Back to Subject
Practice MCQ Subjective

Unit 2 - Notes

CSC104

Unit 2: Windows Security, User Management, and Networking

1. User Accounts and Group Management

Local vs. Domain Accounts

  • SAM (Security Account Manager): A database file (C:\Windows\System32\config\SAM) that stores local user accounts and password hashes. These accounts exist only on the specific machine.
  • Active Directory (AD): Centralized management where user accounts exist on a Domain Controller. These users can log in to any machine joined to the domain.

Security Identifiers (SID)

Every account and group is assigned a unique alphanumeric string called a SID. Windows uses SIDs, not usernames, to control access.

  • Structure: S-1-5-21-<DomainID>-<RelativeID>
  • Common SIDs:
    • ...-500: The built-in Administrator.
    • ...-501: The Guest account.

User Account Types

  1. Administrator: Full control over the computer; can change security settings, install software, and access all files.
  2. Standard User: Can use most software and change system settings that do not affect other users or the security of the computer.
  3. Guest: Limited access; usually disabled by default for security.
  4. System Accounts:
    • LocalSystem: High privilege, used by OS services.
    • NetworkService / LocalService: Limited privilege accounts for background services.

Group Management

Groups allow administrators to apply permissions to multiple users simultaneously.

  • Administrators: Members have complete and unrestricted access.
  • Users: Members are prevented from making accidental or intentional system-wide changes.
  • Remote Desktop Users: Members are allowed to log on remotely.

2. Authentication Methods

NTLM (New Technology LAN Manager)

A legacy challenge-response authentication protocol.

  • Mechanism: The server sends a random challenge; the client encrypts it with their password hash and returns it.
  • Security Risk: Susceptible to "Pass-the-Hash" attacks; generally used only for local authentication or when Kerberos is unavailable.

Kerberos

The default authentication protocol for Active Directory environments.

  • Mechanism: Uses "Tickets" issued by a Key Distribution Center (KDC/Domain Controller). Mutual authentication (client verifies server, server verifies client).
  • Time Sensitivity: Relies heavily on time synchronization between client and server (Time skew usually < 5 mins).

Windows Hello (Biometrics)

  • Replaces passwords with strong two-factor authentication.
  • Uses a PIN, facial recognition, or fingerprint. Credentials are stored in the TPM (Trusted Platform Module) hardware, not sent over the network.

3. Permissions and Access Control

ACLs (Access Control Lists)

Every object (file, folder, printer) in Windows has an ACL.

  1. DACL (Discretionary Access Control List): Determines who can access the object and what they can do (Read, Write, Full Control).
  2. SACL (System Access Control List): Determines which access attempts are audited (logged) in the Security Event Log.

NTFS Permissions

Applied at the file system level. They apply whether the user accesses the file locally or over the network.

  • Full Control: Modify, add, move, delete, and change permissions.
  • Modify: View, modify, add, and delete. Cannot change permissions.
  • Read & Execute: Run programs and scripts, view file contents.
  • List Folder Contents: See names of files/subfolders.
  • Read: View file contents only.
  • Write: Write to the file (save changes).

Permission Rules

  • Inheritance: By default, files/subfolders inherit permissions from their parent folder.
  • Explicit vs. Inherited: Explicit permissions (set directly on the object) take precedence over inherited ones.
  • Cumulative: If a user is in "Group A" (Read) and "Group B" (Write), they get Read + Write.
  • Deny Trumps Allow: An explicit "Deny" permission overrides any "Allow" permission.

4. Built-in Security Tools

Windows Defender (Microsoft Defender Antivirus)

  • Real-time Protection: Scans files as they are opened, downloaded, or copied.
  • Cloud-delivered protection: Uses Microsoft cloud data to identify new threats instantly.
  • Tamper Protection: Prevents malicious apps from changing Defender settings.

User Account Control (UAC)

A fundamental security component that runs most users (even Admins) with standard privileges until administrative rights are explicitly required.

  • Prompt: The "Dimmed desktop" (Secure Desktop) prevents software from automatically clicking "Yes."
  • Goal: Mitigates the impact of malware by preventing silent installation or system-wide changes.

Windows Firewall (Windows Defender Firewall)

A host-based stateful firewall filtering traffic based on rules.

  • Inbound Rules: Control traffic trying to enter the computer (e.g., Block Port 80).
  • Outbound Rules: Control traffic leaving the computer (e.g., Block malware calling home).
  • Network Profiles:
    • Domain: Connected to a corporate DC (Least restrictive).
    • Private: Home/Trusted network (Network discovery on).
    • Public: Coffee shop/Airport (Most restrictive, discovery off).

5. Windows Networking Basics

Core Configuration

  • IP Address: Unique identifier on the network (IPv4: 192.168.1.5).
  • Subnet Mask: Defines the size of the network (255.255.255.0).
  • Default Gateway: The router IP used to communicate outside the local network.

DNS (Domain Name System)

  • Translates human-readable names (www.google.com) into IP addresses.
  • Hosts File: Located at C:\Windows\System32\drivers\etc\hosts. Checked before querying a DNS server.

DHCP (Dynamic Host Configuration Protocol)

  • Automatically assigns IP addresses, subnet masks, gateways, and DNS servers to clients, preventing IP conflicts.

NetBIOS and LLMNR

  • NetBIOS: Legacy protocol for local network file sharing and name resolution.
  • LLMNR (Link-Local Multicast Name Resolution): Protocol used to resolve names on a local subnet when DNS fails.
  • Security Note: Both are vulnerable to spoofing attacks (LLMNR/NBT-NS Poisoning).

SMB (Server Message Block)

  • Application-layer network protocol used for file sharing, printer sharing, and inter-process communication.
  • Ports: TCP 445 (Direct TCP), TCP 139 (NetBIOS over TCP/IP).
  • Versions: SMBv1 is insecure (WannaCry ransomware vector) and should be disabled. SMBv3 is the current standard with encryption.

6. Shared Resources and Remote Access

Shared Resource Management

  • Share Permissions vs. NTFS Permissions:
    • Share permissions only apply when accessing over the network.
    • NTFS permissions always apply.
    • Rule: The most restrictive permission applies when combining Share and NTFS.
  • Administrative Shares: Hidden shares created by the system, suffixed with $.
    • C$: The root of the C drive.
    • ADMIN$: The Windows directory (used during remote administration).
    • IPC$: Inter-Process Communication (used for null sessions/authentication).

Remote Desktop Protocol (RDP)

  • Port: TCP 3389.
  • Allows a graphical user interface (GUI) connection to a remote computer.
  • Requires the "Remote Desktop Users" group membership.

PsExec (Sysinternals)

  • A lightweight telnet-replacement that lets you execute processes on other systems.
  • Does not require client software installation.
  • Often used by admins for deployment and by attackers for lateral movement.
  • Syntax: psexec \\remote-computer -u user -p password cmd.exe

7. Windows Administrative Tools

MMC (Microsoft Management Console)

  • A framework that hosts administrative tools called "snap-ins."
  • Custom consoles can be created (e.g., combining Device Manager, Event Viewer, and Disk Management in one view).

Services (services.msc)

Manages background processes.

  • Startup Types:
    • Automatic: Starts when Windows boots.
    • Automatic (Delayed): Starts shortly after boot to improve login speed.
    • Manual: Starts only when triggered by a user or application.
    • Disabled: Cannot start.

Group Policy Editor (gpedit.msc)

  • Used to configure settings for computers and users.
  • Local Group Policy (LGPO): Applies to the single computer.
  • Group Policy Objects (GPO): Used in Active Directory to push policies to thousands of machines.
  • Examples: Disabling USB drives, enforcing password complexity, setting wallpaper.

Task Scheduler and Startup

  • Task Scheduler: Automates scripts or programs based on triggers (time, logon, event ID).
  • Startup Items:
    • Folder: shell:startup
    • Registry Run Keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Managed via Task Manager -> Startup tab.

8. Incident Analysis and Auditing

Windows Event Logs (Event Viewer)

Three main logs located in C:\Windows\System32\winevt\Logs:

  1. System: Events from Windows components (drivers, boot processes).
  2. Application: Events logged by applications (crashes, errors).
  3. Security: Auditing events (logins, privilege use).

Key Security Event IDs

  • 4624: Successful Logon.
  • 4625: Failed Logon (Brute force indicator).
  • 4720: User Account Created.
  • 4672: Special Privileges Assigned (Administrator logon).
  • 1102: Audit Log Cleared (Suspicious activity).

Audit Policies

  • configured in secpol.msc (Local Security Policy).
  • Must be enabled to generate logs in the Security Event Viewer.
  • Categories: Audit Logon Events, Audit Object Access, Audit Privilege Use.

9. Enumeration and Reconnaissance (CLI Tools)

Basic command-line tools used for troubleshooting and initial system reconnaissance.

User & Privilege Enumeration

  • whoami: Displays current user and domain.
    • whoami /priv: Shows current privileges.
    • whoami /groups: Shows group memberships.
  • net user: Lists all user accounts.
    • net user <username>: Details about a specific user (last logon, password expiry).
  • net localgroup: Lists groups.
    • net localgroup administrators: Shows who is an admin.

Network Enumeration

  • ipconfig /all: Detailed IP, MAC address, DNS, and DHCP info.
  • netstat: Network statistics.
    • netstat -an: Show all connections and listening ports numerically.
    • netstat -b: Show the executable involved in the connection (requires Admin).
    • netstat -r: Displays the routing table.
  • arp -a: Displays the ARP cache (mapping IP addresses to MAC addresses).

Process and System Enumeration

  • tasklist: Displays all running processes and their Process IDs (PIDs).
    • tasklist /svc: Maps processes to the services hosting them.
  • systeminfo: Comprehensive system details (OS version, Hotfixes/Patches installed, Boot time).
  • wmic: Windows Management Instrumentation Command-line (powerful query tool).
    • wmic product get name,version: Lists installed software.