Guide to Self-Learning Windows and Active Directory: Part II

June 2022

Now that you’ve had some time to delve into the suggestions in the Beginners Guide to Self-Learning Windows and Active Directory Part I, we can dig a bit deeper. In this post, I’ll share some of the next steps I’ve taken in my journey in self-learning Windows and Active Directory, namely internals, protocol technical specifications and overviews, and some security.

While there has been a large shift to cloud and hybrid environments as discussed in the previous post, on-premises Windows and Active Directory are not going away. Therefore, in fashion with the previous post, this post will focus on on-premises Windows and Active Directory.


Up to this point if following along with Part I, you’ve spent somewhere between $300-$500 for a used server and power cord to set up your lab. Now it’s time to invest a bit more money in some books:

Inside Windows NT — This book comes in 2 editions and either is fine. If you’re anything like me, I have to go all the way back to the beginning and try to get into the mindset of the designers and developers of the first Windows NT operating system.

The Windows Internals books are extensions on Helen Custer’s first edition of Inside Windows NT. They are currently in the 7th edition focused on Windows 10 and Server 2016. While some say the Windows Internals books are more of a developer reference, there is still much to be gained as a system administrator, security researcher, or even just a hobbyist like myself.

Windows Internals Part 1: This book focuses on system architecture, processes, threads, memory management, IO, and Security.

Windows Internals Part 2: This book focuses on system mechanisms, virtualization technologies, management, diagnostics, tracing, caching, file systems, startup and shutdown.

If you can afford more Windows Internals editions, the 3rd through 6th editions cover major changes in Windows 2000, XP, 2003, Vista, Windows 7, 2008, and 2012.

One might think there cannot possibly be more to self-learning Windows and Active Directory than what’s included in Part I of this blog post and Windows Internals books, right? Wrong. We are just scratching the surface.


Now it’s time for some hands on keyboard hacktivities after all that reading. Fire up your lab because it’s time to have some fun!

Open a command prompt, pick a directory, and run:

winget install sysinternals

Be sure to check out the documentation on the above page. If you prefer a companion book for these tools:


Outside of Windows Internals, now we’re getting to the guts of Windows, Active Directory and Office. Warning: This documentation is vast. For example, the download just for Windows Protocol technical specifications and overviews is 600MB compressed. It’s pinned to my Twitter profile:

The amount of information here can be overwhelming, so let me share with you where to start: MS-WPO and MS-DOCO. These 2 documents describe how to navigate the Windows Protocols documentation.

For Windows Protocols, the documentation is split up into Windows Technology Overviews, Windows Technical Specifications, and References.

When exploring a particular subject, always start with the overviews:


Now we’ll briefly explore the nuts and bolts of Windows.

IPC: Short for Interprocess Communications, IPC is a blanket term describing the mechanisms by which components of Windows communicate with each other, whether it be application to application, application to kernel, computer to computer, process to process, etc.

LPC, ALPC, RPC: Acronyms for Local Procedure Call (LPC), Asynchronous Local Procedure Call (ALPC), and Remote Procedure Call (RPC), these protocols are the foundation of Windows. Other protocols are typically extensions of them. In the Windows Protocols Technical Specifications, you will find MS-RPCE which explains relationships to other Windows Protocols. Also, you may want to read Open Group’s DCE 1.1: Remote Procedure Call documentation.

A blog I really enjoyed when learning about ALPC, RPC, and IPC looks at these mechanisms from an offensive standpoint, which I highly recommend when learning any technology:

OLE: Short for Object Linking and Embedding, you can find the technical specification for this protocol in Windows Protocols under MS-OAUT. When you think of OLE, the first thing that should come to mind is Microsoft Office and COM (see below).

COM, DCOM: COM stands for Component Object Model, and DCOM stands for Distributed Component Object Model. Both of these protocols are extensions of RPC (Remote Procedure Protocol), but instead of calling procedures remotely, they use objects, the basis of object oriented programming and distributed computing in Windows today. See MS-RPCE, MS-DCOM, MS-COM+, MS-COMA, MS-COMEV, MS-COMQC, and MS-COMT.

Summary: Learning the underpinnings of the Windows operating systems is no easy task. Below are a couple of my favorite blogs for learning about these protocols in Windows. James Foreshaw has been writing about these protocols (and many others) since at least 2014 and has given many conference talks available on Youtube. Also, @bohops on Twitter has been writing about abuses of these protocols for several years.


Some might wonder why I’m mentioning compliance tools in a guide for self-learning Windows and Active Directory. Great question. We are going to use these benchmarks as a guide in our labs to practice “securing” Windows and Active Directory.

For those readers not yet familiar with CIS: Center for Internet Security (CIS), is a collaboration of experts resulting in guidelines (or benchmarks) for securing technology.

First, sign up to get access to benchmarks if you don’t already have an account:

Shortly after completing this form you will get an email to login and get access to all the benchmarks available. In the STIGs (Security Technical Information Guide), there are 4 levels of recommendations.

  • Level 1: Not likely to cause utility and performance impacts in production
  • Level 2: A bit more hardened and may have utility and performance impacts
  • Next Generation: Likely to run into incompatibilities in production and requires a lot of testing before implementation in production
  • STIG: DoD recommendations; overlap with above levels; expect utility and performance impacts

When viewing the table of contents, you may wonder what automated and manual refer to:

  • Automated — audits of suggested security implementations can be automated
  • Manual — audits require additional manual steps to confirm the security measures are in place

These benchmarks are a great source of information for students and professionals alike and should be a go to resource when exploring security implementations.

I hope you have enjoyed learning Windows and Active Directory Domain Services with me thus far. It’s been, and will continue to be, a fascinating journey.



Security Consultant

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store