| Section | Page |
| --- | --- |
| Foreword | xix |
| Acknowledgments | xxi |
| Introduction | xxiii |
| PART I APPLYING KEY PRINCIPLES OF SECURITY | |
| 1 Key Principles of Security | 3 |
| Understanding Risk Management | 3 |
| Learning to Manage Risk | 4 |
| Risk Management Strategies | 6 |
| Understanding Security | 8 |
| Granting the Least Privilege Required | 8 |
| Defending Each Network Layer | 8 |
| Reducing the Attack Surface | 8 |
| Avoiding Assumptions | 8 |
| Protecting, Detecting, and Responding | 9 |
| Securing by Design, Default, and Deployment | 9 |
| The 10 Immutable Laws of Security | 9 |
| The 10 Immutable Laws of Security Administration | 11 |
| 2 Understanding Your Enemy | 15 |
| Knowing Yourself | 16 |
| Accurately Assessing Your Own Skills | 16 |
| Possessing Detailed Documentation of Your Network | 16 |
| Understanding the Level of Organizational Support You Receive | 17 |
| Identifying Your Attacker | 17 |
| Understanding External Attackers | 19 |
| Understanding Internal Attackers | 20 |
| What Motivates Attackers? | 21 |
| Notoriety, Acceptance, and Ego | 22 |
| Financial Gain | 23 |
| Challenge | 24 |
| Activism | 25 |
| Revenge | 25 |
| Espionage | 25 |
| Information Warfare | 26 |
| Why Defending Networks Is Difficult | 27 |
| Attackers Have Unlimited Resources | 27 |
| Attackers Need to Master Only One Attack | 27 |
| Defenders Cannot Take the Offensive | 27 |
| Defenders Must Serve Business Goals | 28 |
| Defenders Must Win All the Time | 29 |
| PART II SECURING ACTIVE DIRECTORY | |
| 3 Securing User Accounts and Passwords | 33 |
| Securing Accounts | 33 |
| Understanding Security Identifiers | 34 |
| Understanding Access Tokens | 36 |
| Configuring Account Security Options | 38 |
| Securing Administrative Accounts | 40 |
| Implementing Password Security | 43 |
| Granting Rights and Permissions Using Groups | 49 |
| User Rights and Permissions | 50 |
| Group Types and Scope | 55 |
| Implementing Role-Based Security in Windows 2000 | 64 |
| Securing Passwords | 67 |
| Understanding Authentication | 67 |
| Storing Secrets in Windows | 77 |
| Best Practices | 80 |
| Additional Information | 81 |
| 4 Securing Active Directory Objects and Attributes | 83 |
| Understanding the Active Directory Schema | 83 |
| Attributes | 84 |
| Classes | 84 |
| Configuring DACLs to Secure Active Directory Objects | 86 |
| What Are DACLs? | 87 |
| How DACLs Work | 90 |
| Securing Active Directory Objects and Attributes | 91 |
| Configuring Default DACLs on Objects and Attributes | 91 |
| Securing Objects After Being Created | 93 |
| Configuring DACLs from the Command Line | 94 |
| Best Practices | 96 |
| Additional Information | 97 |
| 5 Implementing Group Policy | 99 |
| Understanding Group Policy | 99 |
| Computer-Related Group Policies | 100 |
| User-Related Group Policies | 102 |
| Using Group Policy Containers | 104 |
| Processing Group Policy Objects | 106 |
| Initial Group Policy Application | 106 |
| Group Policy Refresh | 107 |
| On-Demand Processing | 107 |
| Altering Group Policy Application | 108 |
| Block Inheritance | 108 |
| No Override | 109 |
| Group Policy Object Filtering | 109 |
| Loopback Mode Processing | 110 |
| Managing Group Policy | 111 |
| Default Group Policy Permissions | 111 |
| Delegating Group Policy Management | 112 |
| Best Practices | 113 |
| Additional Information | 113 |
| 6 Designing Active Directory Forests and Domains for Security | 115 |
| Autonomy and Isolation in Active Directory | 115 |
| Designing Forests for Active Directory Security | 116 |
| Enterprise Administration Boundaries and Isolation of Authority | 117 |
| Default Permissions and Schema Control | 117 |
| Global Catalog Boundaries | 118 |
| Domain Trust Requirements | 118 |
| Domain Controller Isolation | 119 |
| Protection of the Forest Root Domain | 119 |
| Designing Domains for Active Directory Security | 121 |
| Designing DNS for Active Directory Security | 123 |
| Single Namespace | 125 |
| Delegated Namespace | 125 |
| Internal Namespace | 125 |
| Segmented Namespace | 125 |
| Designing the Delegation of Authority | 126 |
| Best Practices | 128 |
| Additional Information | 130 |
| PART III SECURING THE CORE OPERATING SYSTEM | |
| 7 Securing Permissions | 135 |
| Securing File and Folder Permissions | 135 |
| How DACLs Work | 140 |
| Assigning DACLs at Creation | 141 |
| How DACLs Are Handled When Files and Folders Are Copied or Moved | 142 |
| Command-Line Tools | 143 |
| Default File and Folder Permissions | 148 |
| Securing Files and Folder Access by Using Share Permissions | 155 |
| Using the Encrypting File System | 156 |
| How EFS Works | 157 |
| EFS Command-Line Tools | 159 |
| Additional EFS Features in Windows XP | 162 |
| Introduction to Designing a Data Recovery Agent Policy | 165 |
| Securing Registry Permissions | 166 |
| Configuring Registry Permissions | 168 |
| Best Practices | 169 |
| Additional Information | 169 |
| 8 Securing Services | 173 |
| Managing Service Permissions | 173 |
| Configuring the Startup Value for a Service | 175 |
| Stopping, Starting, Pausing, and Resuming Services | 176 |
| Configuring the Security Context of Services | 177 |
| Configuring the DACL for the Service | 178 |
| Default Services in Windows 2000 and Windows XP | 180 |
| Best Practices | 202 |
| Additional Information | 203 |
| 9 Implementing TCP/IP Security | 205 |
| Securing TCP/IP | 205 |
| Understanding Internet Layer Protocols | 206 |
| Understanding Transport Layer Protocols | 209 |
| Common Threats to TCP/IP | 212 |
| Configuring TCP/IP Security in Windows 2000 and Windows XP | 215 |
| Using IPSec | 225 |
| Securing Data Transmission with IPSec Protocols | 226 |
| Choosing Between IPSec Modes | 229 |
| Selecting an IPSec Authentication Method | 230 |
| Creating IPSec Policies | 231 |
| How IPSec Works | 235 |
| Monitoring IPSec | 238 |
| Best Practices | 240 |
| Additional Information | 241 |
| 10 Securing Microsoft Internet Explorer 6 and Microsoft Office XP | 243 |
| Security Settings in Internet Explorer 6 | 243 |
| Privacy Settings | 243 |
| Security Zones | 247 |
| Configuring Privacy and Security Settings in Internet Explorer 6 | 262 |
| Security Settings in Office XP | 263 |
| Configuring ActiveX and Macros Security | 263 |
| Configuring Security for Outlook 2002 | 266 |
| Best Practices | 267 |
| Additional Information | 267 |
| 11 Configuring Security Templates | 269 |
| Using Security Template Settings | 269 |
| Account Policies | 270 |
| Local Policies | 273 |
| Event Log | 288 |
| Restricted Groups | 289 |
| System Services | 289 |
| Registry | 290 |
| File System | 290 |
| Public Key Policies | 290 |
| IP Security Policies | 291 |
| How Security Templates Work | 291 |
| Applying Security Templates to a Local Computer | 291 |
| Applying Security Templates by Using Group Policy | 295 |
| Default Security Templates | 296 |
| Creating Custom Security Templates | 298 |
| Adding Registry Entries to Security Options | 298 |
| Adding Services, Registry Values, and Files to Security Templates | 301 |
| Best Practices | 301 |
| Additional Information | 302 |
| 12 Auditing Microsoft Windows Security Events | 305 |
| Determining Which Events to Audit | 306 |
| Managing the Event Viewer | 307 |
| Determining the Storage Location | 308 |
| Determining the Maximum Log File Size | 308 |
| Configuring the Overwrite Behavior | 308 |
| Configuring Audit Policies | 310 |
| Auditing Account Logon Events | 310 |
| Auditing Account Management Events | 315 |
| Auditing Directory Service Access | 317 |
| Auditing Logon Events | 318 |
| Auditing Object Access | 320 |
| Auditing Policy Change | 322 |
| Auditing Privilege Use | 323 |
| Auditing Process Tracking | 324 |
| Auditing System Events | 325 |
| How to Enable Audit Policies | 326 |
| Monitoring Audited Events | 328 |
| Using the Event Viewer | 328 |
| Using Custom Scripts | 329 |
| Using Event Comb | 329 |
| Best Practices | 333 |
| Additional Information | 334 |
| 13 Securing Mobile Computers | 335 |
| Understanding Mobile Computers | 335 |
| Increase in the Possibility of Being Lost or Stolen | 335 |
| Difficulty in Applying Security Updates | 337 |
| Exposure to Untrusted Networks | 338 |
| Eavesdropping on Wireless Connectivity | 338 |
| Implementing Additional Security for Laptop Computers | 339 |
| Hardware Protection | 339 |
| Boot Protection | 341 |
| Data Protection | 343 |
| User Education | 345 |
| Securing Wireless Networking in Windows XP | 346 |
| Using Wireless Zero Configuration in Windows XP | 346 |
| Configuring Security for 802.11 Wireless Network Connectivity | 347 |
| Configuring 802.11 Security with 802.1x | 350 |
| Best Practices | 352 |
| Additional Information | 352 |
| PART IV SECURING COMMON SERVICES | |
| 14 Implementing Security for Domain Controllers | 357 |
| Threats to Domain Controllers | 357 |
| Modification of Active Directory Objects | 358 |
| Password Attacks | 358 |
| Denial-of-Service Attacks | 358 |
| Replication Prevention Attacks | 358 |
| Exploitation of Known Vulnerabilities | 359 |
| Implementing Security on Domain Controllers | 359 |
| Providing Physical Security | 359 |
| Increasing the Security of Stored Passwords | 360 |
| Eliminating Nonessential Services | 361 |
| Applying Security Settings by Using Group Policy | 363 |
| Protecting Against the Failure of a Domain Controller | 363 |
| Implementing Syskey | 364 |
| Securing Built-In Accounts and Groups | 364 |
| Enabling Auditing | 366 |
| Securing Active Directory Communications | 366 |
| Best Practices | 369 |
| Additional Information | 370 |
| 15 Implementing Security for DNS Servers | 373 |
| Threats to DNS Servers | 374 |
| Modification of DNS Records | 375 |
| Zone Transfer of DNS Data by an Unauthorized Server | 375 |
| Exposure of Internal IP Addressing Schemes | 375 |
| Denial-of-Service Attacks Against DNS Services | 376 |
| Securing DNS Servers | 376 |
| Implementing Active Directory-Integrated Zones | 376 |
| Implementing Separate Internal and External DNS Name Servers | 377 |
| Restricting Zone Transfers | 378 |
| Implementing IPSec Between DNS Clients and DNS Servers | 379 |
| Restricting DNS Traffic at the Firewall | 380 |
| Limiting Management of DNS | 381 |
| Protecting the DNS Cache | 381 |
| Best Practices | 381 |
| Additional Information | 382 |
| 16 Implementing Security for Terminal Services | 385 |
| Threats to Terminal Services | 386 |
| Grants Excess Permissions for Users | 386 |
| Allows Bypass of Firewall Security | 386 |
| Uses a Well-Known Port | 387 |
| Requires the Log On Locally User Right | 387 |
| Provides an Attacker with a Full Windows Desktop | 387 |
| Securing Terminal Services | 387 |
| Choosing the Correct Terminal Services Mode | 388 |
| Restricting Which Users and Groups Have the Log On Locally User Right | 389 |
| Preventing Remote Control on Terminal Servers | 389 |
| Restricting Which Applications Can Be Executed | 390 |
| Implementing the Strongest Form of Encryption | 392 |
| Strengthening the Security Configuration of the Terminal Server | 393 |
| Best Practices | 393 |
| Additional Information | 394 |
| 17 Implementing Security for DHCP Servers | 397 |
| Threats to DHCP Servers | 398 |
| Unauthorized DHCP Servers | 398 |
| DHCP Servers Overwriting Valid DNS Resource Records | 399 |
| DHCP Not Taking Ownership of DNS Resource Records | 399 |
| Unauthorized DHCP Clients | 400 |
| Securing DHCP Servers | 400 |
| Keeping Default Name Registration Behavior | 401 |
| Determining Whether to Use the DNSUpdateProxy Group | 401 |
| Avoiding Installation of DHCP on Domain Controllers | 401 |
| Reviewing DHCP Database for BAD_ADDRESS Entries | 403 |
| Monitoring Membership in the DHCP Administrators Group | 403 |
| Enabling DHCP Auditing | 404 |
| Best Practices | 404 |
| Additional Information | 405 |
| 18 Implementing Security for WINS Servers | 407 |
| Threats to WINS Servers | 409 |
| Preventing Replication Between WINS Servers | 409 |
| Registration of False NetBIOS Records | 409 |
| Incorrect Registration of WINS Records | 409 |
| Modification of WINS Configuration | 410 |
| Securing WINS Servers | 410 |
| Monitor Membership in the WINS Admins Group | 410 |
| Validate WINS Replication Configuration | 410 |
| Eliminate NetBIOS Applications and Decommission Them | 411 |
| Best Practices | 411 |
| Additional Information | 412 |
| 19 Implementing Security for Routing and Remote Access | 413 |
| Remote Access Solution Components | 413 |
| Authentication Protocols | 414 |
| VPN Protocols | 415 |
| Client Software | 416 |
| Server Services and Software | 417 |
| Threats to Remote Access Solutions | 417 |
| Authentication Interception | 418 |
| Data Interception | 418 |
| Bypass of the Firewall to the Private Network | 419 |
| Nonstandardized Policy Application | 419 |
| Network Perimeter Extended to Location of Dial-In User | 420 |
| Denial of Service Caused by Password Attempts | 420 |
| Stolen Laptops with Saved Credentials | 420 |
| Securing Remote Access Servers | 421 |
| Implementing RADIUS Authentication and Accounting | 421 |
| Securing RADIUS Authentication Traffic Between the Remote Access Server and the RADIUS Server | 422 |
| Configuring a Remote Access Policy | 422 |
| Deploying Required Certificates for L2TP/IPSec | 425 |
| Restricting Which Servers Can Run RRAS | 427 |
| Implementing Remote Access Account Lockout | 428 |
| Securing Remote Access Clients | 428 |
| Configuring the CMAK Packages | 429 |
| Implementing Strong Authentication | 429 |
| Deploying Required Certificates | 429 |
| Best Practices | 430 |
| Additional Information | 431 |
| 20 Implementing Security for Certificate Services | 433 |
| Threats to Certificate Services | 433 |
| Compromise of a CA's Key Pair | 434 |
| Attacks Against Servers Hosting CRLs and CA Certificates | 434 |
| Attempts to Modify the CA Configuration | 434 |
| Attempts to Modify Certificate Template Permissions | 434 |
| Attacks that Disable CRL Checking | 434 |
| Addition of Nontrusted CAs to the Trusted Root CA Store | 435 |
| Issuance of Fraudulent Certificates | 435 |
| Publication of False Certificates to Active Directory | 435 |
| Securing Certificate Services | 435 |
| Implementing Physical Security Measures | 436 |
| Implementing Logical Security Measures | 436 |
| Modifying CRL and CA Certificate Publication Points | 437 |
| Enabling CRL Checking in All Applications | 437 |
| Managing Permissions of Certificate Templates | 437 |
| Best Practices | 438 |
| Additional Information | 438 |
| 21 Implementing Security for Microsoft IIS 5.0 | 441 |
| Implementing Windows 2000 Security | 442 |
| Minimizing Services | 442 |
| Defining User Accounts | 443 |
| Securing the File System | 444 |
| Applying Specific Registry Settings | 446 |
| Configuring IIS Security | 447 |
| Authentication | 447 |
| Web Site Permissions | 451 |
| Communication Channels | 452 |
| Using Tools to Secure IIS | 456 |
| The IIS Lockdown Tool | 456 |
| The URLScan Filter | 462 |
| Configuring the FTP Service | 468 |
| Best Practices | 469 |
| Additional Information | 470 |
| PART V MANAGING SECURITY UPDATES | |
| 22 Patch Management | 475 |
| Types of Patches | 476 |
| Development of a Hotfix | 478 |
| Patch Management in Six Steps | 479 |
| Step 1. Notification | 479 |
| Step 2. Assessment | 480 |
| Step 3. Obtainment | 481 |
| Step 4. Testing | 486 |
| Step 5. Deployment | 486 |
| Step 6. Validation | 490 |
| Best Practices | 491 |
| Additional Information | 492 |
| 23 Using Patch Management Tools | 493 |
| The Security Patch Bulletin Catalog | 494 |
| Windows Update | 497 |
| Automatic Updates | 500 |
| Microsoft Software Update Services | 502 |
| How SUS Works | 502 |
| Configuring the SUS Server | 503 |
| Configuring the SUS Clients | 506 |
| Microsoft Baseline Security Analyzer | 509 |
| Scanning for Updates in the GUI Mode | 510 |
| Scanning for Updates with the Command-Line Version of MBSA | 512 |
| SMS Software Update Services Feature Pack | 513 |
| Best Practices | 516 |
| Additional Information | 517 |
| 24 Using Security Assessment Tools | 519 |
| Assessing Security Configuration | 519 |
| The Security Configuration and Analysis Console | 520 |
| The Secedit.exe Command-Line Utility | 523 |
| Performing Security Assessments | 524 |
| Microsoft Baseline Security Analyzer | 524 |
| Third-Party Tools | 535 |
| Port Scanning | 536 |
| Best Practices | 540 |
| Additional Information | 541 |
| PART VI PLANNING AND PERFORMING SECURITY ASSESSMENTS AND INCIDENT RESPONSES | |
| 25 Assessing the Security of a Network | 545 |
| Types of Security Assessments | 546 |
| Vulnerability Scanning | 546 |
| Penetration Testing | 548 |
| IT Security Audit | 549 |
| How to Conduct Security Assessments | 549 |
| Planning a Security Assessment | 550 |
| Conducting a Security Assessment | 550 |
| Resolving Issues Discovered During the Security Assessment | 551 |
| Conducting Penetration Tests | 553 |
| Step 1. Gathering Information | 554 |
| Step 2. Researching Vulnerabilities | 557 |
| Step 3. Compromising the Target Application or Network | 558 |
| Best Practices | 559 |
| Additional Information | 560 |
| 26 Planning for Incident Response | 561 |
| Creating an Incident Response Team | 561 |
| Obtaining an Executive Sponsor | 562 |
| Identifying the Stakeholders | 562 |
| Choosing a Team Leader | 563 |
| Defining Incident Response Policy | 565 |
| Categorizing Types of Incidents | 565 |
| Outlining Proactive and Reactive Responses | 566 |
| Constructing Policies to Support Incident Response | 568 |
| Creating a Communications Plan | 571 |
| Preincident Internal Communications | 571 |
| Communication During an Incident | 573 |
| Contacting the Attacker | 576 |
| Dealing with the Press | 577 |
| Best Practices | 578 |
| Additional Information | 579 |
| 27 Responding to Security Incidents | 581 |
| Common Indicators of Security Incidents | 582 |
| Internet Port Scans | 582 |
| Inability to Access Network Resources | 585 |
| Excessive CPU Utilization | 585 |
| Irregular Service Operations | 586 |
| Irregular File System Activity | 586 |
| Permissions Changes | 587 |
| Analyzing a Security Incident | 587 |
| Determining the Cause | 588 |
| Preventing Further Exploitation | 588 |
| Avoiding Escalation and Further Incidents | 588 |
| Restoring Service | 589 |
| Incorporating Lessons Learned into Policy | 590 |
| Tracking the Attacker | 590 |
| Conducting Security Investigations | 591 |
| Involving Law Enforcement | 591 |
| Collecting Evidence | 594 |
| Performing Network Monitoring | 599 |
| Implementing Countermeasures to a Security Incident | 599 |
| Assessing the Scope of an Attack | 600 |
| Weighing Tradeoffs | 601 |
| Recovering Services After a Security Incident | 602 |
| Conducting a Security Incident Post Mortem | 603 |
| Best Practices | 603 |
| Additional Information | 604 |
| PART VII APPLYING KEY PRINCIPLES OF PRIVACY | |
| 28 Understanding the Importance of Privacy | 609 |
| Defining Privacy | 610 |
| Privacy vs. Security | 610 |
| Protecting Consumers from Inappropriate Contact and Tracking | 611 |
| The Roots of Privacy Legislation | 612 |
| Organisation for Economic Co-operation and Development | 613 |
| Privacy Legislation in the United States | 614 |
| Privacy Legislation in Canada | 618 |
| Privacy Legislation in Europe | 620 |
| Privacy Legislation in Asia | 620 |
| Privacy Legislation in Australia | 620 |
| Formulating an Enterprise Privacy Strategy | 621 |
| Creating a Privacy Organization | 621 |
| The Role of the Chief Privacy Officer | 622 |
| The Role of the Privacy Advocate | 623 |
| Responding to Privacy Issues | 624 |
| Best Practices | 625 |
| Additional Information | 626 |
| 29 Defining Privacy for the Corporate Web Site | 629 |
| Defining a Privacy Statement | 630 |
| Anatomy of a Privacy Statement | 630 |
| Key Privacy Statement Considerations | 635 |
| Other Rules for Creating and Posting a Privacy Statement | 637 |
| Platform for Privacy Preferences Project | 638 |
| P3P Integration for Internet Explorer 6 | 639 |
| Implementing P3P for Your Web Site | 642 |
| Best Practices | 643 |
| Additional Information | 644 |
| 30 Deploying Privacy in the Enterprise | 645 |
| Selecting Applications Based on Their Privacy Features | 645 |
| Protecting the Privacy of Your Employees | 646 |
| Protecting the Privacy of Your Customers and Business Partners | 646 |
| Storing Customer Data Securely | 647 |
| Collecting Customer Data and Privacy Preferences | 647 |
| Controlling the Handling of Customer Data | 647 |
| Creating a Centralized Contact System | 648 |
| Using Active Directory to Build a Contact System | 648 |
| Using a Database to Build a Contact System | 650 |
| Best Practices | 650 |
| Additional Information | 651 |
| INDEX | 653 |