Windows Server 2003 Security: A Technical Reference
by Roberta Bragg

Addison-Wesley 2005.
ISBN 0-321-30501-9. 1142 pages. $54.99. Index.

Reviewed by Robert Bruen, 07/12/05

This is not a general book about security or even about Microsoft security; it is about Windows Server 2003 security. It is a book with remarkable depth and real content all the way through. Since it is about a specific platform, the book takes its content from the implementation of that platform. (The book does not present tricks that could be used to hack into Server 2003.)

The book contains good, general background about security principles, but only as they apply to the topics covered. The presentation of how to set up and implement Microsoft strategies is excellent. Many books are available with screenshots and click-here instructions, but few provide this level and quality of explanation, so that you understand why things should happen in a particular way. Microsoft may have made it easier to get things working, but they have made it much harder when things go wrong. Ms. Bragg has filled in that gap, at least for Server 2003.

Security has many components; one of those is encryption. It is not the only one or the most important, but it needs to be part of almost any security architecture. It is a tragedy, for example, that cleartext remote logins are still available, especially since this problem was solved years ago. Microsoft Windows has had encryption available for long enough that it should be used as a standard operating procedure. Think of how much grief could have been avoided by those fifteen or so colleges who had databases stolen containing personal information. Encryption can be used and should be used for sensitive information. Now the Encrypting File System is part of NTFS and is available to ordinary users without being part of a domain or meeting any other special requirements. EFS is simple to use, mainly by clicking in dialog boxes, but there is command window access as well. The author has been very thorough in covering the simple procedures as well as the complex issues. One of the reasons, in my opinion, that PKI in general has not really taken off is because key management is difficult. The same problem pops up in EFS.

The recovery agent is a feature meant to address this problem, in part. If you lose your key or you leave the organization, the files that you encrypted can be recovered by the designated recovery agent. Naturally there are a few hidden traps. For example, although Windows 2000 set up the admin as a recovery agent by default, Server 2003 does not, except for the domain controller admin, and only the first one. It would be a nasty surprise to discover this after an upgrade. This book will guide you through this and all of the landmines when setting up, running and troubleshooting EFS. The jury is still out on whether the ability of third parties to recover such files is a good thing, because it is both helpful and shows a weakness, but at least you can plan for the difficulties with some confidence.
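The post-upgrade trap described above (files encrypted on a machine that has no recovery agent) is something an administrator can check for before it matters. The following PowerShell script is an added example, not code from the book or from Microsoft: it encrypts a constructed scratch file with EFS, confirms the Encrypted attribute, and then inspects the built-in `cipher.exe /c` listing to see whether any recovery certificate applies to that file. It assumes an NTFS volume, that `cipher.exe /c` is available (it is on Windows Vista/Server 2008 and later; on Server 2003 itself the book's command-window procedure is the reference), and that the `/c` output uses a "Recovery Certificates:" section followed by "Certificate thumbprint:" lines for each agent, which is the format seen on current Windows releases.

```powershell
# Added example (not from the reviewed book): check whether EFS-encrypted files on this
# machine carry a recovery agent. Assumes NTFS and cipher.exe /c (Vista/Server 2008+).

function Test-EfsRecoveryAgent {
    param([string]$Path)

    # Encrypt via .NET; this is the same operation as the Properties > Advanced checkbox.
    [System.IO.File]::Encrypt($Path)

    # Confirm the file system actually marked the file as encrypted.
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
        throw "EFS did not encrypt $Path (is the volume NTFS?)"
    }

    # cipher /c lists the users who can decrypt the file and any recovery certificates.
    $listing = (& cipher.exe /c $Path 2>&1) -join "`n"

    # Assumed output layout: a "Recovery Certificates:" section that ends where
    # "Key Information:" begins; each agent contributes a "Certificate thumbprint:" line.
    $hasAgent = $false
    if ($listing -match '(?s)Recovery Certificates:(.*?)(Key Information:|$)') {
        $section  = $Matches[1]
        $hasAgent = $section -match 'thumbprint'
    }

    [pscustomobject]@{
        File             = $Path
        Encrypted        = $true
        HasRecoveryAgent = $hasAgent
        Listing          = $listing
    }
}

# Constructed sample: a scratch directory and file under %TEMP%.
$dir  = Join-Path $env:TEMP 'efs-recovery-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'sample.txt'
Set-Content -LiteralPath $file -Value 'constructed sample data for the EFS check'

try {
    $result = Test-EfsRecoveryAgent -Path $file
    if ($result.HasRecoveryAgent) {
        Write-Output "OK: a recovery agent applies to files encrypted on this machine."
    } else {
        # This is the situation the review warns about: a lost user key means lost data.
        Write-Warning "No recovery certificate found for $file. Files encrypted here cannot be recovered by a data recovery agent."
    }
    $result.Listing
} finally {
    # Remove the scratch file so no encrypted leftovers stay in %TEMP%.
    Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it in an ordinary user session on the server in question; the warning branch is what an upgraded Server 2003 member server will produce until a data recovery agent has been designated. The real `cipher.exe /r:<basename>` switch generates the recovery agent certificate and private key (`.cer` and `.pfx`) that the book's procedure then imports through Group Policy or the local security policy, so this check is the verification step to run after that procedure rather than a replacement for it.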

Bragg has produced the reference book for Server 2003 security. Microsoft should be grateful, along with anyone who has to administer a domain with Server 2003 at its heart. Definitely a must-have book.