Windows Security Monitoring: Scenarios and Patterns, 1st Edition, by Andrei Miroshnikov

Product details:
ISBN 10: 1119390648
ISBN 13: 978-1119390640
Author: Andrei Miroshnikov
Dig deep into the Windows auditing subsystem to monitor for malicious activities and enhance Windows system security
Written by a former Microsoft security program manager, DEFCON “Forensics CTF” village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system's event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems so you can use the full capabilities of these components. Scenario-based instruction clearly illustrates how these events unfold in practice. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and its components, the book provides detailed information on the security events the operating system generates for common operations such as user account authentication, Active Directory object modifications, local security policy changes, and other activities.
This book is based on the author's experience and the results of his research into Microsoft Windows security monitoring and anomaly detection. It presents the most common scenarios practitioners should be aware of when checking for potentially suspicious activity.
Learn to:
- Implement the Security Logging and Monitoring policy
- Dig into the Windows security auditing subsystem
- Understand the most common monitoring event patterns related to operations and changes in the Microsoft Windows operating system
About the Author
Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference “Forensics CTF” village and has been a speaker at Microsoft's BlueHat security conference. In addition, Andrei is an author of the “Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference” and multiple internal Microsoft security training documents. Among his professional qualifications, he holds the (ISC)² CISSP and Microsoft MCSE: Security certifications.
Table of Contents:
Part I Introduction to Windows Security Monitoring
Chapter 1 Windows Security Logging and Monitoring Policy
Security Logging
Security Logs
System Requirements
PII and PHI
Availability and Protection
Configuration Changes
Secure Storage
Centralized Collection
Backup and Retention
Periodic Review
Security Monitoring
Communications
Audit Tool and Technologies
Network Intrusion Detection Systems
Host-based Intrusion Detection Systems
System Reviews
Reporting
Part II Windows Auditing Subsystem
Chapter 2 Auditing Subsystem Architecture
Legacy Auditing Settings
Advanced Auditing Settings
Set Advanced Audit Settings via Local Group Policy
Set Advanced Audit Settings via Domain Group Policy
Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database
Read Current LSA Policy Database Advanced Audit Policy Settings
Advanced Audit Policies Enforcement and Legacy Policies Rollback
Switch from Advanced Audit Settings to Legacy Settings
Switch from Legacy Audit Settings to Advanced Settings
Windows Auditing Group Policy Settings
Manage Auditing and Security Log
Generate Security Audits
Security Auditing Policy Security Descriptor
Group Policy: “Audit: Shut Down System Immediately If Unable to Log Security Audits”
Group Policy: Protected Event Logging
Group Policy: “Audit: Audit the Use of Backup and Restore Privilege”
Group Policy: “Audit: Audit the Access of Global System Objects”
Audit the Access of Global System Container Objects
Windows Event Log Service: Security Event Log Settings
Changing the Maximum Security Event Log File Size
Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size
Group Policy: Back Up Log Automatically When Full
Group Policy: Control the Location of the Log File
Security Event Log Security Descriptor
Guest and Anonymous Access to the Security Event Log
Windows Auditing Architecture
Windows Auditing Policy Flow
LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route
Windows Auditing Event Flow
LSASS.EXE Security Event Flow
NTOSKRNL.EXE Security Event Flow
Security Event Structure
Chapter 3 Auditing Subcategories and Recommendations
Account Logon
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Account Management
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Detailed Tracking
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
DS Access
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Logon and Logoff
Audit Account Lockout
Audit User/Device Claims
Audit Group Membership
Audit IPsec Extended Mode / Audit IPsec Main Mode / Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Object Access
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Policy Staging
Policy Change
Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Privilege Use
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit Sensitive Privilege Use
System
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Part III Security Monitoring Scenarios
Chapter 4 Account Logon
Interactive Logon
Successful Local User Account Interactive Logon
Step 1: Winlogon Process Initialization
Step 1: LSASS Initialization
Step 2: Local System Account Logon
Step 3: ALPC Communications between Winlogon and LSASS
Step 4: Secure Desktop and SAS
Step 5: Authentication Data Gathering
Step 6: Send Credentials from Winlogon to LSASS
Step 7: LSA Server Credentials Flow
Step 8: Local User Scenario
Step 9: Local User Logon: MSV1_0 Answer
Step 10: User Logon Rights Verification
Step 11: Security Token Generation
Step 12: SSPI Call
Step 13: LSASS Replies to Winlogon
Step 14: Userinit and Explorer.exe
Unsuccessful Local User Account Interactive Logon
Successful Domain User Account Interactive Logon
Steps 1–7: User Logon Process
Step 8: Authentication Package Negotiation
Step 9: LSA Cache
Step 10: Credentials Validation on the Domain Controller
Steps 11–16: Logon Process
Unsuccessful Domain User Account Interactive Logon
RemoteInteractive Logon
Successful User Account RemoteInteractive Logon
Successful User Account RemoteInteractive Logon Using Cached Credentials
Unsuccessful User Account RemoteInteractive Logon – NLA Enabled
Unsuccessful User Account RemoteInteractive Logon – NLA Disabled
Network Logon
Successful User Account Network Logon
Unsuccessful User Account Network Logon
Unsuccessful User Account Network Logon – NTLM
Unsuccessful User Account Network Logon – Kerberos
Batch and Service Logon
Successful Service / Batch Logon
Unsuccessful Service / Batch Logon
NetworkCleartext Logon
Successful User Account NetworkCleartext Logon – IIS Basic Authentication
Unsuccessful User Account NetworkCleartext Logon – IIS Basic Authentication
NewCredentials Logon
Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type
Account Logoff and Session Disconnect
Terminal Session Disconnect
Special Groups
Anonymous Logon
Default ANONYMOUS LOGON Logon Session
Explicit Use of Anonymous Credentials
Use of Account That Has No Network Credentials
Computer Account Activity from Non-Domain-Joined Machine
Allow Local System to Use Computer Identity for NTLM
Chapter 5 Local User Accounts
Built-in Local User Accounts
Administrator
Guest
Custom User Account
HomeGroupUser$
DefaultAccount
Built-in Local User Accounts Monitoring Scenarios
New Local User Account Creation
Successful Local User Account Creation
Unsuccessful Local User Account Creation: Access Denied
Unsuccessful Local User Account Creation: Other
Monitoring Scenarios: Local User Account Creation
Local User Account Deletion
Successful Local User Account Deletion
Unsuccessful Local User Account Deletion – Access Denied
Unsuccessful Local User Account Deletion – Other
Monitoring Scenarios: Local User Account Deletion
Local User Account Password Modification
Successful Local User Account Password Reset
Unsuccessful Local User Account Password Reset – Access Denied
Unsuccessful Local User Account Password Reset – Other
Monitoring Scenarios: Password Reset
Successful Local User Account Password Change
Unsuccessful Local User Account Password Change
Monitoring Scenarios: Password Change
Local User Account Enabled/Disabled
Local User Account Was Enabled
Local User Account Was Disabled
Monitoring Scenarios: Account Enabled/Disabled
Local User Account Lockout Events
Local User Account Lockout
Local User Account Unlock
Monitoring Scenarios: Account Enabled/Disabled
Local User Account Change Events
Local User Account Change Event
Local User Account Name Change Event
Monitoring Scenarios: Account Changes
Blank Password Existence Validation
Chapter 6 Local Security Groups
Built-in Local Security Groups
Access Control Assistance Operators
Administrators
Backup Operators
Certificate Service DCOM Access
Cryptographic Operators
Distributed COM Users
Event Log Readers
Guests
Hyper-V Administrators
IIS_IUSRS
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Power Users
Print Operators
Remote Desktop Users
Remote Management Users
Replicator
Storage Replica Administrators
System Managed Accounts Group
Users
WinRMRemoteWMIUsers
Built-in Local Security Groups Monitoring Scenarios
Local Security Group Creation
Successful Local Security Group Creation
Unsuccessful Local Security Group Creation – Access Denied
Monitoring Scenarios: Local Security Group Creation
Local Security Group Deletion
Successful Local Security Group Deletion
Unsuccessful Local Security Group Deletion – Access Denied
Unsuccessful Local Security Group Deletion – Other
Monitoring Scenarios: Local Security Group Deletion
Local Security Group Change
Successful Local Security Group Change
Unsuccessful Local Security Group Change – Access Denied
Monitoring Scenarios: Local Security Group Change
Local Security Group Membership Operations
Successful New Local Group Member Add Operation
Successful Local Group Member Remove Operation
Unsuccessful Local Group Member Remove/Add Operation – Access Denied
Monitoring Scenarios: Local Security Group Members Changes
Local Security Group Membership Enumeration
Monitoring Scenarios: Local Security Group Membership Enumeration
Chapter 7 Microsoft Active Directory
Active Directory Built-in Security Groups
Administrators
Account Operators
Incoming Forest Trust Builders
Pre-Windows 2000 Compatible Access
Server Operators
Terminal Server License Servers
Windows Authorization Access
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Cert Publishers
DnsAdmins
RAS and IAS Servers
Cloneable Domain Controllers
DnsUpdateProxy
Domain Admins
Domain Computers
Domain Controllers
Domain Users
Group Policy Creator Owners
Protected Users
Read-Only Domain Controllers
Enterprise Read-Only Domain Controllers
Enterprise Admins
Schema Admins
Built-in Active Directory Accounts
Administrator
Chapter 8 Active Directory Objects
Active Directory Object SACL
Child Object Creation and Deletion Permissions
Extended Rights
Validated Writes
Chapter 9 Authentication Protocols
NTLM-family Protocols
Challenge-Response Basics
LAN Manager
LM Hash
Chapter 10 Operating System Events
System Startup/Shutdown
Successful Normal System Shutdown
Unsuccessful Normal System Shutdown – Access Denied
Chapter 11 Logon Rights and User Privileges
Logon Rights
Logon Rights Policy Modification
Logon Rights Policy Settings – Member Added
Logon Rights Policy Settings – Member Removed
Unsuccessful Logons Due to Lack of Logon Rights
User Privileges
User Privileges Policy Modification
User Privileges Policy Settings – Member Added
User Privileges Policy Settings – Member Removed
Special User Privileges Assigned at Logon Time
Logon Session User Privileges Operations
Privilege Use
Successful Call of a Privileged Service
Unsuccessful Call of a Privileged Service
Successful Operation with a Privileged Object
Unsuccessful Operation with a Privileged Object
Backup and Restore Privilege Use Auditing
Chapter 12 Windows Applications
New Application Installation
Application Installation Using Windows Installer
Application Removal Using Windows Installer
Chapter 13 Filesystem and Removable Storage
Windows Filesystem
NTFS Security Descriptors
Inheritance
Chapter 14 Windows Registry
Windows Registry Basics
Registry Key Permissions
Registry Operations Auditing
Chapter 15 Network File Shares and Named Pipes
Network File Shares
Network File Share Access Permissions
File Share Creation
Appendix A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options
Appendix B Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes
Appendix C SDDL Access Rights
Object-Specific Access Rights
Index