Professional Documents
Culture Documents
(Download PDF) Windows Security Internals 1 Converted Edition James Forshaw Online Ebook All Chapter PDF
(Download PDF) Windows Security Internals 1 Converted Edition James Forshaw Online Ebook All Chapter PDF
https://textbookfull.com/product/windows-security-internals-a-
deep-dive-into-windows-authentication-authorization-and-
auditing-1-converted-edition-james-forshaw/
https://textbookfull.com/product/windows-security-internals-a-
deep-dive-into-windows-authentication-authorization-and-auditing-
for-true-epub-1st-edition-james-forshaw/
https://textbookfull.com/product/windows-internals-part-1-7th-
edition-pavel-yosifovich/
https://textbookfull.com/product/windows-internals-
part-2-developer-reference-7th-edition-russinovich/
Mastering Cloud Security Posture Management (CSPM) 1 /
converted Edition Qamar Nomani
https://textbookfull.com/product/mastering-cloud-security-
posture-management-cspm-1-converted-edition-qamar-nomani/
https://textbookfull.com/product/attacking-network-protocols-a-
hacker-s-guide-to-capture-analysis-and-exploitation-1st-edition-
james-forshaw-forshaw/
https://textbookfull.com/product/learning-
opentelemetry-1-converted-edition-ted-young/
https://textbookfull.com/product/android-software-internals-
quick-reference-a-field-manual-and-security-reference-guide-to-
java-based-android-components-1st-edition-james-stevenson/
https://textbookfull.com/product/powershell-7-workshop-1-
converted-edition-nick-parlow/
CONTENTS IN DETAIL
TITLE PAGE
COPYRIGHT
DEDICATION
ABOUT THE AUTHOR AND TECHNICAL REVIEWER
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
Who Is This Book For?
What Is in This Book?
PowerShell Conventions Used in This Book
Getting in Touch
2
THE WINDOWS KERNEL
The Windows Kernel Executive
The Security Reference Monitor
The Object Manager
Object Types
The Object Manager Namespace
System Calls
NTSTATUS Codes
Object Handles
Query and Set Information System Calls
The Input/Output Manager
The Process and Thread Manager
The Memory Manager
NtVirtualMemory Commands
Section Objects
Code Integrity
Advanced Local Procedure Call
The Configuration Manager
Worked Examples
Finding Open Handles by Name
Finding Shared Objects
Modifying a Mapped Section
Finding Writable and Executable Memory
Wrapping Up
3
USER-MODE APPLICATIONS
Win32 and the User-Mode Windows APIs
Loading a New Library
Viewing Imported APIs
Searching for DLLs
The Win32 GUI
GUI Kernel Resources
Window Messages
Console Sessions
Comparing Win32 APIs and System Calls
Win32 Registry Paths
Opening Keys
Listing the Registry’s Contents
DOS Device Paths
Path Types
Maximum Path Lengths
Process Creation
Command Line Parsing
Shell APIs
System Processes
The Session Manager
The Windows Logon Process
The Local Security Authority Subsystem
The Service Control Manager
Worked Examples
Finding Executables That Import Specific APIs
Finding Hidden Registry Keys or Values
Wrapping Up
5
SECURITY DESCRIPTORS
The Structure of a Security Descriptor
The Structure of a SID
Absolute and Relative Security Descriptors
Access Control List Headers and Entries
The Header
The ACE List
Constructing and Manipulating Security Descriptors
Creating a New Security Descriptor
Ordering the ACEs
Formatting Security Descriptors
Converting to and from a Relative Security Descriptor
The Security Descriptor Definition Language
Worked Examples
Manually Parsing a Binary SID
Enumerating SIDs
Wrapping Up
6
READING AND ASSIGNING SECURITY DESCRIPTORS
Reading Security Descriptors
Assigning Security Descriptors
Assigning a Security Descriptor During Resource Creation
Assigning a Security Descriptor to an Existing Resource
Win32 Security APIs
Server Security Descriptors and Compound ACEs
A Summary of Inheritance Behavior
Worked Examples
Finding Object Manager Resource Owners
Changing the Ownership of a Resource
Wrapping Up
7
THE ACCESS CHECK PROCESS
Running an Access Check
Kernel-Mode Access Checks
User-Mode Access Checks
The Get-NtGrantedAccess PowerShell Command
The Access Check Process in PowerShell
Defining the Access Check Function
Performing the Mandatory Access Check
Performing the Token Access Check
Performing the Discretionary Access Check
Sandboxing
Restricted Tokens
Lowbox Tokens
Enterprise Access Checks
The Object Type Access Check
The Central Access Policy
Worked Examples
Using the Get-PSGrantedAccess Command
Calculating Granted Access for Resources
Wrapping Up
8
OTHER ACCESS CHECKING USE CASES
Traversal Checking
The SeChangeNotifyPrivilege Privilege
Limited Checks
Handle Duplication Access Checks
Sandbox Token Checks
Automating Access Checks
Worked Examples
Simplifying an Access Check for an Object
Finding Writable Section Objects
Wrapping Up
9
SECURITY AUDITING
The Security Event Log
Configuring the System Audit Policy
Configuring the Per-User Audit Policy
Audit Policy Security
Configuring the Resource SACL
Configuring the Global SACL
Worked Examples
Verifying Audit Access Security
Finding Resources with Audit ACEs
Wrapping Up
11
ACTIVE DIRECTORY
A Brief History of Active Directory
Exploring an Active Directory Domain with PowerShell
The Remote Server Administration Tools
Basic Forest and Domain Information
The Users
The Groups
The Computers
Objects and Distinguished Names
Enumerating Directory Objects
Accessing Objects in Other Domains
The Schema
Inspecting the Schema
Accessing the Security Attributes
Security Descriptors
Querying Security Descriptors of Directory Objects
Assigning Security Descriptors to New Directory Objects
Assigning Security Descriptors to Existing Objects
Inspecting a Security Descriptor’s Inherited Security
Access Checks
Creating Objects
Deleting Objects
Listing Objects
Reading and Writing Attributes
Checking Multiple Attributes
Analyzing Property Sets
Inspecting Control Access Rights
Analyzing Write-Validated Access Rights
Accessing the SELF SID
Performing Additional Security Checks
Claims and Central Access Policies
Group Policies
Worked Example
Building the Authorization Context
Gathering Object Information
Running the Access Check
Wrapping Up
12
INTERACTIVE AUTHENTICATION
Creating a User’s Desktop
The LsaLogonUser API
Local Authentication
Domain Authentication
Logon and Console Sessions
Token Creation
Using the LsaLogonUser API from PowerShell
Creating a New Process with a Token
The Service Logon Type
Worked Examples
Testing Privileges and Logon Account Rights
Creating a Process in a Different Console Session
Authenticating Virtual Accounts
Wrapping Up
13
NETWORK AUTHENTICATION
NTLM Network Authentication
NTLM Authentication Using PowerShell
The Cryptographic Derivation Process
Pass-Through Authentication
Local Loopback Authentication
Alternative Client Credentials
The NTLM Relay Attack
Attack Overview
Active Server Challenges
Signing and Sealing
Target Names
Channel Binding
Worked Example
Overview
The Code Module
The Server Implementation
The Client Implementation
The NTLM Authentication Test
Wrapping Up
14
KERBEROS
Interactive Authentication with Kerberos
Initial User Authentication
Network Service Authentication
Performing Kerberos Authentication in PowerShell
Decrypting the AP-REQ Message
Decrypting the AP-REP Message
Cross-Domain Authentication
Kerberos Delegation
Unconstrained Delegation
Constrained Delegation
User-to-User Kerberos Authentication
Worked Examples
Querying the Kerberos Ticket Cache
Simple Kerberoasting
Wrapping Up
15
NEGOTIATE AUTHENTICATION AND OTHER SECURITY
PACKAGES
Security Buffers
Using Buffers with an Authentication Context
Using Buffers with Signing and Sealing
The Negotiate Protocol
Less Common Security Packages
Secure Channel
CredSSP
Remote Credential Guard and Restricted Admin Mode
The Credential Manager
Additional Request Attribute Flags
Anonymous Sessions
Identity Tokens
Network Authentication with a Lowbox Token
Authentication with the Enterprise Authentication Capability
Authentication to a Known Web Proxy
Authentication with Explicit Credentials
The Authentication Audit Event Log
Worked Examples
Identifying the Reason for an Authentication Failure
Using a Secure Channel to Extract a Server’s TLS Certificate
Wrapping Up
Final Thoughts
A
BUILDING A WINDOWS DOMAIN NETWORK FOR TESTING
The Domain Network
Installing and Configuring Windows Hyper-V
Creating the Virtual Machines
The PRIMARYDC Server
The GRAPHITE Workstation
The SALESDC Server
B
SDDL SID ALIAS MAPPING
INDEX
WINDOWS SECURITY
INTERNALS
A Deep Dive into Windows
Authentication, Authorization, and
Auditing
by James Forshaw
San Francisco
WINDOWS SECURITY INTERNALS. Copyright © 2024 by James Forshaw.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying, recording, or by any information storage or
retrieval system, without the prior written permission of the copyright owner and the publisher.
First printing
ISBN-13: 978-1-7185-0198-0 (print)
ISBN-13: 978-1-7185-0199-7 (ebook)
Published by No Starch Press®, Inc.
245 8th Street, San Francisco, CA 94103
phone: +1.415.863.9900
www.nostarch.com; info@nostarch.com
Publisher: William Pollock
Managing Editor: Jill Franklin
Production Manager: Sabrina Plomitallo-González
Production Editor: Sydney Cromwell
Developmental Editors: Alex Freed and Frances Saux
Cover Illustrator: Garry Booth
Interior Design: Octopod Studios
Technical Reviewer: Lee Holmes
Copyeditor: Rachel Head
Proofreader: Audrey Doyle
Indexer: BIM Creatives, LLC
Library of Congress Cataloging-in-Publication Data
Name: Forshaw, James, author.
Title: Windows security internals / James Forshaw.
Description: San Francisco : No Starch Press, [2024] | Includes index. | Identifiers:
LCCN 2023040842 (print) | LCCN 2023040843 (ebook) | ISBN 9781718501980 (print) |
ISBN 9781718501997 (ebook)
Subjects: LCSH: Computer security. | Microsoft Windows (Computer file) | Computer
networks—Security measures.
Classification: LCC QA76.9.A25 F65655 2024 (print) | LCC QA76.9.A25 (ebook) | DDC
005.8—dc23/eng/20231208
LC record available at https://lccn.loc.gov/2023040842
LC ebook record available at https://lccn.loc.gov/2023040843
For customer service inquiries, please contact info@nostarch.com. For information on distribution,
bulk sales, corporate sales, or translations: sales@nostarch.com. For permission to translate this work:
rights@nostarch.com. To report counterfeit copies or piracy: counterfeit@nostarch.com.
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other
product and company names mentioned herein may be the trademarks of their respective owners.
Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the
names only in an editorial fashion and to the benefit of the trademark owner, with no intention of
infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every
precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc.
shall have any liability to any person or entity with respect to any loss or damage caused or alleged to
be caused directly or indirectly by the information contained in it.
Dedicated to my amazing wife, Huayi, and my little Jacob, without whom I
would never get anything done.
About the Author
James Forshaw is a renowned computer security expert on Google’s Project
Zero team. In his more than 20 years of experience analyzing and exploiting
security issues in Microsoft Windows and other products, he has discovered
hundreds of publicly disclosed vulnerabilities in Microsoft platforms. Others
frequently cite his research, which he presents in blogs, on the world stage, or
through novel tooling, and he has inspired numerous researchers in the
industry. When not breaking the security of other products, James works as a
defender, advising teams on their security design and improving the
Chromium Windows sandbox to secure billions of users worldwide.
A Microsoft Technical Fellow once told me he had never met someone who
understood how the security of the Windows operating system actually
worked. While I don’t think he was right (and plan to send him a copy of this
book to prove it), he had a point. Though critical, there is no doubt that
Windows security is complex.
One of the reasons for this is related to the core architectural difference
between Linux and Windows. Linux is a file-oriented operating system,
while Windows is API oriented, and though APIs can provide a much richer
set of capabilities, they come at the expense of simplicity. So, exploring an
API-oriented operating system is more difficult. You need to read the API
documentation, write code, compile and run it, and debug the results.
This is a very time-consuming loop, and it’s why so few people have a
deep understanding of how Windows security works—it’s just too hard to
explore.
It was because of these problems that I invented PowerShell. I wanted
administrators to automate Windows and had originally tried to do so by
distributing Unix tools for free. (Remember Windows Services for Unix?)
This failed because Unix tools work on files, while everything important in
Windows lives behind an API. Thus, awk didn’t work against the registry,
grep didn’t work against Windows Management Instrumentation (WMI), sed
didn’t work against Active Directory, and so on. What we needed was an
API-oriented command line interface and scripting tool. So, I created
PowerShell.
Today, James is using PowerShell to address the difficulty of acquiring
Windows security expertise; he has made the system explorable. Step one:
install his PowerShell module, NTObjectManager, which provides over 550
cmdlets to experiment with all aspects of Windows security. This hands-on
exploration will allow you to understand how things really work.
This book belongs on the desk of every security professional and
developer working with Windows security. Part I provides an overview of
Windows security’s architecture, Part II covers the details of the operating
system’s security mechanisms and services, and Part III explores the various
aspects of Windows authentication. Each chapter includes a set of
PowerShell examples.
I strongly encourage you to follow the examples provided; exploration
turns words into experience, and experience is the foundation of competence.
Run the commands, make intentional mistakes, and see what errors you get.
In doing so, you’ll acquire a deep understanding of the system.
And trust me: it will be fun.
Jeffrey Snover
Inventor of PowerShell, former chief architect for Windows Server, and
former Microsoft Technical Fellow
1
SETTING UP A POWERSHELL TESTING
ENVIRONMENT