications? Should you get the choice to install OpenOffice (or some other third party option)? I have nothing against Apple, but they do seem remarkably immune to these sorts of legal challenges (because of their market share) when they are actually a much more closed shop bundling hardware and software together.</p>
<p>I wish the European Commission had better things to do with their time and my taxes than this kind of nonsense. I wonder if it makes any difference that the company making the noise about it (Opera) is European, and they felt duty bound to stand up to the perceived might of a US software giant. </p>
<h2>What about non-MS applications bundled with new PCs?</h2>
<p>A much better use of their time would be considering banning PC manufacturers from bundling trialware with PCs, or at least restricting this in a variety of possible ways:</p>
<ul>
<li>all trialware must come NOT installed, but give the user the choice to install it as part of their setup. This is NOT the same as giving them a choice not to register and run it.</li>
<li>trialware must be free for at least the period of warranty of the hardware, usually at least a year</li>
<li>before installing, the consumer should be told the current cost of continuing their subscription for longer than that trial</li>
<li>if we can’t force them to not install it in the first place, there must be penalties for having uninstall routines which fail since the hardware is not fit for purpose with a half-uninstalled Norton suite on it which prevents other AV products working properly. Been there, sworn at that. Forcing me to download a separate removal tool is not an option unless you pay for my time in doing this. About £100 penalty should suffice.</li>
</ul>
<p>I even object to bundling of unnecessary applications, browser toolbars, gadgets and other crapware, and double FAIL points for those which insist on trying to update themselves every day. Some are arguably designed to get the most out of your hardware (such as a utility to selectively switch off WLAN, Bluetooth or 3G connections), while others are just generic fluff. If a system builder installs Google toolbar I am surely less likely to feel a need for Yahoo toolbar. Isn’t this just the same anti-competitive behaviour MS is being accused of? Please at least give me the choice at the time of purchase to avoid all non-essential apps, especially those I could easily install later for free if I choose to. And while we are on the subject, <a title="Use the free Foxit reader for Acrobat pdf files" href="http://veroblog.wordpress.com/2007/08/13/why-im-using-foxit-reader-for-acrobat-pdf-files/" target="_blank">Acrobat reader is NOT an essential app</a>, and in light of recent security vulnerabilities, not far away from installing a backdoor for malware.</p>
<p>What do you think? Is this a big waste of money or an important decision for fair business practices? What browser(s) are you using right now and why?</p>
<br /> Tagged: <a href='http://blog.meteorit.co.uk/tag/browser-choice/'>Browser Choice</a>, <a href='http://blog.meteorit.co.uk/tag/firefox/'>Firefox</a>, <a href='http://blog.meteorit.co.uk/tag/foxit/'>Foxit</a>, <a href='http://blog.meteorit.co.uk/tag/ie8/'>IE8</a>, <a href='http://blog.meteorit.co.uk/tag/microsoft/'>Microsoft</a>, <a href='http://blog.meteorit.co.uk/tag/opera/'>Opera</a>]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2010/06/09/microsoft-browser-choice-screen-rant/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
		<item>
		<title>UPS_Invoice email trojan variant claims to be from Customs Service</title>
		<link>http://blog.meteorit.co.uk/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/</link>
		<comments>http://blog.meteorit.co.uk/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/#comments</comments>
		<pubDate>Thu, 24 Jul 2008 14:38:04 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[Customs service]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[tax_invoice]]></category>
		<category><![CDATA[tracking number]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[UPS_invoice]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/</guid>
		<description><![CDATA[In the last hour I found in my inbox a variation on the UPS_Invoice trojans of last week. This new email claimed to be from "Customs Service" with the subject "Customs - We have received a parcel for you" and the following text:
Good afternoon, We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.]]></description>
			<content:encoded><![CDATA[<p>In the last hour I found in my inbox a variation on the <a title="Previous post regarding UPS_Invoice downloader trojan" href="http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/" target="_blank">UPS_Invoice trojans of last week</a>. This new email claimed to be from &#8220;Customs Service&#8221; with the subject &#8220;Customs &#8211; We have received a parcel for you&#8221; and the following text:</p>
<blockquote><p>Good afternoon,</p>
<p>We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.</p>
<p>Kind regards,</p>
<p>Rolland Hanna</p>
<p>Your Customs Service</p>
</blockquote>
<p>This content was so close to the UPS_Invoice one that it seems obvious it originates from the same source.</p>
<p><span id="more-186"></span>My parents were on holiday in France on July 9th (back home now) so this might just possibly have caught me out if I had not seen the previous variant, if the wording had been a bit less stilted (especially the signoff), and if the sender had actually been spoofed as the customs service rather than some random .com company. I guess the people most likely to fall for this would be anyone who bought something online from France, or through eBay, and maybe they are not 100% sure where their purchase is being shipped from.</p>
<p>This time the attachment was called Tax_Invoice.zip which expanded directly to the executable (no folders in between this time) which was called Tax_Invoice_________________________NHHDLS883298792929.exe . I guess the filename padding is a flimsy attempt to make the end part disappear from view and show as the truncated name &#8220;Tax_Invoice_&#8230;&#8221; or similar. Like the previous ones, this has a crude MS Word icon which has rough edges and simply does not scale above &#8220;medium icons&#8221; view in Vista &#8211; any larger and it just shows the smaller one in a larger grey box.</p>
<p>This one has an MD5 hash of 8CEB0F61089D86C086DCC08D6A783015.</p>
<p>Since the <a title="first post about UPS_Invoice malware" href="http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/" target="_blank">first rash</a> of <a title="second follow up post about UPS_invoice virus" href="http://veroblog.wordpress.com/2008/07/15/follow-up-post-about-ups_invoice-trojan/" target="_blank">these emails</a> last week, things died down. Presumably as the world&#8217;s antivirus vendors caught up with this new malware outbreak, they were mainly being caught at the point of sending. I certainly received none for several days, then had two on Monday night / Tuesday morning with the same text as before:</p>
<blockquote><p>Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office</p>
</blockquote>
<p>(one bizarrely missed the apostrophe from &#8220;recipient&#8217;s&#8221; and replaced it with a space)</p>
<p>Both had the same attachment UPS_INVOICE_978172.zip (47.9 KB or 49,110 bytes in size), which expanded to a 56KB (57,344 bytes) exe of the same name with MD5 checksum DA4B7EF93C588AD799F1A1C5AFB6CFAD.</p>
<p>Thursday&#8217;s pair were just called invoice_8712.zip (48 KB or 49,192 bytes) which held a 55.5 KB (56,832 bytes) file called INVOICE_8712.exe with MD5 digest of 9E2756F0A0AD988E149845B07216B181. All of this week&#8217;s emails had the subject &#8220;UPS Tracking Number nnn&#8221; with four different numbers: 1950761581, 8587187457, 7535113385, and 6853701924.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
		<item>
		<title>Follow up post about UPS_Invoice trojan</title>
		<link>http://blog.meteorit.co.uk/2008/07/15/follow-up-post-about-ups_invoice-trojan/</link>
		<comments>http://blog.meteorit.co.uk/2008/07/15/follow-up-post-about-ups_invoice-trojan/#comments</comments>
		<pubDate>Tue, 15 Jul 2008 14:51:39 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Agent HFU]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[UPS_invoice]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/07/15/follow-up-post-about-ups_invoice-trojan/</guid>
		<description><![CDATA[I've now had a chance to take a slightly closer look at the four copies of this Trojan Agent HFU that I received in the last 24 hours, as discussed in my previous post here. I've posted some details of file names and sizes along with MD5 hashes for people to be able to compare their versions against.]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve now had a chance to take a slightly closer look at the four copies of this Trojan Agent HFU that I received in the last 24 hours, as discussed in <a title="UPS_invoice trojan sent as zip attachment by email" href="http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/" target="_blank">my previous post here</a>. I&#8217;ve posted some details of file names and sizes along with MD5 hashes for people to be able to compare their versions against.</p>
<p><span id="more-185"></span></p>
<p>The first one which had the half German subject line was a file called UPS_Invoice_317.zip which was 5,420 bytes in size. This one expanded into two levels of folder as UPS_Invoice_317\Ups_invoice\UPS_INVOICE.exe (this was the only one to use lower case in its folder names). The executable was exactly 8,192 bytes (almost certainly padded) and had an MD5 hash of 6B4EF50E3E21205685CEA919EBF93476 which is the same as the one posted by Kayrac on the <a title="BroadBand reports forum discussion of UPS_invoice worm / trojan" href="http://broadbandreports.com/forum/r20789896-UPS-packet-upsinvoicezip-WORM" target="_blank">broadbandreports.com forum</a>. Unfortunately he did not say what the name of the containing zip file was.</p>
<p>My next one was called UPS_INOICE_107.zip (note the mis-spelling) and extracted as UPS_INOICE_107\UPS_INVOICE_107.exe &#8211; only one level of folders this time, and the executable inherited the numeric part in its name. The mis-spelling almost certainly came from a mis-spelled folder used to compress it in the first place, as most zip programs default to using the folder name for the zip file as well. This file was only 6,656 bytes long and had MD5 checksum of 0C0F2CB1DEB11EC0AA68DEE0933FAACF. Since this is smaller than all the others I am certain it is a significantly different variant, or perhaps is simply broken. Hopefully I can test this later to see what (if anything) it does.</p>
<p>My third and fourth received emails were both called UPS_INVOICE_107.zip and extracted to UPS_INVOICE_107\UPS_INVOICE_107.exe, both 8,192 bytes long and with the same MD5 digest of 58AC24B1F802990387870D3A5CC2312B. The two zip files however were different sizes (4,117 and 4,178 bytes), so they were not direct copies of one another.</p>
<p>All the files made reference to a Russian domain which was registered on the 11th June. I have obscured the domain name and parts of the IP address in the screenshot below, taken from <a title="great online DNS tools - WhoIs, IP lookups, TraceRoute and more" href="http://www.DNSstuff.com" target="_blank">DNSstuff.com</a>.</p>
<p><img src="http://veroblog.files.wordpress.com/2008/07/ups-trojan-domain.png?w=489&#038;h=371" alt="UPS_invoice trojan domain" width="489" height="371" /></p>
<p>There seems to be an SMTP server running on the same IP as the name servers, presumably to enable the malware to forward copies of itself, or perhaps to send messages home, since it does not seem to be set up to permit relaying.</p>
<p>Anyone have any further information about what this does yet? I&#8217;m just setting up a sandbox machine to try and track its infection in a safe environment.</p>
<p>Also, if you have any MD5 hashes which are different it might be interesting to post them as comments so we see how many flavours of this are out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/07/15/follow-up-post-about-ups_invoice-trojan/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2008/07/ups-trojan-domain.png" medium="image">
			<media:title type="html">UPS_invoice trojan domain</media:title>
		</media:content>
	</item>
		<item>
		<title>UPS_Invoice.exe trojan received by email</title>
		<link>http://blog.meteorit.co.uk/2008/07/14/ups_invoiceexe-trojan-received-by-email/</link>
		<comments>http://blog.meteorit.co.uk/2008/07/14/ups_invoiceexe-trojan-received-by-email/#comments</comments>
		<pubDate>Mon, 14 Jul 2008 18:09:36 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[UPS_invoice]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[zip file]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/</guid>
<description><![CDATA[This lunchtime I received an email as follows: From: United Parcel Service [someone@not_ups.com] Subject: UPS Paket N2410170593 Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office [...]]]></description>
			<content:encoded><![CDATA[<p>This lunchtime I received an email as follows:</p>
<blockquote><p>From: United Parcel Service [someone@not_ups.com]</p>
<p>Subject: UPS Paket N2410170593</p>
<p>Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.</p>
<p>Please print out the invoice copy attached and collect the package at our office</p>
<p>Your UPS</p>
<p>Attachment: UPS_Invoice_317.zip</p>
</blockquote>
<p>Of course this was extremely suspicious. I had no recent dealings with UPS, the email clearly did not really come from them anyway (it was not even spoofed to appear to be from their domain), and why on earth would they need to send me a file, let alone a zipped one? The misspelling in the subject also smelled of an automated message (although Paket is the correct spelling for the German word for packet). I smelled malware and wanted to find out more.</p>
<p><span id="more-183"></span>
<p>So I saved the file and had a quick peek with notepad to avoid opening the zip file at all. I could see enough of the content to see that the content of the zip was a single executable called UPS_invoice.exe rather than any kind of document file. Next step &#8211; a quick search online to see what particular flavour of nastiness this was. Fire up search engine, search for &#8220;UPS_invoice trojan&#8221;, &#8220;UPS invoice trojan&#8221; and other variations. Absolutely nothing at all. No-one else seems to have received this. Very strange indeed. I had a look on <a href="http://www.sophos.com" target="_blank">Sophos&#8217; website</a> and <a href="http://vil.nai.com" target="_blank">McAfee&#8217;s virus information library</a> but could not find anything resembling this.</p>
<p>I wondered if I had somehow been &#8216;lucky&#8217; enough to be one of the first to be sent a new malware variant, so I submitted a sample to Sophos.</p>
<p>I checked again later in the day and now I got a single hit for a site discussing this new menace, a blog at the Berlin Technische Universität focussing on hoax information had this post: <a title="UPS emails with malware" href="http://www2.tu-berlin.de/www/software/blog.shtml?08157" target="_blank">UPS-Mails mit Malware</a>. So, I was not alone, but it was still odd that no-one else reported this.</p>
<p>Of course, zip files can be opened natively on XP with no additional software, and a zip can be compressed in such a way that it will automatically open or run a file once it has decompressed the zip. This means that simply double-clicking the file could cause the payload to run, and attempt to install and do its damage.</p>
<p>Five hours after submitting my sample, Sophos kindly confirmed that the file did contain malware, identified by them as <a title="Trojan Agent HFU details from Sophos" href="http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthfu.html" target="_blank">Troj/Agent-HFU</a>. Coincidentally, the last email to arrive before I received this was another version of the same thing, with an English subject of &#8220;UPS Tracking Number 8017161622&#8221; and the attachment was called UPS_Inoice_107.zip this time (yes, that&#8217;s &#8220;inoice&#8221; with no V). So maybe the first one was actually a German variant sent to me &#8211; not too farfetched given that I receive plenty of spam in German, usually pump-and-dump stock scams, so I must be on someone&#8217;s spam lists.</p>
<h2>Still no information about UPS_Invoice.exe</h2>
<p>However, there was still no mention of the email subject or payload name. Web searches still found only the TU Berlin article &#8211; was this just because the search providers have an inevitable timelag, or something else? I had a read of the Sophos advisory about this and found that they simply don&#8217;t mention UPS at all. Nothing. I know back when I wrote my <a title="review of Sophos SBE antispam and antivirus" href="http://veroblog.wordpress.com/2007/01/14/sophos-sbe-anti-virus-and-anti-spam-for-small-businesses/" target="_blank">review of Sophos Small Business Edition</a> they used to be pretty good at describing the symptoms of a malware variant so you had some chance of identifying threats. Now the description says only that this trojan affects Windows, and that protection has been available for Sophos customers since 13 July 2008 19:44:42 (GMT). Pretty useless, so I thought I would check if anyone else had any more helpful information by searching for the name &#8220;Troj/Agent-HFU&#8221; and &#8220;Trojan Agent HFU&#8221;. The only results were sites which either syndicated Sophos information directly or wrote about new releases and quoted the source. So the blogosphere echoed with the same information I could get from Sophos but nothing else.</p>
<h2>What&#8217;s in a name?</h2>
<p>So, does this mean that Sophos are the only vendor out there offering to spot this new threat with an updated signature? I very much doubt it, I suspect this is just a manifestation of the usual problem of confusion over virus names. When a biologist finds a new species of beetle (or indeed a real-life virus) they get to name it anything they like. They can stick to a conventional <a title="Wikipedia article on Linnaean taxonomy" href="http://en.wikipedia.org/wiki/Linnaean_taxonomy" target="_blank">Linnaean classification</a>, or name it after their maternal grandmother, a character from Star Trek, or simply a new rude-sounding word. But once they have decided upon a name, everyone else has to use the same one. OK, there are cases where a second person does not realise that their find is not actually new, and they use their own chosen name for a while, but once it is determined that two creatures are in fact just individuals from the same species, the earlier name is used.</p>
<p>Not so for computer viruses. For years I have found it annoying and frustrating that the antivirus vendors seem to enjoy choosing different names for the same malware and then sticking doggedly to them. At least they used to cross-reference each other&#8217;s versions to some extent, but now it seems they are deliberately keeping to their own petty conventions. Why not adopt a universal scheme of letters and numbers within which any vendor can take the next one off the list and attach it to an identified executable? If astronomers can do this for the billions of stars and other objects found in outer space, why not for something as specific and tangible as a few dozen lines of code? Even the minor variants introduced by viruses when copying themselves in order to defeat the most primitive signature-based scanners are easily stripped away, and the core program and its behaviour can be identified. Maybe I&#8217;m being over-simplistic or optimistic about the levels of cooperation possible between large corporations which answer to their shareholders. Any insiders care to share any information about the practicality or otherwise of such a name-sharing scheme?</p>
<p>PS: A third email with subject &#8220;UPS Tracking Number 6360851232&#8221; and an attachment name correctly spelled as UPS_Invoice_107.zip arrived while I was writing this.</p>
<p>It just seems odd how no-one seems to be talking about these with reference to the subject or attachment names. Since it is totally obvious they are not really from UPS, what&#8217;s the issue? Has anyone else been receiving many of these? </p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/07/14/ups_invoiceexe-trojan-received-by-email/feed/</wfw:commentRss>
		<slash:comments>37</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
		<item>
		<title>Why IT design skills are important, and how to measure them</title>
		<link>http://blog.meteorit.co.uk/2008/02/29/why-it-design-skills-are-important-and-how-to-measure-them/</link>
		<comments>http://blog.meteorit.co.uk/2008/02/29/why-it-design-skills-are-important-and-how-to-measure-them/#comments</comments>
		<pubDate>Fri, 29 Feb 2008 12:10:14 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Training + certification]]></category>
		<category><![CDATA[70-298]]></category>
		<category><![CDATA[design exam]]></category>
		<category><![CDATA[MCP]]></category>
		<category><![CDATA[security design]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/02/29/why-it-design-skills-are-important-and-how-to-measure-them/</guid>
<description><![CDATA[The comments on my earlier post about the MS Security Design exam 70-298 prompted me to add some more general thoughts. I agree with the comment made that the design exams do generally seem easier in some respects than the straight technical ones, as you don&#8217;t need to know the same level of detail of [...]]]></description>
<content:encoded><![CDATA[<p>The comments on my <a title="70-298 exam thoughts" href="http://veroblog.wordpress.com/2008/02/22/passed-70-298-designing-security-for-windows-2003/" target="_blank">earlier post about the MS Security Design exam 70-298</a> prompted me to add some more general thoughts.</p>
<p>I agree with the comment made that the design exams do generally seem easier in some respects than the straight technical ones, as you don&#8217;t need to know the same level of detail of exactly how to do something in terms of making choices in a dialogue box. </p>
<p>On the other hand, the MS design exams do expect you to be able to take in, digest and interpret a load of business and technical requirements (some of the latter may only be implied from the former, some will be explicitly stated). The breadth of this is where the challenge lies in the real world, although the exam will often lead you in the right direction, rather than a blank sheet of paper on which to write an IT security plan. The nature of a computer-based exam does not lend itself to open questions; it would be very hard to make any kind of meaningful sense out of your answer to &#8220;How would you improve the security of the data for this organisation? (answer in no more than 200 words)&#8221;.</p>
<p><span id="more-145"></span></p>
<p>The other difference between these sort of exams and a real-world scenario is that in order to ensure there is a completely correct answer the requirements do not conflict. Sometimes one requirement might &#8220;trump&#8221; another, but will never directly oppose it. You won&#8217;t have the CEO saying that staff must not be required to carry anything for two-factor authentication while the CIO says all data must be encrypted and secured using smartcards. The reality of business is that overcoming these sort of conflicts is often the first hurdle for an IT manager to address through listening, discussion, understanding and education.</p>
<p>From a hardcore, old-school, hands-on technical point of view, this exam is not particularly challenging. It is really easy to say &#8220;just build a PKI infrastructure with subordinate CAs on every site, auto-enrol machines using Group Policy and then use IPSec to manage all access to secure data&#8221; &#8211; actually implementing such a plan is a bit more than an afternoon&#8217;s work, though!</p>
<p>Seeing the whole picture, understanding which bits of provided information are important and which less so, and knowing what can be done technically to address the needs is a different type of skill than the attention to detail needed for the technical exams. Much of this is learnt through experience, rather than from books. Reading widely around the subject at hand (security in this case, or Active Directory or Exchange design at enterprise level for those exams) and getting a feel for it from others is just as important.</p>
<p>In some ways, this design exam is a more realistic measure of your real ability to do this type of work than some of the technical exams. How many times have you had to learn some detail for an exam (such as the switches available for some command line tool), knowing that you have almost zero chance of ever needing that particular fact in your environment, and that if you ever did you would be able to look it up in minutes (most probably with a simple /?)? Knowing that the tool exists, and the situations where it is used, should be enough, and there seem to be too few exams which acknowledge this.</p>
<p>This learning of detail for its own sake is the reason why for me the 70-270 XP exam was one of the hardest to learn for. I have never done, and very likely never will do, an unattended (scripted) installation of Windows XP. I have used sysprep many times, creating &#8220;gold images&#8221; for cloning using tools such as Ghost, but never written an unattend.txt file. Yet for the exam I had to learn all the switches, what the files were called and where they were saved, and which one &#8220;won&#8221; if their configurations conflicted. To me, understanding the benefits and weaknesses of a variety of deployment methods is more important &#8211; should I be cloning? using RIS? writing unattend files and creating bootable install media? what advantages does Ghost multicast have over RIS? what disadvantages? how about SMS or SCCM? If I decide to use unattended installation, I can easily use reference books and internet resources to get the detail of how it is done. Knowing it is the right tool to use in the first place seems to me the bigger challenge.</p>
<p>In the end, I believe the design and technical exams share the same separation of skills as those of an architect and a builder. The architect needs to understand the building methods available and the benefits and limitations of them in order to be able to choose the appropriate ones for the required design to fit the customer brief from a two-bedroom house to a skyscraper or shopping mall. In doing so he will need to have some awareness of a whole range of trades such as building, plumbing, glazing, insulation, as well as understanding wider issues such as planning and environmental regulations. A builder has to implement the design through a deeper working knowledge and experience of actually laying bricks, pouring concrete or fitting steel structures together. A <em>good</em> builder will also be able to see the bigger picture and offer alternatives if his experience tells him that a better choice exists. The builder may also need to have some feel for where the plumbing will go or how the roof will be attached, but would not be expected to install the heating system or wire the alarms.</p>
<p>An IT team needs good builders, but without an architect who also understands the bigger picture, they will never get successful end-results, and somehow you have to be able to identify who has these skills and who does not.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/02/29/why-it-design-skills-are-important-and-how-to-measure-them/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
		<item>
		<title>Passed 70-298 &quot;Designing Security for a Windows 2003 Network&quot;</title>
		<link>http://blog.meteorit.co.uk/2008/02/22/passed-70-298-designing-security-for-windows-2003/</link>
		<comments>http://blog.meteorit.co.uk/2008/02/22/passed-70-298-designing-security-for-windows-2003/#comments</comments>
		<pubDate>Fri, 22 Feb 2008 13:40:50 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Training + certification]]></category>
		<category><![CDATA[70-298]]></category>
		<category><![CDATA[MCP]]></category>
		<category><![CDATA[security design]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/02/22/passed-70-298-designing-security-for-windows-2003/</guid>
<description><![CDATA[This morning I took and passed Microsoft exam 70-298 &#8220;Designing Security for a Windows 2003 Network&#8221;. Having not taken one of these scenario-style design exams before, I was a little cautious even though I was fairly confident of my knowledge of the material. The first section had 11 questions which was great as I had [...]]]></description>
			<content:encoded><![CDATA[<p>This morning I took and passed Microsoft exam 70-298 &#8220;Designing Security for a Windows 2003 Network&#8221;. Having not taken one of these scenario-style design exams before, I was a little cautious even though I was fairly confident of my knowledge of the material. </p>
<p>The first section had 11 questions which was great as I had made loads of notes from the provided fictional case studies, and I sailed through with loads of time to spare. Unfortunately the format of these exams is that the time for each part is independent, so you don&#8217;t get to carry any spare time to the next set of questions and use it there. I had a couple of shorter sections where I maybe spent too long reading the materials and answered the last question with seconds to spare.</p>
<p>Overall I found this style of exam to be right up my street; taking in lots of information in a very short time and then applying my technical knowledge to this to come up with solutions to the business issues. Despite the rushed time on a couple of questions I came away with my best score to date on a Microsoft MCP exam, and won&#8217;t need to use my <a title="Free second shot to take Microsoft exams" href="http://veroblog.wordpress.com/2007/09/08/microsoft-exams-free-second-chance-offer/" target="_blank">second chance</a> to take this.</p>
<p>How do you find these design exams compare to the &#8216;normal&#8217; technical ones?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/02/22/passed-70-298-designing-security-for-windows-2003/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
		<item>
		<title>Windows Server 2008 Security Resource Kit coming very soon</title>
		<link>http://blog.meteorit.co.uk/2008/02/15/windows-server-2008-security-resource-kit-coming-very-soon/</link>
		<comments>http://blog.meteorit.co.uk/2008/02/15/windows-server-2008-security-resource-kit-coming-very-soon/#comments</comments>
		<pubDate>Fri, 15 Feb 2008 14:19:28 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Windows Server 2008]]></category>
		<category><![CDATA[Resource Kit]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/02/15/windows-server-2008-security-resource-kit-coming-very-soon/</guid>
<description><![CDATA[Jesper Johansson has put together a great book for Windows Server 2008 focusing on security and providing a load of resources that go beyond the shipped product. Produced by a group of world-class contributors including several MVPs and members of Microsoft&#8217;s server security team, this is likely to be the definitive reference on the subject [...]]]></description>
			<content:encoded><![CDATA[<p><a title="Jesper Johansson, MVP for Enterprise Security" href="https://mvp.support.microsoft.com/profile=B905CAC6-13F3-48BE-AF20-5186994AA331" target="_blank"></a><a href="//www.amazon.co.uk/gp/product/0735625042?ie=UTF8&amp;tag=get040-21&amp;linkCode=as2&amp;camp=1634&amp;creative=6738&amp;creativeASIN=0735625042" target="_blank"><img style="margin:5px 15px 15px;" src="http://veroblog.files.wordpress.com/2008/02/image1.png?w=100&#038;h=122" alt="book cover - Windows Server 2008 Security Resource Kit" width="100" height="122" align="left" /></a>Jesper Johansson has put together a great book for Windows Server 2008 focusing on security and providing a load of resources that go beyond the shipped product.</p>
<p>Produced by a group of world-class contributors including several MVPs and members of Microsoft&#8217;s server security team, this is likely to be the definitive reference on the subject for some time. <a title="Jesper Johansson, MVP for Enterprise Security" href="https://mvp.support.microsoft.com/profile=B905CAC6-13F3-48BE-AF20-5186994AA331" target="_blank"></a></p>
<p>According to <a title="Windows Server 2008 security Resource Kit goes to press" href="http://msinfluentials.com/blogs/jesper/archive/2008/02/14/resource-kit-done.aspx" target="_blank">Jesper&#8217;s blog</a> it has now gone to press.</p>
<blockquote><p><em>This official Microsoft Resource Kit delivers the in-depth, technical information and tools you need to help protect your Windows®–based clients, server roles, networks, and Internet services. </em></p>
<p><em>Leading security experts explain how to plan and implement comprehensive security with special emphasis on new Windows security tools, security objects, security services, user authentication and access control, network security, application security, Windows Firewall, Active Directory® security, group policy, auditing, and patch management. The kit also provides best practices based on real-world implementations. </em></p>
<p><em>You also get must-have tools, scripts, templates, and other key job aids, including an eBook of the entire Resource Kit on CD.</em></p></blockquote>
<p>It&#8217;s an <a title="Windows Server 2008 Security Resource Kit" href="http://www.microsoft.com/MSPress/books/11841.aspx" target="_blank">MS Press title</a> so it should be pretty widely available, I will be pre-ordering my copy from <a title="Windows 2008 Security Resource kit at The Register books" href="http://books.theregister.co.uk/catalog/browse.asp?id=862451" target="_blank">here at The Register book store</a>, as they have really competitive pricing and free delivery for orders over £25 at the moment.</p>
<br /><img alt="" border="0" src="http://feeds.wordpress.com/1.0/categories/veroblog.wordpress.com/142/" /> <img alt="" border="0" src="http://feeds.wordpress.com/1.0/tags/veroblog.wordpress.com/142/" /> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/veroblog.wordpress.com/142/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/veroblog.wordpress.com/142/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/veroblog.wordpress.com/142/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/veroblog.wordpress.com/142/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/veroblog.wordpress.com/142/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/veroblog.wordpress.com/142/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/veroblog.wordpress.com/142/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/veroblog.wordpress.com/142/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/veroblog.wordpress.com/142/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/veroblog.wordpress.com/142/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/veroblog.wordpress.com/142/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/veroblog.wordpress.com/142/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/veroblog.wordpress.com/142/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/veroblog.wordpress.com/142/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.meteorit.co.uk&amp;blog=646149&amp;post=142&amp;subd=veroblog&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/02/15/windows-server-2008-security-resource-kit-coming-very-soon/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2008/02/image1.png" medium="image">
			<media:title type="html">book cover - Windows Server 2008 Security Resource Kit</media:title>
		</media:content>
	</item>
		<item>
		<title>Hardening Windows Systems &#8211; Roberta Bragg</title>
		<link>http://blog.meteorit.co.uk/2008/01/16/hardening-windows-systems-roberta-bragg/</link>
		<comments>http://blog.meteorit.co.uk/2008/01/16/hardening-windows-systems-roberta-bragg/#comments</comments>
		<pubDate>Wed, 16 Jan 2008 13:54:30 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Patching + hotfixes]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[book review]]></category>
		<category><![CDATA[hardening]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/01/16/hardening-windows-systems-roberta-bragg/</guid>
		<description><![CDATA[Author: Roberta Bragg. CISSP, MCSE: Security, Security+ Publisher: McGraw Hill / Osborne Suggested Publisher Price: $39.99 US / $57.95 CDN / £24.99 UK ISBN: 0-07-225354-1 Softcover, 504 pages Bulletproof your systems before you are hacked! Take a proactive approach to network security by hardening your Windows systems against attacks before they occur. Written by security evangelist [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Author:</strong> Roberta Bragg. CISSP, MCSE: Security, Security+<br />
<strong>Publisher:</strong> <a href="http://www.osborne.com">McGraw Hill / Osborne</a></p>
<p><strong>Suggested Publisher Price:</strong> $39.99 US / $57.95 CDN / £24.99 UK</p>
<p><strong>ISBN:</strong> 0-07-225354-1 Softcover, 504 pages</p>
<p><a title="Hardening Windows Systems" href="http://www.amazon.co.uk/gp/product/0070588651?ie=UTF8&amp;tag=get040-21&amp;linkCode=as2&amp;camp=1634&amp;creative=19450&amp;creativeASIN=0070588651" target="_blank"><img src="http://covers.eppg.com/Jpeg_140-wide/0072253541.jpeg" alt="Hardening Windows Systems book cover" hspace="5" vspace="5" width="140" height="173" align="middle" /></a></p>
<h2>Bulletproof your systems before you are hacked!</h2>
<p><em>Take a proactive approach to network security by hardening your Windows systems against attacks before they occur. Written by security evangelist Roberta Bragg, this hands-on resource provides concrete steps you can take immediately as well as ongoing actions to ensure long-term security. Whether you have one Windows server or one hundred, you&#8217;ll get complete details on how to systematically harden your network from the ground up, as well as strategies for getting company-wide support for your security plan. With coverage of Windows 95/98/NT 4.0/2000/XP and Windows Server 2003, this book is an essential security tool for on-the-job IT professionals.</em></p>
<p><span id="more-133"></span></p>
<h2>Extract from foreword:</h2>
<blockquote><p>One other area in which this book stands out is that it was written with the full realization that, while computer security is inherently about the computer, sometimes the biggest security vulnerabilities come from people&#8230;This book does an excellent job of illustrating the critical areas where the interaction among computers, users, administrators, and IT management can cause vulnerabilities to your network and what you can do about it now in addition to the technical aspects of configuring security.</p></blockquote>
<h2>Book Contents</h2>
<p><strong>Part I &#8211; Do this now!</strong><br />
1 &#8211; An immediate call to action<br />
<strong>Part II &#8211; Take it from the top: Systematic Hardening</strong><br />
2 &#8211; Harden Authentication<br />
3 &#8211; Harden Network Physical Infrastructure<br />
4 &#8211; Harden Logical Network Infrastructure<br />
5 &#8211; Harden Network Infrastructure Roles<br />
6 &#8211; Secure Windows Directory Information and Operations<br />
7 &#8211; Harden Administrative Authority and Practice<br />
8 &#8211; Harden Servers and Client Computers by Role<br />
9 &#8211; Harden Application access and use<br />
10 &#8211; Harden Data Access<br />
11 &#8211; Harden Communications<br />
12 &#8211; Harden Windows using PKI and harden PKI<br />
<strong>Part III &#8211; Once is never enough!</strong><br />
13 &#8211; Harden the security lifecycle<br />
<strong>Part IV &#8211; How to succeed in hardening your Windows systems</strong><br />
14 &#8211; Harden WetWare<br />
<strong>Appendix A &#8211; resources</strong></p>
<h2>Review</h2>
<h3>Introduction</h3>
<p>&#8220;Hardening Windows Systems&#8221; is a book written with the dual purpose of explaining why you should make every aspect of your systems secure, and exactly how to go about that. It thoroughly addresses many different aspects of a Windows network such as individual computers, user authentication, Active Directory and the physical and logical network elements. Some common myths are debunked, and the principle of blindly following the latest trend in &#8220;best practice&#8221; is dismissed.</p>
<p>The author is obviously passionate and evangelistic about security and shows great depth of knowledge, yet at no time does this book appear to say &#8220;you should do this just because I say so&#8221;. On the contrary, a clear attempt is made to properly educate the reader in the approach to good security practice, a real understanding of the issues and technologies involved, and thereby enable an administrator to harden their systems immediately and continue to revisit and re-harden their existing network and future new systems they introduce. Dealing with the topic from a high-level view right down to step-by-step procedures, this is a very comprehensive read for anyone who wants to harden their systems.</p>
<h3>Part I</h3>
<p>The first part addresses the most immediate, simple and effective measures which can and should be done if at all possible as a first step towards a more secure network. This includes elements such as physical security, banning non-secure wireless networks and disabling EFS. These latter two are good examples of the realistic approach taken by the author &#8211; today you should take preliminary steps which may seem extreme, since there is not enough time to fully address them in detail straight away. Later, after planning and testing it should be possible to take a more precise stance, for example enabling EFS only after proper key recovery procedures have been developed, tested and put firmly in place. This emphasises the point that doing nothing while working out what to do is rarely the sensible choice.</p>
<h3>Part II</h3>
<p>After the short appetiser of the first chapter calling for immediate action, the second part is served as the real main course, and takes up about 3/4 of the volume of the book. Various interlocking areas of potential weakness are discussed in a structured fashion across several chapters. Depending on the interests, skills or job description of the reader, some of the subjects in this section will have varying degrees of relevance. By dealing with clearly-defined topics in separate chapters, this allows you to concentrate your time and effort in areas of most concern without too much side-tracking into every possible area. Each of these chapters is filled with a huge amount of useful detail, including lists of services, files, and registry entries to be considered.</p>
<p>The author also gives a reasonably comprehensive explanation of the use of a variety of common and less well-known command line utilities, built-in tools, software from Resource Kits and additional downloads (such as MBSA and SUS). Some books try to give exhaustive (and exhausting) coverage of every possible feature of such tools (always a good way to fill more pages), or conversely refer to a command and leave the rest up to the reader to follow a URL. Instead, this author strikes a good balance, providing what you need to know to use a utility to achieve a specific result, complemented by a few further hints on alternative or more advanced features.</p>
<h3>Part III</h3>
<p>The dessert and coffee courses are an often-overlooked but important part of a good meal, and so it is with the subjects covered in the last two parts of this book. It is clearly not enough to harden systems once and then leave them be, so part III deals with the topic of ongoing patching, testing and auditing of systems. Another lesson which many technical people would perhaps rather avoid is understanding where your technical measures fit in relation to business operations, human factors and the prevailing legal environment. Good application of these &#8216;softer&#8217; aspects can have as great an effect on the overall &#8216;hardness&#8217; of your systems as all the lockdown methods applied elsewhere and this is well covered in part IV, avoiding the high-level cursory discussion other books sometimes provide.</p>
<h2>Overview, style and detail</h2>
<p>One of the best and most distinctive features of this book is that it covers all Windows systems from 95 onwards (even touching on ME at times!). Almost all other works in this area assume from the outset a pristine network of brand new systems using only the latest software, particularly those books whose main purpose is for passing exams. In reality this assumption is not only missing out a large chunk of the real-world, but can lead to systems which are unworkable, such as securing network authentication in such a way that older systems no longer function. By being inclusive and realistic, the author succeeds not only in providing a complete view, but demonstrates clearly both a wealth of personal experience and the importance of considering the whole environment at every step.</p>
<p>There is no pretence that these older systems can be hardened as easily or as far as more recent offerings, but the balanced approach shows how much can be done and emphasises the idea that one solution does not necessarily fit all. A side-effect of the inclusion of the whole Windows family in the discussion is that the contrast between older and newer operating systems becomes even more stark, which may provide further useful ammunition for those budget-constrained administrators to convince the bosses of the need to upgrade.</p>
<p>The most awkward aspect of this book is that it does not fit comfortably into a category as either a book to be read through from start to end, or a work for dipping into for occasional reference. It jumps from high-level discussion of a topic to specific instructions and settings to achieve a particular effect. This mirrors the obvious enthusiasm of the author and conveys the impression that &#8220;we have talked about this for long enough, now let&#8217;s get on with it!&#8221;. While in principle this is refreshing and avoids being bored by theory on the one hand or bombarded by whole chapters of detail on the other, it means the only place suitable for reading it is in front of a console from which real changes can be made. The immediacy of the instruction may also tempt readers to begin making changes on live systems without the proper planning which is cautioned elsewhere in the book.</p>
<p>Since the theory and practice cannot be completely separated, my only suggestion for improving this would be through altered layout, for example using recognisable boxes signaling to the user &#8220;either do the things in this section now or skip the box to carry on reading through&#8221;. While this technique is used to good effect for lists of settings, services and so on, it could be extended to improve both the process of reading through, and of finding individual details more efficiently as a reference source.</p>
<p>Almost all the tools and utilities covered are from Microsoft, although this does not appear to be a matter of loyalty or a banal free advertisement, rather it makes the methods used available to all readers for little or no cost. (A few of the tools come from the Resource Kits, so while they have an associated cost, it is quite likely that many organisations will already have these, possibly via Technet or MSDN). It means that concerns of interaction between tools and of any ongoing support issues are removed &#8211; if all your tools come from the same source you have the best chance of success or of proper assistance if all else fails.</p>
<p>Also absent is any discussion of additional Microsoft products which might be considered clear extensions of the hardening toolkit but require more expenditure, such as SMS and ISA server. The appendix of further reading would perhaps have been a good place to indicate some sources of additional software without too much time spent on the details of usage of every one and with an appropriate rider of &#8220;buyer beware&#8221; where appropriate, but the author unfortunately chose not to take this opportunity.</p>
<p>Unfortunately the legislation-related part of the last chapter is entirely US-orientated, and it would have been nicer to find some additional material (possibly from a second contributing author) covering UK issues, since there are some huge differences not just in the actual laws but in the underlying culture in which they are applied. Since many of the relevant areas are deliberately the same or similar in other EU countries as well (such as Data Protection, Freedom of Information and the Human Rights Act), this ought to make this chapter a lot more relevant to a wider audience.</p>
<p>This book does not cover non-Windows systems such as Linux, nor network infrastructure elements such as hardware firewalls, routing, packet sniffing and so on. You should not be misled by chapter headings &#8211; the sections on network infrastructure deal with physical security of various devices and with Windows based security features such as using IPSEC, how to harden RRAS, encryption and so on, but a firm line is drawn as to what constitutes hardening a Windows system and what is a supporting product or service. However, it is fairly clear from the outset what the book covers and what it does not, and there are three other books (by different authors) in the &#8220;Hardening&#8221; series covering Linux, Network Infrastructure and Code respectively. It would be unreasonable to expect any book to cover all of these properly in one volume, so &#8220;Windows Systems&#8221; is a broad but reasonable scope to adopt.</p>
<h2>Target Audience</h2>
<p>Firstly, I feel this is not a book which would be well received by non-technical senior management nor worth their time. While the CIO of a medium-sized firm may still be sufficiently in touch with the &#8220;nuts and bolts&#8221; of the systems to oversee day-to-day operations, this book remains unashamedly technical. Despite those few chapters which discuss the more human aspects of the hardening process, this is one small part of an otherwise technology-led approach, and these chapters are best used by technical staff and IT managers as an insight into how they must engage with the business management and users to meet them on their own terms. There are better books for non-technical executives relating in simple, human and business terms why security is important and in general how to go about the process of improving it.</p>
<p>Some of the topics covered (particularly the first chapter) could be easily followed with some success by an administrator with very little experience. However, this principle cannot be extended to some of the more complex areas of security in this book &#8211; a little knowledge may be a dangerous thing here. It is quite possible that trying to apply some of the hardening measures suggested without a deeper understanding of their functions, sufficient testing in a particular environment and a proper approach to rollback or recovery is just as likely to render a system unusable as to make it more secure.</p>
<p>I would therefore suggest that the target audience is primarily intermediate to advanced administrators, including those who may only be beginners in the security field as a specialty, or for whom security is only one part of their job. Furthermore, only the most experienced security professionals will find nothing of use or interest in this comprehensive, up to date and detailed book.</p>
<h2>Conclusion</h2>
<p>Overall, I am very happy to have read this book and now keep it handy on my shelf to refer to quite frequently, and would recommend others to do the same. I was very tempted to give this book a rating of 9/10 for its broad coverage and real, usable detail. Unfortunately I feel it is let down slightly by the lack of any discussion of additional tools from third parties and the slightly confusing switching between detail and big picture. I hope there will be an updated second edition in the future, for now this book receives a well-deserved rating of 8/10.</p>
<p>This review is © Copyright Adam Vero 2005 and was first published on <a href="http://www.security-forums.com">Security-Forums Dot Com</a>.<br />
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.</p>
<br /><img alt="" border="0" src="http://feeds.wordpress.com/1.0/categories/veroblog.wordpress.com/133/" /> <img alt="" border="0" src="http://feeds.wordpress.com/1.0/tags/veroblog.wordpress.com/133/" /> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/veroblog.wordpress.com/133/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/veroblog.wordpress.com/133/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/veroblog.wordpress.com/133/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/veroblog.wordpress.com/133/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/veroblog.wordpress.com/133/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/veroblog.wordpress.com/133/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/veroblog.wordpress.com/133/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/veroblog.wordpress.com/133/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/veroblog.wordpress.com/133/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/veroblog.wordpress.com/133/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/veroblog.wordpress.com/133/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/veroblog.wordpress.com/133/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/veroblog.wordpress.com/133/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/veroblog.wordpress.com/133/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.meteorit.co.uk&amp;blog=646149&amp;post=133&amp;subd=veroblog&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/01/16/hardening-windows-systems-roberta-bragg/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

		<media:content url="http://covers.eppg.com/Jpeg_140-wide/0072253541.jpeg" medium="image">
			<media:title type="html">Hardening Windows Systems book cover</media:title>
		</media:content>
	</item>
		<item>
		<title>Watch those data entries</title>
		<link>http://blog.meteorit.co.uk/2007/10/29/watch-those-data-entries/</link>
		<comments>http://blog.meteorit.co.uk/2007/10/29/watch-those-data-entries/#comments</comments>
		<pubDate>Mon, 29 Oct 2007 15:16:34 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Trivia and fun stuff]]></category>
		<category><![CDATA[cartoon]]></category>
		<category><![CDATA[data input]]></category>
		<category><![CDATA[Drop Table]]></category>
		<category><![CDATA[SQL]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2007/10/29/watch-those-data-entries/</guid>
		<description><![CDATA[Thought I would share a cartoon I saw: From http://imgs.xkcd.com/comics/exploits_of_a_mom.png (sorry, I don&#8217;t know who the original artist is, if I find out they will of course get credit)]]></description>
			<content:encoded><![CDATA[<p>Thought I would share a cartoon I saw:</p>
<p><img src="http://imgs.xkcd.com/comics/exploits_of_a_mom.png" /></p>
<p>From <a href="http://imgs.xkcd.com/comics/exploits_of_a_mom.png" title="http://imgs.xkcd.com/comics/exploits_of_a_mom.png">http://imgs.xkcd.com/comics/exploits_of_a_mom.png</a> (sorry, I don&#8217;t know who the original artist is, if I find out they will of course get credit)</p>
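<p>As an added example (not part of the original post), here is the attack the cartoon depicts carried out against an in-memory SQLite database from Python, beside the parameterised query that defeats it. The <code>Students</code> table, the sample rows and the payload string are constructed for the demonstration. The vulnerable path uses <code>executescript()</code> because SQLite&#8217;s <code>execute()</code> refuses stacked statements, whereas many database front ends, drivers and stored-procedure wrappers do not; the point is that building SQL text from user input hands the user a say in what statements run.</p>

```python
import sqlite3

# Constructed payload, in the spirit of the cartoon: closes the quoted value,
# ends the INSERT, drops the table, then comments out the rest of the line.
ROBERT = "Robert'); DROP TABLE Students;--"


def make_db():
    """Fresh in-memory database with one enrolled student (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def enrol_unsafe(conn, name):
    """Vulnerable: untrusted input is spliced into the SQL text.

    The resulting script is
        INSERT INTO Students (name) VALUES ('Robert'); DROP TABLE Students;--');
    executescript() runs every statement in it, as a backend that allows
    stacked queries would.
    """
    sql = "INSERT INTO Students (name) VALUES ('%s');" % name
    conn.executescript(sql)


def enrol_safe(conn, name):
    """Parameterised: the driver passes the value out of band, so the quote,
    semicolon and comment marker are just characters in a string."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def demo():
    """Run both paths with the same input; returns (table survived unsafe path,
    rows stored by safe path)."""
    unsafe = make_db()
    enrol_unsafe(unsafe, ROBERT)

    safe = make_db()
    enrol_safe(safe, ROBERT)

    return table_exists(unsafe), student_names(safe)


if __name__ == "__main__":
    survived, rows = demo()
    print("Students table survived unsafe enrolment:", survived)
    print("Rows after safe enrolment:", rows)
```

<p>The safe version stores the whole payload verbatim as a name, which is exactly what you want: validation and display escaping are separate concerns, and the query structure is fixed before any user data reaches the database.</p>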
<br /><img alt="" border="0" src="http://feeds.wordpress.com/1.0/categories/veroblog.wordpress.com/129/" /> <img alt="" border="0" src="http://feeds.wordpress.com/1.0/tags/veroblog.wordpress.com/129/" /> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/veroblog.wordpress.com/129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/veroblog.wordpress.com/129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/veroblog.wordpress.com/129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/veroblog.wordpress.com/129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/veroblog.wordpress.com/129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/veroblog.wordpress.com/129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/veroblog.wordpress.com/129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/veroblog.wordpress.com/129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/veroblog.wordpress.com/129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/veroblog.wordpress.com/129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/veroblog.wordpress.com/129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/veroblog.wordpress.com/129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/veroblog.wordpress.com/129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/veroblog.wordpress.com/129/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.meteorit.co.uk&amp;blog=646149&amp;post=129&amp;subd=veroblog&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2007/10/29/watch-those-data-entries/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

		<media:content url="http://imgs.xkcd.com/comics/exploits_of_a_mom.png" medium="image" />
	</item>
	</channel>
</rss>
