Windows Security Monitoring

Book description

Go deep into Windows security tools to implement more robust protocols and processes

Windows Security Monitoring goes beyond Windows admin and security certification guides to provide in-depth information for security professionals. Written by a Microsoft security program manager, DEFCON organizer and CISSP, this book digs deep into the underused tools that help you keep Windows systems secure. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful native tools, while scenario-based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event detection to incident response procedures and best practices, this book provides detailed information on all of the security tools your Windows system has to offer.

Windows includes many native tools that can help IT professionals and security experts spot and remedy suspicious activities on servers, networks, and end-user computers. If you're like many Windows pros, you're probably not taking full advantage of these features. This book takes you deep into Windows' underutilized built-in security tools to help you beef up your monitoring, detection, and response processes.

  • Detect anomalous events and implement centralized alerting infrastructure
  • Dig into the native Windows tools that enable robust security measures
  • Understand the details of PowerShell, AppLocker, LogParser, and other tools
  • Adopt effective incident response processes for various common scenarios

Fully applicable to a range of Windows versions—back to Windows Vista and Windows Server 2008—this book is designed for real-world implementation. As the threats to your data grow more numerous by the day, it becomes ever more critical to use every security tool at your disposal. Windows Security Monitoring offers complete, expert guidance toward robust security with specialist-level use of powerful Windows tools.

Table of contents

  1. Cover
  2. Title Page
  3. Introduction
    1. Who This Book Is For
    2. What This Book Covers
    3. How This Book Is Structured
    4. What You Need to Use This Book
    5. Conventions
    6. What's on the Website
  4. Part I: Introduction to Windows Security Monitoring
    1. CHAPTER 1: Windows Security Logging and Monitoring Policy
      1. Security Logging
      2. Security Monitoring
  5. Part II: Windows Auditing Subsystem
    1. CHAPTER 2: Auditing Subsystem Architecture
      1. Legacy Auditing Settings
      2. Advanced Auditing Settings
      3. Windows Auditing Group Policy Settings
      4. Windows Auditing Architecture
      5. Security Event Structure
    2. CHAPTER 3: Auditing Subcategories and Recommendations
      1. Account Logon
      2. Account Management
      3. Detailed Tracking
      4. DS Access
      5. Logon and Logoff
      6. Object Access
      7. Policy Change
      8. Privilege Use
      9. System
  6. Part III: Security Monitoring Scenarios
    1. CHAPTER 4: Account Logon
      1. Interactive Logon
      2. RemoteInteractive Logon
      3. Network Logon
      4. Batch and Service Logon
      5. NetworkCleartext Logon
      6. NewCredentials Logon
      7. Account Logoff and Session Disconnect
      8. Special Groups
      9. Anonymous Logon
    2. CHAPTER 5: Local User Accounts
      1. Built-in Local User Accounts
      2. Built-in Local User Accounts Monitoring Scenarios
      3. Local User Account Password Modification
      4. Local User Account Enabled/Disabled
      5. Local User Account Lockout Events
      6. Local User Account Change Events
    3. CHAPTER 6: Local Security Groups
      1. Built-in Local Security Groups
      2. Built-in Local Security Groups Monitoring Scenarios
    4. CHAPTER 7: Microsoft Active Directory
      1. Active Directory Built-in Security Groups
      2. Built-in Active Directory Accounts
      3. Active Directory Accounts Operations
      4. Active Directory Group Operations
      5. Active Directory Trust Operations
      6. Domain Policy Changes
      7. Account Password Migration
    5. CHAPTER 8: Active Directory Objects
      1. Active Directory Object SACL
      2. Active Directory Object Change Auditing
      3. Active Directory Object Operation Attempts
      4. Active Directory Objects Auditing Examples
    6. CHAPTER 9: Authentication Protocols
      1. NTLM-family Protocols
      2. Kerberos
    7. CHAPTER 10: Operating System Events
      1. System Startup/Shutdown
      2. System Time Changes
      3. System Services Operations
      4. Security Event Log Operations
      5. Changes in Auditing Subsystem Settings
      6. Per-User Auditing Operations
      7. Scheduled Tasks
      8. Boot Configuration Data Changes
    8. CHAPTER 11: Logon Rights and User Privileges
      1. Logon Rights
      2. User Privileges
      3. User Privileges Policy Modification
      4. Special User Privileges Assigned at Logon Time
      5. Logon Session User Privileges Operations
      6. Backup and Restore Privilege Use Auditing
    9. CHAPTER 12: Windows Applications
      1. New Application Installation
      2. Application Execution and Termination
      3. Application Crash Monitoring
      4. Windows AppLocker Auditing
      5. Process Permissions and LSASS.exe Access Auditing
    10. CHAPTER 13: Filesystem and Removable Storage
      1. Windows Filesystem
      2. File and Folder Operations
      3. Removable Storage
      4. Global Object Access Auditing: Filesystem
      5. File System Object Integrity Levels
      6. Monitoring Recommendations
    11. CHAPTER 14: Windows Registry
      1. Windows Registry Basics
      2. Registry Operations Auditing
      3. Global Object Access Auditing: Registry
      4. Registry Key Integrity Levels
      5. Monitoring Recommendations
    12. CHAPTER 15: Network File Shares and Named Pipes
      1. Network File Shares
      2. Named Pipes
  7. APPENDIX A: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options
  8. APPENDIX B: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes
  9. APPENDIX C: SDDL Access Rights
    1. Object-Specific Access Rights
  10. End User License Agreement

Product information

  • Title: Windows Security Monitoring
  • Author(s): Andrei Miroshnikov
  • Release date: April 2018
  • Publisher(s): Wiley
  • ISBN: 9781119390640