Book Review - IIS Security

ThePsyko
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California


Posted: Wed Feb 11, 2004 7:38 am    Post subject: Book Review - IIS Security

IIS Security

Author: Marty Jost and Michael Cobb
Publisher: Osborne McGraw-Hill
Book Specifications: Soft Cover, 451 pages
Category: Networking / Security
ISBN: 0-07-222439-8
Amazon.com: IIS Security US
Amazon.co.uk: IIS Security UK



Description from Back Cover

Safeguard your Web site and all its services with help from this detailed guide. After studying common Web site vulnerabilities - for both Internet and intranets - you'll find out how to plan and implement an effective and complete security framework that will prevent Denial of Service attacks, hacker intrusions, and malicious code breaches including Trojans, viruses, and worms. Learn to properly configure IIS security features and discover the ins-and-outs of auditing. This definitive guide will help you proactively manage your IIS Web environment to minimize future security risks. Focused, practical, and authoritative, this book shows you everything you need to know to secure IIS servers using real-life security challenges with proven solutions, security alerts, implementation techniques, and security check lists.

Introduction

I selected this book due to my familiarity with the subject matter. Over the past 8 years I have set up and managed dozens of IIS servers, none of which have ever been compromised (knock on wood), therefore I felt competent in tearing apart this book, and as part of my review I tore down a 2k system, began with a clean install, and followed the book as I went.

Although the apparent intended audience is the newbie to IIS servers, the authors manage to provide enough technical detail and information to interest even seasoned veterans. Complete and concise, this book manages to cover everything you need to know to set up and manage a secure IIS 5 server (IIS 6 is not covered).

Contents

The book is broken down into 4 sections, including Appendixes, which are laid out as follows:

Part I: Exposure, Risk, and Prevention
If you're going to read just one section of one book this year, make sure it's this one. Covering everything from security threats to the steps required to prepare and harden your server before putting it online, this section alone is worth the cost of the book.

Part II: Administration
Covers deployment issues, server management, encryption and provides overviews of many of the more common third-party tools used in conjunction with IIS.

Part III: Advanced Topics
FTP, NNTP and Active Content are just a few of the topics covered in this section. Obviously not everything on these topics can be covered in this one section, but there is enough here to provide the reader with adequate information to stay secure.

Part IV: Appendixes


Style And Detail

Written in an easy-to-follow style, and providing detailed information and additional 'Tip' sidebars along with screen shots and illustrations, this book takes the reader through the process and delivers on its promise of a secure IIS server. The information provided is well laid out throughout the book, with enough detail provided to interest even the IIS savvy admin while still managing to make sense to those with minimal experience.

Conclusion

If you're looking for a 'How to Hack' book, don't bother with this one. However, if your goal is to set up and deploy a secure IIS server, this book is a definite must.

Despite the fact that Chapter 1 seemed rushed and incomplete, it still managed to cover the basics that a novice needs to know, and the rest of the book more than makes up for it with its concise and detailed information. Obviously, the book focuses on IIS Security and doesn't delve into securing the underlying OS (be it 2000 or XP) other than as it relates to IIS. Therefore I wouldn't recommend it be the only book you buy if you are serious about keeping your system secure. However, if you follow the suggestions provided throughout the book, you'll find yourself with a relatively secure machine that should keep out the average script kiddie.

I found the information presented in this book makes it an invaluable resource and a perfect addition to my collection. In my opinion, this book rates a solid 9 stars out of a possible 10, and I would definitely recommend that anybody currently managing or planning to deploy an IIS server get themselves a copy.

Security Forums Discount

The publishers McGraw Hill have kindly setup a discount section for Security Forums' users. Discounts can be up to 30% off the RRP and postage is free on all orders over 20 in the UK & Central Europe.

http://www.mcgraw-hill.co.uk/securityforums


Rating

Highly Recommended 9 / 10



This review is copyright 2004 by the author and Security-Forums.com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
MattA
Trusted SF Member


Joined: 13 Jun 2003
Posts: 16777193
Location: Eastbourne + London


Posted: Wed Feb 11, 2004 1:49 pm    Post subject:

How was it on topic areas such as:

1/ integrating the website with PKI (both for SSL and IPSEC using certificate-based authentication)

2/ setting up two websites, one for external and one for internal use (updates).

3/ security templates for Active Directory

4/ integration with other products such as ISA and SQL Server?

As I was looking for a book on IIS hardening at the moment with an emphasis on these areas.
ThePsyko
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California


Posted: Wed Feb 11, 2004 7:07 pm    Post subject:

MattA wrote:
How was it on topic areas such as:

1/ integrating the website with PKI (both for SSL and IPSEC using certificate-based authentication)


11 pages on everything from requesting a certificate to installing multiple certificates to where and how to change the registry entry that controls the cipher used.

MattA wrote:
2/ setting up two websites, one for external and one for internal use (updates).


It covers that pretty well also - how to configure the two sites to use two different NICs/IPs and how to keep them separate (with different permissions on each).

MattA wrote:
3/ security templates for Active Directory

It touches on AD and security templates, but only in how they relate to IIS - it's certainly not the only book you would want on the subject.

MattA wrote:
4/ integration with other products such as ISA and SQL Server?


It touches briefly on ISA in its section on third-party tools (?) / firewalls, but only briefly. As for SQL, let's just say that nowhere in the Index are the words 'SQL' or 'ODBC' found.

MattA wrote:
As I was looking for a book on IIS hardening at the moment with an emphasis on these areas.


With the exception of the last part, I think you would get a lot out of this book, especially if you're looking to harden your IIS server.
cisco student
Just Arrived


Joined: 07 Sep 2003
Posts: 8
Location: SFDC USA: Chico, California


Posted: Wed Feb 11, 2004 7:34 pm    Post subject:

I looked at buying this book, but found that IIS 6.0 Administrator's Pocket Consultant by William R. Stanek and the IIS 6.0 Resource Kit from the IIS team at Microsoft were a better buy.