Windows Security Internals

A Deep Dive into Windows Authentication, Authorization, and Auditing
by James Forshaw
April 2024, 608 pp.

Download Chapter 5: Security Descriptors

Windows Security Internals is a must-have for anyone needing to understand the Windows operating system’s low-level implementations, whether to discover new vulnerabilities or protect against known ones. Developers, devops, and security researchers will all find unparalleled insight into the operating system’s key elements and weaknesses, surpassing even Microsoft’s official documentation.

Author James Forshaw teaches through meticulously crafted PowerShell examples that can be experimented with and modified, covering everything from basic resource security analysis to advanced techniques like using network authentication. The examples will help you actively test and manipulate system behaviors, learn how Windows secures files and the registry, re-create from scratch how the system grants access to a resource, learn how Windows implements authentication both locally and over a network, and much more.

You’ll also explore a wide range of topics, such as:

  • Windows security architecture, including both the kernel and user-mode applications
  • The Windows Security Reference Monitor (SRM), including access tokens, querying and setting a resource’s security descriptor, and access checking and auditing
  • Interactive Windows authentication and credential storage in the Security Account Manager (SAM) and Active Directory
  • Mechanisms of network authentication protocols, including NTLM and Kerberos


In an era of sophisticated cyberattacks on Windows networks, mastering the operating system’s complex security mechanisms is more crucial than ever. Whether you’re defending against the latest cyber threats or delving into the intricacies of Windows security architecture, you’ll find Windows Security Internals indispensable in your efforts to navigate the complexities of today’s cybersecurity landscape.

Author Bio

James Forshaw is a renowned computer security expert on Google’s Project Zero team. In his more than 20 years of experience analyzing and exploiting security issues in Microsoft Windows and other products, he has discovered hundreds of publicly disclosed vulnerabilities in Microsoft platforms. Others frequently cite his research, which he presents in blogs, on the world stage, or through novel tooling, and he has inspired numerous researchers in the industry. When not breaking the security of other products, James works as a defender, advising teams on their security design and improving the Chromium Windows sandbox to secure billions of users worldwide. He’s also the author of Attacking Network Protocols (No Starch Press).

Table of Contents

Part I
Chapter 1. Setting Up a PowerShell Testing Environment
Chapter 2. The Windows Kernel
Chapter 3. User-Mode Applications
Part II
Chapter 4. Security Access Tokens
Chapter 5. Security Descriptors
Chapter 6. Reading and Assigning Security Descriptors
Chapter 7. Access Checking
Chapter 8. Other Access Checking Use Cases
Chapter 9. Security Auditing
Part III
Chapter 10. Windows Authentication
Chapter 11. Active Directory
Chapter 12. Interactive Authentication
Chapter 13. Network Authentication
Chapter 14. Kerberos
Chapter 15. Negotiate Authentication and Other Security Packages
Appendix A: Building a Windows Domain Network for Testing
Appendix B: SDDL SID Alias Mapping

"This book . . . belongs on the desk of every security professional and developer working with Windows security."
—Jeffrey Snover, Inventor of PowerShell | former Chief Architect for Windows Server

"James Forshaw’s understanding of Windows Security rivals that of some of our best security teams roaming throughout Microsoft. Windows Security Internals hits the mark for being an easy-to-read introductory text and equally advanced to teach even the best security folks a thing or two. This book should be required reading for anyone interested in understanding Windows Security and will be required reading for everyone on our team in the Windows Security org."
—Steve Syfuhs, Principal Developer, Windows Authentication, at Microsoft

"An invaluable gem of a book! Highly recommended for every security researcher or enthusiast who wants to understand the as-yet-undocumented security perks of the Windows operating system. James is a fountain of knowledge; he explains clearly and concisely, but also in great detail, what you ever wanted to know about Windows security internals."
—Miriam C. Wiesner, Sr. Security Researcher at Microsoft, author of PowerShell Automation and Scripting for Cybersecurity

Extra Stuff

All of the code listings from the book are available from the author's GitHub page.