3+Windows_Security_Intro_Win7

The document outlines the basic security configurations and practices for Windows Operating Systems as part of the Air Force Association's CyberPatriot program. It covers topics such as local firewalls, security policies, user accounts, and performance monitoring, providing guidelines for securing the OS against threats. Key objectives include understanding OS configurations, recognizing threats, and applying security measures effectively.

Air Force Association’s CyberPatriot
The National High School Cyber Defense Competition

Windows Operating Systems: Basic Security
Module 3
Objectives

Explain Windows Operating System (OS) common configurations
Recognize OS-related threats
Apply major steps in securing the OS
Windows Operating System

History of Versions
Control Panel Components
Local Firewall
Local Security Policies
Users and Groups
Permissions and Rights
Tools
Checklist
History of Windows Versions

Figure: Windows family tree (image not included in this extract)
http://en.wikipedia.org/wiki/File:Windows_Family_Tree.svg
Control Panel

The Control Panel is where system changes and configurations can be made for the Windows operating system.
Click Start -> Control Panel
Action Center

Windows Action Center can help enhance your computer's security by checking the status of several security essentials on your computer, including firewall settings, Windows automatic updating, anti-malware software settings, Internet security settings, and User Account Control settings.
Click Start -> Control Panel -> System and Security -> Action Center
Windows Firewall – General Tab

Firewalls are designed to prevent unauthorized access to a system. They can be implemented via hardware or software.
A firewall is essential to security and should always be turned ‘on’. To do so, click Start -> Control Panel -> System and Security -> Windows Firewall.
Find the link in the left-hand column that says Turn Windows Firewall on or off.
Windows Firewall – General Tab

You will then have the option of turning the firewall ‘on’ or ‘off’ for different types of networks: Home, Work, and Public.
Firewalls should be turned ‘on’ for each of these networks, especially for Public, as it is the most insecure of the three.
You can also select Display a notification when Windows Firewall blocks a program to be notified.
Windows Firewall – Exceptions Tab

You can allow unsolicited requests to connect to a program on your computer.
Be more specific about where the request is allowed to initiate from.
Click Start -> Control Panel -> System and Security -> Windows Firewall -> Allow a program through Windows Firewall
Click Change Settings
Windows Firewall – Exception Examples

File and Printer Sharing
  Allows you to share the contents of selected folders and locally attached printers with other computers
Remote Assistance
  Allows a user to temporarily control a remote Windows computer over a network or the Internet to resolve issues
Remote Desktop
  Allows older Windows platforms to remotely connect to a computer running Windows XP
UPnP Framework
  Allows "plug-and-play" devices to connect to a network and automatically establish working configurations with other devices
Windows Firewall – Advanced Settings

Click Start -> Control Panel -> System and Security -> Windows Firewall -> Advanced Settings
Inbound Rules – Set policy to govern incoming traffic
Outbound Rules – Set policy to govern outgoing traffic
Connection Security Rules – Set general connection security policy
Monitoring – Set policy to log and display notifications for blocked programs
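The firewall settings walked through on the preceding slides can be audited and enforced from a script as well as from the Control Panel. The following PowerShell is an added example written for this page; it is not part of the CyberPatriot deck. It uses netsh advfirewall rather than the NetSecurity cmdlets so that it runs on Windows 7, assumes English netsh output labels ("State", "Firewall Policy", "LogDroppedConnections"), and must be run from an elevated prompt. On Windows 7 the "Home" and "Work" network types both map to the Private profile.

```powershell
# Added example (not from the CyberPatriot deck): inspect and enforce the Windows
# Firewall profile settings described above. Uses netsh advfirewall, which exists on
# Windows 7, so it works without the NetSecurity cmdlets of later versions.
# Run from an elevated PowerShell prompt.

function Get-FirewallProfileState {
    # Parse "netsh advfirewall show allprofiles" into one object per profile.
    # Assumed English labels: "<Name> Profile Settings:", "State",
    # "Firewall Policy", "LogDroppedConnections".
    $profiles = @()
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = New-Object PSObject -Property @{
                Profile = $Matches[1]; State = ''; Policy = ''; LogDropped = ''
            }
            $profiles += $current
        } elseif ($current -ne $null -and $line -match '^State\s+(\S+)') {
            $current.State = $Matches[1]
        } elseif ($current -ne $null -and $line -match '^Firewall Policy\s+(\S+)') {
            $current.Policy = $Matches[1]
        } elseif ($current -ne $null -and $line -match '^LogDroppedConnections\s+(\S+)') {
            $current.LogDropped = $Matches[1]
        }
    }
    return $profiles
}

function Test-FirewallBaseline {
    # Baseline: profile ON, unsolicited inbound traffic blocked by default, and
    # dropped connections logged so blocked programs can be reviewed later.
    foreach ($p in Get-FirewallProfileState) {
        $ok = ($p.State -eq 'ON') -and ($p.Policy -like 'BlockInbound*') -and ($p.LogDropped -eq 'Enable')
        New-Object PSObject -Property @{
            Profile = $p.Profile; State = $p.State; Policy = $p.Policy
            LogDropped = $p.LogDropped; Compliant = $ok
        }
    }
}

function Set-FirewallBaseline {
    # Same effect as choosing "On" for every network type in
    # "Turn Windows Firewall on or off", plus logging of dropped connections.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
}

# Usage: review first, then enforce and re-check.
Test-FirewallBaseline | Format-Table Profile, State, Policy, LogDropped, Compliant -AutoSize
# Set-FirewallBaseline; Test-FirewallBaseline | Format-Table -AutoSize
```

The Compliant column is false for any profile that is off, that allows inbound traffic by default, or that does not log drops; the dropped-connection log is what makes the "Monitoring" node in Advanced Settings useful after the fact.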
Automatic Updates

It is important to keep your computer updated to protect it from the latest threats.
You can set Windows to update automatically by going to Control Panel -> System and Security -> Windows Update -> Turn automatic updating on or off
Administrative Tools

Administrative Tools is where you define your policies and monitor system activity.
Click Start -> Control Panel -> System and Security -> Administrative Tools
Administrative Tools

Local Security Policy – view and edit group policy settings
  Group Policy is a set of rules which control the working environment of user accounts and computer accounts
Event Viewer – records application, security, and system events
Services – lists all services available on the system and their status
Local Security Policies

Local Security Policies enforce standards amongst the organization to strengthen its security posture as a whole
Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Local Security Policy
Password policy
  Defining and enforcing strong password policies for an organization can help prevent attackers from impersonating users and help prevent the loss, exposure, or corruption of sensitive information
Account lockout policy
  Disables a user account if an incorrect password is entered a specified number of times over a specified period
Audit policies
  Monitoring the creation or modification of objects gives a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach
Local Security Policies

Define a strong password policy
  Enforce password history – set to “5”. A user cannot reuse a recent password when their password expires.
  Maximum password age – default is "42". This specifies how long a user can use the same password. After 42 days, the user must change his/her password. Set to “90” for user accounts and “30” for administrators.
  Minimum password length – set to "8". This means that a password must be at least 8 characters long.
  Password must meet complexity requirements – set to "Enabled". This means a password must include upper and lower case letters, a number and a special character.
  Store password using reversible encryption for all users in the domain – always leave "Disabled". If you enable this policy, all users' passwords will be easy to crack.
Local Security Policies

Define an account lockout policy
  These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on your network.
  Account lockout duration – the number of minutes a locked-out account remains locked out before automatically becoming unlocked
  Account lockout threshold – the number of failed logon attempts that causes a user account to be locked out
  Reset account lockout counter after – the number of minutes that must elapse before the failed logon attempt counter is reset to 0
  Be careful not to set these too low. If users lock themselves out by mistyping their passwords, this creates more work for your organization.
Local Security Policies

Define audit policies
  Audit policies must be set and enabled for logs to be available in the Event Viewer
  Audit account logon events – enable to prevent random hacks or stolen passwords
  Audit object access – enable to prevent improper access to sensitive files
  Audit process tracking – enable to monitor attempts to modify program files to help detect virus outbreaks
  Account management – enable to see if an account name has changed, an account has been enabled or disabled, created or deleted, a password has been changed, or a user group has been changed
Local Security Policies

  Directory service access – enable to track accesses to an Active Directory® directory service object that has its own system access control list (SACL)
  Logon events – enable to see when someone has logged on to or off the computer
  Privilege use – enable to see when someone exercises a user right
  Policy change – enable to see attempts to change local security policies, user rights assignments, auditing policies, or trust policies
  System events – enable to see when someone has shut down or restarted the computer, or when a process or program tries to do something it does not have permission to do
Local Security Policies

Security Setting
  Success setting generates an event when the requested action succeeds
  Failure setting generates an event when the requested action fails
  No Auditing does not generate an event for the associated action
Local Security Policies

Windows XP grants the "Everyone" account the ability to access your computer over the network
Remove "Everyone" Access to Your Computer
  By deleting the Everyone account, you gain more control over who can access your XP system
  To remove access to your computer by the Everyone account:
  Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Local Security Policy
  In the Security Settings tree, click Local Policies -> User Rights Assignment
  In the right pane, double click the setting for Access this computer from the network
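The password policy, account lockout policy and "Access this computer from the network" settings described on the slides above can all be read from one export of the local security policy. The PowerShell below is an added example for this page, not code from the CyberPatriot deck: it exports the policy with secedit, flattens the .inf file into a lookup table, and compares the values against the slides' recommendations (history 5, maximum age 90 days, length 8, complexity enabled, reversible encryption disabled, a lockout threshold set, and no Everyone in the network logon right). The thresholds are the slides' numbers rather than Microsoft defaults, the temporary file path is an assumption, and the script needs an elevated prompt.

```powershell
# Added example (not from the CyberPatriot deck): export the local security policy with
# secedit and check it against the password, lockout and user-rights guidance above.
# Run from an elevated prompt; works on Windows 7 (PowerShell 2.0) and later.

function Get-LocalSecurityPolicy {
    # Export to a temporary .inf and flatten it into a hashtable keyed
    # "Section\Setting", e.g. "System Access\MinimumPasswordLength".
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch location
    secedit /export /cfg $inf | Out-Null
    $settings = @{}
    $section = ''
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $settings["$section\$($Matches[1])"] = $Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $settings
}

function Test-LocalSecurityPolicy {
    $p = Get-LocalSecurityPolicy
    # Each check: exported setting, expectation in words, predicate on the value.
    $checks = @(
        @{ Key = 'System Access\PasswordHistorySize';   Want = 'at least 5';      Ok = { param($v) [int]$v -ge 5 } },
        @{ Key = 'System Access\MaximumPasswordAge';    Want = '1 to 90 days';   Ok = { param($v) [int]$v -ge 1 -and [int]$v -le 90 } },
        @{ Key = 'System Access\MinimumPasswordLength'; Want = 'at least 8';     Ok = { param($v) [int]$v -ge 8 } },
        @{ Key = 'System Access\PasswordComplexity';    Want = '1 (enabled)';    Ok = { param($v) [int]$v -eq 1 } },
        @{ Key = 'System Access\ClearTextPassword';     Want = '0 (disabled)';   Ok = { param($v) [int]$v -eq 0 } },
        @{ Key = 'System Access\LockoutBadCount';       Want = 'greater than 0'; Ok = { param($v) [int]$v -gt 0 } }
    )
    foreach ($c in $checks) {
        $value = $p[$c.Key]
        $pass = $false
        if ($value -ne $null) { $pass = & $c.Ok $value }
        New-Object PSObject -Property @{ Setting = $c.Key; Value = $value; Expected = $c.Want; Pass = $pass }
    }
    # "Access this computer from the network": Everyone is the well-known SID S-1-1-0.
    $netLogon = $p['Privilege Rights\SeNetworkLogonRight']
    New-Object PSObject -Property @{
        Setting  = 'Privilege Rights\SeNetworkLogonRight'
        Value    = $netLogon
        Expected = 'does not contain *S-1-1-0 (Everyone)'
        Pass     = ($netLogon -ne $null) -and ($netLogon -notmatch '\*S-1-1-0(,|$)')
    }
}

Test-LocalSecurityPolicy | Format-Table Setting, Value, Expected, Pass -AutoSize
```

A MaximumPasswordAge of -1 in the export means "never expires" and fails the age check. LockoutDuration and ResetLockoutCount only appear in the export once LockoutBadCount is greater than 0, which is why the script checks the threshold first; choose those two values with the slide's warning about locking out users in mind.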
Event Viewer

Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Event Viewer
Displays logs that capture events occurring on the system
These logs are based on the policies you have created and/or enabled (local security policy, audit policies, etc.)
Log sources are provided for the Windows operating system and for Windows applications respectively
Three log sources under ‘Windows Logs’: System, Application and Security
Event Viewer

Application log – events logged by programs
Security log – any successful or unsuccessful logon attempts
System log – events logged by system components (e.g., a driver fails to load during startup)
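The audit policies on the earlier slides only produce Security log entries once they are enabled, and the Event Viewer is where those entries land. The PowerShell below is an added example for this page, not code from the CyberPatriot deck. It enables the audit subcategories that correspond to the slides' audit policies with auditpol, then reads the Security log with Get-WinEvent and summarises failed logons (event ID 4625) by account and source, and lists account lockouts (event ID 4740). The English auditpol subcategory names and the 24-hour window are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the CyberPatriot deck): enable the audit subcategories that
# back the slide's audit policies, then verify they produce Security log events.
# Run from an elevated prompt on Windows 7 or later.

function Enable-BaselineAuditing {
    # Success and failure for each subcategory; names are the English auditpol names.
    $subcategories = @(
        'Logon', 'Logoff', 'Account Lockout',                     # logon events
        'User Account Management', 'Security Group Management',  # account management
        'Process Creation',                                      # process tracking
        'File System',                                           # object access (files also need SACLs)
        'Audit Policy Change',                                   # policy change
        'Sensitive Privilege Use',                               # privilege use
        'Security State Change'                                  # system events
    )
    foreach ($s in $subcategories) {
        auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
}

function Get-AuditPolicy {
    # Full listing for review; "No Auditing" lines are the gaps.
    auditpol /get /category:*
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24)
    # Group failed logons (4625) by account and source address so repeated
    # attempts against one account stand out.
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            User = $data['TargetUserName']; Source = $data['IpAddress']; LogonType = $data['LogonType']
        }
    }
    $rows | Group-Object User, Source | Sort-Object Count -Descending | Select-Object Count, Name
}

function Get-RecentLockouts {
    param([int]$Hours = 24)
    # Account lockouts (4740) are the visible result of the lockout policy above.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Enable-BaselineAuditing
Get-AuditPolicy
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
```

Get-WinEvent reports an error rather than an empty result when no matching events exist, which the -ErrorAction SilentlyContinue absorbs; an empty summary right after enabling auditing is therefore expected until new logons occur. Object access auditing additionally requires a SACL on each file or folder to be watched.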
Services

Services are programs that run invisibly in the background on a system (e.g., RemoteAccess, DHCP, Spooler, etc.)
They load and run whether or not anyone logs into the system
To view all available services:
Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Services
Services

Services are configured by Startup Type
  Automatic – service starts automatically when the system starts or when the service is called for the first time
  Manual – service must be started manually before it can be loaded by the operating system and made available for use
  Disabled – cannot be started automatically or manually
Services

Disable unnecessary services
  Turning off unnecessary services can greatly reduce your exploit risk, while improving system performance
  IIS – web server capabilities
  NetMeeting Remote Desktop Sharing – VoIP
  Remote Desktop Help Session Manager
  Remote Registry – allows remote users to edit the registry
  Routing and Remote Access – allows the system to be used as a router
  Simple File Sharing
  SSDP Discovery Service – plug and play
  Telnet – allows remote users to log on
  Universal Plug and Play Device Host – installation of plug and play devices
  Windows Messenger Service – not necessary to use Windows instant messenger; allows the ‘net send’ command to be used
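The service list above names services by display name; a script needs the short service names, and the Startup Type concept from the previous slide is what it changes. The PowerShell below is an added example for this page, not code from the CyberPatriot deck. The mapping of display names to short names (for example Remote Registry to RemoteRegistry, Telnet to TlntSvr, IIS to W3SVC) is an assumption drawn from common Windows installations; services that are not installed on the machine are reported as such and skipped. It also lists every service set to Automatic so the rest of the autostart set can be reviewed. Run from an elevated prompt.

```powershell
# Added example (not from the CyberPatriot deck): report and disable the services the
# slide lists, and list everything else that autostarts for review.
# Short service names are assumed mappings of the slide's display names.

$UnnecessaryServices = @{
    'W3SVC'          = 'IIS (World Wide Web Publishing Service)'
    'RemoteRegistry' = 'Remote Registry'
    'RemoteAccess'   = 'Routing and Remote Access'
    'SSDPSRV'        = 'SSDP Discovery Service'
    'upnphost'       = 'Universal Plug and Play Device Host'
    'TlntSvr'        = 'Telnet'
    'Messenger'      = 'Windows Messenger Service (Windows XP)'
}

function Get-ServiceExposure {
    # One row per listed service: installed, current state, Startup Type.
    foreach ($name in $UnnecessaryServices.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        $state = 'n/a'; $mode = 'n/a'
        if ($svc) { $state = $svc.State; $mode = $svc.StartMode }
        New-Object PSObject -Property @{
            Name        = $name
            Description = $UnnecessaryServices[$name]
            Installed   = ($svc -ne $null)
            State       = $state
            StartMode   = $mode
        }
    }
}

function Disable-UnnecessaryServices {
    # Stop each installed service and set Startup Type to Disabled, so it can be
    # started neither automatically nor manually (the "Disabled" type above).
    foreach ($name in $UnnecessaryServices.Keys) {
        if (Get-WmiObject Win32_Service -Filter "Name='$name'") {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

function Get-AutoStartServices {
    # Everything with Startup Type Automatic: the list to review for other
    # services the machine does not need.
    Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, PathName
}

Get-ServiceExposure | Format-Table Name, Installed, State, StartMode, Description -AutoSize
Get-AutoStartServices | Format-Table -AutoSize
# Disable-UnnecessaryServices   # uncomment after reviewing the report
```

Win32_Service is used instead of Get-Service because on Windows 7 Get-Service does not expose the Startup Type; StartMode reports it as Auto, Manual or Disabled.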
Performance Monitoring

Performance monitoring
  Viewing performance data for the system, both in real time and from log files
  Obtain information about hardware, software, and system components, and monitor security events on a local or remote computer
  Allows you to see what processes may be over-utilizing resources or not functioning properly
  Monitor processes to see if unknown programs are running
  Identify and diagnose the source of current system problems, or help you predict potential system problems
Performance Monitoring

Task Manager will show programs, services, and processes currently running on the system
The Applications Tab
  Allows you to see all programs currently running
  Allows you to select a program and terminate it
  Right click on the Menu Bar -> Click Task Manager -> Applications Tab to see applications and their current status
Performance Monitoring

Task Manager functions
  Show programs, services, and processes currently running on the system
  Show network activity and resource utilization
  Terminate processes, etc.
  Set process priorities
  A common target for malware
  Some malware processes (rootkits) will prevent themselves from being listed in the Task Manager, making them harder to detect
  Right click on the Menu Bar -> Click Task Manager
Performance Monitoring

The Processes Tab
  Shows all processes running; also shows the owner, CPU usage and memory usage of each process
  Allows you to sort processes based on name, user, CPU or memory usage
  Right click on the Menu Bar -> Click Task Manager -> Processes Tab
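The Processes tab shows name, owner and resource use, and the previous slide notes that some malware hides from the Task Manager listing. The PowerShell below is an added example for this page, not code from the CyberPatriot deck. It builds the same inventory from WMI, adds the image path and its Authenticode signature state, and compares two independent process enumerations (WMI and Get-Process) so that a process present in one listing but not the other shows up as a discrepancy. Flagging images under Temp, AppData or Downloads as worth a second look is an assumed heuristic, not a verdict.

```powershell
# Added example (not from the CyberPatriot deck): process inventory with owner, path
# and signature state, plus a cross-check of two process listings.

function Get-ProcessInventory {
    foreach ($p in Get-WmiObject Win32_Process) {
        $owner = 'unknown'
        try {
            $o = $p.GetOwner()
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }
        $signed = 'n/a'
        if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
            # Valid / NotSigned / HashMismatch etc. from the file's Authenticode signature
            $signed = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        }
        # Assumed heuristic: user-writable locations deserve a closer look.
        $review = [bool]($p.ExecutablePath -and ($p.ExecutablePath -match '\\(Temp|AppData|Downloads)\\'))
        New-Object PSObject -Property @{
            Pid = $p.ProcessId; Name = $p.Name; Owner = $owner
            Path = $p.ExecutablePath; Signature = $signed; ReviewPath = $review
        }
    }
}

function Compare-ProcessViews {
    # PIDs seen by WMI but not by Get-Process, or the reverse. A process that
    # starts or exits between the two calls explains a one-off gap; a gap that
    # persists across repeated runs does not.
    $wmi = @(Get-WmiObject Win32_Process | ForEach-Object { $_.ProcessId })
    $api = @(Get-Process | ForEach-Object { $_.Id })
    Compare-Object $wmi $api | ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'WMI only' } else { 'Get-Process only' }
        New-Object PSObject -Property @{ Pid = $_.InputObject; SeenBy = $side }
    }
}

Get-ProcessInventory | Sort-Object Signature, Name |
    Format-Table Pid, Name, Owner, Signature, ReviewPath, Path -AutoSize
Compare-ProcessViews | Format-Table -AutoSize
```

Running without elevation leaves the owner and path of other users' processes empty; run elevated for a complete view. Unsigned Microsoft binaries are normal on Windows 7, so sort on Signature and Path together rather than treating NotSigned alone as a finding.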
Performance Monitoring

Performance tab
  Monitor performance and resources
  Overall statistics for system usage
  CPU usage
  Memory usage
  Right click on the Menu Bar -> Click Task Manager -> Performance Tab
The Networking tab
  Shows wired and wireless activity in a chart format (network adapter activity)
  Right click on the Menu Bar -> Click Task Manager -> Networking Tab
Performance Monitoring

Users tab
  Shows all users currently logged into the system
  Users can be disconnected and/or logged off via this tab
  Right click on the Menu Bar -> Click Task Manager -> Users Tab
Performance Monitoring

Sysinternals
  A third-party tool that helps manage, troubleshoot and diagnose Windows systems and applications
  http://technet.microsoft.com/en-us/sysinternals
  Tools can be run live from the Internet
  http://live.sysinternals.com
  File and disk utilities
  Networking utilities
  Process utilities
  Security utilities
  System information utilities
Performance Monitoring

Example – Process Monitor utility
  Monitors real-time file system, Windows registry, process, thread and DLL activity
  Shows the process name, what the process is doing (operation), the result and details
User Accounts

Local Users and Groups limit the ability of users and groups to perform certain actions by assigning them rights and permissions
User accounts
  A collection of information that tells Windows what files a user can access and what changes a user can make
  Allow multiple users to share a computer, but still have their own files and settings
  Each user accesses their user account with a user name and password
Administrator account
  Can change security settings, install software and hardware, and access all files on the computer, including making changes to other user accounts
User and Group Account Permissions

Permissions are customizable by individual user or by a group of users
  Full Control – all file permissions granted (administrator level)
  Modify – permission to change content but not ownership of files; cannot delete files or folders
  Read & Execute – allows or denies the user reading and executing files
  List Folder Contents – allows or denies the user viewing file names
  Read – allows or denies the user viewing the attributes of a file or folder
  Write – applies only to files and allows or denies the user making changes to the file and overwriting existing content (NTFS permission)
User and Group Account Permissions

Inherited permissions
  If an object’s permissions are shaded, the object has inherited permissions from the parent object
  Three ways to make changes to inherited permissions:
  Make the changes to the parent object, and then the object will inherit these permissions
  Select the opposite permission (Allow or Deny) to override the inherited permission
  Clear the "Inherit from parent the permission entries that apply to child objects" check box
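The permission levels and the three ways of handling inherited permissions on the two slides above map directly onto the NTFS access control list. The PowerShell below is an added example for this page, not code from the CyberPatriot deck. Get-FolderPermissionReport lists each access control entry with its rights and whether it is inherited (the shaded entries in the Security tab) and flags broad Allow grants (Everyone, Users or Authenticated Users with Write, Modify or Full Control). Disable-InheritanceKeepingCopies is the third option above, clearing inheritance while keeping copies of the inherited entries, and Deny-EveryoneWrite is the second option, an explicit Deny that overrides an inherited Allow. The folder path C:\Shared is an assumption.

```powershell
# Added example (not from the CyberPatriot deck): review NTFS permissions on a folder,
# show inherited vs explicit entries, and apply two of the inheritance changes above.

function Get-FolderPermissionReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $rights = [string]$ace.FileSystemRights
        # Assumed rule of thumb: broad principals with write-class rights are worth review.
        $broad = ($ace.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$') -and
                 ($ace.AccessControlType -eq 'Allow') -and
                 ($rights -match 'FullControl|Modify|Write')
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $rights
            Inherited = $ace.IsInherited      # shaded in the Security tab
            Broad     = $broad
        }
    }
}

function Disable-InheritanceKeepingCopies {
    param([string]$Path)
    # SetAccessRuleProtection($true, $true): stop inheriting from the parent and
    # convert the inherited entries into explicit copies, so nothing is lost.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
}

function Deny-EveryoneWrite {
    param([string]$Path)
    # An explicit Deny beats an inherited Allow. Note that Everyone includes
    # administrators too, so scope such a rule deliberately.
    $acl = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Get-FolderPermissionReport -Path 'C:\Shared' |
    Format-Table Identity, Type, Rights, Inherited, Broad -AutoSize
# Disable-InheritanceKeepingCopies -Path 'C:\Shared'
# Deny-EveryoneWrite -Path 'C:\Shared'
```

Run the report before and after a change: after Disable-InheritanceKeepingCopies the same entries appear with Inherited set to False, which is the point at which editing them on the object itself becomes possible.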
Account Permissions Best Practices

User accounts settings
  Limit Administrative Privileges
  Make sure user accounts are set to ‘limited’
  Do not give ‘full control’ as that equals Administrator access
  Running as Administrator may allow malicious software to gain access
  Make sure all accounts have passwords
  Disable Guest account
Administrator account
  Change password – the Administrator account has a default or no password upon initial installation
  Obfuscate the account – change its name
  Don’t use the account
  Websites have default passwords published
  http://www.phenoelit-us.org/dpl/dpl.html
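The account practices above (every account has a password, Guest disabled, the built-in Administrator renamed and left unused, administrative privileges limited) can be checked and applied from a script. The PowerShell below is an added example for this page, not code from the CyberPatriot deck. It uses WMI and ADSI so it runs on Windows 7 without the newer LocalAccounts module, identifies the built-in Administrator by its SID suffix (-500) rather than its name, and lists who is in the local Administrators group. The replacement administrator name is an assumption; run from an elevated prompt.

```powershell
# Added example (not from the CyberPatriot deck): inventory local accounts against the
# account practices above and apply the Guest and Administrator changes.

function Get-LocalAccountReport {
    foreach ($u in Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'") {
        $isBuiltinAdmin = $u.SID -like '*-500'   # built-in Administrator keeps RID 500 when renamed
        $findings = @()
        if (-not $u.PasswordRequired) { $findings += 'no password required' }
        if ($u.Name -eq 'Guest' -and -not $u.Disabled) { $findings += 'Guest enabled' }
        if ($isBuiltinAdmin -and $u.Name -eq 'Administrator') { $findings += 'built-in Administrator not renamed' }
        if ($isBuiltinAdmin -and -not $u.Disabled) { $findings += 'built-in Administrator enabled' }
        New-Object PSObject -Property @{
            Name = $u.Name; Disabled = $u.Disabled; PasswordRequired = $u.PasswordRequired
            BuiltinAdmin = $isBuiltinAdmin; Findings = ($findings -join '; ')
        }
    }
}

function Get-LocalAdministrators {
    # Members of the local Administrators group: keep this list short.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Set-LocalAccountBaseline {
    param([string]$NewAdminName = 'localadm-renamed')   # assumed replacement name
    # Disable Guest and rename the built-in Administrator (found by SID, not name).
    net user Guest /active:no | Out-Null
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $_.SID -like '*-500' }
    if ($admin -and $admin.Name -eq 'Administrator') {
        $acct = [ADSI]"WinNT://$env:COMPUTERNAME/$($admin.Name),user"
        $acct.psbase.Rename($NewAdminName)
    }
}

Get-LocalAccountReport | Format-Table Name, Disabled, PasswordRequired, BuiltinAdmin, Findings -AutoSize
Get-LocalAdministrators
# Set-LocalAccountBaseline   # uncomment after reviewing the report
```

Renaming does not change the account's SID, which is why the report keys on the SID suffix; a renamed Administrator still shows BuiltinAdmin as True and is what the "Obfuscate the account" item intends. Changing the Administrator password itself is done interactively (net user with a prompt) rather than in a script where the value would be written down.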
Local vs. Domain Accounts

Local account
  Username and encrypted password are stored on the computer itself
  Permissions apply only to this computer
Domain account
  Resides on a Domain Controller
    A server that manages access to a set of network resources such as print servers, applications, etc.
  A user can log into the domain controller and is given permissions to all network resources
  Username and password are stored on a domain controller rather than on each computer the user accesses
  Permissions apply to a network of computers and peripherals
  Network administrators only have one place to store user information
Tools

Microsoft Baseline Security Analyzer (MBSA)
  Free vulnerability assessment tool for the Microsoft platform
  Helps with the assessment phase of an overall security management strategy for legacy platforms and products
  Can perform local or remote scans of Windows systems
  Checks for:
    Insecure security settings
    Windows administrative vulnerabilities
    Weak passwords
    IIS and SQL administrative vulnerabilities
  To download the latest version go to http://technet.microsoft.com/en-us/security/cc184923
Tools

Microsoft Update
  Creates an inventory of applicable and installed security updates and service packs on each computer
  Configures the hierarchy for weekly scanning of all computers to identify security update compliance levels
  Integrates software update management features of Windows and Microsoft Update with the existing SMS 2003 Software Update Management feature. This means you can now take advantage of a single tool for Windows, Office, SQL Server, Exchange updates, etc.
  An automated task obtains the latest catalog of updates
  Creates reports to help monitor software update compliance and distribution status
  Located in the Control Panel, or Click Start -> All Programs -> Windows Update
First Steps to Securing a Machine

Install the operating system and components (such as hardware drivers, system services, and so on).
Install Service Packs and Windows Updates.
Update installed applications (Adobe Reader, Flash, etc.).
Install anti-virus/anti-spyware utilities and scan for malware.
Configure critical operating system parameters (such as password policy, access control, audit policy, kernel mode driver configuration, and so on).
Take ownership of files that have become inaccessible.
Configure and monitor the security and auditing logs.
When it is clean and secure, back up the system and create a restore point.
Checklist

Disable unnecessary services
Disable dangerous features
Employ email security practices
Install and maintain malware protection software
Patch more than just the OS
Research and test updates
Use a desktop firewall
Look for alternatives to default applications
References

http://technet.microsoft.com/
http://www.sans.org/score/checklists/ID_Windows.pdf
http://en.wikipedia.org/wiki/File:Windows_Family_Tree.svg
http://technet.microsoft.com/en-us/library/cc875811.aspx
http://help.artaro.eu/index.php/windows-xp/essential-administration-xp/local-security-policy-xp.html
http://www.phenoelit-us.org/dpl/dpl.html
http://www.techrepublic.com/blog/security/10-services-to-turn-off-in-ms-windows-xp/354