Skip to main content

Book Review: PYWN

I had the pleasure of reading Protect Your Windows Network From Perimeter To Data by Jesper Johansson and Steve Riley. Even though it lacks Vista coverage being written in 2005, it is still very relevant and useful to security professionals today. It's a book that I wish I had read sooner, as its a very good primer to security in a windows environment. Its the perfect companion to the Windows Security Resource Kit. The book's two authors are both seasoned security veterans and their IT geek humor is enjoyed throughout the book. I found myself thinking, "Yeah, I've been there before" several times and laughing at the absurdity of the situations we are frequently presented with.

Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes you will see some mild MS bias throughout, but they do a good job of reminding you in the text as well. I mean really, who recommends ISA server over a FW appliance like Netscreen, Checkpoint, or ASA, other then a MS employee or a Redmond Kool-aid drinker. Also, while this book contains great nuggets of information, for someone thats been in the security industry awhile, there will be a lot of general IT security information that you can just skim through in the first few chapters. This does not take away from the book in any way, just broadens the target audience some.

One of things I enjoyed most about this book was its readability. You can easily read a chapter a night and finish it quickly, because its interesting and not dry like many books(i.e. Official ISC2 Cissp Guide). Also, the authors revel in giving their brutally honest opinion, even when not always right, but it makes for very good reading. One of the early points they make, which should be known to the masses, is that complete security is unattainable. They used the illustration of chasing unicorns. While only possible in theory, you can only hope to reduce your attack surface and keep your risk at acceptable levels, because security is a dynamic state, not something that can be statically reproduced in reports and stamped with a seal of approval. Anybody that says their network is "secure" doesn't understand that security isn't really a state, but an ongoing process of managing risk. The book also provides, excellent coverage of Windows patching schemes, developing security policies, and educating your users on what not to do. One of the stand out chapters for me, was the security dependency one, which illuminates something that most people don't really address. Services accounts and dependencies on other systems present a very big danger to networks. You in essence reduce your security to that of the least secure system when you allow your critical assets to be dependent on a workstation that has the same service account. Also, often times domain admins will use their account to login to low security systems, thus exposing their credentials. Another great chapter, which I never would have thought reading the title, was the chapter on passwords. It has the most concise and easy to understand discussion of windows authentication schemes that I've ever read. In just a few pages, it discusses the differences between LM, NTLM, NTLMv2, and Kerberos and what configurations are available. The book also includes the requisite hardening guidelines for servers and clients and a very nice chapter on how to evaluate application security in an accurate and reproducible way. The book also comes with CD, the most notable tool being their passgen script.

The only negatives I really noticed in the book, was that they tried to justify not putting outbound filtering on the windows firewall, only to see that feature show up on the Vista version. Also, their discussion of Arp failed to mention hard coding your gateway with a static arp entry, which I thought was odd. Overall though, I would have to say I was mightily impressed with this book and would recommend it to anybody running a windows environment. If interested, you can peruse my notes here

Comments

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool. A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up th...