Windows Security Monitoring
Scenarios and Patterns
Paperback by Andrei Miroshnikov
Language: English

€47.35*

incl. VAT

Free shipping by post / DHL

Delivery time 1-2 weeks

Description
Dig deep into the Windows auditing subsystem to monitor for malicious activities and enhance Windows system security

Written by a former Microsoft security program manager, DEFCON "Forensics CTF" village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system's event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful components. Scenario-based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and components, this book provides detailed information on security events generated by the operating system for many common operations such as user account authentication, Active Directory object modifications, local security policy changes, and other activities.

This book is based on the author's experience and the results of his research into Microsoft Windows security monitoring and anomaly detection. It presents the most common scenarios people should be aware of to check for any potentially suspicious activity.

Learn to:
* Implement the Security Logging and Monitoring policy
* Dig into the Windows security auditing subsystem
* Understand the most common monitoring event patterns related to operations and changes in the Microsoft Windows operating system
About the Author

Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference "Forensics CTF" village and has been a speaker at Microsoft's Bluehat security conference. In addition, Andrei is an author of the "Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference" and multiple internal Microsoft security training documents. Among his many professional qualifications, he has earned the (ISC)² CISSP and Microsoft MCSE: Security certifications.

Table of Contents

Introduction xxix

Part I Introduction to Windows Security Monitoring 1

Chapter 1 Windows Security Logging and Monitoring Policy 3

Security Logging 3

Security Logs 4

System Requirements 5

PII and PHI 5

Availability and Protection 5

Configuration Changes 6

Secure Storage 6

Centralized Collection 6

Backup and Retention 7

Periodic Review 7

Security Monitoring 7

Communications 8

Audit Tool and Technologies 8

Network Intrusion Detection Systems 8

Host-based Intrusion Detection Systems 8

System Reviews 9

Reporting 9

Part II Windows Auditing Subsystem 11

Chapter 2 Auditing Subsystem Architecture 13

Legacy Auditing Settings 13

Advanced Auditing Settings 16

Set Advanced Audit Settings via Local Group Policy 18

Set Advanced Audit Settings via Domain Group Policy 19

Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database 19

Read Current LSA Policy Database Advanced Audit Policy Settings 20

Advanced Audit Policies Enforcement and Legacy Policies Rollback 20

Switch from Advanced Audit Settings to Legacy Settings 21

Switch from Legacy Audit Settings to Advanced Settings 22

Windows Auditing Group Policy Settings 22

Manage Auditing and Security Log 22

Generate Security Audits 23

Security Auditing Policy Security Descriptor 23

Group Policy: "Audit: Shut Down System Immediately If Unable to Log Security Audits" 24

Group Policy: Protected Event Logging 25

Group Policy: "Audit: Audit the Use of Backup and Restore Privilege" 25

Group Policy: "Audit: Audit the Access of Global System Objects" 26

Audit the Access of Global System Container Objects 26

Windows Event Log Service: Security Event Log Settings 27

Changing the Maximum Security Event Log File Size 28

Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size 29

Group Policy: Back Up Log Automatically When Full 29

Group Policy: Control the Location of the Log File 30

Security Event Log Security Descriptor 31

Guest and Anonymous Access to the Security Event Log 33

Windows Auditing Architecture 33

Windows Auditing Policy Flow 34

LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route 35

Windows Auditing Event Flow 36

[...] Security Event Flow 37

[...] Security Event Flow 37

Security Event Structure 38

Chapter 3 Auditing Subcategories and Recommendations 47

Account Logon 47

Audit Credential Validation 47

Audit Kerberos Authentication Service 50

Audit Kerberos Service Ticket Operations 53

Audit Other Account Logon Events 54

Account Management 54

Audit Application Group Management 54

Audit Computer Account Management 54

Audit Distribution Group Management 55

Audit Other Account Management Events 56

Audit Security Group Management 57

Audit User Account Management 57

Detailed Tracking 58

Audit DPAPI Activity 58

Audit PNP Activity 58

Audit Process Creation 58

Audit Process Termination 59

Audit RPC Events 59

DS Access 60

Audit Detailed Directory Service Replication 60

Audit Directory Service Access 60

Audit Directory Service Changes 61

Audit Directory Service Replication 61

Logon and Logoff 61

Audit Account Lockout 61

Audit User/Device Claims 62

Audit Group Membership 62

Audit IPsec Extended Mode/Audit IPsec Main Mode/Audit IPsec Quick Mode 63

Audit Logoff 63

Audit Logon 64

Audit Network Policy Server 65

Audit Other Logon/Logoff Events 65

Audit Special Logon 66

Object Access 66

Audit Application Generated 67

Audit Certification Services 67

Audit Detailed File Share 67

Audit File Share 67

Audit File System 68

Audit Filtering Platform Connection 68

Audit Filtering Platform Packet Drop 69

Audit Handle Manipulation 69

Audit Kernel Object 70

Audit Other Object Access Events 71

Audit Registry 71

Audit Removable Storage 72

Audit SAM 72

Audit Central Policy Staging 73

Policy Change 73

Audit Policy Change 73

Audit Authentication Policy Change 74

Audit Authorization Policy Change 74

Audit Filtering Platform Policy Change 75

Audit MPSSVC Rule-Level Policy Change 75

Audit Other Policy Change Events 75

Privilege Use 76

Audit Non Sensitive Privilege Use 76

Audit Other Privilege Use Events 77

Audit Sensitive Privilege Use 77

System 77

Audit IPsec Driver 78

Audit Other System Events 78

Audit Security State Change 78

Audit Security System Extension 79

Audit System Integrity 79

Part III Security Monitoring Scenarios 81

Chapter 4 Account Logon 83

Interactive Logon 85

Successful Local User Account Interactive Logon 85

Step 1: Winlogon Process Initialization 85

Step 1: LSASS Initialization 87

Step 2: Local System Account Logon 88

Step 3: ALPC Communications between Winlogon and LSASS 92

Step 4: Secure Desktop and SAS 92

Step 5: Authentication Data Gathering 92

Step 6: Send Credentials from Winlogon to LSASS 94

Step 7: LSA Server Credentials Flow 95

Step 8: Local User Scenario 96

Step 9: Local User Logon: MSV1_0 Answer 99

Step 10: User Logon Rights Verification 104

Step 11: Security Token Generation 105

Step 12: SSPI Call 105

Step 13: LSASS Replies to Winlogon 105

Step 14: Userinit and [...] 105

Unsuccessful Local User Account Interactive Logon 106

Successful Domain User Account Interactive Logon 110

Steps 1-7: User Logon Process 110

Step 8: Authentication Package Negotiation 110

Step 9: LSA Cache 111

Step 10: Credentials Validation on the Domain Controller 112

Steps 11-16: Logon Process 112

Unsuccessful Domain User Account Interactive Logon 112

RemoteInteractive Logon 112

Successful User Account RemoteInteractive Logon 112

Successful User Account RemoteInteractive Logon Using Cached Credentials 114

Unsuccessful User Account RemoteInteractive Logon - NLA Enabled 115

Unsuccessful User Account RemoteInteractive Logon - NLA Disabled 117

Network Logon 118

Successful User Account Network Logon 118

Unsuccessful User Account Network Logon 120

Unsuccessful User Account Network Logon - NTLM 121

Unsuccessful User Account Network Logon - Kerberos 122

Batch and Service Logon 123

Successful Service / Batch Logon 123

Unsuccessful Service / Batch Logon 125

NetworkCleartext Logon 127

Successful User Account NetworkCleartext Logon - IIS Basic Authentication 127

Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 129

NewCredentials Logon 129

Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type 132

Account Logoff and Session Disconnect 133

Terminal Session Disconnect 134

Special Groups 135

Anonymous Logon 136

Default ANONYMOUS LOGON Logon Session 136

Explicit Use of Anonymous Credentials 138

Use of Account That Has No Network Credentials 139

Computer Account Activity from Non-Domain-Joined Machine 139

Allow Local System to Use Computer Identity for NTLM 140

Chapter 5 Local User Accounts 141

Built-in Local User Accounts 142

Administrator 142

Guest 144

Custom User Account 145

HomeGroupUser[...]

DefaultAccount 146

Built-in Local User Accounts Monitoring Scenarios 146

New Local User Account Creation 146

Successful Local User Account Creation 147

Unsuccessful Local User Account Creation: Access Denied 164

Unsuccessful Local User Account Creation: Other 165

Monitoring Scenarios: Local User Account Creation 166

Local User Account Deletion 168

Successful Local User Account Deletion 169

Unsuccessful Local User Account Deletion - Access Denied 173

Unsuccessful Local User Account Deletion - Other 175

Monitoring Scenarios: Local User Account Deletion 176

Local User Account Password Modification 177

Successful Local User Account Password Reset 178

Unsuccessful Local User Account Password Reset - Access Denied 179

Unsuccessful Local User Account Password Reset - Other 180

Monitoring Scenarios: Password Reset 181

Successful Local User Account Password Change 182

Unsuccessful Local User Account Password Change 183

Monitoring Scenarios: Password Change 184

Local User Account Enabled/Disabled 184

Local User Account Was Enabled 184

Local User Account Was Disabled 186

Monitoring Scenarios: Account Enabled/Disabled 186

Local User Account Lockout Events 187

Local User Account Lockout 188

Local User Account Unlock 190

Monitoring Scenarios: Account Enabled/Disabled 191

Local User Account Change Events 191

Local User Account Change Event 192

Local User Account Name Change Event 196

Monitoring Scenarios: Account Changes 198

Blank Password Existence Validation 199

Chapter 6 Local Security Groups 201

Built-in Local Security Groups 203

Access Control Assistance Operators 205

Administrators 205

Backup Operators 205

Certificate Service DCOM Access 205

Cryptographic...

Details
Year of publication: 2018
Subject area: Data communication, networks & mailboxes
Genre: Computer science
Category: Natural sciences & technology
Medium: Paperback
Contents: 648 pp.
ISBN-13: 9781119390640
ISBN-10: 1119390648
Language: English
Binding: Paperback / softcover
Author: Miroshnikov, Andrei
Publisher: John Wiley & Sons
John Wiley & Sons Inc
Dimensions: 233 x 190 x 35 mm
By: Andrei Miroshnikov
Publication date: 22.06.2018
Weight: 1.135 kg
Item ID: 109127014