book

Windows Security Monitoring

by Andrei Miroshnikov

April 2018

Intermediate to advanced

648 pages

14h 51m

English

Wiley

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversHow This Book Is StructuredWhat You Need to Use This BookConventionsWhat's on the Website
Security LoggingSecurity Monitoring
Legacy Auditing SettingsAdvanced Auditing SettingsWindows Auditing Group Policy SettingsWindows Auditing ArchitectureSecurity Event Structure
Account LogonAccount ManagementDetailed TrackingDS AccessLogon and LogoffObject AccessPolicy ChangePrivilege UseSystem
Interactive LogonRemoteInteractive LogonNetwork LogonBatch and Service LogonNetworkCleartext LogonNewCredentials LogonAccount Logoff and Session DisconnectSpecial GroupsAnonymous Logon

Built-in Local User AccountsBuilt-in Local User Accounts Monitoring ScenariosLocal User Account Password ModificationLocal User Account Enabled/DisabledLocal User Account Lockout EventsLocal User Account Change Events
Built-in Local Security GroupsBuilt-in Local Security Groups Monitoring Scenarios
Active Directory Built-in Security GroupsBuilt-in Active Directory AccountsActive Directory Accounts OperationsActive Directory Group OperationsActive Directory Trust OperationsDomain Policy ChangesAccount Password Migration
Active Directory Object SACLActive Directory Object Change AuditingActive Directory Object Operation AttemptsActive Directory Objects Auditing Examples
NTLM-family ProtocolsKerberos
System Startup/ShutdownSystem Time ChangesSystem Services OperationsSecurity Event Log OperationsChanges in Auditing Subsystem SettingsPer-User Auditing OperationsScheduled TasksBoot Configuration Data Changes
Logon RightsUser PrivilegesUser Privileges Policy ModificationSpecial User Privileges Assigned at Logon TimeLogon Session User Privileges OperationsBackup and Restore Privilege Use Auditing
New Application InstallationApplication Execution and TerminationApplication Crash MonitoringWindows AppLocker AuditingProcess Permissions and LSASS.exe Access Auditing
Windows FilesystemFile and Folder OperationsRemovable StorageGlobal Object Access Auditing: FilesystemFile System Object Integrity LevelsMonitoring Recommendations
Windows Registry BasicsRegistry Operations AuditingGlobal Object Access Auditing: RegistryRegistry Key Integrity LevelsMonitoring Recommendations
Network File SharesNamed Pipes
Object-Specific Access Rights

Content preview from Windows Security Monitoring

CHAPTER 12Windows Applications

There are multiple types of Windows applications: console, desktop, service, and so on. Applications can be portable, which don't require installation, or installable, which need to be installed and registered in the local Windows application registry. Applications are almost always involved in cybersecurity incidents—for example, malware is often executable, malicious macros run in Microsoft Word, and phishing e-mail can be received by Microsoft Outlook.

It is important to monitor use of applications on the host. You should monitor activities such as application installation, removal, execution, application crashes, and application blocking events by AppLocker. In this chapter you will find detailed information about monitoring these scenarios and more.

New Application Installation

Depending on how software installation is designed, it may register an application in the Windows software manager database. The software manager is designed to provide users an easy-to-use interface to remove, modify, and repair installed applications, components, and updates.

In Windows Server 2016 and Windows 10, the software manager can be invoked using Programs and Features item in Control Panel or using the command rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl. Figure 12-1 shows the Windows Server 2016 software manager.