Customer Reviews

Securing Windows NT/2000 Servers for the Internet

5 star:		(4)
4 star:		(5)
3 star:		(1)
2 star:		(1)
1 star:		(0)

 

 

Stefan Norberg wrote one of the first good securing NT documents that were available on the Internet. This book takes that paper to the next level. I have read and researched quite a bit on securing NT/2000 and from what I've read so far (not quite done yet), I consider this one of the best resources. The section on installing SSH on NT is extremely helpful for those who have not tackled that beast before. Norberg's original paper was considered by many (including myself) to be essential reading for anyone concerned with NT/2000 security. This book is even better and should be a part of the library of any responsible NT/2000 admin.

I am a senior engineer for network security operations. I read "Securing Windows NT/2000 Servers for the Internet" (SWNS) to better advise clients on secure configuration of their Windows platforms. Stefan's wonderful book is a testament to the fundamental insecurity of stock Windows platforms. Luckily, his advice transforms vulnerable systems into bastion hosts suitable for deployment on the hostile Internet.

SWNS' key insight is the need to cripple many default Windows services in the interest of security. These troublesome "features" include NetBIOS, the Workstation service, the Server service, and others. In fact, after creating a bastion host, Stefan says "there's no way of administering it remotely!" (This is the case because NT's standard remote admin tools, like Event Viewer and Server Manager, require RPC using NetBIOS.) Thankfully, Stefan provides several options for secure remote administration, like pcAnywhere, Windows 2000 Terminal Services, and open source alternatives (Secure Shell, Virtual Network Computer, etc.)

I concur with an earlier review noting the lack of attention for Microsoft's IIS web server. Hundreds of thousands of Windows machines were recently compromised by the "Code Red" worm, demonstrating two facts. First, Windows is frequently used to host web servers. Second, IIS is frequently deployed insecurely. A second edition of SWNS should add a chapter on configuring IIS. I was also unhappy with Stefan's dismissal of intrusion detection technology in chapter six. He should try the Windows port of the open source Snort IDS.

Overall, SWNS is a must-buy for Windows administrators. The book is a quick read, but it explains many aspects of the internal workings of Microsoft's premier operating systems. As the title implies securing "servers" and not just the underlying operating system, future editions should discuss proper deployment of popular applications for Windows NT/2000, like IIS and Exchange.

I have been waiting for a book like this for quite a while. For anyone interested in securing W2k Internet servers this book has some excellent advice. The networking security tips are particularly useful and relevant. I was disappointed that there was not more IIS specific security information, given that most W2K servers on the Internet are running IIS. Also, as the author himself points out, much of the changes he is proposing to harden servers are not practical in an enterprise-sized environment. By hardening servers as he describes you loose much of the scalable administration NT and W2K where built around. I would not want to implement the majority of these changes on a production environment of more than 30 or so servers for that reason. I also would not put pcanywhere on any production server as a way to get around just having disabled the functionality of the native remote administration tools. Having said all that, buy this book if you are responsible for securing your Microsoft servers. There is enough great information here to make it well worth it.

This is a GREAT book for 2 scenarios:

1) You want a greater understanding of how to secure the NT/2000 operating system (without using 3rd party add-on software). It offers excellent ideas and suggestions on various services and protocols that can be completely disabled in most environments.

2) You run a stand-alone server. When Stefan Norberg says bastion server, that's what he means, NOTHING is getting in. This includes a lot of domain traffic. It would be a disaster to apply this to a computer sitting in a Windows 2000 domain. If you have a stand-alone web server that you want to lock down, then this is you book!

As for other observations...

A few of the extremely useful NT4 bastion server steps are not even given for Windows 2000 use. I was especially disappointed that he gave no description on how to disable the DOS subsystem in Window 2000 (because the NT4 steps sure won't work).

The author provides his email address, but don't bother. He doesn't reply to professional emails containing legitimate comments on his work. Next time, he better just leave the email address out.

I would prefer a 2nd Edition with the NT4 information removed (and even some of the information on the vastly unpopular IPsec) to allow for more in-depth material on Windows 2000 (and even the up and coming Windows XP).

In Securing Windows NT/2000 Servers For The Internet, Stefan Norberg is designed to assist the experienced users of Windows NT/2000 to protect their computers from Internet intrusion, sabotage, information theft, and other unwanted encroachments. Very highly recommended for systems administrators and the non-specialist general users concerned with security issues, Securing Windows NT/2000 Servers For The Internet covers every aspect of building Windows 2000 security systems is comprehensively presented.

I run an ASP based on NT and 2000 servers. This book provides real solutions to help minimize your risk of your servers being hacked. I would also recommed the book as a good start for hardening internal file/print/db servers in your corporate LAN/WAN.

This book was probably just right when it was released, but it's time to update it for 2000/XP and drop NT entirely. I only looked at the 2000 stuff, since those are the kind I support, but the info was very helpful, and even though we're several service packs down the road, it's still accurate. I didn't read the NT information (though it's largely the same, since they have the same roots) for accuracy as much, but it's still worth the price for the 2000 answers.

As network security becomes more and more important, it's nice to see something very specific to Windows NT/2000. Yes, this is a book for specific architecture, but actually would be a very good resource if you are moving into the Windows area especially from an UNIX background. What you take away more than anything else from the book is that the only way to be really secure is to close almost everything, and that's what the author shows. Their setup is an ideal world - a server dedicated to just being secure with some services, and you are shown step by step what is good to have on and what is not.

It is important more so because it gives you a reference point to learn more and try to close holes that you can. There are often a number of services and potential entrance points that are left open by default, or may be open, but you are not using them. So close 'em! You may not be 100% secure then, but 50% secure is better than open and flapping to the digital world.

The book is the kind you skim from cover to cover, then go back and read what you want to know more about, and return to it again and again as reference. It has been invaluable to my knowledge and has given me starting off points to pursue specific areas of security. I hope the book is updated when .NET starts to really spread out. Until then, this helps point us to where we can put up more defense. Knowledge is your best tool to fight insecurity, and this is an excellent tool in your kit.

As a Solaris/Linux admin, I had no clue how to secure a windows machine. I knew to turn off services I recognized but that is about it. Since we only really use NT for the PDC, the file server, and internal groupware client- I really was not interested in pouring over documentation to secure these boxes. I have too much to do in keeping the frontline unix boxes secure.
Norberg introduces the architecture and services and othter things that I really did not know about. He then gives practical suggestions on how to lock down the server. He does state that this is a for a bastion host, so that rules out a web server anyway.
However, this book explains the services and what would need turned off, you can then modify this to your needs.
This book is a must for any Unix admin that needs to learn about WinNt and security for it. I give this book five stars for being exactly what it says it is.

The author certainly understands windows security from the administrator's point of view. He isn't going to launch into the deficiencies of Lanman in great detail, but he will tell you how to allow only NTLMv2 instead, or even better...uninstall all of the MS deadly ports altogether (what are they doing on a mail server anyway???)

To be honest I'm primarily a Unix person (FreeBSD when possible) so I feel really constricted in the windows environment and thus don't know as much as I should about securing the boxes. This book allows me to jump into the windows world (since I obviously need at least one windows box around for work) and make intelligent choices regarding configuration.

The small number of pages is actually a good thing since the author skips all of the general security tips and knowledge that you can get in 1,000 other books nowadays, getting right to the meat of it: what to click and type to secure the box. This also has the pleasant side-affect of reducing the cost from the normal range of 50-60 to around 20, which pretty much means that buying this book is a no-brainer.

In summary, a Unix geek can get away with this book since it's so direct and easy to follow. It requires some previous security knowledge but not a boatload.