Windows Security Monitoring - Scenarios and Patterns
by: Andrei Miroshnikov
Wiley, 2018
ISBN: 9781119390893, 651 pages
Format: PDF, online reading
Copy protection: DRM
Price: 32.99 EUR
Cover    1
Title Page    5
Copyright    6
About the Author    9
About the Technical Editor    9
Credits    11
Acknowledgments    13
Contents    17
Introduction    31
Who This Book Is For    32
What This Book Covers    32
How This Book Is Structured    33
What You Need to Use This Book    34
Conventions    35
What's on the Website    35
Part I: Introduction to Windows Security Monitoring    37
Chapter 1: Windows Security Logging and Monitoring Policy    39
Security Logging    39
Security Logs    40
System Requirements    41
PII and PHI    41
Availability and Protection    41
Configuration Changes    42
Secure Storage    42
Centralized Collection    42
Backup and Retention    43
Periodic Review    43
Security Monitoring    43
Communications    44
Audit Tool and Technologies    44
Network Intrusion Detection Systems    44
Host-based Intrusion Detection Systems    44
System Reviews    45
Reporting    45
Part II: Windows Auditing Subsystem    47
Chapter 2: Auditing Subsystem Architecture    49
Legacy Auditing Settings    49
Advanced Auditing Settings    52
Set Advanced Audit Settings via Local Group Policy    54
Set Advanced Audit Settings via Domain Group Policy    55
Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database    55
Read Current LSA Policy Database Advanced Audit Policy Settings    56
Advanced Audit Policies Enforcement and Legacy Policies Rollback    56
Switch from Advanced Audit Settings to Legacy Settings    57
Switch from Legacy Audit Settings to Advanced Settings    58
Windows Auditing Group Policy Settings    58
Manage Auditing and Security Log    58
Generate Security Audits    59
Security Auditing Policy Security Descriptor    59
Group Policy: "Audit: Shut Down System Immediately If Unable to Log Security Audits"    60
Group Policy: Protected Event Logging    61
Group Policy: "Audit: Audit the Use of Backup and Restore Privilege"    61
Group Policy: "Audit: Audit the Access of Global System Objects"    62
Audit the Access of Global System Container Objects    62
Windows Event Log Service: Security Event Log Settings    63
Changing the Maximum Security Event Log File Size    64
Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size    65
Group Policy: Back Up Log Automatically When Full    65
Group Policy: Control the Location of the Log File    66
Security Event Log Security Descriptor    67
Guest and Anonymous Access to the Security Event Log    69
Windows Auditing Architecture    69
Windows Auditing Policy Flow    70
LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route    71
Windows Auditing Event Flow    72
LSASS.EXE Security Event Flow    73
NTOSKRNL.EXE Security Event Flow    73
Security Event Structure    74
Chapter 3: Auditing Subcategories and Recommendations    83
Account Logon    83
Audit Credential Validation    83
Audit Kerberos Authentication Service    86
Audit Kerberos Service Ticket Operations    89
Audit Other Account Logon Events    90
Account Management    90
Audit Application Group Management    90
Audit Computer Account Management    90
Audit Distribution Group Management    91
Audit Other Account Management Events    92
Audit Security Group Management    93
Audit User Account Management    93
Detailed Tracking    94
Audit DPAPI Activity    94
Audit PNP Activity    94
Audit Process Creation    94
Audit Process Termination    95
Audit RPC Events    95
DS Access    96
Audit Detailed Directory Service Replication    96
Audit Directory Service Access    96
Audit Directory Service Changes    97
Audit Directory Service Replication    97
Logon and Logoff    97
Audit Account Lockout    97
Audit User/Device Claims    98
Audit Group Membership    98
Audit IPsec Extended Mode/Audit IPsec Main Mode/Audit IPsec Quick Mode    99
Audit Logoff    99
Audit Logon    100
Audit Network Policy Server    101
Audit Other Logon/Logoff Events    101
Audit Special Logon    102
Object Access    102
Audit Application Generated    103
Audit Certification Services    103
Audit Detailed File Share    103
Audit File Share    103
Audit File System    104
Audit Filtering Platform Connection    104
Audit Filtering Platform Packet Drop    105
Audit Handle Manipulation    105
Audit Kernel Object    106
Audit Other Object Access Events    107
Audit Registry    107
Audit Removable Storage    108
Audit SAM    108
Audit Central Policy Staging    109
Policy Change    109
Audit Policy Change    109
Audit Authentication Policy Change    110
Audit Authorization Policy Change    110
Audit Filtering Platform Policy Change    111
Audit MPSSVC Rule-Level Policy Change    111
Audit Other Policy Change Events    111
Privilege Use    112
Audit Non Sensitive Privilege Use    112
Audit Other Privilege Use Events    113
Audit Sensitive Privilege Use    113
System    113
Audit IPsec Driver    114
Audit Other System Events    114
Audit Security State Change    114
Audit Security System Extension    115
Audit System Integrity    115
Part III: Security Monitoring Scenarios    117
Chapter 4: Account Logon    119
Interactive Logon    121
Successful Local User Account Interactive Logon    121
Step 1: Winlogon Process Initialization    121
Step 1: LSASS Initialization    123
Step 2: Local System Account Logon    124
Step 3: ALPC Tunnel between Winlogon and LSASS    128
Step 4: Secure Desktop and SAS    128
Step 5: Authentication Data Gathering    128
Step 6: Send Credentials from Winlogon to LSASS    130
Step 7: LSA Server Credentials Flow    131
Step 8: Local User Scenario    132
Step 9: Local User Logon: MSV1_0 Answer    135
Step 10: User Logon Rights Verification    140
Step 11: Security Token Generation    141
Step 12: SSPI Call    141
Step 13: LSASS Replies to Winlogon    141
Step 14: Userinit and Explorer.exe    141
Unsuccessful Local User Account Interactive Logon    142
Successful Domain User Account Interactive Logon    146
Steps 1–7: User Logon Process    146
Step 8: Authentication Package Negotiation    146
Step 9: LSA Cache    147
Step 10: Credentials Validation on the Domain Controller    148
Steps 11–16: Logon Process    148
Unsuccessful Domain User Account Interactive Logon    148
RemoteInteractive Logon    148
Successful User Account RemoteInteractive Logon    148
Successful User Account RemoteInteractive Logon Using Cached Credentials    150
Unsuccessful User Account RemoteInteractive Logon - NLA Enabled    151
Unsuccessful User Account RemoteInteractive Logon - NLA Disabled    153
Network Logon    154
Successful User Account Network Logon    154
Unsuccessful User Account Network Logon    156
Unsuccessful User Account Network Logon - NTLM    157
Unsuccessful User Account Network Logon - Kerberos    158
Batch and Service Logon    159
Successful Service / Batch Logon    159
Unsuccessful Service / Batch Logon    161
NetworkCleartext Logon    163
Successful User Account NetworkCleartext Logon - IIS Basic Authentication    163
Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication    165
NewCredentials Logon    165
Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type    168
Account Logoff and Session Disconnect    169
Terminal Session Disconnect    170
Special Groups    171
Anonymous Logon    172
Default ANONYMOUS LOGON Logon Session    172
Explicit Use of Anonymous Credentials    174
Use of Account That Has No Network Credentials    175
Computer Account Activity from Non–Domain-Joined Machine    175
Allow Local System to Use Computer Identity for NTLM    176
Chapter 5: Local User Accounts    177
Built-in Local User Accounts    178
Administrator    178
Guest    180
Custom User Account    181
HomeGroupUser$    181
DefaultAccount    182
Built-in Local User Accounts Monitoring Scenarios    182
New Local User Account Creation    182
Successful Local User Account Creation    183
Unsuccessful Local User Account Creation: Access Denied    200
Unsuccessful Local User Account Creation: Other    201
Monitoring Scenarios: Local User Account Creation    202
Local User Account Deletion    204
Successful Local User Account Deletion    205
Unsuccessful Local User Account Deletion - Access Denied    209
Unsuccessful Local User Account Deletion - Other    211
Monitoring Scenarios: Local User Account Deletion    212
Local User Account Password Modification    213
Successful Local User Account Password Reset    214
Unsuccessful Local User Account Password Reset - Access Denied    215
Unsuccessful Local User Account Password Reset - Other    216
Monitoring Scenarios: Password Reset    217
Successful Local User Account Password Change    218
Unsuccessful Local User Account Password Change    219
Monitoring Scenarios: Password Change    220
Local User Account Enabled/Disabled    220
Local User Account Was Enabled    220
Local User Account Was Disabled    222
Monitoring Scenarios: Account Enabled/Disabled    222
Local User Account Lockout Events    223
Local User Account Lockout    224
Local User Account Unlock    226
Monitoring Scenarios: Account Lockout    227
Local User Account Change Events    227
Local User Account Change Event    228
Local User Account Name Change Event    232
Monitoring Scenarios: Account Changes    234
Blank Password Existence Validation    235
Chapter 6: Local Security Groups    237
Built-in Local Security Groups    239
Access Control Assistance Operators    241
Administrators    241
Backup Operators    241
Certificate Service DCOM Access    241
Cryptographic Operators    241
Distributed COM Users    242
Event Log Readers    243
Guests    243
Hyper-V Administrators    243
IIS_IUSRS    244
Network Configuration Operators    244
Performance Log Users    245
Performance Monitor Users    245
Power Users    245
Print Operators    245
Remote Desktop Users    245
Remote Management Users    246
Replicator    246
Storage Replica Administrators    246
System Managed Accounts Group    246
Users    246
WinRMRemoteWMIUsers__    247
Built-in Local Security Groups Monitoring Scenarios    247
Local Security Group Creation    248
Successful Local Security Group Creation    248
Unsuccessful Local Security Group Creation - Access Denied    253
Monitoring Scenarios: Local Security Group Creation    254
Local Security Group Deletion    254
Successful Local Security Group Deletion    255
Unsuccessful Local Security Group Deletion - Access Denied    257
Unsuccessful Local Security Group Deletion - Other    258
Monitoring Scenarios: Local Security Group Deletion    259
Local Security Group Change    259
Successful Local Security Group Change    260
Unsuccessful Local Security Group Change - Access Denied    262
Monitoring Scenarios: Local Security Group Change    263
Local Security Group Membership Operations    263
Successful New Local Group Member Add Operation    264
Successful Local Group Member Remove Operation    267
Unsuccessful Local Group Member Remove/Add Operation - Access Denied    268
Monitoring Scenarios: Local Security Group Members Changes    269
Local Security Group Membership Enumeration    270
Monitoring Scenarios: Local Security Group Membership Enumeration    271
Chapter 7: Microsoft Active Directory    273
Active Directory Built-in Security Groups    273
Administrators    274
Account Operators    274
Incoming Forest Trust Builders    274
Pre-Windows 2000 Compatible Access    274
Server Operators    275
Terminal Server License Servers    275
Windows Authorization Access    275
Allowed RODC Password Replication Group    276
Denied RODC Password Replication Group    276
Cert Publishers    276
DnsAdmins    276
RAS and IAS Servers    277
Cloneable Domain Controllers    277
DnsUpdateProxy    277
Domain Admins    277
Domain Computers    277
Domain Controllers    278
Domain Users    278
Group Policy Creator Owners    278
Protected Users    278
Read-Only Domain Controllers    278
Enterprise Read-Only Domain Controllers    278
Enterprise Admins    279
Schema Admins    279
Built-in Active Directory Accounts    279
Administrator    279
Krbtgt    280
Directory Services Restore Mode (DSRM) Account    280
Active Directory Accounts Operations    281
Active Directory User Accounts Operations    281
Successful Active Directory User Creation    281
Unsuccessful Active Directory User Creation    286
Successful Active Directory User Deletion    287
Unsuccessful Active Directory User Deletion    288
Other Active Directory User Account Operations    288
Successful Active Directory User SID History Addition    288
Active Directory Computer Account Operations    289
Successful Computer Account Creation - Joining a Domain    289
Successful Computer Account Creation - Manual Creation    291
Unsuccessful Computer Account Creation    292
Successful Computer Account Deletion    293
Unsuccessful Computer Account Deletion    293
Successful Computer Account Modification    293
Unsuccessful Computer Account Modification    295
Active Directory Group Operations    295
Active Directory Group Creation    296
Active Directory Group Deletion    297
Active Directory Group Modification    298
Active Directory Group New Member Added    299
Active Directory Group Member Removed    301
Group Type and Scope Type Changes    302
Active Directory Trust Operations    303
Active Directory Trust Creation Operations    303
Active Directory Trust Modification Operations    308
Active Directory Trust Deletion Operations    309
Operations with Forest Trust Records    310
Active Directory Forest Trust Record Creation Operations    310
Active Directory Forest Trust Record Modification Operations    313
Active Directory Forest Trust Record Remove Operations    314
Domain Policy Changes    315
Password and Account Lockout Policies    315
Kerberos Policy    316
Account Password Migration    318
Chapter 8: Active Directory Objects    321
Active Directory Object SACL    322
Child Object Creation and Deletion Permissions    327
Extended Rights    328
Validated Writes    330
Properties    331
Default SACLs    332
Active Directory Object Change Auditing    340
Active Directory Object Creation    341
Active Directory Object Deletion    342
Active Directory Object Undeletion    343
Active Directory Object Movement    345
Active Directory Object Modification    346
Add Value Operation    346
Delete Value Operation    349
Active Directory Object Operation Attempts    349
Successful Active Directory Object Operation Attempts    349
Unsuccessful Active Directory Object Operation Attempts    354
Active Directory Objects Auditing Examples    356
Organizational Unit Creation/Deletion    356
Organizational Unit Child Object Creation/Deletion    356
adminCount Attribute Modification for User Accounts    356
Group Policy Link/Unlink Operations    357
Chapter 9: Authentication Protocols    359
NTLM-family Protocols    359
Challenge-Response Basics    359
LAN Manager    361
LM Hash    361
LM Challenge-Response Mechanism    363
NT LAN Manager    365
NTLM Hash    365
NTLM Challenge-Response Mechanism    366
NT LAN Manager V2    366
NTLMv2 Challenge-Response Mechanism    366
NTLMSSP and Anonymous Authentication    369
NTLMv1 Session Security and NTLMv2 Session Security    369
NTLMv2 Session Response    370
Anonymous Authentication    371
NTLM-family Protocols Monitoring    371
Network Security: Restrict NTLM Security Group Policy Settings    371
Local Account Authentication    372
Domain Account Authentication    380
Cross-Domain Challenge-Response    383
Kerberos    384
Ticket-Granting Ticket (TGT)    384
Successful AS_REQ Message    388
Unsuccessful AS_REQ Message - Password Expired, Wrong Password, Smart Card Logon Issues    390
Unsuccessful AS_REQ Message - Other Scenarios    392
TGT Renewal    393
Ticket-Granting Service (TGS) Ticket    394
Successful TGS_REQ Message    398
Unsuccessful TGS_REQ and AP_REQ Messages    400
Chapter 10: Operating System Events    403
System Startup/Shutdown    404
Successful Normal System Shutdown    404
Unsuccessful Normal System Shutdown - Access Denied    406
Successful System Startup    407
Monitoring Scenarios: System Startup/Shutdown    407
System Time Changes    408
Successful System Time Zone Change    409
Unsuccessful System Time Zone Change    410
Successful System Clock Settings Change    410
Unsuccessful System Clock Settings Change    412
Monitoring Scenarios: System Time Changes    412
System Services Operations    412
Successful Service Installation - Prior to Windows 10/2016    413
Successful Service Installation - Windows 10/2016    415
Unsuccessful Service Installation - Access Denied    416
System Service State Changes    418
Unsuccessful Service Stop Operation - Access Denied    419
Monitoring Scenarios: System Services Operations    420
Security Event Log Operations    422
Successful Security Event Log Erase Operation    422
Unsuccessful Security Event Log Erase Operation    423
Successful Security Event Log Service Shutdown    423
Unsuccessful Security Event Log Service Shutdown    424
Monitoring Scenarios: Security Event Log Operations    424
Changes in Auditing Subsystem Settings    424
Successful Auditing Subsystem Security Descriptor Change    424
Unsuccessful Auditing Subsystem Security Descriptor Change    430
Successful System Audit Policy Changes    431
Unsuccessful System Audit Policy Changes    436
Monitoring Scenarios: Changes in Auditing Subsystem Settings    436
Per-User Auditing Operations    437
Successful Per-User Auditing Policy Changes    438
Unsuccessful Per-User Auditing Policy Changes    440
Per-User Auditing Database Initialization    440
Monitoring Scenarios: Per-User Auditing Operations    440
Scheduled Tasks    441
Successful Scheduled Task Creation    442
Unsuccessful Scheduled Task Creation - Access Denied    444
Successful Scheduled Task Deletion    446
Unsuccessful Scheduled Task Deletion    446
Successful Scheduled Task Change    446
Unsuccessful Scheduled Task Change    447
Successful Scheduled Task Enable/Disable Operations    447
Monitoring Scenarios: Scheduled Tasks    449
Boot Configuration Data Changes    449
Monitoring Scenarios: Boot Configuration Data    453
Chapter 11: Logon Rights and User Privileges    455
Logon Rights    455
Logon Rights Policy Modification    456
Logon Rights Policy Settings - Member Added    457
Logon Rights Policy Settings - Member Removed    457
Unsuccessful Logons Due to Lack of Logon Rights    458
User Privileges    458
User Privileges Policy Modification    463
User Privileges Policy Settings - Member Added    463
User Privileges Policy Settings - Member Removed    464
Special User Privileges Assigned at Logon Time    465
Logon Session User Privileges Operations    466
Privilege Use    467
Successful Call of a Privileged Service    467
Unsuccessful Call of a Privileged Service    468
Successful Operation with a Privileged Object    469
Unsuccessful Operation with a Privileged Object    471
Backup and Restore Privilege Use Auditing    471
Chapter 12: Windows Applications    473
New Application Installation    473
Application Installation Using Windows Installer    476
Application Removal Using Windows Installer    479
Application Installation Using Other Methods    480
Application Installation - Process Creation    480
Application Installation - Software Registry Keys    481
Application Installation - New Folders in Program Files and Program Files (x86) Folders    484
Application Removal Using Other Methods    484
Application Removal - Process Creation    484
Application Removal - Software Registry Keys    485
Application Removal - Folder Removal in the Program Files and Program Files (x86) Folders    487
Application Execution and Termination    489
Successful Process Creation    491
Successful Process Creation - CreateProcessWithLogonW initiated    496
Unsuccessful Process Creation    497
Process Termination    499
Application Crash Monitoring    500
Windows Error Reporting    503
WER Report    507
Windows AppLocker Auditing    507
AppLocker Policy    507
AppLocker Monitoring    508
EXE and DLL    510
MSI and Script    515
Packaged app-Execution and Packaged app-Deployment    516
Process Permissions and LSASS.exe Access Auditing    516
LSASS's Process Default SACL    518
Chapter 13: Filesystem and Removable Storage    521
Windows Filesystem    522
NTFS Security Descriptors    523
Inheritance    529
SACL    530
File and Folder Operations    531
File/Folder Creation    531
Successful File Creation    531
Unsuccessful File Creation    534
Successful Folder Creation    537
Unsuccessful Folder Creation    538
File/Folder Deletion    539
Successful File Deletion    539
Unsuccessful File Deletion    540
Successful Folder Deletion    540
Unsuccessful Folder Deletion    541
File Content Modification    541
Successful File Content Modification    541
Unsuccessful File Content Modification    542
File Read Data    542
Successful File Read Data Operations    542
Unsuccessful File Read Data Operations    543
File/Folder Attribute Changes    543
Successful File/Folder Attribute Changes    543
Unsuccessful File/Folder Attribute Changes    544
File/Folder Owner Change    544
Successful File/Folder Owner Change    544
Unsuccessful File/Folder Owner Change    545
File/Folder Access Permissions Change    546
Successful Access Permissions Changes    546
Unsuccessful Access Permissions Changes    547
File/Folder SACL Changes    547
Successful Auditing Settings (SACL) Change    547
Unsuccessful Auditing Settings Change    550
Removable Storage    551
Global Object Access Auditing: Filesystem    552
File System Object Integrity Levels    553
File System Object Integrity Level Modification    554
File System Object Access Attempt - Access Denied by Integrity Policy Check    556
Monitoring Recommendations    556
Monitoring Scenarios    557
Chapter 14: Windows Registry    559
Windows Registry Basics    559
Registry Key Permissions    562
Registry Operations Auditing    564
Registry Key Creation    564
Successful Registry Key Creation    564
Unsuccessful Registry Key Creation    567
Registry Key Deletion    568
Successful Registry Key Deletion    568
Unsuccessful Registry Key Deletion    569
Operations with Registry Key Values    569
Successful Registry Value Creation    570
Unsuccessful Registry Value Creation    571
Successful Registry Value Deletion    572
Unsuccessful Registry Value Deletion    574
Successful Registry Value Modification    574
Unsuccessful Registry Value Modification    575
Registry Key Read and Keys Enumeration Operations    575
Successful Registry Key Read Operation    575
Unsuccessful Registry Key Read Operation    576
Successful Registry Key Subkeys Enumeration    577
Unsuccessful Registry Key Subkeys Enumeration    578
Successful Registry Key Access Permissions Read    578
Unsuccessful Registry Key Access Permissions Read    579
Successful Registry Key Audit Permissions Read    579
Unsuccessful Registry Key Audit Permissions Read    581
DACL, SACL, and Ownership Change Operations    581
Successful Registry Key Access Permissions Change    582
Unsuccessful Registry Key Access Permissions Change    583
Successful Registry Key Audit Permissions Change    584
Unsuccessful Registry Key Audit Permissions Change    587
Successful Registry Key Owner Change    587
Global Object Access Auditing: Registry    589
Registry Key Integrity Levels    590
Registry Key Integrity Level Modification    590
Monitoring Recommendations    592
Monitoring Scenarios    593
Chapter 15: Network File Shares and Named Pipes    595
Network File Shares    595
Network File Share Access Permissions    599
File Share Creation    600
Successful File Share Creation    600
Monitoring Recommendations    601
File Share Deletion    602
Successful File Share Deletion    602
Unsuccessful File Share Deletion    603
Monitoring Recommendations    603
File Share Modification    603
Successful File Share Modification    604
Unsuccessful File Share Modification    606
Monitoring Recommendations    606
File Share Access    606
Successful File Share Session Creation    606
Successful File Share File/Folder Operations    608
Unsuccessful Admin File Share Session Creation    610
Unsuccessful File Share Access - File Share Permissions    610
Unsuccessful File Share Access - File System Permissions    611
Monitoring Recommendations    612
Named Pipes    613
Successful Named Pipe Auditing Settings Changes    614
Unsuccessful Named Pipe Auditing Settings Changes    616
Successful Named Pipe Access Permissions Changes    617
Named Pipe Access Attempts    618
IPC$ Share Access Attempts    618
Monitoring Recommendations    620
Appendix A: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options    621
Appendix B: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes    625
Appendix C: SDDL Access Rights    633
Object-Specific Access Rights    634
Index    639
EULA    651