Windows Security Internals

Book description

Windows Security Internals is a must-have for anyone needing to understand the Windows operating system's low-level implementations, whether to discover new vulnerabilities or protect against known ones. Developers, devops, and security researchers will all find unparalleled insight into the operating system's key elements and weaknesses, surpassing even Microsoft's official documentation.

Author James Forshaw teaches through meticulously crafted PowerShell examples that can be experimented with and modified, covering everything from basic resource security analysis to advanced techniques like using network authentication. The examples will help you actively test and manipulate system behaviors, learn how Windows secures files and the registry, re-create from scratch how the system grants access to a resource, learn how Windows implements authentication both locally and over a network, and much more.

You'll also explore a wide range of topics, such as:

  • Windows security architecture, including both the kernel and user-mode applications
  • The Windows Security Reference Monitor (SRM), including access tokens, querying and setting a resource's security descriptor, and access checking and auditing
  • Interactive Windows authentication and credential storage in the Security Account Manager (SAM) and Active Directory
  • Mechanisms of network authentication protocols, including NTLM and Kerberos

In an era of sophisticated cyberattacks on Windows networks, mastering the operating system's complex security mechanisms is more crucial than ever. Whether you're defending against the latest cyber threats or delving into the intricacies of Windows security architecture, you'll find Windows Security Internals indispensable in your efforts to navigate the complexities of today's cybersecurity landscape.

Table of contents

  1. Title Page
  2. Copyright
  3. Dedication
  4. About the Author and Technical Reviewer
  5. Foreword
  6. Acknowledgments
  7. Introduction
    1. Who Is This Book For?
    2. What Is in This Book?
    3. PowerShell Conventions Used in This Book
    4. Getting in Touch
  8. Part I: An Overview of the Windows Operating System
    1. 1. Setting Up a PowerShell Testing Environment
      1. Choosing a PowerShell Version
      2. Configuring PowerShell
      3. An Overview of the PowerShell Language
        1. Understanding Types, Variables, and Expressions
        2. Executing Commands
        3. Discovering Commands and Getting Help
        4. Defining Functions
        5. Displaying and Manipulating Objects
        6. Filtering, Ordering, and Grouping Objects
        7. Exporting Data
      4. Wrapping Up
    2. 2. The Windows Kernel
      1. The Windows Kernel Executive
      2. The Security Reference Monitor
      3. The Object Manager
        1. Object Types
        2. The Object Manager Namespace
        3. System Calls
        4. NTSTATUS Codes
        5. Object Handles
        6. Query and Set Information System Calls
      4. The Input/Output Manager
      5. The Process and Thread Manager
      6. The Memory Manager
        1. NtVirtualMemory Commands
        2. Section Objects
      7. Code Integrity
      8. Advanced Local Procedure Call
      9. The Configuration Manager
      10. Worked Examples
        1. Finding Open Handles by Name
        2. Finding Shared Objects
        3. Modifying a Mapped Section
        4. Finding Writable and Executable Memory
      11. Wrapping Up
    3. 3. User-Mode Applications
      1. Win32 and the User-Mode Windows APIs
        1. Loading a New Library
        2. Viewing Imported APIs
        3. Searching for DLLs
      2. The Win32 GUI
        1. GUI Kernel Resources
        2. Window Messages
        3. Console Sessions
      3. Comparing Win32 APIs and System Calls
      4. Win32 Registry Paths
        1. Opening Keys
        2. Listing the Registry’s Contents
      5. DOS Device Paths
        1. Path Types
        2. Maximum Path Lengths
      6. Process Creation
        1. Command Line Parsing
        2. Shell APIs
      7. System Processes
        1. The Session Manager
        2. The Windows Logon Process
        3. The Local Security Authority Subsystem
        4. The Service Control Manager
      8. Worked Examples
        1. Finding Executables That Import Specific APIs
        2. Finding Hidden Registry Keys or Values
      9. Wrapping Up
  9. Part II: The Windows Security Reference Monitor
    1. 4. Security Access Tokens
      1. Primary Tokens
      2. Impersonation Tokens
        1. Security Quality of Service
        2. Explicit Token Impersonation
      3. Converting Between Token Types
      4. Pseudo Token Handles
      5. Token Groups
        1. Enabled, EnabledByDefault, and Mandatory
        2. LogonId
        3. Owner
        4. UseForDenyOnly
        5. Integrity and IntegrityEnabled
        6. Resource
        7. Device Groups
      6. Privileges
      7. Sandbox Tokens
        1. Restricted Tokens
        2. Write-Restricted Tokens
        3. AppContainer and Lowbox Tokens
      8. What Makes an Administrator User?
      9. User Account Control
        1. Linked Tokens and Elevation Type
        2. UI Access
        3. Virtualization
      10. Security Attributes
      11. Creating Tokens
      12. Token Assignment
        1. Assigning a Primary Token
        2. Assigning an Impersonation Token
      13. Worked Examples
        1. Finding UI Access Processes
        2. Finding Token Handles to Impersonate
        3. Removing Administrator Privileges
      14. Wrapping Up
    2. 5. Security Descriptors
      1. The Structure of a Security Descriptor
      2. The Structure of a SID
      3. Absolute and Relative Security Descriptors
      4. Access Control List Headers and Entries
        1. The Header
        2. The ACE List
      5. Constructing and Manipulating Security Descriptors
        1. Creating a New Security Descriptor
        2. Ordering the ACEs
        3. Formatting Security Descriptors
        4. Converting to and from a Relative Security Descriptor
      6. The Security Descriptor Definition Language
      7. Worked Examples
        1. Manually Parsing a Binary SID
        2. Enumerating SIDs
      8. Wrapping Up
    3. 6. Reading and Assigning Security Descriptors
      1. Reading Security Descriptors
      2. Assigning Security Descriptors
        1. Assigning a Security Descriptor During Resource Creation
        2. Assigning a Security Descriptor to an Existing Resource
      3. Win32 Security APIs
      4. Server Security Descriptors and Compound ACEs
      5. A Summary of Inheritance Behavior
      6. Worked Examples
        1. Finding Object Manager Resource Owners
        2. Changing the Ownership of a Resource
      7. Wrapping Up
    4. 7. The Access Check Process
      1. Running an Access Check
        1. Kernel-Mode Access Checks
        2. User-Mode Access Checks
        3. The Get-NtGrantedAccess PowerShell Command
      2. The Access Check Process in PowerShell
        1. Defining the Access Check Function
        2. Performing the Mandatory Access Check
        3. Performing the Token Access Check
        4. Performing the Discretionary Access Check
      3. Sandboxing
        1. Restricted Tokens
        2. Lowbox Tokens
      4. Enterprise Access Checks
        1. The Object Type Access Check
        2. The Central Access Policy
      5. Worked Examples
        1. Using the Get-PSGrantedAccess Command
        2. Calculating Granted Access for Resources
      6. Wrapping Up
    5. 8. Other Access Checking Use Cases
      1. Traversal Checking
        1. The SeChangeNotifyPrivilege Privilege
        2. Limited Checks
      2. Handle Duplication Access Checks
      3. Sandbox Token Checks
      4. Automating Access Checks
      5. Worked Examples
        1. Simplifying an Access Check for an Object
        2. Finding Writable Section Objects
      6. Wrapping Up
    6. 9. Security Auditing
      1. The Security Event Log
        1. Configuring the System Audit Policy
        2. Configuring the Per-User Audit Policy
      2. Audit Policy Security
        1. Configuring the Resource SACL
        2. Configuring the Global SACL
      3. Worked Examples
        1. Verifying Audit Access Security
        2. Finding Resources with Audit ACEs
      4. Wrapping Up
  10. Part III: The Local Security Authority and Authentication
    1. 10. Windows Authentication
      1. Domain Authentication
        1. Local Authentication
        2. Enterprise Network Domains
        3. Domain Forests
      2. Local Domain Configuration
        1. The User Database
        2. The LSA Policy Database
      3. Remote LSA Services
        1. The SAM Remote Service
        2. The Domain Policy Remote Service
      4. The SAM and SECURITY Databases
        1. Accessing the SAM Database Through the Registry
        2. Inspecting the SECURITY Database
      5. Worked Examples
        1. RID Cycling
        2. Forcing a User’s Password Change
        3. Extracting All Local User Hashes
      6. Wrapping Up
    2. 11. Active Directory
      1. A Brief History of Active Directory
      2. Exploring an Active Directory Domain with PowerShell
        1. The Remote Server Administration Tools
        2. Basic Forest and Domain Information
        3. The Users
        4. The Groups
        5. The Computers
      3. Objects and Distinguished Names
        1. Enumerating Directory Objects
        2. Accessing Objects in Other Domains
      4. The Schema
        1. Inspecting the Schema
        2. Accessing the Security Attributes
      5. Security Descriptors
        1. Querying Security Descriptors of Directory Objects
        2. Assigning Security Descriptors to New Directory Objects
        3. Assigning Security Descriptors to Existing Objects
        4. Inspecting a Security Descriptor’s Inherited Security
      6. Access Checks
        1. Creating Objects
        2. Deleting Objects
        3. Listing Objects
        4. Reading and Writing Attributes
        5. Checking Multiple Attributes
        6. Analyzing Property Sets
        7. Inspecting Control Access Rights
        8. Analyzing Write-Validated Access Rights
        9. Accessing the SELF SID
        10. Performing Additional Security Checks
      7. Claims and Central Access Policies
      8. Group Policies
      9. Worked Example
        1. Building the Authorization Context
        2. Gathering Object Information
        3. Running the Access Check
      10. Wrapping Up
    3. 12. Interactive Authentication
      1. Creating a User’s Desktop
      2. The LsaLogonUser API
        1. Local Authentication
        2. Domain Authentication
        3. Logon and Console Sessions
        4. Token Creation
      3. Using the LsaLogonUser API from PowerShell
      4. Creating a New Process with a Token
      5. The Service Logon Type
      6. Worked Examples
        1. Testing Privileges and Logon Account Rights
        2. Creating a Process in a Different Console Session
        3. Authenticating Virtual Accounts
      7. Wrapping Up
    4. 13. Network Authentication
      1. NTLM Network Authentication
        1. NTLM Authentication Using PowerShell
        2. The Cryptographic Derivation Process
        3. Pass-Through Authentication
        4. Local Loopback Authentication
        5. Alternative Client Credentials
      2. The NTLM Relay Attack
        1. Attack Overview
        2. Active Server Challenges
        3. Signing and Sealing
        4. Target Names
        5. Channel Binding
      3. Worked Example
        1. Overview
        2. The Code Module
        3. The Server Implementation
        4. The Client Implementation
        5. The NTLM Authentication Test
      4. Wrapping Up
    5. 14. Kerberos
      1. Interactive Authentication with Kerberos
        1. Initial User Authentication
        2. Network Service Authentication
      2. Performing Kerberos Authentication in PowerShell
      3. Decrypting the AP-REQ Message
      4. Decrypting the AP-REP Message
      5. Cross-Domain Authentication
      6. Kerberos Delegation
        1. Unconstrained Delegation
        2. Constrained Delegation
      7. User-to-User Kerberos Authentication
      8. Worked Examples
        1. Querying the Kerberos Ticket Cache
        2. Simple Kerberoasting
      9. Wrapping Up
    6. 15. Negotiate Authentication and Other Security Packages
      1. Security Buffers
        1. Using Buffers with an Authentication Context
        2. Using Buffers with Signing and Sealing
      2. The Negotiate Protocol
      3. Less Common Security Packages
        1. Secure Channel
        2. CredSSP
      4. Remote Credential Guard and Restricted Admin Mode
      5. The Credential Manager
      6. Additional Request Attribute Flags
        1. Anonymous Sessions
        2. Identity Tokens
      7. Network Authentication with a Lowbox Token
        1. Authentication with the Enterprise Authentication Capability
        2. Authentication to a Known Web Proxy
        3. Authentication with Explicit Credentials
      8. The Authentication Audit Event Log
      9. Worked Examples
        1. Identifying the Reason for an Authentication Failure
        2. Using a Secure Channel to Extract a Server’s TLS Certificate
      10. Wrapping Up
      11. Final Thoughts
  11. A: Building a Windows Domain Network for Testing
    1. The Domain Network
    2. Installing and Configuring Windows Hyper-V
    3. Creating the Virtual Machines
      1. The PRIMARYDC Server
      2. The GRAPHITE Workstation
      3. The SALESDC Server
  12. B: SDDL SID Alias Mapping
  13. Index

Product information

  • Title: Windows Security Internals
  • Author(s): James Forshaw
  • Release date: April 2024
  • Publisher(s): No Starch Press
  • ISBN: 9781718501980