19021 Block 2
2b) Windows features that contribute to confidentiality, integrity, availability: Methods
-Anonymous: user does not supply credentials
-Basic: user supplies credentials in plaintext
-Digest: same as Basic but hashed
-Integrated (Windows): NTLM and Kerberos
2b) NT LAN Manager (NTLM)
-Applies to versions prior to 2000
-Challenge/response based authentication protocol
-Username and password are hashed before being sent across network
1c) Windows Key Boot Files: OS Initialization
-Kernel: subphase starts when Winload.exe starts (invokes) the kernel (ntoskrnl.exe)
-Session: initialization subphase is managed by the session manager process Smss.exe
-Winlogon: execution of Winlogon.exe begins the Winlogon initialization subphase
-Explorer: initialization subphase begins when Explorer.exe starts
1c) Windows Key Boot Files: BIOS
-Power On: power supply tests circuitry for proper voltage
-POST: Power-On Self-Test sends commands to devices to perform checks
-MBR: Master Boot Record is a small bit of file system boot code that scans the partition table for the system partition
-Bootmgr: primary job of bootmgr is to load winload.exe
4a) Benefits of virtualization
-Reduce capital and operating costs
-Minimize or eliminate downtime
-Enable business continuity/disaster recovery
--Migration: process of moving a virtual machine from one host/storage location to another
--Cloning: copy of an existing virtual machine
1c) Windows Key Boot Files: OS Loader
-Winload.exe: readies system to load the operating system kernel by loading it into memory
-Hal.dll: Winload.exe loads Hal.dll to implement the HAL
-System Registry: Winload.exe loads the System Registry hive
-Drivers: Winload.exe loads drivers
3d) Explain relationship between /etc/passwd and /etc/shadow
/etc/passwd
-Text file of accounts (except password)
-Two account types: System and User
-Read permission for all user categories ("root" user also has write)
/etc/shadow
-Text file of password info (password is encrypted)
-Only root can read/open
1a) Windows OS Components: Hardware Abstraction Layer (HAL) (kernel mode)
Abstracts low-level hardware details from rest of OS
-Different types of hardware look the same to kernel (MAKES KERNEL'S LIFE EASIER)
-Contains routines to give a program access to the hardware resources
-Delivers support for symmetric multiprocessing (SMP)
4d) Live Migration (Microsoft) and vMotion (VMware)
Affinity
-VM/VM: ensure certain VMs are always running on same host (ex. application and database servers)
-Host/VM: ensure certain VMs stay on certain hosts (not migrated) due to possible licensing requirements
-Anti-affinity: ensure certain VMs never reside on same host, for availability (ex. domain controllers)
4d) Virtualization tech: Failover Priorities
Allows admin to define the startup order of VMs running on that cluster in case of system failure
-Most important VMs start first
4d) Virtualization tech to enhance security: Snapshots
Known good state that can be used as baseline for patching/network changes
-Backup of OS, not of the data
4a) Define virtualization
Process of creating a software-based (virtual) representation of something rather than a physical one
-Host: system that is installed first and then "hosts" or "contains" the virtual machines
4e) Identify constraints to editing VM configuration: Permissions
Based on user and group roles, policies
-Can prevent other users from seeing VMs
-Allow full administration of VM
4d) Virtualization tech to enhance security: Sandboxing
Creates logically separate test environment
-Used to test patches or system upgrades
4d) Virtualization tech to enhance security: Information Security
Process of keeping computers and networks protected from theft, corruption, unwanted publication, tampering/natural disasters, while keeping info and property accessible and productive to intended users
4a) Types of hypervisors: Open Source
Provided at no cost and delivers same ability as proprietary hypervisor to run multiple VMs
4e) Identify constraints to editing VM configuration: VM Infrastructure
Cannot fully virtualize some devices (e.g. Cisco)
-Uses basic virtual switch that does not have all functions
4d) Explain virtualization tech used to enhance security: NIC Teaming
Capability of making many physical NICs appear as if they are one
-Bandwidth aggregation, better throughput; makes fat connection out of multiple connections
1a) Windows OS Components: Services (user mode)
Computer program that operates in background and provides functionality to applications
-May be required for:
--Normal operation (system service)
--Networking (network service)
-Services can:
--Be started by user (manually)
--Auto start at system boot
--Be started by app that uses service functions
SERVICES RUN IN THE BACKGROUND
1a) Windows OS Components: Applications (user mode)
Computer program written to run in Windows 10
-Require user intervention
-May have one or more associated processes
2b) Kerberos
Consists of 3 players: client, server, KDC
-KDC: Authentication Service (AS) issues TGTs for connection to the TG service in own or trusted domain
--*TG Service (TGS): issues tickets for connection to computers in its own domain
-Standard after 2000
1d) HKEY_LOCAL_MACHINE (HKLM)
Contains all data for a system's non-user configurations (devices and programs)
1a) Windows OS Components: Executive (kernel mode)
Contains base OS services: I/O manager, file system cache, object manager, plug and play manager
-*Executive takes load off of kernel (in terms of processes; like "Lt Kernel")
1a) Windows OS Components: Environment Subsystems (user mode)
Layer in user mode allowing Windows to run apps written for different operating systems
-Subsystems include:
--POSIX: Portable OS Interface, IEEE standard, Unix
--OS/2: OS created by IBM to provide alternative to Windows (1987)
--WIN32: 32-bit Windows applications
1d) HKEY_CURRENT_USER (HKCU)
Like HKU but contains the personalized information of the current (active) user
1d) HKEY_CLASSES_ROOT (HKCR)
Defines standard class objects used by Windows
-Combination of HKCU and HKLM ("legacy" = HKCR)
4a) Types of hypervisors: Proprietary
Developed and licensed under exclusive legal right of copyright (ex. Microsoft's Hyper-V)
4a) Virtual switches
Device that controls how network traffic flows between VMs and host, and how network traffic flows between VMs and other network devices
2b) Authentication Factors
Factor: something you know/have/are
-Single/multi-factor authentication
-Single sign-on: no reauthentication with each network resource
1a) Windows OS Components: Windows and graphics (kernel mode)
Handles GUI windowing functions
-Windows component management
-Graphics Device Interface (GDI): draws lines and curves, renders fonts; transmits objects to output devices
4e) Identify constraints to editing VM configuration: Add or remove devices
Hardware devices can usually be safely changed after VM creation and guest OS installation
-Be wary of changing: # of CPUs, virtual hard disk, memory allocated
1d) HKEY_CURRENT_CONFIG (HKCC)
Hardware profile info used at system startup when multiple options exist in HKLM
1a) Windows OS Components: Kernel (kernel mode)
Heart (core) of OS
-Manages/responsible for: thread scheduling, process switching, communication with hardware (user and kernel mode processes don't have direct access to hardware, must use HAL functions), memory management, multiprocessor synchronization
2a) Windows server roles: DNS
Hierarchical distributed database - Provides a service that resolves a hostname to an IP address
3e) 3 categories of vulnerabilities
High risk: Remote Code Execution (RCE), Denial of Service (DoS)
Medium risk: Privilege Escalation (PE) - horizontal/vertical, Security Bypass (SB)
Low risk: Information Disclosure (ID)
-Attack vector: path by which adversary gains access to perform malicious activities; delivers payload (worms, Trojan horses, spyware, etc.)
4a) Virtual Machine (Guest)
Machine that emulates a physical computer and is managed by a hypervisor for access to actual physical resources
-VM resources
--Virtual disks/storage virtualization
--Virtual NICs
--Virtual switches
--Memory
4d) 3 connection methods of network virtualization
Microsoft (VMware)
-Private (Host-only): VM/VM only; VMs cannot communicate any other way
-Internal (NAT): allows VM/VM communication and communication to host
-External (Bridged): allows VMs to communicate with other VMs, host and rest of physical network (most common)
4e) Explain virtualization as it applies to available physical resources
Min reqs needed for VMs:
-Server hosting, VM name
-Guest OS, hostname for guest OS
-File locations, storage allocation
-# of processors, amount of RAM
-Peripheral devices (USB, etc.)
--Specify hardware requirements
Type 2 hypervisor: typically can't specify more resources than host has available
Type 1 hypervisor: can overprovision storage, oversubscribe CPU cores and RAM
3e) Methods of Linux Hardening
-Physical security
-Control user access
-Remove unneeded services/software
-Install updates
-Manage system logs
-Implement firewalls
1a) Explain facts about Windows OS Components: System Processes (user mode)
Process: instance of running an executable (.exe)
-Includes services not provided as part of kernel:
-Logon Process (WINLOGON): collects logon credentials from user; loads user profile on logon; locks computer
-Session Manager Subsystem (SMSS): creates environment variables; handles Windows File Protection; creates logon sessions via WINLOGON
-Local Security Authentication Server (LSASS): enforces security policy on system; verifies users logging on to computer; creates security tokens
-Service Control Manager (SCM): responsible for managing Windows services (start, stop, pause, resume)
3d) Differentiate b/w root user and administrator
Root user: has access to all commands and files on system (unlimited privileges/rights); more power than admin; only use when necessary; mistakes can be catastrophic (no undo)
4a) Types of hypervisors: Type 1 (Baremetal)
Runs on host's hardware
-Loaded as OS
-Enterprise solutions
-Better performance than Type 2
4a) Types of hypervisors: Type 2 (Hosted)
Runs on host's OS as application
-Better for playing around at home
-Takes performance hit
2a) Server Tools: System Center Ops Manager (SCOM)
SCOM: single interface showing state, health, and performance of objects (large network structures)
-Generates alerts based on availability, performance, config, security
-Green (healthy), Yellow (warning), Red (possible critical issue)
2a) Server Tools: Best Practices Analyzer (BPA)
Scans server role against predefined best practices and reports findings as: Noncompliant, Compliant, Warning
-Measures role's effectiveness, trustworthiness, reliability
How does Windows use Security Identifiers (SIDs)?
-Security descriptors: identify the owner of an object and primary group
-Access control entries: identify the trustee for whom access is allowed, denied, or audited
-Access tokens: identify user and groups to which the user belongs
2a) Active Directory Domain Services (ADDS)
Server role allowing admins to manage and store info about resources from network and application data in database
-Domain: security/admin boundary
-Tree: hierarchical grouping of domains within same namespace
-Forest: grouping of trees (domains) joined together
-Organizational Unit (OU): container within a domain
2a) Identify Windows server roles
Set of software programs that lets a computer perform a specific function for multiple users or other computers within network
-ADDS, DNS, DHCP, IIS
4a) Virtual NICs
Software component made up of software drivers that mimic a physical NIC
-Can be configured just like a physical NIC from within the VM
1a) Windows OS Components: Device drivers (kernel mode)
Software component that lets OS communicate with hardware
-Reduces kernel's memory footprint
-Allows support for variety of hardware from different vendors
4c) Describe thick(fixed) and thin(dynamic) provisioning
Thick (VMware) / Fixed (Microsoft)
-Fixed amount of storage space
-Reserved space
Thin / Dynamic
-Allocating dynamic storage space
-Combined VM allocated space may exceed actual storage space
--Overprovisioning
--Requires monitoring
3e) Threat, vulnerability, risk
Threat: anything that can or may want to cause harm to our info/systems
Vulnerability: flaw in computer system, operating procedure, installed software, network config
Risk: area where threat and vulnerability overlap
4a) Server Virtualization
Use of hypervisor to convert one physical server into multiple VM servers. Each VM acts like unique physical device capable of running its own OS
-Benefits:
--Consolidation: consolidate several machines into one server running multiple virtual environments
--Redundancy: running same app on multiple servers on different hosts in case one crashes
--Isolated and independent systems: create virtual server independent of all others to run/test software
--Migration and Load Balancing: moving server environment from one place to another to balance the load on a host to increase network efficiency
4a) OS Virtualization
Use of software (hypervisor) to allow system hardware to run multiple instances of similar/different OSs concurrently
-Purpose: useful for apps requiring specific OS to run
4d) Explain Network Virtualization
Utilizes virtual NICs to send/receive data between clients and servers
-Virtual switches establish connection between virtual and physical network
4a) Memory
VMs memory can be changed as needed to support requirements
4a) Virtual disks and storage virtualization
Virtual disk is a file that represents a physical disk to the VM
-Storage virtualization is place to store virtual disks
1d) HKEY_USERS (HKU)
Windows designed to support more than one user on same system
-HKU stores personalized info such as desktop colors and contents for each user
3e) Linux Hardening
Processes/defensive mechanisms used to eliminate as many attack vectors (security risks) as possible
-Never-ending process: mechanisms used today may not work tomorrow
-Continuous monitoring/updates