HARDENING Windows Systems
by Roberta Bragg
McGraw-Hill Osborne 2004.
ISBN 0-07-225354-1. Appendix, index, $39.99
Reviewed by Bob Bruen July 18, 2004
Microsoft Windows administrators and users can use all the help they can get, especially for security. It seems to me that you can break down MS security into two parts: one is the day-to-day issues around security breeches, attacks, and patching, and the other is hardening systems. If you have neither under control there is little you can do to make your life bearable. If your systems are hardened properly, then there will be fewer fires to put out so that you can concentrate on finding a replacement for Internet Explorer.
A network of hardened Windows PCs and servers can reduce the level of attacks from the outside, possibly even from the inside. It also stands to reason that this environment would benefit from a better managed network because of what must be done to harden all of it.
What is hardening? Naturally, there is more than one definition, but in general, one tightens control using policies which affect authorization, authentication and permissions. Nothing happens by default. You only give out permission after thinking about it, something like "deny all" to everyone, then "allow" with justification. Shut off everything, then only turn on that which must be turned on. It is not unlike locking every single door, window and access point in your house, then unlocking only those that need to be. It is quite common for users to take all the defaults when their new system gets turned on making for instant vulnerability. A major problem is trying to figure out where all those details are that need to be turned off, without making the system unusable.
This is where Hardening Windows comes in. Bragg starts out with the requisite password policy problem. Since Windows still owns the desktop, it is more likely that Windows users will need more reminding about this problem, which is exacerbated by the earlier Windows versions that permitted blank passwords and the ability to click cancel. More interesting is the explanation of how policies work for users, groups, domains, etc. Having watched knowledgeable Windows admins suffer trying to make policies work properly for long periods of time, I can appreciate the help. She has posted warnings in appropriate places where a click causes unintended behavior. It is also helpful to see what Microsoft actually meant when you see one of their policies' settings.
The book is full of little tips, like "do not show the last user name in the login box." The book also has detailed registry settings for application access control. This range of detail is a sign of the thoroughness of the book. I liked the list of services that are candidates for disabling, even though it was six pages in length. Securing Windows seems to be a better way to learn about Windows than those many other books of screen shots. Hardening Windows is a must for anyone administering a Windows environment. It is well written, helpful and priced right.