Author: Steve Kalman
Pages: 608
Publisher: Cisco Press
ISBN: 1587050927


Introduction
After being a technical editor for several Cisco Press publications, Steve Kalman decided to write his own take on the ever-present topic of web security. The result of his work is this book, "Web Security Field Guide" - Hands on techniques for securing Windows servers, browsers and network communications.
About the author
Steve Kalman, CISSP, is the managing director for Esquire Micro Consultants, through which he teaches eight courses on Cisco routers, Microsoft Windows, and networking, telecom, and security topics for Learning Tree International. He is also the technical editor for three of those courses. Steve has also developed or edited more than a dozen CBT modules on networking, Cisco routers, and Microsoft Windows topics. In addition to teaching and course development, Steve is a network design consultant. Steve has worked as a programmer, manager, and consultant for companies of all sizes, both for-profit and nonprofit.
An interview with Steve Kalman is available here.
Inside the book
As the author notes, this book is meant for network administrators who are driving without insurance. There is always a demand on them to show positive results and to fix any problems that occur. As the administrators don't have the luxury of time to create prevention plans, this book provides a walk through the security perspectives of their jobs.
"Web Security Field Guide" spreads over 575 pages divided into five parts (six if you include the appendixes, which contain a tutorial on decoding Base64 and information on customizing Internet Explorer error messages). The author's way of presenting the information in this book will surely please readers who like to see a number of graphical examples. From the Windows security section to the firewalls section, detailed visual guides present an additional view of the topics you read about. These guides include diagrams, screen captures and step-by-step instructions. As Mr. Kalman assumes that readers will look only at the parts that are pertinent to them, some material is duplicated throughout the book. This can especially be seen in the fourth chapter, which deals with Microsoft IIS 4 and IIS 5 installations. This is a big plus, as the reader can focus on just the operating system or web server he/she actively uses and can disregard any unimportant information.
Essential information for web security administration is one of the topics in the first part of the book, titled "The Fundamentals of Web Security". Here the author discusses networking basics and network layers, either acquainting readers with these topics or refreshing their knowledge of them. The following fifteen pages present information on security policies, mainly on approaches to risk analysis, the contents of security policies and a few examples of common security policies.
The second part of the book is a guide through hardening Windows file servers. It is assumed that the operating system is already installed, so the next step is obviously to secure these systems. Security steps for Microsoft Windows NT 4, Windows 2000 and Windows XP are covered within this part of the "Web Security Field Guide". The previously mentioned visual guides are of great use here, as they provide detailed steps for hardening these operating systems, which often seem insecure.
After walking the readers through the process of securing the operating systems, the logical step is to cover the security perspectives of web servers, that is, Microsoft's Internet Information Services (IIS) 4 and 5. After the detailed installation guides, a chapter on enhancing web server security is presented and covers the following topics: limiting access to the server, IIS logging functions and miscellaneous security tips. These tips include moving the Metabase file, managing access and execute permissions, setting advanced security configuration options, managing application isolation, etc. As an addition to the chapter on securing the web server, there is a section that discusses securing and enhancing the FTP (File Transfer Protocol) server. RhinoSoft's Serv-U secure FTP server was taken as an example, and the book contains a guide from the installation to the security tweaks of this product.
As the users and the state of their security are an important part of any security scheme, "Web Security Field Guide" dedicates its fourth part to user protection. There are two chapters in this part of the book - "Browser Security" and "Desktop/Laptop Security". As the author focuses on the Microsoft Windows environment, browser security is shown using Internet Explorer as the example. General browser security issues are covered within this chapter: dangerous content (Java, JavaScript, ActiveX, VBScript), cookies and zones. The introduction page of part four says that the "Desktop/Laptop Security" section focuses on protecting the PC and that the topics of the chapter include personal firewalls, virus scanners, digital signatures and enforcing security policies. Unfortunately, this description has nothing to do with the actual contents of this chapter, as it just covers the Internet Explorer Administration Kit (IEAK). If you ever wanted to know anything about IEAK, this is the book for you, as IEAK coverage is spread over 70 pages.
The "Protecting the network" part of the book talks about controlling access, keeping malicious content out of the corporate network environment and taking care of the state of security. Firewall design, access lists and usage are shown through Cisco's products, therefore you will learn about the Cisco PIX architecture and its features. There are four thematic chapters in this pre-appendix part of the book: "Becoming a Certification Authority", "Firewalls", "Maintaining the ongoing security" and "The weakest link". Each of these chapters is filled with valuable data and accompanied by examples in the form of screen shots and information tables. The "missing" content of the "Desktop/Laptop Security" chapter, mostly personal firewalls and anti-virus, is located in this part of the book. "Web Security Field Guide" closes with the chapter on the weakest link - the user.
What I think of it
This "Field guide" should be of interest to novice and intermediate readers interested in enhancing the security of their Microsoft-based installations. The visual guides, which fill about 50% of the book, will be of great use to some, and will be disliked by others, who like their books to be full of text. If you like to see actual situations in the way of reading the topic and checking the screen shots at the same time, you'll love the book.




