Book Review: Windows Server 2003 Security: A Technical Reference

Windows Server 2003 Security: A Technical Reference, $54.99
by Roberta Bragg
Addison-Wesley, 2005
1188 pages
ISBN 0321305019
http://www.amazon.com/exec/obidos/ASIN/0321305019/larkware-20

My old friend (and former business partner) Ken Getz recently posted a cautionary tale about the bad things that can happen when well-meaning developers start messing around with Windows Server 2003 security. While Ken is right that you ought to get professional help before touching this stuff, the fact of the matter is that a whole lot of us developers have little choice but to maintain our own server security, whether for public servers or just in our own little sandboxes. If you're in that situation, this monster two-volume work would be a good addition to your bookshelf.

There are, of course, any number of Knowledge Base articles and help topics covering Windows security - but the essential ingredient that Roberta brings to this book is organization. She's been doing this security stuff for a long, long time, so not only does she have a good grasp of all the little byways of the field, she has a good structure to place them all in. Starting with a chapter on the principles of information security, she moves from securing the server itself (authentication and authorization) through securing domain services (lots of Active Directory and Group Policy here) and public key infrastructure, and on into securing a virtual network, maintenance strategies, backup and restore, monitoring, and auditing.

You need to realize, of course, that this is a reference work, not a manual to follow from front to back. Part of security is figuring out which things to secure now, and which you can safely leave for a little bit. One of the great strengths of this book is that Roberta discusses pros and cons throughout, and points out the potential pitfalls of various lockdown techniques. The way to use this book is to skim through it when you get a copy so that you know what it covers, and then keep it close to hand. When you're ready to make sure your PKI is secure, for example, that's the time to read the PKI section in depth, understand its recommendations, and act on them. If maintaining Windows Server 2003 machines isn't your full-time job, but you do have to mess with their security settings once in a while, having this book around can potentially save you a whole lot of grief.