book

Windows Security Monitoring

by Andrei Miroshnikov

April 2018

Intermediate to advanced

648 pages

14h 51m

English

Wiley

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversHow This Book Is StructuredWhat You Need to Use This BookConventionsWhat's on the Website
Security LoggingSecurity Monitoring
Legacy Auditing SettingsAdvanced Auditing SettingsWindows Auditing Group Policy SettingsWindows Auditing ArchitectureSecurity Event Structure
Account LogonAccount ManagementDetailed TrackingDS AccessLogon and LogoffObject AccessPolicy ChangePrivilege UseSystem
Interactive LogonRemoteInteractive LogonNetwork LogonBatch and Service LogonNetworkCleartext LogonNewCredentials LogonAccount Logoff and Session DisconnectSpecial GroupsAnonymous Logon

Built-in Local User AccountsBuilt-in Local User Accounts Monitoring ScenariosLocal User Account Password ModificationLocal User Account Enabled/DisabledLocal User Account Lockout EventsLocal User Account Change Events
Built-in Local Security GroupsBuilt-in Local Security Groups Monitoring Scenarios
Active Directory Built-in Security GroupsBuilt-in Active Directory AccountsActive Directory Accounts OperationsActive Directory Group OperationsActive Directory Trust OperationsDomain Policy ChangesAccount Password Migration
Active Directory Object SACLActive Directory Object Change AuditingActive Directory Object Operation AttemptsActive Directory Objects Auditing Examples
NTLM-family ProtocolsKerberos
System Startup/ShutdownSystem Time ChangesSystem Services OperationsSecurity Event Log OperationsChanges in Auditing Subsystem SettingsPer-User Auditing OperationsScheduled TasksBoot Configuration Data Changes
Logon RightsUser PrivilegesUser Privileges Policy ModificationSpecial User Privileges Assigned at Logon TimeLogon Session User Privileges OperationsBackup and Restore Privilege Use Auditing
New Application InstallationApplication Execution and TerminationApplication Crash MonitoringWindows AppLocker AuditingProcess Permissions and LSASS.exe Access Auditing
Windows FilesystemFile and Folder OperationsRemovable StorageGlobal Object Access Auditing: FilesystemFile System Object Integrity LevelsMonitoring Recommendations
Windows Registry BasicsRegistry Operations AuditingGlobal Object Access Auditing: RegistryRegistry Key Integrity LevelsMonitoring Recommendations
Network File SharesNamed Pipes
Object-Specific Access Rights

Content preview from Windows Security Monitoring

CHAPTER 13Filesystem and Removable Storage

This chapter is probably one of the most interesting chapters in the book, because it answers some of the most common questions asked during incident investigation procedures:

Who deleted the file?
Who created the file?
How was this file accessed—using which tool or application?
When was this file deleted?
Who changed this file?
and so on

Some of these questions are easy to answer, but some of them are not. In this chapter you will find information about monitoring recommendations for most common scenarios related to the local drive and removable storage filesystem objects.

Windows Filesystem

Currently the most common Windows filesystem is the New Technology File System (NTFS). You can still find the File Allocation Table 32 (FAT32) filesystem, most likely on some USB drives or legacy operating systems, like Windows 98, for example.

The FAT32 filesystem was developed as an extension and replacement of the older FAT16 filesystem to overcome some FAT16 filesystem limitations, such as maximum file size limitations, and to improve other characteristics.

FAT16 was first introduced in November 1987, with FAT32 coming in 1996. Table 13-1 compares some of the characteristics of these two filesystems.

Table 13-1: FAT16 Compared to FAT32

LIMIT	FAT16	FAT32
Max. volume size	4 GB (64KB clusters)	16 TB (4KB sectors)
Max. file size	4 GB	4 GB
Max. number of files	65,460 (32KB clusters)	268,173,300 (32KB clusters)
Max. filename ...