Posted to: Risks Digest 19.85
Originally From: "Rob Slade" <rslade@sprint.ca>
BKWNTSCG.RVW 980513
"Windows NT Security Guide", Stephen A. Sutton, 1997, 0-201-41969-6,
U$29.95/C$41.00
%A Stephen A. Sutton sutton@trustedsystems.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 1997
%G 0-201-41969-6
%I Addison-Wesley Publishing Co.
%O U$29.95/C$41.00 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%P 373 p.
%T "Windows NT Security Guide"
Part one deals with issues of interest to users. Chapter one is a
conceptual introduction to security and the NT system. The material is
informal. This makes it easy to read, but also sacrifices completeness.
Sutton's idiosyncratic structure is weak in certain areas; for example,
reliability. The content is also lavish in its praise of Microsoft and
NT, and seemingly unwilling to admit to any weak areas or flaws.
Accounts, and the domain model, and reviewed in chapter two.
(Illustrations are heavily used, and could be helpful were it not for the
fact that so many have serious errors.) The working environment, in
chapter three, holds a rather random assortment of features but
concentrates on the NT security window, rather mystically referred to as
the "Trusted Path." (Both this term and "Trusted Computer Base" are
specific referents of the "Trusted Computer System Evaluation Criteria" of
the US Department of Defense, better known as the "Orange Book". Neither
term is used in the specific manner defined by the Orange Book.) The
structure of the presentation seems to be intent on showing off,
frequently querying the user before having provided the answer. (On the
other hand, one formal exercise asks whether the user should enter a
password into a specific request box on the screen, and immediately tells
you that NT does not use that request box.) Chapter four goes into a lot
of detail on ACLs (Access Control Lists) but, in common with all too many
security books, does not present a completely clear picture of effective
rights in the case of combinations of permissions. A number of situations
where the same user name can be handled differently are looked at in
chapter five.
Part two involves administrative tasks. Chapter six covers the mechanics
of domain administration quite well, but the actual planning is not dealt
with in depth. Management of accounts is the topic of chapter seven.
Auditing and logging is covered in fair detail in chapter eight. Although
chapter nine is nominally about the Internet and intranets, most of the
space is dedicated to general discussions of encryption. Details of
algorithms are minimal, and a number of the topics covered have only
tangential relevance to NT. Chapter ten is a grab bag of topics including
the Registry, system policies, and printers. The "Trusted Computing
Base," in chapter eleven, seems to refer to computer hardware and software
assets, but the protection of these assets is not well explained. (One of
the author's major fears seems to be viruses, but despite a great many
mentions there is little realistic information about them in the book.)
Chapter twelve closes off with a checklist summary of section titles from
the book to this point.
Part three is a single chapter, on assessment of NT security. Much of
this chapter is dedicated to proving that NT does not need to conform to
the "Orange Book" levels.
The stated intent of the book is to provide security information both to
users of Windows NT, and to network administrators. In reality, users
would need "cookbook" style recommendations that could be put into
practice immediately, and which are generally missing from the book.
Administrators need a more complete and well rounded approach to the
topic, particularly addressing vulnerabilities in NT itself (such as the
built-in and well known standard accounts). For those with no background
in security the book provides a little knowledge. However, note the
proverbial danger of a little knowledge, particularly in cases where
overconfidence can lead to disaster.
copyright Robert M. Slade, 1998 BKWNTSCG.RVW 980513
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Jul 21 14:02:05 1998