Introduction xxix
Part I Introduction to Windows Security Monitoring 1
Chapter 1 Windows Security Logging and Monitoring Policy 3
Security Logging 3
Security Logs 4
System Requirements 5
PII and PHI 5
Availability and Protection 5
Configuration Changes 6
Secure Storage 6
Centralized Collection 6
Backup and Retention 7
Periodic Review 7
Security Monitoring 7
Communications 8
Audit Tool and Technologies 8
Network Intrusion Detection Systems 8
Host-based Intrusion Detection Systems 8
System Reviews 9
Reporting 9
Part II Windows Auditing Subsystem 11
Chapter 2 Auditing Subsystem Architecture 13
Legacy Auditing Settings 13
Advanced Auditing Settings 16
Set Advanced Audit Settings via Local Group Policy 18
Set Advanced Audit Settings via Domain Group Policy 19
Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database 19
Read Current LSA Policy Database Advanced Audit Policy Settings 20
Advanced Audit Policies Enforcement and Legacy Policies Rollback 20
Switch from Advanced Audit Settings to Legacy Settings 21
Switch from Legacy Audit Settings to Advanced Settings 22
Windows Auditing Group Policy Settings 22
Manage Auditing and Security Log 22
Generate Security Audits 23
Security Auditing Policy Security Descriptor 23
Group Policy: “Audit: Shut Down System Immediately If Unable to Log Security Audits” 24
Group Policy: Protected Event Logging 25
Group Policy: “Audit: Audit the Use of Backup and Restore Privilege” 25
Group Policy: “Audit: Audit the Access of Global System Objects” 26
Audit the Access of Global System Container Objects 26
Windows Event Log Service: Security Event Log Settings 27
Changing the Maximum Security Event Log File Size 28
Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size 29
Group Policy: Back Up Log Automatically When Full 29
Group Policy: Control the Location of the Log File 30
Security Event Log Security Descriptor 31
Guest and Anonymous Access to the Security Event Log 33
Windows Auditing Architecture 33
Windows Auditing Policy Flow 34
LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route 35
Windows Auditing Event Flow 36
LSASS.EXE Security Event Flow 37
NTOSKRNL.EXE Security Event Flow 37
Security Event Structure 38
Chapter 3 Auditing Subcategories and Recommendations 47
Account Logon 47
Audit Credential Validation 47
Audit Kerberos Authentication Service 50
Audit Kerberos Service Ticket Operations 53
Audit Other Account Logon Events 54
Account Management 54
Audit Application Group Management 54
Audit Computer Account Management 54
Audit Distribution Group Management 55
Audit Other Account Management Events 56
Audit Security Group Management 57
Audit User Account Management 57
Detailed Tracking 58
Audit DPAPI Activity 58
Audit PNP Activity 58
Audit Process Creation 58
Audit Process Termination 59
Audit RPC Events 59
DS Access 60
Audit Detailed Directory Service Replication 60
Audit Directory Service Access 60
Audit Directory Service Changes 61
Audit Directory Service Replication 61
Logon and Logoff 61
Audit Account Lockout 61
Audit User/Device Claims 62
Audit Group Membership 62
Audit IPsec Extended Mode/Audit IPsec Main Mode/ Audit IPsec Quick Mode 63
Audit Logoff 63
Audit Logon 64
Audit Network Policy Server 65
Audit Other Logon/Logoff Events 65
Audit Special Logon 66
Object Access 66
Audit Application Generated 67
Audit Certification Services 67
Audit Detailed File Share 67
Audit File Share 67
Audit File System 68
Audit Filtering Platform Connection 68
Audit Filtering Platform Packet Drop 69
Audit Handle Manipulation 69
Audit Kernel Object 70
Audit Other Object Access Events 71
Audit Registry 71
Audit Removable Storage 72
Audit SAM 72
Audit Central Policy Staging 73
Policy Change 73
Audit Policy Change 73
Audit Authentication Policy Change 74
Audit Authorization Policy Change 74
Audit Filtering Platform Policy Change 75
Audit MPSSVC Rule-Level Policy Change 75
Audit Other Policy Change Events 75
Privilege Use 76
Audit Non Sensitive Privilege Use 76
Audit Other Privilege Use Events 77
Audit Sensitive Privilege Use 77
System 77
Audit IPsec Driver 78
Audit Other System Events 78
Audit Security State Change 78
Audit Security System Extension 79
Audit System Integrity 79
Part III Security Monitoring Scenarios 81
Chapter 4 Account Logon 83
Interactive Logon 85
Successful Local User Account Interactive Logon 85
Step 1: Winlogon Process Initialization 85
Step 1: LSASS Initialization 87
Step 2: Local System Account Logon 88
Step 3: ALPC Communications between Winlogon and LSASS 92
Step 4: Secure Desktop and SAS 92
Step 5: Authentication Data Gathering 92
Step 6: Send Credentials from Winlogon to LSASS 94
Step 7: LSA Server Credentials Flow 95
Step 8: Local User Scenario 96
Step 9: Local User Logon: MSV1_0 Answer 99
Step 10: User Logon Rights Verification 104
Step 11: Security Token Generation 105
Step 12: SSPI Call 105
Step 13: LSASS Replies to Winlogon 105
Step 14: Userinit and Explorer.exe 105
Unsuccessful Local User Account Interactive Logon 106
Successful Domain User Account Interactive Logon 110
Steps 1–7: User Logon Process 110
Step 8: Authentication Package Negotiation 110
Step 9: LSA Cache 111
Step 10: Credentials Validation on the Domain Controller 112
Steps 11–16: Logon Process 112
Unsuccessful Domain User Account Interactive Logon 112
RemoteInteractive Logon 112
Successful User Account RemoteInteractive Logon 112
Successful User Account RemoteInteractive Logon Using Cached Credentials 114
Unsuccessful User Account RemoteInteractive Logon - NLA Enabled 115
Unsuccessful User Account RemoteInteractive Logon - NLA Disabled 117
Network Logon 118
Successful User Account Network Logon 118
Unsuccessful User Account Network Logon 120
Unsuccessful User Account Network Logon - NTLM 121
Unsuccessful User Account Network Logon - Kerberos 122
Batch and Service Logon 123
Successful Service / Batch Logon 123
Unsuccessful Service / Batch Logon 125
NetworkCleartext Logon 127
Successful User Account NetworkCleartext Logon - IIS Basic Authentication 127
Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 129
NewCredentials Logon 129
Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type 132
Account Logoff and Session Disconnect 133
Terminal Session Disconnect 134
Special Groups 135
Anonymous Logon 136
Default ANONYMOUS LOGON Logon Session 136
Explicit Use of Anonymous Credentials 138
Use of Account That Has No Network Credentials 139
Computer Account Activity from Non–Domain- Joined Machine 139
Allow Local System to Use Computer Identity for NTLM 140
Chapter 5 Local User Accounts 141
Built-in Local User Accounts 142
Administrator 142
Guest 144
Custom User Account 145
HomeGroupUser$ 145
DefaultAccount 146
Built-in Local User Accounts Monitoring Scenarios 146
New Local User Account Creation 146
Successful Local User Account Creation 147
Unsuccessful Local User Account Creation: Access Denied 164
Unsuccessful Local User Account Creation: Other 165
Monitoring Scenarios: Local User Account Creation 166
Local User Account Deletion 168
Successful Local User Account Deletion 169
Unsuccessful Local User Account Deletion - Access Denied 173
Unsuccessful Local User Account Deletion - Other 175
Monitoring Scenarios: Local User Account Deletion 176
Local User Account Password Modification 177
Successful Local User Account Password Reset 178
Unsuccessful Local User Account Password Reset - Access Denied 179
Unsuccessful Local User Account Password Reset - Other 180
Monitoring Scenarios: Password Reset 181
Successful Local User Account Password Change 182
Unsuccessful Local User Account Password Change 183
Monitoring Scenarios: Password Change 184
Local User Account Enabled/Disabled 184
Local User Account Was Enabled 184
Local User Account Was Disabled 186
Monitoring Scenarios: Account Enabled/Disabled 186
Local User Account Lockout Events 187
Local User Account Lockout 188
Local User Account Unlock 190
Monitoring Scenarios: Account Enabled/Disabled 191
Local User Account Change Events 191
Local User Account Change Event 192
Local User Account Name Change Event 196
Monitoring Scenarios: Account Changes 198
Blank Password Existence Validation 199
Chapter 6 Local Security Groups 201
Built-in Local Security Groups 203
Access Control Assistance Operators 205
Administrators 205
Backup Operators 205
Certificate Service DCOM Access 205
Cryptographic Operators 205
Distributed COM Users 206
Event Log Readers 207
Guests 207
Hyper-V Administrators 207
IIS_IUSRS 208
Network Configuration Operators 208
Performance Log Users 209
Performance Monitor Users 209
Power Users 209
Print Operators 209
Remote Desktop Users 209
Remote Management Users 210
Replicator 210
Storage Replica Administrators 210
System Managed Accounts Group 210
Users 210
WinRMRemoteWMIUsers__ 211
Built-in Local Security Groups Monitoring Scenarios 211
Local Security Group Creation 212
Successful Local Security Group Creation 212
Unsuccessful Local Security Group Creation - Access Denied 217
Monitoring Scenarios: Local Security Group Creation 218
Local Security Group Deletion 218
Successful Local Security Group Deletion 219
Unsuccessful Local Security Group Deletion - Access Denied 221
Unsuccessful Local Security Group Deletion - Other 222
Monitoring Scenarios: Local Security Group Deletion 223
Local Security Group Change 223
Successful Local Security Group Change 224
Unsuccessful Local Security Group Change - Access Denied 226
Monitoring Scenarios: Local Security Group Change 227
Local Security Group Membership Operations 227
Successful New Local Group Member Add Operation 228
Successful Local Group Member Remove Operation 231
Unsuccessful Local Group Member Remove/ Add Operation - Access Denied 232
Monitoring Scenarios: Local Security Group Members Changes 233
Local Security Group Membership Enumeration 234
Monitoring Scenarios: Local Security Group Membership Enumeration 235
Chapter 7 Microsoft Active Directory 237
Active Directory Built-in Security Groups 237
Administrators 238
Account Operators 238
Incoming Forest Trust Builders 238
Pre-Windows 2000 Compatible Access 238
Server Operators 239
Terminal Server License Servers 239
Windows Authorization Access 239
Allowed RODC Password Replication Group 240
Denied RODC Password Replication Group 240
Cert Publishers 240
DnsAdmins 240
RAS and IAS Servers 241
Cloneable Domain Controllers 241
DnsUpdateProxy 241
Domain Admins 241
Domain Computers 241
Domain Controllers 242
Domain Users 242
Group Policy Creator Owners 242
Protected Users 242
Read-Only Domain Controllers 242
Enterprise Read-Only Domain Controllers 242
Enterprise Admins 243
Schema Admins 243
Built-in Active Directory Accounts 243
Administrator 243
Chapter 8 Active Directory Objects 285
Active Directory Object SACL 286
Child Object Creation and Deletion Permissions 291
Extended Rights 292
Validated Writes 294
Chapter 9 Authentication Protocols 323
NTLM-family Protocols 323
Challenge-Response Basics 323
LAN Manager 325
LM Hash 325
Chapter 10 Operating System Events 367
System Startup/Shutdown 368
Successful Normal System Shutdown 368
Unsuccessful Normal System Shutdown - Access Denied 370
Chapter 11 Logon Rights and User Privileges 419
Logon Rights 419
Logon Rights Policy Modification 420
Logon Rights Policy Settings - Member Added 421
Logon Rights Policy Settings - Member Removed 421
Unsuccessful Logons Due to Lack of Logon Rights 422
User Privileges 422
User Privileges Policy Modification 427
User Privileges Policy Settings - Member Added 427
User Privileges Policy Settings - Member Removed 428
Special User Privileges Assigned at Logon Time 429
Logon Session User Privileges Operations 430
Privilege Use 431
Successful Call of a Privileged Service 431
Unsuccessful Call of a Privileged Service 432
Successful Operation with a Privileged Object 433
Unsuccessful Operation with a Privileged Object 435
Backup and Restore Privilege Use Auditing 435
Chapter 12 Windows Applications 437
New Application Installation 437
Application Installation Using Windows Installer 440
Application Removal Using Windows Installer 443
Chapter 13 Filesystem and Removable Storage 485
Windows Filesystem 486
NTFS Security Descriptors 487
Inheritance 493
Chapter 14 Windows Registry 523
Windows Registry Basics 523
Registry Key Permissions 526
Registry Operations Auditing 528
Chapter 15 Network File Shares and Named Pipes 559
Network File Shares 559
Network File Share Access Permissions 563
File Share Creation 564
Appendix A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options 585
Appendix B Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes 589
Appendix C SDDL Access Rights 597
Object-Specific Access Rights 598
Index 603
