SEC240 - Windows Security Internals

Security is one of the most important responsibilities of a multi-user operating system. Windows provides an enormous number of security features, many of them added quite recently and many still unknown to users and system administrators. This seminar presents the security features of Windows in "internals" terms, covering not only the administrator-level controls but also their internal implementation, their visibility, and the tradeoffs of their use.

Level: Intermediate
Audience:

Applications developers; systems software developers; system administrators; system integrators; hardware OEMs; I.T. support personnel.

Description:

This seminar provides a comprehensive analysis of the functionality, internal design, and implementation of the security components of modern Windows operating systems.

We will first describe the most frequent methods of attack, such as malware, malicious web sites, network attacks, poorly written applications and drivers, and stolen data, and Microsoft’s responses to mitigate those attacks. We will show how the security features in Windows address these threats. We will also show how to protect and control users from an administrative perspective.

We will then show how security is implemented, describing the major operating system components that provide security services, such as the Object Manager, Security Reference Monitor, LSASS, Security Account Manager, Memory Manager, Active Directory, and Kernel Patch Protection (PatchGuard).

We provide detailed descriptions of the internal operation of some of the most important security mechanisms in Windows, such as: File and Object security, Mandatory Integrity Controls, BitLocker, Encrypting File System, Address Space Layout Randomization, Information Rights Management, Rights Management Service, Certificate Management, and Service security.

Claims-based security (part of dynamic access control) is one of the most powerful and important features added to Windows security in the last decade. Claims provide an expression-based mechanism for making authorization decisions instead of relying on group membership alone, allowing you to specify not only which users are allowed to access a file (or any other object), but also how the user logged on (smart card, password, biometrics, etc.) and any other properties that you desire.

This seminar will include the security enhancements in the latest released versions of Windows (Windows 10 and Server 2012 R2).

Topics:
  • Security threats and responses
  • Windows security features
    • Discretionary access controls
    • Mandatory integrity controls
    • Claims-based access controls
    • Kernel patch protection
    • Windows cryptography
    • BitLocker
    • Address Space Layout Randomization
    • Information Rights Management
    • Certificate Management
    • Service security
  • Windows security components and operation
    • Object Manager
    • Security Reference Monitor
    • Local Security Authentication Subsystem
    • Security Account Manager
    • Memory Manager
    • Active Directory
  • Security internals
  • Monitoring and auditing security
  • Secure startup
  • Windows Security Guide
  • Security design lifecycle
  • Windows 10 security enhancements

Prerequisites:

All attendees must have attended one of our Windows Internals seminars, or have equivalent experience. This seminar builds on, and does not repeat, material presented in our Windows Internals seminars.

Operating systems supported: Windows Vista through Windows 10/Windows Server 2012 R2

Durations and formats:
  • 4 days with labs
  • 3 days lecture only

Labs:

We strongly recommend the hands-on labs version of this seminar:

As in all of our seminars, we have carefully designed a series of demonstrations, lab exercises, and problems that illustrate, help present, and build on the information presented. For this seminar, we follow nearly every discussion of a security mechanism, principle, or concept with a lab exercise. We have you exercise or manipulate the part of the system described, and then examine displays that confirm the expected results. We also have you look for interactions with, and effects on, the rest of the system. This of course results in greatly increased comprehension and retention of the material.

In the lecture-only version, the lab exercises are replaced with brief demonstrations by the instructor.

Additional information:

When this seminar is presented as part of a series with one of our five-day Windows Internals seminars, it may be shortened to two days with labs, due to some overlap in the subject matter.