Special Ops

If maintaining the security of networked machines running Microsoft Windows is part of your job (but you need a touch of Oracle and UNIX advice, too), take heart. elwing writes "Don't let the cover title and camo look turn you away -- Special Ops is a no-nonsense guide to securing your network from inside attackers. This is one of the first books I've seen which covers this topic in detail. It doesn't skimp on external threats, but the majority of the book deals with host based security." Read on for the rest of elwing's review.

Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle
author	Erik Pace Birkholz, et al.
pages	1040
publisher	Syngress
rating	8 - Worth Reading
reviewer	elwing
ISBN	1931836698
summary	Taking a look at securing your network from the inside.

In order to get the most out of Special Ops, I suggest that you brush up on your system administration skills, particularly Microsoft technologies. The book is aimed primarily at security and systems administrators, but several of the chapters are either aimed specifically at management (Chaps 17 & 18), or could easily be understood by them (chaps 1-3).

The authors write in a conversational, matter-of-fact style, including personal anecdotes and experiences where appropriate. The editors did a great job of "smoothing out" the styles of the different authors to give Special Ops a consistent feel.

One of the best features of Special Ops is the end-of-chapter content. These summaries include a "Security Checklist" which creates a nice list for admins to take into the field, a one-page summary of the chapter, links to relevant web pages, relevant mailing lists, other books to read for more in-depth information, a "Solutions Fast Track," and a FAQ. Some chapters list all of the freeware and commercial tools used/mentioned in that chapter. The Solutions Fast Track is a great section to hand to your slightly more technical manager explaining why you should secure a specific service. These chapter extras make Special Ops a great reference book, even if you never bother to read the rest of it.

Another great feature is the "Notes from the Underground ..." sections scattered throughout the book. All of the authors have worked in security for several years, and they share specific examples of attacks or other interesting tidbits they've seen over the years.

I had trouble giving Special Ops a rating of 9 or 10 for a few reasons. Even though the book is an easy read, it's a lot of information to digest. The subtitle makes it sound as if Microsoft, UNIX, and Oracle would receive equal treatment: not so. While there are 7 chapters on Microsoft specific technologies, UNIX and Oracle rate one chapter each. I would have preferred to see Special Ops split into 2 or 3 books, giving equal attention to all of the technologies.

The authors' bias towards certain commercial tools shows through as well. Granted, the majority of the authors are also Foundstone employees, but they should have given equal treatment to all tools. Explain the strengths and weaknesses of each tool and allow the reader to decide on the "best" tool.

All in all, Special Ops is a great book. It will definitely reside on my reference shelf for years to come.

Table of Contents

1. Assessing Internal Network Security
2. Inventory and Exposure of Corporate Assets
3. Hunting for High Severity Vulnerabilities (HSV)
4. Attacking and Defending Windows XP Professional
5. Attacking and Defending Windows 2000
6. Securing Active Directory
7. Securing Exchange and Outlook Web Access
8. Attacking and Defending DNS
9. Attacking and Defending Microsoft Terminal Services
10. Securing IIS
11. Hacking Custom Web Applications
12. Attacking and Defending Microsoft SQL Server
13. Attacking and Defending Oracle
14. Attacking and Defending Unix
15. Wireless LANs: Discovery and Defense
16. Network Architecture
17. Architecting the Human Factor
18. Creating Effective Corporate Security Policies

---

You can purchase the Special Ops from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Re:Attacking and Defending Microsoft Terminal Serv

[SkArcher]

Nah, it'd be waaay too hard a difficulty curve, and the power ups would always be buggy :P

Defending Windows 2000?

[corebreech]

He means, Uninstalling Windows 2000, doesn't he?

Re:Defending Windows 2000?

[jhigh]

or unplugging. Although I guess behind a nice, stateful iptables firewall it wouldn't be TOO bad.

Re:Defending Windows 2000?

[Niksie3]

I was thinking more allong the lines of a good, old fashioned, brick and concrete wall.

Re:Defending Windows 2000?

[SquadBoy]

Firewalls make for networks with crunchy exteriors and nice soft insides. You need both network and host security.

I Wonder

[SkArcher]

I f I can get my emplotyer to buy this for me?

It is certainly the kind of problem I often end up facing at work, far too many people know just enough to majorly fuck things up nowadays.

Personally, I would prefer not to have to use M$ware at all, but all too often legacy systems in the workplace are a lock in, so I expect to see things like this continue to be published and be popular for a good while.

Re:I Wonder

[ketamine-bp]

If I were you, I would have bought this book with my own money if the book review is reliable.

On the other side, this book would mean quite a number of poor sysadmins facing attacks described in the book by fellow ex-employees of their company.

Re:I Wonder

[ch-chuck]

Just create a text file called "Important Microsoft Security Update", put instructions in it to buy you the book, then copy it to \\bossspc\c$\windows\desktop

Re:I Wonder

[Captain Large Face]

In case it's password-protected, the password is "12345".

Re:I Wonder

[operagost]

What a coincidence! That's the combination on my luggage!

Re:I Wonder

[WickerChap]

not intending to troll, but "windows" is the install directory for windows 3.1, win 9x and WinME. None have admin shares (c$, d$, admin$ etc).

try

\\bosspc\admin$\profiles\boss\desktop or \\bosspc\shared-c-drive-for-whole-company-to-brows e-with-no-file-permissions\windows\desktop

Re:I Wonder

[rutledjw]

Here's one way to do it. Start watching the traffic coming in on internal web servers. We've discovered a little part-time hacking on our internal network.

While doing some application debugging, we found we were getting probed. The guy then tried a number of expoits, IIS mostly, but also a couple looking for an insecure J2EE server. It appears to be a script kiddie except that he did figure out we were running Apache (IHS, actually, but there's little difference) and J2EE and did some more probes based on that.

The other issue is that this person would plug a computer into a different physical port in our network from the usual and wouldn't stay long. He knew he could be tracked. A little spooky, he MAY have been a script kiddie or this may have been HIS script.

Either way, we brought it to info-sec and they promptly blew it off. I'd call that kind of thing a "job-terminating, cop-calling activity" but was alone in that. Whatever.

Point is, watch your HTTP logs for wierd stuff. You may be suprised and may be able to use that to get some support for buying the book. Plus, it's kinda fun to know what's going on ouyt there! ;)

Re:I Wonder

[marshac]

I just put in for it... Is there really a reason why your employer WOULDN'T pay for it? Seriously, any semi-competent manager would know that $47 (Amazon.com) is much cheaper than even an hour of downtime due to security concerns. If this could even possibly save you one single hour in the future, then it has already paid for itself.

Well, of course

[Faust7]

While there are 7 chapters on Microsoft specific technologies, UNIX and Oracle rate one chapter each.

Well, this is a security guide, isn't it? :)

I've read it and found it to be grossly simplified

[beee]

I'd rate it somewhere around 6 or 7 out of 10, certainly no where near 9. My major complaints are similar to those of the author of the article:

- Gives no mention of its focus on Microsoft OS's, but it concentrates on them nearly entirely.
- Simple, simple, simple. If you know your basics, most of this book is redundant and a review. There's a lengthy discussion on how a traceroute works. That's a little too simple for my tastes.
- Though not required, the author seems excessively biased towards Microsoft OS's. He even goes so far to suggest (in mild language) that it's easier to track invaders using Microsoft products than using freely available tools. C'mon, I think we all know the pile of open source tools available for these applications outnumber and outwork anything out of Redmond.

It's something I think newbie MS admins should read, but it doesn't hold much new content for anyone who's been admining for a year+.

Re:I've read it and found it to be grossly simplif

[ketamine-bp]

Your major complaints about this book is true, yet, one point, however, is quite arguable to me, that is the microsoft point.

Microsoft products (i.e. windows 95/98/NT/2k/2k3) does have its place (and a large market share...) on corporate markets (on clients), therefore it should be considered as a large portion of corporate administration. I spend most of my time administrating windows even though i'm a linux admin. (Well, the good debian box does not require much administration, honestly.)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:crazy

[Q Who]

Competant admins simply do not get hacked.

Compentant admins have systems that are harder to hack - a distinction that is important to make.

Competent admins know to spell.

Cheers. :)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:crazy

[jhigh]

Competant admins simply do not get hacked.

This is a ridiculous statement to say the least, and an obvious sign of ignorance. If all you're doing is patching servers and paying attention to vulnerability reports, then you wouldn't even know if you DID get hacked. Real security requires a layered approach, one of those layers being intrusion detection. This alone can be a full-time job. It is this simplistic-style thinking that continues to make the Internet such a dangerous place, and contributes to my inability to get any significant amount of funding for security-related projects. If all I have to do is patch servers and watch vuln reports, then why should I spend money on a firewall, IDS, training, a security policy, etc, etc, etc. I could write an entire book just on why that statement was dumb...but this post will have to suffice.

Your name is wrong

[georgeha]

You probably became a LOTR fanboy after seeing the movie, so it's understandable. I've been reading, and rereading JRR for the last 20+ years, and you're wrong about Boromir being the son of Faramir.

See, Boromir and Faramir are both brothers, their father is Arathorn.

Re:Your name is wrong

[Artemis P. Fonswick]

I've been reading, and rereading JRR for the last 20+ years

As a punishment? ..or are you a masochist? ;)

And I think their father is Denethor, not Arathorn...but I've only seen the movie as well.

Re:Your name is wrong

[Doom Ihl' Varia]

It is also important to point out that Boromir's father is NOT the king of Gondor. He is merely the steward put in place while they await the return of the true king. Thus the title of the third book and movie, Return Of The King.

Re:Your name is wrong

[jonadab]

Denithore. Their father is Denithore. Arathorn is Strider's dad.

Re:crazy

[towaz]

try reading the book.

It explains common mistakes of an Admin and the best baseline configuration (gold standard) for all the operating systems.

You don't learn this stuff from you mcse training material or a lot of other certs.

"hackers. Script kiddies have an easy enough time of it as it is."

I agree.. but how do you implement against something that you have never heard of before.

.

Re:crazy

[dki]

Any admin who isn't completely shirking his duties has exactly no use for this book. Who, then, will find it valuable? That's right: hackers. Script kiddies have an easy enough time of it as it is. The computer book industry needs to take some responsibility and stop publishing this sort of hacker how-to.

I strongly disagree with this sentiment. Some of the most knowledgable security gurus I know are "hackers" who started by administering systems. And many administrators I know can apply patches with the best of 'em, but are unable to recognize potential attack signatures in their logs. Simply knowing how to apply a patch does not give one the insight required to recognize attacks that aren't widely publicized. Do you want an admin who only knows he/she is being attacked because Microsoft says so? Or would you rather have one who knows what to look for because he/she has studied hacking techniques and has ethically hacked, and therefore can cut off suspicious behavior before a patch is even issued? I know which one I'd pick.

Re:crazy

[UnknowingFool]

You keep your system up-to-date and pay attention to the latest exploit warnings, and you will be fine 99.9% of the time.

That's not always true. Sometimes patches are the problem [pcworld.com].

Almost without fail, hacking incidents at major companies are found to be due to security holes that have been known about and fixed for months, if not years.

Tell that to the victims of the latest BugBear worm [msnbc.com]. Admins who patched for the first worm were not protected against the latest variant.

Re:crazy

[Jussi K. Kojootti]

Any admin who isn't completely shirking his duties has exactly no use for this book. Who, then, will find it valuable? That's right: hackers. Script kiddies have an easy enough time of it as it is. The computer book industry needs to take some responsibility and stop publishing this sort of hacker how-to.

So you prefer security through obscurity... That's one way to do it, I guess.
I believe that

A truly secure system must be able to withstand open review at all levels (e.g. protocol, source code, etc)

Re:crazy

[jonadab]

All levels?

Sure, protocols, ports, source code, passwords, ...

Oh, wait...

Obscurity is a fine contribution to security, provided you have
something more to go with it. It just can't stand alone.

I see Windows as a challenge...

[Ghengis]

As soon as I read that there are 7 chapters on M$, I knew the M$ flames would be abundant in this thread of comments. I'd like to take a different approach to this; rather than adamently bash microsoft, I'll be more subtle about it. I see securing MS products as a challenge. Yes, they're buggy (release early / often,) and I love my Unixees more, but this could be a fun game. Anyone can RTFM and secure *nix boxen, but someone who can make a windows box truely secure... now they've done something!!

Re:I see Windows as a challenge...

[UnknowingFool]

You have a point. It is more of a challenge to secure Windows, but at the same time, it is more of an accomplishment to crack a *nix box.

Re:I see Windows as a challenge...

[phorm]

Making windows more secure? Part of it starts out like this...

Build a 'nix firewall...
Put the windows machine behind the 'nix firewall...
Adjust iptables rules accordingly...

Re:I see Windows as a challenge...

[Eravau]

Except that, as stated in the summary paragraph at the top, this is mostly focused on security inside your netowrk. Unless you have enough budget to buy a u*nix box to place in front of every Windows box on your network, this won't go very far. But who doesn't want to spend twice as much money for hardware?

Re:I see Windows as a challenge...

[Jester99]

...but someone who can make a windows box truely secure... now they've done something!!

Unplugged the machine? :)

1) Put computer in room

[burgburgburg]

2) Put cinderblocks around room
3) Put bricks around cinderblocks

Congratulations. Your Windows installation is now secure.

Re:1) Put computer in room

[stefanlasiewski]

4) Unplug computer
5) Smash, Smash, Smash computer with sledgehammer
6) Set computer on fire
7) Destroy remains with industrial strength acid: pH 2.0 or better.

Re:1) Put computer in room

[_ph1ux_]

8) ??????
9) Profit!

Re:1) Put computer in room

[Cybrr]

All you profit belong to Natalie Portman's Beowulf cluster of hot grits that obey the laws of physics in Soviet Russia!

Re:1) Put computer in room

[Piquan]

Y'know, we haven't heard from our MCSE since he started on this. But at least that banging noise from the NT server room died down after a few days.

Re:1) Put computer in room

[calethix]

" 2) Put cinderblocks around room
3) Put bricks around cinderblocks"

ok, thanks for the lesson on security... I think I have that covered now but I forgot to make a door so how do I get out?

Re:1) Put computer in room

[srsabu]

You forgot the lead lining between the cinderblocks and bricks.

Securing web servers, and web applications

[Anonymous Coward]

http://www.cgisecurity.com/lib/ [cgisecurity.com]

deja vu

[BrianUofR]

...If maintaining the security of networked machines running Microsoft Windows is part of your job...

I had a nightmare about that last week. wierd.

Re:deja vu

[metlin]

Its weird. :-)

In Re(sponse):

[Jonsey]

In response to the large numbers of complaints that the book focuses too narrowly on Micro$oft Products, I propose the following changes to make it more universal.

Please remove pages 1 - 1040 and replace with the following sheet of paper:
- - - - - - - -
1.) Educate your users.

Failing that:

2.) Execute your users.

Hole In The Bucket

[jabbadabbadoo]

I was a win admin once. Seriously, it reminded me of a traditional song called "There's a Hole In the Bucket." For your convenience, her are the lyrics (note that Henry corresponds to the win admin wannabe, Liza the security "expert"):

I urge your to read the hole thing, one verse pr. line.

There's a hole in the bucket, dear Liza, dear Liza, There's a hole in the bucket, dear Liza, a hole.
So fix it dear Henry, dear Henry, dear Henry, So fix it dear Henry, dear Henry, fix it.
With what should I fix it, dear Liza, dear Liza, With what should I fix it, dear Liza, with what?
With straw, dear Henry, dear Henry, dear Henry, With straw, dear Henry, dear Henry, with straw.
But the straw is too long, dear Liza, dear Liza, The straw is too long, dear Liza, too long.
So cut it dear Henry, dear Henry, dear Henry, So cut it dear Henry, dear Henry, cut it!
With what should I cut it, dear Liza, dear Liza, With what should I cut it, dear Liza, with what?
Use the hatchet, dear Henry, dear Henry, dear Henry, Use the hatchet, dear Henry, the hatchet.
But the hatchet's too dull, dear Liza, dear Liza, The hatchet's too dull, dear Liza, too dull.
So, sharpen it, dear Henry, dear Henry, dear Henry, So sharpen it dear Henry, dear Henry, sharpen it!
With what should I sharpen it, dear Liza, dear Liza, With what should I sharpen, dear Liza, with what?
Use the stone, dear Henry, dear Henry, dear Henry, Use the stone, dear Henry, dear Henry, the stone.
But the stone is too dry, dear Liza, dear Liza, The stone is too dry, dear Liza, too dry.
So wet it, dear Henry, dear Henry, dear Henry, So wet it dear Henry, dear Henry, wet it.
With what should I wet it, dear Liza, dear Liza, With what should I wet it, dear Liza, with what?
With water, dear Henry, dear Henry, dear Henry, With water, dear Henry, dear Henry, water.
With what should I carry it, dear Liza, dear Liza, With what should I carry it dear Liza, with what?
Use the bucket dear Henry, dear Henry, dear Henry, Use the bucket, dear Henry, dear Henry, the bucket!
There's a hole in the bucket, dear Liza, dear Liza, There's a hole in the bucket, dear Liza, a hole.

4 steps to a Secure Windows boxen

[CoyoteGuy]

Step 1: Place Windows system in a lead safe
Step 2: Take wire cutters and cut ethernet cable to said computer
Step 3: Close door
Step 4: Dump the safe into closest body of water

Now you have a windows system no one can touch.

Not a chance

[sharkey]

Don't let the cover title and camo look turn you away

It won't get a chance to turn me away. One glance at the website, and I was hammering the Back button.

Re:Not a chance

[itwerx]

Same here. Definitely targeted at the Admin newbie...

General topic on Microsoft

[stikk]

Although I admit I'm partial to the book, it should be noted that the DNS chapter is unbiased; covering the dns infrastructure, BIND, DJBDNS, and MSDNS.

Re:General topic on Microsoft

[autechre]

That's very impressive. Most *nix books address the topic as if DNS == BIND. Personally, I prefer DJBDNS not only because it's more secure, but also because of the way it is configured (small, modular, partitioned) and, er, the way it is configured (configuration files). I also use daemontools to run liveice (when the program first came out, it refused to go into the background and would not stay up for more than several hours at a time).