[ISN] REVIEW: "Windows NT Security Guide", Stephen A. Sutton

From: mea culpa (jerichot_private)
Date: Mon Jul 06 1998 - 12:08:30 PDT


    Forwarded From: "Rob Slade, doting grandpa of Ryan and Trevor" <rsladet_private>
    Posted To: p1t_private
    
    BKWNTSCG.RVW   980513
    
    "Windows NT Security Guide", Stephen A. Sutton, 1997, 0-201-41969-6,
    U$29.95/C$41.00
    %A   Stephen A. Sutton suttont_private
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
    %D   1997
    %G   0-201-41969-6
    %I   Addison-Wesley Publishing Co.
    %O   U$29.95/C$41.00 416-447-5101 fax: 416-443-0948 bkexpresst_private
    %P   373 p.
    %T   "Windows NT Security Guide"
    
    Part one deals with issues of interest to users.  Chapter one is a
    conceptual introduction to security and the NT system.  The material
    is informal.  This makes it easy to read, but also sacrifices
    completeness.  Sutton's idiosyncratic structure is weak in certain
    areas; for example, reliability.  The content is also lavish in its
    praise of Microsoft and NT, and seemingly unwilling to admit to any
    weak areas or flaws.  Accounts, and the domain model, are reviewed in
    chapter two.  (Illustrations are heavily used, and could be helpful
    were it not for the fact that so many have serious errors.)  The
    working environment, in chapter three, holds a rather random
    assortment of features but concentrates on the NT security window,
    rather mystically referred to as the "Trusted Path."  (Both this term
    and "Trusted Computer Base" are specific referents of the "Trusted
    Computer System Evaluation Criteria" of the US Department of Defense,
    better known as the "Orange Book".  Neither term is used in the
    specific manner defined by the Orange Book.)  The structure of the
    presentation seems to be intent on showing off, frequently querying
    the user before having provided the answer.  (On the other hand, one
    formal exercise asks whether the user should enter a password into a
    specific request box on the screen, and immediately tells you that NT
    does not use that request box.)  Chapter four goes into a lot of
    detail on ACLs (Access Control Lists) but, in common with all too many
    security books, does not present a completely clear picture of
    effective rights in the case of combinations of permissions.  A number
    of situations where the same user name can be handled differently are
    looked at in chapter five.
    
    Part two involves administrative tasks.  Chapter six covers the
    mechanics of domain administration quite well, but the actual planning
    is not dealt with in depth.  Management of accounts is the topic of
    chapter seven.  Auditing and logging is covered in fair detail in
    chapter eight.  Although chapter nine is nominally about the Internet
    and intranets, most of the space is dedicated to general discussions
    of encryption.  Details of algorithms are minimal, and a number of the
    topics covered have only tangential relevance to NT.  Chapter ten is a
    grab bag of topics including the Registry, system policies, and
    printers.  The "Trusted Computing Base," in chapter eleven, seems to
    refer to computer hardware and software assets, but the protection of
    these assets is not well explained.  (One of the author's major fears
    seems to be viruses, but despite a great many mentions there is little
    realistic information about them in the book.)  Chapter twelve closes
    off with a checklist summary of section titles from the book to this
    point.
    
    Part three is a single chapter, on assessment of NT security.  Much of
    this chapter is dedicated to proving that NT does not need to conform
    to the "Orange Book" levels.
    
    The stated intent of the book is to provide security information both
    to users of Windows NT, and to network administrators.  In reality,
    users would need "cookbook" style recommendations that could be put
    into practice immediately, and which are generally missing from the
    book.  Administrators need a more complete and well rounded approach
    to the topic, particularly addressing vulnerabilities in NT itself
    (such as the built-in and well known standard accounts).  For those
    with no background in security the book provides a little knowledge. 
    However, note the proverbial danger of a little knowledge,
    particularly in cases where overconfidence can lead to disaster.
    
    copyright Robert M. Slade, 1998   BKWNTSCG.RVW   980513
    
    


