116 CHAPTER 4 | Security and identity
New fields in the process creation event
Event ID 4688 (the process creation event) has been updated to include more verbose information to make it easier to analyze. The following fields have been added to event 4688:
TargetUserSid (String): The SID of the target principal.
TargetUserName (String): The account name of the target user.
TargetDomainName (String): The domain of the target user.
TargetLogonId (String): The logon ID of the target user.
ParentProcessName (String): The name of the creator process.
ParentProcessId (String): A pointer to the actual parent process if it's different from the creator process.
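As an added example (not code from the book), the following Python reads a constructed event 4688 record in the Windows event XML format, extracts the fields listed above, and reports when the target account differs from the subject account or when the recorded parent is not the creator process. The computer name, SIDs, logon IDs and process names in the sample are constructed values.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Field names added to event 4688, as listed in the text above.
NEW_FIELDS = ("TargetUserSid", "TargetUserName", "TargetDomainName",
              "TargetLogonId", "ParentProcessName", "ParentProcessId")
# Constructed sample record (all values are made up for illustration).
SAMPLE_4688 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4688</EventID><Computer>DC01.example.test</Computer></System>
 <EventData>
  <Data Name="SubjectUserSid">S-1-5-21-1000-2000-3000-1104</Data>
  <Data Name="SubjectUserName">alice</Data>
  <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
  <Data Name="ProcessId">0x1a4</Data>
  <Data Name="TargetUserSid">S-1-5-21-1000-2000-3000-500</Data>
  <Data Name="TargetUserName">Administrator</Data>
  <Data Name="TargetDomainName">EXAMPLE</Data>
  <Data Name="TargetLogonId">0x3e7a1</Data>
  <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  <Data Name="ParentProcessId">0x9c0</Data>
 </EventData>
</Event>"""

def parse_4688(xml_text):
    """Return the EventData fields of a 4688 record as a dict, or None if not 4688."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return data

def review_4688(rec):
    """Return a list of findings derived from the new 4688 fields."""
    findings = []
    missing = [f for f in NEW_FIELDS if f not in rec]
    if missing:  # record from an older schema: the new fields are absent
        findings.append("missing new fields: " + ", ".join(missing))
        return findings
    # Target SID differing from the subject SID: the new process runs under a
    # different account than the one that created it.
    if rec["TargetUserSid"] != rec.get("SubjectUserSid", ""):
        findings.append(f"process runs as {rec['TargetDomainName']}\\{rec['TargetUserName']}, "
                        f"created by {rec.get('SubjectUserName', '?')}")
    # ParentProcessId points at the real parent when it differs from the creator (ProcessId).
    if rec["ParentProcessId"] != rec.get("ProcessId", ""):
        findings.append(f"creator {rec.get('ProcessId')} is not the parent "
                        f"{rec['ParentProcessId']} ({rec['ParentProcessName']})")
    return findings
```

Calling `review_4688(parse_4688(SAMPLE_4688))` on the constructed record yields two findings: the target account differs from the subject, and the creator differs from the parent.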
Security Account Manager (SAM) events
New SAM events were added to cover SAM APIs that perform read/query
operations. In previous versions of Windows, only write operations were
audited. The new events are event ID 4798 and event ID 4799. The following
APIs are now audited:
SamrEnumerateGroupsInDomain
SamrEnumerateUsersInDomain
SamrEnumerateAliasesInDomain
SamrGetAliasMembership
SamrLookupNamesInDomain
SamrLookupIdsInDomain
SamrQueryInformationUser
SamrQueryInformationGroup
SamrQueryInformationUserAlias
SamrGetMembersInGroup
SamrGetMembersInAlias
SamrGetUserDomainPasswordInformation
Boot Configuration Database (BCD) events
Event ID 4826 has been added to track the following changes to the BCD:
DEP/NEX settings
Test signing
PCAT
SB simulation
Debug
Boot debug
Integrity Services
Disable Winload debugging menu
PNP Events
Event ID 6416 has been added to track when an external device is detected through plug-and-play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn't expect this type of action, such as a domain controller.
Securing privileged access
In this section, we are going to explore a few concepts regarding securing privileged access. First we
are going to dive into the concepts of Just-in-Time and Just Enough Administration. Then, we are
going to explain how you combine all of the tools and technologies we have discussed in this chapter
into an implementation strategy for your organization.
Just-in-Time and Just Enough Administration
Just-in-Time (JIT) administration is a fairly basic concept: the principle is that we evolve to a state in which there are no full-time administrators, or, more specifically, we have no accounts that have full-time administrator privileges. Rather, through a simple process, the privileges required are requested just before they are actually needed, then approved, and then granted to the account for a specific time period. This ensures that the task can be carried out successfully with the correct amount of privileges for the allotted time. JIT works in conjunction with Just Enough Administration (JEA) to secure the correct privileges. In Windows Server 2016, these technologies are combined to provide Privileged Access Management (PAM).