book

Windows Security Monitoring

by Andrei Miroshnikov

April 2018

Intermediate to advanced

648 pages

14h 51m

English

Wiley

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversHow This Book Is StructuredWhat You Need to Use This BookConventionsWhat's on the Website
Security LoggingSecurity Monitoring
Legacy Auditing SettingsAdvanced Auditing SettingsWindows Auditing Group Policy SettingsWindows Auditing ArchitectureSecurity Event Structure
Account LogonAccount ManagementDetailed TrackingDS AccessLogon and LogoffObject AccessPolicy ChangePrivilege UseSystem
Interactive LogonRemoteInteractive LogonNetwork LogonBatch and Service LogonNetworkCleartext LogonNewCredentials LogonAccount Logoff and Session DisconnectSpecial GroupsAnonymous Logon

Built-in Local User AccountsBuilt-in Local User Accounts Monitoring ScenariosLocal User Account Password ModificationLocal User Account Enabled/DisabledLocal User Account Lockout EventsLocal User Account Change Events
Built-in Local Security GroupsBuilt-in Local Security Groups Monitoring Scenarios
Active Directory Built-in Security GroupsBuilt-in Active Directory AccountsActive Directory Accounts OperationsActive Directory Group OperationsActive Directory Trust OperationsDomain Policy ChangesAccount Password Migration
Active Directory Object SACLActive Directory Object Change AuditingActive Directory Object Operation AttemptsActive Directory Objects Auditing Examples
NTLM-family ProtocolsKerberos
System Startup/ShutdownSystem Time ChangesSystem Services OperationsSecurity Event Log OperationsChanges in Auditing Subsystem SettingsPer-User Auditing OperationsScheduled TasksBoot Configuration Data Changes
Logon RightsUser PrivilegesUser Privileges Policy ModificationSpecial User Privileges Assigned at Logon TimeLogon Session User Privileges OperationsBackup and Restore Privilege Use Auditing
New Application InstallationApplication Execution and TerminationApplication Crash MonitoringWindows AppLocker AuditingProcess Permissions and LSASS.exe Access Auditing
Windows FilesystemFile and Folder OperationsRemovable StorageGlobal Object Access Auditing: FilesystemFile System Object Integrity LevelsMonitoring Recommendations
Windows Registry BasicsRegistry Operations AuditingGlobal Object Access Auditing: RegistryRegistry Key Integrity LevelsMonitoring Recommendations
Network File SharesNamed Pipes
Object-Specific Access Rights

Content preview from Windows Security Monitoring

APPENDIX C SDDL Access Rights

A Security Descriptor Definition Language (SDDL) access control entry (ACE) has a section where you should define the access rights of the ACE.

Predefined constants for generic access rights (Table C-1) can be mapped to any other access rights for a securable object. For example, the GENERIC_READ access right for a filesystem object maps for the following access rights:

Table C-1: Generic Access Rights

HEX	STRING	NAME
`0x10000000`	`GA`	`GENERIC_ALL`
`0x80000000`	`GR`	`GENERIC_READ`
`0x40000000`	`GW`	`GENERIC_WRITE`
`0x20000000`	`GX`	`GENERIC_EXECUTE`

READ_CONTROL + SYNCHRONIZE + FILE_READ_DATA + FILE_READ_EA + FILE_READ_ATTRIBUTES.

There is also a set of standard access rights that are applicable to most securable objects (Table C-2).

Table C-2: Standard Access Rights

HEX	STRING	NAME
`0x00010000`	`SD`	`DELETE`
`0x00020000`	`RC`	`READ_CONTROL`
`0x00040000`	`WD`	`WRITE_DAC`
`0x00080000`	`WO`	`WRITE_OWNER`
`0x00100000`	`-`	`SYNCHRONIZE`
`0x000F0000`	`-`	`STANDARD_RIGHTS_REQUIRED`
`0x01000000`	`-`	`ACCESS_SYSTEM_SECURITY`
`0x00250000`	`-`	`STANDARD_RIGHTS_ALL`

Object-Specific Access Rights

Each securable object type may have a dedicated set of object-specific access rights associated to it.

Table C-3 contains information about Directory Service object access rights.

Table C-3: Directory Service Object Access Rights

HEX	STRING	NAME
`0x1`	`CC`	`ADS_RIGHT_DS_CREATE_CHILD`
`0x2`	`DC`	`ADS_RIGHT_DS_DELETE_CHILD`
`0x4`	`LC`	`ADS_RIGHT_ACTRL_DS_LIST`
`0x8`	`SW`	`ADS_RIGHT_DS_SELF`
`0x10`