BKWNTSAC.RVW 990409

"Microsoft Windows NT 4.0 Security, Audit, and Control", James G. Jumes et al, 1999, 1-57231-818-X, U$49.99/C$71.99/UK#45.99
%A James G. Jumes
%A Neil F. Cooper
%A Paula Chamoun
%A Todd M. Feinman
%C 1 Microsoft Way, Redmond, WA 98052-6399
%D 1999
%G 1-57231-818-X
%I Microsoft Press
%O U$49.99/C$71.99/UK#45.99 800-6777377 fax: 206-936-7329
%P 318 p.
%S Technical Reference
%T "Microsoft Windows NT 4.0 Security, Audit, and Control"

The primary audience described in the introduction seems to be security professionals. However, system administrators, technology managers, and CIOs are mentioned as well. The attempt at breadth of coverage usually does not bode well in works like these.

Chapter one discusses an information security model based upon the business (and other) objectives of the institution in question. While valid as far as it goes, and even possibly helpful when formulating security policy, this by no means provides a structure from which to view either security policy or procedures, let alone implement a complex set of controls. The widget company, beloved of management writers, is described in chapter two. For the purposes of assessing security in real world working environments, this particular widget company seems to be astoundingly simple and homogeneous. Chapter three starts out talking reasonably about security policy, starts to get flaky in risk assessment (I would definitely worry about a .45 chance of an earthquake), and tails off into trivia.

Monitoring, in chapter four, looks first at system performance and diagnostics, and then gets into event logging without really going into the concepts. Many areas of physical security are left uncovered in chapter five. Chapter six discusses domains, trust relationships, and remote access permissions. Dialogue boxes for user accounts and groups are listed in chapter seven. There is some mention of the commonly "received wisdom" in regard to these topics, as there is in chapter eight regarding account policies, but nothing very significant.

File system, share, and other resource control is covered in chapter nine. Chapter ten is a bit of a grab bag without much focus. The registry is reviewed in chapter eleven. Chapter twelve looks briefly at power supplies and backups. Although it talks about auditing, chapter thirteen is more of a checklist of security features to think about. Appendix A is a bit better in this regard: it lists recommended settings across a number of functions for six different types of systems.

There is some discussion of options as the various functions are addressed, so, in a sense, this is a start towards full coverage of NT security. It has a long way to go, though. In addition, the deliberation comes at the cost of a loss of some detail in terms of security implementation.

copyright Robert M. Slade, 1999 BKWNTSAC.RVW 990409