book

Windows Security Internals

Name: Windows Security Internals
Author: James Forshaw
ISBN: 9781718501980

by James Forshaw

April 2024

Intermediate to advanced

608 pages

17h 13m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
Dedication
About the Author and Technical Reviewer
Foreword
Acknowledgments
Introduction
Who Is This Book For?What Is in This Book?PowerShell Conventions Used in This BookGetting in Touch
Part I: An Overview of the Windows Operating System
1. Setting Up a Powershell Testing Environment
Choosing a PowerShell VersionConfiguring PowerShellAn Overview of the PowerShell LanguageUnderstanding Types, Variables, and ExpressionsExecuting CommandsDiscovering Commands and Getting HelpDefining FunctionsDisplaying and Manipulating ObjectsFiltering, Ordering, and Grouping ObjectsExporting DataWrapping Up
2. The Windows Kernel
The Windows Kernel ExecutiveThe Security Reference MonitorThe Object ManagerObject TypesThe Object Manager NamespaceSystem CallsNTSTATUS CodesObject HandlesQuery and Set Information System CallsThe Input/Output ManagerThe Process and Thread ManagerThe Memory ManagerNtVirtualMemory CommandsSection ObjectsCode IntegrityAdvanced Local Procedure CallThe Configuration ManagerWorked ExamplesFinding Open Handles by NameFinding Shared ObjectsModifying a Mapped SectionFinding Writable and Executable MemoryWrapping Up

3. User-Mode Applications
Win32 and the User-Mode Windows APIsLoading a New LibraryViewing Imported APIsSearching for DLLsThe Win32 GUIGUI Kernel ResourcesWindow MessagesConsole SessionsComparing Win32 APIs and System CallsWin32 Registry PathsOpening KeysListing the Registry’s ContentsDOS Device PathsPath TypesMaximum Path LengthsProcess CreationCommand Line ParsingShell APIsSystem ProcessesThe Session ManagerThe Windows Logon ProcessThe Local Security Authority SubsystemThe Service Control ManagerWorked ExamplesFinding Executables That Import Specific APIsFinding Hidden Registry Keys or ValuesWrapping Up
Part II: The Windows Security Reference Monitor
4. Security Access Tokens
Primary TokensImpersonation TokensSecurity Quality of ServiceExplicit Token ImpersonationConverting Between Token TypesPseudo Token HandlesToken GroupsEnabled, EnabledByDefault, and MandatoryLogonIdOwnerUseForDenyOnlyIntegrity and IntegrityEnabledResourceDevice GroupsPrivilegesSandbox TokensRestricted TokensWrite-Restricted TokensAppContainer and Lowbox TokensWhat Makes an Administrator User?User Account ControlLinked Tokens and Elevation TypeUI AccessVirtualizationSecurity AttributesCreating TokensToken AssignmentAssigning a Primary TokenAssigning an Impersonation TokenWorked ExamplesFinding UI Access ProcessesFinding Token Handles to ImpersonateRemoving Administrator PrivilegesWrapping Up
5. Security Descriptors
The Structure of a Security DescriptorThe Structure of a SIDAbsolute and Relative Security DescriptorsAccess Control List Headers and EntriesThe HeaderThe ACE ListConstructing and Manipulating Security DescriptorsCreating a New Security DescriptorOrdering the ACEsFormatting Security DescriptorsConverting to and from a Relative Security DescriptorThe Security Descriptor Definition LanguageWorked ExamplesManually Parsing a Binary SIDEnumerating SIDsWrapping Up
6. Reading and Assigning Security Descriptors
Reading Security DescriptorsAssigning Security DescriptorsAssigning a Security Descriptor During Resource CreationAssigning a Security Descriptor to an Existing ResourceWin32 Security APIsServer Security Descriptors and Compound ACEsA Summary of Inheritance BehaviorWorked ExamplesFinding Object Manager Resource OwnersChanging the Ownership of a ResourceWrapping Up
7. The Access Check Process
Running an Access CheckKernel-Mode Access ChecksUser-Mode Access ChecksThe Get-NtGrantedAccess PowerShell CommandThe Access Check Process in PowerShellDefining the Access Check FunctionPerforming the Mandatory Access CheckPerforming the Token Access CheckPerforming the Discretionary Access CheckSandboxingRestricted TokensLowbox TokensEnterprise Access ChecksThe Object Type Access CheckThe Central Access PolicyWorked ExamplesUsing the Get-PSGrantedAccess CommandCalculating Granted Access for ResourcesWrapping Up
8. Other Access Checking Use Cases
Traversal CheckingThe SeChangeNotifyPrivilege PrivilegeLimited ChecksHandle Duplication Access ChecksSandbox Token ChecksAutomating Access ChecksWorked ExamplesSimplifying an Access Check for an ObjectFinding Writable Section ObjectsWrapping Up
9. Security Auditing
The Security Event LogConfiguring the System Audit PolicyConfiguring the Per-User Audit PolicyAudit Policy SecurityConfiguring the Resource SACLConfiguring the Global SACLWorked ExamplesVerifying Audit Access SecurityFinding Resources with Audit ACEsWrapping Up
Part III: The Local Security Authority and Authentication
10. Windows Authentication
Domain AuthenticationLocal AuthenticationEnterprise Network DomainsDomain ForestsLocal Domain ConfigurationThe User DatabaseThe LSA Policy DatabaseRemote LSA ServicesThe SAM Remote ServiceThe Domain Policy Remote ServiceThe SAM and SECURITY DatabasesAccessing the SAM Database Through the RegistryInspecting the SECURITY DatabaseWorked ExamplesRID CyclingForcing a User‘s Password ChangeExtracting All Local User HashesWrapping Up
11. Active Directory
A Brief History of Active DirectoryExploring an Active Directory Domain with PowerShellThe Remote Server Administration ToolsBasic Forest and Domain InformationThe UsersThe GroupsThe ComputersObjects and Distinguished NamesEnumerating Directory ObjectsAccessing Objects in Other DomainsThe SchemaInspecting the SchemaAccessing the Security AttributesSecurity DescriptorsQuerying Security Descriptors of Directory ObjectsAssigning Security Descriptors to New Directory ObjectsAssigning Security Descriptors to Existing ObjectsInspecting a Security Descriptor’s Inherited SecurityAccess ChecksCreating ObjectsDeleting ObjectsListing ObjectsReading and Writing AttributesChecking Multiple AttributesAnalyzing Property SetsInspecting Control Access RightsAnalyzing Write-Validated Access RightsAccessing the SELF SIDPerforming Additional Security ChecksClaims and Central Access PoliciesGroup PoliciesWorked ExampleBuilding the Authorization ContextGathering Object InformationRunning the Access CheckWrapping Up
12. Interactive Authentication
Creating a User’s DesktopThe LsaLogonUser APILocal AuthenticationDomain AuthenticationLogon and Console SessionsToken CreationUsing the LsaLogonUser API from PowerShellCreating a New Process with a TokenThe Service Logon TypeWorked ExamplesTesting Privileges and Logon Account RightsCreating a Process in a Different Console SessionAuthenticating Virtual AccountsWrapping Up
13. Network Authentication
NTLM Network AuthenticationNTLM Authentication Using PowerShellThe Cryptographic Derivation ProcessPass-Through AuthenticationLocal Loopback AuthenticationAlternative Client CredentialsThe NTLM Relay AttackAttack OverviewActive Server ChallengesSigning and SealingTarget NamesChannel BindingWorked ExampleOverviewThe Code ModuleThe Server ImplementationThe Client ImplementationThe NTLM Authentication TestWrapping Up
14. Kerberos
Interactive Authentication with KerberosInitial User AuthenticationNetwork Service AuthenticationPerforming Kerberos Authentication in PowerShellDecrypting the AP-REQ MessageDecrypting the AP-REP MessageCross-Domain AuthenticationKerberos DelegationUnconstrained DelegationConstrained DelegationUser-to-User Kerberos AuthenticationWorked ExamplesQuerying the Kerberos Ticket CacheSimple KerberoastingWrapping Up
15. Negotiate Authentication and Other Security Packages
Security BuffersUsing Buffers with an Authentication ContextUsing Buffers with Signing and SealingThe Negotiate ProtocolLess Common Security PackagesSecure ChannelCredSSPRemote Credential Guard and Restricted Admin ModeThe Credential ManagerAdditional Request Attribute FlagsAnonymous SessionsIdentity TokensNetwork Authentication with a Lowbox TokenAuthentication with the Enterprise Authentication CapabilityAuthentication to a Known Web ProxyAuthentication with Explicit CredentialsThe Authentication Audit Event LogWorked ExamplesIdentifying the Reason for an Authentication FailureUsing a Secure Channel to Extract a Server’s TLS CertificateWrapping UpFinal Thoughts
A: Building a Windows Domain Network for Testing
The Domain NetworkInstalling and Configuring Windows Hyper-VCreating the Virtual MachinesThe PRIMARYDC ServerThe GRAPHITE WorkstationThe SALESDC Server
B: SDDL SID Alias Mapping
Index

Content preview from Windows Security Internals

`9` `SECURITY AUDITING`

Intertwined with the access check process is the auditing process. An administrator can configure the system’s auditing mechanism to generate a log of accessed resources. Each log event will include details about the user and application that opened the resource and whether the access succeeded or failed. This information can help us identify incorrect security settings or detect malicious access to sensitive resources.

In this short chapter, we’ll first discuss where the resource access log gets stored once the kernel generates it. We’ll then describe how a system administrator can configure the audit mechanism. Finally, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Mastering Windows Security and Hardening - Second Edition

Publisher Resources

ISBN: 9781098168834Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Windows Security Internals

by James Forshaw

`9` `SECURITY AUDITING`

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.