Database and Infrastructure Architecture and Security
Home for K. Brian Kelley, SQL Server Author and Columnist

Review - Clinic 2801: Microsoft® Security Guidance Training I

I deal with server and database security on a daily basis. As a result, I always keep my eyes open for ways to do things better and more securely. I'm also looking for training options I can pass on to my peers as well as those I support. If it's free, all the better. Such is the case with Microsoft's Security Guidance Training series. This review will look at the first of that series of clinics.

What the Course Covers

The first course makes divisions along the following lines (Microsoft's section titles):
  • Essentials of Security Management
  • Implementing Security Update Management
  • Implementing Server Security on Windows 2000 and Windows Server 2003
  • Implementing Client Security on Windows 2000 and Windows XP

Essentials of Security Management

This first section is an introduction into the basics of security:

  • Why security makes sense from a business perspective
  • Risk management as it applies to security (in other words, how not to spend too much money on something that offers you little or no protection)
  • Core concepts:
    • Defense in Depth
    • Microsoft's 10 Immutable Laws of Security
  • General concepts of incident response

If you've been around security for any length of time, this material isn't new. If you're interested in security but aren't yet well-versed in it, take some time to learn this material, because everything that follows builds upon it. However, don't rely on this introduction alone for your foundation in understanding security. Key concepts such as the "three As" (Authentication, Authorization, Access Control) aren't covered, nor are important principles such as the Principle of Least Privilege (give a person only the rights needed to do the job and nothing more). Therefore, while the material in this basics section is good, it is by no means comprehensive.

Implementing Security Update Management

Every organization, no matter how large or small, faces the issue of how to keep systems up-to-date with the latest security patches and hotfixes. That's what this portion of the training covers. This section breaks down as follows:

  • Why managing security updates makes sense to the business
  • Understanding how time from patch to exploit has shortened significantly
  • Microsoft's classification of security updates and its release frequency

If you've never looked at the potential business impact of not updating, this first topic may be an eye opener. Most businesses don't like systems to go down for any reason. However, when it comes to security updates the business has to make a choice: does it want server downtime during a planned update, or unexpected downtime when a vulnerable server gets hit? As I've been taught when it comes to security: getting hit isn't a matter of if but when.

With respect to the timeline from patch to exploit, there have been numerous studies and statistics presented about how attackers are getting smarter and faster. I watched Halvar Flake at Black Hat USA 2004 explain how he was able to piece together in a matter of hours which vulnerable piece of the OS was patched with a security hotfix, simply by reverse engineering the patch and doing some calculations and comparisons. This presentation proved to me that we can't get systems patched fast enough from a security perspective, assuming we can trust the patches. The course doesn't get into detailed topics like that, but it's a good high-level overview of why patching is needed and why that patching should be expedited in any organization.

Implementing Server Security on Windows 2000 and Windows Server 2003

Here is where the course begins to get more into the technical details of security on Windows systems. The topics covered are:

  • General server security practices
  • How Active Directory can be used as a tool to secure servers
  • Hardening specific types of servers:
    • Active Directory domain controllers
    • Member servers
    • Non-domain (stand-alone) servers

Even with more technical coverage, the material is still at a high level. You'll pick up concepts and ideas of areas to explore in more detail; however, you won't find step-by-step guidance and supplementary checklists you can apply immediately to secure your servers. A general training course like this one isn't going to be able to provide such guidance, but the course does refer to more comprehensive sources such as the Windows 2000 Security Hardening Guide, the Windows Server 2003 Security Guide, and the Threats and Countermeasures Guide.

Implementing Client Security on Windows 2000 and Windows XP

This section is more nebulous than the previous one because tightening security on clients is a much harder endeavor than on servers. After all, servers are typically very specific about what applications run on them, what services they need running, etc. Client systems tend to be broader because a wider range of applications is needed by end users. Also, end users must be able to work or the business suffers. As a result, security trade-offs have to be carefully weighed. And that's what this section is about: using the technology provided in Windows 2000 and XP to harden client systems, but with an understanding of what end users need. A breakdown of topics covered is:

  • General client security practices
  • The danger of malware
  • Software firewalls
  • Using Active Directory to tighten down security
  • Dealing with non-domain (stand-alone) systems

Impressions about the Course

Overall I felt it was a good first course in security from a Microsoft viewpoint. I thought the basics were a little light, but I understand the need to get into a discussion of the operating systems and how to think about securing them. However, I think the course would have been better served either getting straight into operating system security or focusing more on the basic concepts, which are applicable to almost every environment.

With that said, it is a course I wouldn't have a problem recommending to others. There is a solid amount of good information for anyone charged with administering servers and/or workstations in a Windows environment. And this is the first course in a series of five on security. Therefore, more topics are covered in later courses.

Information about the Course

Course Name: Clinic 2801: Microsoft® Security Guidance Training I
Course Location: Microsoft eLearning Site
Course Cost: Free
Course Duration: 180 Day Subscription
Course Provider: Microsoft Corporation (eLearning)
Recommended Audience: Server and workstation administrators

© 2002-2008 by Truth Solutions™ and K. Brian Kelley. All Rights Reserved.