Windows

avatar
Created by
EarlyHorse17571

Cards (48)

  • Services
    • Windows Services create and manage critical functions such as network connectivity, storage, memory, sound, user credentials, and data backup and runs automatically in the background. These services are managed by the Service Control Manager panel and divided into three categories, i.e. Local, Network & System. Many applications like browsers and anti-virus software can also run their services for a seamless user experience.
    Type services.msc in the Run window to access Windows services.
  • Windows Registry 
    • The Windows registry is a unified container database that stores configurational settings, essential keys and shared preferences for Windows and third-party applications. Usually, on the installation of most applications, it uses a registry editor for storing various states of the application. For example, suppose an application (malicious or normal) wants to execute itself during the computer boot-up process; In that case, it will store its entry in the Run & Run Once key.
  • Windows Registry 
    • Usually, a malicious program makes undesired changes in the registry editor and tries to abuse its program or service as part of system routine activities. It is always recommended to protect the registry editor by limiting its access to unauthorised users.
    • Type regedit in the Run dialogue or taskbar search to access the registry editor.
  • Event Viewer:
    • Event Viewer is an app that shows log details about all events occurring on your computer, including driver updates, hardware failures, changes in the operating system, invalid authentication attempts and application crash logs. Event Viewer receives notifications from different services and applications running on the computer and stores them in a centralised database.
  • Hackers and malicious actors access Event Viewer to increase their attack surface and enhance the target system's profiling. Event categories are as below:
    • Application: Records events of already installed programs.
    • System: Records events of system components.
    • Security: Logs events related to security and authentication etc.
    We can access Event Viewer by typing eventvwr in the Run window. The default location for storing events is C:\WINDOWS\system32\config\folder in the attached VM (MACHINE_IP).
  • Telemetry
    • Telemetry is a data collection system used by Microsoft to enhance the user experience by preemptively identifying security and functional issues in software. An application seamlessly shares data (crash logs, application-specific) with Microsoft to improve the user experience for future releases.  
  • Telemetry
    • Telemetry functionality is achieved by Universal Telemetry Client (UTC) services available in Windows and runs through diagtrack.dll. Contents acquired through telemetry service are stored encrypted in a local folder %ProgramData%\Microsoft\Diagnosis and sent to Microsoft after 15 minutes or so.
    • We can access The DiagTrack through the Services console in Windows 10.
  • In Windows, the Registry Editor can be used to find a specific key. Here's a quick way to find a key in the Windows Registry:
    1. Open Registry Editor:
    • Press Win + R to open the Run dialog.
    • Type regedit and press Enter.
    1. Navigate to Find Option:
    • Press Ctrl + F to open the Find dialog.
    • Enter the key or value you are looking for.
    • Click "Find Next."
  • Standard vs Admin Account
    • Identity and access management involves employing best practices to ensure that only authenticated and authorised users can access the system. There are two types of accounts in Windows, i.e. Admin and Standard Account.
  • Standard vs Admin Account
    • Per best practice, the Admin account should only be used to carry out tasks like software installation and accessing the registry editor, service panel, etc. Routine functions like access to regular applications, including Microsoft Office, browser, etc., can be allowed to standard accounts. Go to Control Panel > User Accounts to create standard or administrator accounts.
    • In either case, a user can authenticate themselves on the system through a password; however, Windows 10 has introduced a new feature called Windows Hello, which allows authenticating someone based on “something you have, something you know or something you are”. 
    • To access accounts and select the sign-in option, go to Settings > Accounts > Sign-in Options.
    • User Account Control (UAC) User Account Control (UAC) is a feature that enforces enhanced access control and ensures that all services and applications execute in non-administrator accounts. It helps mitigate malware's impact and minimises privilege escalation by bypassing UAC. Actions requiring elevated privileges will automatically prompt for administrative user account credentials if the logged-in user does not already possess these.
    • User Account Control (UAC):For example, installing device drivers or allowing inbound connections through Windows Firewall requires more permissions than already available privileges for a standard user. We have covered the topic in detail in Windows Fundamental 1.
  • User Account Control (UAC)
    • As a principle, always follow the Principle of Least Privilege, which states that (Per CISA) “a subject should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have that right”.To access UAC, go to Control Panel -> User Accounts and click on Change User Account Control Setting
    • Local Policy and Group Policies Editor Group Policy Editor is a built-in interactive tool by Microsoft that allows to configure and implement local and group policies. We mainly use this feature when part of a network; however, we can also use it for a workstation to limit the execution of vulnerable extensions, set password policies, and other administrative settings. Note: The feature is not available in Windows Home but only in the Pro and Enterprise versions.
  • Password Policies
    One primary use of a local policy editor is to ensure complex and strong passwords for user accounts. For example, we can design password policies to maximise our security:
    • Passwords must contain both uppercase and lowercase characters.
    • Check passwords against leaked or already hacked databases or a dictionary of compromised passwords.
    • In case of 6 failed login attempts within 15 minutes, the account will remain locked for at least 1 hour.
    We can access Password policies through the Local group policy editor.Go to Security settings > Account Policies > Password policy 
    • Setting A Lockout Policy To protect your system password from being guessed by an attacker, we can set out a lockout policy so the account will automatically lock after certain invalid attempts. To set a lockout policy, go to Local Security Policy > Windows Settings > Account Policies > Account Lockout Policy and configure values to lock out hackers after three invalid attempts.
  • Windows Defender Firewall: Windows Defender Firewall is a built-in application that protects computers from malicious attacks and blocks unauthorised traffic through inbound and outbound rules or filters. As an analogy, this is equivalent to “who is coming in and going out of your home”.
  • Windows Defender FirewallMalicious actors abuse Windows Firewall by bypassing existing rules. For example, if we have configured the firewall to allow incoming connections, hackers will try to manipulate the functionality by creating a remote connection to the victim's computer. We can access Windows Defender Firewall by accessing WF.msc in the Run dialogue.
  • Windows Defender Firewall
    • As mentioned in the Windows Fundamentals room, it has three main profiles Domain, Public and Private.  The Private profile must be activated with "Blocked Incoming Connections" while using the computer at home. View detailed settings for each profile by clicking on Windows Defender Firewall Properties.
    • Whenever possible, enable the Windows Defender Firewall default settings. For blocking all the incoming traffic, always configure the firewall with a 'default deny' rule before making an exception rule that allows more specific traffic.
  • Disable unused Networking Devices
    • Network devices like routers, ethernet cards, WiFI adapters etc., enable data sharing between computers. If the device is improperly configured or not being used by the owner, it is recommended to disable the interface so that threat actors cannot access them and use them for data retrieval from the victim's computer.To disable the unused Networking Devices, go to the Control panel > System and Security Setting > System > Device Manager and disable all the unused Networking
    • Disable SMB protocol SMB is a file-sharing protocol exploited by hackers in the wild. The protocol is primarily used for file sharing in a network; therefore, you must disable the protocol if your computer is not part of a network by issuing the following command in PowerShell.
  • Protecting Local Domain Name System (DNS)  The domain name system (DNS) is a naming system that translates Fully Qualified Domain Names (FQDN) into IP addresses. If the attacker places himself in the middle, he may intercept and manipulate DNS requests and point them to attacker-controlled systems since DNS replies are neither authenticated nor encrypted.
  • Protecting Local Domain Name System (DNS) The hosts file located in Windows acts like local DNS and is responsible for resolving hostnames to IP addresses. Malicious actors try to edit the file's content to reroute traffic to their command and control server.The hosts file is located at C:\Windows\System32\Drivers\etc\hosts.
    • Mitigating Address Resolution Protocol Attack   The address resolution protocol resolves MAC addresses from given IP addresses saved in the workstations ARP cache. The ARP offers no authentication and accepts responses from any user in the network. An attacker can flood target systems with crafted ARP responses, which point to an attacker-controlled machine and put him in the middle of communication between the targeted hosts.
  • Mitigating Address Resolution Protocol Attack  
    • You can check ARP entries using the command arp -a in the command prompt. 
    • The table contains MAC addresses in the middle and IP addresses in the left.  
    • If the table includes a MAC mapped to two IPs, you are probably susceptible to an ARP poisoning attack. To clear the ARP cache and prevent the attack, issue the command arp -d.
  • Preventing Remote Access to Machine
    • Remote access provides a way to connect to other computers/networks even located at a different geographical location for file sharing and remotely make changes to a workstation. Microsoft has developed a Remote Desktop Protocol (RDP) for connecting with other computers. Hackers have exploited the protocol in the past, like the famous Blue Keep vulnerability, to gain unauthorised access to the target system.
  • Preventing Remote Access to MachineWe must disable remote access (if not required) by going to settings > Remote Desktop. Do not attempt this in VM attached to this room.
  • Trusted Application Store:
    • Microsoft Store offers a complete range of applications (games, utilities) and allows downloading non-malicious files through a single click. Malicious actors bind legitimate software with trojans and viruses and upload it on the internet to infect and access the victim's computer. Therefore, downloading applications from the Microsoft Store ensures that the downloaded software is not malicious. We can access Microsoft Application Store by typing ms-windows-store: in the Run dialogue.
    • Safe App Installation: Only allow installation of applications from the Microsoft Store on your computer.  Go to Setting > Select Apps and Features and then select The Microsoft Store only. 
  • Malware Removal through Windows Defender Anti Virus Windows Defender Anti Virus is a complete anti-malware program capable of identifying malicious programs and taking remedial measures like quarantine. The program used to have an entire Graphical User Interface; however, Windows 10 and newer versions manage the same through Windows Security Centre.
  • Malware Removal through Windows Defender Anti Virus Windows Defender primarily offers four main functionalities:
    • Real-time protection - Enables periodic scanning of the computer.
    • Browser integration - Enables safe browsing by scanning all downloaded files, etc.
    • Application Guard Allows complete web session sandboxing to block malicious websites or sessions to make changes in the computer.
    • Controlled Folder Access - Protect memory areas and folders from unwanted applications.
  • Microsoft Office Hardening
    • Microsoft Office Suite is one of the most widely used application suites in all sectors, including financial, telecom, education, etc. Malicious actors abuse its functionality through macros, Flash applets, object linking etc., to achieve Remote Code Execution. 
  • Hardening of Microsoft Office may vary from person to person as legitimate functionality of Microsoft Office is exploited to gain access. For example, disabling macros in a University may be helpful as no one uses it; however, banks cannot disable macros as they heavily rely on complex invoices and formulas through macros. 
  • AppLocker: AppLocker is a recently introduced feature that allows users to block specific executables, scripts, and installers from execution through a set of rules. We can easily configure them on a single PC or network through a GUI by the following method: Local Group Policy Editor > Windows Settings > Security Settings > Application Control Policies > Applocker, Then add a rule through AppLocker to block a file based on its publisher name.
  • Browser (MS Edge) Microsoft Edge is a built-in browser available on Windows machines based on Chromium, inline with Google Chrome and Brave. The browser often acts as an entry point to a system for further pivoting and lateral movement. It is therefore of utmost importance to block and mitigate critical attacks carried out through a browser that include ransomware, ads, unsigned application downloads and trojans. 
  • Protecting the Browser through Microsoft Smart Screen Microsoft SmartScreen helps to protect you from phishing/malware sites and software when using Microsoft Edge. It helps to make informed decisions for downloads and lets you browse safely in Microsoft Edge by:
    • Displaying an alert if you are visiting any suspicious web pages.
    • Vetting downloads by checking their hash, signature etc against a malicious software database.
    • Protecting against phishing and malicious sites by checking visited websites against a threat intelligence database.
  • Protecting the Browser through Microsoft Smart Screen
    • To turn on the Smart Screen, go to Settings > Windows Security > App and Browser Control > Reputation-based Protection. Scroll down and turn on the SmartScreen option.
    • Open Microsoft Edge, go to Settings and then click “Privacy, Search and Services” - Set "Tracking prevention" to Strict to avoid tracking through ads, cookies etc.
    • Data Encryption Through BitLocker Encryption of the computer is one of the most vital things to which we usually pay little attention. The worst nightmare is that someone gets unfettered access to your devices' data. Encryption ensures that you or someone you share the recovery key with can access the stored content.Microsoft, for its business edition of Windows, utilises the encryption tools by BitLocker.
  • Data Encryption Through BitLocker
    Go to Start > Control Panel > System and Security > BitLocker Drive Encryption. You can easily see if the option to BitLocker Drive Encryption is enabled or not. 
    • A trusted Platform Module chip TPM is one of the basic requirements to support BitLocker device encryption. Keeping the BitLocker recovery key in a secure place (preferably not on the same computer) is imperative.