Defense-in-depth is a proven technique of layered protection that reduces the exposure of vulnerabilities. For example, you might design a network with three layers of packet filtering: a packet-filtering router, a hardware firewall, and software firewalls on each of the hosts (such as Internet Connection Firewall). If an attacker manages to bypass one or two of the layers of protection, the hosts are still protected.
The real benefit of defense-in-depth is its ability to protect against human error. Whereas a single layer of defense is sufficient to protect you under normal circumstances, an administrator who disables the defense during troubleshooting, an accidental misconfiguration, or a newly discovered vulnerability can disable that single layer of defense. Defense-in-depth provides protection even when a single vulnerability exists.
Although most new Windows security features are preventive countermeasures that focus on directly mitigating risk by blocking vulnerabilities from being exploited, your defense-in-depth strategy should also include detective and reactive countermeasures.
Auditing and third-party intrusion-detection systems can help to analyze an attack after the fact, enabling administrators to block future attacks and possibly identify the attacker. Backups and a disaster recovery plan enable you to react to an attack and limit the potential data lost.
