BKNT4NSC.RVW   20000609

"NT 4 Network Security", Matthew Strebe/Charles Perkins/Michael G. Moncur, 1999, 0-7821-2425-9, U$49.99
%A   Matthew Strebe ntsecurity@starlingtech.com
%A   Charles Perkins ntsecurity@starlingtech.com
%A   Michael G. Moncur mgm@starlingtech.com
%C   1151 Marina Village Parkway, Alameda, CA 94501
%D   1999
%G   0-7821-2425-9
%I   Sybex Computer Books
%O   U$49.99 800-227-2346 Fax: 510-523-2373 info@sybex.com
%P   940 p. + CD-ROM
%T   "NT 4 Network Security, Second Edition"

While dauntingly thick, this is a generally readable, and fairly comprehensive, introduction to security in general, and particularly to Windows NT in a networked environment. On the other hand, it sometimes has less material than you would expect.

Chapter one presents a general overview of security, touching lightly on a range of topics and indicating areas the book is going to cover. It is interesting to note that one subject seems to be left out: data and business recovery is only mentioned tangentially. For example, the NTFS disk format is noted to fully support security, but the possible problems in recovering when the disk goes bad are not mentioned.

Human security, in chapter two, covers a wide range of social factors, including an extensive discussion of password choice, and the importance of treating your employees fairly and well.

The explanation of encryption, in chapter three, deals with a number of important aspects, but is poorly structured. It also brings in a number of unrealistic factors, such as the use of quantum computers, and neglects some fairly important current developments.

A general plan for administering security is proposed in chapter four. Chapter five presents the Windows NT security model, and, while it does a better job than many other such works, it does not really provide a clear working picture. User account functions, with another look at passwords, are reviewed in chapter six.
System policy is introduced in chapter seven, but the overall operation and effect is not explained well, and the material almost immediately degenerates into a terse listing of policy options. Although chapter eight purports to examine file systems, most of it deals with setting security permissions with NTFS. Chapter nine starts to look at networking issues with workgroups and shares. Unfortunately, while the mechanics of sharing operations are clear enough, the concepts are not. Domains and trust relationships are introduced, but not very functionally, in chapter ten.

Fault tolerance, in chapter eleven, gives some basic information on various types of disk redundancy, and a few tips on backup.

Chapter twelve talks about virus protection. I am used to security texts that have numerous mistakes in this area, but I was astonished to see, at the beginning of this section, mention of a "CMOS virus" (no such thing) that infects the CMOS BIOS code. A computer's "CMOS" is the term used to refer to the small chip containing battery-supported memory, holding a small table of configuration information. This information is used by the BIOS program code, which is itself generally stored in read-only memory. (The next page actually mentions this.) CMOS memory is generally too small to hold any effective virus. In addition, it is only accessed as data, so no program that you did manage to store in the CMOS area would ever run. In any case, the text goes on to say that these viruses can obtain complete control over a computer, and cannot be removed by most antiviral software. (I suppose the statement about removal is true enough: since they don't exist, who would bother to write removal programs?)
There is also an erroneous account of the Brain virus, a two-page exegesis on Java that finally admits Java can't be used to create viral applets, a statement that NT is "immune" to file viruses (it's not), a list of antiviral types that only mentions different types of scanners (never mentioning activity monitors or change detection software), and a section on trojan software.

Remote access actually starts with a brief mention, at the end of chapter twelve, of the dangers of pcAnywhere. (Both here and in the following, there are stories of scanning local networks from home ISP service. The authors do not mention that this operation is restricted to those with cable modems.) Chapter thirteen starts off with some opining on phone phreaking, but then does move on to some reasonable information on securing dial-in situations. The material on multi-vendor networks, in chapter fourteen, does little more than assert that other operating systems have security holes, too, you know!

Chapter fifteen is an introduction to the Internet, but, because of a rather loose structure, does not present security concepts in a coherent manner. Similarly, the overview of TCP/IP, in chapter sixteen, lists a number of potential problems with the protocols but not much instruction on what to do about them. Chapter seventeen describes a rather random bag of advice on security aspects of client (non-server, or, in other words, user) machines. Then we move back into network territory with a blend of firewall and virtual private network (VPN) technology in chapter eighteen. Chapter nineteen tells us about VPNs, with a few mentions of firewalls. Microsoft BackOffice is reviewed in chapter twenty, but without much specific information about security. Chapter twenty-one lists a variety of user (application) level security loopholes. A number of attacks available at the network level are listed in chapter twenty-two.
"The Secure Server," in chapter twenty-three, looks primarily at physical security and concerns (and finally admits that NTFS can be bypassed after all). Chapter twenty-four looks at physical matters again, mostly in the TEMPEST realm (and with a little misinformation about fibre optics and fish tanks).

The authors have tried to lighten up a rather heavy topic by including humour in the text. While the remarks don't really get in the way of the content, they don't really support it, either. There is also an attempt to keep readers from getting lost in the jargon by providing "terminology" boxes throughout the book. This is helpful, but is not used as consistently as it could be. Acronyms, in particular, frequently start to appear in the text without ever having been specifically defined.

This work has better conceptual coverage than "Microsoft Windows NT 4.0 Security, Audit, and Control" by James G. Jumes et al. (cf. BKWNTSAC.RVW), and is about equal to "Windows NT Server 4 Security Handbook" by Hadfield, Hatter, and Bixler (cf. BKNT4SHB.RVW). There is better structure and more willingness to discuss flaws than is apparent in the "Windows NT Security Guide" by Stephen A. Sutton (cf. BKWNTSCG.RVW). It has perhaps the same level of quality as, and is certainly larger than, "Windows NT Security" by Charles B. Rutstein (cf. BKWNTSEC.RVW), but there is not as much depth in places. "PCWeek Microsoft Windows NT Security," by Lambert and Patel (cf. BKPWNTSG.RVW), has better material in significantly less space. In terms of Internet material, it is about the same as "Internet Security with Windows NT," by Mark Joseph Edwards (cf. BKINSCNT.RVW), although it could hardly be worse.

In general it is a good, useful guide, but there are still a number of holes to patch.

copyright Robert M. Slade, 2000