- Paperback: 608 pages
- Publisher: Addison-Wesley Professional (May 30, 2005)
- Language: English
- ISBN-10: 0321336437
- ISBN-13: 978-0321336439
- Product Dimensions: 6.9 x 1.4 x 9 inches
- Shipping Weight: 1.9 pounds
- Average Customer Review: 4.8 out of 5 stars (18 customer reviews)
- Amazon Best Sellers Rank: #890,630 in Books
Protect Your Windows Network: From Perimeter to Data
From the Back Cover
Praise for Protect Your Windows Network
"Jesper and Steve have done an outstanding job of covering the myriad of issues you must deal with to implement an effective network security policy. If you care about security this book is a must have."
Mark Russinovich, Chief Software Architect, Winternals Software
"Johansson and Riley's new book presents complex issues in straightforward language, examining both the technical and business aspects of network security. As a result, this book is an important tutorial for those responsible for network security; and even non-technical business leaders would learn a lot about how to manage the business risk inherent in their dependence on information technology."
Scott Charney, Vice President of Trustworthy Computing, Microsoft
"These guys have a profound understanding of what it takes to implement secure solutions in the real world! Jesper and Steve have been doing security related work (pen testing, consulting, program management, etc.) internally at Microsoft and for Microsoft's customers for many years. As a result of their real-world experience, they understand that security threats don't confine themselves to "the network" or "the operating system" and that to deliver secure solutions, these issues must be tackled at all levels after all of the threats to the environment have been identified. This book distinguishes itself from others in this field in that it does a great job of explaining the threats at many levels (network, operating system, data, and application) and how to counter these threats. A must read for security practitioners!"
Robert Hensing, CISSP, Security Software Engineer, Security Business and Technology Unit, Microsoft Corporation, email@example.com
"A good book should make you think. A good computer book should make you change how you are doing things in your network. I was fortunate enough to be setting up a new server as I read the book and incorporated many of the items discussed. The lessons in these chapters have relevance to networks large and small and blow through many of the myths surrounding computer security and guide you in making smarter security decisions. Too many times people focus in on just one aspect or part of a network's security and don't look at the bigger picture. These days I'm doing my very best to keep in mind the bigger picture of the forest (active directory notwithstanding), and not just looking at those trees."
Susan Bradley, CPA, GSEC, MCP, Small Business Server MVP, http://www.msmvps.com/Bradley, firstname.lastname@example.org
"Jesper Johansson and Steve Riley's Protect Your Windows Network is a must read for all organizations to gain practical insight and best practices to improve their overall security posture."
Jon R. Wall, CISSP
"Jesper and Steve are two excellent communicators who really know their stuff! If you want to learn more about how to protect yourself and your network, read this book and learn from these two guys!"
"In order to protect your particular Windows network you need to understand how Windows security mechanisms really work. Protect Your Windows Network gives you an in-depth understanding of Windows security so that you use the security techniques that best map to your needs."
Chris Wysopal, Director, Development, Symantec Corporation, http://www.symantec.com
"Nowadays, a computer that is not connected to a network is fairly limited in its usefulness. At the same time, however, a networked computer is a prime target for criminals looking to take advantage of you and your systems. In this book, Jesper and Steve masterfully demonstrate the whys and hows of protecting and defending your network and its resources, providing invaluable insight and guidance that will help you to ensure your assets are more secure."
Stephen Toub, Technical Editor, MSDN Magazine, email@example.com
"Security is more than knobs and switches. It is a mind set. Jesper Johansson and Steve Riley clearly understand this. Protect Your Windows Network is a great book on how you can apply this mind set to people, process, and technology to build and maintain more secure networks. This book is a must read for anyone responsible for protecting their organization's network."
Ben Smith, Senior Security Strategist, Microsoft Corporation, Author of Microsoft Windows Security Resource Kit 2 and Assessing Network Security
"Security is finally getting the mainstream exposure that it has always deserved; Johansson and Riley's book is a fine guide that can complement Microsoft's recent focus on security in the Windows-family operating systems."
Kenneth Wehr, President, ColumbusFreenet.org
"If you have not been able to attend one of the many security conferences around the world that Jesper and Steve presented, this book is the next best thing. They are two of the most popular speakers at Microsoft on Windows security. This is an informative book on how to make your Windows network more secure. Understanding the trade-offs between high security and functionality is a key concept that all Windows users should understand. If you're responsible for network security or an application developer, this book is a must."
Kevin McDonnell, Microsoft
In this book, two senior members of Microsoft's Security Business and Technology Unit present a complete "Defense in Depth" model for protecting any Windows network, no matter how large or complex. Drawing on their work with hundreds of enterprise customers, they systematically address all three elements of a successful security program: people, processes, and technology.
Unlike security books that focus on individual attacks and countermeasures, this book shows how to address the problem holistically and in its entirety. Through hands-on examples and practical case studies, you will learn how to integrate multiple defenses: deterring attacks, delaying them, and increasing the cost to the attacker. Coverage includes
- Improving security from the top of the network stack to the bottom
- Understanding what you need to do right away and what can wait
- Avoiding "pseudo-solutions" that offer a false sense of security
- Developing effective security policies, and educating those pesky users
- Beefing up your first line of defense: physical and perimeter security
- Modeling threats and identifying security dependencies
- Preventing rogue access from inside the network
- Systematically hardening Windows servers and clients
- Protecting client applications, server applications, and Web services
- Addressing the unique challenges of small business network security
Authoritative and thorough, Protect Your Windows Network will be the standard Microsoft security guide for sysadmins, netadmins, security professionals, architects, and technical decision-makers alike.
© Copyright Pearson Education. All rights reserved.
About the Author
Jesper M. Johansson, Microsoft's Senior Program Manager for Security Policy, is responsible for the tools Microsoft customers use to implement security policies, including the Security Configuration Wizard and Editor. A frequent speaker at leading security events, he holds a Ph.D. in MIS, as well as CISSP and ISSAP certification.
Steve Riley, Senior Program Manager in Microsoft's Security Business and Technology unit, specializes in network/host security, protocols, network design, and security policies and processes. He has conducted security assessments and risk analyses, deployed security technologies, and designed highly available network architectures for ISPs, ASPs, and major enterprises.
Top Customer Reviews
Okay, having said that, let me tell you about the book. I've been doing a lot of professional security work over the years, much of it with Windows. I tend to treat new security books with a big grain of salt, because there are a lot of well-meaning people out there giving advice ranging from mildly wrong to actively harmful. Now that I've written a book of my own, I have a fair idea of what is involved and how easy it is to slip technical howlers past hard-working editors (who aren't usually experts in the topic). Just because something is written down in a book doesn't mean I automatically trust it; unfortunately, too many people do place their faith in the Holy Grail of the printed word. On the other hand, I've not only seen Jesper and Steve speak before, I've had the opportunity to work with them on past projects, so I have a reasonable amount of faith that they actually know what they're talking about. (If you haven't had the pleasure of hearing them speak, go find the events they're at and sign up. Trust me.) As a result, I was pretty sure this book was going to rock on toast and give me a few good hard nuggets to think about.
This book completely threw many of my security assumptions out the window. More than once, I was reading the book shaking my head, saying "No, no, that's not right!" as the authors made hamburgers out of yet another security sacred cow. After giving myself time to think about it from a real-world point of view, though, I almost always came away agreeing with them. At other times, I'd be pumping my fist in the air, ecstatic that somebody else Got It and was able to put it as eloquently as I'd just read. I don't normally read technical books cover to cover; not only did I read this one straight through, I went back for a second pass with a bunch of sticky flags. My copy now looks like it was in a Twister factory explosion. The book also comes with a CD; it's not got a lot on it, but the scripts that are there are very useful indeed. There's also an accompanying website, [...] which contains errata and downloadable copies of the scripts and files on the CD.
Some of the best content of the book isn't contained in the book -- it's on the website in the Listening Room. Here, you can find recorded versions of talks by Jesper and Steve. You'll find their talks cover a lot of the same ground the book does, but they are both dynamic speakers and hearing the material reinforces what you're reading.
So, is this book for you? Let me answer that with another question: Are you tired of being a prisoner to security bulletins, patches, conflicting (and confusing) security guidance, and vendor claims?
If you want to learn how to actually analyze your systems and network, assess the threats you face, and do more than follow step-by-step "hardening guides" that inevitably break the CEO's favorite applications, then you need to get this book. It won't give you false warm fuzzies; it won't hold your hand and do your thinking for you, because the reality of security is that everybody's system is different. You can't produce cookie-cutter protection for a moving target; there is no substitute for digging in and learning the techniques Jesper and Steve show you here. If you put the work in, though, I can promise you will have a much better understanding of what it takes to keep your systems and network secure, and how to adapt as the threat landscape changes.
If you want to keep plodding on, performing security by rote, following checklists, then don't read this book. It will make you question your assumptions and might even lead to thinking. And the bad guys in your network don't want that.
To see a slightly more detailed version of this review (with hyperlinks), head to my blog (e)Mail Insecurity at:
Those directly responsible for securing the network should read this book through and then read it again, perhaps discussing it with a peer. There's a lot of information to unpack, so a critical study of how to contextualize the recommendations to your environment would benefit from a team of individuals dedicated to understanding and carrying out the guidelines that are given. In contrast, high-level managers and decision makers who have a more hands-off role would be well served by taking a half an hour to read the first two chapters, giving them a sobering first-hand account of the ease with which a knowledgeable attacker can subvert an entire domain. It will be 30 minutes well spent! A final group, the technically-savvy supervisors who don't actually implement (but monitor those who do), should quickly read the entire volume and hold their employees accountable for upholding at least the principles, if not the specific practices, mentioned throughout. All three groups should read it with the goal of acquiring a security mindset, filtering all their projects and goals through the "lens" created as a result of the truths learned from this pair of gurus. It is the unique combination of sufficient depth with comprehensive breadth that gives this book the edge over most recent Windows security titles from other authors. If you have to pick just one printed manual to take with you into battle, this should be your weapon of choice. I heartily recommend it as a great read for now, and as an investment for your go-to shelf later on.
Jesper and Steve begin the journey with the same eye-opening SQL injection attack you may have seen in one of the talks they present around the globe in their roles as security experts for Microsoft (Jesper has since changed employers). They exploit a poorly-written web application by feeding SQL code directly through the web form, eventually compromising the entire network, even though it's fully-patched and even somewhat hardened. They describe the intricacies of the attack from beginning to end, laying the groundwork for the defense techniques described in the remaining chapters. After taking over their victim network, they round out the section on fundamentals with a chapter on patch management. This was the low point of the book and, in my opinion, it glosses over the realities of just how time-consuming and complex change management and regression testing can be in a heterogeneous environment. Don't get discouraged by this chapter; slog through it and enjoy the informative--yet surprisingly fun--chapters that follow.
Having established the basics, more groundwork is laid with above average, but not spectacular, sections on administrative policies and physical security. These are the most "CISSP-ish" pages of the whole book and should look very familiar to members of the (ISC)^2. While the advice in these early chapters will stand the test of time, there's not much in here that won't already be a part of your daily arsenal. If you haven't figured out such basics as having a written security policy and that users will always choose convenience over security, then study this section hard. For the rest of us, you will find yourself saying "Amen" a lot as you review these four well-written and comprehensive middle chapters. The real epiphany comes at the end of Chapter 7 when they declare that the days of having a notion of a "perimeter" are over. If you haven't realized by now how incredibly porous your network is, this book should help bring you back to reality.
With the first half of the book used as an appetizer, the authors start serving the main course of practical, detailed advice about how to protect every aspect of your clients, servers and network infrastructure. Their incredible insight into password theory and how exactly a real password attack would work is so refreshing--these guys are experts, and it's demonstrated most profoundly in their chapter-long advice on the subject. Here and throughout the book they constantly bring you back to reality by refuting myths common in "security theater" and give you the best advice, with enough background to understand why it works. One particularly sobering moment was the sweeping dismissal of biometric authentication because of the myriad (often foolishly simple) flaws that can defeat even über-expensive fingerprint readers, retina scanners, etc. In the next two hundred or so pages they give you just enough instruction about IPSec, 802.1X, two-factor authentication and server/client hardening to help you understand the critical pieces of theory and find the detailed implementation instructions for yourself. You'll feel like you finally know the reasons to do all these things instead of just getting a litany of the individual steps to implement a particular setting or policy. Microsoft has published a lot of dry technical guides on every registry setting and tweak imaginable; these guys tell you the background information of why any of this stuff matters and they do it in a winsome, often satirical way that makes you want to keep reading.
The key concepts I took from reading this book were: a healthy skepticism about merely doing tweaks or checklists that have an air of sophistication but don't actually improve security; a sense of empowerment about how to untangle my network from a web of dependencies caused by shared service accounts (they even provide a handy utility to make their advice doable); and a renewed sense of encouragement that least-privilege is actually obtainable. They end each chapter with an immediate call-to-action that addresses the most important steps you can take to do the most good quickly. If you can force yourself to do these challenging tasks for every area they address, you'll be well on the road to a more secure installation.
Most Recent Customer Reviews
This is a well written and thought out book that contains many tips and techniques not found anywhere...