Mark Minasi - Administering Windows Vista Security: The Big Surprises

In June 2006, I was sitting in a session on Windows Vista security at Microsoft's TechEd, and heard some things that made my head explode. (But in a good way. Kind of. I'll explain more in a minute.) What I learned impelled me to write this book, because on the one hand I believe that these new technologies will ultimately make your job as an administrator easier, and that's good, but on the other hand, some of them are so new that it may cause some techies to shy away from rolling out Vista, and that'd be a shame, as Vista seems to me to be a significantly more secure operating system than its forebears. It's my hope that by making Vista's new security concepts easy to understand, you'll choose to use it earlier, and end up with a more secure network sooner. In laying this book out, my goal was to create a book that was short, readable, hands-on where possible, and focused on the stuff that doesn't get much coveragebut should. More specifically:

• First, while this book covers security-related issues, it's aimed not just at security experts, but instead at the broader audience of admins and the IT professional population in general. Security experts already know what SeChangeNotifyPrivilege is and why anyone cares, but I think most admins will have perhaps seen something like it without having the time to find out more about it. Similarly, I think that many admins have heard of DACEs versus SACEs, but don't understand them well enough to understand the true import of tools like the new Windows integrity mechanism. In cases like that, you'll get some quick background and review on the pre-Vista security situation in Windows. The security experts in the crowd can, of course, just skip past those sections, as they're brief.

• Second, the book explains in some detail the eight things that bring significant structural changes to Windows that will make life much more difficult for the dirtbags who are trying to attack our privacy or our wallets, but that aren't nearly as well-known as the new Explorer, or the new Windows image file format.

• Third, this book covers those topics in a readable, practical sense; we'll start out with the big concepts and, where possible, end up with practical examplesthings you can try out right on your system. I find high-level presentations about integral, this-could-break-something security technologies frustrating because if I can't see it, I have trouble understanding it. This book offers step-by-step demonstrations of the new security technologies where possible and, in case they do break something, I'll show you how to turn them off or partially disable them. I don't recommend doing that, but if you have to, you have to, and I want you to be able to do that as quickly as possible!

• Finally, we wanted to keep the book small so that we could get it out the door and into your hands around the time that Microsoft releases Vista or, if we're lucky, a bit earlier. To that end, this isn't about every single Vista security technologythat'd be a big book!it's just a closely focused explanation of the big "paradigm shifters," the cranialinfarction-causing new technologies.

But I couldn't get it all done by myself because, as I just mentioned, I wanted to get this book out fairly early and keep it relatively short so that overworked admins (yeah, I know, "overworked admins" is a horribly redundant phrase) could get through it quickly while trying to figure out their Vista deployment plans. The short time frame meant that I wouldn't have time to write the whole thing, so I enlisted the aid of some folks who are extremely smart about both security and Vista.

In the rest of this introduction, I'll explain more about why I think these new security features are so important, what we'll cover in the book, and introduce the other authors.