Description

Book Synopsis

Dig deep into the Windows auditing subsystem to monitor for malicious activities and enhance Windows system security

Written by a former Microsoft security program manager, DEFCON Forensics CTF village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system's event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful components. Scenario-based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and components, this book provides detailed information on security events generated by the operating system for many common operations such as user account authentication, Active Directory ob

Table of Contents

Introduction xxix

Part I Introduction to Windows Security Monitoring 1

Chapter 1 Windows Security Logging and Monitoring Policy 3

Security Logging 3

Security Logs 4

System Requirements 5

PII and PHI 5

Availability and Protection 5

Configuration Changes 6

Secure Storage 6

Centralized Collection 6

Backup and Retention 7

Periodic Review 7

Security Monitoring 7

Communications 8

Audit Tool and Technologies 8

Network Intrusion Detection Systems 8

Host-based Intrusion Detection Systems 8

System Reviews 9

Reporting 9

Part II Windows Auditing Subsystem 11

Chapter 2 Auditing Subsystem Architecture 13

Legacy Auditing Settings 13

Advanced Auditing Settings 16

Set Advanced Audit Settings via Local Group Policy 18

Set Advanced Audit Settings via Domain Group Policy 19

Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database 19

Read Current LSA Policy Database Advanced Audit Policy Settings 20

Advanced Audit Policies Enforcement and Legacy Policies Rollback 20

Switch from Advanced Audit Settings to Legacy Settings 21

Switch from Legacy Audit Settings to Advanced Settings 22

Windows Auditing Group Policy Settings 22

Manage Auditing and Security Log 22

Generate Security Audits 23

Security Auditing Policy Security Descriptor 23

Group Policy: “Audit: Shut Down System Immediately If Unable to Log Security Audits” 24

Group Policy: Protected Event Logging 25

Group Policy: “Audit: Audit the Use of Backup and Restore Privilege” 25

Group Policy: “Audit: Audit the Access of Global System Objects” 26

Audit the Access of Global System Container Objects 26

Windows Event Log Service: Security Event Log Settings 27

Changing the Maximum Security Event Log File Size 28

Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size 29

Group Policy: Back Up Log Automatically When Full 29

Group Policy: Control the Location of the Log File 30

Security Event Log Security Descriptor 31

Guest and Anonymous Access to the Security Event Log 33

Windows Auditing Architecture 33

Windows Auditing Policy Flow 34

LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route 35

Windows Auditing Event Flow 36

LSASS.EXE Security Event Flow 37

NTOSKRNL.EXE Security Event Flow 37

Security Event Structure 38

Chapter 3 Auditing Subcategories and Recommendations 47

Account Logon 47

Audit Credential Validation 47

Audit Kerberos Authentication Service 50

Audit Kerberos Service Ticket Operations 53

Audit Other Account Logon Events 54

Account Management 54

Audit Application Group Management 54

Audit Computer Account Management 54

Audit Distribution Group Management 55

Audit Other Account Management Events 56

Audit Security Group Management 57

Audit User Account Management 57

Detailed Tracking 58

Audit DPAPI Activity 58

Audit PNP Activity 58

Audit Process Creation 58

Audit Process Termination 59

Audit RPC Events 59

DS Access 60

Audit Detailed Directory Service Replication 60

Audit Directory Service Access 60

Audit Directory Service Changes 61

Audit Directory Service Replication 61

Logon and Logoff 61

Audit Account Lockout 61

Audit User/Device Claims 62

Audit Group Membership 62

Audit IPsec Extended Mode/Audit IPsec Main Mode/Audit IPsec Quick Mode 63

Audit Logoff 63

Audit Logon 64

Audit Network Policy Server 65

Audit Other Logon/Logoff Events 65

Audit Special Logon 66

Object Access 66

Audit Application Generated 67

Audit Certification Services 67

Audit Detailed File Share 67

Audit File Share 67

Audit File System 68

Audit Filtering Platform Connection 68

Audit Filtering Platform Packet Drop 69

Audit Handle Manipulation 69

Audit Kernel Object 70

Audit Other Object Access Events 71

Audit Registry 71

Audit Removable Storage 72

Audit SAM 72

Audit Central Policy Staging 73

Policy Change 73

Audit Policy Change 73

Audit Authentication Policy Change 74

Audit Authorization Policy Change 74

Audit Filtering Platform Policy Change 75

Audit MPSSVC Rule-Level Policy Change 75

Audit Other Policy Change Events 75

Privilege Use 76

Audit Non Sensitive Privilege Use 76

Audit Other Privilege Use Events 77

Audit Sensitive Privilege Use 77

System 77

Audit IPsec Driver 78

Audit Other System Events 78

Audit Security State Change 78

Audit Security System Extension 79

Audit System Integrity 79

Part III Security Monitoring Scenarios 81

Chapter 4 Account Logon 83

Interactive Logon 85

Successful Local User Account Interactive Logon 85

Step 1: Winlogon Process Initialization 85

Step 1: LSASS Initialization 87

Step 2: Local System Account Logon 88

Step 3: ALPC Communications between Winlogon and LSASS 92

Step 4: Secure Desktop and SAS 92

Step 5: Authentication Data Gathering 92

Step 6: Send Credentials from Winlogon to LSASS 94

Step 7: LSA Server Credentials Flow 95

Step 8: Local User Scenario 96

Step 9: Local User Logon: MSV1_0 Answer 99

Step 10: User Logon Rights Verification 104

Step 11: Security Token Generation 105

Step 12: SSPI Call 105

Step 13: LSASS Replies to Winlogon 105

Step 14: Userinit and Explorer.exe 105

Unsuccessful Local User Account Interactive Logon 106

Successful Domain User Account Interactive Logon 110

Steps 1–7: User Logon Process 110

Step 8: Authentication Package Negotiation 110

Step 9: LSA Cache 111

Step 10: Credentials Validation on the Domain Controller 112

Steps 11–16: Logon Process 112

Unsuccessful Domain User Account Interactive Logon 112

RemoteInteractive Logon 112

Successful User Account RemoteInteractive Logon 112

Successful User Account RemoteInteractive Logon Using Cached Credentials 114

Unsuccessful User Account RemoteInteractive Logon - NLA Enabled 115

Unsuccessful User Account RemoteInteractive Logon - NLA Disabled 117

Network Logon 118

Successful User Account Network Logon 118

Unsuccessful User Account Network Logon 120

Unsuccessful User Account Network Logon - NTLM 121

Unsuccessful User Account Network Logon - Kerberos 122

Batch and Service Logon 123

Successful Service / Batch Logon 123

Unsuccessful Service / Batch Logon 125

NetworkCleartext Logon 127

Successful User Account NetworkCleartext Logon - IIS Basic Authentication 127

Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 129

NewCredentials Logon 129

Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type 132

Account Logoff and Session Disconnect 133

Terminal Session Disconnect 134

Special Groups 135

Anonymous Logon 136

Default ANONYMOUS LOGON Logon Session 136

Explicit Use of Anonymous Credentials 138

Use of Account That Has No Network Credentials 139

Computer Account Activity from Non-Domain-Joined Machine 139

Allow Local System to Use Computer Identity for NTLM 140

Chapter 5 Local User Accounts 141

Built-in Local User Accounts 142

Administrator 142

Guest 144

Custom User Account 145

HomeGroupUser$ 145

DefaultAccount 146

Built-in Local User Accounts Monitoring Scenarios 146

New Local User Account Creation 146

Successful Local User Account Creation 147

Unsuccessful Local User Account Creation: Access Denied 164

Unsuccessful Local User Account Creation: Other 165

Monitoring Scenarios: Local User Account Creation 166

Local User Account Deletion 168

Successful Local User Account Deletion 169

Unsuccessful Local User Account Deletion - Access Denied 173

Unsuccessful Local User Account Deletion - Other 175

Monitoring Scenarios: Local User Account Deletion 176

Local User Account Password Modification 177

Successful Local User Account Password Reset 178

Unsuccessful Local User Account Password Reset - Access Denied 179

Unsuccessful Local User Account Password Reset - Other 180

Monitoring Scenarios: Password Reset 181

Successful Local User Account Password Change 182

Unsuccessful Local User Account Password Change 183

Monitoring Scenarios: Password Change 184

Local User Account Enabled/Disabled 184

Local User Account Was Enabled 184

Local User Account Was Disabled 186

Monitoring Scenarios: Account Enabled/Disabled 186

Local User Account Lockout Events 187

Local User Account Lockout 188

Local User Account Unlock 190

Monitoring Scenarios: Account Enabled/Disabled 191

Local User Account Change Events 191

Local User Account Change Event 192

Local User Account Name Change Event 196

Monitoring Scenarios: Account Changes 198

Blank Password Existence Validation 199

Chapter 6 Local Security Groups 201

Built-in Local Security Groups 203

Access Control Assistance Operators 205

Administrators 205

Backup Operators 205

Certificate Service DCOM Access 205

Cryptographic Operators 205

Distributed COM Users 206

Event Log Readers 207

Guests 207

Hyper-V Administrators 207

IIS_IUSRS 208

Network Configuration Operators 208

Performance Log Users 209

Performance Monitor Users 209

Power Users 209

Print Operators 209

Remote Desktop Users 209

Remote Management Users 210

Replicator 210

Storage Replica Administrators 210

System Managed Accounts Group 210

Users 210

WinRMRemoteWMIUsers__ 211

Built-in Local Security Groups Monitoring Scenarios 211

Local Security Group Creation 212

Successful Local Security Group Creation 212

Unsuccessful Local Security Group Creation - Access Denied 217

Monitoring Scenarios: Local Security Group Creation 218

Local Security Group Deletion 218

Successful Local Security Group Deletion 219

Unsuccessful Local Security Group Deletion - Access Denied 221

Unsuccessful Local Security Group Deletion - Other 222

Monitoring Scenarios: Local Security Group Deletion 223

Local Security Group Change 223

Successful Local Security Group Change 224

Unsuccessful Local Security Group Change - Access Denied 226

Monitoring Scenarios: Local Security Group Change 227

Local Security Group Membership Operations 227

Successful New Local Group Member Add Operation 228

Successful Local Group Member Remove Operation 231

Unsuccessful Local Group Member Remove/Add Operation - Access Denied 232

Monitoring Scenarios: Local Security Group Members Changes 233

Local Security Group Membership Enumeration 234

Monitoring Scenarios: Local Security Group Membership Enumeration 235

Chapter 7 Microsoft Active Directory 237

Active Directory Built-in Security Groups 237

Administrators 238

Account Operators 238

Incoming Forest Trust Builders 238

Pre-Windows 2000 Compatible Access 238

Server Operators 239

Terminal Server License Servers 239

Windows Authorization Access 239

Allowed RODC Password Replication Group 240

Denied RODC Password Replication Group 240

Cert Publishers 240

DnsAdmins 240

RAS and IAS Servers 241

Cloneable Domain Controllers 241

DnsUpdateProxy 241

Domain Admins 241

Domain Computers 241

Domain Controllers 242

Domain Users 242

Group Policy Creator Owners 242

Protected Users 242

Read-Only Domain Controllers 242

Enterprise Read-Only Domain Controllers 242

Enterprise Admins 243

Schema Admins 243

Built-in Active Directory Accounts 243

Administrator 243

Chapter 8 Active Directory Objects 285

Active Directory Object SACL 286

Child Object Creation and Deletion Permissions 291

Extended Rights 292

Validated Writes 294

Chapter 9 Authentication Protocols 323

NTLM-family Protocols 323

Challenge-Response Basics 323

LAN Manager 325

LM Hash 325

Chapter 10 Operating System Events 367

System Startup/Shutdown 368

Successful Normal System Shutdown 368

Unsuccessful Normal System Shutdown - Access Denied 370

Chapter 11 Logon Rights and User Privileges 419

Logon Rights 419

Logon Rights Policy Modification 420

Logon Rights Policy Settings - Member Added 421

Logon Rights Policy Settings - Member Removed 421

Unsuccessful Logons Due to Lack of Logon Rights 422

User Privileges 422

User Privileges Policy Modification 427

User Privileges Policy Settings - Member Added 427

User Privileges Policy Settings - Member Removed 428

Special User Privileges Assigned at Logon Time 429

Logon Session User Privileges Operations 430

Privilege Use 431

Successful Call of a Privileged Service 431

Unsuccessful Call of a Privileged Service 432

Successful Operation with a Privileged Object 433

Unsuccessful Operation with a Privileged Object 435

Backup and Restore Privilege Use Auditing 435

Chapter 12 Windows Applications 437

New Application Installation 437

Application Installation Using Windows Installer 440

Application Removal Using Windows Installer 443

Chapter 13 Filesystem and Removable Storage 485

Windows Filesystem 486

NTFS Security Descriptors 487

Inheritance 493

Chapter 14 Windows Registry 523

Windows Registry Basics 523

Registry Key Permissions 526

Registry Operations Auditing 528

Chapter 15 Network File Shares and Named Pipes 559

Network File Shares 559

Network File Share Access Permissions 563

File Share Creation 564

Appendix A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options 585

Appendix B Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes 589

Appendix C SDDL Access Rights 597

Object-Specific Access Rights 598

Index 603

Windows Security Monitoring


    £30.39


    A Paperback / softback by Andrei Miroshnikov


      Publisher: John Wiley & Sons Inc
      Publication Date: 22/06/2018
      ISBN13: 9781119390640, 978-1119390640
      ISBN10: 1119390648
