買這商品的人也買了...
-
Malicious Mobile Code: Virus Protection for Windows$1,485$1,411 -
C++ Primer, 3/e 中文版$980$774 -
Embedded Systems Design: An Introduction to Processes, Tools and Techniques$2,480$2,356 -
Dreamweaver MX 中文版魔法書$490$417 -
鳥哥的 Linux 私房菜$560$504 -
C++ Builder 6 完全攻略$690$587 -
Java 完美經典優質學習篇$750$638 -
ASP.NET 程式設計徹底研究$590$466 -
CCNP Practical Studies: Troubleshooting$2,330$2,214 -
ARM 原理與實作─以網路 SoC 為例$600$540 -
重構─改善既有程式的設計$720$569 -
Practical Java Programming Language Guide 中文版 (Practical Java Programming Language Guide)$560$442 -
行動 Linux─KNOPPIX 改造手冊$290$261 -
鳥哥的 Linux 私房菜-伺服器架設篇$750$675 -
詳解 JavaScript & HTML & CSS 語法辭典$490$382 -
鳥哥的 Linux 私房菜─基礎學習篇增訂版$560$504 -
CCNA Self-Study: Interconnecting Cisco Network Devices (ICND) 640-811, 640-801, 2/e$2,330$2,214 -
$299CCNP Self-Study: Building Cisco Remote Access Networks (BCRAN), 2/e (Hardcover) -
人月神話:軟體專案管理之道 (20 週年紀念版)(The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition, 2/e)$480$379 -
JSP 2.0 技術手冊$750$593 -
CCNP Self-Study : Building Cisco Multilayer Switched Networks (BCMSN), 2/e$2,330$2,214 -
$399CCNP Self-Study : Building Scalable Cisco Internetworks (BSCI), 2/e -
JSP 與 Servlet 500 個應用範例技巧大全集$590$460 -
不同系統功能別資料庫設計 資料塑模入門講座$420$420 -
最新計算機概論, 3/e$560$442
商品描述
Description:
Help maximize security for Windows-based systems, services, and networks?with tools and resources direct from Microsoft.
Get the in-depth information and tools you need to help secure Microsoft®
Windows®–based clients, servers, networks, and Internet services with expertise
from those who know the technology best—the Microsoft Security Team. These
expert authors prescribe how to plan and implement a comprehensive
security-management strategy—from identifying risks to configuring security
technologies, applying security best practices, and monitoring and responding to
security incidents. The kit also provides essential security tools, scripts, and
other on-the-job resources—all designed to help maximize data and system
security while minimizing downtime and costs.
• Gain a framework for
understanding security threats and vulnerabilities and applying countermeasures
• Help protect servers, desktops, and laptops by configuring permissions,
security templates, TCP/IP settings, and application-level security
•
Implement security enhancements for domain controllers, Microsoft Internet
Information Services 5.0, Windows Terminal Services, and DNS, DHCP, WINS, RAS,
VPN, and certificate servers
• Help secure Active Directory® objects,
attributes, domains, and forests; use Group Policy; manage user accounts and
passwords
• Develop an auditing strategy and incident response team
•
Utilize security assessment tools, detect and respond to internal and external
security incidents, and recover services
• Create a process for deploying and
managing security updates
•Help establish your enterprise privacy
strategy
CD-ROM features:
50+ tools and scripts from the Microsoft
Security Team and the Microsoft Windows Resource Kits, including:
•
Subinacl.exe—view and help maintain security on files, registry keys, and
services from the command line or in batch files
• Ntrights.exe—set user
rights from the command line or in batch files
• EventcombMT.exe—collect and
search event logs from multiple computers through a GUI
• Scripts for
configuring security
Plus, a fully searchable eBook
Table of Contents:
| Foreword | xix |
| Acknowledgments | xxi |
| Introduction | xxiii |
| PART I APPLYING KEY PRINCIPLES OF SECURITY | |
| 1 Key Principles of Security | 3 |
| Understanding Risk Management | 3 |
| Learning to Manage Risk | 4 |
| Risk Management Strategies | 6 |
| Understanding Security | 8 |
| Granting the Least Privilege Required | 8 |
| Defending Each Network Layer | 8 |
| Reducing the Attack Surface | 8 |
| Avoiding Assumptions | 8 |
| Protecting, Detecting, and Responding | 9 |
| Securing by Design, Default, and Deployment | 9 |
| The 10 Immutable Laws of Security | 9 |
| The 10 Immutable Laws of Security Administration | 11 |
| 2 Understanding Your Enemy | 15 |
| Knowing Yourself | 16 |
| Accurately Assessing Your Own Skills | 16 |
| Possessing Detailed Documentation of Your Network | 16 |
| Understanding the Level of Organizational Support You Receive | 17 |
| Identifying Your Attacker | 17 |
| Understanding External Attackers | 19 |
| Understanding Internal Attackers | 20 |
| What Motivates Attackers? | 21 |
| Notoriety, Acceptance, and Ego | 22 |
| Financial Gain | 23 |
| Challenge | 24 |
| Activism | 25 |
| Revenge | 25 |
| Espionage | 25 |
| Information Warfare | 26 |
| Why Defending Networks Is Difficult | 27 |
| Attackers Have Unlimited Resources | 27 |
| Attackers Need to Master Only One Attack | 27 |
| Defenders Cannot Take the Offensive | 27 |
| Defenders Must Serve Business Goals | 28 |
| Defenders Must Win All the Time | 29 |
| PART II SECURING ACTIVE DIRECTORY | |
| 3 Securing User Accounts and Passwords | 33 |
| Securing Accounts | 33 |
| Understanding Security Identifiers | 34 |
| Understanding Access Tokens | 36 |
| Configuring Account Security Options | 38 |
| Securing Administrative Accounts | 40 |
| Implementing Password Security | 43 |
| Granting Rights and Permissions Using Groups | 49 |
| User Rights and Permissions | 50 |
| Group Types and Scope | 55 |
| Implementing Role-Based Security in Windows 2000 | 64 |
| Securing Passwords | 67 |
| Understanding Authentication | 67 |
| Storing Secrets in Windows | 77 |
| Best Practices | 80 |
| Additional Information | 81 |
| 4 Securing Active Directory Objects and Attributes | 83 |
| Understanding the Active Directory Schema | 83 |
| Attributes | 84 |
| Classes | 84 |
| Configuring DACLs to Secure Active Directory Objects | 86 |
| What Are DACLs? | 87 |
| How DACLs Work | 90 |
| Securing Active Directory Objects and Attributes | 91 |
| Configuring Default DACLs on Objects and Attributes | 91 |
| Securing Objects After Being Created | 93 |
| Configuring DACLs from the Command Line | 94 |
| Best Practices | 96 |
| Additional Information | 97 |
| 5 Implementing Group Policy | 99 |
| Understanding Group Policy | 99 |
| Computer-Related Group Policies | 100 |
| User-Related Group Policies | 102 |
| Using Group Policy Containers | 104 |
| Processing Group Policy Objects | 106 |
| Initial Group Policy Application | 106 |
| Group Policy Refresh | 107 |
| On-Demand Processing | 107 |
| Altering Group Policy Application | 108 |
| Block Inheritance | 108 |
| No Override | 109 |
| Group Policy Object Filtering | 109 |
| Loopback Mode Processing | 110 |
| Managing Group Policy | 111 |
| Default Group Policy Permissions | 111 |
| Delegating Group Policy Management | 112 |
| Best Practices | 113 |
| Additional Information | 113 |
| 6 Designing Active Directory Forests and Domains for Security | 115 |
| Autonomy and Isolation in Active Directory | 115 |
| Designing Forests for Active Directory Security | 116 |
| Enterprise Administration Boundaries and Isolation of Authority | 117 |
| Default Permissions and Schema Control | 117 |
| Global Catalog Boundaries | 118 |
| Domain Trust Requirements | 118 |
| Domain Controller Isolation | 119 |
| Protection of the Forest Root Domain | 119 |
| Designing Domains for Active Directory Security | 121 |
| Designing DNS for Active Directory Security | 123 |
| Single Namespace | 125 |
| Delegated Namespace | 125 |
| Internal Namespace | 125 |
| Segmented Namespace | 125 |
| Designing the Delegation of Authority | 126 |
| Best Practices | 128 |
| Additional Information | 130 |
| PART III SECURING THE CORE OPERATING SYSTEM | |
| 7 Securing Permissions | 135 |
| Securing File and Folder Permissions | 135 |
| How DACLs Work | 140 |
| Assigning DACLs at Creation | 141 |
| How DACLs Are Handled When Files and Folders Are Copied or Moved | 142 |
| Command-Line Tools | 143 |
| Default File and Folder Permissions | 148 |
| Securing Files and Folder Access by Using Share Permissions | 155 |
| Using the Encrypting File System | 156 |
| How EFS Works | 157 |
| EFS Command-Line Tools | 159 |
| Additional EFS Features in Windows XP | 162 |
| Introduction to Designing a Data Recovery Agent Policy | 165 |
| Securing Registry Permissions | 166 |
| Configuring Registry Permissions | 168 |
| Best Practices | 169 |
| Additional Information | 169 |
| 8 Securing Services | 173 |
| Managing Service Permissions | 173 |
| Configuring the Startup Value for a Service | 175 |
| Stopping, Starting, Pausing, and Resuming Services | 176 |
| Configuring the Security Context of Services | 177 |
| Configuring the DACL for the Service | 178 |
| Default Services in Windows 2000 and Windows XP | 180 |
| Best Practices | 202 |
| Additional Information | 203 |
| 9 Implementing TCP/IP Security | 205 |
| Securing TCP/IP | 205 |
| Understanding Internet Layer Protocols | 206 |
| Understanding Transport Layer Protocols | 209 |
| Common Threats to TCP/IP | 212 |
| Configuring TCP/IP Security in Windows 2000 and Windows XP | 215 |
| Using IPSec | 225 |
| Securing Data Transmission with IPSec Protocols | 226 |
| Choosing Between IPSec Modes | 229 |
| Selecting an IPSec Authentication Method | 230 |
| Creating IPSec Policies | 231 |
| How IPSec Works | 235 |
| Monitoring IPSec | 238 |
| Best Practices | 240 |
| Additional Information | 241 |
| 10 Securing Microsoft Internet Explorer 6 and Microsoft Office XP | 243 |
| Security Settings in Internet Explorer 6 | 243 |
| Privacy Settings | 243 |
| Security Zones | 247 |
| Configuring Privacy and Security Settings in Internet Explorer 6 | 262 |
| Security Settings in Office XP | 263 |
| Configuring ActiveX and Macros Security | 263 |
| Configuring Security for Outlook 2002 | 266 |
| Best Practices | 267 |
| Additional Information | 267 |
| 11 Configuring Security Templates | 269 |
| Using Security Template Settings | 269 |
| Account Policies | 270 |
| Local Policies | 273 |
| Event Log | 288 |
| Restricted Groups | 289 |
| System Services | 289 |
| Registry | 290 |
| File System | 290 |
| Public Key Policies | 290 |
| IP Security Policies | 291 |
| How Security Templates Work | 291 |
| Applying Security Templates to a Local Computer | 291 |
| Applying Security Templates by Using Group Policy | 295 |
| Default Security Templates | 296 |
| Creating Custom Security Templates | 298 |
| Adding Registry Entries to Security Options | 298 |
| Adding Services, Registry Values, and Files to Security Templates | 301 |
| Best Practices | 301 |
| Additional Information | 302 |
| 12 Auditing Microsoft Windows Security Events | 305 |
| Determining Which Events to Audit | 306 |
| Managing the Event Viewer | 307 |
| Determining the Storage Location | 308 |
| Determining the Maximum Log File Size | 308 |
| Configuring the Overwrite Behavior | 308 |
| Configuring Audit Policies | 310 |
| Auditing Account Logon Events | 310 |
| Auditing Account Management Events | 315 |
| Auditing Directory Service Access | 317 |
| Auditing Logon Events | 318 |
| Auditing Object Access | 320 |
| Auditing Policy Change | 322 |
| Auditing Privilege Use | 323 |
| Auditing Process Tracking | 324 |
| Auditing System Events | 325 |
| How to Enable Audit Policies | 326 |
| Monitoring Audited Events | 328 |
| Using the Event Viewer | 328 |
| Using Custom Scripts | 329 |
| Using Event Comb | 329 |
| Best Practices | 333 |
| Additional Information | 334 |
| 13 Securing Mobile Computers | 335 |
| Understanding Mobile Computers | 335 |
| Increase in the Possibility of Being Lost or Stolen | 335 |
| Difficulty in Applying Security Updates | 337 |
| Exposure to Untrusted Networks | 338 |
| Eavesdropping on Wireless Connectivity | 338 |
| Implementing Additional Security for Laptop Computers | 339 |
| Hardware Protection | 339 |
| Boot Protection | 341 |
| Data Protection | 343 |
| User Education | 345 |
| Securing Wireless Networking in Windows XP | 346 |
| Using Wireless Zero Configuration in Windows XP | 346 |
| Configuring Security for 802.11 Wireless Network Connectivity | 347 |
| Configuring 802.11 Security with 802.1x | 350 |
| Best Practices | 352 |
| Additional Information | 352 |
| PART IV SECURING COMMON SERVICES | |
| 14 Implementing Security for Domain Controllers | 357 |
| Threats to Domain Controllers | 357 |
| Modification of Active Directory Objects | 358 |
| Password Attacks | 358 |
| Denial-of-Service Attacks | 358 |
| Replication Prevention Attacks | 358 |
| Exploitation of Known Vulnerabilities | 359 |
| Implementing Security on Domain Controllers | 359 |
| Providing Physical Security | 359 |
| Increasing the Security of Stored Passwords | 360 |
| Eliminating Nonessential Services | 361 |
| Applying Security Settings by Using Group Policy | 363 |
| Protecting Against the Failure of a Domain Controller | 363 |
| Implementing Syskey | 364 |
| Securing Built-In Accounts and Groups | 364 |
| Enabling Auditing | 366 |
| Securing Active Directory Communications | 366 |
| Best Practices | 369 |
| Additional Information | 370 |
| 15 Implementing Security for DNS Servers | 373 |
| Threats to DNS Servers | 374 |
| Modification of DNS Records | 375 |
| Zone Transfer of DNS Data by an Unauthorized Server | 375 |
| Exposure of Internal IP Addressing Schemes | 375 |
| Denial-of-Service Attacks Against DNS Services | 376 |
| Securing DNS Servers | 376 |
| Implementing Active Directory-Integrated Zones | 376 |
| Implementing Separate Internal and External DNS Name Servers | 377 |
| Restricting Zone Transfers | 378 |
| Implementing IPSec Between DNS Clients and DNS Servers | 379 |
| Restricting DNS Traffic at the Firewall | 380 |
| Limiting Management of DNS | 381 |
| Protecting the DNS Cache | 381 |
| Best Practices | 381 |
| Additional Information | 382 |
| 16 Implementing Security for Terminal Services | 385 |
| Threats to Terminal Services | 386 |
| Grants Excess Permissions for Users | 386 |
| Allows Bypass of Firewall Security | 386 |
| Uses a Well-Known Port | 387 |
| Requires the Log On Locally User Right | 387 |
| Provides an Attacker with a Full Windows Desktop | 387 |
| Securing Terminal Services | 387 |
| Choosing the Correct Terminal Services Mode | 388 |
| Restricting Which Users and Groups Have the Log On Locally User Right | 389 |
| Preventing Remote Control on Terminal Servers | 389 |
| Restricting Which Applications Can Be Executed | 390 |
| Implementing the Strongest Form of Encryption | 392 |
| Strengthening the Security Configuration of the Terminal Server | 393 |
| Best Practices | 393 |
| Additional Information | 394 |
| 17 Implementing Security for DHCP Servers | 397 |
| Threats to DHCP Servers | 398 |
| Unauthorized DHCP Servers | 398 |
| DHCP Servers Overwriting Valid DNS Resource Records | 399 |
| DHCP Not Taking Ownership of DNS Resource Records | 399 |
| Unauthorized DHCP Clients | 400 |
| Securing DHCP Servers | 400 |
| Keeping Default Name Registration Behavior | 401 |
| Determining Whether to Use the DNSUpdateProxy Group | 401 |
| Avoiding Installation of DHCP on Domain Controllers | 401 |
| Reviewing DHCP Database for BAD_ADDRESS Entries | 403 |
| Monitoring Membership in the DHCP Administrators Group | 403 |
| Enabling DHCP Auditing | 404 |
| Best Practices | 404 |
| Additional Information | 405 |
| 18 Implementing Security for WINS Servers | 407 |
| Threats to WINS Servers | 409 |
| Preventing Replication Between WINS Servers | 409 |
| Registration of False NetBIOS Records | 409 |
| Incorrect Registration of WINS Records | 409 |
| Modification of WINS Configuration | 410 |
| Securing WINS Servers | 410 |
| Monitor Membership in the WINS Admins Group | 410 |
| Validate WINS Replication Configuration | 410 |
| Eliminate NetBIOS Applications and Decommission Them | 411 |
| Best Practices | 411 |
| Additional Information | 412 |
| 19 Implementing Security for Routing and Remote Access | 413 |
| Remote Access Solution Components | 413 |
| Authentication Protocols | 414 |
| VPN Protocols | 415 |
| Client Software | 416 |
| Server Services and Software | 417 |
| Threats to Remote Access Solutions | 417 |
| Authentication Interception | 418 |
| Data Interception | 418 |
| Bypass of the Firewall to the Private Network | 419 |
| Nonstandardized Policy Application | 419 |
| Network Perimeter Extended to Location of Dial-In User | 420 |
| Denial of Service Caused by Password Attempts | 420 |
| Stolen Laptops with Saved Credentials | 420 |
| Securing Remote Access Servers | 421 |
| Implementing RADIUS Authentication and Accounting | 421 |
| Securing RADIUS Authentication Traffic Between the Remote Access Server and the RADIUS Server | 422 |
| Configuring a Remote Access Policy | 422 |
| Deploying Required Certificates for L2TP/IPSec | 425 |
| Restricting Which Servers Can Run RRAS | 427 |
| Implementing Remote Access Account Lockout | 428 |
| Securing Remote Access Clients | 428 |
| Configuring the CMAK Packages | 429 |
| Implementing Strong Authentication | 429 |
| Deploying Required Certificates | 429 |
| Best Practices | 430 |
| Additional Information | 431 |
| 20 Implementing Security for Certificate Services | 433 |
| Threats to Certificate Services | 433 |
| Compromise of a CA's Key Pair | 434 |
| Attacks Against Servers Hosting CRLs and CA Certificates | 434 |
| Attempts to Modify the CA Configuration | 434 |
| Attempts to Modify Certificate Template Permissions | 434 |
| Attacks that Disable CRL Checking | 434 |
| Addition of Nontrusted CAs to the Trusted Root CA Store | 435 |
| Issuance of Fraudulent Certificates | 435 |
| Publication of False Certificates to Active Directory | 435 |
| Securing Certificate Services | 435 |
| Implementing Physical Security Measures | 436 |
| Implementing Logical Security Measures | 436 |
| Modifying CRL and CA Certificate Publication Points | 437 |
| Enabling CRL Checking in All Applications | 437 |
| Managing Permissions of Certificate Templates | 437 |
| Best Practices | 438 |
| Additional Information | 438 |
| 21 Implementing Security for Microsoft IIS 5.0 | 441 |
| Implementing Windows 2000 Security | 442 |
| Minimizing Services | 442 |
| Defining User Accounts | 443 |
| Securing the File System | 444 |
| Applying Specific Registry Settings | 446 |
| Configuring IIS Security | 447 |
