Now that you’ve had some time to delve into the suggestions in the Beginners Guide to Self-Learning Windows and Active Directory Part I, we can dig a bit deeper. In this post, I’ll share some of the next steps I’ve taken in my journey in self-learning Windows and Active Directory, namely internals, protocol technical specifications and overviews, and some security.
While there has been a large shift to cloud and hybrid environments as discussed in the previous post, on-premises Windows and Active Directory are not going away. Therefore, in fashion with the previous post, this post will focus on on-premises Windows and Active Directory.
1. WINDOWS INTERNALS
Up to this point, if you followed along with Part I, you’ve spent somewhere between $300-$500 on a used server and power cord to set up your lab. Now it’s time to invest a bit more money in some books:
Inside Windows NT — This book comes in 2 editions and either is fine. If you’re anything like me, you have to go all the way back to the beginning and try to get into the mindset of the designers and developers of the first Windows NT operating system.
The Windows Internals books are extensions of Helen Custer’s first edition of Inside Windows NT. They are currently in the 7th edition, focused on Windows 10 and Server 2016. While some say the Windows Internals books are more of a developer reference, there is still much to be gained as a system administrator, security researcher, or even just a hobbyist like myself.
Windows Internals Part 1: This book focuses on system architecture, processes, threads, memory management, I/O, and security.
Windows Internals, Part 1: System architecture, processes, threads, memory management, and more
Windows Internals Part 2: This book focuses on system mechanisms, virtualization technologies, management, diagnostics, tracing, caching, file systems, startup and shutdown.
Windows Internals, Part 2 (Developer Reference)
If you can afford more Windows Internals editions, the 3rd through 6th editions cover major changes in Windows 2000, XP, 2003, Vista, Windows 7, 2008, and 2012.
One might think there cannot possibly be more to self-learning Windows and Active Directory than what’s included in Part I of this blog post and Windows Internals books, right? Wrong. We are just scratching the surface.
2. SYSINTERNALS
Now it’s time for some hands-on-keyboard hacktivities after all that reading. Fire up your lab because it’s time to have some fun!
Sysinternals - Windows Sysinternals
Open a command prompt, pick a directory, and run:
winget install sysinternals
Be sure to check out the documentation on the above page. If you prefer a companion book for these tools:
3. OPEN SPECIFICATIONS
[MS-OPENSPECLP]: Open Specifications
Beyond Windows Internals, this is where we get to the guts of Windows, Active Directory and Office. Warning: this documentation is vast. For example, the download just for the Windows Protocols technical specifications and overviews is 600MB compressed. It’s pinned to my Twitter profile:
The amount of information here can be overwhelming, so let me share with you where to start: MS-WPO and MS-DOCO. These 2 documents describe how to navigate the Windows Protocols documentation.
For Windows Protocols, the documentation is split up into Windows Technology Overviews, Windows Technical Specifications, and References.
[MS-WINPROTLP]: Windows Protocols
When exploring a particular subject, always start with the overviews:
4. IPC, LPC, ALPC, RPC, OLE, COM, DCOM, OH MY
Now we’ll briefly explore the nuts and bolts of Windows.
IPC: Short for Interprocess Communications, IPC is a blanket term describing the mechanisms by which components of Windows communicate with each other, whether it be application to application, application to kernel, computer to computer, process to process, etc.
Interprocess Communications - Win32 apps
LPC, ALPC, RPC: Acronyms for Local Procedure Call (LPC), Asynchronous Local Procedure Call (ALPC), and Remote Procedure Call (RPC), these protocols are the foundation of Windows. Other protocols are typically extensions of them. In the Windows Protocols Technical Specifications, you will find MS-RPCE which explains relationships to other Windows Protocols. Also, you may want to read Open Group’s DCE 1.1: Remote Procedure Call documentation.
A blog I really enjoyed when learning about ALPC, RPC, and IPC looks at these mechanisms from an offensive standpoint, which I highly recommend when learning any technology:
Offensive Windows IPC Internals 1: Named Pipes
Offensive Windows IPC Internals 2: RPC
Offensive Windows IPC Internals 3: ALPC
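To make the IPC discussion above concrete, here is an added example (my own, not code from the original post or from the Offensive Windows IPC Internals series) of the simplest mechanism in that series, a named pipe, shown from the defender’s side: the server creates the pipe with an explicit DACL that grants access only to the creating user’s SID, so other local accounts cannot connect to it. It targets Windows PowerShell 5.1 (.NET Framework), because the NamedPipeServerStream constructor that takes a PipeSecurity is not available in PowerShell 7; the pipe name is a constructed lab value.

```powershell
# Added example: named-pipe IPC with a restrictive DACL (Windows PowerShell 5.1).
$pipeName = 'SelfLearnLabPipe'   # constructed name for the lab; pick your own

# Build the pipe's security descriptor: only the current user's SID may read/write.
# No rule is added for Everyone, Authenticated Users or ANONYMOUS LOGON.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$sec = New-Object System.IO.Pipes.PipeSecurity
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
    $me,
    [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow)))

# Create the server end first so the pipe object exists before any client tries to connect.
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                              # one server instance
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,                                     # in/out buffer sizes
    $sec)

# The client runs in a background job, i.e. a separate process under the same user,
# which is exactly the principal the DACL above allows.
$clientJob = Start-Job -ArgumentList $pipeName -ScriptBlock {
    param($name)
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $name, [System.IO.Pipes.PipeDirection]::InOut)
    $client.Connect(10000)                          # wait up to 10 s for the server
    $writer = New-Object System.IO.StreamWriter($client); $writer.AutoFlush = $true
    $reader = New-Object System.IO.StreamReader($client)
    $writer.WriteLine('hello from client')
    $reply = $reader.ReadLine()
    $client.Dispose()
    $reply                                          # returned as the job's output
}

# Server side: accept one connection, echo back what was received, drain and close.
$server.WaitForConnection()
$reader = New-Object System.IO.StreamReader($server)
$writer = New-Object System.IO.StreamWriter($server); $writer.AutoFlush = $true
$msg = $reader.ReadLine()
$writer.WriteLine("server got: $msg")
$server.WaitForPipeDrain()
$server.Dispose()

# Print the client's view of the exchange (expected: "server got: hello from client").
Receive-Job -Job $clientJob -Wait -AutoRemoveJob
```

Once it works as the same user, rerun the client block from a second, unprivileged local account in your lab; the Connect call should fail with access denied, which is the behaviour you want to see when you later read the named-pipe post above and start reasoning about which pipes on a host accept connections from whom.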
OLE: Short for Object Linking and Embedding, you can find the technical specification for this protocol in Windows Protocols under MS-OAUT. When you think of OLE, the first thing that should come to mind is Microsoft Office and COM (see below).
[MS-WPO]: OLE Automation Protocol
COM, DCOM: COM stands for Component Object Model, and DCOM stands for Distributed Component Object Model. Both of these protocols are extensions of RPC (Remote Procedure Call), but instead of calling procedures remotely, they use objects, the basis of object-oriented programming and distributed computing in Windows today. See MS-RPCE, MS-DCOM, MS-COM+, MS-COMA, MS-COMEV, MS-COMQC, and MS-COMT.
Summary: Learning the underpinnings of the Windows operating systems is no easy task. Below are a couple of my favorite blogs for learning about these protocols in Windows. James Forshaw has been writing about these protocols (and many others) since at least 2014 and has given many conference talks available on YouTube. Also, @bohops on Twitter has been writing about abuses of these protocols for several years.
A Tale of Two .NET Methods
5. CIS BENCHMARKS AND STIGS
Some might wonder why I’m mentioning compliance tools in a guide for self-learning Windows and Active Directory. Great question. We are going to use these benchmarks as a guide in our labs to practice “securing” Windows and Active Directory.
For those readers not yet familiar with CIS: the Center for Internet Security (CIS) is a collaboration of experts resulting in guidelines (or benchmarks) for securing technology.
First, sign up to get access to the benchmarks if you don’t already have an account:
Shortly after completing this form you will get an email to log in and get access to all the benchmarks available. In the benchmarks and STIGs (Security Technical Implementation Guides), there are 4 levels of recommendations.
- Level 1: Not likely to cause utility and performance impacts in production
- Level 2: A bit more hardened and may have utility and performance impacts
- Next Generation: Likely to run into incompatibilities in production and requires a lot of testing before implementation in production
- STIG: DoD recommendations; overlap with above levels; expect utility and performance impacts
When viewing the table of contents, you may wonder what automated and manual refer to:
- Automated — audits of suggested security implementations can be automated
- Manual — audits require additional manual steps to confirm the security measures are in place
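To see what an “Automated” audit looks like in practice, here is an added example of my own (not the CIS Benchmark’s own assessment content, and not code from the original post) that checks a handful of registry-backed Security Options of the kind the Windows benchmarks cover. The registry paths and value names are the real policy locations Windows uses; the expected values are my own lab hardening assumptions and are not quoted from any particular benchmark version or level, so compare them against the PDF you downloaded before treating a FAIL as a finding.

```powershell
# Added example: a small "Automated"-style audit of registry-backed Security Options.
# Expected values are lab assumptions, not an authoritative CIS profile.
$checks = @(
    @{ Name = 'SMB server: digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client: digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'Limit local account use of blank passwords to console logon'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LimitBlankPasswordUse'; Expected = 1 },
    @{ Name = 'User Account Control: run all administrators in Admin Approval Mode'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Expected = 1 },
    @{ Name = 'LAN Manager authentication level (send NTLMv2 only, refuse LM and NTLM)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 }
)

function Test-LabBenchmark {
    param([hashtable[]]$Checks = $checks)
    foreach ($c in $Checks) {
        # A missing value is reported as "(not set)" rather than silently passing:
        # for several of these settings the OS default differs by Windows version,
        # which is exactly the kind of item the benchmark marks for explicit configuration.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Result   = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Run from an elevated prompt on a lab host and compare against the benchmark PDF.
Test-LabBenchmark | Format-Table -AutoSize
```

Items the benchmark marks “Manual” do not fit this pattern: they need a human to confirm something the registry alone cannot show (for example, that an account actually has a business justification), which is why the benchmark separates the two.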
These benchmarks are a great source of information for students and professionals alike and should be a go-to resource when exploring security implementations.
I hope you have enjoyed learning Windows and Active Directory Domain Services with me thus far. It’s been, and will continue to be, a fascinating journey.