book

Windows Security Internals

by James Forshaw

April 2024

Intermediate to advanced

608 pages

17h 13m

English

No Starch Press

Read now

Unlock full access

Who Is This Book For?What Is in This Book?PowerShell Conventions Used in This BookGetting in Touch
Choosing a PowerShell VersionConfiguring PowerShellAn Overview of the PowerShell LanguageUnderstanding Types, Variables, and ExpressionsExecuting CommandsDiscovering Commands and Getting HelpDefining FunctionsDisplaying and Manipulating ObjectsFiltering, Ordering, and Grouping ObjectsExporting DataWrapping Up
The Windows Kernel ExecutiveThe Security Reference MonitorThe Object ManagerObject TypesThe Object Manager NamespaceSystem CallsNTSTATUS CodesObject HandlesQuery and Set Information System CallsThe Input/Output ManagerThe Process and Thread ManagerThe Memory ManagerNtVirtualMemory CommandsSection ObjectsCode IntegrityAdvanced Local Procedure CallThe Configuration ManagerWorked ExamplesFinding Open Handles by NameFinding Shared ObjectsModifying a Mapped SectionFinding Writable and Executable MemoryWrapping Up

Win32 and the User-Mode Windows APIsLoading a New LibraryViewing Imported APIsSearching for DLLsThe Win32 GUIGUI Kernel ResourcesWindow MessagesConsole SessionsComparing Win32 APIs and System CallsWin32 Registry PathsOpening KeysListing the Registry’s ContentsDOS Device PathsPath TypesMaximum Path LengthsProcess CreationCommand Line ParsingShell APIsSystem ProcessesThe Session ManagerThe Windows Logon ProcessThe Local Security Authority SubsystemThe Service Control ManagerWorked ExamplesFinding Executables That Import Specific APIsFinding Hidden Registry Keys or ValuesWrapping Up
Primary TokensImpersonation TokensSecurity Quality of ServiceExplicit Token ImpersonationConverting Between Token TypesPseudo Token HandlesToken GroupsEnabled, EnabledByDefault, and MandatoryLogonIdOwnerUseForDenyOnlyIntegrity and IntegrityEnabledResourceDevice GroupsPrivilegesSandbox TokensRestricted TokensWrite-Restricted TokensAppContainer and Lowbox TokensWhat Makes an Administrator User?User Account ControlLinked Tokens and Elevation TypeUI AccessVirtualizationSecurity AttributesCreating TokensToken AssignmentAssigning a Primary TokenAssigning an Impersonation TokenWorked ExamplesFinding UI Access ProcessesFinding Token Handles to ImpersonateRemoving Administrator PrivilegesWrapping Up
The Structure of a Security DescriptorThe Structure of a SIDAbsolute and Relative Security DescriptorsAccess Control List Headers and EntriesThe HeaderThe ACE ListConstructing and Manipulating Security DescriptorsCreating a New Security DescriptorOrdering the ACEsFormatting Security DescriptorsConverting to and from a Relative Security DescriptorThe Security Descriptor Definition LanguageWorked ExamplesManually Parsing a Binary SIDEnumerating SIDsWrapping Up
Reading Security DescriptorsAssigning Security DescriptorsAssigning a Security Descriptor During Resource CreationAssigning a Security Descriptor to an Existing ResourceWin32 Security APIsServer Security Descriptors and Compound ACEsA Summary of Inheritance BehaviorWorked ExamplesFinding Object Manager Resource OwnersChanging the Ownership of a ResourceWrapping Up
Running an Access CheckKernel-Mode Access ChecksUser-Mode Access ChecksThe Get-NtGrantedAccess PowerShell CommandThe Access Check Process in PowerShellDefining the Access Check FunctionPerforming the Mandatory Access CheckPerforming the Token Access CheckPerforming the Discretionary Access CheckSandboxingRestricted TokensLowbox TokensEnterprise Access ChecksThe Object Type Access CheckThe Central Access PolicyWorked ExamplesUsing the Get-PSGrantedAccess CommandCalculating Granted Access for ResourcesWrapping Up
Traversal CheckingThe SeChangeNotifyPrivilege PrivilegeLimited ChecksHandle Duplication Access ChecksSandbox Token ChecksAutomating Access ChecksWorked ExamplesSimplifying an Access Check for an ObjectFinding Writable Section ObjectsWrapping Up
The Security Event LogConfiguring the System Audit PolicyConfiguring the Per-User Audit PolicyAudit Policy SecurityConfiguring the Resource SACLConfiguring the Global SACLWorked ExamplesVerifying Audit Access SecurityFinding Resources with Audit ACEsWrapping Up
Domain AuthenticationLocal AuthenticationEnterprise Network DomainsDomain ForestsLocal Domain ConfigurationThe User DatabaseThe LSA Policy DatabaseRemote LSA ServicesThe SAM Remote ServiceThe Domain Policy Remote ServiceThe SAM and SECURITY DatabasesAccessing the SAM Database Through the RegistryInspecting the SECURITY DatabaseWorked ExamplesRID CyclingForcing a User‘s Password ChangeExtracting All Local User HashesWrapping Up
A Brief History of Active DirectoryExploring an Active Directory Domain with PowerShellThe Remote Server Administration ToolsBasic Forest and Domain InformationThe UsersThe GroupsThe ComputersObjects and Distinguished NamesEnumerating Directory ObjectsAccessing Objects in Other DomainsThe SchemaInspecting the SchemaAccessing the Security AttributesSecurity DescriptorsQuerying Security Descriptors of Directory ObjectsAssigning Security Descriptors to New Directory ObjectsAssigning Security Descriptors to Existing ObjectsInspecting a Security Descriptor’s Inherited SecurityAccess ChecksCreating ObjectsDeleting ObjectsListing ObjectsReading and Writing AttributesChecking Multiple AttributesAnalyzing Property SetsInspecting Control Access RightsAnalyzing Write-Validated Access RightsAccessing the SELF SIDPerforming Additional Security ChecksClaims and Central Access PoliciesGroup PoliciesWorked ExampleBuilding the Authorization ContextGathering Object InformationRunning the Access CheckWrapping Up
Creating a User’s DesktopThe LsaLogonUser APILocal AuthenticationDomain AuthenticationLogon and Console SessionsToken CreationUsing the LsaLogonUser API from PowerShellCreating a New Process with a TokenThe Service Logon TypeWorked ExamplesTesting Privileges and Logon Account RightsCreating a Process in a Different Console SessionAuthenticating Virtual AccountsWrapping Up
NTLM Network AuthenticationNTLM Authentication Using PowerShellThe Cryptographic Derivation ProcessPass-Through AuthenticationLocal Loopback AuthenticationAlternative Client CredentialsThe NTLM Relay AttackAttack OverviewActive Server ChallengesSigning and SealingTarget NamesChannel BindingWorked ExampleOverviewThe Code ModuleThe Server ImplementationThe Client ImplementationThe NTLM Authentication TestWrapping Up
Interactive Authentication with KerberosInitial User AuthenticationNetwork Service AuthenticationPerforming Kerberos Authentication in PowerShellDecrypting the AP-REQ MessageDecrypting the AP-REP MessageCross-Domain AuthenticationKerberos DelegationUnconstrained DelegationConstrained DelegationUser-to-User Kerberos AuthenticationWorked ExamplesQuerying the Kerberos Ticket CacheSimple KerberoastingWrapping Up
Security BuffersUsing Buffers with an Authentication ContextUsing Buffers with Signing and SealingThe Negotiate ProtocolLess Common Security PackagesSecure ChannelCredSSPRemote Credential Guard and Restricted Admin ModeThe Credential ManagerAdditional Request Attribute FlagsAnonymous SessionsIdentity TokensNetwork Authentication with a Lowbox TokenAuthentication with the Enterprise Authentication CapabilityAuthentication to a Known Web ProxyAuthentication with Explicit CredentialsThe Authentication Audit Event LogWorked ExamplesIdentifying the Reason for an Authentication FailureUsing a Secure Channel to Extract a Server’s TLS CertificateWrapping UpFinal Thoughts
The Domain NetworkInstalling and Configuring Windows Hyper-VCreating the Virtual MachinesThe PRIMARYDC ServerThe GRAPHITE WorkstationThe SALESDC Server

Content preview from Windows Security Internals

`5` `SECURITY DESCRIPTORS`

In the preceding chapter, we discussed the security access token, which describes the user’s identity to the SRM. In this chapter, you’ll learn how security descriptors define a resource’s security. A security descriptor does several things. It specifies the owner of a resource, allowing the SRM to grant specific rights to users who are accessing their own data. It also contains the discretionary access control (DAC) and mandatory access control (MAC), which grant or deny access to users and groups. Finally, it

can contain entries that generate audit events. Almost every kernel resource has a security descriptor, and ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Mastering Linux Security and Hardening - Third Edition

Publisher Resources

ISBN: 9781098168834Errata Page

Windows Security Internals

by James Forshaw

`5` `SECURITY DESCRIPTORS`

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Mastering Linux Security and Hardening - Third Edition

Mastering Linux Security and Hardening - Second Edition

Mastering Windows Security and Hardening - Second Edition

Web Application Security, 2nd Edition

Publisher Resources

5 SECURITY DESCRIPTORS

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Mastering Linux Security and Hardening - Third Edition

Mastering Linux Security and Hardening - Second Edition

Mastering Windows Security and Hardening - Second Edition

Web Application Security, 2nd Edition

Publisher Resources

`5` `SECURITY DESCRIPTORS`

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.