[ISN] Book Review: "Windows NT Security Guide", Sutton

From: mea culpa (jerichot_private)
Date: Tue Jul 21 1998 - 08:49:25 PDT

  • Next message: mea culpa: "[ISN] Gas companies fret about hacker threat"

    Posted to: Risks Digest 19.85
    Originally From: "Rob Slade" <rsladet_private>
    BKWNTSCG.RVW   980513
    "Windows NT Security Guide", Stephen A. Sutton, 1997, 0-201-41969-6,
    %A   Stephen A. Sutton suttont_private
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
    %D   1997
    %G   0-201-41969-6
    %I   Addison-Wesley Publishing Co.
    %O   U$29.95/C$41.00 416-447-5101 fax: 416-443-0948 bkexpresst_private
    %P   373 p.
    %T   "Windows NT Security Guide"
    Part one deals with issues of interest to users.  Chapter one is a
    conceptual introduction to security and the NT system.  The material is
    informal.  This makes it easy to read, but also sacrifices completeness. 
    Sutton's idiosyncratic structure is weak in certain areas; for example,
    reliability.  The content is also lavish in its praise of Microsoft and
    NT, and seemingly unwilling to admit to any weak areas or flaws. 
    Accounts, and the domain model, and reviewed in chapter two. 
    (Illustrations are heavily used, and could be helpful were it not for the
    fact that so many have serious errors.)  The working environment, in
    chapter three, holds a rather random assortment of features but
    concentrates on the NT security window, rather mystically referred to as
    the "Trusted Path."  (Both this term and "Trusted Computer Base" are
    specific referents of the "Trusted Computer System Evaluation Criteria" of
    the US Department of Defense, better known as the "Orange Book".  Neither
    term is used in the specific manner defined by the Orange Book.)  The
    structure of the presentation seems to be intent on showing off,
    frequently querying the user before having provided the answer.  (On the
    other hand, one formal exercise asks whether the user should enter a
    password into a specific request box on the screen, and immediately tells
    you that NT does not use that request box.)  Chapter four goes into a lot
    of detail on ACLs (Access Control Lists) but, in common with all too many
    security books, does not present a completely clear picture of effective
    rights in the case of combinations of permissions.  A number of situations
    where the same user name can be handled differently are looked at in
    chapter five. 
    Part two involves administrative tasks.  Chapter six covers the mechanics
    of domain administration quite well, but the actual planning is not dealt
    with in depth.  Management of accounts is the topic of chapter seven. 
    Auditing and logging is covered in fair detail in chapter eight.  Although
    chapter nine is nominally about the Internet and intranets, most of the
    space is dedicated to general discussions of encryption.  Details of
    algorithms are minimal, and a number of the topics covered have only
    tangential relevance to NT.  Chapter ten is a grab bag of topics including
    the Registry, system policies, and printers.  The "Trusted Computing
    Base," in chapter eleven, seems to refer to computer hardware and software
    assets, but the protection of these assets is not well explained.  (One of
    the author's major fears seems to be viruses, but despite a great many
    mentions there is little realistic information about them in the book.) 
    Chapter twelve closes off with a checklist summary of section titles from
    the book to this point. 
    Part three is a single chapter, on assessment of NT security.  Much of
    this chapter is dedicated to proving that NT does not need to conform to
    the "Orange Book" levels. 
    The stated intent of the book is to provide security information both to
    users of Windows NT, and to network administrators.  In reality, users
    would need "cookbook" style recommendations that could be put into
    practice immediately, and which are generally missing from the book. 
    Administrators need a more complete and well rounded approach to the
    topic, particularly addressing vulnerabilities in NT itself (such as the
    built-in and well known standard accounts).  For those with no background
    in security the book provides a little knowledge.  However, note the
    proverbial danger of a little knowledge, particularly in cases where
    overconfidence can lead to disaster. 
    copyright Robert M. Slade, 1998   BKWNTSCG.RVW   980513
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:08 PDT