
Windows Security Monitoring

Scenarios and Patterns

Andrei Miroshnikov

$82.95

Paperback

English
John Wiley & Sons Inc
28 March 2018
Dig deep into the Windows auditing subsystem to monitor for malicious activities and enhance Windows system security

Written by a former Microsoft security program manager, DEFCON "Forensics CTF" village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system's event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful components. Scenario-based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and components, this book provides detailed information on security events generated by the operating system for many common operations such as user account authentication, Active Directory object modifications, local security policy changes, and other activities.

This book is based on the author's experience and the results of his research into Microsoft Windows security monitoring and anomaly detection. It presents the most common scenarios people should be aware of to check for any potentially suspicious activity.

Learn to:

- Implement the Security Logging and Monitoring policy
- Dig into the Windows security auditing subsystem
- Understand the most common monitoring event patterns related to operations and changes in the Microsoft Windows operating system

About the Author

Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference "Forensics CTF" village and has been a speaker at Microsoft's Bluehat security conference. In addition, Andrei is an author of the "Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference" and multiple internal Microsoft security training documents. Among his many professional qualifications, he has earned the (ISC)2 CISSP and Microsoft MCSE: Security certifications.

Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 234mm,  Width: 185mm,  Spine: 38mm
Weight:   839g
ISBN:   9781119390640
ISBN 10:   1119390648
Pages:   656
Audience:   Professional and scholarly, Undergraduate
Format:   Paperback
Publisher's Status:   Active
Table of Contents

Introduction xxix
Part I Introduction to Windows Security Monitoring 1
Chapter 1 Windows Security Logging and Monitoring Policy 3
  Security Logging 3
  Security Logs 4
  System Requirements 5
  PII and PHI 5
  Availability and Protection 5
  Configuration Changes 6
  Secure Storage 6
  Centralized Collection 6
  Backup and Retention 7
  Periodic Review 7
  Security Monitoring 7
  Communications 8
  Audit Tool and Technologies 8
  Network Intrusion Detection Systems 8
  Host-based Intrusion Detection Systems 8
  System Reviews 9
  Reporting 9
Part II Windows Auditing Subsystem 11
Chapter 2 Auditing Subsystem Architecture 13
  Legacy Auditing Settings 13
  Advanced Auditing Settings 16
  Set Advanced Audit Settings via Local Group Policy 18
  Set Advanced Audit Settings via Domain Group Policy 19
  Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database 19
  Read Current LSA Policy Database Advanced Audit Policy Settings 20
  Advanced Audit Policies Enforcement and Legacy Policies Rollback 20
  Switch from Advanced Audit Settings to Legacy Settings 21
  Switch from Legacy Audit Settings to Advanced Settings 22
  Windows Auditing Group Policy Settings 22
  Manage Auditing and Security Log 22
  Generate Security Audits 23
  Security Auditing Policy Security Descriptor 23
  Group Policy: "Audit: Shut Down System Immediately If Unable to Log Security Audits" 24
  Group Policy: Protected Event Logging 25
  Group Policy: "Audit: Audit the Use of Backup and Restore Privilege" 25
  Group Policy: "Audit: Audit the Access of Global System Objects" 26
  Audit the Access of Global System Container Objects 26
  Windows Event Log Service: Security Event Log Settings 27
  Changing the Maximum Security Event Log File Size 28
  Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size 29
  Group Policy: Back Up Log Automatically When Full 29
  Group Policy: Control the Location of the Log File 30
  Security Event Log Security Descriptor 31
  Guest and Anonymous Access to the Security Event Log 33
  Windows Auditing Architecture 33
  Windows Auditing Policy Flow 34
  LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route 35
  Windows Auditing Event Flow 36
  LSASS.EXE Security Event Flow 37
  NTOSKRNL.EXE Security Event Flow 37
  Security Event Structure 38
Chapter 3 Auditing Subcategories and Recommendations 47
  Account Logon 47
  Audit Credential Validation 47
  Audit Kerberos Authentication Service 50
  Audit Kerberos Service Ticket Operations 53
  Audit Other Account Logon Events 54
  Account Management 54
  Audit Application Group Management 54
  Audit Computer Account Management 54
  Audit Distribution Group Management 55
  Audit Other Account Management Events 56
  Audit Security Group Management 57
  Audit User Account Management 57
  Detailed Tracking 58
  Audit DPAPI Activity 58
  Audit PNP Activity 58
  Audit Process Creation 58
  Audit Process Termination 59
  Audit RPC Events 59
  DS Access 60
  Audit Detailed Directory Service Replication 60
  Audit Directory Service Access 60
  Audit Directory Service Changes 61
  Audit Directory Service Replication 61
  Logon and Logoff 61
  Audit Account Lockout 61
  Audit User/Device Claims 62
  Audit Group Membership 62
  Audit IPsec Extended Mode/Audit IPsec Main Mode/Audit IPsec Quick Mode 63
  Audit Logoff 63
  Audit Logon 64
  Audit Network Policy Server 65
  Audit Other Logon/Logoff Events 65
  Audit Special Logon 66
  Object Access 66
  Audit Application Generated 67
  Audit Certification Services 67
  Audit Detailed File Share 67
  Audit File Share 67
  Audit File System 68
  Audit Filtering Platform Connection 68
  Audit Filtering Platform Packet Drop 69
  Audit Handle Manipulation 69
  Audit Kernel Object 70
  Audit Other Object Access Events 71
  Audit Registry 71
  Audit Removable Storage 72
  Audit SAM 72
  Audit Central Policy Staging 73
  Policy Change 73
  Audit Policy Change 73
  Audit Authentication Policy Change 74
  Audit Authorization Policy Change 74
  Audit Filtering Platform Policy Change 75
  Audit MPSSVC Rule-Level Policy Change 75
  Audit Other Policy Change Events 75
  Privilege Use 76
  Audit Non Sensitive Privilege Use 76
  Audit Other Privilege Use Events 77
  Audit Sensitive Privilege Use 77
  System 77
  Audit IPsec Driver 78
  Audit Other System Events 78
  Audit Security State Change 78
  Audit Security System Extension 79
  Audit System Integrity 79
Part III Security Monitoring Scenarios 81
Chapter 4 Account Logon 83
  Interactive Logon 85
  Successful Local User Account Interactive Logon 85
  Step 1: Winlogon Process Initialization 85
  Step 1: LSASS Initialization 87
  Step 2: Local System Account Logon 88
  Step 3: ALPC Communications between Winlogon and LSASS 92
  Step 4: Secure Desktop and SAS 92
  Step 5: Authentication Data Gathering 92
  Step 6: Send Credentials from Winlogon to LSASS 94
  Step 7: LSA Server Credentials Flow 95
  Step 8: Local User Scenario 96
  Step 9: Local User Logon: MSV1_0 Answer 99
  Step 10: User Logon Rights Verification 104
  Step 11: Security Token Generation 105
  Step 12: SSPI Call 105
  Step 13: LSASS Replies to Winlogon 105
  Step 14: Userinit and Explorer.exe 105
  Unsuccessful Local User Account Interactive Logon 106
  Successful Domain User Account Interactive Logon 110
  Steps 1–7: User Logon Process 110
  Step 8: Authentication Package Negotiation 110
  Step 9: LSA Cache 111
  Step 10: Credentials Validation on the Domain Controller 112
  Steps 11–16: Logon Process 112
  Unsuccessful Domain User Account Interactive Logon 112
  RemoteInteractive Logon 112
  Successful User Account RemoteInteractive Logon 112
  Successful User Account RemoteInteractive Logon Using Cached Credentials 114
  Unsuccessful User Account RemoteInteractive Logon - NLA Enabled 115
  Unsuccessful User Account RemoteInteractive Logon - NLA Disabled 117
  Network Logon 118
  Successful User Account Network Logon 118
  Unsuccessful User Account Network Logon 120
  Unsuccessful User Account Network Logon - NTLM 121
  Unsuccessful User Account Network Logon - Kerberos 122
  Batch and Service Logon 123
  Successful Service / Batch Logon 123
  Unsuccessful Service / Batch Logon 125
  NetworkCleartext Logon 127
  Successful User Account NetworkCleartext Logon - IIS Basic Authentication 127
  Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 129
  NewCredentials Logon 129
  Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type 132
  Account Logoff and Session Disconnect 133
  Terminal Session Disconnect 134
  Special Groups 135
  Anonymous Logon 136
  Default ANONYMOUS LOGON Logon Session 136
  Explicit Use of Anonymous Credentials 138
  Use of Account That Has No Network Credentials 139
  Computer Account Activity from Non-Domain-Joined Machine 139
  Allow Local System to Use Computer Identity for NTLM 140
Chapter 5 Local User Accounts 141
  Built-in Local User Accounts 142
  Administrator 142
  Guest 144
  Custom User Account 145
  HomeGroupUser$ 145
  DefaultAccount 146
  Built-in Local User Accounts Monitoring Scenarios 146
  New Local User Account Creation 146
  Successful Local User Account Creation 147
  Unsuccessful Local User Account Creation: Access Denied 164
  Unsuccessful Local User Account Creation: Other 165
  Monitoring Scenarios: Local User Account Creation 166
  Local User Account Deletion 168
  Successful Local User Account Deletion 169
  Unsuccessful Local User Account Deletion - Access Denied 173
  Unsuccessful Local User Account Deletion - Other 175
  Monitoring Scenarios: Local User Account Deletion 176
  Local User Account Password Modification 177
  Successful Local User Account Password Reset 178
  Unsuccessful Local User Account Password Reset - Access Denied 179
  Unsuccessful Local User Account Password Reset - Other 180
  Monitoring Scenarios: Password Reset 181
  Successful Local User Account Password Change 182
  Unsuccessful Local User Account Password Change 183
  Monitoring Scenarios: Password Change 184
  Local User Account Enabled/Disabled 184
  Local User Account Was Enabled 184
  Local User Account Was Disabled 186
  Monitoring Scenarios: Account Enabled/Disabled 186
  Local User Account Lockout Events 187
  Local User Account Lockout 188
  Local User Account Unlock 190
  Monitoring Scenarios: Account Enabled/Disabled 191
  Local User Account Change Events 191
  Local User Account Change Event 192
  Local User Account Name Change Event 196
  Monitoring Scenarios: Account Changes 198
  Blank Password Existence Validation 199
Chapter 6 Local Security Groups 201
  Built-in Local Security Groups 203
  Access Control Assistance Operators 205
  Administrators 205
  Backup Operators 205
  Certificate Service DCOM Access 205
  Cryptographic Operators 205
  Distributed COM Users 206
  Event Log Readers 207
  Guests 207
  Hyper-V Administrators 207
  IIS_IUSRS 208
  Network Configuration Operators 208
  Performance Log Users 209
  Performance Monitor Users 209
  Power Users 209
  Print Operators 209
  Remote Desktop Users 209
  Remote Management Users 210
  Replicator 210
  Storage Replica Administrators 210
  System Managed Accounts Group 210
  Users 210
  WinRMRemoteWMIUsers__ 211
  Built-in Local Security Groups Monitoring Scenarios 211
  Local Security Group Creation 212
  Successful Local Security Group Creation 212
  Unsuccessful Local Security Group Creation - Access Denied 217
  Monitoring Scenarios: Local Security Group Creation 218
  Local Security Group Deletion 218
  Successful Local Security Group Deletion 219
  Unsuccessful Local Security Group Deletion - Access Denied 221
  Unsuccessful Local Security Group Deletion - Other 222
  Monitoring Scenarios: Local Security Group Deletion 223
  Local Security Group Change 223
  Successful Local Security Group Change 224
  Unsuccessful Local Security Group Change - Access Denied 226
  Monitoring Scenarios: Local Security Group Change 227
  Local Security Group Membership Operations 227
  Successful New Local Group Member Add Operation 228
  Successful Local Group Member Remove Operation 231
  Unsuccessful Local Group Member Remove/Add Operation - Access Denied 232
  Monitoring Scenarios: Local Security Group Members Changes 233
  Local Security Group Membership Enumeration 234
  Monitoring Scenarios: Local Security Group Membership Enumeration 235
Chapter 7 Microsoft Active Directory 237
  Active Directory Built-in Security Groups 237
  Administrators 238
  Account Operators 238
  Incoming Forest Trust Builders 238
  Pre-Windows 2000 Compatible Access 238
  Server Operators 239
  Terminal Server License Servers 239
  Windows Authorization Access 239
  Allowed RODC Password Replication Group 240
  Denied RODC Password Replication Group 240
  Cert Publishers 240
  DnsAdmins 240
  RAS and IAS Servers 241
  Cloneable Domain Controllers 241
  DnsUpdateProxy 241
  Domain Admins 241
  Domain Computers 241
  Domain Controllers 242
  Domain Users 242
  Group Policy Creator Owners 242
  Protected Users 242
  Read-Only Domain Controllers 242
  Enterprise Read-Only Domain Controllers 242
  Enterprise Admins 243
  Schema Admins 243
  Built-in Active Directory Accounts 243
  Administrator 243
Chapter 8 Active Directory Objects 285
  Active Directory Object SACL 286
  Child Object Creation and Deletion Permissions 291
  Extended Rights 292
  Validated Writes 294
Chapter 9 Authentication Protocols 323
  NTLM-family Protocols 323
  Challenge-Response Basics 323
  LAN Manager 325
  LM Hash 325
Chapter 10 Operating System Events 367
  System Startup/Shutdown 368
  Successful Normal System Shutdown 368
  Unsuccessful Normal System Shutdown - Access Denied 370
Chapter 11 Logon Rights and User Privileges 419
  Logon Rights 419
  Logon Rights Policy Modification 420
  Logon Rights Policy Settings - Member Added 421
  Logon Rights Policy Settings - Member Removed 421
  Unsuccessful Logons Due to Lack of Logon Rights 422
  User Privileges 422
  User Privileges Policy Modification 427
  User Privileges Policy Settings - Member Added 427
  User Privileges Policy Settings - Member Removed 428
  Special User Privileges Assigned at Logon Time 429
  Logon Session User Privileges Operations 430
  Privilege Use 431
  Successful Call of a Privileged Service 431
  Unsuccessful Call of a Privileged Service 432
  Successful Operation with a Privileged Object 433
  Unsuccessful Operation with a Privileged Object 435
  Backup and Restore Privilege Use Auditing 435
Chapter 12 Windows Applications 437
  New Application Installation 437
  Application Installation Using Windows Installer 440
  Application Removal Using Windows Installer 443
Chapter 13 Filesystem and Removable Storage 485
  Windows Filesystem 486
  NTFS Security Descriptors 487
  Inheritance 493
Chapter 14 Windows Registry 523
  Windows Registry Basics 523
  Registry Key Permissions 526
  Registry Operations Auditing 528
Chapter 15 Network File Shares and Named Pipes 559
  Network File Shares 559
  Network File Share Access Permissions 563
  File Share Creation 564
Appendix A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options 585
Appendix B Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes 589
Appendix C SDDL Access Rights 597
  Object-Specific Access Rights 598
Index 603
