Hello, I need help with two tasks.

Task 1: Chapter 9 in your text has some best practices to follow for Microsoft Windows network security. Which two would you start with and why? Can you think of others not on the list? If so, introduce them. Post your response to this forum in 4-5 paragraphs.

* For Task 1, I am attaching the application security textbook below. Please go through Chapter 9, Microsoft Windows Network Security (page 226 onward), and post your response to this forum in 4-5 paragraphs. Attached textbook name: Application Security (please go through Chapter 9, "Microsoft Windows Network Security").

Task 2: Also post a reply to at least one other person's post in 2-3 paragraphs.

* For Task 2, I am attaching one of my friend's posts below, in a document named "Friend_Post". He gave a response to the above forum; you need to read his post and reply to it in 2-3 paragraphs. Thanks.
World Headquarters
Jones & Bartlett Learning, 40 Tall Pine Drive, Sudbury, MA 01776, 978-443-5000, www.jblearning.com
Jones & Bartlett Learning Canada, 6339 Ormindale Way, Mississauga, Ontario L5V 1J2, Canada
Jones & Bartlett Learning International, Barb House, Barb Mews, London W6 7PA, United Kingdom
Copyright © 2011 by Jones & Bartlett Learning, LLC
All rights reserved. No part of the material protected by this copyright may
be reproduced or utilized in any form, electronic or mechanical, including
photocopying, recording, or by any information storage and retrieval
system, without written permission from the copyright owner.
This publication is designed to provide accurate and authoritative
information in regard to the subject matter covered. It is sold with the
understanding that the publisher is not engaged in rendering legal,
accounting, or other professional service. If legal advice or other expert
assistance is required, the service of a competent professional person
should be sought.
Production Credits Chief Executive Officer: Ty Field President: James
Homer SVP, Chief Operating Officer: Don Jones, Jr. SVP, Chief Technology
Officer: Dean Fossella SVP, Chief Marketing Officer:
Alison M. Pendergast SVP, Chief Financial Officer: Ruth Siporin SVP,
Business Development: Christopher Will VP, Design and Production: Anne
Spencer VP, Manufacturing and Inventory Control: Therese Connell
Editorial Management: High Stakes Writing, LLC, Editor and Publisher:
Lawrence J. Goodrich Reprints and Special Projects Manager: Susan
Schultz Associate Production Editor: Tina Chen Director of Marketing:
Alisha Weisman Senior Marketing Manager: Andrea DeFronzo Cover
Design: Anne Spencer Composition: Mia Saunders Design Cover Image: ©
Handy Widiyanto/ShutterStock, Inc. Chapter Opener Image: ©
Rodolfo Clix/Dreamstime.com Printing and Binding: Malloy, Inc. Cover
Printing: Malloy, Inc.
Printed in the United States of America
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series
from Jones & Bartlett Learning (www.jblearning.com). Designed for courses
and curriculums in IT Security, Cybersecurity, Information Assurance, and
Information Systems Security, this series features a comprehensive,
consistent treatment of the most current thinking and trends in this critical
subject area. These titles deliver fundamental information-security
principles packed with real-world applications and examples. Authored by
Certified Information Systems Security Professionals (CISSPs), they deliver
comprehensive information on all aspects of information security.
Reviewed word for word by leading technical experts in the field, these
books are not just current, but forward-thinking—putting you in the
position to solve the cybersecurity challenges not just of today, but of
tomorrow, as well.
Part 1 of this book focuses on new risks, threats, and vulnerabilities
associated with the Microsoft Windows operating system. Particular
emphasis is placed on Windows XP, Vista, and 7 on the desktop, and
Windows Server 2003 and 2008 versions. More than 90 percent of
individuals, students, educators, businesses, organizations, and
governments use Microsoft Windows, which has experienced frequent
attacks against its well-publicized vulnerabilities. Part 2 emphasizes how to
use tools and techniques to decrease risks arising from vulnerabilities in
Microsoft Windows operating systems and applications. Part 3 provides a
resource for readers and students desiring more information on Microsoft
Windows OS hardening, application security, and incident management,
among other issues.
The writing style of this book is practical and conversational. Step-by-step
examples of information security concepts and procedures are presented
throughout the text. Each chapter begins with a statement of learning
objectives. Illustrations are used both to clarify the material and to vary the
presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and
sidebars to alert the reader to additional and helpful information related to
the subject under discussion. Chapter Assessments appear at the end of
each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or
preview of the material and to help students understand the relative
importance of the concepts presented.
The material is suitable for undergraduate or graduate computer science
majors or information science majors, students at a two-year technical
college or community college who have a basic technical background, or
readers who have a basic understanding of IT security and want to expand
I would like to thank Jones & Bartlett Learning for the opportunity to write
this book and be a part of the Information Systems Security & Assurance
Series. I would also like to thank K Rudolph, the book’s technical reviewer
and liaison between me and Jones & Bartlett Learning. Your input really
made this a better book. And thanks so much to Ed Tittel for getting me
involved in the first place and Carole Jelen with Waterside Productions for
working so hard to make this happen.
Part ONE. The Microsoft Windows
CHAPTER 1 Microsoft Windows and the Threat Landscape
CHAPTER 2 Security in the Microsoft Windows Operating
Chapter 1. Microsoft Windows and the
MICROSOFT WINDOWS is the most common operating system used
today. More than 90 percent of computers use a Windows operating
system. Microsoft provides operating system software for a wide variety of
solutions, including both client and server computers. The latest Windows
releases for server environments provide the most advanced features of the
Windows product line.
Those releases contain new and updated security features. Each year brings
new and unique threats to violate a system’s security. Whether the goal is to
crash a system, access information without authorization, or disrupt
normal system operation, attackers are finding many vulnerabilities to
It is important to understand the threats to Windows system security and
the steps to protect it from attackers. The first step to creating and
maintaining a secure environment is learning how to find and mitigate
vulnerabilities and how to protect your systems.
This book covers the topics you will need to understand the risks, threats,
and vulnerabilities associated with the Windows operating systems. Then it
addresses the steps necessary to protect your systems. You will learn how to
implement Windows controls to protect both server and client computers.
And finally, you will learn how to maintain security controls to keep your
Windows computers secure.
Chapter 1 Topics
In this chapter, the following topics and concepts are presented:
What information systems security is
What the tenets of information security are:
The Availability-Integrity-Confidentiality (A-I-C) Triad
What mapping Microsoft Windows and applications into a typical IT
What Microsoft’s end user licensing agreement (EULA) and limitations of
What common Windows threats and vulnerabilities are
What Microsoft Windows vulnerabilities are, including Code Red, Conficker, and
What the discovery-analysis-remediation cycle is
What common forms of attack on Windows environments are
Chapter 1 Goals
Upon completion of this chapter, you will be able to:
Review key concepts and terms associated with information systems security
Discuss the tenets of information security: A-I-C Triad
Explain how Microsoft Windows and applications map to a typical IT
List the main objectives of the Microsoft EULA
Describe the limitations of liability in the Microsoft EULA
Categorize Windows threats and vulnerabilities
Recognize the anatomy of common Microsoft Windows vulnerabilities
Summarize the discovery-analysis-remediation cycle
Analyze common methods of attack
Discuss emerging methods of attack
Information Systems Security
As computers become more complex, attackers become more
sophisticated. Attackers are continually crafting new methods to defeat
the most secure environments. The job of the security professional is
becoming more difficult because of the complexity of systems and
attackers. No single action, rule, or device can protect an information
system from all attacks. It takes a collection of strategies to make
a computer environment safe. This approach to using a collection of
strategies is often called defense in depth. To maintain secure systems, it
is important to understand how environments are attacked and how
computer systems and networks can be protected. This book specifically
focuses on securing the family of Microsoft Windows operating systems and
The main goal in information security is to prevent loss. Today’s
information is most commonly stored in electronic form on computers, also
referred to as information systems. Although printed information, or
hardcopy, needs to be protected, this book only addresses issues related to
protecting electronic information stored on information systems.
The two goals of protecting information from unauthorized use while
making the information available for authorized use are completely
separate and often require different strategies. Ensuring information is
readily available and accessible for authorized use makes restricting the
data from unauthorized use more difficult. Most information security
decisions require careful thought to ensure balance between security and
usability. Information that is secure is simply serving the purpose for which
it is intended. It is not being used for purposes for which it is unintended.
Mechanisms used to protect information are called security controls.
Security controls can be part of the operating system or application
software setup, part of a written policy, or a physical device that limits
access to a resource. There are two methods of categorizing controls. These
aren’t the only methods used to classify controls and a single control may fit
into more than one category. The first method looks at what the control is.
Security controls belong to at least one of the following types:
Administrative controls are written policies, procedures, guidelines,
regulations, laws, and rules of any kind.
Technical controls are devices or processes that limit access to
resources. Examples include user authentication, antivirus software,
and firewalls. Technical controls are also called logical controls.
Physical controls are devices that limit access or otherwise protect a
resource, such as fences, doors, locks, and fire extinguishers.
Security controls can also be categorized by the type of function they
perform—also referred to as what they do. Here are the most common types
of security control function types:
Preventative controls prevent an action. Preventative controls include
locked doors, firewall rules, and user passwords.
Detective controls detect that an action has occurred. Detective
controls include smoke detectors, log monitors, and system audits.
Corrective controls repair the effects of damage from an attack.
Corrective controls include virus removal procedures, firewall table
updates, and user authorization database updates.
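The chapter names log monitors as a detective control but does not show one. The following is an added example, not code from the book or its publisher: a minimal log monitor that reads constructed, simplified logon records (the real Windows Security log is much richer; only the event IDs 4624 for a successful logon and 4625 for a failed logon are taken from Windows) and reports accounts with repeated failed logons. The line format, account names and addresses are assumptions made up for this example.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified, Windows-Security-log-like
# format (not real log output). Event ID 4624 = successful logon,
# 4625 = failed logon. One deliberately malformed line is included to show
# that a detective control must tolerate bad input rather than stop.
SAMPLE_LOG = """\
2011-03-01 08:00:01 EventID=4624 Account=alice Source=10.0.0.5 Status=SUCCESS
2011-03-01 08:00:05 EventID=4625 Account=bob Source=10.0.0.9 Status=FAILURE
2011-03-01 08:00:06 EventID=4625 Account=bob Source=10.0.0.9 Status=FAILURE
2011-03-01 08:00:07 EventID=4625 Account=bob Source=10.0.0.9 Status=FAILURE
2011-03-01 08:00:08 EventID=4625 Account=bob Source=10.0.0.9 Status=FAILURE
2011-03-01 08:01:00 EventID=4625 Account=carol Source=10.0.0.7 Status=FAILURE
2011-03-01 08:01:30 EventID=4624 Account=carol Source=10.0.0.7 Status=SUCCESS
this line is deliberately malformed and must be skipped, not crash the monitor
2011-03-01 08:02:00 EventID=4625 Account=admin Source=203.0.113.4 Status=FAILURE
2011-03-01 08:02:01 EventID=4625 Account=admin Source=203.0.113.4 Status=FAILURE
2011-03-01 08:02:02 EventID=4625 Account=admin Source=203.0.113.4 Status=FAILURE
"""

# Pattern for the constructed record format above (an assumption of this example).
LINE_RE = re.compile(r"EventID=(\d+) Account=(\S+) Source=(\S+) Status=(\w+)")


def count_failed_logons(log_text):
    """Detective control: count failed logons (event 4625) per (account, source)."""
    failures = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match is None:
            continue  # malformed record: skip it, keep monitoring
        event_id, account, source, _status = match.groups()
        if event_id == "4625":
            failures[(account, source)] += 1
    return failures


def find_repeated_failures(log_text, threshold=3):
    """Return the (account, source) pairs that failed at least `threshold` times,
    sorted so the result is stable for reporting."""
    counts = count_failed_logons(log_text)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for account, source in find_repeated_failures(SAMPLE_LOG):
        print(f"repeated failed logons: account={account} source={source}")
```

The monitor only detects; what happens next (locking the account, blocking the source address) is a corrective control in the chapter's terms, and carol's single failure followed by a success shows why the threshold matters: one mistyped password should not raise an alert.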
Tenets of Information Security: The A-I-C Triad
The practice of securing information involves ensuring three main
attributes of information. These three attributes are often called the tenets
of information security, or the A-I-C Triad. (Security professionals may
refer to the triad in a different order, such as the C-I-A Triad, but the
concept is the same.) The three tenets of information security are:
Availability—Assurance the information is available to authorized
users in an acceptable time frame when the information is requested.
Integrity—Assurance the information cannot be changed
by unauthorized users.
Confidentiality—Assurance the information cannot be accessed or
viewed by unauthorized users.
Each of the tenets interacts with the other two, and in some cases, may
cause conflict with other tenets. In this section, you will look at each tenet
in more detail and how each one may cause conflicts with the others.
Figure 1-1. The A-I-C Triad.
Recall that secure information is serving the purpose for which it was created.
This means that secure information must be available when the information is
Many attacks focus on denying the availability of information. One common
type of attack that denies the availability of information is the denial of service
(DoS) attack. This type of attack does not need to actually access or modify
information. It prevents authorized users from accessing it. For example, an
attack that denies access to Amazon.com’s Web-based information would have a
negative impact on sales. Amazon can’t afford to allow their information to be
inaccessible for any length of time. Since so many businesses rely on available
information to function properly, unavailable information poses a risk to the
primary business functions.
In August 2009, a denial of service (DoS) attack brought down Twitter and
slowed down Facebook for several hours. Both these services depend on
continuous availability to stay in business. While a few hours didn’t bankrupt
either organization, it did make many users frustrated that they couldn’t
access their favorite site.
Information is valid only when it is correct and can be trusted. The second
tenet of information security ensures that information can be modified only
by authorized users. Ensuring integrity means applying controls that prohibit
unauthorized changes to information. Controls that ensure information
integrity can be based on the user’s role. Other examples of integrity controls
are security classification and user clearance.
Since information may change as a result of application software instructions,
it is important that controls ensuring integrity extend to the application
software development process. Regardless of the specific controls in use, the
goal of integrity is to protect information from unauthorized changes.
In some cases, it is not enough to ensure information is protected from
changes. Some information is private, privileged, business confidential, or
classified and must be protected from unauthorized access of any type. Part of
the value of confidential information is that it is available only to a limited
number of authorized users. Some examples of confidential information
include financial information, either personal or corporate; personal medical
information; and secret military plans.
Confidentiality also introduces a need for an additional layer of protection.
Sometimes, it is necessary to limit users with access to many resources by
only allowing them to access specific resources on a need to know (NTK)
basis. For example, a manager may have access to project documents that
contain sensitive information. To limit the damage that could occur from
accidents or errors, it is common to limit access to documents that directly
relate to the manager’s projects only. Documents that do not directly relate to
the manager’s projects are not accessible. That means that although a user
possesses sufficient access for a resource, if the user does not have a specific
need to know what a resource stores, the user still cannot access it.
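The two passages above describe integrity controls based on the user's role and on classification and clearance, and a confidentiality control that adds need to know on top of sufficient clearance. The following is an added example, not code from the book, that puts both decisions into one access-check routine. The classification levels, roles, project names and users are constructed for the example; the manager with clearance for confidential documents who still cannot read another project's plan is the need-to-know case the text describes.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Security classification levels (constructed for this example).
    A user's clearance must be at least the document's classification."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Document:
    name: str
    classification: Level
    project: str              # the project the document belongs to
    editor_roles: frozenset   # roles allowed to modify it (integrity control)


@dataclass(frozen=True)
class User:
    name: str
    clearance: Level
    roles: frozenset
    projects: frozenset       # projects the user has a need to know for


def can_read(user: User, doc: Document) -> bool:
    """Confidentiality check: clearance must cover the classification AND the
    user must have a need to know, i.e. be assigned to the document's project."""
    if user.clearance < doc.classification:
        return False
    return doc.project in user.projects


def can_modify(user: User, doc: Document) -> bool:
    """Integrity check: modifying requires read access plus an authorized role."""
    return can_read(user, doc) and bool(user.roles & doc.editor_roles)


# Constructed sample principals and documents (assumptions of this example).
MANAGER = User("manager", Level.CONFIDENTIAL, frozenset({"manager"}), frozenset({"alpha"}))
ANALYST = User("analyst", Level.CONFIDENTIAL, frozenset({"analyst"}), frozenset({"alpha", "beta"}))
CONTRACTOR = User("contractor", Level.INTERNAL, frozenset({"analyst"}), frozenset({"alpha"}))

ALPHA_PLAN = Document("alpha_plan", Level.CONFIDENTIAL, "alpha", frozenset({"manager"}))
BETA_PLAN = Document("beta_plan", Level.CONFIDENTIAL, "beta", frozenset({"manager"}))
ALPHA_MEMO = Document("alpha_memo", Level.INTERNAL, "alpha", frozenset({"manager", "analyst"}))


def access_matrix():
    """Return {(user name, document name): (may read, may modify)} for every pairing."""
    users = (MANAGER, ANALYST, CONTRACTOR)
    docs = (ALPHA_PLAN, BETA_PLAN, ALPHA_MEMO)
    return {(u.name, d.name): (can_read(u, d), can_modify(u, d))
            for u in users for d in docs}


if __name__ == "__main__":
    for (user, doc), (read, modify) in sorted(access_matrix().items()):
        print(f"{user:<11} {doc:<11} read={str(read):<5} modify={modify}")
```

Three outcomes are worth comparing in the output: the manager is denied beta_plan although the clearance is sufficient (need to know fails); the contractor is denied alpha_plan although assigned to the project (clearance fails); and the analyst may read alpha_plan but not modify it, because the role check is a separate, integrity-side decision.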
A successful attack against confidential information enables the attacker to
use the information to gain an inappropriate advantage or to extort
compensation through threats to divulge the information.
Confidentiality has long been the subject of many types of legislation.
Legislative bodies in many countries have enacted laws and regulations to
protect the confidentiality of personal medical and financial information.
Attorneys and physicians have long enjoyed the privilege of confidentiality
when conversing with clients and patients. This assurance of confidentiality is
crucial to the free flow of necessary information.
Mapping Microsoft Windows and
Applications Into a Typical IT
Satisfying the A-I-C Triad requires more than just implementing controls
on a single system. Today’s IT environments consist of a collection of
computers and network devices connected to one or more networks. The
collection of all computers, devices, and network components that make up
an IT environment is called an IT infrastructure.
Figure 1-2. A sample IT infrastructure.
An IT infrastructure diagram depicts the various components that work
together to satisfy the organization’s information processing requirements.
Some common infrastructure components include:
Server instances (often listed by function)
In most environments, the Microsoft Windows family of operating systems
fills both the roles of client and server. Windows systems can operate as
network devices, such as gateways or routers. It is more common to see
either purpose-built devices or Windows servers providing device services.
This book will focus on the client and server roles of Windows.
Client systems exist to provide functionality to end users. These systems are
often called customer-facing systems. Each specific application can either be
deployed as a thin or thick client.
Thin clients collect information from end users, send it to a server for
processing, and display the returned results back to the end user. Most of the
actual processing of the information occurs on a server. One of the most
common examples of a thin client application is a Web browser.
Thick clients collect information from the end user and process some, or all, of
the information locally. Commonly, the information is stored in a database
running on a server. The client handles a large amount of the information
processing work. Examples of thick client applications are legacy enterprise
applications that provide accounting and manufacturing control.
The most common Windows operating systems in use on client computers
Windows 7 (the newest Windows client)
Windows client computers are often general purpose computers that provide
end user applications for various purposes. It is common for a single Windows
client computer to have a Web browser, e-mail client, office productivity, and
even proprietary application software installed. Client computers are rarely
single-purpose devices. This multi-role functionality often makes securing
these computers more difficult.
Server computers exist in the IT infrastructure to provide specific types of
services to client applications, either directly or indirectly. Common server
applications may include Web servers, application servers, and database
servers. Microsoft provides several different server products to satisfy various
needs. In each version, it is common to tailor the specific applications installed
on the server to customize the services provided. Micro …