book

Windows Security Monitoring

by Andrei Miroshnikov

April 2018

Intermediate to advanced

648 pages

14h 51m

English

Wiley

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversHow This Book Is StructuredWhat You Need to Use This BookConventionsWhat's on the Website
Security LoggingSecurity Monitoring
Legacy Auditing SettingsAdvanced Auditing SettingsWindows Auditing Group Policy SettingsWindows Auditing ArchitectureSecurity Event Structure
Account LogonAccount ManagementDetailed TrackingDS AccessLogon and LogoffObject AccessPolicy ChangePrivilege UseSystem
Interactive LogonRemoteInteractive LogonNetwork LogonBatch and Service LogonNetworkCleartext LogonNewCredentials LogonAccount Logoff and Session DisconnectSpecial GroupsAnonymous Logon

Built-in Local User AccountsBuilt-in Local User Accounts Monitoring ScenariosLocal User Account Password ModificationLocal User Account Enabled/DisabledLocal User Account Lockout EventsLocal User Account Change Events
Built-in Local Security GroupsBuilt-in Local Security Groups Monitoring Scenarios
Active Directory Built-in Security GroupsBuilt-in Active Directory AccountsActive Directory Accounts OperationsActive Directory Group OperationsActive Directory Trust OperationsDomain Policy ChangesAccount Password Migration
Active Directory Object SACLActive Directory Object Change AuditingActive Directory Object Operation AttemptsActive Directory Objects Auditing Examples
NTLM-family ProtocolsKerberos
System Startup/ShutdownSystem Time ChangesSystem Services OperationsSecurity Event Log OperationsChanges in Auditing Subsystem SettingsPer-User Auditing OperationsScheduled TasksBoot Configuration Data Changes
Logon RightsUser PrivilegesUser Privileges Policy ModificationSpecial User Privileges Assigned at Logon TimeLogon Session User Privileges OperationsBackup and Restore Privilege Use Auditing
New Application InstallationApplication Execution and TerminationApplication Crash MonitoringWindows AppLocker AuditingProcess Permissions and LSASS.exe Access Auditing
Windows FilesystemFile and Folder OperationsRemovable StorageGlobal Object Access Auditing: FilesystemFile System Object Integrity LevelsMonitoring Recommendations
Windows Registry BasicsRegistry Operations AuditingGlobal Object Access Auditing: RegistryRegistry Key Integrity LevelsMonitoring Recommendations
Network File SharesNamed Pipes
Object-Specific Access Rights

Content preview from Windows Security Monitoring

CHAPTER 1Windows Security Logging and Monitoring Policy

The purpose of the Security Logging and Monitoring (SL&M) policy is to ensure the confidentiality, integrity, and availability of information by specifying the minimum requirements for security logging and monitoring of company systems.

It is recommended to have such a policy defined and published in order to standardize security logging and monitoring requirements.

This chapter guides you through the sections of the SL&M policy and provides basic information for creating your own version.

Security Logging

This section outlines the requirements for what needs to be logged and how logs need to be managed.

Security logs provide vital information about system events that may, when correlated with other events or used independently, indicate a breach or misuse of resources. When configured and managed properly, logs are key in establishing accountability and attribution for any event. They provide answers to the critical questions about security events: who is involved, what happened, when and where it happened, and how it happened.

Companies should ensure that information passing through their systems, including user activities such as web sites visited and servers accessed, is logged, reviewed, and otherwise utilized.

Implementing the recommendations in this section can mitigate the risk of an attacker's activities going unnoticed and enhance a company's ability to conclude whether an attack led to a breach.