Windows Security Internals

A Deep Dive into Windows Authentication, Authorization, and Auditing

by James Forshaw

March 2024, 608 pp.

ISBN-13:

9781718501980

Download Chapter 5: Security Descriptors

Look Inside!

Windows Security Internals pages 246-247

Windows Security Internals pages 434-435

Learn the core components and features of the Microsoft Windows threat-mitigation system from one of the world’s foremost Windows security experts—and Microsoft’s top bug hunter—James Forshaw. In this hands-on guidebook, Forshaw distills his more than 20 years of knowledge and practical experience working with Windows security, describing the system in greater depth than any ever before.In-depth technical discussions are rounded out with l real-world examples that not only demonstrate how to use PowerShell in security work, but let you explore Windows security features for yourself as you follow along in the text.

Early chapters cover the basics, including best practices for setting up a PowerShell environment, understanding the Windows kernel interface, and working within the security reference monitor. As you progress to more advanced topics, Forshaw walks you through highly relevant case studies, as well as the implementation of complex processes like access checking and network authentication. In addition, there are example scripts using the PowerShell scripting language throughout, which can be used to test the behavior of Windows systems and, in turn, enable you to explore their security without needing a compiler or other development tools.

Essential for anyone who works with Windows security, this book dives deeper into core components of the system than even Microsoftʼs own documentation.

Author Bio

James Forshaw is a renowned computer security expert on Google’s Project Zero team. In his more than 20 years of experience analyzing and exploiting security issues in Microsoft Windows and other products, he has discovered hundreds of publicly disclosed vulnerabilities in Microsoft platforms. Others frequently cite his research, which he presents in blogs, on the world stage, or through novel tooling, and he has inspired numerous researchers in the industry. When not breaking the security of other products, James works as a defender, advising teams on their security design and improving the Chromium Windows sandbox to secure billions of users worldwide. He’s also the author of Attacking Network Protocols (No Starch Press).

Table of contents

Foreword
Acknowledgments
Introduction
Part I
Chapter 1. Setting Up a PowerShell Testing Environment
Chapter 2. The Windows Kernel
Chapter 3. User-Mode Applications
Part II
Chapter 4. Security Access Tokens
Chapter 5. Security Descriptors
Chapter 6. Reading and Assigning Security Descriptors
Chapter 7. Access Checking
Chapter 8. Other Access Checking Use Cases
Chapter 9. Security Auditing
Part III
Chapter 10. Windows Authentication
Chapter 11. Active Directory
Chapter 12. Interactive Authentication
Chapter 13. Network Authentication
Chapter 14. Kerberos
Chapter 15. Negotiate Authentication and Other Security Packages
Appendix A: Building a Windows Domain Network for Testing
Appendix B: SDDL SID Alias Mapping
Index

The chapters in red are included in this Early Access PDF.

Reviews

"This book . . . belongs on the desk of every security professional and developer working with Windows security."

—Jeffrey Snover, Inventor of PowerShell | former Chief Architect for Windows Server

"James Forshaw’s understanding of Windows Security rivals that of some of our best security teams roaming throughout Microsoft. Windows Security Internals hits the mark for being an easy-to-read introductory text and equally advanced to teach even the best security folks a thing or two. This book should be required reading for anyone interested in understanding Windows Security and will be required reading for everyone on our team in the Windows Security org."

—Steve Syfuhs, Principal Developer, Windows Authentication, at Microsoft