# Module 7: The Windows Operating System
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts, definitions and examples of each module. At the end of (almost) each part, you will find a link to related online flashcards.
:::
### 7.1 Windows History
#### **7.1.1 Disk Operating System (DOS)**
- **Definition**: DOS was the foundational operating system used to manage early storage devices like floppy disks and hard drives.
- **Role of MS-DOS**:
  - Allowed basic file and program management using command-line inputs.
  - Early versions of Windows (1.0) ran as a GUI over MS-DOS.
- **Commands Overview**:
| **MS-DOS Command** | **Description** |
|-----------------------|----------------------------------------------------------------------------------------------|
| **dir** | Shows a listing of all the files in the current directory (folder). |
| **cd directory** | Changes the directory to the indicated directory. |
| **cd ..** | Changes the directory to the directory above the current directory. |
| **cd\\** | Changes the directory to the root directory (often C:). |
| **copy source destination** | Copies files to another location. |
| **del filename** | Deletes one or more files. |
| **find** | Searches for text in files. |
| **mkdir directory** | Creates a new directory. |
| **ren oldname newname** | Renames a file. |
| **help** | Displays all the commands that can be used, with a brief description. |
| **help command** | Displays extensive help for the indicated command. |
---
#### **7.1.2 Windows Versions**
- **Development Overview**:
  - Transition from MS-DOS-based Windows to NT (New Technology) OS.
  - NT brought multi-user support, enhanced security, and 64-bit architecture.
- **Notable Features**:
  - **Windows XP**: First with a 64-bit edition.
  - **Windows 7, 8, and 10**: Offered multiple editions tailored to business and consumer needs.
  - **Windows 10**: Introduced as a service with continuous updates.
- **Editions Overview**:
  - Example: Windows 10 has editions like Home, Pro, Enterprise, etc.
| **OS** | **Versions** |
|---------------------------|--------------------------------------------------------------------------------------------------|
| **Windows 7** | Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate |
| **Windows Server 2008 R2** | Foundation, Standard, Enterprise, Datacenter, Web Server, HPC Server, Itanium-Based Systems |
| **Windows Home Server 2011** | None |
| **Windows 8** | Windows 8, Windows 8 Pro, Windows 8 Enterprise, Windows RT |
| **Windows Server 2012** | Foundation, Essentials, Standard, Datacenter |
| **Windows 8.1** | Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise, Windows RT 8.1 |
| **Windows Server 2012 R2** | Foundation, Essentials, Standard, Datacenter |
| **Windows 10** | Home, Pro, Pro Education, Enterprise, Education, IoT Core, Mobile, Mobile Enterprise |
| **Windows Server 2016** | Essentials, Standard, Datacenter, Multipoint Premium Server, Storage Server, Hyper-V Server |
---
#### **7.1.3 Windows Graphical User Interface (GUI)**
- **Core Features**:
  - **Desktop**: Main workspace with customizable background, icons (e.g., Recycle Bin).
  - **Task Bar**: Includes:
    - **Start Menu**: Access programs/settings.
    - **Quick Launch Icons**: Shortcuts for frequent programs.
    - **Notification Area**: Displays system alerts (e.g., network status, email).
  - **Context Menus**: Right-click options for quick actions like copy, delete, or print.
---
#### **7.1.4 Operating System Vulnerabilities**
- **Definition**: Flaws in OS or software that attackers can exploit.
- **Common Security Recommendations**:
  - **Virus Protection**: Enable Windows Defender or other antivirus tools.
  - **Firewall**: Periodically review rules in Windows Firewall to prevent unnecessary access.
  - **Permissions**: Avoid granting "Full Control" to the "Everyone" group.
  - **Passwords**: Use strong, unique passwords for all accounts.
  - **Login Best Practices**: Avoid logging in as an administrator for daily tasks; use a standard user account.
>[!Warning]Recap
>The first computers required a Disk Operating System (DOS) to create and manage files. Microsoft developed MS-DOS as a command-line interface (CLI) to access the disk drive and load the operating system files. Early versions of Windows consisted of a Graphical User Interface (GUI) that ran over MS-DOS. Modern Windows versions, however, are in direct control of the computer and its hardware and support multiple user processes, which is very different from the single-process, single-user MS-DOS. Since 1993, there have been more than 20 releases of Windows based on the NT operating system. Users work with data files and software through the Windows GUI. The GUI has a main area known as the Desktop and a Task Bar situated below the desktop. The Task Bar includes the Start menu, quick launch icons, and a notification area. Windows has many vulnerabilities. Recommendations to secure the Windows OS include use of virus or malware protection, strong passwords, a firewall, and limited use of the administrator account, among others.
### 7.2 Windows Architecture and Operations
---
#### **7.2.1 Hardware Abstraction Layer**
**Definition**: The Hardware Abstraction Layer (HAL) is software that isolates the operating system kernel from hardware differences. It facilitates communication between hardware and the kernel, which is the core of the OS.
- **Kernel**: Handles input/output requests, memory, and peripherals.
- **Hardware**: HAL minimizes the dependency of the kernel on specific hardware.

---
#### **7.2.2 User Mode and Kernel Mode**
**User Mode**:
- Runs installed applications.
- Restricted access to hardware and memory; requests go through the OS.
- Errors in user mode crash only the specific application, not the system.
**Kernel Mode**:
- Runs OS code and critical drivers.
- Unrestricted access to hardware and memory.
- Crashes in kernel mode stop the entire system.
**Key Notes**:
- User mode code has isolated memory spaces.
- Kernel mode code shares memory spaces and is not isolated, which can lead to OS crashes if drivers malfunction.
---
#### **7.2.3 Windows File Systems**
| **File System** | **Key Features** |
|-------------------|---------------------------------------------------------------------------------------------------|
| **exFAT** | Simple system, supports large files, used on flash storage. |
| **HFS+** | Used by macOS, supports large filenames and file sizes. Windows can only read HFS+ with software. |
| **EXT** | Used by Linux, requires software for Windows compatibility. |
| **NTFS** | Most commonly used for Windows. Supports large files, security features, encryption, and timestamps. |
**NTFS Structure**:
- **Partition Boot Sector**: Holds the location of the Master File Table (MFT).
- **Master File Table (MFT)**: Tracks files and directories.
- **System Files**: Hidden files storing volume attributes.
- **File Area**: Space for storing files and directories.
---
#### **7.2.4 Alternate Data Streams (ADS)**
**Definition**: NTFS supports additional data streams, where hidden data can be stored alongside files.
- Example: `Testfile.txt:ADS` refers to an alternate data stream named `ADS` attached to `Testfile.txt`.
- Commands to identify ADS:
  - `dir` (basic view, does not show ADS).
  - `dir /r` (shows ADS attached to files).
```cmd
C:\ADS> echo "Alternate Data Here" > Testfile.txt:ADS
C:\ADS> dir
 Volume in drive C is Windows
 Volume Serial Number is A606-CB1B

 Directory of C:\ADS

2020-04-28  04:01 PM    <DIR>          .
2020-04-28  04:01 PM    <DIR>          ..
2020-04-28  04:01 PM                 0 Testfile.txt
               1 File(s)              0 bytes
               2 Dir(s)  43,509,571,584 bytes free
C:\ADS> more < Testfile.txt:ADS
"Alternate Data Here"
C:\ADS> dir /r
 Volume in drive C is Windows
 Volume Serial Number is A606-CB1B

 Directory of C:\ADS

2020-04-28  04:01 PM    <DIR>          .
2020-04-28  04:01 PM    <DIR>          ..
2020-04-28  04:01 PM                 0 Testfile.txt
                                    24 Testfile.txt:ADS:$DATA
               1 File(s)              0 bytes
               2 Dir(s)  43,509,624,832 bytes free
C:\ADS>
```
- **Use Case**: While useful for legitimate purposes, ADS can hide malware.
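An added detection example (not part of the course material): a Python parser for `dir /r` listings like the one above that pulls out every named alternate stream and separates the well-known `Zone.Identifier` mark-of-the-web stream from streams that deserve a closer look. The sample listing is constructed from the session shown above plus one downloaded `setup.exe`.

```python
import re
import sys
from typing import List, NamedTuple

# Constructed sample of `dir /r` output: the listing from the session above
# plus a downloaded setup.exe carrying the Zone.Identifier stream that
# browsers add (Mark-of-the-Web). Not taken from the original page.
SAMPLE_DIR_R = """\
 Volume in drive C is Windows
 Volume Serial Number is A606-CB1B

 Directory of C:\\ADS

2020-04-28  04:01 PM    <DIR>          .
2020-04-28  04:01 PM    <DIR>          ..
2020-04-28  04:01 PM                 0 Testfile.txt
                                    24 Testfile.txt:ADS:$DATA
2020-04-28  04:05 PM            131072 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         131072 bytes
               2 Dir(s)  43,509,624,832 bytes free
"""

# Stream names that Windows itself creates for legitimate reasons.
KNOWN_BENIGN_STREAMS = {"Zone.Identifier"}

# `dir /r` prints a named stream as "<size> <file>:<stream>:$DATA" with no
# date column; the unnamed default stream is never listed this way.
STREAM_LINE = re.compile(r"^\s*(\d[\d,]*)\s+(.+?):([^:\\/]+):\$DATA\s*$")


class Stream(NamedTuple):
    file: str
    name: str
    size: int
    suspicious: bool


def parse_dir_r(listing: str) -> List[Stream]:
    """Return every alternate data stream found in a `dir /r` listing."""
    streams = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        file_name, stream_name = m.group(2), m.group(3)
        streams.append(Stream(file_name, stream_name, size,
                              stream_name not in KNOWN_BENIGN_STREAMS))
    return streams


def suspicious_streams(listing: str) -> List[Stream]:
    """Streams worth inspecting: anything not in the known-benign set."""
    return [s for s in parse_dir_r(listing) if s.suspicious]


if __name__ == "__main__":
    # On Windows: dir /r /s C:\some\path | python ads_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIR_R
    for s in suspicious_streams(text):
        print(f"{s.file}:{s.name}  ({s.size} bytes)")
```

On Windows the same stream information is also available directly from PowerShell with `Get-Item -Path <file> -Stream *`.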
---
#### **7.2.5 Windows Boot Process**

| **Step** | **Action** |
|----------------------------|---------------------------------------------------------------------------------------------------|
| **BIOS/UEFI Initialization** | Initializes hardware and performs Power-On Self-Test (POST). |
| **Boot Manager (Bootmgr.exe)** | Switches system to protected mode and reads the Boot Configuration Database (BCD). |
| **Winresume.exe** | Resumes the system from hibernation using `Hiberfil.sys`. |
| **Winload.exe** | Loads hardware configuration, validates drivers, and starts the kernel (Ntoskrnl.exe). |
| **Kernel Initialization** | Sets up the Hardware Abstraction Layer (HAL) and Session Manager Subsystem (SMSS) to enable user login. |
---
#### **7.2.6 Windows Startup**
| **Registry Hive** | **Function** |
|---------------------------|---------------------------------------------------------------------------------------------------|
| **HKEY_LOCAL_MACHINE** | Stores global settings for all users, including services that start at boot. |
| **HKEY_CURRENT_USER** | Stores user-specific settings for services that start at login. |
**Msconfig Tool**:
- **General**: Normal, Diagnostic, or Selective startup.
- **Boot**: Select OS or safe boot options.
- **Services**: Manage services that start at boot.
- **Startup**: Enable/disable startup applications via Task Manager.
- **Tools**: Access common system utilities.
---
#### **7.2.7 Windows Shutdown**
**Options**:
- **Shutdown**: Powers off the computer.
- **Restart**: Restarts the system.
- **Hibernate**: Saves the system state to disk for faster recovery.
**Shutdown Process**:
1. Closes user mode applications.
2. Shuts down kernel processes.
3. Displays notifications for unresponsive applications.
---
#### **7.2.8 Processes, Threads, and Services**
- **Process**: A program in execution.
- **Thread**: The smallest executable unit within a process.
- **Services**: Background programs supporting OS or applications.
**Task Manager**: Used to monitor processes and threads.
**Windows Services Panel**: Configure services, start/stop them, or change startup behavior.
---
#### **7.2.9 Memory Allocation and Handles**
- **Virtual Address Space**: A process's set of addresses.
  - 32-bit: Supports up to 4 GB of virtual memory.
  - 64-bit: Supports up to 8 TB of virtual memory.
- **Handles**: Allow user mode processes to access kernel resources indirectly.
- **RAMMap Tool**: Visualizes memory allocation for kernel, processes, and applications.
---
#### **7.2.10 The Windows Registry**
**Definition**: A hierarchical database storing hardware, application, and system settings.
| **Hive** | **Purpose** |
|------------------------|-----------------------------------------------------------------------------------------------|
| **HKEY_CURRENT_USER** | Current logged-in user settings. |
| **HKEY_USERS** | All user account settings. |
| **HKEY_CLASSES_ROOT** | OLE and file association settings. |
| **HKEY_LOCAL_MACHINE** | System-wide settings. |
| **HKEY_CURRENT_CONFIG**| Hardware profile of the current session. |
**Editing Tool**: `regedit.exe`
- Value types:
  - **REG_BINARY**: Numbers or Boolean values.
  - **REG_DWORD**: Raw data or numbers greater than 32 bits.
  - **REG_SZ**: Strings.
**Security Note**: Monitor application startup keys to detect malicious entries, such as hidden malware or keyloggers. The registry also stores activity history, useful for forensic investigations.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/3-2-12-check-your-understanding-identify-the-windows-registry-hive-answers.html).
:::
>[!Warning]Recap
>Windows consists of a hardware abstraction layer (HAL) that is software that handles all of the communication between the hardware and the kernel. The kernel has control over the entire computer and handles input and output requests, memory, and all of the peripherals connected to the computer. Windows operates in two different modes. The first is user mode. Most Windows programs run in user mode. The second is kernel mode. It allows operating system code direct access to the computer hardware. Windows supports several different file systems, but NTFS is the most widely used. NTFS volumes include the partition boot sector, master file table, system files, and the file area. When a computer boots, it first accesses system information and code that is stored in BIOS hardware. The BIOS boot code performs a system self-test called POST, locates and loads the Windows OS, and loads other associated programs to start the operating system. Windows should always be shut down properly.
>
>A computer works by storing instructions in RAM until the CPU processes them. Each process in a 32-bit Windows computer supports a virtual address space that enables addressing up to 4 gigabytes. Each process in a 64-bit Windows computer supports a virtual address space of up to 8 terabytes. Windows stores all of the information about hardware, applications, users, and system settings in a large database known as the registry. The registry is a hierarchical database: the highest level is known as a hive; below that are keys, followed by subkeys. There are five registry hives that contain data regarding the configuration and operation of Windows. There are hundreds of keys and subkeys.
### 7.3 Windows Configuration and Monitoring
---
#### **7.3.1 Run as Administrator**
**Purpose**: Prevent malware or unauthorized applications from gaining administrative access by default.
**Methods**:
1. **Run as Administrator**
   - Right-click a file in File Explorer.
   - Select **Run as Administrator** from the Context Menu.
2. **Administrator Command Prompt**
   - Search for `cmd.exe` or PowerShell.
   - Right-click the program and choose **Run as Administrator**.
   - All commands executed in this session will have admin privileges.
---
#### **7.3.2 Local Users and Domains**
**Local Users**:
- A local user account is created during Windows installation; each account stores user-specific settings, files, and permissions.
**Default Accounts**:
- **Administrator**: Disabled by default; should remain disabled unless absolutely necessary.
- **Guest**: No password, limited permissions, and also disabled by default.
**User Groups**:
- Groups assign specific permissions to users.
- A user can belong to multiple groups.
- Group permissions (e.g., “deny”) override individual permissions.
- Managed via `lusrmgr.msc`.
**Domains**:
- Centralized control of users, groups, and security settings through domain controllers (DCs).
- Users and computers must authenticate with DCs to access network resources.
---
#### **7.3.3 CLI and PowerShell**
**CLI (Command Line Interface)**:
- Used for file system navigation and script execution.
- Access via `cmd.exe`.
- Commands are case-insensitive. Use `/` for options and `Tab` for auto-complete.
**PowerShell**:
- Advanced scripting and task automation.
- Commands include:
  - **Cmdlets**: Perform actions and return outputs.
  - **Scripts**: `.ps1` files containing PowerShell commands.
  - **Functions**: Pieces of code that can be referenced in a script.
- Example: Use `Get-Help <command>` for command details.
---
#### **7.3.4 Windows Management Instrumentation (WMI)**
**Purpose**: Manage remote computers and monitor system health.
**Access**:
- Open **Computer Management** via Administrative Tools.
- Expand **Services and Applications** > Right-click **WMI Control** > Select **Properties**.
**Tabs in WMI Control Properties**:
1. **General**: Summary of local computer and WMI.
2. **Backup/Restore**: Manual backup of gathered statistics.
3. **Security**: Manage access to WMI statistics.
4. **Advanced**: Configure default namespaces for WMI.
**Security Note**: Limit WMI access, as it can be exploited for remote attacks.
---
#### **7.3.5 The `net` Command**
**Purpose**: Manage system resources from the command line.
| **Command** | **Description** |
|-------------------|-------------------------------------------------------------------|
| `net accounts` | Set password and logon requirements. |
| `net session` | List or disconnect network sessions. |
| `net share` | Manage shared network resources. |
| `net start` | Start network services or list running ones. |
| `net stop` | Stop network services. |
| `net use` | Manage connections to shared resources. |
| `net view` | Display computers and devices on the network. |
---
#### **7.3.6 Task Manager and Resource Monitor**
**Task Manager**:
- **Access**: Right-click the Taskbar or press `Ctrl+Shift+Esc`.
| **Tab** | **Purpose** |
|------------------|---------------------------------------------------------------------------------------------------|
| **Processes** | Lists running processes and their resource usage. |
| **Performance** | CPU, memory, disk, and network performance overview. |
| **App History** | Tracks resource usage by applications over time. |
| **Startup** | Manage programs and services that launch on startup. |
| **Users** | Displays logged-in users and their resource usage. |
| **Details** | Advanced process management (e.g., priority, CPU affinity). |
| **Services** | Lists system services, their status (Running/Stopped), and allows service management. |
**Resource Monitor**:
- Provides detailed statistics about resource usage across the system.
| **Tab** | **Details** |
|-------------------|--------------------------------------------------------------------------------------------------|
| **Overview** | General usage of resources (CPU, Memory, Disk, Network). |
| **CPU** | Displays process IDs (PIDs), thread count, and CPU usage. |
| **Memory** | Tracks memory usage for each process. |
| **Disk** | Tracks disk read/write operations for processes. |
| **Network** | Displays active TCP connections, listening ports, and process-specific network usage. |
---
#### **7.3.7 Networking**
**Network and Sharing Center**:
- Configure and troubleshoot network connections.
- Access by searching for **Network and Sharing Center**.
**Adapter Configuration**:
1. Choose **Change adapter settings**.
2. Right-click adapter > **Properties**.
3. Configure **IPv4** or **IPv6**:
   - Choose **Obtain address automatically** (DHCP) or manually set IP, subnet, gateway, and DNS.
**Commands**:
- `nslookup <hostname>`: Test DNS functionality.
- `netstat`: Show active network connections and open ports.
---
#### **7.3.8 Accessing Network Resources**
**Server Message Block (SMB)**:
- Share files and folders using Universal Naming Convention (UNC) paths:
  `\\servername\sharename\file`.
- Special Administrative Shares:
  - `C$`, `D$`, `admin$`, `print$`.
**Remote Desktop Protocol (RDP)**:
- Access remote computers for troubleshooting or configuration.
- **Security Note**: Limit RDP exposure and implement strict access controls.
---
#### **7.3.9 Windows Server**
**Purpose**: Provide services in a networked environment.
| **Service Type** | **Examples** |
|-------------------------|--------------------------------------------------|
| **Network Services** | DNS, DHCP, Hyper-V, Network Controller. |
| **File Services** | SMB, NFS, DFS. |
| **Web Services** | FTP, HTTP, HTTPS. |
| **Management** | Group Policy, Active Directory domain services. |
>[!Warning]Recap
>For security reasons, it is not advisable to log on to Windows using the Administrator account or an account with administrative privileges. Do not give standard users administrative privileges. Do not enable the Guest account unless the computer is going to be used by many different people who do not have accounts. Use Windows groups to make administration of users easier. Local users and groups are managed with the lusrmgr.msc control panel applet.
>
>You can use the CLI or the Windows PowerShell to execute commands. PowerShell can be used to create scripts to automate tasks that the regular CLI is unable to automate. Windows Management Instrumentation (WMI) is used to manage remote computers. The net command can be combined with switches to focus on specific output. Task Manager provides a lot of information about what is running, and the general performance of the computer. The Resource Monitor provides more detailed information about resource usage. The Network and Sharing Center is used to configure Windows networking properties and test networking settings. The Server Message Block (SMB) protocol is used to share network resources such as files on remote hosts. The Universal Naming Convention (UNC) format is used to connect to resources. Windows Server is an edition of Windows that is mainly used in data centers. It provides network, file, web, and management services to a Windows network or domain.
### 7.4 Windows Security
---
#### **7.4.1 The `netstat` Command**
**Purpose**: Monitor active TCP connections to detect suspicious or unauthorized communication.
**Usage**:
- Basic: `netstat` — Displays all active TCP connections.
- Advanced: `netstat -abno` — Lists connections, listening ports, associated processes, and their PIDs (Process IDs).
- **Example Output**:
| **Protocol** | **Local Address** | **Foreign Address** | **State** | **PID** |
|--------------|-------------------|---------------------|---------------|---------|
| TCP | 0.0.0.0:80 | 0.0.0.0:0 | LISTENING | 4 |
**Analysis**:
1. Match suspicious PIDs to processes using Task Manager.
2. Right-click column headers in Task Manager and enable the **PID** column to locate the specific process.
3. Stop processes if necessary and use malware removal tools for cleanup.
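An added example (not part of the course): a Python parser for `netstat -abno` output that carries out the analysis steps above offline, mapping each PID to its process image and listing listening sockets that are not on an allowlist of expected ports. The sample output is constructed; port 5555 and `unknownsvc.exe` are made-up placeholders for an unexpected listener.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `netstat -abno` output (not from the original page).
# With -b, each socket line is followed by the owning executable in square
# brackets, optionally preceded by a service component name, or by "Can not
# obtain ownership information" for sockets owned by the System process.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       6120
 [unknownsvc.exe]
  TCP    192.168.1.20:49712     203.0.113.9:443        ESTABLISHED     3380
 [msedge.exe]
  UDP    0.0.0.0:5353           *:*                                    2210
 [chrome.exe]
"""

# UDP lines carry no State column, so that group is optional.
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    executable: str | None = None  # None when netstat could not resolve the owner
    components: list[str] = field(default_factory=list)  # e.g. service names

    @property
    def local_port(self) -> int:
        return int(self.local.rsplit(":", 1)[1])


def parse_netstat(output: str) -> list[Socket]:
    """Parse `netstat -abno` text into Socket records with their owners."""
    sockets: list[Socket] = []
    current: Socket | None = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active Connections", "Proto")):
            continue
        m = SOCKET_LINE.match(raw)
        if m:
            proto, local, foreign, state, pid = m.groups()
            current = Socket(proto, local, foreign, state or "", int(pid))
            sockets.append(current)
        elif current is not None:  # ownership lines belong to the last socket
            if line.startswith("[") and line.endswith("]"):
                current.executable = line[1:-1]
            elif line.startswith("Can not obtain"):
                current.executable = None
            else:
                current.components.append(line)
    return sockets


def owners_by_pid(sockets: list[Socket]) -> dict[int, str]:
    """Step 1 of the analysis above: map each PID to its process image."""
    return {s.pid: s.executable or "(unresolved)" for s in sockets}


def listeners_to_review(sockets: list[Socket],
                        expected: set[tuple[str, int]]) -> list[Socket]:
    """Listening sockets whose (proto, port) is not on the allowlist."""
    return [s for s in sockets
            if (s.proto == "UDP" or s.state == "LISTENING")
            and (s.proto, s.local_port) not in expected]
```

Anything returned by `listeners_to_review` is a candidate for step 3 above: confirm the image path in Task Manager's Details tab before stopping it.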
---
#### **7.4.2 Event Viewer**
**Purpose**: Review logs for troubleshooting, security, and system management.
**Access**:
- Search for **Event Viewer** in the Start menu.
**Log Categories**:
1. **Windows Logs**: Application, security, setup, and system events.
2. **Application and Services Logs**: Specific application events.
**Event Levels**:
- **Information**: Normal operations.
- **Warning**: Potential issues.
- **Error**: System issues requiring attention.
- **Critical**: Severe problems causing system failure.
**Features**:
- **Custom Views**: Filter events by level, time, or source.
- **Built-in View**: Administrative Events aggregates critical, error, and warning logs for quick analysis.
---
#### **7.4.3 Windows Update Management**
**Purpose**: Ensure system security and stability through patches and updates.
**Key Points**:
- **Update Types**: Security patches, critical updates, and service packs.
- **Configuration**:
  - Access **Windows Update** via search.
  - Set **Active Hours** to avoid automatic restarts during work hours.
  - Configure **Advanced Options** for update scheduling.
- **Manual Checks**: Use **Check for Updates** to verify and install updates.
- **Restart Options**: Define when the system should restart after updates.
---
#### **7.4.4 Local Security Policy**
**Purpose**: Secure stand-alone systems with configurable policies.
**Access**:
- Search for **Local Security Policy**.
**Key Policies**:
1. **Password Policy**:
   - Define complexity requirements and expiration rules.
2. **Account Lockout Policy**:
   - Limit login attempts to deter brute force attacks.
   - Example: Lock account after 5 incorrect attempts for 30 minutes.
3. **Idle Locking**:
   - Require a screensaver password after inactivity.
**Export/Import Policies**:
- Use the **Export Policy** feature to replicate security settings across systems.
**Advanced Features**:
- Configure **User Rights**, **Firewall Rules**, and **AppLocker** to restrict application execution.
---
#### **7.4.5 Windows Defender**
**Purpose**: Protect systems against malware, including viruses, spyware, and phishing attempts.
**Features**:
- **Real-Time Protection**: Monitors threats continuously.
- **Manual Scans**: Perform on-demand scans for deeper inspection.
- **Update Tab**: Keep malware definitions up to date.
- **History Tab**: Review logs of past detections.
**Types of Protection**:
- Antivirus, adware, phishing, and spyware detection.
- Warns users about unsafe programs or websites.
**Note**: Run only one active antimalware program to avoid conflicts.
---
#### **7.4.6 Windows Defender Firewall**
**Purpose**: Manage network traffic by restricting or allowing communication through specific ports.
**Access**:
- Navigate to **Control Panel > System and Security > Windows Defender Firewall**.
**Configuration**:
1. **Allow App Access**: Enable trusted programs through the firewall.
2. **Disable Firewall**: Only if using a third-party firewall.
   - **Steps**: Choose **Turn Windows Firewall On/Off**.
**Advanced Settings**:
- Create inbound and outbound traffic rules based on criteria such as IP, port, or application.
- Import/export firewall configurations for consistency across systems.
**Security Policies**:
- Default to **restrictive mode**, where only explicitly permitted traffic is allowed.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/3-4-7-check-your-understanding-identify-the-windows-tool-answers.html).
:::
>[!Warning]Recap
>Malware can open communication ports to communicate and spread. The Windows netstat command displays all open communication ports on a computer and can also display the software processes that are associated with the ports. This enables unknown, potentially malicious software to be identified and shut down. Windows Event Viewer provides access to numerous logged events regarding the operation of a computer. Windows logs both Windows events and application and service events. Logged events have severity levels of information, warning, error, or critical. It is very important to keep Windows up to date to guard against new security threats. Software patches, updates, and service packs address security vulnerabilities as they are discovered. Windows should be configured to automatically download and install updates as they become available. Windows can be configured to only install updates and restart the computer at specified times of day.