Edition: 1
Authors: James Forshaw
Series:
ISBN: 1718501986, 9781718501997
Publisher: No Starch Press
Year of publication: 2024
Number of pages: 611
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 at the user's request)
File size: 6 MB
If you need the file of the book Windows Security Internals: A Deep Dive into Windows Authentication, Authorization, and Auditing converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support so that they convert the file for you.
Note that the book Windows Security Internals: A Deep Dive into Windows Authentication, Authorization, and Auditing is the original-language edition and is not a Persian translation. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Cover Title Page Copyright Dedication About the Author About the Technical Reviewer Brief Contents Contents in Detail Foreword Acknowledgments
Introduction Who Is This Book For? What Is in This Book? PowerShell Conventions Used in This Book Getting in Touch
Part I: An Overview of the Windows Operating System
1. Setting up a PowerShell Testing Environment Choosing a PowerShell Version Configuring PowerShell An Overview of the PowerShell Language Understanding Types, Variables, and Expressions Executing Commands Discovering Commands and Getting Help Defining Functions Displaying and Manipulating Objects Filtering, Ordering, and Grouping Objects Exporting Data Wrapping Up
2. The Windows Kernel The Windows Kernel Executive The Security Reference Monitor The Object Manager Object Types The Object Manager Namespace System Calls NTSTATUS Codes Object Handles Query and Set Information System Calls The Input/Output Manager The Process and Thread Manager The Memory Manager NtVirtualMemory Commands Section Objects Code Integrity Advanced Local Procedure Call The Configuration Manager Worked Examples Finding Open Handles by Name Finding Shared Objects Modifying a Mapped Section Finding Writable and Executable Memory Wrapping Up
3. User-Mode Applications Win32 and the User-Mode Windows APIs Loading a New Library Viewing Imported APIs Searching for DLLs The Win32 GUI GUI Kernel Resources Window Messages Console Sessions Comparing Win32 APIs and System Calls Win32 Registry Paths Opening Keys Listing the Registry’s Contents DOS Device Paths Path Types Maximum Path Lengths Process Creation Command Line Parsing Shell APIs System Processes The Session Manager The Windows Logon Process The Local Security Authority Subsystem The Service Control Manager Worked Examples Finding Executables That Import Specific APIs Finding Hidden Registry Keys or Values Wrapping Up
Part II: The Windows Security Reference Monitor
4. Security Access Tokens Primary Tokens Impersonation Tokens Security Quality of Service Explicit Token Impersonation Converting Between Token Types Pseudo Token Handles Token Groups Enabled, EnabledByDefault, and Mandatory LogonId Owner UseForDenyOnly Integrity and IntegrityEnabled Resource Device Groups Privileges Sandbox Tokens Restricted Tokens Write-Restricted Tokens AppContainer and Lowbox Tokens What Makes an Administrator User? User Account Control Linked Tokens and Elevation Type UI Access Virtualization Security Attributes Creating Tokens Token Assignment Assigning a Primary Token Assigning an Impersonation Token Worked Examples Finding UI Access Processes Finding Token Handles to Impersonate Removing Administrator Privileges Wrapping Up
5. Security Descriptors The Structure of a Security Descriptor The Structure of a SID Absolute and Relative Security Descriptors Access Control List Headers and Entries The Header The ACE List Constructing and Manipulating Security Descriptors Creating a New Security Descriptor Ordering the ACEs Formatting Security Descriptors Converting to and from a Relative Security Descriptor The Security Descriptor Definition Language Worked Examples Manually Parsing a Binary SID Enumerating SIDs Wrapping Up
6. Reading and Assigning Security Descriptors Reading Security Descriptors Assigning Security Descriptors Assigning a Security Descriptor During Resource Creation Assigning a Security Descriptor to an Existing Resource Win32 Security APIs Server Security Descriptors and Compound ACEs A Summary of Inheritance Behavior Worked Examples Finding Object Manager Resource Owners Changing the Ownership of a Resource Wrapping Up
7. The Access Check Process Running an Access Check Kernel-Mode Access Checks User-Mode Access Checks The Get-NtGrantedAccess PowerShell Command The Access Check Process in PowerShell Defining the Access Check Function Performing the Mandatory Access Check Performing the Token Access Check Performing the Discretionary Access Check Sandboxing Restricted Tokens Lowbox Tokens Enterprise Access Checks The Object Type Access Check The Central Access Policy Worked Examples Using the Get-PSGrantedAccess Command Calculating Granted Access for Resources Wrapping Up
8. Other Access Checking Use Cases Traversal Checking The SeChangeNotifyPrivilege Privilege Limited Checks Handle Duplication Access Checks Sandbox Token Checks Automating Access Checks Worked Examples Simplifying an Access Check for an Object Finding Writable Section Objects Wrapping Up
9. Security Auditing The Security Event Log Configuring the System Audit Policy Configuring the Per-User Audit Policy Audit Policy Security Configuring the Resource SACL Configuring the Global SACL Worked Examples Verifying Audit Access Security Finding Resources with Audit ACEs Wrapping Up
Part III: The Local Security Authority and Authentication
10. Windows Authentication Domain Authentication Local Authentication Enterprise Network Domains Domain Forests Local Domain Configuration The User Database The LSA Policy Database Remote LSA Services The SAM Remote Service The Domain Policy Remote Service The SAM and SECURITY Databases Accessing the SAM Database Through the Registry Inspecting the SECURITY Database Worked Examples RID Cycling Forcing a User’s Password Change Extracting All Local User Hashes Wrapping Up
11. Active Directory A Brief History of Active Directory Exploring an Active Directory Domain with PowerShell The Remote Server Administration Tools Basic Forest and Domain Information The Users The Groups The Computers Objects and Distinguished Names Enumerating Directory Objects Accessing Objects in Other Domains The Schema Inspecting the Schema Accessing the Security Attributes Security Descriptors Querying Security Descriptors of Directory Objects Assigning Security Descriptors to New Directory Objects Assigning Security Descriptors to Existing Objects Inspecting a Security Descriptor’s Inherited Security Access Checks Creating Objects Deleting Objects Listing Objects Reading and Writing Attributes Checking Multiple Attributes Analyzing Property Sets Inspecting Control Access Rights Analyzing Write-Validated Access Rights Accessing the SELF SID Performing Additional Security Checks Claims and Central Access Policies Group Policies Worked Example Building the Authorization Context Gathering Object Information Running the Access Check Wrapping Up
12. Interactive Authentication Creating a User’s Desktop The LsaLogonUser API Local Authentication Domain Authentication Logon and Console Sessions Token Creation Using the LsaLogonUser API from PowerShell Creating a New Process with a Token The Service Logon Type Worked Examples Testing Privileges and Logon Account Rights Creating a Process in a Different Console Session Authenticating Virtual Accounts Wrapping Up
13. Network Authentication NTLM Network Authentication NTLM Authentication Using PowerShell The Cryptographic Derivation Process Pass-Through Authentication Local Loopback Authentication Alternative Client Credentials The NTLM Relay Attack Attack Overview Active Server Challenges Signing and Sealing Target Names Channel Binding Worked Example Overview The Code Module The Server Implementation The Client Implementation The NTLM Authentication Test Wrapping Up
14. Kerberos Interactive Authentication with Kerberos Initial User Authentication Network Service Authentication Performing Kerberos Authentication in PowerShell Decrypting the AP-REQ Message Decrypting the AP-REP Message Cross-Domain Authentication Kerberos Delegation Unconstrained Delegation Constrained Delegation User-to-User Kerberos Authentication Worked Examples Querying the Kerberos Ticket Cache Simple Kerberoasting Wrapping Up
15. Negotiate Authentication and other Security Packages Security Buffers Using Buffers with an Authentication Context Using Buffers with Signing and Sealing The Negotiate Protocol Less Common Security Packages Secure Channel CredSSP Remote Credential Guard and Restricted Admin Mode The Credential Manager Additional Request Attribute Flags Anonymous Sessions Identity Tokens Network Authentication with a Lowbox Token Authentication with the Enterprise Authentication Capability Authentication to a Known Web Proxy Authentication with Explicit Credentials The Authentication Audit Event Log Worked Examples Identifying the Reason for an Authentication Failure Using a Secure Channel to Extract a Server’s TLS Certificate Wrapping Up Final Thoughts
A: Building a Windows Domain Network for Testing The Domain Network Installing and Configuring Windows Hyper-V Creating the Virtual Machines The PRIMARYDC Server The GRAPHITE Workstation The SALESDC Server
B: SDDL SID Alias Mapping
Index