book

Windows Security Internals

by James Forshaw

April 2024

Intermediate to advanced

608 pages

17h 13m

English

No Starch Press

Read now

Unlock full access

Who Is This Book For?What Is in This Book?PowerShell Conventions Used in This BookGetting in Touch
Choosing a PowerShell VersionConfiguring PowerShellAn Overview of the PowerShell LanguageUnderstanding Types, Variables, and ExpressionsExecuting CommandsDiscovering Commands and Getting HelpDefining FunctionsDisplaying and Manipulating ObjectsFiltering, Ordering, and Grouping ObjectsExporting DataWrapping Up
The Windows Kernel ExecutiveThe Security Reference MonitorThe Object ManagerObject TypesThe Object Manager NamespaceSystem CallsNTSTATUS CodesObject HandlesQuery and Set Information System CallsThe Input/Output ManagerThe Process and Thread ManagerThe Memory ManagerNtVirtualMemory CommandsSection ObjectsCode IntegrityAdvanced Local Procedure CallThe Configuration ManagerWorked ExamplesFinding Open Handles by NameFinding Shared ObjectsModifying a Mapped SectionFinding Writable and Executable MemoryWrapping Up

Win32 and the User-Mode Windows APIsLoading a New LibraryViewing Imported APIsSearching for DLLsThe Win32 GUIGUI Kernel ResourcesWindow MessagesConsole SessionsComparing Win32 APIs and System CallsWin32 Registry PathsOpening KeysListing the Registry’s ContentsDOS Device PathsPath TypesMaximum Path LengthsProcess CreationCommand Line ParsingShell APIsSystem ProcessesThe Session ManagerThe Windows Logon ProcessThe Local Security Authority SubsystemThe Service Control ManagerWorked ExamplesFinding Executables That Import Specific APIsFinding Hidden Registry Keys or ValuesWrapping Up
Primary TokensImpersonation TokensSecurity Quality of ServiceExplicit Token ImpersonationConverting Between Token TypesPseudo Token HandlesToken GroupsEnabled, EnabledByDefault, and MandatoryLogonIdOwnerUseForDenyOnlyIntegrity and IntegrityEnabledResourceDevice GroupsPrivilegesSandbox TokensRestricted TokensWrite-Restricted TokensAppContainer and Lowbox TokensWhat Makes an Administrator User?User Account ControlLinked Tokens and Elevation TypeUI AccessVirtualizationSecurity AttributesCreating TokensToken AssignmentAssigning a Primary TokenAssigning an Impersonation TokenWorked ExamplesFinding UI Access ProcessesFinding Token Handles to ImpersonateRemoving Administrator PrivilegesWrapping Up
The Structure of a Security DescriptorThe Structure of a SIDAbsolute and Relative Security DescriptorsAccess Control List Headers and EntriesThe HeaderThe ACE ListConstructing and Manipulating Security DescriptorsCreating a New Security DescriptorOrdering the ACEsFormatting Security DescriptorsConverting to and from a Relative Security DescriptorThe Security Descriptor Definition LanguageWorked ExamplesManually Parsing a Binary SIDEnumerating SIDsWrapping Up
Reading Security DescriptorsAssigning Security DescriptorsAssigning a Security Descriptor During Resource CreationAssigning a Security Descriptor to an Existing ResourceWin32 Security APIsServer Security Descriptors and Compound ACEsA Summary of Inheritance BehaviorWorked ExamplesFinding Object Manager Resource OwnersChanging the Ownership of a ResourceWrapping Up
Running an Access CheckKernel-Mode Access ChecksUser-Mode Access ChecksThe Get-NtGrantedAccess PowerShell CommandThe Access Check Process in PowerShellDefining the Access Check FunctionPerforming the Mandatory Access CheckPerforming the Token Access CheckPerforming the Discretionary Access CheckSandboxingRestricted TokensLowbox TokensEnterprise Access ChecksThe Object Type Access CheckThe Central Access PolicyWorked ExamplesUsing the Get-PSGrantedAccess CommandCalculating Granted Access for ResourcesWrapping Up
Traversal CheckingThe SeChangeNotifyPrivilege PrivilegeLimited ChecksHandle Duplication Access ChecksSandbox Token ChecksAutomating Access ChecksWorked ExamplesSimplifying an Access Check for an ObjectFinding Writable Section ObjectsWrapping Up
The Security Event LogConfiguring the System Audit PolicyConfiguring the Per-User Audit PolicyAudit Policy SecurityConfiguring the Resource SACLConfiguring the Global SACLWorked ExamplesVerifying Audit Access SecurityFinding Resources with Audit ACEsWrapping Up
Domain AuthenticationLocal AuthenticationEnterprise Network DomainsDomain ForestsLocal Domain ConfigurationThe User DatabaseThe LSA Policy DatabaseRemote LSA ServicesThe SAM Remote ServiceThe Domain Policy Remote ServiceThe SAM and SECURITY DatabasesAccessing the SAM Database Through the RegistryInspecting the SECURITY DatabaseWorked ExamplesRID CyclingForcing a User‘s Password ChangeExtracting All Local User HashesWrapping Up
A Brief History of Active DirectoryExploring an Active Directory Domain with PowerShellThe Remote Server Administration ToolsBasic Forest and Domain InformationThe UsersThe GroupsThe ComputersObjects and Distinguished NamesEnumerating Directory ObjectsAccessing Objects in Other DomainsThe SchemaInspecting the SchemaAccessing the Security AttributesSecurity DescriptorsQuerying Security Descriptors of Directory ObjectsAssigning Security Descriptors to New Directory ObjectsAssigning Security Descriptors to Existing ObjectsInspecting a Security Descriptor’s Inherited SecurityAccess ChecksCreating ObjectsDeleting ObjectsListing ObjectsReading and Writing AttributesChecking Multiple AttributesAnalyzing Property SetsInspecting Control Access RightsAnalyzing Write-Validated Access RightsAccessing the SELF SIDPerforming Additional Security ChecksClaims and Central Access PoliciesGroup PoliciesWorked ExampleBuilding the Authorization ContextGathering Object InformationRunning the Access CheckWrapping Up
Creating a User’s DesktopThe LsaLogonUser APILocal AuthenticationDomain AuthenticationLogon and Console SessionsToken CreationUsing the LsaLogonUser API from PowerShellCreating a New Process with a TokenThe Service Logon TypeWorked ExamplesTesting Privileges and Logon Account RightsCreating a Process in a Different Console SessionAuthenticating Virtual AccountsWrapping Up
NTLM Network AuthenticationNTLM Authentication Using PowerShellThe Cryptographic Derivation ProcessPass-Through AuthenticationLocal Loopback AuthenticationAlternative Client CredentialsThe NTLM Relay AttackAttack OverviewActive Server ChallengesSigning and SealingTarget NamesChannel BindingWorked ExampleOverviewThe Code ModuleThe Server ImplementationThe Client ImplementationThe NTLM Authentication TestWrapping Up
Interactive Authentication with KerberosInitial User AuthenticationNetwork Service AuthenticationPerforming Kerberos Authentication in PowerShellDecrypting the AP-REQ MessageDecrypting the AP-REP MessageCross-Domain AuthenticationKerberos DelegationUnconstrained DelegationConstrained DelegationUser-to-User Kerberos AuthenticationWorked ExamplesQuerying the Kerberos Ticket CacheSimple KerberoastingWrapping Up
Security BuffersUsing Buffers with an Authentication ContextUsing Buffers with Signing and SealingThe Negotiate ProtocolLess Common Security PackagesSecure ChannelCredSSPRemote Credential Guard and Restricted Admin ModeThe Credential ManagerAdditional Request Attribute FlagsAnonymous SessionsIdentity TokensNetwork Authentication with a Lowbox TokenAuthentication with the Enterprise Authentication CapabilityAuthentication to a Known Web ProxyAuthentication with Explicit CredentialsThe Authentication Audit Event LogWorked ExamplesIdentifying the Reason for an Authentication FailureUsing a Secure Channel to Extract a Server’s TLS CertificateWrapping UpFinal Thoughts
The Domain NetworkInstalling and Configuring Windows Hyper-VCreating the Virtual MachinesThe PRIMARYDC ServerThe GRAPHITE WorkstationThe SALESDC Server

Content preview from Windows Security Internals

`8` `OTHER ACCESS CHECKING USE CASES`

Access checks determine what access a caller should have when opening a kernel resource. However, we sometimes perform them for other reasons, as they can serve as additional security checks. This chapter details some examples of using access checks as a secondary security mechanism.

We’ll start by looking at traversal checking, which determines whether a caller has access to a hierarchy of resources. Next, we’ll discuss how access checks are used when a handle is duplicated. We’ll also consider how an access check can limit access to kernel information, such as process listings, from sandboxed applications. ...