Securing Windows Server 2003
Windows Server 2003 is the most security-conscious operating system that Microsoft has created to date, but it still takes an educated administrator to understand these options. Author Mike Danseglio, a Program Manager in Microsoft's Security Solutions group, provides this education with Securing Windows Server 2003. This book focuses almost exclusively on the operating system and application settings necessary to tune for optimal server security. The value of the book lies not only in the configuration checklists for each of these facets, but also in the clear explanation of the reasons behind the recommended approaches.
The first four chapters provide a security overview as it applies to Windows Server 2003, from basic defensive concepts such as POLA (the Principle Of Least Access) to physical and file system security. It's not until the fifth chapter on group policy and security templates that specific settings for the various Windows services are detailed. Running secure code is covered in Chapter 6, followed by various authentication approaches ranging from IP security to Public Key Infrastructure (PKI) to smart cards. DHCP, DNS, IIS, Active Directory, and Remote Access Security (RAS) complete the Windows Server 2003 security picture.
The last chapter, which covers auditing and integrating regular security practices and continual updates as operating system weaknesses are identified and patched, mentions a useful yet not widely publicized vulnerability scanner called the Microsoft Baseline Security Analyzer (MBSA). MBSA, freely available for download at http://www.microsoft.com/technet/security/tools/mbsahome.mspx, is a helpful tool that can assist administrators and developers alike with security audits and validation of secure configuration practices. As in several other places throughout the book, the author pitches a counterpoint about the help/harm factor of this tool, and the unbiased company stance Microsoft takes on the matter. In other words, although Microsoft recognizes that the tool could be used for undesirable purposes, the fact of the matter is that these tools already exist in different commercial and open source forms. MBSA simply aggregates the most recognized and frequently exploited holes and reports these to the operator.
Another defense is made earlier regarding the security of Apache versus IIS, asserting that IIS 6.x is just as secure as Apache out of the box because the same levels of security are applied during initial set-up and configuration. Although these claims are compelling, I couldn't help but feel somewhat cynical about such statements, given the fact that the author is a Microsoft employee trying to cast his company in a more favorable light compared to the competing alternatives. There are many of my peers who are running Apache, PHP, and MySQL on the Windows Server platform, yet given the popularity of this configuration, nary a word is made about securing this or other non-Microsoft application servers that are highly prevalent in such an environment. Perhaps the author can write a complementary book, or at least an expanded appendix in future editions, on securing popular non-Microsoft software products on the platform, such as best practices for Oracle, WebSphere, JBoss, and other common Internet-facing installations. Another appendix could provide a detailed exploration of ASP.NET 2.0 security settings, as well.
Regardless of the minor criticisms, Securing Windows Server 2003 is worth the cover price, especially for any developer or system administrator heavily dependent on Microsoft technologies.
Title: Securing Windows Server 2003
Author: Mike Danseglio
Publisher: O'Reilly Media, Inc.
Book Web Site: http://www.oreilly.com/catalog/securews/
Page Count: 444 pages