acceptable use policies (AUPs), 209t, 278, 331

access control entries (ACEs), 42, 221

access control lists (ACLs), 28, 42, 210, 251

access controls, 25–27, 63

• access models, 43–44

• auditing and tracking, 55–57

• and authentication, 25–27

• best practices for, 60

• calculating access permissions, 54–55

• class identifiers (CLSIDs), 52–54

• discretionary access control list (DACL), 49–51

• globally unique identifier (GUIDs), 52–54

• Kerberos, 48

• least privilege and LUAs, 41

• managed service accounts, 47–48

• management tools, 57–59

• methods, 26–27

• Orange Book, 40–41

• rights and permissions, 42–43

• security identifiers (SIDs), 52–54

• sharing SIDs and SATs, 47

• user account control (UAC), 45–46

access management tools, 57–60, 58t

access permissions, 54–55

access rules, 28–29

accounts, 60

• lockout policy, 103t

• policy, 243

ACEs. See access control entries

ACLs. See access control lists

Active Directory (AD), 29–30

• Domain Services server, 161t

• GPOs types in, 110–113

• Group Policies, 102, 107

• Group Policy Objects (GPOs) and, 212

• for IT operations, 245–246

• Security Access Token and, 47

• security control, 211t, 212t

• security groups, 41t

• user accounts in, 211, 243, 244

activities, SCM, 321–322

activity coordination, 321

AD. See Active Directory

Add Roles Wizard windows, 272, 272f

adding/removing programs and services, 238, 240–242, 241f

administration. See also security administration

• anti-malware software, 225

• backup, 217–218

• discretionary access control list (DACL), 221–222

• encryption, 223–225

• firewalls, 213–215

• Group Policy, 220–221

• hardening, 247–248

• OS service pack, 219

administrative controls, 4

Administrator account, 243, 247

Advanced Encryption Standard (AES), 66

advanced security settings dialog, 50, 51f, 54

AES. See Advanced Encryption Standard

agile software development, 309–310, 310f

AGULP approach, 60, 335

A-I-C triad, 4–6. See also confidentiality-integrity-availability (C-I-A) triad

“allow” ACE, 54

analysis step, 14

Animal (Trojan), 89

anti-malware protection/shield, 95, 211t, 212t, 214t

anti-malware software, 91–93, 96, 97, 199, 209t, 225, 250, 265, 267t, 268t, 275, 333

anti-spyware software, 93

antivirus software, 91–93

application backup and recovery

• backup process, 153

• in business continuity setting, 166–168

• need for backups, 151–153

• restore process, 154–155

application security. See also application software security

• basic rules of, 327–328

• best practices, 280, 326–338

• case studies, 279

• client applications, 262–263

• principles, 261–262

• server applications, 269–279

• trends in management, 336–337

• web browsers, 263–269

application software, 261, 334–335

• attacks, 261–262

application software security

• best practices, 323–324

• development, 314–317

• implementation, 317–319

• maintenance, 319–320

• management, 310–313

• revision, 320–323

applications

• best practices for securing, 280

• client, 262–263

• encryption, 276

• hardening, 262

• server, 161t, 188–189, 269–279

• verifier, 312

AppLocker, 268–269

apply encryption, 44

architecture, 22–24

asymmetric algorithms, 80

attack surface, 30–32, 233

attackers, 3, 6, 152, 243, 336–337

attacks, 15, 15t, 211, 211t, 212t, 213

audit file access, 44

auditing

• best practices, 329

• defined, 141–142

• policy, 103t

• and scanning process, of malware, 96

• strategy, 271t, 277

• and tracking Windows access, 55–57

• Windows tools, 145t

AUPs. See acceptable use policies

authentication, 25, 26t, 43–44, 199, 200, 211, 212t, 225, 242–244, 252–253, 255, 271t, 277, 278, 316

authorization, 30, 199, 200, 211–212

authorized users, 4

availability, 4, 5f, 6, 150, 212–213

Azure, 7, 278, 279

backup

• policies, 209t

• Windows Registry, 238, 240

backup administration

• Windows server backups, 218

• Windows workstation backups, 217

backup and recovery tools, 150–176

• application, 151–155, 166–168

• best practices for, 175–176

• business continuity plan, 168

• cloud backups, 165–166

• commercial products for, 160t

• disaster recovery plan, 167–168

• media security, 153

• network backups, 164–165

• rebuilding systems from bare metal, 171–173

• server backups, 160–164

• virtual machines, 174–175

• workstation backups, 156–160

Backup and Restore utility, with Windows, 156–160, 166–171, 217

bare metal recovery, 172, 173f

baselines, 13, 33, 126, 146, 237, 247, 321, 322, 330

BCP. See business continuity plan

best evidence rule, 300

best practices

• for access control, 60

• for application security, 280, 326–338

• for application software security, 323–324

• for backup and recovery, 175–176

• for encryption techniques, 81–82

• for group policy, 121–122, 122t

• for handling incidents, 302

• for hardening OS, 257

• for malware prevention, 97–98

• for network security, 202–203

• for security administration, 228

• for security audits, 146–147

“Bitcoin Baron”, 6

BitLocker, 66–72

• authentication modes, 67t

• authentication options, 74, 75f

• enabling, 73f, 223–225, 224f

• and Encrypting File System (EFS), 68t, 267t, 268t, 275, 276

• installation, 69–71f

• management tool, 72, 74f, 224f

• protection, 328

• recovery information, 328

BitLocker To Go, 70–72, 74, 76f, 223–225

Bluetooth, 184

boot devices, 64

BSIMM. See Building Security in Maturity Model

buffer overflow, 88

Building Security in Maturity Model (BSIMM), 314–315, 323

Burp Suite Web Vulnerability Scanner, 140, 142f, 143f

business continuity plan (BCP), 167, 168, 175, 214t, 274, 285, 327

business drivers, 225

CA. See Certificate Authority

cacls.exe CLI tool, 57–58, 58t

California Consumer Privacy Act (CCPA), 225

campus area network (CAN), 181

CAN. See campus area network

CAPEC. See Common Attack Pattern Enumeration and Classification

CCB. See Configuration Control Board

CCPA. See California Consumer Privacy Act

Certificate Authority (CA), 81, 255, 328

chain of custody, 300–301, 301f

change control, 321

checklists, 287

cipher, 77

Cisco Systems, 253, 254

Class Identifiers (CLSIDs), 52–54, 53t

classification, 26

classified data, 44

clearance, 26

CLI tools. See command-line interface tools

client applications, 262–263

client systems, 7

cloud backups, 165–166

cloud-based software, 279

cloud computing, 174, 202, 337

cloud security, and internal network, 201–202

cmd.exe, 57

coaxial cable, 183, 184t

code analyzer, 312

code execution, 316

code generation phase, 308

cold site, 167

command-line interface (CLI) tools, 57, 146

• for MBSA, 131, 134, 135–136f

command-line SCA tool, 128, 132–133f

command-line server backups, 162

command-line workstation backups, 159

Common Attack Pattern Enumeration and Classification (CAPEC), 14t

Common Criteria for Information Technology Security Evaluation, 41

Common Vulnerabilities and Exposures (CVE), 14t

Common Weakness Enumeration (CWE), 14t

communication, 321

• CSIRT, 289

• data encryption, 75, 77

• protocols, 185, 190

• and remote access, hardening, 251–255

• service, 22t

compensating controls, 161

compiler option, 312

complete system backup, 172

compliance, 225

Compliance Manager, 226, 227f

computer and device security, 182, 233

computer environment, 3

Computer Management tool, 27, 27f

computer security incident response team (CSIRT), 285, 288–289

• process management tools, 297

• roles, 288t

computer virus, 88

confidentiality, 4, 5, 5f, 210, 211t, 213, 274, 276

confidentiality-integrity-availability (C-I-A) triad, 4–6, 189, 200, 210–213, 261, 269, 274, 290

configuration

• auditing, 322

• control, 321

• identification, 322

• status accounting, 322

Configuration Control Board (CCB), 322

connection media, 182–185

• wired network connections, 183

• wireless network connections, 183–185

connection security rules, 215

contacts and hierarchy, CSIRT communication, 289

containers, 112

containment step in handling incidents, 286t, 293, 295

contractors, 255, 256t

control, 19

control file access, 44

controlling access, 21

cookie settings, 264t

cooperative agreement, 167

corrective controls, 4

Creator Group ID, 28t

Creator Owner ID, 28t

Creeper virus, 88

critical incidents, 289

cross-site scripting, 15t

cryptocurrency, 90

cryptojacking, 90

CryptoLocker, 11–12

CSIRT. See computer security incident response team

customer-facing systems, 7

CVE. See Common Vulnerabilities and Exposures

CWE. See Common Weakness Enumeration

cyber attackers, 6

DAC. See discretionary access control; dynamic access control

DACL. See discretionary access control list

Darwin (game), 87

data at rest, 63

data classification/identification, 44

Data Collector Sets, 215

data in transit, 63

data integrity, 155, 277

data loss, 151–152, 152f

data reconstruction, 153

data storage, 188

database server, 161t, 275–277

Datacenter edition

• Windows Server 2008 R2, 8, 234

• Windows Server 2012 R2, 9

• Windows Server 2016, 9, 235t

• Windows Server 2019, 9, 234, 236–237t

DC. See domain controller

DDoS attack. See distributed denial of service attack

decomposition, 307

decryption keys, 65

default ports, 277

default users, 277

defense in depth, 3, 31

deliverables, 306

demilitarized zone (DMZ), 189, 190f, 203, 333

Deming cycle, 207, 329

denial of service (DoS) attack, 6, 15t, 199, 213, 261

“deny” ACE, 54

deployment domain, 315

design SDL phase, 312

desktop network security, 198

detective controls, 4

developer security training, 315

device driver programs, 20

device security, 182

DHCP Client service program, 240

digital certificates, 80, 81t, 255

direct file or resource access, 261

Directory Service Restore Mode (DSRM), 246, 332

directory services, 29

directory traversal and listing, 271t

disabling programs and services, 238, 240–242, 241f

disaster recovery plan (DRP), 166–168, 214t, 274, 285

disasters, 213

discovery step, 13–14

discovery–analysis–remediation cycle, 13–15, 13f

discretionary access control (DAC), 26

discretionary access control list (DACL), 42, 43f, 44, 46, 54, 57, 210, 211–212, 211t, 212t, 221–222, 222f, 331

disk volume encryption, 67

disposition phase, 308

distributed denial of service (DDoS) attack, 200, 213

DMZ. See demilitarized zone

documentary evidence, 299–300

documented plans, 227

domain admin account, 195

domain controller (DC), 47, 47f, 112–113, 246

domain GPOs, 106, 115

DoS attack. See denial of service attack

DRP. See disaster recovery plan

DSRM. See Directory Service Restore Mode

due diligence, 225–226

DumpEvt utility, 145t

DumpReg utility, 145t

DumpSec utility, 145t

dynamic access control (DAC), 44–45

dynamic code execution, 316

eavesdropping, 198

ECC algorithms. See Elliptic Curve Cryptography algorithms

Effective Access, 54f, 55

EFS. See Encrypting File System

Elliptic Curve Cryptography (ECC) algorithms, 66

email clients, 264–266

• securing, 267t

email server, 274–275

employees, 256t

encapsulating protocol, 254

encrypted data transmission, 76f

Encrypting File System (EFS), 65–66, 68t, 72, 82, 211t, 223, 223f, 267t, 268t, 275, 276, 328

encryption, 209t, 211t, 223–225, 253–255, 271t, 274, 276, 316

encryption tools/technologies

• algorithms, 80

• best practices for, 81–82

• BitLocker, 66–70, 72–74

• BitLocker To Go, 70–72, 74

• in communications, 75–77

• enabling type of, 72–74

• Encrypting File System, 65–66, 72

• protocols, 77–80

• public key infrastructure, 81

• security certificates, 80

• supporting methods, 64–65

End-User License Agreement (EULA), 9–10, 10t

ENISA website. See European Network and Information Security Agency website

Enterprise edition, of Windows Server 2008 R2, 8

Enterprise Resource Planning (ERP) software, 278

entry points, 335

environment network services, securing

• necessary services, 196

• service accounts, 195–196

• service updates, 194–195

environment subsystem, 24t

environmental issues, 152

eradication step in handling incidents, 286t, 295

ERP software. See Enterprise Resource Planning (ERP) software

error detection and alerts service, 22t

error handling, 316

escalation confirmation, 45

Essentials edition

• Windows Server 2008, 234

• Windows Server 2012 R2, 9

• Windows Server 2016, 9, 235t

• Windows Server 2019, 9, 234, 236–237t

EternalBlue, 13

EULA. See End-User License Agreement

European Network and Information Security Agency (ENISA) website, 297

European Union

• General Data Protection Regulation (GDPR), 255

event log, 103t

Event Viewer, 56

events, 284

evidence collection rules, 301

evidence, types of, 299–300

Exabeam, 290

Exchange Server, 274–275

executive (kernel mode program), 24t

exploits, 31

Expression-Based Security Audit Policy, 57

extra-application data access, 262

faulty installation procedure, 318

FCI. See File Classification Infrastructure

FDE. See Full Disk Encryption

Federal Information Security Management Act (FISMA), 255

fiber optic cable, 184t

file authentication, 212t

File Classification Infrastructure (FCI), 44

File History backup option, 156, 157f, 158f

file server, 161t, 187

file system, 103t

• service, 22t

File Transfer Protocol (FTP), 268

file transfer software, 268

files backup, 162

firewalls, 79, 189–190, 201, 203, 213–215, 214t, 244, 333

FISMA. See Federal Information Security Management Act

folder encryption, 66, 72

folders backup, 162

formal testing phase, 308, 313

Foundation edition

• Windows Server 2008 R2, 8

• Windows Server 2012 R2, 9

frequency expectations, 289

FTP. See File Transfer Protocol

Full Disclosure, 14t

Full Disk Encryption (FDE), 70

full interruption test, 176

Full Volume Encryption (FVE), 70

FVE. See Full Volume Encryption

GAN. See global area network

gateway, 187

• and routers, 7

GDPR. See General Data Protection Regulation

General Data Protection Regulation (GDPR), 225, 255

GLBA. See Gramm-Leach-Bliley Act

global area network (GAN), 181

global groups, 60, 335

globally unique identifier (GUIDs), 52–54

gMSA. See group managed service accounts

GNessUs, 137

governance domain, 314

GPMC. See Group Policy Management Console

GPOs. See Group Policy Objects

Gramm-Leach-Bliley Act (GLBA), 225

graphical user interface (GUI), 234

• MBSA using, 129–130, 133f

Greenbone Security Assistant (GSA), 137, 138f

group-based ACLs, 60

group managed service accounts (gMSA), 195

Group Policy, 101, 102, 104f, 243–244, 251, 268–269, 330

• administration, 220–221

• auditing and managing, 119–121

• best practices, 121–122, 122t

• Best Practices Analyzer (BPA), 122t

• deploying, 117–119

• design guidelines, 121–122

• and security policy, 105–106

• security responsibility, 105

• settings, 103–104

• targets, 106

Group Policy Inventory tool (gpinventory.exe), 119–120

Group Policy Management Console (GPMC), 111–112, 111f, 220, 221f, 247, 247f, 269

Group Policy Management Editor, 244, 246f

Group Policy Objects (GPOs), 101, 102, 212, 244, 255, 329, 330

• analyzing effect of, 120–121

• application order, 115

• caching, 102

• categories of settings in, 103t

• on domain controller, 112–113

• linking, 104

• Local Group Policy Editor, 107–109

• order, 106f

• Policies folder, 112, 113f

• in Registry Editor, 109–110

• security filters, 115–116

• types in Active Directory, 110–113

• types in Registry, 107–110

• WMI filters, 116–117

Group Policy Settings Reference, 104, 107, 330

Group Policy Update tool, 117

group security policy objects, 42

groups, 41, 41–42t

GSA. See Greenbone Security Assistant

GUI. See graphical user interface

GUIDs. See globally unique identifier

hackers, 261

hacktivists, 6

HAL. See Hardware Abstraction Layer

hardening, 233

• applications, 262, 332–333

• authentication, 242–244, 255

• communications and remote access, 251–255

• data access and controls, 251

• network infrastructure, 244

• PKI, 255

• process, 233–242

• securing directory information, 245–246

• server computers, 248–250

• user security training and awareness, 255–256

• Windows OS, 247–248, 257, 331–332

• workstation computers, 250–251

Hardware Abstraction Layer (HAL), 24t

hardware errors, 151

harvesting stored data, 263

hash rules, 269

Health Information Technology for Economic and Clinical Health (HITECH) Act, 225

Health Insurance Portability and Accountability Act (HIPAA), 225, 255, 301

heuristics, 92

• based software, 94

HIPAA. See Health Insurance Portability and Accountability Act

HITECH Act. See Health Information Technology for Economic and Clinical Health Act

hot site, 167

HTTP. See Hypertext Transfer Protocol

HTTPS. See Hypertext Transfer Protocol Secure

hub (legacy device), 186

hybrid malware, 91

Hyper-V technology, 174

Hypertext Transfer Protocol (HTTP), 191, 192t, 270

Hypertext Transfer Protocol Secure (HTTPS), 192t, 270

icacls.exe CLI tool, 58t, 59, 59t

IDE. See Integrated Development Environment

identification, 25, 43–44

• baselines, 321, 322

• configuration, 322

• data, 44

• step in handling incidents, 286t, 291–293

• user, 211

identity spoofing, 261

IDS. See intrusion detection system

IEEE. See Institute of Electrical and Electronics Engineers

IIS. See Internet Information Services

implementation phase, 308

• in SDL, 312

inbound rules, 215

incident(s), 284, 335

• classifications, 293, 294t

• data collection and management tools, 298, 299t

• evidence, 299–301

• handling and management tools, 297, 298t

• investigation, 298

• lead on CSIRT, 288t, 293

• reporting form, 292f

• scope, 293

• severity levels, 293, 294t

incident response, 291–296

• handling, 291–296

• plan, 287–291

• tools, 299

information availability, 150

information leakage, 316

information systems security, 3–4

initiation phase, 307

injection attacks, 15t

input and output service, 22t

input validation, 316

installation procedure, 318

Institute of Electrical and Electronics Engineers (IEEE), 183

• 802.11 standard, 183, 185t

integral subsystem, 24t

Integrated Development Environment (IDE), 312

integrity, 4, 5–6, 5f, 77, 210–212, 211t, 212t, 274, 276

intelligence domain, 315

intercept communication, 263

interfaces with other programs, 318

internal network and cloud security, 201–202

• cloud computing, 202

• IPv4 versus IPv6, 202

International Telecommunications Union (ITU-T) standard, 80

Internet backups, 165

Internet-based services, 10t

Internet gateway, 187

Internet Information Services (IIS), 31, 233, 271–272

Internet Key Exchange (IKEv2), 78, 192t, 254

Internet Message Access Protocol 4 (IMAP4), 274

Internet of Things (IoT), 197

Internet Options dialog box, in Internet Explorer 11, 264, 265f

Internet Protocol Security (IPSec), 77, 192, 246, 250, 254, 332

Internet Service Providers (ISPs), 253

interruptions, 213

intrusion detection system (IDS), 214t

intrusion prevention system (IPS), 214t

investigations, 298, 302, 335

IoT. See Internet of Things

IPS. See intrusion prevention system

IPSec. See Internet Protocol Security

IPv4 versus IPv6, 202

ISPs. See Internet Service Providers

IT infrastructure

• domains, 179, 180f

• mapping applications to, 6–9

• sample, 7f

IT liaison on CSIRT, 288t

Itanium edition, of Windows Server 2008 R2, 9

junk filter function, 267t

KDC. See key distribution center

Kerberos, 48, 48f, 193t, 200, 203, 333

• policy, 103t, 244

kernel, 20–21, 20f

• mode drivers/programs, 21, 23, 24t

key distribution center (KDC), 48

L2FP. See Layer 2 Forwarding Protocol

L2TP. See Layer 2 Tunneling Protocol

LAN. See local area network

laptop computer backups, 166

Layer 2 Forwarding Protocol (L2FP), 254

Layer 2 Tunneling Protocol (L2TP), 78, 192t, 254

layered protocols, 193

least privilege user accounts (LUAs), 41

legal representative on CSIRT, 288t, 293

lessons learned step in handling incidents, 286t, 296

LGPO tool, 238

LGPO.zip, 237

lightweight database, 266

limited warranty, 10t

line of business (LOB) software, 278–279

Livedemo, OpenVAS, 137

LOB software. See line of business software

local area network (LAN), 179, 180t

Local Group Policies, 102

Local Group Policy Editor, 107–109, 108–109f, 111

local groups, 60

Local Policy Tool (LPT), 330

local resource, 181

local security identifier, 28t

Local Security Policy maintenance tool, 55

local users and groups section, 27

Locky, 12

log files, 56–57, 209t

logging mode, of RSOP, 120

logical access, 182

logical controls, 4

LPT. See Local Policy Tool

LUAs. See least privilege user accounts

MAC. See mandatory access control; Media Access Control (MAC)

Madison 911 Emergency Services, 6

mail server, 161t

maintenance phase, 308

malformed input, 261

malicious software, 11, 85, 86, 152

• server network security, 201

• workstation network security, 199

malware, 15t, 250, 263, 266–267, 337

• anti-malware software, 91–93

• best practices, 97–98

• maintaining malware-free environment, 93, 95–96

• mitigation techniques, 93–94

• prevention strategies, 98

• protecting against, 85–98

• purpose of, 86–87

• scanning and auditing, 96

• software updation and, 94

• tools and techniques for removing, 96–97

• types of, 87–91

MAN. See metropolitan area network

man-in-the-middle attack, 263

managed service accounts (MSA), 47–48, 195

management role, on CSIRT, 288t

mandatory access control (MAC), 26

mapping applications to IT infrastructure, 6–9

Marriott Starwood hotels incident, 285

maximum password age, setting, 105

maximum privilege mode, 20

MBSA utility. See Microsoft Baseline Security Analyzer utility

mbsacli.exe command, 131, 136t, 145t

Media Access Control (MAC)

• address filtering, 198

media security, backup, 153

media server, 161t

memory-resident kernel code, 20

message digest, 212t

metropolitan area network (MAN), 179, 180t

microkernel architecture, 20, 22, 24t

Microsoft Azure, 278, 279

Microsoft Baseline Security Analyzer (MBSA) utility, 128–136, 145t, 219, 257, 330

• command-line interface for, 131, 134, 135–136f

• graphical user interface (GUI) of, 129–130, 133f

• scan options/results, 134f

Microsoft Exchange Server, 274–275

Microsoft Malicious Software Removal Tool (MSRT), 97

Microsoft Management Console (MMC), 128, 129f

• snap-in, 129f, 195, 196

Microsoft Office 365, 7, 202, 279

Microsoft Office Outlook, 264–266

Microsoft OneDrive, 279

Microsoft Security Assessment Tool (MSAT), 145t

Microsoft Windows, 6–9. See also under Windows

• incident handling and management, 283–302

mitigation, 32

• techniques, malware, 93–94

MMC. See Microsoft Management Console

mobile devices, 7–8, 337

monitor system performance measurements, 209t

monitoring, 215

Morris, Robert, 87, 88

Morris worm, 88

MSA. See managed service accounts

MSAT. See Microsoft Security Assessment Tool

MSRT. See Microsoft Malicious Software Removal Tool

multifactor authentication, 25

multilayered defense, 31–32, 31f

NAC. See network access control

NAS. See Network Attached Storage

NAT. See network address translation

National Cybersecurity and Communication Integration Center (NCCIC), 293

National Vulnerability Database, 14t

natural disasters, 152

NCCIC. See National Cybersecurity and Communication Integration Center

need to know (NTK) basis, 5

Nessus, 137

• Essentials, 139, 140f, 141f

NetChk Protect Limited, 139f

network, 179

network access control (NAC), 251–252

• software, 252t, 332

network address translation (NAT), 189

Network Attached Storage (NAS), 188

network backups, 164–165

network bandwidth, 165

network communication protocols, 192–193t

network data storage, 188

network devices, 7

network entry, 335–336

network file server, 187–188

network infrastructure, hardening, 244

network management tools and policies, 333–334

network print server, 188

network security, 179–181

• best practices, 202–203

• common components, in networks, 182, 183f

• connection media, 182–185

• controls, 181

• environment network services, 194–196

• internal network and cloud security, 201–202

• network connections (wired/wireless), 183–185, 197–198

• networking devices, 185–187

• principles of, 181–190

• protocols and services, 190–194

• server computers and services devices, 187–190

• server security, 200–201

• workstation, 198–200

network traffic filtering, server network security, 201

networking devices, 182, 185–187

• gateway, 187

• hub (legacy device), 186

• router, 186–187

• switch, 186

nmap utility, 249, 250

nodes, 190

non-Microsoft services, 195

nonrepudiation, 77

null security identifier, 28t

object(s), 26, 48–52

• access requests, 54

• DACLs, 211t, 212t

• page, 66f, 73f

• security page, 49f

Office-2016-baseline.zip, 237

Office 365, 7, 202, 279

OneDrive, 279

Open Systems Interconnection (OSI) Reference Model, 190, 191f

Open Vulnerability Assessment System (OpenVAS), 137–138, 138–139f

Open Web Application Security Project (OWASP), 262

OpenVAS. See Open Vulnerability Assessment System

OpenVPN protocol, 254

operating system

• architecture, 22–24

• components, 23f

• general services, 22t

• hardening, 247–248, 257

• service pack administration, 219

operating system security

• access control methods, 26–27

• access rules, 28–29

• active directory, 29–30

• architecture, 22–24

• authentication methods, 25

• components, 19–22

• kernel, 20

• mitigation, 32

• monitoring and maintenance, 32–33

• multilayered defense, 31–32

• security identifier, 28

• workgroups, 29

Orange Book, 40–41

organizational units (OUs), 104, 330

• GPOs, 106, 115

OSI Reference Model. See Open Systems Interconnection Reference Model

OUs. See organizational units

outbound rules, 215

outbound traffic filtering, workstation network security, 199–200

Outlook, 264–266

OWASP. See Open Web Application Security Project

packet sniffing, 15t

PAN. See personal area network

partial security, 210

password, 25

• controls, 209t

• policy, 103t, 211t, 212t, 243

path rules, 269

PDCA process. See Plan-Do-Check-Act process

penetration testing, 319

PerfMon toolset, 214t

performance, 213

• information, 33

• monitoring, 277

Performance Monitor, 215–216

permissions, 28, 42, 60

personal area network (PAN), 181

Phase Identification, 320

Phase Transition, 320

phishing attacks, 15t

physical access controls, 209t, 211–212t

physical and logical access, 182

physical controls, 4, 64, 75

physical security, 209t

PKI. See public key infrastructure

plaintext (unencrypted), 66, 72, 267t

Plan-Do-Check-Act (PDCA) process, 207–208, 208f, 226, 329

planning phase, 307

Point-to-Point Protocol (PPP), 192t, 254

Point-to-Point Tunneling Protocol (PPTP), 79, 192t, 254

Policies folder, in Group Policy Objects, 112, 113f

policy analyzer tool, 238, 239f

PolicyAnalyzer.zip, 237

ports, 191, 194

• scanning, 249, 250

Post Office Protocol version 3 (POP3), 274

powershell.exe, 57

PPP. See Point-to-Point Protocol

PPTP. See Point-to-Point Tunneling Protocol

pre-shared key (PSK) mode, 80

preparation step, in handling incidents, 286t, 291

presentation, 266

preventive controls, 4, 55

primary copy, 151

principle of least privilege, 41–42

print server, 188

printer actions auditing, 147

private data disclosure, 266

privilege escalation, 261

• request, 45, 45f

privileged mode, 23

proactive plan, 208

process table, 20

productivity software, 266–267

• securing, 268t

profiling, 126–128

Program Files folder, 147

program removal, 238, 240–242

program/process management service, 22t

project management, 266

• techniques, 306–307

protocols, 183, 190, 270t, 274

• communication, 185, 190

• encapsulating, 254

• encryption, 77–80

• layered, 193

• network communication, 192–193t

• network security, 190–194

• use of, 268

• wireless, 184, 185t

PSK mode. See pre-shared key mode

public key, 48

• cryptography, 77

public key infrastructure (PKI), 81, 255

public relations representative, on CSIRT, 288t

publisher rules, 269

publishing, 266

pull technology, 102

quality process, 208

query, 275

Quora incident, 285

RA. See registration authority

RADIUS. See Remote Authentication Dial In User Service

RAID. See redundant array of independent disks

ransomware, 11–13, 90, 91t

RBAC. See role based access control

Read/List access auditing, 147

real evidence, 299

Reaper program, 88

recovery keys, 82

recovery plan, 175

recovery step, in handling incidents, 286t, 295–296

recovery time objective (RTO), 155, 175, 327

redundant array of independent disks (RAID), 161

registration authority (RA), 81

Registry, 103t

• GPOs types in, 107–110

Registry Editor, 109, 110f

Registry.pol file, 238

regression testing, 317

release SDL phase, 312

remediation

• cycles, 329

• step, 15

Remote Authentication Dial In User Service (RADIUS), 252–253

remote clients, 336

Remote Group Policy Update, 102

Remote Registry service, 240

remote resources, 181

remote system access, 316

remote users and systems, 335

remote workstations, 199

removable storage device, 70

removing programs and services, 238, 240–242, 241f

repeatable process, 321

replay attack, 200

requirements, SDL phase, 312

response. See also incident response

• framework, 289

• SDL phase, 312

responsibilities, CSIRT communication, 289

restore

• operation, 154

• process, 154–155, 169

• uses, 154

• utilities, 154, 168, 169

• Windows Backup and, 217

Restore All Users’ Files link, 169

Restore My Files button, 169

restricted groups, 103t

Resultant Set of Policy (RSOP) tool, 120

rights, 28, 42

Rights Management Services (RMS), 44

risk, 6

• management plan, 287

RMS. See Rights Management Services

robocopy CLI utility, 59

robocopy.exe, 58t, 59, 60t

role based access control (RBAC), 26

roles, 234, 270, 272–274

rootkits, 89, 91t

router, 186–187

RSOP tool. See Resultant Set of Policy tool

RTO. See recovery time objective

run modes, 23

Salesforce.com, 202

SAN. See Storage Area Network

Sarbanes-Oxley Act (SOX), 225, 255

SAT. See Security Access Token

SCA tool. See Security Configuration and Analysis tool

scanner, 95t

scanning/auditing process, of malware, 96, 97t

schemas, 318

Schneier, Bruce, 226

SCM. See software configuration management

scope of restore operation, 169

scripts, 271t

SCT. See Security Compliance Toolkit

SCW. See Security Configuration Wizard

SDL. See Security Development Lifecycle

SDLC model. See System Development Life Cycle model

secedit.exe, 145t

secondary copy, 151, 153

securable objects, 48

secure accounts for services, 195–196

secure connections, 267t

Secure File Transfer Protocol (SFTP), 268

Secure Hash Algorithm (SHA), 66

secure libraries, 312

Secure Shell (SSH), 192t, 268

Secure Socket Tunneling Protocol (SSTP), 79, 193t, 254, 328

Secure Sockets Layer (SSL), 77, 254

• Transport Layer Security (SSL/TLS), 77, 192t, 254, 265

Secure Software Development Lifecycle (SSDL) touchpoints, 315

Secure Web application connection, 78f

Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption, 265

Security. See also application security; application software security; network security

• awareness programs, 255

• baseline, 126, 330

• certificates, 80, 81t

• controls, 4, 181, 207, 212t, 213, 214t

• exceptions, 312

• filters of GPO, 115–116, 117f

• goals, 227, 228

• guidelines, 228

• incidents, handling, 284–286, 285t

• monitoring, 33. See also operating system security

• options, 103t

• patches, 268t, 277, 319

• policy, 105–106, 227, 284, 330

• procedure, 228

• profiling, 126–128

• protocols and services, 190–194

• responsibility, 105

• standard, 228

• templates, 127, 127f

• vulnerabilities, 14t

Security Access Token (SAT), 28, 44, 44f, 47

security administration, 212t, 331

• anti-malware software, 225

• backup administration, 217–218

• best practices, 228

• cycle, 207–208

• DACL administration, 221–222

• due diligence and regulatory compliance, 225–226

• encryption administration, 223–225

• firewall administration, 213–215

• Group Policy administration, 220–221

• maintaining C-I-A triad, 210–213

• need for security policies/guidelines, 226–228

• OS service pack administration, 219

• overview, 207–210

• performance monitor, 215–216

• tasks, 208–210, 209t

Security and Configuration Analysis (SCA) snap-in, 145t

security audit, 141–144

• tools, 144–146

Security Compliance Toolkit (SCT), 122t, 145t, 237–238, 243

Security Configuration and Analysis (SCA) tool, 127–128, 330

• command-line tool, 128, 132–133f

• snap-in, 128, 129f, 130, 131f, 145t

Security Configuration Wizard (SCW), 128, 331

Security Development Lifecycle (SDL), 312, 313f, 334

security identifiers (SIDs), 28, 28t, 43, 47, 52–54

Security information and event management (SIEM) tools, 14, 33

Security Orchestration, Automation and Response (SOAR) tools, 297

Select Role Services for Web Server (IIS) role, 273, 273f

sensitive data, 63

separation of duties, 318

separator, 270t

server applications, 269–279

server backups, 160–164, 218

server computers, 8–9

• application servers, 188–189

• data storage, 188

• firewalls, 189–190

• hardening, 248–250

• network file server, 187–188

• network print server, 188

• and services devices, 182, 187–190

Server Core, 32

• installation option, 234

Server Manager, 32, 67, 68f

Server Message Block (SMB) protocol, 13

server network security

• authentication and authorization, 200

• malicious software protection, 201

• network traffic filtering, 201

Server Recovery Wizard, 170–171, 170f

servers, types of, 161t

service level agreement (SLA), 167, 202

service pack administration, 219

Service Set Identifier (SSID), 198, 328

service updates/accounts, 194–196

services devices, 182, 187–190

Services Microsoft Management Console (MMC) snap-in, 195, 196

session hijacking and credential reuse, 15t

SHA. See Secure Hash Algorithm

shield, 95t, 96

shielded twisted pair (STP) cable, 184t

SIDs. See security identifiers

SIEM tools. See Security information and event management tools

signature, 92, 93

• based anti-malware tools, 94

• database, 92, 94, 95t

site GPOs, 106, 115

SLA. See service level agreement

smart card, 72

SMB protocol. See Server Message Block protocol

SMEs. See subject matter experts

snap-in, SCA, 128, 129f, 130, 131f

SOAR tools. See Security Orchestration, Automation and Response tools

social engineering, 337

software configuration management (SCM), 321–323

• tools, 323t

software control, 321

software development, 306

• issues with, 320–321

software errors, 151

software license agreement, 9

software project scope, 311t

software requirement analysis, 307

Software Restriction Policies (SRP), 268–269

Software Security Framework (SSF), 314–315, 314f

software security management, 310–313

software testing, 334–335

software updates, 94, 211t, 212t

solid disaster recovery plan, 167

SomarSoft utilities, 145t

source code, OpenVAS, 137

SOX. See Sarbanes-Oxley Act

special Windows object permissions, 52t

spoofing, 261

spreadsheet, 266

sprints, 309

spyware, 89–90, 91t

SQL. See Structured Query Language

SRP. See Software Restriction Policies

SSDL touchpoints. See Secure Software Development Lifecycle touchpoints

SSF. See Software Security Framework

SSH. See Secure Shell

SSID. See Service Set Identifier

SSL. See Secure Sockets Layer

SSTP. See Secure Socket Tunneling Protocol

stakeholders, 227

standalone firewalls, 201

Standard edition

• Windows Server 2008 R2, 8, 234

• Windows Server 2012 R2, 9

• Windows Server 2016, 9, 235t

• Windows Server 2019, 9, 234, 236–237t

Startup type value, 240

Storage Area Network (SAN), 188

STP cable. See shielded twisted pair cable

strong authentication, 277, 278

Structured Query Language (SQL), 276–277

• injection, 15t, 277

• Server, 278

subject, 26

subject matter experts (SMEs), 288t, 293

supervisor mode, 21

switch, 186

symmetric algorithms, 80

symmetric key, 66

system analysis and design, 307–308

system configuration information, 33

System Development Life Cycle (SDLC) model, 306–309, 306f, 311

system rebuilding, 171–173

system services, 103t

system/information engineering and modeling, 307

T-Mobile incident, 285

targets, 106

TDE. See Transparent Data Encryption

team lead on CSIRT, 288t

technical controls, 4

technical security controls, 331

Telnet protocol, 192t

Terminal Access Controller Access-Control System Plus (TACACS+), 253

test scenarios, 317

thick clients, 7

thin clients, 7

threats, 11

time-tested strategy, 39

TLS. See Transport Layer Security

Top 10 Web Application Security Risks, 281

TPM. See Trusted Platform Module

traditional software development management, 309

traffic flow, 182

training, on security development, 312

Transmission Control Protocol/Internet Protocol (TCP/IP) Reference Model, 190, 191, 191f, 192t, 268

Transparent Data Encryption (TDE), 276

Transport Control Protocol (TCP), 244

Transport Layer Security (TLS), 77

Trojan horse, 89, 91t

Truecrypt, 65

Trusted Platform Module (TPM), 67

trusted sites, 264t

trusted source, 81

Tucker, Charles, 6

tunneling, concept of, 253

two-factor authentication (2FA), 25, 200, 328

Type I authentication, 25, 26t

Type II authentication, 25, 26t

Type III authentication, 25, 26t

UAC. See user account control

UDP. See User Datagram Protocol

UML. See Unified Modeling Language

unauthorized users, 4

Unified Modeling Language (UML), 307

uniform resource locator (URL), 270

• individual parts of, 270t

uninstalling programs and services, 238, 240–242, 241f

United States Computer Emergency Readiness Team (US-CERT), 14t, 293

universal groups, 60, 335

universally unique identifier (UUID), 52

unprotected windows share, 15t

unshielded twisted pair (UTP) cable, 184t

unused services, 196

updates, Windows, 10t, 247, 248f, 249f

URL. See uniform resource locator

user account control (UAC), 45–46, 45f

user accounts, 195, 196, 243, 275–276, 277, 278

user actions, 152

user authentication, 199, 211

user authorization, 199, 211

User Configuration category, 108

User Datagram Protocol (UDP), 192t, 253

user identification, 211

user mode, 21

• programs, 23, 24

user rights, 42

• assignment, 103t

user security training and awareness, 255–256, 256t

username (or user ID), 25

UTP cable. See unshielded twisted pair cable

UUID. See universally unique identifier

UUIDGEN.EXE program, 53

vault, 95t

VCSs. See version control systems

Veracrypt, 65

verification SDL phase, 312

version control systems (VCSs), 322–323

virtual appliance, OpenVAS in, 137

virtual images, 165

virtual machines (VMs), 174–175

virtual PC, 174

virtual private networks (VPNs), 79, 79f, 253–255, 268, 328

virtualBox, 174

virtualization, 174–175

virus, 88, 91t

visitor/guest, 255, 256t

Visual Studio, 312, 317

Visual Studio Code, 312

VMs. See virtual machines

VMWare, 174

Volume Shadow Copy Service (VSS), 155

VPNs. See virtual private networks

VSS. See Volume Shadow Copy Service

vulnerabilities

• anatomy of, 11–13

• assessment software package, 137

• identifying, 33

• security, 14t

• testing for, 316

• types of, 182

• Windows threats and, 11–13

WAN. See wide area network

WannaCry, 12–13

warm site, 167

warranty, 10t

wbadmin command, 159, 162

web browsers, 263–269

• securing, 264t

Web edition, of Windows Server 2008 R2, 9

web proxies, 79

web servers, 31, 161t, 270–274

• securing, 271t

WebServ01, 233

WEP. See Wired Equivalent Privacy

Wi-Fi jacking, 196

Wi-Fi Protected Access (WPA), 80, 185, 193t

• WPA3, 80

• WPA/WPA2 encryption, 198

wide area network (WAN), 179, 180t

Windows 10, 8, 22, 122t, 137, 234

• Security Compliance Management, 330

• Version 1809 and Windows Server 2019 Security Baseline.zip, 238

• Version xxxx Security Baseline.zip, 238

Windows 7, 22, 157–160, 217, 217f, 234

Windows 8/8.1, 22, 122t, 129, 156, 234

Windows Backup and Restore, 217, 217f

Windows BitLocker, 251

Windows boot media, 173

Windows clients, 8

Windows computers, securing, 233

Windows Encrypting File System (EFS), 251

Windows Firewall with Advanced Security, 213, 214, 215f, 244, 245f, 246f

Windows Group Policy, 251

Windows High Performance Computing server, 9

Windows Management Instrumentation (WMI) filters, 116–117, 118f, 121, 330

Windows NT code base, 22

Windows OS. See operating system

Windows Performance Monitor, 214t, 215, 216f

Windows Registry backup, 238, 240

Windows Server 2008, 214

Windows Server 2008 R2, 8–9, 22, 234, 272

Windows Server 2012, 9, 22, 57, 102, 129

• default Active Directory security groups, 41–42t

Windows Server 2012 R2, 9

• Security Baseline, 122t, 238

Windows Server 2016, 9, 22

• default Active Directory security groups, 41–42t

• editions and roles, 234, 235–236t

• Security Baseline, 122t

Windows Server 2019, 9, 22, 137

• default Active Directory security groups, 41–42t

• editions and roles, 234, 236–237t, 237

• Security Baseline, 122t

Windows servers, 8–9

• backup utility, 162, 163f, 218, 218f

• backups, 218

• recovery utility, restoring with, 170–171

• Security Compliance Management, 330

Windows services, 191

• maintenance utility, 240, 241f

• properties, 242

• startup options, 197f

Windows Subsystem for Linux (WSL), 137

Windows Update, 247, 248f

• advanced options, 247, 249f

Windows workstation backups, 217

Wired Equivalent Privacy (WEP), 80, 185, 193t, 328

wired network connections, 183, 184t

wireless local area network (WLAN), 183

wireless network connections, 183–185, 185t

wireless networking, securing, 197–198

wireless protocols, 184, 185t

wireless security, 79–80

WLAN. See wireless local area network

WMI filters. See Windows Management Instrumentation filters

WMI Query Language (WQL), 116

word processing, 266

workgroups, 29

• environments, 30

workstation

• backups, 156–160, 217

• computers, hardening, 250–251

• securing, 278

workstation network security, 198–200

• malicious software protection, 199

• outbound traffic filtering, 199–200

• user authorization and authentication, 199

world security identifier, 28t

worms, 12, 88–89, 91t

WPA. See Wi-Fi Protected Access

WQL. See WMI Query Language

WSL. See Windows Subsystem for Linux

X.509 standard, 80

zero-day attack, 94, 96