Unit2 - Subjective Questions
CSC104 • Practice Questions with Detailed Answers
Distinguish between Local User Accounts and Domain User Accounts in the context of Windows User Management.
Local User Accounts and Domain User Accounts serve different scopes of authentication and authorization:
1. Local User Accounts:
- Scope: Restricted to the single computer where they are created.
- Storage: Credentials are stored in the local Security Account Manager (SAM) database.
- Usage: Ideal for standalone home computers or small workgroups.
- Management: Managed via lusrmgr.msc or the Control Panel on the specific machine.
2. Domain User Accounts:
- Scope: Valid across the entire network (domain). The user can log in to any authorized computer in the network.
- Storage: Credentials are stored in the Active Directory (AD) database on a Domain Controller.
- Usage: Standard for enterprise environments to ensure centralized management.
- Management: Managed centrally via Active Directory Users and Computers (ADUC).
Explain the concept of Windows Authentication with a focus on NTLM and Kerberos protocols.
Windows Authentication verifies the identity of a user or service.
NTLM (New Technology LAN Manager):
- A challenge-response authentication protocol.
- Historically used in older Windows systems and workgroup environments.
- Mechanism: The server sends a random challenge, and the client returns a response computed from that challenge and a hash of the user's password (the password itself is never transmitted). It is considered less secure than Kerberos because possession of the stored hash is enough to produce a valid response, which is what Pass-the-Hash attacks exploit.
Kerberos:
- The default authentication protocol for Windows domains (Active Directory).
- Mechanism: It relies on a trusted third party called the Key Distribution Center (KDC). It uses tickets (Ticket-Granting Ticket - TGT) rather than transmitting password hashes.
- Advantages: Mutual authentication (client and server verify each other) and time-stamping to prevent replay attacks.
Compare Share Permissions and NTFS Permissions. How do they interact when both are applied?
Share Permissions:
- Apply only when a user accesses a file or folder over the network (remotely).
- Do not apply to local users logging on to the machine directly.
- Limited granularity: Read, Change, Full Control.
NTFS Permissions:
- Apply to all users, whether they access the file locally or over the network.
- Detailed granularity: Read, Write, Modify, Execute, List Folder Contents, Full Control.
- Stored in the file system ACLs.
Interaction (the "most restrictive wins" rule):
When a user accesses a share over the network, both sets of permissions are evaluated:
- Windows evaluates the Share permissions.
- Windows evaluates the NTFS permissions.
- The effective permission is the more restrictive of the two. For local access, only the NTFS permissions apply.
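The following added example (not part of the original study notes) lists every SMB share with both its share-layer ACL and the NTFS ACL of the backing folder, so the two layers Windows combines can be reviewed side by side. It assumes Windows 8 / Server 2012 or later (SmbShare module), an elevated session, and uses constructed helper names rather than built-in cmdlets.

```powershell
# Added example: show share permissions and NTFS permissions together for every non-administrative share.
# Assumes Windows 8 / Server 2012 or later (SmbShare module) and an elevated session.

function Get-SharePermissionReport {
    # Hidden administrative shares (C$, ADMIN$, IPC$) are skipped; IPC$ has no folder at all.
    Get-SmbShare | Where-Object { -not $_.Special -and $_.Path } | ForEach-Object {
        $share = $_
        $shareAces = Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            [pscustomobject]@{ Layer = 'Share'; Identity = $_.AccountName
                               Type = $_.AccessControlType; Rights = "$($_.AccessRight)" }
        }
        $ntfsAces = (Get-Acl -Path $share.Path).Access | ForEach-Object {
            [pscustomobject]@{ Layer = 'NTFS'; Identity = $_.IdentityReference.Value
                               Type = $_.AccessControlType; Rights = "$($_.FileSystemRights)" }
        }
        [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Entries = @($shareAces) + @($ntfsAces) }
    }
}

# "Everyone: Full" at the share layer is a common weak setting made on the assumption that NTFS will
# restrict access; list those shares so the NTFS layer is verified explicitly rather than assumed.
function Find-EveryoneFullShares {
    Get-SharePermissionReport | Where-Object {
        $_.Entries | Where-Object { $_.Layer -eq 'Share' -and $_.Type -eq 'Allow' -and
                                    $_.Identity -match 'Everyone' -and $_.Rights -eq 'Full' }
    } | Select-Object Share, Path
}

Get-SharePermissionReport | ForEach-Object {
    "`n== $($_.Share) ($($_.Path)) =="
    $_.Entries | Format-Table Layer, Identity, Type, Rights -AutoSize | Out-String
}
'Shares granting Everyone Full Control at the share layer (verify NTFS on each):'
Find-EveryoneFullShares | Format-Table -AutoSize
```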
Define Access Control Lists (ACLs) in Windows and differentiate between DACL and SACL.
An Access Control List (ACL) is a list of Access Control Entries (ACEs) attached to an object (like a file, folder, or printer) that defines the security protections for that object.
1. Discretionary Access Control List (DACL):
- Identifies the users and groups that are allowed or denied access to the object.
- Example: User A has 'Read' access, and User B is 'Denied' access.
- If a DACL is missing, everyone has full access; if it is empty, no one has access.
2. System Access Control List (SACL):
- Used for Auditing purposes.
- It defines which access attempts (Success or Failure) should generate security event logs.
- Example: Log an event whenever User A successfully deletes a file.
Describe the function of User Account Control (UAC) and why it is critical for Windows security.
User Account Control (UAC) is a security feature that prevents unauthorized changes to the operating system.
Key Functions:
- Least Privilege: Even administrators run applications with standard user privileges by default.
- Elevation: When an action requires administrative rights (e.g., installing software, changing system time), UAC prompts the user for confirmation (consent prompt) or credentials (credential prompt).
- Secure Desktop: The UAC prompt dims the screen and creates a secure environment that isolates the prompt from running processes, preventing malware from automatically clicking 'Yes'.
Criticality: It mitigates the impact of malware by ensuring that malicious code cannot make system-wide changes without the user's explicit knowledge and approval.
Explain the role of Windows Defender in a modern Windows environment.
Windows Defender (now part of Microsoft Defender Antivirus) is the built-in anti-malware component of Windows.
Key Roles:
- Real-time Protection: Scans files and programs as they are opened or downloaded to detect malicious activity immediately.
- Cloud-delivered Protection: Uses Microsoft's cloud infrastructure to identify new threats faster than traditional signature updates.
- Tamper Protection: Prevents malicious apps from changing important Windows Defender settings.
- Integration: It works alongside the Windows Firewall and SmartScreen to provide comprehensive endpoint security.
Describe the Windows Firewall and explain the three network profiles associated with it.
Windows Firewall filters network traffic based on rules (IP address, port, protocol) to block unauthorized access while permitting authorized communications.
Network Profiles:
- Domain Profile:
  - Applied when the computer is connected to a network where it can detect a Domain Controller.
  - Usually the least restrictive, as the internal network is trusted.
- Private Profile:
  - Applied to networks designated by the user as private (e.g., Home or Office).
  - Allows network discovery and file sharing.
- Public Profile:
  - Applied to public networks (e.g., coffee shops, airports).
  - Most restrictive: blocks network discovery and remote access to protect the machine from other devices on the untrusted network.
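As an added example (not from the original notes), the script below reports the state of the three firewall profiles, shows which profile each active connection has been assigned, and enforces the default-deny inbound posture on the Public profile. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session; the function names are constructed for this example.

```powershell
# Added example: review the Domain/Private/Public firewall profiles and correct the weak settings
# (profile disabled, or inbound traffic allowed by default) on the untrusted-network profile.

function Get-FirewallProfileSummary {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
        @{ Name = 'Logging'; Expression = { "allowed=$($_.LogAllowed) blocked=$($_.LogBlocked) -> $($_.LogFileName)" } }
}

# Which profile a connection received matters as much as the profile settings: a laptop on airport
# Wi-Fi that was classified as Private gets the Private (discovery-enabled) rule set.
function Get-ActiveProfileAssignment {
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
}

function Set-PublicProfileHardening {
    # Weak state: Enabled = False, or DefaultInboundAction = Allow. Corrected state below.
    Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -NotifyOnListen True -LogBlocked True -LogMaxSizeKilobytes 16384
    # Private should also deny unsolicited inbound traffic by default; explicit allow rules still apply on top.
    Set-NetFirewallProfile -Profile Private -Enabled True -DefaultInboundAction Block
}

# Reclassify an adapter that was mistakenly marked Private so the Public rule set applies.
function Set-ConnectionPublic {
    param([Parameter(Mandatory)][string]$InterfaceAlias)
    Set-NetConnectionProfile -InterfaceAlias $InterfaceAlias -NetworkCategory Public
}

Get-FirewallProfileSummary | Format-Table -AutoSize -Wrap
Get-ActiveProfileAssignment | Format-Table -AutoSize
Set-PublicProfileHardening
```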
Briefly explain the roles of DNS and DHCP in Windows Networking.
1. DNS (Domain Name System):
- Role: Name Resolution.
- It translates human-readable hostnames (e.g., www.google.com or FileServer01) into IP addresses (e.g., 192.168.1.50) that computers use to communicate.
- In Active Directory, DNS is critical for locating Domain Controllers.
2. DHCP (Dynamic Host Configuration Protocol):
- Role: IP Address Management.
- It automatically assigns IP addresses, Subnet Masks, Gateway addresses, and DNS server details to clients on a network.
- This eliminates the need to manually configure IP settings on every device, reducing errors and IP conflicts.
What is the SMB (Server Message Block) protocol, and why is it significant in Windows networking?
SMB (Server Message Block) is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.
Significance:
- File Sharing: It is the primary protocol for mapping network drives and accessing shared folders in Windows.
- IPC: It enables Inter-Process Communication allowing applications to talk to services on other computers.
Security Note: Older versions (SMBv1) are vulnerable to exploits (e.g., WannaCry ransomware) and should be disabled. Modern Windows uses SMBv3 which supports encryption.
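The following added example (not part of the original notes) checks and corrects the two SMB server settings the note above calls out: SMBv1 still enabled, and SMBv3 encryption not in use. It assumes Windows 8 / Server 2012 or later (SmbShare module), an elevated session, and the client-style optional feature name SMB1Protocol (on Server editions the feature is removed through Server Manager instead); the function names are constructed.

```powershell
# Added example: report the SMB server hardening state, then disable SMBv1 and require signing/encryption.

function Get-SmbHardeningState {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled       = $cfg.EnableSMB1Protocol
        Smb2And3Enabled   = $cfg.EnableSMB2Protocol      # SMB2 and SMB3 share one switch
        EncryptData       = $cfg.EncryptData             # SMB3 encryption for all shares
        RejectUnencrypted = $cfg.RejectUnencryptedAccess # refuse clients that cannot encrypt
        SigningRequired   = $cfg.RequireSecuritySignature
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
}

function Invoke-SmbHardening {
    # Turn SMBv1 off in the running server first, then remove the optional feature so that a
    # later configuration change cannot silently bring it back. Feature removal completes on restart.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Require SMB signing and encrypt every share. Encryption needs SMB 3.0+ clients; with
    # RejectUnencryptedAccess set, older clients are refused, so test before a wide rollout.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true `
                               -RejectUnencryptedAccess $true -Force
}

# Encryption can also be applied to a single sensitive share instead of server-wide.
function Enable-ShareEncryption {
    param([Parameter(Mandatory)][string]$ShareName)
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
}

Get-SmbHardeningState | Format-List
# Invoke-SmbHardening   # uncomment after reviewing the state above
```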
Discuss Remote Desktop Protocol (RDP). How does it function and what are the security risks associated with it?
Remote Desktop Protocol (RDP) allows a user to connect to a Windows computer remotely and interact with its graphical user interface as if they were physically present.
Functionality:
- It typically operates on TCP port 3389.
- It transmits screen updates from the host to the client and keyboard/mouse inputs from the client to the host.
Security Risks:
- Brute Force Attacks: Attackers frequently scan the internet for open port 3389 and attempt to guess passwords.
- Vulnerabilities: Unpatched RDP services (e.g., BlueKeep vulnerability) can allow remote code execution.
- Mitigation: Use strong passwords, Network Level Authentication (NLA), VPNs, and prompt patching to secure RDP; changing the default port reduces scanner noise but is not a substitute for those controls.
What is PsExec? Describe its utility in remote administration and its security implications.
PsExec is a command-line tool, part of the Sysinternals suite, that allows administrators to execute processes on remote systems.
Utility:
- It does not require installing client software on the remote target.
- It can run commands as SYSTEM (a higher privilege level than Administrator).
- Syntax example: psexec \\remote-computer cmd.exe opens a command shell on the remote computer.
Security Implications:
- Lateral Movement: It is frequently used by attackers after compromising a network to move from one machine to another.
- Detection: Since it is a legitimate administrative tool, it is often whitelisted by antivirus software (Living off the Land binary), making malicious use harder to detect.
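Even though the PsExec binary itself may be allow-listed, its use leaves a record on the target: PsExec installs a temporary service named PSEXESVC, which the Service Control Manager logs in the System log as event 7045 ("A service was installed in the system"), and a named pipe of the same name exists while a session is live. The added example below (not from the original notes) queries both; it assumes an elevated session on the host being checked, and the function names are constructed.

```powershell
# Added example: defender-side detection of PsExec use on a host via the PSEXESVC service install
# event and the PSEXESVC named pipe.

function Get-PsExecServiceInstalls {
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The 7045 message lists "Service Name:", "Service File Name:" and "Service Account:" on separate lines.
        $name    = if ($_.Message -match 'Service Name:\s*(.+)')      { $Matches[1].Trim() } else { '' }
        $image   = if ($_.Message -match 'Service File Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $account = if ($_.Message -match 'Service Account:\s*(.+)')   { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; ServiceName = $name; ImagePath = $image; Account = $account }
    } | Where-Object { $_.ServiceName -match 'PSEXESVC' -or $_.ImagePath -match 'PSEXESVC' }
}

# A PsExec session that is still running exposes the PSEXESVC named pipe; no extra tooling is needed to see it.
function Test-PsExecPipePresent {
    [bool](Get-ChildItem -Path '\\.\pipe\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '^PSEXESVC' })
}

Get-PsExecServiceInstalls | Format-Table -AutoSize -Wrap
"PSEXESVC pipe present right now: $(Test-PsExecPipePresent)"
```

A renamed service (PsExec's -r option) defeats the name match, so the image path and the account field are also worth reviewing for any unexpected 7045 event.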
Explain the structure and purpose of the Microsoft Management Console (MMC).
Structure:
- Host: MMC (mmc.exe) is a container or framework; it does not perform management functions itself.
- Snap-ins: These are the actual management components (DLLs) added to the console (e.g., Device Manager, Event Viewer, Disk Management).
- Console Tree: The left pane showing the hierarchy of snap-ins.
Purpose:
- It provides a unified interface for system administrators to create custom consoles containing only the specific tools they need.
- Example: An admin can create a .msc file containing only 'Users & Groups' and 'Event Viewer' for a Help Desk staff member.
Describe the Services.msc console and the different Startup Types for a Windows Service.
Services.msc is the management console used to view, start, stop, and configure background services in Windows.
Startup Types:
- Automatic: The service starts immediately when Windows boots.
- Automatic (Delayed Start): The service starts shortly after boot to reduce boot time and disk contention.
- Manual: The service does not start at boot; it starts only when a user or another program triggers it.
- Disabled: The service cannot be started by the system, user, or dependent services.
Security Implication: Disabling unnecessary services reduces the attack surface of the OS.
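As an added example (not from the original notes), the script below lists services that start automatically but whose executable lives outside the Windows directory, the first set an attack-surface review looks at, and shows how to move one to Disabled while checking for services that depend on it. It assumes an elevated session; 'ExampleSvc' and the function names are placeholders.

```powershell
# Added example: find auto-start third-party services and disable one safely.
# Win32_Service is used because it exposes StartMode, the image path and the logon account together.

function Get-AutoStartThirdPartyServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

function Disable-WindowsServiceSafely {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    # A Disabled service cannot be started by dependants either, so surface them before changing anything.
    $running = $svc.DependentServices | Where-Object { $_.Status -eq 'Running' }
    if ($running) { Write-Warning "Running services depend on ${Name}: $($running.Name -join ', ')" }
    Stop-Service -Name $Name -Force
    Set-Service -Name $Name -StartupType Disabled
    Get-Service -Name $Name | Select-Object Name, Status, StartType
}

Get-AutoStartThirdPartyServices | Format-Table -AutoSize -Wrap
# Disable-WindowsServiceSafely -Name 'ExampleSvc'   # placeholder service name
```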
Explain the hierarchy of Group Policy Object (GPO) processing in a Windows Domain environment.
Group Policies allow admins to implement specific configurations for users and computers. They are applied in a specific order known as LSDOU.
Processing Order:
- Local (L): Policies defined on the local machine.
- Site (S): Policies defined at the Active Directory Site level.
- Domain (D): Policies defined at the Domain level.
- Organizational Unit (OU): Policies defined at the OU level.
Precedence Rule:
- The last policy applied wins.
- Therefore, OU policies generally overwrite Domain, Site, and Local policies (unless 'Enforced' or 'Block Inheritance' is used).
Describe the Windows Event Viewer and list the three primary types of logs found in it.
Windows Event Viewer (eventvwr.msc) is a centralized log repository used for monitoring system health, security, and troubleshooting errors.
Primary Log Types:
- Application Log: Contains events logged by applications or programs (e.g., a database error or a crash in a text editor).
- System Log: Contains events logged by Windows system components (e.g., driver failure, startup services errors, network connection issues).
- Security Log: Records security auditing events. It tracks success and failure audits (e.g., valid logins, failed password attempts, file access/deletion). Accessing this log usually requires Admin privileges.
What are Audit Policies in Windows Security? Give examples of events that should be audited.
Audit Policies determine which security events are recorded in the Security Log. They are configured via Group Policy or Local Security Policy (secpol.msc).
Purpose:
To track user activities and system changes for forensic analysis and intrusion detection.
Examples of Auditable Events:
- Audit Logon Events: Tracks when a user logs on or logs off (Success/Failure).
- Audit Object Access: Tracks access to specific files, folders, or registry keys (requires SACL).
- Audit Account Management: Tracks changes to user accounts (creation, deletion, password changes).
- Audit Privilege Use: Tracks when a user exercises a user right (e.g., changing system time).
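The SACL example from the ACL question above, the Security log, and the "Audit Object Access (requires SACL)" entry fit together: a file-access event is written only when the audit policy subcategory is enabled and the object carries a matching SACL entry. The added example below (not from the original notes) configures both for the text's case of logging a successful delete by one user, then queries the resulting events. It assumes an elevated session; the file path, the identity 'CORP\UserA' and the function names are placeholders.

```powershell
# Added example: enable object-access auditing, add a SACL entry, and read back the Security-log events.

$Path     = 'C:\Finance\budget.xlsx'   # placeholder object to audit
$Identity = 'CORP\UserA'               # placeholder account

function Enable-FileSystemAuditing {
    # Audit-policy side: the "File System" subcategory of Audit Object Access, set with auditpol,
    # the built-in tool for per-subcategory settings (Local Security Policy exposes the same switch).
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"File System"
}

function Add-DeleteAuditRule {
    param([string]$Path, [string]$Identity)
    # SACL side: record successful Delete operations by this identity on this object.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList $Identity, 'Delete', 'Success'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl    # writing a SACL requires SeSecurityPrivilege
}

function Get-ObjectAccessEvents {
    param([string]$Path, [int]$Last = 200)
    # Event 4663 ("An attempt was made to access an object") carries the object name and the access mask.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Path) } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

Enable-FileSystemAuditing
Add-DeleteAuditRule -Path $Path -Identity $Identity
# Show the SACL now attached to the object, then any matching events already recorded.
(Get-Acl -Path $Path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
Get-ObjectAccessEvents -Path $Path | Format-Table -AutoSize -Wrap
```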
Explain how Scheduled Tasks work in Windows and how they can be used for persistence by attackers.
Scheduled Tasks (managed via taskschd.msc) allow Windows to run scripts or programs automatically at specific times or in response to specific events (triggers).
Components:
- Trigger: The event that starts the task (e.g., "At 9:00 AM" or "At System Startup").
- Action: The program or script to execute.
- Security Context: The user account under which the task runs (e.g., SYSTEM or specific user).
Security/Persistence Risk:
Attackers often create malicious scheduled tasks to maintain persistence. Even if the malware process is killed or the computer is rebooted, the Scheduled Task will re-execute the malware automatically based on the trigger (e.g., every time the user logs in).
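From the defender's side, the shape described above is what a task review looks for: a logon or startup trigger, a script interpreter or a binary under a user-writable path, and a SYSTEM or foreign security context. The added example below (not from the original notes) enumerates scheduled tasks and flags those that combine two or more of these traits. It assumes Windows 8 / Server 2012 or later (ScheduledTasks module) and an elevated session so tasks owned by other users are visible; the patterns and function name are constructed.

```powershell
# Added example: hunt for scheduled tasks with persistence-like characteristics.

$InterpreterPattern  = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'
$WritablePathPattern = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        # Trigger CIM class names look like MSFT_TaskLogonTrigger; reduce them to Logon, Boot, Daily, ...
        $triggerTypes = @($task.Triggers | ForEach-Object {
            $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', '' })
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute path
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $reasons = @()
            if ($cmd -match $InterpreterPattern)                       { $reasons += 'script interpreter' }
            if ($cmd -match $WritablePathPattern)                      { $reasons += 'user-writable path' }
            if ($triggerTypes -match 'Logon|Boot')                     { $reasons += 'runs at logon/boot' }
            if ($task.Principal.UserId -match 'SYSTEM|S-1-5-18')       { $reasons += 'runs as SYSTEM' }
            if ($task.TaskPath -eq '\')                                { $reasons += 'root of task library' }
            if ($reasons.Count -ge 2) {
                [pscustomobject]@{
                    Task     = "$($task.TaskPath)$($task.TaskName)"
                    RunAs    = $task.Principal.UserId
                    Triggers = ($triggerTypes -join ',')
                    Command  = $cmd
                    LastRun  = $info.LastRunTime
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousScheduledTasks | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Built-in Microsoft tasks live under \Microsoft\..., so a task sitting at the root of the library (the default for tasks created from the command line without a path) is worth a second look.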
Describe the usage of whoami and ipconfig commands for basic reconnaissance.
1. whoami:
- Purpose: Displays user, group, and privileges information for the user who is currently logged on.
- Usage:
  - whoami: Shows domain\username.
  - whoami /priv: Lists the user's security privileges and whether each is enabled (e.g., SeShutdownPrivilege).
  - whoami /groups: Lists the groups the user belongs to.
2. ipconfig:
- Purpose: Displays current TCP/IP network configuration values.
- Usage:
  - ipconfig: Shows the IP address, Subnet Mask, and Default Gateway.
  - ipconfig /all: Detailed view including the MAC address, DHCP server, and DNS servers.
  - ipconfig /flushdns: Clears the DNS resolver cache.
Analyze the utility of netstat and tasklist in identifying suspicious activity on a Windows host.
1. netstat (Network Statistics):
- Displays active TCP connections, listening ports, and routing tables.
- Suspicious Activity: Helps identify if the computer is communicating with known malicious IP addresses or if a backdoor is listening on a specific port.
- Key Command: netstat -ano displays all connections and listening ports (-a), in numeric form (-n), with the owning Process ID (-o) for each entry.
2. tasklist:
- Displays a list of currently running processes on the local or a remote computer.
- Suspicious Activity: Helps identify unknown processes, or legitimate system processes (like svchost.exe) running from the wrong folder or without the expected parent process.
- Correlation: Take the PID found in netstat and look it up in tasklist to see which executable is making the network connection.
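The added example below (not from the original notes) automates the netstat -> PID -> process correlation just described: netstat -ano output is parsed, each ESTABLISHED connection to a non-private address is mapped to its owning process, and the image path is checked, which also catches the "svchost.exe running from the wrong folder" case. Run it elevated so every process path is readable; the function names are constructed.

```powershell
# Added example: correlate external TCP connections with their owning processes and flag odd image paths.

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges, loopback, link-local and IPv6 loopback are treated as internal.
    return ($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|\[::1\])')
}

function Get-ProcessNote {
    param([string]$Name, [string]$Path)
    if (-not $Path) { return 'path unreadable (not elevated?) or process exited' }
    # Core Windows processes always load from System32; a same-named copy elsewhere is a classic masquerade.
    $system32 = Join-Path $env:SystemRoot 'System32'
    if (($Name -in @('svchost', 'lsass', 'csrss', 'winlogon', 'services')) -and
        -not $Path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
        return 'IMAGE PATH OUTSIDE SYSTEM32'
    }
    if ($Path -match '\\Users\\|\\Temp\\|\\AppData\\') { return 'running from a user-writable location' }
    return ''
}

function Get-ExternalConnections {
    # TCP lines of netstat -ano have the shape: Proto  Local  Foreign  State  PID
    netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
        $f = @(($_ -split '\s+') | Where-Object { $_ })
        if ($f.Count -lt 5 -or $f[3] -ne 'ESTABLISHED') { return }
        $remoteIp = $f[2] -replace ':\d+$', ''
        if (Test-PrivateAddress -Ip $remoteIp) { return }
        $owner = [int]$f[4]
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = $f[1]
            Remote  = $f[2]
            PID     = $owner
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path    = $proc.Path
            Note    = Get-ProcessNote -Name $proc.ProcessName -Path $proc.Path
        }
    }
}

Get-ExternalConnections | Sort-Object PID | Format-Table -AutoSize -Wrap
```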
What are Startup Items? Where are they located in the Registry and file system?
Startup Items are programs configured to launch automatically when the operating system boots or a user logs in.
File System Locations:
- User specific: C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- System wide: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Registry Locations (Common):
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Current User)
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Local Machine - All Users)
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Security: These locations are prime targets for malware persistence.
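The added example below (not from the original notes) enumerates exactly the startup locations listed above, the Run/RunOnce keys for the current user and the machine plus both Startup folders, into one table, resolving .lnk shortcuts to their real targets, and then lists the entries a reviewer would check first. It assumes an elevated session so the HKLM keys are fully readable; the function names and review patterns are constructed.

```powershell
# Added example: inventory the documented startup locations and flag entries worth reviewing.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),  # current user
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')   # all users
)

function Get-StartupItems {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PS* bookkeeping properties; every other property is "value name = command".
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($item in Get-ChildItem -Path $folder -File -Force | Where-Object { $_.Name -ne 'desktop.ini' }) {
            # Resolve shortcuts so the real target is shown rather than only the .lnk name.
            $cmd = if ($item.Extension -eq '.lnk') {
                (New-Object -ComObject WScript.Shell).CreateShortcut($item.FullName).TargetPath
            } else { $item.FullName }
            [pscustomobject]@{ Source = $folder; Name = $item.Name; Command = $cmd }
        }
    }
}

# Entries that run from a user-writable location or go through a script host are reviewed first.
function Find-SuspiciousStartupItems {
    Get-StartupItems | Where-Object {
        $_.Command -match '\\AppData\\|\\Temp\\|\\Users\\Public\\' -or
        $_.Command -match 'powershell|wscript|cscript|mshta|rundll32|regsvr32|cmd\.exe'
    }
}

Get-StartupItems | Format-Table -AutoSize -Wrap
'--- entries to review first ---'
Find-SuspiciousStartupItems | Format-Table -AutoSize -Wrap
```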