Windows Security Pointers and Resources
Anti-Virus Tools
- Message Labs - offers a 100% virus free e-mail service.
- Computer
Associates offers its eTrust anti-virus family of programs,
which check e-mail attachments, .ZIP archives, incoming FTP and HTTP
downloads, and other, more conventional potential sources of
virus infection.
- Even though McAfee is
now part of Computer Associates, the company still offers a site
that includes information and updates for its VirusScan
product.
- Symantec Corporation
offers the Norton Anti-Virus software, available for Windows
platforms, with centralized management and control. Click "Products
and Services" for more anti-virus product info.
- Dr. Solomon (and yes,
it's the name of a real person), is now a part of the Network
Associates family (like McAfee), and it offers an Anti-Virus
tool and a product called Virex, which include a variety of
networked installation, configuration, and management
facilities.
- The Computer Emergency
Response Team (CERT) is an organization that acts as a
clearinghouse for information about viruses, and related fixes
and workarounds. A great source for late-breaking virus news, and
related fixes.
- F-PROT
is now part of Frisk Software International's anti-virus environment.
Plenty of sources for the shareware version linger elsewhere on
the Web, as a quick visit to any search engine using the string
"F-PROT" will affirm. F-PROT remains the best tool for curing
boot sector viruses that we know of.
- Aladdin Knowledge Systems
offers the eSafe anti-virus package as one of its several
security-related software packages.
- Command Software Systems,
Inc. offers its Command AntiVirus package, a proactive,
enterprise-wide antivirus toolset, to combat viruses at all
potential points of entry.
- F-Secure is Data
Fellows' comprehensive antivirus software package.
- Finjan Software, Ltd
provides products that represent a new way to combat Trojan
horses, worms, malicious Java, ActiveX and Script programs from
infecting user systems. Not exactly anti-virus, but close enough
to fit into this general category.
- Proland Software offers its Protector Plus antivirus
package as a real-time virus detection and removal product.
- Sophos offers its Sophos Anti-Virus product
for a broad range of platforms, for enterprise-wide antivirus
coverage.
- Trend Micro offers a
broad range of anti-virus products for internet gateways, e-mail,
Web servers, and desktop users.
- Moosoft’s The
Cleaner is a special-purpose trojan scanner designed to
detect, repair, and eliminate trojan horse programs from your
systems and networks.
- Locations to report virus infections: Federal Computer Incident Response
Capability; NASA Incident
Response Center; Computer
Incident Advisory Capability (CIAC); National Infrastructure Protection Center
(NIPC); and European
CERTs.
- The WildList Organization
International tracks and documents incidents of virus
encounters in the wild.
General Security Resources
- NSA's Security Recommendation Guides - a collection of security guides from the NSA.
- Computer Security
Institute trains security professionals, holds conferences,
etc. Look for their "Firewall Product Matrix" for a good
comparison of firewall products.
- The Feds maintain an excellent list of Security
Groups and Organizations at the Center for Information
Technology at NIH.
- The International Computer
Security Association (ICSA) (also known as TruSecure Corporation, formerly
known as the NCSA, or National Computer Security Association), offers all
kinds of information and certification services for hardware, security
technology, and all kinds of computer security-related information. They also
publish a magazine, called
Information Security which is worth checking out.
- The Department of Commerce makes its Commercial
Encryption Export Controls Regulations available to the
public.
- Information about Denial of Service Attacks: CERT Web
site; Denial of Service
Attack Resources documents known DoS attack strategies and
tools, along with related repairs and workarounds; and NetWare
Connections: April 2000: Cyber Crime. See also About.com's
Denial-of-Service resources.
- SecurityFocus.com
is a premier resource for security news and information
online.
- Attrition.org is a
computer security Web site dedicated to the collection,
dissemination and distribution of information about the industry
for anyone interested in the subject. They maintain one of the
largest catalogs of security advisories, cryptography, text
files, and denial of service attack information. They are also
known for the largest mirror of Web site defacements and their
crusade to expose industry frauds and inform the public about
incorrect information in computer security articles.
- CAUCE, The Coalition Against
Unsolicited Commercial Email handles all kinds of e-mail and
SPAM-related matters, including the occasional security
item.
- Peter Gutmann, a member of the Computer Science faculty at
the University of Auckland, maintains a giant compendium of
security pointers on his home page. A good place to start any
serious security sortie.
- The penetration expert known as RainForest Puppy published
one of the best explanations of the heavily-reported
"Netscape engineers are
weenies!" exploit against Microsoft FrontPage extensions. If
you use FP extensions, be sure to check this out.
- The National Infrastructure Protection Center (NIPC) issued
an advisory on a Web trojan that performs site and server
reconnaissance, named RingZero,
in October, 1999.
- Burning a better
backup Web Informant #219, 12 October 2000
Firewalls, Proxy Servers, Screening Routers, and More...
- Most of the major router vendors, including Cisco Systems, 3Com Corporation, and Nortel Networks
offer products that can help screen and filter Internet traffic,
both inbound and outbound.
- BorderWare is both
the name of the company, and the related firewall product, spun
out of Secure Computing in 1998, and back on its own today.
- CheckPoint offers a
Windows-based firewall called Firewall-1.
- WinGate is a proxy server
that's received rave reviews from users and the trade press.
- Microsoft's Internet
Security and Acceleration Server (ISA) is a Windows 2000-based
firewall and caching server, with additional VPN and security features. You can
download an evaluation copy of the software from this page.
- Netscape
also offers a Windows-based proxy server called Netscape Proxy Server.
- Network Security
Solutions, Inc. offers a family of CyberWallPLUS products, that
provide both internal and external data and access safeguards.
- Ositis Software offers a simple,
no-frills Windows-based proxy server that is also relatively inexpensive.
- Symantec acquired Axent
Technologies, Inc. and now makes a good IP Firewall/Proxy Server;
its Web site contains lots of white papers and other materials on
Internet Security. The company also offers a number of other
tools, including an enterprise security manager, plus several
flavors of intrusion detection software.
- Ineo, Inc. offers an
enterprise security manager that
supports single log-on to multiple types of systems called
Passwerks.
- Network Associates'
security related products are many and varied, including the
Gauntlet Firewall (available in Unix and Windows flavors), plus
intrusion detection, VPN, and encryption stuff.
- NetSys operates an excellent firewall mailing
list.
- The Home PC Firewall Guide
is one of the best resources on low-end home and SOHO firewalls we know of
anywhere, with comparative reviews, ratings, rankings, and more.
- On April 3, 2000, Network Computing published a Mike Fratto
article entitled "Multisite Firewall
Management: Not Enterprise-Ready" that's worth a look-see.
They also published a firewall report
card a bit earlier, that's also worth a look. Search the Network
Computing web site for "firewall" or "firewall management" for newer
articles, but you'll find no newer survey/overview piece than this one!
- Sygate Technologies offers a variety of security-related products
including enterprise, SOHO, and personal security monitoring,
Internet access sharing, and management tools.
- CyberGuard’s LX, FS, KS, and SL products are
highly-regarded "firewall appliances" that come as close to plug-and-play
network security as any products we've seen.
- GFi’s LANguard
is an outstanding Internet access control and intrusion detection
software package.
- On January 24, 2000, Mike Fratto's story, Hammering out
a secure framework, appeared in Network Computing. It's a
great place to start the arduous task of doing the same thing for
your systems and networks.
- Internet Security Systems’s Black Ice is a terrific security tool
for PC Protection (a server version is also available).
- Moonlight Software’s
NetWatcher 2000 is another great personal
security tool; not designed for large-scale network use, but
great for users who dial into the Internet, or connect via DSL or
Cable Modem.
Security Policies
- SANS
offers online security class materials that include sample
security policies, Word template files, case studies, and
more.
- Carnegie-Mellon's
Software Engineering Institute offers a risk and threat
assessment and management study that includes a thorough overview
of the items and issues that should be addressed in any security
policy, covered in the Octave document in the section entitled "2
Phase 1: Build Enterprise-Wide Security Requirements."
- Murdoch University's Office of Information Technology
Services has put together a report entitled "INFORMATION
TECHNOLOGY SECURITY POLICY" that describes security policies
in great detail, from a general overview of security concepts
and domains, to coverage of the types of documentation that
well-implemented security policies encompass.
- When the Hacker Is on the Inside, an article on Business Week
online.
- For the "Security Policy" section at SearchSecurity.com, Ed Tittel
wrote two tips entitled "Security policy by example" and "More security
policy by example." Search on those titles at
SearchSecurity for pointers
to numerous books that include detailed security policy templates and
examples.
Security Devices
- Think Geeks:
Key Katcher - Captures 65,000 keystrokes, no software required, completely
undetectable by the OS, installs in seconds, works with ANY system with a PS/2 keyboard.
- ActiveCard's token
devices for computers and communications
- PassGo's
Defender is a well-known dialback system that adds extra
security for remote access services of all kinds.
- Cardshow is a
tradeshow with a substantial Web presence that specializes in
Smart Card technologies.
- Fortezza devices provide some
of the highest-level security that external cards can deliver. This Web page
points to the PC Card Support Group, an industry association that works with
the Feds to provide secure PC Card hardware for their uses, including Fortezza
cards.
- Trintech offers a broad range of
parts, products, and services for companies and organizations who wish to use
Smart Cards to enhance authentication and identification of users.
- The Java-based i-button
is being used for a variety of security based hardware
applications.
- Secure Computing's SafeWord provides advanced,
software-based authentication services suitable for Web and other
Internet use.
- Security Dynamics, Inc., is now part of RSA Security. Their
SecurID
Cards are just one of this growing company's many security
enhancement tools, products, and technologies.
- Vasco's DigiPass products
use Smart Card technology to support secure user login and
authentication.
Security Organizations, Conferences, and Certifications
- The National Security
Institute: a plethora of TCP/IP-related security issues and
references to other sites.
- Computer Emergency Response
Team (CERT) provides advisories, security tips, intrusion
countermeasures, and more.
- TruSecure is now the sponsor of the ICSA certification.
- The SANS Institute offers
all kinds of security and best-practices information to the
public, including a series of shows and seminars devoted to
Windows Security matters. They also offer the Global Information
Assurance Certification (GIAC) program, a highly-regarded security
certification.
- Ed updates two Technical Tips for SearchSecurity.com entitled
"The Vendor-neutral Security Certification Landscape" and "The
Vendor-specific Security Certification Landscape" that document
all the security certification programs he can identify. The easiest
way to find them is to search at
SearchSecurity for "Tittel security certification landscape".
Use the most current version of these two tips (May, 2003 as of this
update) for pointers to the vast majority of well-known security
certs, including CISSP, SSCP, ICSA, CCP, SANS-GIAC, and more.
- Information Systems
Security Association: an international organization that delivers
educational information, materials, and publications related to
computer security.
- The Internet Security Conference, or TISC, is a yearly security
conference that covers all kinds of interesting topics, and
usually has great speakers like Stephen Kent, Marcus Ranum, Phil
Cox, and others (heck, we teach for them too). They also publish
lots of great articles and white papers throughout the year.
Information about all of this appears on their Web site. TISC is
sponsored by Core Competence.
- The International Information
Systems Security Certification Consortium (aka "ISC-squared")
offers one of the best-known security certifications, the Certified
Information Systems Security Professional (CISSP) credential, to
a global audience.
- ProSoftTraining’s Certified Internet WebMaster (CIW)
program includes the 1D0-470 Security
Professional exam as part of its Master CIW Administrator
track.
Security Tools
- MBSA - Microsoft Baseline Security Analyzer.
- Shavlik Technologies' EnterpriseInspector - commercial version of MBSA.
- Fport - port mapper maps open ports to services/applications from Foundstone. Foundstone's Free Tools - a collection of other useful tools (intrusion detection, forensics, scanning, testing, etc).
- ntsecurity.nu's Security Toolbox - a collection of tools for performing a wide range of administrative and investigative functions.
- WinZapper is a
hacking tool that permits records to be deleted from the Event
Manager's security log. A hacking tool you should investigate
(and look for, if you scan systems).
- The Security/Analyst
from Intrusion.com scans many aspects of a network's security
apparatus, and assesses vulnerabilities.
- Aelita Software offers a
number of interesting products, including the Domain
Migration Wizard (this tool also handles migrating
information from one Windows NT domain to another, and promises
to help when moving data from Windows NT 4.0 domains to Win2K
domains). Plus, check out their ERDisk product that offers
networked creation and access to ERDs for any and all NT systems
on that network.
- En Garde Systems
T-Sight is a manual intrusion detection system, while IP-Watcher
is an "active sniffer," that can not only observe network
traffic, but hijack ongoing IP-based sessions.
- The infamous Security Administrator Tool for Analyzing
Networks SATAN
only runs on UNIX, but is an excellent public domain scanning and
analysis tool.
- Blue Lance builds an
audit and security product called LT Auditor+ that handles and
analyses Windows NT and 2000 Audit data to issue alerts and take
protective actions.
- Internet Security Systems'
RealSecure includes a real-time attack recognition and
response capability, along with more conventional security
monitoring and auditing facilities.
- Frank Ramos runs an operation called Somarsoft that offers a number of
tools, the most useful of which is called DumpACL: as its name
suggests, it dumps a comprehensive listing of all file and folder
ACLs on a per-volume basis. Be sure to check out his DumpEvt
(Event Log Report) and DumpReg (Registry contents report)
utilities as well. Now available at no charge (used to be
shareware). Also includes pointers to lots of other good security
and Windows NT resources. Now a part of www.systemtools.com.
- Foundstone offers a good port scanner called Super Scan that does the
job quite nicely. Be sure to check out their other tools as well.
- Visit NetSecurity.about.com's Internet/Network Security page for all kinds
of useful references, including pointers to their most popular recent security
coverage. Use their search engine for all kinds of great pointers and references.
- To view his collection of useful security related tools,
search on "security tools" from the home page at Security Administrator, Mark
Edwards' outstanding resource center for Windows Security news,
tools, and updates. He's also got good advice to dispense
about working with Service Packs, Hotfixes, and so forth.
- Marcus Ranum is one of the reigning gurus in the areas of
network and Internet security. Check out his famous Network Flight Recorder, and related
tools (Network IDS and Host IDS), to see what this guy can do!
- St. Bernard Software makes a package called UpdateExpert that can report on and
manage Service Packs and Hotfixes on a Windows NT or 2000
machine.
- Abbott Systems makes a cross-platform product called CanOpener that can read
or extract data from infected files without launching or
activating an attached or embedded virus. Be sure to check the
site for their Macintosh version, if it's
of interest to you.
- Use OfficeRecovery.com to
recover data from damaged MS Office documents.
- nmap is a Perl library.
Thus, you should be able to download and compile this tool to run on a
Windows NT or 2000 box, but as the first Web page indicates, nobody has
bothered to do this yet. Unless you're the pioneering type, stick to one of
the other native Windows tools for the job.
- The Legion
scanner is a native Win32 tool, so it shares none of the portability problems
associated with nmap and nlog. Use the search tool to find Legion, or scroll
down until you get to the "L"s on the packetstorm page. Grab version 2.11.
- Search for unapproved software and games with Apreo's AntiGame Plus.
- DeviceLock allows
network administrators to specify which users can access which
devices (ports, floppies, MOs, and so on) on the local computer.
Once DeviceLock is installed, administrators can assign
permissions to LPT ports, CD-ROMs, COM Ports, or any other
device, just as they would to any share on the hard disk.
- Zone Labs Zone Alarm
is a network security software package aimed at users or networks
who use always-on technologies like DSL or Cable Modem, and comes
in several flavors designed for single machines, small, or
medium- to large-sized networks.
- Nessus is a powerful,
free security scanner that's worth downloading and trying out on
your systems.
- eEye’s nmapNT,
Retina, Iris, and Blink
- end-user password management tools, such as Gator and Microsoft
Passport
- PC Guardian's Encryption
Plus for Hard Disks (EPHD)
- IP
Security in Windows 2000: Step-by-Step by Timothy J.
Rogers
- Vulnerability
Scanners: Detection Results
Hacking Tools
- AntiOnline is a good
source of hacking news, code, and information.
- Cerberus internet
scanner (CIS) is a general-purpose security scanner that
covers 300 separate scanning tasks, can run in a background batch
file, and creates easy-to-read HTML-based reports.
- Digicrime.com
advertises itself as "... the industry leader in the digital
underworld." Makes us curious about what they're up to. You
should be curious, too!
- eLiTeWrap is a tool
that is designed to create customized trojan horse programs. Need
we say more?
- Epdump
is a Windows-based port scanner that maps services to ports.
- Grinder
is an IP address range scanner and a Web server profiling
tool. Be sure to check out the plethora of other tools available
at this self-professed "Definitive Listing of Hacking Resources and Information
Resources."
- The Security News
Network is where you can keep up with current exploits,
break-ins, vulnerabilities, and more.
- Hammer of God - a collection of various hacker tools
- Invisible
KeyLogger Stealth is a keystroke recorder that can even
capture the so-called Secure Attention Sequence (CTRL-ALT-DEL);
also includes instructions to "...provide the maximum
stealth."
- Legion
is an infamous file share scanner and password cracking
tool.
- Netbus Pro was an infamous remote administration and monitoring
tool that included file management, registry management, and application redirect
capabilities. Now, a commercial version named
Spector Pro is available, but has been "safed up" to remove illicit
capabilities. You can still find versions of Netbus Pro by searching through
Google, however.
- Netcat is a
popular, all-purpose port and service scanning tool that's great
for "footprinting" a Windows system.
- Netviewx
is a handy tool that lists servers in a domain or a
workgroup.
- Nmap is the
premier network port and service scanning tool, but it runs on
Linux/UNIX systems only.
- Access Data offers a powerful password recovery tool that can
recover passwords from PKZip, WinZip, Word, Excel, WordPerfect,
Lotus1-2-3, Paradox, Q&A, Quattro-Pro, Ami Pro, Approach,
QuickBooks, Act!, Access, Word Pro, dBase, Symphony, Outlook,
Express, MSMoney, Quicken, Scheduler+, Ascend, Netware, and
Windows NT server/workstation. No ability to crack Windows 2000
passwords yet!
- Pinger is a
fast-scanning IP address range inspection tool.
- Pippa
provides a mechanism to redirect data to different, non-standard
TCP or UDP port numbers. This is a common technique used to
penetrate firewalls once internal systems have been
compromised.
- Revelation can very
often exchange the asterisks that show up for cached or saved
passwords with their clear-text equivalents, when run on a
Windows machine.
- Sam Spade is a
general-purpose freeware Internet scanning and monitoring tool
that includes all kinds of IP functionality, plus e-mail and other
high-level scanning and analysis capabilities.
- SolarWinds 2000 is a
mid-priced ($125 to $595, plus yearly maintenance),
general-purpose network monitoring and management tool. A nice
all-in-one package, at an attractive price.
- Simovits Consulting maintains a comprehensive list of ports used by
trojans, which is worth consulting when scanning your own
network, and strange or unexpected port usage patterns
emerge.
- VisualRoute is a
handy, cheap ($37.50 for a single-user license), shareware
utility that combines the functionality of ping, whois, and
traceroute, and performs connectivity analyses for automatic
graphic display.
TCP/IP Stuff
- "Security Problems with TCP/IP Protocol Suite" Steven M. Bellovin (request by
e-mail)
- "Simple Active Attack Against TCP" Laurent Joncheray (request by
e-mail)
- Visit NEC's SOCKS
Overview for an outstanding explanation of SOCKS, a proxy
protocol for client/server environments. SOCKS includes two
primary components, the SOCKS server and the SOCKS client
library. The SOCKS server implementation is at the application
layer and the SOCKS client library is between the client's
application and transport layers; in short, it's one technology
that helps make many applications ready for Proxy services.
Windows NT and Windows 2000 Specific Resources and
More...
Microsoft Stuff
- Microsoft
operates a Web site called "The Microsoft Security Advisor" that
is a good source of information on NT and 2000 Security news and
developments.
- KBAlertz - Free Email
Alerts every time Microsoft Publishes NEW Support or Knowledge Base
Articles by product or technology.
- Microsoft's Download Center is the
company's primary repository for Service Packs, HotFixes, and
other important security and software updates. For Windows 2000,
you access this area automatically when you invoke the Windows
Update utility from the Start Menu.
- Access TechNet
subscription information online to obtain one of the premier
sources of Windows NT information of all kinds. You can also find
lots of good security-related manual chapters, white papers, tech
notes, and training materials on the TechNet CDs.
- Search the Microsoft Knowledge Base
(KB) for all kinds of security-related Windows NT and 2000
information online.
- Microsoft's News Server operates at msnews.microsoft.com and includes
a number of security-related newsgroups, including:
microsoft.public.iis-4.beta.security,
Microsoft.public.inetexplorer.ie4.security,
microsoft.public.java.security, and a whole collection of
newsgroups under the microsoft.public.windowsnt.* umbrella. They
also operate a security mailing list at secure@microsoft.com.
- Step-by-Step Guide to Configuring Enterprise Security
Policies for Windows 2000.
- The current list of
Microsoft Security tools, including checklists, security
tools, and security updates. Bookmark this one!
Third-party (non-MS) Stuff
- The Windows 2000 Magazine article
Dangerous Services does a nice job of documenting questionable MS services.
- Russ Cooper's NT
Bugtraq is widely regarded as one of the best sources for
information about NT bugs and security holes available online
today.
- Windows NT and Windows 2000
News is another NT-focused trade magazine that covers most
security news and information.
- Pedestal
Software offers some of the most useful command-line file and
directory manipulation tools we've ever seen for managing ACLs
and shares, and manipulating the Registry. If you're into using
batch files to get things done, these
tools are a must-have! (Thanks to Peter Sturm of Siemens,
München, for pointing these out to us.)
- SysInternals
(shareware) and Winternals (commercial versions)
provide a way for Mark Russinovich and Bryce Cogswell to market
their wares. Since their tools include NTFSDOS, ERD Commander,
Remote recover, NT Locksmith, and much, much more, these are two
sites you should check out for yourself.
- Download the LC4
password cracking tool from the @Stake archives.
- The Quakenbush Password
Appraiser will review your account and password data, and
comment on its strengths and weaknesses.
- PWDUMP2 SAM database extraction and cracking tool.
- Paperbits is a great
online resource for Windows NT and Windows 2000 information.
- Windows NT/2000/XP/etc
Tips and Tricks. We've found lots of interesting stuff here over the
years.
- Security Explorer from Small Wonders Software.
- Scripting tools or environments for Windows NT/2000: Perl - commercial; Perl - public domain; OpalisRobot; and WinBatch.
- Find Windows NT/2000 software at: Server Xtras, Inc.; Sunbelt Software; and Beverly Hills Software.
- Online port vulnerability scanner from Gibson Research called
ShieldsUp provides an external scan
of any site from which the Web page is invoked; very handy
tool.
- Integrated Research’s
Prognosis for Windows is a multi-platform network management tool
based on Windows NT and Windows 2000.
- John Savill's famous Windows
NT/2000 FAQ covers almost any base you can even
think of!
- TechTarget's outstanding Search Windows 2000 Web site
includes a very useful section on Security. See also their
Search Security Web site.
- The Honeynet
project is a non-profit research group of thirty security professionals
dedicated to information security research. It is our goal to learn the tools,
tactics, and motives of the blackhat community and share these lessons learned.
- The Deception
Toolkit has as its mission "to discuss issues surrounding deception and the
deception toolkit from the definition of what it is to how to do it and
everywhere between."
- ManTrap
extends the honeypot concept by creating an entire network of deception hosts
that lure the attacker away from production systems and into the confines of
the ManTrap cage.
Windows-capable Remote Control Software Packages
- Back Orifice 2000, a remote control tool from Cult of the Dead Cow.
- Citrix offers all kinds of terminal services and thin client
support, but their Independent Computing Architecture (ICA) and
MultiWin products, and their WinFrame and MetaFrame products, fit
this product category best. Explore their Web site to get a complete sense of
all the functionality this dynamic company has to offer for
remote control.
- Formerly known as Remotely Possible, Unicenter Remote Control
offers the same capabilities under a new product name.
- At one time, Lockdown
was called a trojan, but it now offers methods to detect and remove trojans.
- The former NetBus Pro is now called
Spector, and offers remote control capabilities in addition to its
monitoring and logging functions, which is why it appears here.
- Netcat also
offers remote control capabilities, which is why it's included
here.
- Symantec offers
PCAnywhere as its remote control package. It's what we use
ourselves; be SURE to enable password security!
- Altiris offers its Carbon Copy Solution product to provide
help-desk support and general remote control capabilities.
- Remotely
Anywhere offers advanced remote management capabilities, in
addition to the normal remote controls.
- Netopia offers several versions of its Timbuktu remote
control software, including Timbuktu
Pro Enterprise which works with Windows 9x, NT, and 2000,
plus Macintosh machines.
- AT&T Research Laboratories in Cambridge, England, spawned
Virtual Network Computing (aka vnc), which works on
Windows, Linux, and Solaris machines, with remote viewers for all
those platforms, plus Macintosh, Windows-CE devices, and even any
desktop with a Java-capable Web browser. Definitely hot
stuff!
Class Bibliography (Recommended Reading)
General Computer and Internet Security and Related
Topics
- Intrusion
Detection: Network Security Beyond the Firewall, by Terry
Escamilla.
John Wiley & Sons, New York, NY, 1998. ISBN 0-471-29000-9. List
Price: $39.99. Written by one of the architects of the WebStalker
product from Haystack Labs (once known as Network Associates'
CyberCop, now defunct), Dr. Escamilla covers the literature, topics, concerns,
and requirements for intrusion detection systems in a concise and
readable book.
- Building
Internet Firewalls, 2nd edition, by Brent Chapman and Elizabeth D.
Zwicky.
O'Reilly & Associates, Sebastopol, CA, 2000. ISBN: 1-56592-871-7.
The recent update to this classic title adds coverage of modern topics
and attack technologies. It remains one of the two most frequently cited books
on firewalls, and for good reason. It covers the motivation, design
considerations, and implementation issues involved in building firewalls better
than any other reference we've seen.
- Intrusion Signatures and Analysis, by Stephen Northcutt, Mark Cooper,
Matt Fearnow, and Karen Frederick.
New Riders, Indianapolis, IN, 2001. ISBN: 0-73571-063-5. A book that performs
complete analyses of numerous network- or Internet-based attacks, explaining
what traces were gathered and how the analysis pointed to penetration tools
and techniques. One of the best network forensics titles we've ever seen! Part
of the outstanding SANS GIAC curriculum.
- Network Intrusion Detection, 2nd edition, by Stephen Northcutt, and
Judy Novak.
New Riders, Indianapolis, IN, 2000. ISBN: 0-73571-008-2. A book that provides
outstanding training on and technical references to the art and science of
intrusion detection. Provides detailed examples to illustrate concepts, tools,
and techniques. Part of the outstanding SANS GIAC curriculum.
- PKI: Implementing and Managing E-Security, by Andrew Nash, William
Duane, Celia Joseph, and Derek Brink.
RSA Press, New York, NY, 2001. ISBN: 0-07-213123-3. Written by researchers who
helped develop standards and technology upon which PKI is based, this book
provides an excellent overview of concepts and technologies involved in PKI,
along with case studies to illustrate planning and deployment issues.
- Firewalls
and Internet Security: Repelling the Wily Hacker, by
William R. Cheswick and Steven M. Bellovin.
Addison Wesley, Reading, MA, 1994 (copyright by AT&T Bell Labs,
Inc.). ISBN: 0-201-63357. Written by two leading experts in the
fields of Internet and network security, this book remains one of
the two best resources on these topics available today. A second
edition is expected to be ready by early 2002, so if you're
thinking about buying this book (and you should), wait for the
revised and expanded edition to arrive.
- Hacking
Exposed: Network Security Secrets and Solutions, 4th ed. Stuart
McClure, Joel Scambray, George Kurtz. Computing McGraw-Hill,
2003. ISBN: 0072227427. There's also a great companion Website
for this book at http://www.hackingexposed.com/.
This is one of our current favorite references in the field, and
others give it high marks, too!
- Computer
Security. Dieter Gollmann. J Wiley & Sons, New York, NY,
1999. ISBN: 0471978442.
An upper-division undergraduate/graduate-level computer science textbook
on computer security, this one covers the subject very well from a more
theoretical and academic perspective. An excellent introduction to the
topic for those with computer science or engineering degrees.
General Windows Architecture
- Inside
Windows 2000, 3rd edition, by David A. Solomon and Mark Russinovich.
Microsoft Press, Redmond, WA, 2000. ISBN: 0-7356-1021-5. A worthy successor to
previous editions of this book, written for Windows NT 3.51 and 4.0. Solomon's
analyses and discussions were already great, but Russinovich's insight and
understanding of the Windows kernel is second to none. A must-have reference for
those who REALLY want to understand Windows 2000.
Windows 2000 Security Books
- Windows 2000 Security Handbook, by Phillip Cox and Thomas Sheldon.
Osborne/McGraw-Hill, San Francisco, CA, 2000. ISBN: 0-07-212433-4. A worthy,
completely updated and Active Directory-savvy successor to its equally good
Windows NT predecessor, this book contains great overview information, plus
lots of nuts-and-bolts hands-on instructions and good examples.
- Windows 2000 Security, by Roberta Bragg.
New Riders, Indianapolis, IN, 2001. ISBN: 0-73570-991-2. Ms. Bragg writes a
monthly column on security for MCP Magazine, and her depth of knowledge
and experience are clear in this book. Not terribly detailed, but one of the
best overall books on Windows 2000 security around. An excellent desktop
reference as well.
- Configuring Windows 2000 Server Security, by Thomas
Shinder, et al.
Syngress Media, location unknown, 1999. ISBN: 1928994024. List
Price: $49.95. An early entrant into a broadening field of
Windows 2000 security books, but it includes good content and
coverage of key Windows 2000 security capabilities and
configuration matters.
- Windows 2000 Security Little Black Book, by Ian McLean.
Coriolis, Phoenix, AZ, 2000. ISBN: 1-57610-387-0. Intense, focused
coverage of security tools, utilities, and tasks that administrators
must cover for Windows 2000. Best initial desktop reference around.
- Windows 2000 Security Handbook, by Jeff Schmidt.
Que, Indianapolis, IN, 2000. ISBN: 0-7897-1999-1. Much like the Cox-
Sheldon book: an excellent general reference on Windows 2000 security
topics, with lots of examples and step-by-step instructions.
- Windows 2000 Security Technical Reference, by John Hayday and
ISS Systems.
Microsoft Press, Redmond, WA, 2000. ISBN: 0-7356-0858-X. The Technical Reference
series is a standard Microsoft Press offering. Although this book gets low
ratings in some places (Amazon) it contains some useful information on security
policies, group policy objects, and PKI. Don't buy this unless you're building
a Windows security library, though.