Don't let paranoia disrupt business goals (and vice versa). Many of the specific
recommendations we make in this book are fairly restrictive. That's our nature: we've
seen the damage less restrictive policies can do. However, these are still just
recommendations. We recognize the technical and political realities you will face in
attempting to implement these recommendations. The goal of this book is to arm you
with the right information to make a persuasive case for the more restrictive stance,
knowing that you may not win all the arguments. Pick your battles, and win the ones
that matter.
Realize that Technology Will Not Protect You from Social Attacks
This book is targeted mainly at technology-driven attacks: software exploits that require
a computer and technical skills to implement. However, some of the most damaging
attacks we have seen and heard of do not involve technology at all. So-called social
engineering uses human-to-human trickery and misdirection to gain unauthorized access
to data. The information in this book can protect you only at the level of bits and bytes;
it will not protect you from social attacks that circumvent those bits and bytes entirely.
Educate yourself about common social engineering tactics like phishing, and educate your organization through good
communication and training.
Learn Your Platforms and Applications Better than the Enemy
This book is designed to convey a holistic view of Windows security, not just a
"script-kiddie" checklist of configuration settings that will render you bulletproof. We hope that
by the end of the book you will have a greater appreciation of the Windows security
architecture, where it breaks down, and best practices to mitigate the risk when it does.
We also hope these practices will prove timeless and will prepare you for whatever is
coming down the pike in the next version of Windows, as well as from the hacking
community.
There Is No Perfect Solution: Risk Management Is the Key
Posted by The Beyand | 3:13 AM