Friday, September 21, 2007

Book Review: PYWN

I had the pleasure of reading Protect Your Windows Network From Perimeter To Data by Jesper Johansson and Steve Riley. Even though it lacks Vista coverage, having been written in 2005, it is still very relevant and useful to security professionals today. It's a book that I wish I had read sooner, as it's a very good primer to security in a Windows environment. It's the perfect companion to the Windows Security Resource Kit. The book's two authors are both seasoned security veterans and their IT geek humor is enjoyable throughout the book. I found myself thinking, "Yeah, I've been there before" several times and laughing at the absurdity of the situations we are frequently presented with.

Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes, you will see some mild MS bias throughout, but they do a good job of reminding you of it in the text as well. I mean really, who recommends ISA Server over a firewall appliance like Netscreen, Checkpoint, or ASA, other than an MS employee or a Redmond Kool-Aid drinker? Also, while this book contains great nuggets of information, for someone that's been in the security industry a while, there will be a lot of general IT security information that you can just skim through in the first few chapters. This does not take away from the book in any way; it just broadens the target audience some.

One of the things I enjoyed most about this book was its readability. You can easily read a chapter a night and finish it quickly, because it's interesting and not dry like many books (e.g. the Official ISC2 CISSP Guide). Also, the authors revel in giving their brutally honest opinion, even when not always right, but it makes for very good reading. One of the early points they make, which should be known to the masses, is that complete security is unattainable. They used the illustration of chasing unicorns. Complete security is only possible in theory; you can only hope to reduce your attack surface and keep your risk at acceptable levels, because security is a dynamic state, not something that can be statically reproduced in reports and stamped with a seal of approval. Anybody that says their network is "secure" doesn't understand that security isn't really a state, but an ongoing process of managing risk.

The book also provides excellent coverage of Windows patching schemes, developing security policies, and educating your users on what not to do. One of the standout chapters for me was the one on security dependencies, which illuminates something that most people don't really address. Service accounts and dependencies on other systems present a very big danger to networks. You in essence reduce your security to that of the least secure system when you allow your critical assets to be dependent on a workstation that has the same service account. Also, domain admins will often use their account to log in to low-security systems, thus exposing their credentials. Another great chapter, which I never would have guessed from reading the title, was the chapter on passwords. It has the most concise and easy to understand discussion of Windows authentication schemes that I've ever read. In just a few pages, it discusses the differences between LM, NTLM, NTLMv2, and Kerberos and what configurations are available.

The book also includes the requisite hardening guidelines for servers and clients and a very nice chapter on how to evaluate application security in an accurate and reproducible way. The book also comes with a CD, the most notable tool being their passgen script.

The only negatives I really noticed in the book were that they tried to justify not putting outbound filtering on the Windows Firewall, only to see that feature show up in the Vista version. Also, their discussion of ARP failed to mention hard-coding your gateway with a static ARP entry, which I thought was odd. Overall though, I would have to say I was mightily impressed with this book and would recommend it to anybody running a Windows environment. If interested, you can peruse my notes here.
