Windows Security Monitoring : Scenarios and Patterns.

By: Miroshnikov, Andrei
Material type: Text
Series: eBooks on Demand
Publisher: Newark : John Wiley & Sons, Incorporated, 2018
Copyright date: ©2018
Description: 1 online resource (651 pages)
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9781119390893
Subject(s): Microsoft Windows (Computer file) | Computer security
Genre/Form: Electronic books.
Additional physical formats: Print version: Windows Security Monitoring : Scenarios and Patterns
DDC classification: 005.8
LOC classification: QA76.76.W56 .M576 2018
Online resources: https://ebookcentral.proquest.com/lib/uttyler/detail.action?docID=5322517
Contents:
Cover -- Title Page -- Copyright -- About the Author -- About the Technical Editor -- Credits -- Acknowledgments -- Contents
Introduction -- Who This Book Is For -- What This Book Covers -- How This Book Is Structured -- What You Need to Use This Book -- Conventions -- What's on the Website
Part I: Introduction to Windows Security Monitoring
Chapter 1: Windows Security Logging and Monitoring Policy -- Security Logging -- Security Logs -- System Requirements -- PII and PHI -- Availability and Protection -- Configuration Changes -- Secure Storage -- Centralized Collection -- Backup and Retention -- Periodic Review -- Security Monitoring -- Communications -- Audit Tool and Technologies -- Network Intrusion Detection Systems -- Host-based Intrusion Detection Systems -- System Reviews -- Reporting
Part II: Windows Auditing Subsystem
Chapter 2: Auditing Subsystem Architecture -- Legacy Auditing Settings -- Advanced Auditing Settings -- Set Advanced Audit Settings via Local Group Policy -- Set Advanced Audit Settings via Domain Group Policy -- Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database -- Read Current LSA Policy Database Advanced Audit Policy Settings -- Advanced Audit Policies Enforcement and Legacy Policies Rollback -- Switch from Advanced Audit Settings to Legacy Settings -- Switch from Legacy Audit Settings to Advanced Settings -- Windows Auditing Group Policy Settings -- Manage Auditing and Security Log -- Generate Security Audits -- Security Auditing Policy Security Descriptor -- Group Policy: "Audit: Shut Down System Immediately If Unable to Log Security Audits" -- Group Policy: Protected Event Logging -- Group Policy: "Audit: Audit the Use of Backup and Restore Privilege" -- Group Policy: "Audit: Audit the Access of Global System Objects" -- Audit the Access of Global System Container Objects -- Windows Event Log Service: Security Event Log Settings -- Changing the Maximum Security Event Log File Size -- Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size -- Group Policy: Back Up Log Automatically When Full -- Group Policy: Control the Location of the Log File -- Security Event Log Security Descriptor -- Guest and Anonymous Access to the Security Event Log -- Windows Auditing Architecture -- Windows Auditing Policy Flow -- LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route -- Windows Auditing Event Flow -- LSASS.EXE Security Event Flow -- NTOSKRNL.EXE Security Event Flow -- Security Event Structure
Chapter 3: Auditing Subcategories and Recommendations -- Account Logon -- Audit Credential Validation -- Audit Kerberos Authentication Service -- Audit Kerberos Service Ticket Operations -- Audit Other Account Logon Events -- Account Management -- Audit Application Group Management -- Audit Computer Account Management -- Audit Distribution Group Management -- Audit Other Account Management Events -- Audit Security Group Management -- Audit User Account Management -- Detailed Tracking -- Audit DPAPI Activity -- Audit PNP Activity -- Audit Process Creation -- Audit Process Termination -- Audit RPC Events -- DS Access -- Audit Detailed Directory Service Replication -- Audit Directory Service Access -- Audit Directory Service Changes -- Audit Directory Service Replication -- Logon and Logoff -- Audit Account Lockout -- Audit User/Device Claims -- Audit Group Membership -- Audit IPsec Extended Mode/Audit IPsec Main Mode/Audit IPsec Quick Mode -- Audit Logoff -- Audit Logon -- Audit Network Policy Server -- Audit Other Logon/Logoff Events -- Audit Special Logon -- Object Access -- Audit Application Generated -- Audit Certification Services -- Audit Detailed File Share -- Audit File Share -- Audit File System -- Audit Filtering Platform Connection -- Audit Filtering Platform Packet Drop -- Audit Handle Manipulation -- Audit Kernel Object -- Audit Other Object Access Events -- Audit Registry -- Audit Removable Storage -- Audit SAM -- Audit Central Policy Staging -- Policy Change -- Audit Policy Change -- Audit Authentication Policy Change -- Audit Authorization Policy Change -- Audit Filtering Platform Policy Change -- Audit MPSSVC Rule-Level Policy Change -- Audit Other Policy Change Events -- Privilege Use -- Audit Non Sensitive Privilege Use -- Audit Other Privilege Use Events -- Audit Sensitive Privilege Use -- System -- Audit IPsec Driver -- Audit Other System Events -- Audit Security State Change -- Audit Security System Extension -- Audit System Integrity
Part III: Security Monitoring Scenarios
Chapter 4: Account Logon -- Interactive Logon -- Successful Local User Account Interactive Logon -- Step 1: Winlogon Process Initialization -- Step 1: LSASS Initialization -- Step 2: Local System Account Logon -- Step 3: ALPC Tunnel between Winlogon and LSASS -- Step 4: Secure Desktop and SAS -- Step 5: Authentication Data Gathering -- Step 6: Send Credentials from Winlogon to LSASS -- Step 7: LSA Server Credentials Flow -- Step 8: Local User Scenario -- Step 9: Local User Logon: MSV1_0 Answer -- Step 10: User Logon Rights Verification -- Step 11: Security Token Generation -- Step 12: SSPI Call -- Step 13: LSASS Replies to Winlogon -- Step 14: Userinit and Explorer.exe -- Unsuccessful Local User Account Interactive Logon -- Successful Domain User Account Interactive Logon -- Steps 1-7: User Logon Process -- Step 8: Authentication Package Negotiation -- Step 9: LSA Cache -- Step 10: Credentials Validation on the Domain Controller -- Steps 11-16: Logon Process -- Unsuccessful Domain User Account Interactive Logon -- RemoteInteractive Logon -- Successful User Account RemoteInteractive Logon -- Successful User Account RemoteInteractive Logon Using Cached Credentials -- Unsuccessful User Account RemoteInteractive Logon - NLA Enabled -- Unsuccessful User Account RemoteInteractive Logon - NLA Disabled -- Network Logon -- Successful User Account Network Logon -- Unsuccessful User Account Network Logon -- Unsuccessful User Account Network Logon - NTLM -- Unsuccessful User Account Network Logon - Kerberos -- Batch and Service Logon -- Successful Service / Batch Logon -- Unsuccessful Service / Batch Logon -- NetworkCleartext Logon -- Successful User Account NetworkCleartext Logon - IIS Basic Authentication -- Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication -- NewCredentials Logon -- Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type -- Account Logoff and Session Disconnect -- Terminal Session Disconnect -- Special Groups -- Anonymous Logon -- Default ANONYMOUS LOGON Logon Session -- Explicit Use of Anonymous Credentials -- Use of Account That Has No Network Credentials -- Computer Account Activity from Non-Domain-Joined Machine -- Allow Local System to Use Computer Identity for NTLM
Chapter 5: Local User Accounts -- Built-in Local User Accounts -- Administrator -- Guest -- Custom User Account -- HomeGroupUser -- DefaultAccount -- Built-in Local User Accounts Monitoring Scenarios -- New Local User Account Creation -- Successful Local User Account Creation -- Unsuccessful Local User Account Creation: Access Denied -- Unsuccessful Local User Account Creation: Other -- Monitoring Scenarios: Local User Account Creation -- Local User Account Deletion -- Successful Local User Account Deletion -- Unsuccessful Local User Account Deletion - Access Denied -- Unsuccessful Local User Account Deletion - Other -- Monitoring Scenarios: Local User Account Deletion -- Local User Account Password Modification -- Successful Local User Account Password Reset -- Unsuccessful Local User Account Password Reset - Access Denied -- Unsuccessful Local User Account Password Reset - Other -- Monitoring Scenarios: Password Reset -- Successful Local User Account Password Change -- Unsuccessful Local User Account Password Change -- Monitoring Scenarios: Password Change -- Local User Account Enabled/Disabled -- Local User Account Was Enabled -- Local User Account Was Disabled -- Monitoring Scenarios: Account Enabled/Disabled -- Local User Account Lockout Events -- Local User Account Lockout -- Local User Account Unlock -- Monitoring Scenarios: Account Enabled/Disabled -- Local User Account Change Events -- Local User Account Change Event -- Local User Account Name Change Event -- Monitoring Scenarios: Account Changes -- Blank Password Existence Validation
Chapter 6: Local Security Groups -- Built-in Local Security Groups -- Access Control Assistance Operators -- Administrators -- Backup Operators -- Certificate Service DCOM Access -- Cryptographic Operators -- Distributed COM Users -- Event Log Readers -- Guests -- Hyper-V Administrators -- IIS_IUSRS -- Network Configuration Operators -- Performance Log Users -- Performance Monitor Users -- Power Users -- Print Operators -- Remote Desktop Users -- Remote Management Users -- Replicator -- Storage Replica Administrators -- System Managed Accounts Group -- Users -- WinRMRemoteWMIUsers__ -- Built-in Local Security Groups Monitoring Scenarios -- Local Security Group Creation -- Successful Local Security Group Creation -- Unsuccessful Local Security Group Creation - Access Denied -- Monitoring Scenarios: Local Security Group Creation -- Local Security Group Deletion -- Successful Local Security Group Deletion -- Unsuccessful Local Security Group Deletion - Access Denied.
Holdings:
Item type: Electronic Book
Current location: UT Tyler Online
Call number: QA76.76.W56 .M576 2018
URL: https://ebookcentral.proquest.com/lib/uttyler/detail.action?docID=5322517
Status: Available
Barcode: EBC5322517


Description based on publisher supplied metadata and other sources.

Author notes provided by Syndetics

Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference "Forensics CTF" village and has been a speaker at Microsoft's Bluehat security conference. In addition, Andrei is an author of the "Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference" and multiple internal Microsoft security training documents. Among his many professional qualifications, he has earned the (ISC)2 CISSP and Microsoft MCSE: Security certifications.
