BKPWNTSG.RVW 980514

"PCWeek Microsoft Windows NT Security", Nevin Lambert/Manish Patel, 1997, 1-56276-457-8, U$39.99/C$56.95/UK#36.99
%A Nevin Lambert nevinl@primenet.com
%A Manish Patel manishp@primenet.com
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 1997
%G 1-56276-457-8
%I Macmillan Computer Publishing (MCP)
%O U$39.99/C$56.95/UK#36.99 800-858-7674 http://www.mcp.com
%P 388 p.
%T "PCWeek Microsoft Windows NT Security: Security Administrator's Guide"

I always get a bit worried at a book written by two cofounders of a consulting startup related to the topic of the book. My alarm level rises when the sarcasm starts right away in the acknowledgements. I am not comforted by the fact that the authors are enthralled by the glories of Microsoft.

Chapter one, however, is a very reasonable look at the different levels of security that a situation may demand. Physical security, warnings, accounts, and backups are part of the picture that is presented. Some of the advice is questionable (the use of NTFS sometimes involves a tradeoff between access control and recovery) but the overall scenario has good range and scope. The system history given in chapter two is rather biased in favour of Microsoft and its products, but the system overview is useful background. Account and group concepts and maintenance are covered well in chapter three. The discussion of filesystems in chapter four still hews closely to the Microsoft party line, but it does provide information that can be very helpful for decisions regarding reliability.

In the Trusted Computer System Evaluation Criteria (Orange Book) the term "Trusted Path" refers to at least B2 level systems, which NT cannot approach. However, in the review of the NT security subsystem in chapter five, the authors do a credible job of justifying the use of the phrase through the level of detail they provide of the logon process, as well as other operations.
Chapter six looks at access to local resources and gives significant detail and information in such areas as well-known SIDs (Security IDs). However, as is too often the case, the book fails to furnish a clear explanation of assessment of effective rights to an object. The review of basic networking concepts takes up about half of chapter seven, with the remainder looking at shares and network security provisions. RAS (Remote Access Service) and the related encryption schemes are discussed in chapter eight, but the lack of details of the encryption process makes it difficult to assess levels of security and operational needs. Coverage of printer management in chapter nine is good, but the implications of options such as spooling and redirection are not completely addressed.

Chapter ten deals with a number of Registry related topics, including editing, Registry tools, backup, and security related keys. Chapter eleven provides a thorough and helpful explanation of profiles, although, again, extra material on the security implications of specific choices could be more helpful. The ramifications of auditing could be discussed forever, of course, but I would have to say that chapter twelve's coverage is quite appropriate for the target audience level of the book.

Internet security could (and does) fill other books, so it is acceptable that only concepts and warnings are raised in chapter thirteen. Chapter fourteen reviews security aspects of BackOffice but only in a brief and limited manner. Chapter fifteen provides information on NT's use of cryptography, but this data is not very helpful since it is not backed up with conceptual material on cryptographic strengths and key management. Enterprise policies are reviewed quickly in chapter sixteen. Chapter seventeen looks to the future delivery of Distributed Security Services (DSS). The security references and resources listed in the appendices are not extensive, but they are of reasonably good quality.

The book has both a readable style and useful information. The lack of formal security concepts means that there are gaps in coverage, but overall this work can provide both new users and non-specialist administrators with a measure of protection that would reduce vulnerability considerably. Security specialists who are not familiar with Windows NT would likely find the most benefit from using the text as a tutorial, since they would be able to fill in the blanks from their own conceptual background.

copyright Robert M. Slade, 1998 BKPWNTSG.RVW 980514