
Protect Your Windows Network: From Perimeter to Data




  • Sorry, this book is no longer in print.
Not for Sale



A revolutionary, soup-to-nuts approach to network security from two of Microsoft's leading security experts

  • The authors are the two most widely known security experts at Microsoft, and will be promoting this book extensively

  • Provides a unique approach to network security, covering all seven layers of the Defense in Depth model

  • Contains information on topics not covered in other books, such as Network Threat Modeling, the Defense in Depth Model, and security dependencies


  • Copyright 2005
  • Dimensions: 7" x 9-1/4"
  • Pages: 608
  • Edition: 1st
  • Book
  • ISBN-10: 0-321-33643-7
  • ISBN-13: 978-0-321-33643-9

While there are a lot of books available on network security, most of them take
the approach of focusing on the attacks, on the hacks, and responding to those
on a one-by-one basis. This book does just the opposite, focusing on a holistic
approach to protecting your entire network. It covers all seven layers of the
Defense in Depth (DID) Model, as well as other material not covered in any
other books. DID refers to a system of combining defenses to provide added
protection. Since there are then multiple barriers between the attacker and the
attacked, this increases the level of security, and increases the cost of the attack
to the attacker. The authors are two senior members of Microsoft's Security
and Business Technology Unit (SBTU), and are among the most sought-after
speakers for security conferences. With security being such a strong focus at
Microsoft, this book is destined to become the standard guide for all network
administrators and architects who want to have the most secure Windows
network possible.

Sample Content

Online Sample Chapters

Anatomy Of A Hack—The Rise And Fall Of Your Network

The Fundamental Reasons for Protecting Your Windows Network


Table of Contents


About the Authors.



1. Introduction to Network Protection.

    Why Would Someone Attack Me?

    Nobody Will Ever Call You to Tell You How Well the Network Is Working

    Introduction to the Defense-in-Depth Model

    The Defender's Dilemma


    What You Should Do Today

2. Anatomy of a Hack-The Rise and Fall of Your Network.

    What a Penetration Test Will Not Tell You

    Why You Need To Understand Hacking

    Target Network

    Network Footprinting

    Initial Compromise

    Elevating Privileges

    Hacking Other Machines

    Taking Over the Domain


    How to Get an Attacker Out of Your Network


    What You Should Do Today

3. Rule Number 1: Patch Your Systems.

    Patches Are a Fact of Life

    Exercise Good Judgment

    What Is a Patch?

    Patch Management Is Risk Management

    Tools to Manage Security Updates

    Advanced Tips and Tricks



    What You Should Do Today


4. Developing Security Policies.

    Who Owns Developing Security Policy

    What a Security Policy Looks Like

    Why a Security Policy Is Necessary

    Why So Many Security Policies Fail

    Analyzing Your Security Needs to Develop Appropriate Policies

    How to Make Users Aware of Security Policies

    Procedures to Enforce Policies

    Dealing with Breaches of Policy

    More Information


    What You Should Do Today

5. Educating Those Pesky Users.

    System Administration ≠ Security Administration

    Securing People

    The Problem

    Protecting People

    Plausibility + Dread + Novelty = Compromise

    Things You Should Do Today


6. If You Do Not Have Physical Security, You Do Not Have Security.

    But First, a Story

    It's a Fundamental Law of Computer Security

    The Importance of Physical Access Controls

    Protecting Client PCs

    The Case of the Stolen Laptop

    The Family PC

    No Security, Physical or Otherwise, Is Completely Foolproof

    Things You Should Do Today

7. Protecting Your Perimeter.

    The Objectives of Information Security

    The Role of the Network

    Start with (What's Left of) Your Border

    Next, Use the Right Firewall

    Then, Consider Your Remote Access Needs

    Finally, Start Thinking About "Deperimeterization"

    Things You Should Do Today


8. Security Dependencies.

    Introduction to Security Dependencies

    Administrative Security Dependencies

    Service Account Dependencies

    Mitigating Service and Administrative Dependencies

    Other Security Dependencies


    What You Should Do Today

9. Network Threat Modeling.

    Network Threat Modeling Process

    Document Your Network

    Segment Your Network

    Restrict Access to Your Network


    What You Should Do Today

10. Preventing Rogue Access Inside the Network.

    The Myth of Network Sniffing

    Network Protection at Layers 2 and 3

    Using 802.1X for Network Protection

    Using IPsec for Network Protection

    Network Quarantine Systems


    What You Should Do Today

11. Passwords and Other Authentication Mechanisms-The Last Line of Defense.


    Password Basics

    Password History

    What Administrators Need to Know About Passwords

    Password Best Practices

    Recommended Password Policy

    Better Than Best Practices-Multifactor Authentication


    What You Should Do Today


12. Server and Client Hardening.

    Security Configuration Myths

    On to the Tweaks

    Top 10 (or so) Server Security Tweaks

    Top 10 (or so) Client Security Tweaks

    The Caution List-Changes You Should Not Make

    Security Configuration Tools


    What You Should Do Today


13. Protecting User Applications.

    Patch Them!

    Make Them Run As a Nonadmin

    Turn Off Functionality

    Restrict Browser Functionality

    Attachment Manager


    Security Between Chair and Keyboard (SeBCAK)


    What You Should Do Today

14. Protecting Services and Server Applications.

    You Need a Healthy Disrespect for Your Computer

    Rule 1: All Samples Are Evil

    Three Steps to Lowering the Attack Surface

    What About Service Accounts?

    Privileges Your Services Do Not Need

    Hardening SQL Server 2000

    Hardening IIS 5.0 and 6.0


    What You Should Do Today

15. Security for Small Businesses.

    Protect Your Desktops and Laptops

    Protect Your Servers

    Protect Your Network

    Keep Your Data Safe

    Use the Internet Safely

    Small Business Security Is No Different, Really

    What You Should Do Today

16. Evaluating Application Security.

    Caution: More Software May Be Hazardous to Your Network Health

    Baseline the System

    Things to Watch Out For


    What You Should Do Today


17. Data-Protection Mechanisms.

    Security Group Review

    Access Control Lists

    Layers of Access Control

    Access Control Best Practices

    Rights Management Systems

    Incorporating Data Protection into Your Applications

    Protected Data: Our Real Goal

    What You Should Do Today

Appendix A: How to Get Your Network Hacked in 10 Easy Steps.

Appendix B: Script To Revoke SQL Server PUBLIC Permissions.

Appendix C. HOSTS file to Block Spyware.

Appendix D. Password Generator Tool.

    -g (Generate Password Based on Known Input)

    -r (Generate Random Password)

    -s (Set a Password on an Account and/or Service)

    Security Information

    Usage Scenarios

Appendix E: 10 Immutable Laws of Security.

    Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

    Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

    Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

    Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.

    Law #5: Weak passwords trump strong security.

    Law #6: A computer is only as secure as the administrator is trustworthy.

    Law #7: Encrypted data is only as secure as the decryption key.

    Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

    Law #9: Absolute anonymity isn't practical, in real life or on the Web.

    Law #10: Technology is not a panacea.



More than a year ago now, I (Jesper) decided that I was finally going to write a book on security. Partially it was because I was getting tired of answering the same questions over and over again, partially because I thought I had something unique to say, and partially because I am hoping to buy a small boat with the proceeds.

After writing the outline and the first chapter, I decided that I needed a co-author to help out, particularly because I simply do not know nearly as much as I would like about certain topics. Because Steve had already had his own thoughts about writing a book, this was a great match. Steve is a perfect complement in the sense that both of us started the same way, in networking, but unlike myself, who went into IT so I could avoid having to deal with people, Steve is actually an extrovert who loves to figure out how to protect people from people. Of course, both of us enjoy debating controversial opinions, mostly just for the thrill of the argument. Working together, the book slowly started to take shape.

The book is focused around the defense-in-depth model we helped develop and refine in our work at Microsoft, and it gives a logical flow to the book that helps in building an overall security strategy, something both of us believed was lacking in the current literature. You get only so much security if you concentrate solely on the technology; the people and the processes are equally important. Indeed, without thought in those two areas, most of the technology you deploy to protect information systems will fail to do what you intend—it will only give you a false sense of security, which in fact can be more dangerous than no security at all.

Much of what you see in these pages has been said before, in various presentations. Both of us travel the world to deliver speeches on security, and if you have ever heard us you will no doubt recognize some of the things you will read in these pages. In a sense, the book is the lecture notes everyone who has heard our presentations keeps asking for. Of course, those notes are sorely needed because most of our presentations are increasingly light on slides to avoid that all-too-common malady: death by PowerPoint.

Everyone we know who has written a book always says in the foreword that their first book is one they wanted to write for a long time. (We are now wondering what's left for us to write in our second book.) That is good, because it takes a long time to write a book. Neither of us thought that we had the competency to write one until recently, so it is not really true that we have wanted to write it for a long time. We have certainly thought about security for a long time, though, and you could certainly say that we wanted to learn enough about it for a long time to have something meaningful to say. After we had spent a few years talking to people, it was clear that security is an area that is fraught with misunderstandings (as we see them) and snake oil (pseudo-solutions that do not do what they purport to do at best, and are harmful at worst).

We find this type of "security theater" all around us. Consider, for instance, next time you go through an airport security check, who would be capable of causing more damage: a 92-year-old great-grandmother with a pair of cuticle scissors, or a 22-year-old martial arts black belt? They will confiscate the cuticle scissors, but they will allow the martial arts champion on the plane without putting him in shackles first. Some secure facilities will confiscate USB drives (and GPS receivers—why in the world?) "for security reasons," but they allow 80 GB FireWire (i1394) drives through because the security personnel cannot imagine any "threats" associated with digital music players. Many organizations have a password policy that requires users to use passwords too long and complicated to remember (and then routinely complain about the expense of resetting locked-out accounts), they block any kind of information gathering from ancient operating systems, and they do it all on computers that have not been patched for more than a year! It may appear that they are providing security but in reality this is nothing more than security theater.

We finally decided that the right way to dispel these myths was to write a book. At the time, it seemed like a really good idea, and we are sure that at some point it will seem like a good idea again.

Target Audience and Objective
This book is targeted at anyone who has the unfortunate yet delightful task of having to manage the security of a computer system or network of systems. Because we deal almost exclusively with relatively large networks running primarily some flavor of Microsoft Windows, the book focuses on that type of environment. However, we hope that just about anyone involved in managing security will find something of value in these pages.

Security in information technology is an evolving field; so evolving, in fact, that there is not really a clear name for it. Some people, ourselves included sometimes, call it information security (infosec). We like that term, because protecting information is the ultimate goal. However, it is also important to protect the data before it becomes information, and it is important to protect the resources and functionality provided by the systems in the network, and infosec does not capture that very well. Computer security gives us a connotation of protecting a single computer, and single computers simply are not that interesting today. Others call the field distributed systems security. However, as we explain in Chapter 1, "Introduction to Network Protection," we think distributed systems is a terrible idea from a security perspective and we want to avoid that term. Thus, we stuck with network security, which means protecting all the assets in the network.

Just as with the name of the field, many other issues are up for debate in network security. Therefore, what you will find in these pages is often our opinion of what is correct. Nowhere is this more pronounced than in Chapter 12, "Server and Client Hardening," but you will find the same phenomenon elsewhere. You may already have an opinion that is not the same as ours, or you may not. The point is not so much to persuade you that our opinion is correct as it is to make you think about the whole picture. If you do that, and come to a conclusion that is different from ours, then our objective has been met. We simply are trying to make you challenge the perceived (often outdated) wisdom and form a conclusion that helps you better protect your network.

What Is on the CD
The CD has a few tools that we wrote, partially because we needed a break from writing chapters, and partially because we thought they would be fun to write. Hopefully you will find some of these useful:

• A HOSTS file a friend of ours gave us to black hole many spyware sites. It simply maps all their DNS names to localhost thus preventing the machine from accessing them. Just copy it into %systemroot%\system32\drivers\etc to use it. You can get an even bigger one at http://www.mvps.org/winhelp2002, and we recommend you update your HOSTS file from there every week or so.

• A password generator. Passgen is an enterprise-class, command-line password manager. We discuss it more in Chapter 11, "Passwords and Other Authentication Mechanisms—The Last Line of Defense," and Chapter 8, "Security Dependencies." Also look at the readme for more information.

• An SQL script to revoke all permissions from the public login. Use with care, but it is fun to see how much public has access to. You use it by pasting it into a Query Analyzer window. It will generate another query as output. If you copy and paste the output into another Query Analyzer window and run it, all the public permissions are revoked.

• A slipstreaming tool. Like passgen, it is another custom tool developed specifically for the book. This VBScript is used to create on-disk operating system installations that already have all the patches applied—which turns out to be an involved process if you do it by hand. Instead, run the slipstream script, tell it where the source files are, where the patches are, and which service pack and operating system you are building; it will automatically build an on-disk install that has all the patches. We wrote this in VBScript because we figured it would be small and short. 1,100 lines of code later, we simply were not interested in rewriting it in a cooler and more efficient language.

We hope you will find these tools useful. They are licensed for your use within the organization that pays for the book. Please respect intellectual property rights and do not spread them around. Likewise, if you receive a copy of one of these tools from somewhere other than the CD, do not run it until you verify its authenticity. The SHA-1 hash of the slipstream tool is ddcf0bbaa4f09319f0d804df79ae60692748dbc9, and the one of the passgen tool is a10baed3102b2183569077a3fbe18113a658ed5d. If you get a copy of either tool with a different SHA-1 hash, do not use it! Instead, send us an e-mail at ProtectYourNetwork@hotmail.com, and we will get you a legitimate copy.
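The authenticity check the preface asks for, as an added Python example that is not one of the book's CD tools: it hashes a local copy of each tool and compares the result against the SHA-1 values quoted above in constant time. The file names are assumptions, since the preface does not name the files; the expected digests are the ones published in the preface.

```python
import hashlib
import hmac
from pathlib import Path

# Expected SHA-1 digests as published in the book's preface. The file
# names are assumptions: the preface does not say what the tools are called.
EXPECTED_SHA1 = {
    "slipstream.vbs": "ddcf0bbaa4f09319f0d804df79ae60692748dbc9",
    "passgen.exe": "a10baed3102b2183569077a3fbe18113a658ed5d",
}


def sha1_of_file(path):
    """Return the lowercase hex SHA-1 of a file, read in 64 KiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tool(path, expected_hex):
    """True only if the file's SHA-1 equals the published value.

    Both hex strings are lower-cased first, and hmac.compare_digest is used
    so the comparison time does not depend on where the digests diverge.
    """
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


def check_cd_tools(directory):
    """Check every known tool under `directory`; returns {name: status}.

    status is "ok", "MISMATCH" (do not run that copy), or "missing".
    """
    results = {}
    for name, expected in EXPECTED_SHA1.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif verify_tool(path, expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in check_cd_tools(target).items():
        print(f"{name}: {status}")
```

A matching SHA-1 rules out accidental corruption and casual tampering, but SHA-1 is no longer collision resistant, so for anything newer than this 2005 CD prefer a signature or a SHA-256 digest from the publisher.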

Once we had all the material, the drive, the marital buy-off, and all the other pieces for the book together, we were still missing one thing: a publisher. Karen Gettman at Addison-Wesley has seen us speak numerous times and has bugged us for a couple years to write for her; we are immensely indebted to her for giving us a chance and for letting us have almost unlimited artistic license in what we were doing.

We are also extremely grateful to our reviewers, particularly Susan Bradley, one of the sharpest and most vocal MVPs Microsoft has. As Michael Howard once noted about Jesper in the introduction to the first edition of Writing Secure Code, Susan read every single word, sentence, chapter, and paragraph, and had comments on every single word, sentence, chapter, and paragraph—and plenty of comments about things not in the book as well. If the book makes sense to system administrators in small businesses, it is entirely because of Susan. If it does not, it is our fault. We also had great feedback from our other reviewers, including Corey Hynes, Richard Waymire, Gene Schultz, Marcus Murray, Mark Russinovich, Matt Bishop, Michael Howard, Rob Hensing, Brian Komar, David LeBlanc, Ben Smith, Jon Wall, Chris Wysopal, Kevin McDonnell, Michael Angelo, Byron Hynes, Harlan Carvey, Russ Rogers, James Morris, Robert Shimonski, Kurt Dillard, Rick Kingslan, Phil Cox, and James Edelen.

Last, but certainly not least, we are indebted (forever, in an irreparable sort of way) to our lovely wives Jennifer and Ingrid. Not only did they let us get away with writing the book, but also with traveling around the world talking to people, which both of us enjoy tremendously.

We hope to see you soon at an event near you!

—Jesper and Steve

