€47.35*
Free shipping by post / DHL
Delivery time 1-2 weeks
Written by a former Microsoft security program manager, DEFCON "Forensics CTF" village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system's event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful components. Scenario-based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and components, this book provides detailed information on security events generated by the operating system for many common operations such as user account authentication, Active Directory object modifications, local security policy changes, and other activities.
This book is based on the author's experience and the results of his research into Microsoft Windows security monitoring and anomaly detection. It presents the most common scenarios people should be aware of to check for any potentially suspicious activity.
Learn to:
* Implement the Security Logging and Monitoring policy
* Dig into the Windows security auditing subsystem
* Understand the most common monitoring event patterns related to operations and changes in the Microsoft Windows operating system
About the Author
Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference "Forensics CTF" village and has been a speaker at Microsoft's Bluehat security conference. In addition, Andrei is an author of the "Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference" and multiple internal Microsoft security training documents. Among his many professional qualifications, he has earned the (ISC)² CISSP and Microsoft MCSE: Security certifications.
Introduction xxix
Part I Introduction to Windows Security Monitoring 1
Chapter 1 Windows Security Logging and Monitoring Policy 3
Security Logging 3
Security Logs 4
System Requirements 5
PII and PHI 5
Availability and Protection 5
Configuration Changes 6
Secure Storage 6
Centralized Collection 6
Backup and Retention 7
Periodic Review 7
Security Monitoring 7
Communications 8
Audit Tool and Technologies 8
Network Intrusion Detection Systems 8
Host-based Intrusion Detection Systems 8
System Reviews 9
Reporting 9
Part II Windows Auditing Subsystem 11
Chapter 2 Auditing Subsystem Architecture 13
Legacy Auditing Settings 13
Advanced Auditing Settings 16
Set Advanced Audit Settings via Local Group Policy 18
Set Advanced Audit Settings via Domain Group Policy 19
Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database 19
Read Current LSA Policy Database Advanced Audit Policy Settings 20
Advanced Audit Policies Enforcement and Legacy Policies Rollback 20
Switch from Advanced Audit Settings to Legacy Settings 21
Switch from Legacy Audit Settings to Advanced Settings 22
Windows Auditing Group Policy Settings 22
Manage Auditing and Security Log 22
Generate Security Audits 23
Security Auditing Policy Security Descriptor 23
Group Policy: "Audit: Shut Down System Immediately If Unable to Log Security Audits" 24
Group Policy: Protected Event Logging 25
Group Policy: "Audit: Audit the Use of Backup and Restore Privilege" 25
Group Policy: "Audit: Audit the Access of Global System Objects" 26
Audit the Access of Global System Container Objects 26
Windows Event Log Service: Security Event Log Settings 27
Changing the Maximum Security Event Log File Size 28
Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size 29
Group Policy: Back Up Log Automatically When Full 29
Group Policy: Control the Location of the Log File 30
Security Event Log Security Descriptor 31
Guest and Anonymous Access to the Security Event Log 33
Windows Auditing Architecture 33
Windows Auditing Policy Flow 34
LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route 35
Windows Auditing Event Flow 36
[...] Security Event Flow 37
[...] Security Event Flow 37
Security Event Structure 38
Chapter 3 Auditing Subcategories and Recommendations 47
Account Logon 47
Audit Credential Validation 47
Audit Kerberos Authentication Service 50
Audit Kerberos Service Ticket Operations 53
Audit Other Account Logon Events 54
Account Management 54
Audit Application Group Management 54
Audit Computer Account Management 54
Audit Distribution Group Management 55
Audit Other Account Management Events 56
Audit Security Group Management 57
Audit User Account Management 57
Detailed Tracking 58
Audit DPAPI Activity 58
Audit PNP Activity 58
Audit Process Creation 58
Audit Process Termination 59
Audit RPC Events 59
DS Access 60
Audit Detailed Directory Service Replication 60
Audit Directory Service Access 60
Audit Directory Service Changes 61
Audit Directory Service Replication 61
Logon and Logoff 61
Audit Account Lockout 61
Audit User/Device Claims 62
Audit Group Membership 62
Audit IPsec Extended Mode/Audit IPsec Main Mode/Audit IPsec Quick Mode 63
Audit Logoff 63
Audit Logon 64
Audit Network Policy Server 65
Audit Other Logon/Logoff Events 65
Audit Special Logon 66
Object Access 66
Audit Application Generated 67
Audit Certification Services 67
Audit Detailed File Share 67
Audit File Share 67
Audit File System 68
Audit Filtering Platform Connection 68
Audit Filtering Platform Packet Drop 69
Audit Handle Manipulation 69
Audit Kernel Object 70
Audit Other Object Access Events 71
Audit Registry 71
Audit Removable Storage 72
Audit SAM 72
Audit Central Policy Staging 73
Policy Change 73
Audit Policy Change 73
Audit Authentication Policy Change 74
Audit Authorization Policy Change 74
Audit Filtering Platform Policy Change 75
Audit MPSSVC Rule-Level Policy Change 75
Audit Other Policy Change Events 75
Privilege Use 76
Audit Non Sensitive Privilege Use 76
Audit Other Privilege Use Events 77
Audit Sensitive Privilege Use 77
System 77
Audit IPsec Driver 78
Audit Other System Events 78
Audit Security State Change 78
Audit Security System Extension 79
Audit System Integrity 79
Part III Security Monitoring Scenarios 81
Chapter 4 Account Logon 83
Interactive Logon 85
Successful Local User Account Interactive Logon 85
Step 1: Winlogon Process Initialization 85
Step 1: LSASS Initialization 87
Step 2: Local System Account Logon 88
Step 3: ALPC Communications between Winlogon and LSASS 92
Step 4: Secure Desktop and SAS 92
Step 5: Authentication Data Gathering 92
Step 6: Send Credentials from Winlogon to LSASS 94
Step 7: LSA Server Credentials Flow 95
Step 8: Local User Scenario 96
Step 9: Local User Logon: MSV1_0 Answer 99
Step 10: User Logon Rights Verification 104
Step 11: Security Token Generation 105
Step 12: SSPI Call 105
Step 13: LSASS Replies to Winlogon 105
Step 14: Userinit and [...] 105
Unsuccessful Local User Account Interactive Logon 106
Successful Domain User Account Interactive Logon 110
Steps 1-7: User Logon Process 110
Step 8: Authentication Package Negotiation 110
Step 9: LSA Cache 111
Step 10: Credentials Validation on the Domain Controller 112
Steps 11-16: Logon Process 112
Unsuccessful Domain User Account Interactive Logon 112
RemoteInteractive Logon 112
Successful User Account RemoteInteractive Logon 112
Successful User Account RemoteInteractive Logon Using Cached Credentials 114
Unsuccessful User Account RemoteInteractive Logon - NLA Enabled 115
Unsuccessful User Account RemoteInteractive Logon - NLA Disabled 117
Network Logon 118
Successful User Account Network Logon 118
Unsuccessful User Account Network Logon 120
Unsuccessful User Account Network Logon - NTLM 121
Unsuccessful User Account Network Logon - Kerberos 122
Batch and Service Logon 123
Successful Service / Batch Logon 123
Unsuccessful Service / Batch Logon 125
NetworkCleartext Logon 127
Successful User Account NetworkCleartext Logon - IIS Basic Authentication 127
Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 129
NewCredentials Logon 129
Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type 132
Account Logoff and Session Disconnect 133
Terminal Session Disconnect 134
Special Groups 135
Anonymous Logon 136
Default ANONYMOUS LOGON Logon Session 136
Explicit Use of Anonymous Credentials 138
Use of Account That Has No Network Credentials 139
Computer Account Activity from Non-Domain-Joined Machine 139
Allow Local System to Use Computer Identity for NTLM 140
Chapter 5 Local User Accounts 141
Built-in Local User Accounts 142
Administrator 142
Guest 144
Custom User Account 145
HomeGroupUser[...]
DefaultAccount 146
Built-in Local User Accounts Monitoring Scenarios 146
New Local User Account Creation 146
Successful Local User Account Creation 147
Unsuccessful Local User Account Creation: Access Denied 164
Unsuccessful Local User Account Creation: Other 165
Monitoring Scenarios: Local User Account Creation 166
Local User Account Deletion 168
Successful Local User Account Deletion 169
Unsuccessful Local User Account Deletion - Access Denied 173
Unsuccessful Local User Account Deletion - Other 175
Monitoring Scenarios: Local User Account Deletion 176
Local User Account Password Modification 177
Successful Local User Account Password Reset 178
Unsuccessful Local User Account Password Reset - Access Denied 179
Unsuccessful Local User Account Password Reset - Other 180
Monitoring Scenarios: Password Reset 181
Successful Local User Account Password Change 182
Unsuccessful Local User Account Password Change 183
Monitoring Scenarios: Password Change 184
Local User Account Enabled/Disabled 184
Local User Account Was Enabled 184
Local User Account Was Disabled 186
Monitoring Scenarios: Account Enabled/Disabled 186
Local User Account Lockout Events 187
Local User Account Lockout 188
Local User Account Unlock 190
Monitoring Scenarios: Account Enabled/Disabled 191
Local User Account Change Events 191
Local User Account Change Event 192
Local User Account Name Change Event 196
Monitoring Scenarios: Account Changes 198
Blank Password Existence Validation 199
Chapter 6 Local Security Groups 201
Built-in Local Security Groups 203
Access Control Assistance Operators 205
Administrators 205
Backup Operators 205
Certificate Service DCOM Access 205
Cryptographic...
| Year of publication: | 2018 |
|---|---|
| Subject area: | Data communication, networks & mailboxes |
| Genre: | Computer science |
| Category: | Natural sciences & technology |
| Medium: | Paperback |
| Contents: | 648 pp. |
| ISBN-13: | 9781119390640 |
| ISBN-10: | 1119390648 |
| Language: | English |
| Binding: | Paperback / softcover |
| Author: | Miroshnikov, Andrei |
| Publisher: | John Wiley & Sons / John Wiley & Sons Inc |
| Dimensions: | 233 x 190 x 35 mm |
| By: | Andrei Miroshnikov |
| Publication date: | 22.06.2018 |
| Weight: | 1.135 kg |