{"product_id":"windows-security-monitoring-isbn-9781119390640","title":"Windows Security Monitoring","description":"\u003cp\u003e\u003cb\u003eDig deep into the Windows auditing subsystem to monitor for malicious activities and enhance Windows system security\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWritten by a former Microsoft security program manager, DEFCON \"Forensics CTF\" village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system's event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful components. Scenario-based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and components, this book provides detailed information on security events generated by the operating system for many common operations such as user account authentication, Active Directory object modifications, local security policy changes, and other activities.\u003c\/p\u003e \u003cp\u003eThis book is based on the author's experience and the results of his research into Microsoft Windows security monitoring and anomaly detection. 
It presents the most common scenarios people should be aware of to check for any potentially suspicious activity.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eLearn to:\u003c\/b\u003e\u003c\/p\u003e \u003cul\u003e \u003cli\u003eImplement the Security Logging and Monitoring policy\u003c\/li\u003e \u003cli\u003eDig into the Windows security auditing subsystem\u003c\/li\u003e \u003cli\u003eUnderstand the most common monitoring event patterns related to operations and changes in the Microsoft Windows operating system\u003c\/li\u003e \u003c\/ul\u003e \u003ch3\u003eAbout the Author\u003c\/h3\u003e \u003cp\u003e\u003cb\u003eAndrei Miroshnikov\u003c\/b\u003e is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference \"Forensics CTF\" village and has been a speaker at Microsoft's Bluehat security conference. In addition, Andrei is an author of the \"Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference\" and multiple internal Microsoft security training documents. 
Among his many professional qualifications, he has earned the (ISC)\u003csup\u003e2\u003c\/sup\u003e CISSP and Microsoft MCSE: Security certifications.\u003c\/p\u003e \u003cp\u003eIntroduction xxix\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I Introduction to Windows Security Monitoring 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 Windows Security Logging and Monitoring Policy 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSecurity Logging 3\u003c\/p\u003e \u003cp\u003eSecurity Logs 4\u003c\/p\u003e \u003cp\u003eSystem Requirements 5\u003c\/p\u003e \u003cp\u003ePII and PHI 5\u003c\/p\u003e \u003cp\u003eAvailability and Protection 5\u003c\/p\u003e \u003cp\u003eConfiguration Changes 6\u003c\/p\u003e \u003cp\u003eSecure Storage 6\u003c\/p\u003e \u003cp\u003eCentralized Collection 6\u003c\/p\u003e \u003cp\u003eBackup and Retention 7\u003c\/p\u003e \u003cp\u003ePeriodic Review 7\u003c\/p\u003e \u003cp\u003eSecurity Monitoring 7\u003c\/p\u003e \u003cp\u003eCommunications 8\u003c\/p\u003e \u003cp\u003eAudit Tool and Technologies 8\u003c\/p\u003e \u003cp\u003eNetwork Intrusion Detection Systems 8\u003c\/p\u003e \u003cp\u003eHost-based Intrusion Detection Systems 8\u003c\/p\u003e \u003cp\u003eSystem Reviews 9\u003c\/p\u003e \u003cp\u003eReporting 9\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II Windows Auditing Subsystem 11\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Auditing Subsystem Architecture 13\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eLegacy Auditing Settings 13\u003c\/p\u003e \u003cp\u003eAdvanced Auditing Settings 16\u003c\/p\u003e \u003cp\u003eSet Advanced Audit Settings via Local Group Policy 18\u003c\/p\u003e \u003cp\u003eSet Advanced Audit Settings via Domain Group Policy 19\u003c\/p\u003e \u003cp\u003eSet Advanced Audit Settings in the Local Security Authority (LSA) Policy Database 19\u003c\/p\u003e \u003cp\u003eRead Current LSA Policy Database Advanced Audit Policy Settings 20\u003c\/p\u003e 
\u003cp\u003eAdvanced Audit Policies Enforcement and Legacy Policies Rollback 20\u003c\/p\u003e \u003cp\u003eSwitch from Advanced Audit Settings to Legacy Settings 21\u003c\/p\u003e \u003cp\u003eSwitch from Legacy Audit Settings to Advanced Settings 22\u003c\/p\u003e \u003cp\u003eWindows Auditing Group Policy Settings 22\u003c\/p\u003e \u003cp\u003eManage Auditing and Security Log 22\u003c\/p\u003e \u003cp\u003eGenerate Security Audits 23\u003c\/p\u003e \u003cp\u003eSecurity Auditing Policy Security Descriptor 23\u003c\/p\u003e \u003cp\u003eGroup Policy: “Audit: Shut Down System Immediately If Unable to Log Security Audits” 24\u003c\/p\u003e \u003cp\u003eGroup Policy: Protected Event Logging 25\u003c\/p\u003e \u003cp\u003eGroup Policy: “Audit: Audit the Use of Backup and Restore Privilege” 25\u003c\/p\u003e \u003cp\u003eGroup Policy: “Audit: Audit the Access of Global System Objects” 26\u003c\/p\u003e \u003cp\u003eAudit the Access of Global System Container Objects 26\u003c\/p\u003e \u003cp\u003eWindows Event Log Service: Security Event Log Settings 27\u003c\/p\u003e \u003cp\u003eChanging the Maximum Security Event Log File Size 28\u003c\/p\u003e \u003cp\u003eGroup Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size 29\u003c\/p\u003e \u003cp\u003eGroup Policy: Back Up Log Automatically When Full 29\u003c\/p\u003e \u003cp\u003eGroup Policy: Control the Location of the Log File 30\u003c\/p\u003e \u003cp\u003eSecurity Event Log Security Descriptor 31\u003c\/p\u003e \u003cp\u003eGuest and Anonymous Access to the Security Event Log 33\u003c\/p\u003e \u003cp\u003eWindows Auditing Architecture 33\u003c\/p\u003e \u003cp\u003eWindows Auditing Policy Flow 34\u003c\/p\u003e \u003cp\u003eLsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route 35\u003c\/p\u003e \u003cp\u003eWindows Auditing Event Flow 36\u003c\/p\u003e \u003cp\u003eLSASS.EXE Security Event Flow 37\u003c\/p\u003e \u003cp\u003eNTOSKRNL.EXE Security Event Flow 
37\u003c\/p\u003e \u003cp\u003eSecurity Event Structure 38\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Auditing Subcategories and Recommendations 47\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAccount Logon 47\u003c\/p\u003e \u003cp\u003eAudit Credential Validation 47\u003c\/p\u003e \u003cp\u003eAudit Kerberos Authentication Service 50\u003c\/p\u003e \u003cp\u003eAudit Kerberos Service Ticket Operations 53\u003c\/p\u003e \u003cp\u003eAudit Other Account Logon Events 54\u003c\/p\u003e \u003cp\u003eAccount Management 54\u003c\/p\u003e \u003cp\u003eAudit Application Group Management 54\u003c\/p\u003e \u003cp\u003eAudit Computer Account Management 54\u003c\/p\u003e \u003cp\u003eAudit Distribution Group Management 55\u003c\/p\u003e \u003cp\u003eAudit Other Account Management Events 56\u003c\/p\u003e \u003cp\u003eAudit Security Group Management 57\u003c\/p\u003e \u003cp\u003eAudit User Account Management 57\u003c\/p\u003e \u003cp\u003eDetailed Tracking 58\u003c\/p\u003e \u003cp\u003eAudit DPAPI Activity 58\u003c\/p\u003e \u003cp\u003eAudit PNP Activity 58\u003c\/p\u003e \u003cp\u003eAudit Process Creation 58\u003c\/p\u003e \u003cp\u003eAudit Process Termination 59\u003c\/p\u003e \u003cp\u003eAudit RPC Events 59\u003c\/p\u003e \u003cp\u003eDS Access 60\u003c\/p\u003e \u003cp\u003eAudit Detailed Directory Service Replication 60\u003c\/p\u003e \u003cp\u003eAudit Directory Service Access 60\u003c\/p\u003e \u003cp\u003eAudit Directory Service Changes 61\u003c\/p\u003e \u003cp\u003eAudit Directory Service Replication 61\u003c\/p\u003e \u003cp\u003eLogon and Logoff 61\u003c\/p\u003e \u003cp\u003eAudit Account Lockout 61\u003c\/p\u003e \u003cp\u003eAudit User\/Device Claims 62\u003c\/p\u003e \u003cp\u003eAudit Group Membership 62\u003c\/p\u003e \u003cp\u003eAudit IPsec Extended Mode\/Audit IPsec Main Mode\/Audit IPsec Quick Mode 63\u003c\/p\u003e \u003cp\u003eAudit Logoff 63\u003c\/p\u003e \u003cp\u003eAudit Logon 64\u003c\/p\u003e \u003cp\u003eAudit Network Policy Server 
65\u003c\/p\u003e \u003cp\u003eAudit Other Logon\/Logoff Events 65\u003c\/p\u003e \u003cp\u003eAudit Special Logon 66\u003c\/p\u003e \u003cp\u003eObject Access 66\u003c\/p\u003e \u003cp\u003eAudit Application Generated 67\u003c\/p\u003e \u003cp\u003eAudit Certification Services 67\u003c\/p\u003e \u003cp\u003eAudit Detailed File Share 67\u003c\/p\u003e \u003cp\u003eAudit File Share 67\u003c\/p\u003e \u003cp\u003eAudit File System 68\u003c\/p\u003e \u003cp\u003eAudit Filtering Platform Connection 68\u003c\/p\u003e \u003cp\u003eAudit Filtering Platform Packet Drop 69\u003c\/p\u003e \u003cp\u003eAudit Handle Manipulation 69\u003c\/p\u003e \u003cp\u003eAudit Kernel Object 70\u003c\/p\u003e \u003cp\u003eAudit Other Object Access Events 71\u003c\/p\u003e \u003cp\u003eAudit Registry 71\u003c\/p\u003e \u003cp\u003eAudit Removable Storage 72\u003c\/p\u003e \u003cp\u003eAudit SAM 72\u003c\/p\u003e \u003cp\u003eAudit Central Policy Staging 73\u003c\/p\u003e \u003cp\u003ePolicy Change 73\u003c\/p\u003e \u003cp\u003eAudit Policy Change 73\u003c\/p\u003e \u003cp\u003eAudit Authentication Policy Change 74\u003c\/p\u003e \u003cp\u003eAudit Authorization Policy Change 74\u003c\/p\u003e \u003cp\u003eAudit Filtering Platform Policy Change 75\u003c\/p\u003e \u003cp\u003eAudit MPSSVC Rule-Level Policy Change 75\u003c\/p\u003e \u003cp\u003eAudit Other Policy Change Events 75\u003c\/p\u003e \u003cp\u003ePrivilege Use 76\u003c\/p\u003e \u003cp\u003eAudit Non Sensitive Privilege Use 76\u003c\/p\u003e \u003cp\u003eAudit Other Privilege Use Events 77\u003c\/p\u003e \u003cp\u003eAudit Sensitive Privilege Use 77\u003c\/p\u003e \u003cp\u003eSystem 77\u003c\/p\u003e \u003cp\u003eAudit IPsec Driver 78\u003c\/p\u003e \u003cp\u003eAudit Other System Events 78\u003c\/p\u003e \u003cp\u003eAudit Security State Change 78\u003c\/p\u003e \u003cp\u003eAudit Security System Extension 79\u003c\/p\u003e \u003cp\u003eAudit System Integrity 79\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Security 
Monitoring Scenarios 81\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Account Logon 83\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eInteractive Logon 85\u003c\/p\u003e \u003cp\u003eSuccessful Local User Account Interactive Logon 85\u003c\/p\u003e \u003cp\u003eStep 1: Winlogon Process Initialization 85\u003c\/p\u003e \u003cp\u003eStep 1: LSASS Initialization 87\u003c\/p\u003e \u003cp\u003eStep 2: Local System Account Logon 88\u003c\/p\u003e \u003cp\u003eStep 3: ALPC Communications between Winlogon and LSASS 92\u003c\/p\u003e \u003cp\u003eStep 4: Secure Desktop and SAS 92\u003c\/p\u003e \u003cp\u003eStep 5: Authentication Data Gathering 92\u003c\/p\u003e \u003cp\u003eStep 6: Send Credentials from Winlogon to LSASS 94\u003c\/p\u003e \u003cp\u003eStep 7: LSA Server Credentials Flow 95\u003c\/p\u003e \u003cp\u003eStep 8: Local User Scenario 96\u003c\/p\u003e \u003cp\u003eStep 9: Local User Logon: MSV1_0 Answer 99\u003c\/p\u003e \u003cp\u003eStep 10: User Logon Rights Verification 104\u003c\/p\u003e \u003cp\u003eStep 11: Security Token Generation 105\u003c\/p\u003e \u003cp\u003eStep 12: SSPI Call 105\u003c\/p\u003e \u003cp\u003eStep 13: LSASS Replies to Winlogon 105\u003c\/p\u003e \u003cp\u003eStep 14: Userinit and Explorer.exe 105\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Interactive Logon 106\u003c\/p\u003e \u003cp\u003eSuccessful Domain User Account Interactive Logon 110\u003c\/p\u003e \u003cp\u003eSteps 1–7: User Logon Process 110\u003c\/p\u003e \u003cp\u003eStep 8: Authentication Package Negotiation 110\u003c\/p\u003e \u003cp\u003eStep 9: LSA Cache 111\u003c\/p\u003e \u003cp\u003eStep 10: Credentials Validation on the Domain Controller 112\u003c\/p\u003e \u003cp\u003eSteps 11–16: Logon Process 112\u003c\/p\u003e \u003cp\u003eUnsuccessful Domain User Account Interactive Logon 112\u003c\/p\u003e \u003cp\u003eRemoteInteractive Logon 112\u003c\/p\u003e \u003cp\u003eSuccessful User Account RemoteInteractive Logon 112\u003c\/p\u003e 
\u003cp\u003eSuccessful User Account RemoteInteractive Logon Using Cached Credentials 114\u003c\/p\u003e \u003cp\u003eUnsuccessful User Account RemoteInteractive Logon - NLA Enabled 115\u003c\/p\u003e \u003cp\u003eUnsuccessful User Account RemoteInteractive Logon - NLA Disabled 117\u003c\/p\u003e \u003cp\u003eNetwork Logon 118\u003c\/p\u003e \u003cp\u003eSuccessful User Account Network Logon 118\u003c\/p\u003e \u003cp\u003eUnsuccessful User Account Network Logon 120\u003c\/p\u003e \u003cp\u003eUnsuccessful User Account Network Logon - NTLM 121\u003c\/p\u003e \u003cp\u003eUnsuccessful User Account Network Logon - Kerberos 122\u003c\/p\u003e \u003cp\u003eBatch and Service Logon 123\u003c\/p\u003e \u003cp\u003eSuccessful Service\/Batch Logon 123\u003c\/p\u003e \u003cp\u003eUnsuccessful Service\/Batch Logon 125\u003c\/p\u003e \u003cp\u003eNetworkCleartext Logon 127\u003c\/p\u003e \u003cp\u003eSuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 127\u003c\/p\u003e \u003cp\u003eUnsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 129\u003c\/p\u003e \u003cp\u003eNewCredentials Logon 129\u003c\/p\u003e \u003cp\u003eInteractive and RemoteInteractive Session Lock Operations and Unlock Logon Type 132\u003c\/p\u003e \u003cp\u003eAccount Logoff and Session Disconnect 133\u003c\/p\u003e \u003cp\u003eTerminal Session Disconnect 134\u003c\/p\u003e \u003cp\u003eSpecial Groups 135\u003c\/p\u003e \u003cp\u003eAnonymous Logon 136\u003c\/p\u003e \u003cp\u003eDefault ANONYMOUS LOGON Logon Session 136\u003c\/p\u003e \u003cp\u003eExplicit Use of Anonymous Credentials 138\u003c\/p\u003e \u003cp\u003eUse of Account That Has No Network Credentials 139\u003c\/p\u003e \u003cp\u003eComputer Account Activity from Non-Domain-Joined Machine 139\u003c\/p\u003e \u003cp\u003eAllow Local System to Use Computer Identity for NTLM 140\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Local User Accounts 141\u003c\/b\u003e\u003c\/p\u003e 
\u003cp\u003eBuilt-in Local User Accounts 142\u003c\/p\u003e \u003cp\u003eAdministrator 142\u003c\/p\u003e \u003cp\u003eGuest 144\u003c\/p\u003e \u003cp\u003eCustom User Account 145\u003c\/p\u003e \u003cp\u003eHomeGroupUser$ 145\u003c\/p\u003e \u003cp\u003eDefaultAccount 146\u003c\/p\u003e \u003cp\u003eBuilt-in Local User Accounts Monitoring Scenarios 146\u003c\/p\u003e \u003cp\u003eNew Local User Account Creation 146\u003c\/p\u003e \u003cp\u003eSuccessful Local User Account Creation 147\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Creation: Access Denied 164\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Creation: Other 165\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Local User Account Creation 166\u003c\/p\u003e \u003cp\u003eLocal User Account Deletion 168\u003c\/p\u003e \u003cp\u003eSuccessful Local User Account Deletion 169\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Deletion - Access Denied 173\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Deletion - Other 175\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Local User Account Deletion 176\u003c\/p\u003e \u003cp\u003eLocal User Account Password Modification 177\u003c\/p\u003e \u003cp\u003eSuccessful Local User Account Password Reset 178\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Password Reset - Access Denied 179\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Password Reset - Other 180\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Password Reset 181\u003c\/p\u003e \u003cp\u003eSuccessful Local User Account Password Change 182\u003c\/p\u003e \u003cp\u003eUnsuccessful Local User Account Password Change 183\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Password Change 184\u003c\/p\u003e \u003cp\u003eLocal User Account Enabled\/Disabled 184\u003c\/p\u003e \u003cp\u003eLocal User Account Was Enabled 184\u003c\/p\u003e \u003cp\u003eLocal User Account Was Disabled 186\u003c\/p\u003e \u003cp\u003eMonitoring 
Scenarios: Account Enabled\/Disabled 186\u003c\/p\u003e \u003cp\u003eLocal User Account Lockout Events 187\u003c\/p\u003e \u003cp\u003eLocal User Account Lockout 188\u003c\/p\u003e \u003cp\u003eLocal User Account Unlock 190\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Account Enabled\/Disabled 191\u003c\/p\u003e \u003cp\u003eLocal User Account Change Events 191\u003c\/p\u003e \u003cp\u003eLocal User Account Change Event 192\u003c\/p\u003e \u003cp\u003eLocal User Account Name Change Event 196\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Account Changes 198\u003c\/p\u003e \u003cp\u003eBlank Password Existence Validation 199\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Local Security Groups 201\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eBuilt-in Local Security Groups 203\u003c\/p\u003e \u003cp\u003eAccess Control Assistance Operators 205\u003c\/p\u003e \u003cp\u003eAdministrators 205\u003c\/p\u003e \u003cp\u003eBackup Operators 205\u003c\/p\u003e \u003cp\u003eCertificate Service DCOM Access 205\u003c\/p\u003e \u003cp\u003eCryptographic Operators 205\u003c\/p\u003e \u003cp\u003eDistributed COM Users 206\u003c\/p\u003e \u003cp\u003eEvent Log Readers 207\u003c\/p\u003e \u003cp\u003eGuests 207\u003c\/p\u003e \u003cp\u003eHyper-V Administrators 207\u003c\/p\u003e \u003cp\u003eIIS_IUSRS 208\u003c\/p\u003e \u003cp\u003eNetwork Configuration Operators 208\u003c\/p\u003e \u003cp\u003ePerformance Log Users 209\u003c\/p\u003e \u003cp\u003ePerformance Monitor Users 209\u003c\/p\u003e \u003cp\u003ePower Users 209\u003c\/p\u003e \u003cp\u003ePrint Operators 209\u003c\/p\u003e \u003cp\u003eRemote Desktop Users 209\u003c\/p\u003e \u003cp\u003eRemote Management Users 210\u003c\/p\u003e \u003cp\u003eReplicator 210\u003c\/p\u003e \u003cp\u003eStorage Replica Administrators 210\u003c\/p\u003e \u003cp\u003eSystem Managed Accounts Group 210\u003c\/p\u003e \u003cp\u003eUsers 210\u003c\/p\u003e \u003cp\u003eWinRMRemoteWMIUsers__ 211\u003c\/p\u003e \u003cp\u003eBuilt-in Local 
Security Groups Monitoring Scenarios 211\u003c\/p\u003e \u003cp\u003eLocal Security Group Creation 212\u003c\/p\u003e \u003cp\u003eSuccessful Local Security Group Creation 212\u003c\/p\u003e \u003cp\u003eUnsuccessful Local Security Group Creation - Access Denied 217\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Local Security Group Creation 218\u003c\/p\u003e \u003cp\u003eLocal Security Group Deletion 218\u003c\/p\u003e \u003cp\u003eSuccessful Local Security Group Deletion 219\u003c\/p\u003e \u003cp\u003eUnsuccessful Local Security Group Deletion - Access Denied 221\u003c\/p\u003e \u003cp\u003eUnsuccessful Local Security Group Deletion - Other 222\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Local Security Group Deletion 223\u003c\/p\u003e \u003cp\u003eLocal Security Group Change 223\u003c\/p\u003e \u003cp\u003eSuccessful Local Security Group Change 224\u003c\/p\u003e \u003cp\u003eUnsuccessful Local Security Group Change - Access Denied 226\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Local Security Group Change 227\u003c\/p\u003e \u003cp\u003eLocal Security Group Membership Operations 227\u003c\/p\u003e \u003cp\u003eSuccessful New Local Group Member Add Operation 228\u003c\/p\u003e \u003cp\u003eSuccessful Local Group Member Remove Operation 231\u003c\/p\u003e \u003cp\u003eUnsuccessful Local Group Member Remove\/Add Operation - Access Denied 232\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Local Security Group Members Changes 233\u003c\/p\u003e \u003cp\u003eLocal Security Group Membership Enumeration 234\u003c\/p\u003e \u003cp\u003eMonitoring Scenarios: Local Security Group Membership Enumeration 235\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 Microsoft Active Directory 237\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eActive Directory Built-in Security Groups 237\u003c\/p\u003e \u003cp\u003eAdministrators 238\u003c\/p\u003e \u003cp\u003eAccount Operators 238\u003c\/p\u003e \u003cp\u003eIncoming Forest Trust Builders 238\u003c\/p\u003e 
\u003cp\u003ePre-Windows 2000 Compatible Access 238\u003c\/p\u003e \u003cp\u003eServer Operators 239\u003c\/p\u003e \u003cp\u003eTerminal Server License Servers 239\u003c\/p\u003e \u003cp\u003eWindows Authorization Access 239\u003c\/p\u003e \u003cp\u003eAllowed RODC Password Replication Group 240\u003c\/p\u003e \u003cp\u003eDenied RODC Password Replication Group 240\u003c\/p\u003e \u003cp\u003eCert Publishers 240\u003c\/p\u003e \u003cp\u003eDnsAdmins 240\u003c\/p\u003e \u003cp\u003eRAS and IAS Servers 241\u003c\/p\u003e \u003cp\u003eCloneable Domain Controllers 241\u003c\/p\u003e \u003cp\u003eDnsUpdateProxy 241\u003c\/p\u003e \u003cp\u003eDomain Admins 241\u003c\/p\u003e \u003cp\u003eDomain Computers 241\u003c\/p\u003e \u003cp\u003eDomain Controllers 242\u003c\/p\u003e \u003cp\u003eDomain Users 242\u003c\/p\u003e \u003cp\u003eGroup Policy Creator Owners 242\u003c\/p\u003e \u003cp\u003eProtected Users 242\u003c\/p\u003e \u003cp\u003eRead-Only Domain Controllers 242\u003c\/p\u003e \u003cp\u003eEnterprise Read-Only Domain Controllers 242\u003c\/p\u003e \u003cp\u003eEnterprise Admins 243\u003c\/p\u003e \u003cp\u003eSchema Admins 243\u003c\/p\u003e \u003cp\u003eBuilt-in Active Directory Accounts 243\u003c\/p\u003e \u003cp\u003eAdministrator 243\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Active Directory Objects 285\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eActive Directory Object SACL 286\u003c\/p\u003e \u003cp\u003eChild Object Creation and Deletion Permissions 291\u003c\/p\u003e \u003cp\u003eExtended Rights 292\u003c\/p\u003e \u003cp\u003eValidated Writes 294\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Authentication Protocols 323\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eNTLM-family Protocols 323\u003c\/p\u003e \u003cp\u003eChallenge-Response Basics 323\u003c\/p\u003e \u003cp\u003eLAN Manager 325\u003c\/p\u003e \u003cp\u003eLM Hash 325\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Operating System Events 367\u003c\/b\u003e\u003c\/p\u003e 
\u003cp\u003eSystem Startup\/Shutdown 368\u003c\/p\u003e \u003cp\u003eSuccessful Normal System Shutdown 368\u003c\/p\u003e \u003cp\u003eUnsuccessful Normal System Shutdown - Access Denied 370\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Logon Rights and User Privileges 419\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eLogon Rights 419\u003c\/p\u003e \u003cp\u003eLogon Rights Policy Modification 420\u003c\/p\u003e \u003cp\u003eLogon Rights Policy Settings - Member Added 421\u003c\/p\u003e \u003cp\u003eLogon Rights Policy Settings - Member Removed 421\u003c\/p\u003e \u003cp\u003eUnsuccessful Logons Due to Lack of Logon Rights 422\u003c\/p\u003e \u003cp\u003eUser Privileges 422\u003c\/p\u003e \u003cp\u003eUser Privileges Policy Modification 427\u003c\/p\u003e \u003cp\u003eUser Privileges Policy Settings - Member Added 427\u003c\/p\u003e \u003cp\u003eUser Privileges Policy Settings - Member Removed 428\u003c\/p\u003e \u003cp\u003eSpecial User Privileges Assigned at Logon Time 429\u003c\/p\u003e \u003cp\u003eLogon Session User Privileges Operations 430\u003c\/p\u003e \u003cp\u003ePrivilege Use 431\u003c\/p\u003e \u003cp\u003eSuccessful Call of a Privileged Service 431\u003c\/p\u003e \u003cp\u003eUnsuccessful Call of a Privileged Service 432\u003c\/p\u003e \u003cp\u003eSuccessful Operation with a Privileged Object 433\u003c\/p\u003e \u003cp\u003eUnsuccessful Operation with a Privileged Object 435\u003c\/p\u003e \u003cp\u003eBackup and Restore Privilege Use Auditing 435\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 Windows Applications 437\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eNew Application Installation 437\u003c\/p\u003e \u003cp\u003eApplication Installation Using Windows Installer 440\u003c\/p\u003e \u003cp\u003eApplication Removal Using Windows Installer 443\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 13 Filesystem and Removable Storage 485\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWindows Filesystem 486\u003c\/p\u003e \u003cp\u003eNTFS Security 
Descriptors 487\u003c\/p\u003e \u003cp\u003eInheritance 493\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 14 Windows Registry 523\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWindows Registry Basics 523\u003c\/p\u003e \u003cp\u003eRegistry Key Permissions 526\u003c\/p\u003e \u003cp\u003eRegistry Operations Auditing 528\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 15 Network File Shares and Named Pipes 559\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eNetwork File Shares 559\u003c\/p\u003e \u003cp\u003eNetwork File Share Access Permissions 563\u003c\/p\u003e \u003cp\u003eFile Share Creation 564\u003c\/p\u003e \u003cp\u003eAppendix A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options 585\u003c\/p\u003e \u003cp\u003eAppendix B Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes 589\u003c\/p\u003e \u003cp\u003eAppendix C SDDL Access Rights 597\u003c\/p\u003e \u003cp\u003eObject-Specific Access Rights 598\u003c\/p\u003e \u003cp\u003eIndex 603\u003c\/p\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47990495314149,"sku":"NP9781119390640","price":50.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781119390640.jpg?v=1761788057","url":"https:\/\/k12savings.com\/es\/products\/windows-security-monitoring-isbn-9781119390640","provider":"K12savings","version":"1.0","type":"link"}