
Windows Security Internals
A Deep Dive into Windows Authentication, Authorization, and Auditing
Forshaw takes apart the Windows security model from the SRM and access tokens up through Kerberos, with live PowerShell you can run against your own machine. The most authoritative single source on how Windows actually decides who can do what.
- Authors: James Forshaw
- Published: 2024
- Publisher: No Starch Press
- Pages: 608
- Language: English
Prerequisites
Comfort with Windows internals concepts and PowerShell. Not a first security book; you should already know what a SID and an access token are.
Read this if
Vulnerability researchers, red teamers, and platform security engineers who need ground truth on tokens, SDs, logon, and the kernel security reference monitor.
Skip this if
Anyone after a high-level overview or defensive playbook. This is mechanism, not policy, and it assumes you want to read SDDL by hand.
Key takeaways
- Windows authorization is one coherent system once you see the SRM, tokens, and security descriptors as a single pipeline.
- The author's NtObjectManager PowerShell toolkit turns abstract security theory into something you can poke at interactively.
- Most Windows privilege-escalation bugs come from misunderstanding this model, not from exotic memory corruption.
Notes
Written by the Project Zero researcher who has filed more Windows logical bugs than almost anyone alive, and it shows in the precision. Where Russinovich tells you what the system does, Forshaw shows you how to interrogate it yourself with PowerShell, which is the difference between knowing and being able to find bugs. Dense and demanding, but there is no closer thing to a source of truth for Windows access control.
What to read before
Intermediate · 2011
A Bug Hunter's Diary
Tobias Klein walks through seven real vulnerabilities he found and exploited, written up as personal lab notes: what he tried, what failed, and what eventually shipped to vendors.
Intermediate · 2008
Hacking: The Art of Exploitation
A from-first-principles tour of low-level exploitation that still teaches the mindset two decades later.
Intermediate · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
What to read next
Advanced · 2017
Windows Internals, Part 1
The canonical Microsoft Press reference on Windows internals: how processes, threads, memory and system services are actually implemented in the modern Windows kernel. User-mode focus in this volume.
Advanced · 2017
Attacking Network Protocols
James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.
Advanced · 2006
The Art of Software Security Assessment
The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.
Explore similar books
Advanced · 2017
Windows Internals, Part 1
The canonical Microsoft Press reference on Windows internals: how processes, threads, memory and system services are actually implemented in the modern Windows kernel. User-mode focus in this volume.
Intermediate · 2011
A Bug Hunter's Diary
Tobias Klein walks through seven real vulnerabilities he found and exploited, written up as personal lab notes: what he tried, what failed, and what eventually shipped to vendors.
Advanced · 2017
Attacking Network Protocols
James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.