買這商品的人也買了...
-
$1,411$1,337 -
$980$774 -
$2,380$2,261 -
$490$417 -
$560$504 -
$690$587 -
$750$638 -
$590$466 -
$2,320$2,204 -
$600$540 -
$720$569 -
$560$442 -
$290$261 -
$750$675 -
$490$382 -
$560$504 -
$2,320$2,204 -
$900CCNP Self-Study: Building Cisco Remote Access Networks (BCRAN), 2/e (Hardcover)
-
$480$379 -
$750$593 -
$2,320$2,204 -
$900CCNP Self-Study : Building Scalable Cisco Internetworks (BSCI), 2/e
-
$590$460 -
$420$420 -
$560$442
相關主題
商品描述
Description:
Help maximize security for Windows-based systems, services, and networks?with tools and resources direct from Microsoft.
Get the in-depth information and tools you need to help secure Microsoft®
Windows®–based clients, servers, networks, and Internet services with expertise
from those who know the technology best—the Microsoft Security Team. These
expert authors prescribe how to plan and implement a comprehensive
security-management strategy—from identifying risks to configuring security
technologies, applying security best practices, and monitoring and responding to
security incidents. The kit also provides essential security tools, scripts, and
other on-the-job resources—all designed to help maximize data and system
security while minimizing downtime and costs.
• Gain a framework for
understanding security threats and vulnerabilities and applying countermeasures
• Help protect servers, desktops, and laptops by configuring permissions,
security templates, TCP/IP settings, and application-level security
•
Implement security enhancements for domain controllers, Microsoft Internet
Information Services 5.0, Windows Terminal Services, and DNS, DHCP, WINS, RAS,
VPN, and certificate servers
• Help secure Active Directory® objects,
attributes, domains, and forests; use Group Policy; manage user accounts and
passwords
• Develop an auditing strategy and incident response team
•
Utilize security assessment tools, detect and respond to internal and external
security incidents, and recover services
• Create a process for deploying and
managing security updates
•Help establish your enterprise privacy
strategy
CD-ROM features:
50+ tools and scripts from the Microsoft
Security Team and the Microsoft Windows Resource Kits, including:
•
Subinacl.exe—view and help maintain security on files, registry keys, and
services from the command line or in batch files
• Ntrights.exe—set user
rights from the command line or in batch files
• EventcombMT.exe—collect and
search event logs from multiple computers through a GUI
• Scripts for
configuring security
Plus, a fully searchable eBook
Table of Contents:
Foreword | xix |
Acknowledgments | xxi |
Introduction | xxiii |
PART I APPLYING KEY PRINCIPLES OF SECURITY | |
1 Key Principles of Security | 3 |
Understanding Risk Management | 3 |
Learning to Manage Risk | 4 |
Risk Management Strategies | 6 |
Understanding Security | 8 |
Granting the Least Privilege Required | 8 |
Defending Each Network Layer | 8 |
Reducing the Attack Surface | 8 |
Avoiding Assumptions | 8 |
Protecting, Detecting, and Responding | 9 |
Securing by Design, Default, and Deployment | 9 |
The 10 Immutable Laws of Security | 9 |
The 10 Immutable Laws of Security Administration | 11 |
2 Understanding Your Enemy | 15 |
Knowing Yourself | 16 |
Accurately Assessing Your Own Skills | 16 |
Possessing Detailed Documentation of Your Network | 16 |
Understanding the Level of Organizational Support You Receive | 17 |
Identifying Your Attacker | 17 |
Understanding External Attackers | 19 |
Understanding Internal Attackers | 20 |
What Motivates Attackers? | 21 |
Notoriety, Acceptance, and Ego | 22 |
Financial Gain | 23 |
Challenge | 24 |
Activism | 25 |
Revenge | 25 |
Espionage | 25 |
Information Warfare | 26 |
Why Defending Networks Is Difficult | 27 |
Attackers Have Unlimited Resources | 27 |
Attackers Need to Master Only One Attack | 27 |
Defenders Cannot Take the Offensive | 27 |
Defenders Must Serve Business Goals | 28 |
Defenders Must Win All the Time | 29 |
PART II SECURING ACTIVE DIRECTORY | |
3 Securing User Accounts and Passwords | 33 |
Securing Accounts | 33 |
Understanding Security Identifiers | 34 |
Understanding Access Tokens | 36 |
Configuring Account Security Options | 38 |
Securing Administrative Accounts | 40 |
Implementing Password Security | 43 |
Granting Rights and Permissions Using Groups | 49 |
User Rights and Permissions | 50 |
Group Types and Scope | 55 |
Implementing Role-Based Security in Windows 2000 | 64 |
Securing Passwords | 67 |
Understanding Authentication | 67 |
Storing Secrets in Windows | 77 |
Best Practices | 80 |
Additional Information | 81 |
4 Securing Active Directory Objects and Attributes | 83 |
Understanding the Active Directory Schema | 83 |
Attributes | 84 |
Classes | 84 |
Configuring DACLs to Secure Active Directory Objects | 86 |
What Are DACLs? | 87 |
How DACLs Work | 90 |
Securing Active Directory Objects and Attributes | 91 |
Configuring Default DACLs on Objects and Attributes | 91 |
Securing Objects After Being Created | 93 |
Configuring DACLs from the Command Line | 94 |
Best Practices | 96 |
Additional Information | 97 |
5 Implementing Group Policy | 99 |
Understanding Group Policy | 99 |
Computer-Related Group Policies | 100 |
User-Related Group Policies | 102 |
Using Group Policy Containers | 104 |
Processing Group Policy Objects | 106 |
Initial Group Policy Application | 106 |
Group Policy Refresh | 107 |
On-Demand Processing | 107 |
Altering Group Policy Application | 108 |
Block Inheritance | 108 |
No Override | 109 |
Group Policy Object Filtering | 109 |
Loopback Mode Processing | 110 |
Managing Group Policy | 111 |
Default Group Policy Permissions | 111 |
Delegating Group Policy Management | 112 |
Best Practices | 113 |
Additional Information | 113 |
6 Designing Active Directory Forests and Domains for Security | 115 |
Autonomy and Isolation in Active Directory | 115 |
Designing Forests for Active Directory Security | 116 |
Enterprise Administration Boundaries and Isolation of Authority | 117 |
Default Permissions and Schema Control | 117 |
Global Catalog Boundaries | 118 |
Domain Trust Requirements | 118 |
Domain Controller Isolation | 119 |
Protection of the Forest Root Domain | 119 |
Designing Domains for Active Directory Security | 121 |
Designing DNS for Active Directory Security | 123 |
Single Namespace | 125 |
Delegated Namespace | 125 |
Internal Namespace | 125 |
Segmented Namespace | 125 |
Designing the Delegation of Authority | 126 |
Best Practices | 128 |
Additional Information | 130 |
PART III SECURING THE CORE OPERATING SYSTEM | |
7 Securing Permissions | 135 |
Securing File and Folder Permissions | 135 |
How DACLs Work | 140 |
Assigning DACLs at Creation | 141 |
How DACLs Are Handled When Files and Folders Are Copied or Moved | 142 |
Command-Line Tools | 143 |
Default File and Folder Permissions | 148 |
Securing Files and Folder Access by Using Share Permissions | 155 |
Using the Encrypting File System | 156 |
How EFS Works | 157 |
EFS Command-Line Tools | 159 |
Additional EFS Features in Windows XP | 162 |
Introduction to Designing a Data Recovery Agent Policy | 165 |
Securing Registry Permissions | 166 |
Configuring Registry Permissions | 168 |
Best Practices | 169 |
Additional Information | 169 |
8 Securing Services | 173 |
Managing Service Permissions | 173 |
Configuring the Startup Value for a Service | 175 |
Stopping, Starting, Pausing, and Resuming Services | 176 |
Configuring the Security Context of Services | 177 |
Configuring the DACL for the Service | 178 |
Default Services in Windows 2000 and Windows XP | 180 |
Best Practices | 202 |
Additional Information | 203 |
9 Implementing TCP/IP Security | 205 |
Securing TCP/IP | 205 |
Understanding Internet Layer Protocols | 206 |
Understanding Transport Layer Protocols | 209 |
Common Threats to TCP/IP | 212 |
Configuring TCP/IP Security in Windows 2000 and Windows XP | 215 |
Using IPSec | 225 |
Securing Data Transmission with IPSec Protocols | 226 |
Choosing Between IPSec Modes | 229 |
Selecting an IPSec Authentication Method | 230 |
Creating IPSec Policies | 231 |
How IPSec Works | 235 |
Monitoring IPSec | 238 |
Best Practices | 240 |
Additional Information | 241 |
10 Securing Microsoft Internet Explorer 6 and Microsoft Office XP | 243 |
Security Settings in Internet Explorer 6 | 243 |
Privacy Settings | 243 |
Security Zones | 247 |
Configuring Privacy and Security Settings in Internet Explorer 6 | 262 |
Security Settings in Office XP | 263 |
Configuring ActiveX and Macros Security | 263 |
Configuring Security for Outlook 2002 | 266 |
Best Practices | 267 |
Additional Information | 267 |
11 Configuring Security Templates | 269 |
Using Security Template Settings | 269 |
Account Policies | 270 |
Local Policies | 273 |
Event Log | 288 |
Restricted Groups | 289 |
System Services | 289 |
Registry | 290 |
File System | 290 |
Public Key Policies | 290 |
IP Security Policies | 291 |
How Security Templates Work | 291 |
Applying Security Templates to a Local Computer | 291 |
Applying Security Templates by Using Group Policy | 295 |
Default Security Templates | 296 |
Creating Custom Security Templates | 298 |
Adding Registry Entries to Security Options | 298 |
Adding Services, Registry Values, and Files to Security Templates | 301 |
Best Practices | 301 |
Additional Information | 302 |
12 Auditing Microsoft Windows Security Events | 305 |
Determining Which Events to Audit | 306 |
Managing the Event Viewer | 307 |
Determining the Storage Location | 308 |
Determining the Maximum Log File Size | 308 |
Configuring the Overwrite Behavior | 308 |
Configuring Audit Policies | 310 |
Auditing Account Logon Events | 310 |
Auditing Account Management Events | 315 |
Auditing Directory Service Access | 317 |
Auditing Logon Events | 318 |
Auditing Object Access | 320 |
Auditing Policy Change | 322 |
Auditing Privilege Use | 323 |
Auditing Process Tracking | 324 |
Auditing System Events | 325 |
How to Enable Audit Policies | 326 |
Monitoring Audited Events | 328 |
Using the Event Viewer | 328 |
Using Custom Scripts | 329 |
Using Event Comb | 329 |
Best Practices | 333 |
Additional Information | 334 |
13 Securing Mobile Computers | 335 |
Understanding Mobile Computers | 335 |
Increase in the Possibility of Being Lost or Stolen | 335 |
Difficulty in Applying Security Updates | 337 |
Exposure to Untrusted Networks | 338 |
Eavesdropping on Wireless Connectivity | 338 |
Implementing Additional Security for Laptop Computers | 339 |
Hardware Protection | 339 |
Boot Protection | 341 |
Data Protection | 343 |
User Education | 345 |
Securing Wireless Networking in Windows XP | 346 |
Using Wireless Zero Configuration in Windows XP | 346 |
Configuring Security for 802.11 Wireless Network Connectivity | 347 |
Configuring 802.11 Security with 802.1x | 350 |
Best Practices | 352 |
Additional Information | 352 |
PART IV SECURING COMMON SERVICES | |
14 Implementing Security for Domain Controllers | 357 |
Threats to Domain Controllers | 357 |
Modification of Active Directory Objects | 358 |
Password Attacks | 358 |
Denial-of-Service Attacks | 358 |
Replication Prevention Attacks | 358 |
Exploitation of Known Vulnerabilities | 359 |
Implementing Security on Domain Controllers | 359 |
Providing Physical Security | 359 |
Increasing the Security of Stored Passwords | 360 |
Eliminating Nonessential Services | 361 |
Applying Security Settings by Using Group Policy | 363 |
Protecting Against the Failure of a Domain Controller | 363 |
Implementing Syskey | 364 |
Securing Built-In Accounts and Groups | 364 |
Enabling Auditing | 366 |
Securing Active Directory Communications | 366 |
Best Practices | 369 |
Additional Information | 370 |
15 Implementing Security for DNS Servers | 373 |
Threats to DNS Servers | 374 |
Modification of DNS Records | 375 |
Zone Transfer of DNS Data by an Unauthorized Server | 375 |
Exposure of Internal IP Addressing Schemes | 375 |
Denial-of-Service Attacks Against DNS Services | 376 |
Securing DNS Servers | 376 |
Implementing Active Directory-Integrated Zones | 376 |
Implementing Separate Internal and External DNS Name Servers | 377 |
Restricting Zone Transfers | 378 |
Implementing IPSec Between DNS Clients and DNS Servers | 379 |
Restricting DNS Traffic at the Firewall | 380 |
Limiting Management of DNS | 381 |
Protecting the DNS Cache | 381 |
Best Practices | 381 |
Additional Information | 382 |
16 Implementing Security for Terminal Services | 385 |
Threats to Terminal Services | 386 |
Grants Excess Permissions for Users | 386 |
Allows Bypass of Firewall Security | 386 |
Uses a Well-Known Port | 387 |
Requires the Log On Locally User Right | 387 |
Provides an Attacker with a Full Windows Desktop | 387 |
Securing Terminal Services | 387 |
Choosing the Correct Terminal Services Mode | 388 |
Restricting Which Users and Groups Have the Log On Locally User Right | 389 |
Preventing Remote Control on Terminal Servers | 389 |
Restricting Which Applications Can Be Executed | 390 |
Implementing the Strongest Form of Encryption | 392 |
Strengthening the Security Configuration of the Terminal Server | 393 |
Best Practices | 393 |
Additional Information | 394 |
17 Implementing Security for DHCP Servers | 397 |
Threats to DHCP Servers | 398 |
Unauthorized DHCP Servers | 398 |
DHCP Servers Overwriting Valid DNS Resource Records | 399 |
DHCP Not Taking Ownership of DNS Resource Records | 399 |
Unauthorized DHCP Clients | 400 |
Securing DHCP Servers | 400 |
Keeping Default Name Registration Behavior | 401 |
Determining Whether to Use the DNSUpdateProxy Group | 401 |
Avoiding Installation of DHCP on Domain Controllers | 401 |
Reviewing DHCP Database for BAD_ADDRESS Entries | 403 |
Monitoring Membership in the DHCP Administrators Group | 403 |
Enabling DHCP Auditing | 404 |
Best Practices | 404 |
Additional Information | 405 |
18 Implementing Security for WINS Servers | 407 |
Threats to WINS Servers | 409 |
Preventing Replication Between WINS Servers | 409 |
Registration of False NetBIOS Records | 409 |
Incorrect Registration of WINS Records | 409 |
Modification of WINS Configuration | 410 |
Securing WINS Servers | 410 |
Monitor Membership in the WINS Admins Group | 410 |
Validate WINS Replication Configuration | 410 |
Eliminate NetBIOS Applications and Decommission Them | 411 |
Best Practices | 411 |
Additional Information | 412 |
19 Implementing Security for Routing and Remote Access | 413 |
Remote Access Solution Components | 413 |
Authentication Protocols | 414 |
VPN Protocols | 415 |
Client Software | 416 |
Server Services and Software | 417 |
Threats to Remote Access Solutions | 417 |
Authentication Interception | 418 |
Data Interception | 418 |
Bypass of the Firewall to the Private Network | 419 |
Nonstandardized Policy Application | 419 |
Network Perimeter Extended to Location of Dial-In User | 420 |
Denial of Service Caused by Password Attempts | 420 |
Stolen Laptops with Saved Credentials | 420 |
Securing Remote Access Servers | 421 |
Implementing RADIUS Authentication and Accounting | 421 |
Securing RADIUS Authentication Traffic Between the Remote Access Server and the RADIUS Server | 422 |
Configuring a Remote Access Policy | 422 |
Deploying Required Certificates for L2TP/IPSec | 425 |
Restricting Which Servers Can Run RRAS | 427 |
Implementing Remote Access Account Lockout | 428 |
Securing Remote Access Clients | 428 |
Configuring the CMAK Packages | 429 |
Implementing Strong Authentication | 429 |
Deploying Required Certificates | 429 |
Best Practices | 430 |
Additional Information | 431 |
20 Implementing Security for Certificate Services | 433 |
Threats to Certificate Services | 433 |
Compromise of a CA's Key Pair | 434 |
Attacks Against Servers Hosting CRLs and CA Certificates | 434 |
Attempts to Modify the CA Configuration | 434 |
Attempts to Modify Certificate Template Permissions | 434 |
Attacks that Disable CRL Checking | 434 |
Addition of Nontrusted CAs to the Trusted Root CA Store | 435 |
Issuance of Fraudulent Certificates | 435 |
Publication of False Certificates to Active Directory | 435 |
Securing Certificate Services | 435 |
Implementing Physical Security Measures | 436 |
Implementing Logical Security Measures | 436 |
Modifying CRL and CA Certificate Publication Points | 437 |
Enabling CRL Checking in All Applications | 437 |
Managing Permissions of Certificate Templates | 437 |
Best Practices | 438 |
Additional Information | 438 |
21 Implementing Security for Microsoft IIS 5.0 | 441 |
Implementing Windows 2000 Security | 442 |
Minimizing Services | 442 |
Defining User Accounts | 443 |
Securing the File System | 444 |
Applying Specific Registry Settings | 446 |
Configuring IIS Security | 447 |