book

Windows Security Monitoring

by Andrei Miroshnikov

April 2018

Intermediate to advanced

648 pages

14h 51m

English

Wiley

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversHow This Book Is StructuredWhat You Need to Use This BookConventionsWhat's on the Website
Security LoggingSecurity Monitoring
Legacy Auditing SettingsAdvanced Auditing SettingsWindows Auditing Group Policy SettingsWindows Auditing ArchitectureSecurity Event Structure
Account LogonAccount ManagementDetailed TrackingDS AccessLogon and LogoffObject AccessPolicy ChangePrivilege UseSystem
Interactive LogonRemoteInteractive LogonNetwork LogonBatch and Service LogonNetworkCleartext LogonNewCredentials LogonAccount Logoff and Session DisconnectSpecial GroupsAnonymous Logon

Built-in Local User AccountsBuilt-in Local User Accounts Monitoring ScenariosLocal User Account Password ModificationLocal User Account Enabled/DisabledLocal User Account Lockout EventsLocal User Account Change Events
Built-in Local Security GroupsBuilt-in Local Security Groups Monitoring Scenarios
Active Directory Built-in Security GroupsBuilt-in Active Directory AccountsActive Directory Accounts OperationsActive Directory Group OperationsActive Directory Trust OperationsDomain Policy ChangesAccount Password Migration
Active Directory Object SACLActive Directory Object Change AuditingActive Directory Object Operation AttemptsActive Directory Objects Auditing Examples
NTLM-family ProtocolsKerberos
System Startup/ShutdownSystem Time ChangesSystem Services OperationsSecurity Event Log OperationsChanges in Auditing Subsystem SettingsPer-User Auditing OperationsScheduled TasksBoot Configuration Data Changes
Logon RightsUser PrivilegesUser Privileges Policy ModificationSpecial User Privileges Assigned at Logon TimeLogon Session User Privileges OperationsBackup and Restore Privilege Use Auditing
New Application InstallationApplication Execution and TerminationApplication Crash MonitoringWindows AppLocker AuditingProcess Permissions and LSASS.exe Access Auditing
Windows FilesystemFile and Folder OperationsRemovable StorageGlobal Object Access Auditing: FilesystemFile System Object Integrity LevelsMonitoring Recommendations
Windows Registry BasicsRegistry Operations AuditingGlobal Object Access Auditing: RegistryRegistry Key Integrity LevelsMonitoring Recommendations
Network File SharesNamed Pipes
Object-Specific Access Rights

Content preview from Windows Security Monitoring

APPENDIX A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options

The Kerberos Ticket Options field in security events 4768, 4771, 4769, and 4770 contains a bitmask with Kerberos ticket flags that were received by a Key Distribution Center (KDC) in the AS_REQ, TGS_REQ, or AP_REQ message.

The Ticket Options field is recorded in events in hexadecimal format, for example, 0x40810010. To find which flags are enabled you need to convert the hexadecimal number to binary. For example:

0x40810010 = 01000000100000010000000000010000

Ticket flag bitmasks use the Most Significant Bit (MSB) 0-bit numbering format, in which bits are numbered from left to right starting from the 0 bit. So, in the preceding example bits 1, 8, 15, and 27 are enabled.

Table A-1 contains information about possible ticket flags you can find in Kerberos AS_REQ, TGS_REQ, or AP_REQ messages, as well as corresponding bits for the Ticket Options field.

Table A-1: Kerberos Ticket Flags

BIT	NAME	DESCRIPTION
`0`	`Reserved`	Reserved for future use.
`1`	`Forwardable`	Tells the ticket-granting service (part of a KDC role in Windows) that it can issue a new TGT based on the presented TGT with a different network address.
`2`	`Forwarded`	Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
`3`	`Proxiable`	Tells the ticket-granting service (part of a KDC role in Windows) that it can issue tickets with a network address that differs from the one in the TGT.
`4`	`Proxy`	Indicates ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Mastering Windows Security and Hardening

Publisher Resources

ISBN: 9781119390640Purchase book

Windows Security Monitoring

by Andrei Miroshnikov

APPENDIX A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Mastering Windows Security and Hardening

Cyber Security and Network Security

Network Security, Firewalls, and VPNs, 3rd Edition

Windows Registry Forensics, 2nd Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Mastering Windows Security and Hardening

Cyber Security and Network Security

Network Security, Firewalls, and VPNs, 3rd Edition

Windows Registry Forensics, 2nd Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.