Oh No, Not Another Windows 2000 Security Book

One that gets it right — mostly.

• By Roberta Bragg
• 11/01/2001

Remember when finding documentation on Windows NT security was hard to do? Remember when securing anything became hot? Eventually we were treated to numerous books on Windows NT security—many of which didn’t tell us much.

Fast forward to the new millennium and a new version of Windows—Windows 2000. Now here’s an operating system with lots of security features right up front and in your face, and documentation abounds. There’s copious material on the Web sites, certification guides, test preps, even an Official Microsoft Curriculum course. Then there’s a Win2K security tome written by every known security guru (and quite a few unknowns). Thousands of pages. Some quite informative, some lacking in information. There are some authors who thought their extensive knowledge of Windows NT security would be enough to get them through (it wasn’t), some who struggled with the concepts, and some who got it right.

Windows 2000 Security Handbook, by Philip Cox, Tom Sheldon and others, is one that gets it right—mostly.

This isn’t just another Win2K Security book. It’s full of important, well-organized information. Part 1, Security 101, covers security in general, including short sections on threats, countermeasures, policies and management. Part 2, Win2K Security, presents an overview of the Win2K architecture and the basic security subsystem, user groups, authentication and authorization, along with network protocols and Win2K-specific risks and solutions. Part 3 focuses on securing Win2K. Here you’ll find an introduction to Active Directory, information on group policies, user and group security management, logon and authentication, file system and share security, and auditing. Part 4 moves on to network issues and includes defensive strategies including firewalls, proxy servers, remote access, VPNs, client security and enterprise security. Finally, Part 5 offers chapters on securing IIS, fault tolerance and hardening Win2K, which is really instructions on how to bring up a hardened server. If you want a book that introduces the panoply of topics that is info security look no further.

Both the principal authors have a long history of work with Windows products and are well known in the field. Also, it’s obvious they’ve invested time and energy in studying the new OS. However, even though the book’s been released more than a year after the product, there isn’t much “lessons learned” information included. The exception is the chapter on hardening Win2K, in which the authors caution would-be implementers that the suggestions might break a production server. Good. I would, however, have liked to see some backup for some recommendations. For example, page 662 lists essential Win2K services and recommends disabling all others, then only enabling the other services if necessary. However, it doesn’t say what these claims are based on—an article by Microsoft? (I can’t find one.) Private conversations with helpful contacts at same? Extensive research? Educated guesses? I’d like to take the information on faith—but I’ve been thrown once too often when riding that particular horse. This is invaluable information, and I wish there was more of it (and that it was better supported).

You can also find updated and additional information on the book’s Web site. The book refers to an appendix on Win2K services but doesn’t include one. You can find it at http://www.osborne.com/networking_comm/0072124334/0072124334.shtml along with a document on PKI.

In sum, this is a good overall introductory book. It seeks to cover an immense amount of ground and thus covers few topics in detail. I’m a little unhappy that a book published long after the introduction of Win2K improperly defines Native and Mixed mode domains, but a correction is, however, posted to System Experts web site.