Suggested Publisher Price: $39.99 US / $57.95 CDN / £24.99 UK

ISBN: 0-07-225354-1 Softcover, 504 pages

Bulletproof your systems before you are hacked!

Take a proactive approach to network security by hardening your Windows systems against attacks before they occur. Written by security evangelist Roberta Bragg, this hands-on resource provides concrete steps you can take immediately as well as ongoing actions to ensure long-term security. Whether you have one Windows server or one hundred, you’ll get complete details on how to systematically harden your network from the ground up, as well as strategies for getting company-wide support for your security plan. With coverage of Windows 95/98/NT 4.0/2000/XP and Windows Server 2003, this book is an essential security tool for on-the-job IT professionals.

Extract from foreword:

One other area in which this book stands out is that is was written with the full realization that, while computer security is inherently about the computer, sometimes the biggest security vulnerabilities come from people…This book does an excellent job of illustrating the critical areas where the interaction among computers, users, administrators, and IT management can cause vulnerabilities to your network and what you can do about it now in addition to the technical aspects of configuring security

Book Contents

Part I – Do this now!
1 – An immediate call to action
Part II – Take it from the top: Systematic Harden
2 – Harden Authentication
3 – Harden Network Physical Infrastructure
4 – Harden Logical Network Infrastructure
5 – Harden Network Infrastructure Roles
6 – Secure Windows Directory Information and Operations
7 – Harden Administrative Authority and Practice
8 – Harden Servers and Client Computers by Role
9 – Harden Application access and use
10 – Harden Data Access
11 – Harden Communications
12 – Harden Windows using PKI and harden PKI
Part III – Once is never enough!
13 – Harden the security lifecycle
Part IV – How to succeed in hardening your Windows systems
14 – Harden WetWare
Appendix A – resources

Review

Introduction

“Hardening Windows Systems” is a book written with the dual purpose of explaining why you should make every aspect of your systems secure, and exactly how to go about that. It thoroughly addresses many different aspects of a Windows network such as individual computers, user authentication, Active Directory and the physical and logical network elements. Some common myths are debunked, and the principle of blindly following the latest trend in “best practice” is dismissed.

The author is obviously passionate and evangelistic about security and shows great depth of knowledge, yet at no time does this book appear to say “you should do this just because I say so”. On the contrary, a clear attempt is made to properly educate the reader in the approach to good security practice, a real understanding of the issues and technologies involved, and thereby enable an administrator to harden their systems immediately and continue to revisit and re-harden their existing network and future new systems they introduce. Dealing with the topic from a high-level view right down to step-by-step procedures, this is a very comprehensive read for anyone who wants to harden their systems.

Part I

The first part addresses the most immediate, simple and effective measures which can and should be done if at all possible as a first step towards a more secure network. This includes elements such as physical security, banning non-secure wireless networks and disabling EFS. These latter two are good examples of the realistic approach taken by the author – today you should take preliminary steps which may seem extreme, since there is not enough time to fully address them in detail straight away. Later, after planning and testing it should be possible to take a more precise stance, for example enabling EFS only after proper key recovery procedures have been developed, tested and put firmly in place. This emphasises the point that doing nothing while working out what to do is rarely the sensible choice.

Part II

After the short appetiser of the first chapter calling for immediate action, the second part is served as the real main course, and takes up about 3/4 of the volume of the book. Various interlocking areas of potential weakness are discussed in a structured fashion across several chapters. Depending on the interests, skills or job description of the reader, some of the subjects in this section will have varying degrees of relevance. By dealing with clearly-defined topics in separate chapters, this allows you to concentrate your time and effort in areas of most concern without too much side-tracking into every possible area. Each of these chapters is filled with a huge amount of useful detail, including lists of services, files, and registry entries to be considered.

The author also gives reasonably comprehensive explanation of the use of a variety of common and less well-known command line utilities, built-in tools, software from Resource Kits and additional downloads (such as MBSA and SUS). Some books try to give exhaustive (and exhausting) coverage of every possible feature of such tools (always a good way to fill more pages), or conversely refer to a command and leave the rest up to the reader to follow a URL. Instead, this author strikes a good balance, providing what you need to know to use a utility to achieve a specific result, complemented by a few further hints on alternative or more advanced features.

Part III

The dessert and coffee courses are an often-overlooked but important part of a good meal, and so it is with the subjects covered in the last two parts of this book. It is clearly not enough to harden systems once and then leave them be, so part III deals with the topic of ongoing patching, testing and auditing of systems. Another lesson which many technical people would perhaps rather avoid is understanding where your technical measures fit in relation to business operations, human factors and the prevailing legal environment. Good application of these ‘softer’ aspects can have as great an effect on the overall ‘hardness’ of your systems as all the lockdown methods applied elsewhere and this is well covered in part IV, avoiding the high-level cursory discussion other books sometimes provide.

Overview, style and detail

One of the best and most distinctive features of this book is that it covers all Windows systems from 95 onwards (even touching on ME at times!). Almost all other works in this area assume from the outset a pristine network of brand new systems using only the latest software, particularly those books whose main purpose is for passing exams. In reality this assumption is not only missing out a large chunk of the real-world, but can lead to systems which are unworkable, such as securing network authentication in such a way that older systems no longer function. By being inclusive and realistic, the author succeeds not only in providing a complete view, but demonstrates clearly both a wealth of personal experience and the importance of considering the whole environment at every step.

There is no pretence that these older systems can be hardened as easily or as far as more recent offerings, but the balanced approach shows how much can be done and emphasises the idea that one solution does not necessarily fit all. A side-effect of the inclusion of the whole Windows family in the discussion is that the contrast between older and newer operating systems becomes even more stark, which may provide further useful ammunition for those budget-constrained administrators to convince the bosses of the need to upgrade.

The most awkward aspect of this book is that it does not fit comfortably into a category as either a book to be read through from start to end, or a work for dipping into for occasional reference. It jumps from high-level discussion of a topic to specific instructions and settings to achieve a particular effect. This mirrors the obvious enthusiasm of the author and conveys the impression that “we have talked about this for long enough, now let’s get on with it!”. While in principle this is refreshing and avoids being bored by theory on the one hand or bombarded by whole chapters of detail on the other, it means the only place suitable for reading it is in front of a console from which real changes can be made. The immediacy of the instruction may also tempt readers to begin making changes on live systems without the proper planning which is cautioned elsewhere in the book.

Since the theory and practice cannot be completely separated, my only suggestion for improving this would be through altered layout, for example using recognisable boxes signaling to the user “either do the things in this section now or skip the box to carry on reading through”. While this technique is used to good effect for lists of settings, services and so on, it could be extended to improve both the process of reading through, and of finding individual details more efficiently as a reference source.

Almost all the tools and utilities covered are from Microsoft, although this does not appear to be a matter of loyalty or a banal free advertisement, rather it makes the methods used available to all readers for little or no cost. (A few of the tools come from the Resource Kits, so while they have an associated cost, it is quite likely that many organisations will already have these, possibly via Technet or MSDN). It means that concerns of interaction between tools and of any ongoing support issues are removed – if all your tools come from the same source you have the best chance of success or of proper assistance if all else fails.

Also absent is any discussion of additional Microsoft products which might be considered clear extensions of the hardening toolkit but require more expenditure, such as SMS and ISA server. The appendix of further reading would perhaps have been a good place to indicate some sources of additional software without too much time spent on the details of usage of every one and with an appropriate rider of “buyer beware” where appropriate, but the author unfortunately chose not to take this opportunity.

Unfortunately the legislation-related part of the last chapter is entirely US-orientated, and it would have been nicer to find some additional material (possibly from a second contributing author) covering UK issues, since there are some huge differences not just in the actual laws but in the underlying culture in which they are applied. Since many of the relevant areas are deliberately the same or similar in other EU countries as well (such as Data Protection, Freedom of Information and the Human Rights Act), this ought to make this chapter a lot more relevant to a wider audience.

This book does not cover non-Windows systems such as Linux, nor network infrastructure elements such as hardware firewalls, routing, packet sniffing and so on. You should not be misled by chapter headings – the sections on network infrastructure deal with physical security of various devices and with Windows based security features such as using IPSEC, how to harden RRAS, encryption and so on, but a firm line is drawn as to what constitutes hardening a Windows system and what is a supporting product or service. However, it is fairly clear from the outset what the book covers and what it does not, and there are three other books (by different authors) in the “Hardening” series covering Linux, Network Infrastructure and Code respectively. It would be unreasonable to expect any book to cover all of these properly in one volume, so “Windows Systems” is a broad but reasonable scope to adopt.

Target Audience

Firstly, I feel this is not a book which would be well received by non-technical senior management nor worth their time. While the CIO of a medium-sized firm may still be sufficiently in touch with the “nuts and bolts” of the systems to oversee day-to-day operations, this book remains unashamedly technical. Despite those few chapters which discuss the more human aspects of the hardening process, this is one small part of an otherwise technology-led approach, and these chapters are best used by technical staff and IT managers as an insight into how they must engage with the business management and users to meet them on their own terms. There are better books for non-technical executives relating in simple, human and business terms why security is important and in general how to go about the process of improving it.

Some of the topics covered (particularly the first chapter) could be easily followed with some success by an administrator with very little experience. However, this principle cannot be extended to some of the more complex areas of security in this book – a little knowledge may be a dangerous thing here. It is quite possible that trying to apply some of the hardening measures suggested without a deeper understanding of their functions, sufficient testing in a particular environment and a proper approach to rollback or recovery could render a system unusable just as likely as it might make it more secure.

I would therefore suggest that the target audience is primarily intermediate to advanced administrators, including those who may only be beginners in the security field as a specialty, or for whom security is only one part of their job. Furthermore, only the most experienced security professionals will find nothing of use or interest in this comprehensive, up to date and detailed book.

Conclusion

Overall, I am very happy to have read this book and now keep it handy on my shelf to refer to quite frequently, and would recommend others to do the same. I was very tempted to give this book a rating of 9/10 for its broad coverage and real, usable detail. Unfortunately I feel it is let down slightly by the lack of any discussion of additional tools from third parties and the slightly confusing switching between detail and big picture. I hope there will be an updated second edition in the future, for now this book receives a well-deserved rating of 8/10.

This review is © Copyright Adam Vero 2005 and was first published on Security-Forums Dot Com.
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.

Authors: David and Raina Hawley

Publisher: O’Reilly

Suggested Publisher Price: $24.95 US / $36.95 CDN / £17.50 UK

ISBN: 0-596-00625-X Softcover, 284 pages

Excel has fundamentally changed the way we’ve related to numbers for over a decade, but much of its power remains hidden.

Diving beneath the surface of Excel requires looking at features in unusual ways, but offers great rewards. Excel Hacks helps you leapfrog most of the preparatory work of understanding how it all works and what lives where, taking you straight to a set of immediately practical tools and techniques for analyzing, processing and presenting data.

Contents

• Chapter 1. Reducing Workbook and Worksheet Frustration
• Chapter 2. Hacking Excel’s Built-in Features
• Chapter 3. Naming Hacks
• Chapter 4. Hacking PivotTables
• Chapter 5. Charting Hacks
• Chapter 6. Hacking Formulas and Functions
• Chapter 7. Macro Hacks
• Chapter 8. Connecting Excel to the World

Review

Introduction

Why read “Excel Hacks”? The word “hack” in the title here is meant only in the old-fashioned sense of getting a program or system to do what you really want or need, rather than what the programmer thought you would want. The authors have many years of experience, including with older versions of Excel which had a lot of power hidden away from the average user. They have provided consulting and training services and give away lots of information for users of all levels through their website.

My own experience with Excel has varied widely over the last 12 years of teaching and using it. I have found it useful for a whole range of tasks from simple lists and charts to parsing big AD exports in order to re-use the information for creating scripts. I have also used a much greater part of the functionality to do monthly analysis of sales to a major blue chip corporation (around a dozen fields for 50,000+ records). I wish this book had been available to me then, as I would have saved substantial time and effort and created a much more robust solution.

Overview

This book is not designed as an Excel primer for beginners, it is firmly aimed at people who are already familiar with many of the concepts and the interface of the program. Speaking of the interface it is worth noting that the authors have taken great care to provide as much help as possible for different platforms – all shortcuts have Mac and Windows alternatives, and where a particular hack is version-dependent this is made clear.

That said, “Excel Hacks” is not exclusively for really advanced users – if you have never done the simplest formula it may not be for you, but if you have done a few basic arithmetic functions, SUMs, and IFs you should be able to get some value out of many of the hacks included in the book. Similarly this book will not teach you to write VB code (although you could simply use some of the code examples verbatim without fully understanding them), but it will help you manage macros more powerfully and use some simple methods for improving performance.

The thing I found most useful was the number of functions which I already knew and used in their most basic ways, but now they were properly explained, I can stretch them to their limits. Many users quickly get frustrated with formulae which seem to depend on making direct cell references, whereas the methods shown here enable you to use much more flexible ways to cross-reference information which may not always be found in a static location. This concept leads directly on to the overall approach taken by the authors of working to “best practice”. They show how planning your spreadsheet solution and taking time to set things up (such as defining named ranges) will make you more productive in the long term and spend less time re-writing and updating your work every time the underlying data changes (for example as you add another month’s sales figures).

The chapters of the book collect together related hacks so you can easily focus on the sort of topics you want to find, although there is such good cross-referencing between hacks that you can easily dip in at any point and get your hands dirty with using the ideas straight away.

The style of writing is fairly relaxed and clearly comes from a practical standpoint. No time or space is wasted on explaining the most basic functionality – if you can already find it in the Excel help files you probably won’t find it here. Plenty of screenshots and examples help the reader to absorb the techniques without having to be sat in front of the application at the time.

For me there is a little too much room given to some of the charting techniques. The rather esoteric speedometer pie chart hack takes nearly seven pages which does not seem justified for the few people that might use it. It seems to be included to show how clever it is (which it certainly is) rather than for its usefulness.

Conclusion

I found this book to be very useful as a quick way to learn some techniques to take Excel to the next level. The real-world attitude of the authors comes across in the style of the book and in the choice of hacks included – most of them seem to answer questions users will have had asked themselves before.

The clear explanations of the advanced ways to use seemingly simple functions will help anyone to become more effective in the spreadsheet solutions they are able to produce. This book receives a solid rating of 8/10.

This review is © Copyright Adam Vero 2007 and was first published on Security-Forums Dot Com.
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.

Author: Jeremy Moskowitz, MCSE, MCSA, MVP

Publisher: Sybex

Suggested Publisher Price: $49.99 US / $69.95 CDN / £34.99 UK

ISBN: 0-7821-4298-2 Softcover, 536 pages (+TOC / index)

Buy the book direct from the Author (and get it signed!) (Update: this link now goes to a page for the replacement fourth edition of this book)

Everything you need to know about Group Policy in one useful reference…and loads more besides

The Group Policy Management Console (GPMC) is a dramatic step forward in the way Group Policy is administered. This book provides all the instruction and insight you need to take full control of your Active Directory with GPMC and other Group Policy tools. You’ll also learn techniques for implementing Intellimirror, making it possible for users to work securely from any location; and you’ll find intensive troubleshooting advice, insider tips on keeping your network secure, and hundreds of clear examples that will help you accomplish all your administration goals.

Topics covered:

• Create and manage all Group Policy functions within Active Directory
• Understand Group Policy differences in Windows 2000, Windows XP, and Windows 2003 systems
• Troubleshoot Group Policy using Support tools, Resource Kit utilities, log files, registry hacks, and third-party tools
• Create and deploy custom settings for managing client systems
• Manage, secure, and audit client and server systems
• Script complex operations, including linking, back-up, restore, permissions changes, and migrating
• Set up Local, Roaming, and Mandatory profiles
• Set up and manage Intellimirror components with Group Policy
• Use Group Policy Software Installation to perform hands-off installations
• Use Remote Installation Services to automate the installation of new Windows systems
• Ensure the safety of your users’ data with Redirected Folders and Shadow Copies

Review

Introduction

This book contains everything you ever needed to know about Group Policy and related topics, including loads of things you probably didn’t even know you should have been asking!

Jeremy Moskowitz covers in great depth the whole subject of group policy, as well as profiles (including roaming and mandatory), redirected folders, offline files, Shadow Copies, Remote Installation Services (RIS) and even finds time to take a preliminary look at scripting. I thought I already had a good grasp of most of these things, but this book still provided a wealth of little details, tips and tricks, up to date information and proper explanations of how all this really works. It was also an easy way to get up to date on many of the changes made with the introduction of XP and 2003, since these are highlighted.

Overview

When I first started reading this book I was not sure it would suit me. It is written in a very conversational, colloquial style more suited to a Tarantino script than a technical manual, and normally I find this irritating when I want precise answers from a reference work. However, I soon changed this first impression. Through this chatty style the author drew me in, got me intrigued by his passion for the subject and seemed to metaphorically drag me in and say “I just want to show you this other really cool thing you can do…”. I found I could read fluidly through huge chunks of the book and actually take in the information presented along the way as well – quite unusual for a book of this depth.

About 70% of the book is concerned solely with group policy – what policies are, how to create, apply and troubleshoot them, and some tips for more complex scenarios such as multiple-forest environments. It is a little difficult to split it in this way since topics like folder redirection depend on a policy for delivery but involve so much more than a mere setting and are dealt with in a section of their own.

I would guess that many people using group policy have probably dived right in without a thorough knowledge of many of the aspects the author deals with, such as exactly when and how policies are applied “under the hood”, what to do about updating templates (.adm files) for newer settings, and consideration of policies being applied across multiple operating systems. There is a great deal to be gained from the author’s experience here, such as sensible shortcuts to and best practice, as well as common pitfalls to avoid.

One area which does not get much coverage in older books on Windows network administration is the use of software restriction policies. In many cases this is because they were written before XP and 2003 made software restriction available through group policy (rather than older NT-style policies or using appsec.exe). This is one of those complex areas which are not just about ticking a box and everything works automagically, but requires proper attention to planning, design and testing before wholesale rollout. This book devotes a whole chapter to the topic to give it the attention it deserves, and recognises the importance for 2003 Terminal Services / Citrix environments as well as desktop administrators.

The remainder of the book deals with what at first appear to be only a loosely related collection of Windows tools for automating and controlling the user experience. A closer look reveals some deeper insights into things such as user profiles which are often skimmed over and taken for granted. It would be tempting for experienced administrators to skim these chapters on the assumption that they already know what they contain, but to do so would miss much of genuine use. I was pleasantly surprised to find many nuggets of new information as well as proper explanations of when to use these tools as well as how to configure and optimise them. Once more the author’s intimate style and obvious real-world experience came together and it is at times like being shown how to do things by a wiser colleague who can say “I’ve been here before, this is how I would approach it…”

The topics covered in the latter parts of the book include tools for automating installation – Remote Installation Services (RIS) and Group Policy Software Installation (GPSI). Again there is plenty of information here for both first-timers and old hands, and should be read particularly by anyone that has tried and given up on these powerful but troublesome subjects. Coverage is also given to features which were not available in Windows 2000 such as using advanced WMI filters on policies (particularly valuable for GPSI) and this may be enough to justify revisiting this. There is also a brief discussion of how all this fits with more complex tools such as Microsoft Systems Management Server (SMS).

Style, Coverage and Detail

As I said at the start, I was impressed by how well Jeremy Moskowitz has managed to take a potentially dry subject and get across many important details in a relaxed style. This is really important in the many chapters where there is a temptation to skip over things that you “already know”. By keeping the reader engaged it is almost easier to keep reading than to miss sections out.
The author makes good use of screenshots, boxed-off text for extra notes and details and plenty of cross references to other parts of the book and web-based resources. These all help the flow, keeping the important things in the body of the text and leaving you to read the extras which you find particularly relevant. Each chapter has a useful conclusion, bringing together the areas covered, rather like a lesson summary.

The amount of information in the book is a double-edged sword – I expect I will refer back to it frequently as a reference, but I found it occasionally frustrating not being able to get straight to something I knew I had read before, and skim reading large sections was quite hard. The index could have been a little more comprehensive – sometimes you have to know what heading something is under before you can find it. It is easy to get used to being handed things on a plate by search engines these days, so maybe I am being a bit harsh, but at the risk of too much duplication it could be useful if the index were expanded a little. The front and back panels of the book go some way to help using the book as a reference when you first pick it up – one highlights which parts of the book cover different group policy topics and the other lists the areas which are new, which is ideal for people using this as a means to bring old skills up to date.

As an example of the level of detail in this book, it even discusses the subtle differences between the way XP and 2003 handle software restrictions in reality and discusses how XP sp2 may change that (the edition reviewed was published when sp2 was still in Beta; the third edition expected soon will bring this properly up to date). It is this kind of attention to little details which makes this book stand out as a really useful practical reference work for the real-world administrator, especially when it comes to troubleshooting.

When I first saw the book I thought it would be a bit like a “three-in-one” – basically separate topics lumped together with a solid group policy book for padding or publishing convenience. I was not convinced there was enough to be said about profiles, folder redirection and software installation to contribute any real benefit to my bookshelf. This partly highlights how little I thought was involved in some of these topics, but this was largely brought about by many other books giving only a surface-level treatment of such things. Too often I had read other sources which I now realise only described how things appear to work, only with the latest OS in a simple environment, and assuming everything behaves as it should. The real world is a little more complicated than that, a fact which this book easily takes in its stride.

There are a few things which the author acknowledges might be considered missing from this otherwise comprehensive book such as IPSec, PKI and EFS. Clearly there is a limit to fitting in a discussion of every possible policy, and the author does attempt to mitigate these omissions by some useful URLs for relevant MS references. Hopefully some of these might get some space in the third edition as more organisations start to adopt these built-in security features.

Overall, this book covers just about every aspect of delivering, managing and controlling the user environment across your enterprise. It is not intended to cover all aspects of systems security, nor provide a comprehensive manual for writing scripts to automate non-policy events, but it does give both of these a suitable level of attention in the wider context of the whole subject of systems management.

Target Audience

I have read many MS Press, Sybex and other publishers’ titles about Windows servers, active directory design and management and been an administrator and systems architect for several years. I was pleasantly surprised to find so much information that I had not come across before in a single book. Whether you want to consolidate your knowledge for your personal training plan, update your skills from Windows 2000, or have a real issue you are trying to resolve, this is the book for you.

Conclusion

Even if you don’t feel you or your organisation are ready for using group policy extensively (although after reading this you may not be able to resist!), the rest of the book is probably justification for adding a copy of this book to your library.

This is a sound collection of tutorials for anyone who wants to give users a better experience, tighten control of their systems, increase security and do it all without leaving their desk. Rather than being seen solely as a technical reference on a few specific topics, this possibly deserves the broader title of “Managing Windows Systems (using Group Policy and Intellimirror)”.

I would say without hesitation that “Group Policy, Profiles, and Intellimirror” is an essential handbook for any administrator wanting to improve their systems for their users, the business and themselves. This book receives a hard-earned rating of 10/10, and I look forward to the third edition with great anticipation.

This review is © Copyright Adam Vero 2005 and was first published on Security-Forums Dot Com.
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.