SANS 401: Windows

Ace your homework & exams now with Quizwiz!

Windows 10 Pro for Workstations

8 Supports ReFS filesystem for large arrays of drives <6TB of RAM, <4 Intel Xeon or AMD Opteon processors

AD Domain Controllers OU, "Domain Local", SAM Database

81 Computer accounts of the conrollers of the domain, replicated throughout,

AD Users & Computers

81 Installed on Domain Controllers by Default, DNS of domain "testing.local"

Shared Folder Permissions: SMB Protocol

84 PS: New-SmbShareds, For sharing folders/files, Options: Full Control, Change, Read

Hidden and Administrative Shares ($)

87 PS: Get-SmbShare, enter full UNC path (\\ComputerName\HiddenShare$)

Combining NTFS and Share DACL's (effective permissions)

89 Final share permissions (folder)+Final NTFS permisssions (file)=Effective permission; Share:Change=NTFS:Modify

Server Editions (Plus Core & Nano)

9 Datacenter, Enterprise (only until 2012), Standard; For Small Business: Essentials, Storage

Windows Version of VMware

9 Hyper-V

RegEdit.exe

91 PS: Set-Item-Property

Remote Registry Service

92 REGSVC.EXE, Disable to prevent network access, "winreg" to control shares

REGEDIT Permissions

94 Limit these & manage with INF security templates & Group Policy

Active Directory Permissions, OU's

95 Use Delegation of Control Wizard to give permissions over OU's

AD Rights vs. Privileges

98 CMD: whoami.exe/priv, privileges listed in SAT, machine-specific, rights only logon attempts

AD Privileges List

99 CMD: NTRIGHTS.EXE

How to Disable a Service

188 Services tool, INF template, GPO, PowerShell, SC.EXE CLI

Computer Management Tool

19. CompMgt.msc (local users & groups)

NetBIOS, Do I Still Need It?

191 Disable over TCP/IP or on DHCP server,

Key Protocols & Port #'s

193

RPC (Remote Procedure Call)

193 TCP 135

SMB w/ NetBIOS

193 TCP 139

Cleartext LDAP (Global Catalog)

193 TCP 389 (TCP 3268)

SMB

193 TCP 445

SSL Encrypted LDAP (Global Catalog)

193 TCP 636 (TCP 3269)

Kerberos

193 UDP 88 (TCP 88) Change Password Port (TCP/UDP 464), A

DNS

195 TCP/UDP 53

SID Numbers

20. Everyone =S-1-1-0, AU=S-1-5-11, Local Admin Grp. S-1-5-32-544

SAT Token

21. Like ID, contains all your SID's, (Debug Programs to access raw virtual memory)

Active Directory Domains, multi-master replications

25 Each change is automatically replicated to other domain controllers, in conflict, later overrrides

RODC, RegEdit.exe, Group Policy Objects

26 Read-Only Domain Controller,

Four Parts of SAT

28 SID for user's accoutn, SID for domain groups, SID for local groups, privileges on local server

Authentication Protocols - Kerberos

29 Uses Protocols: SMB/CIFS, RPC, LDAP, HTTP, DDNS, IPsec, IKE, PowerShell Remoting

"Golden Tickets"

30 Kerberos encryption keys shared among all DC's in the domain, made with Mimikatz

NTLM v1 vs. v2

32 v1=vulnerable to sniff-and-crack (Cain), data encrypted with password hash, should deprecate ALL

Forest

33 One or more AD domains that replicate special portions of their domain databases, 2-way trans. trusts

Global Catalog Servers

33 replicate across domain boundaries taht portion of the AD database replicated everywhere

Trust

35 (SSO, Assign Permissions, Log on w/ Other Domain Account)

Cross-Forest Trusts

Group Policy Objects

38 special logon scripts that reconfigure almost anything on the computer, dl'd every 90-120 min.

End of Support Dates

48 Server 2008: 1/20, 2012: 10/23, 2016: 1/27 End of Sales, Mainstream S., Extended S.

Feature Updates

50 Large "service packs" released 2x/yr. or ~180 days; version 1709=9/2017

Quality Updates

50 Smaller "security patches" and bug fixes, released every 30 days,

Cummulative Updates/ Rollups

52 "Security Updates Guide"

Sevicing Channels

53 Semi-Annual, Windows Insider, Long-Term

Deferrals

54 Quality: 30 days on Semi-Annual (5x for Home), Feature: 365 days for Semi-Annual

"Allow Telemetry" set to 0

57 Reduces telemetry sharings, but then cannot defer Quality Updates

Long-Term Channel

58 Never gets feature updates, only Quality; Only available to Windows Enterprise

Windows Insider

59 Can choose "fast" or "slow" updates

Three Classes of Server Operating Systems

6 Client, Server, Embedded

Windows Update

Windows Server Update Service (WSUS)

62 IIS web app to control when to deploy updates to which groups, serves SQL, Exchange server, cap.>10k clients

3rd-Party Patch Management Solutions

65 IBM Endpoint Manager, Altiris, etc. Many need "agent" software to be hands-free

User Access Control

68 Windows Vista and later method of applying least privilege to SAT's

Platforms

7 32-bit=x86, 64-bit=x64 AMD or Intell vs. ARM (in phones/tablets)

Windows Work Editions

7 Business, Pro, Enterprise (AppLocker)

Windows Personal Editions

7 Starter, Home, Ultimate (AppLocker)

AGULP

79 Accounts (Jim), Global (Boston-HR), Universal (HR), Local (Users on ADP Server), Permissions(Modify)

Windows File Systems

70. NTFS, CDFS (for CD's), FAT & FAT32 (no access control or fault tol.), exFAT, ReFS (2012+ RAID array)

Script to see filesystem

71 fsutil.exe fsinfo volumeinfo C:

DACL's

72 ALWAYS enforced, view with ICACLS.exe, or PowerShell: Set-ACL

"S Mode"

8 Safe Mode where users cannot install apps not from the MS Store, only Edge, can't go back to Full Mode

Standard ACE's, Special Permissions

73 S ACE's=collection of individual ACE's; Deny overrides Allow; Inherited vs. Explicit

NTFS Owners

75 CREATOR OWNER group, configures DACL system, TAKEOWN.EXE to delete or modify

Microsoft Edge and Internet Explorer Security

157 Compatible w/ UAC; Contains SmartScreen Filter for phishing

Microsoft Edge: Windows Defender Application Guard

160 Allows Edge to run in a sandbox, so malware is trapped; no browsers or extens.

Mozilla Firefox (Many Extensions Available)

162 Profile: prefs.js stores most "about:config" settings; deploy w/ autoconfig.js or mozilla.cfg

Extensions

164 Chrome & FF use the same programming API; MFA=FIDO, Mailvelope ext. for OpenPGP

Google Chrome Browser

167 MSI package, GoogleUpdate.exe, SafeBrowsingAPI blocks malware/ph, comp w/ UAC

Adobe Reader & Acrobat

170 Secure w/ Enhanced Security options, Protected View, Disable internet access & JS

Server Core (Adminstration) Windows Admin Center (WAC)

178 Windows Firewall Snap-in MMC.exe, SCONFIG.CMD, free web-based app WAC

Server Nano (Computer Management MMC Snap-in)

180 Runs as container (only 110 MB), not patched only replaced, RDP=no desktop

Hardening Services

184 Keep to the minimum, e.g. IIS is a web server; it should not be on desktops

Server Manager

185 Roles=IIS and RDS, Features=BitLocker & telnet client

10 Second version of MS Server, supposed to have no new features

Boot Volume vs System Volume

106 OS files vs. Files used during the very beginning of boot-up process. System can't be BL-encrypted

BitLocker

106 Whole-Disk Encryption w/ AES, verifies integrity to prevent rootkits, avail on Ult & Ent & Server 2008+

FVEK

107 Full-Volume Encryption Key

TPM (+BitLocker)

108

What's Windows Server used for?

11 Domain Controller, IIS, RDS, VPN, DHCP, DNS, RADIUS servers

Emergency Recovery with BitLocker

111 Force backup BL 48-digit recovery password w/ Group Policy

UEFI Secure Boot

113 Unified Extensible Firmware Interface, replaces BIOS, stores: Allowed CA certs, Disallowed file hashes

Security Templates (.INF)

118 Edit with Microsoft Mgt Console snap-in "Security Templates", Customize Template from CIS, NIST, NSA, DoD

Windows Embedded, ARM

12. Windows IoT; Intended for appliances PoS, MIR, SCADA, Raspberry Pi, Arduinoetc.

Security Configuration and Analysis Tool (SCA Snap-In)

122 Applies templates, No undo feature

Secedit.exe

124 CL vers. of SCA: Use to create database file and import settings

Local Group Policy Object (Security Settings, Scripts, Admin Templates)

125 Use "Group Policy Object Editor", Comp. Conf. when no one, User Conf. for user's desktop

Domain Group Policy Objects (GPMC)

130 "Default Domain Policy" applies to all, checked every 90-120 minutes

GPMC-Group Policy Management Console

131 Edit GPO's on Domain Controllers

GPO Settings Checklist

132

GPO - Password Policy

136 Max Length 127, enforce custom policy w/larger required length

GPO - Account Lockout Policy

138 Min. Rec. Settings: 120 min. dur., 5 attempts, Reset counter every: 45 min.

Anonymous Access

139 Null user session=blank username & password, Do Not Allow Enumeration of SAM accounts

Kerberos and NTLM

141 Kerberos uses UDP so can be sniffed; LAN Manager Authentication Level (3 or 5)

Credential Guard

144 Protects from kernel-mode malware & Mimikatz; Requires UEFI; Ent or Ed not Pro

Protect Administrative Accounts

146 MFA/Yubikey, CredentialGuard, Kerberos or NTLMv2, Rename Admin Acct. Limit local account use...

Guest Account

148 Disable AND set random passphrase

AppLocker

149 App Whitelisting, has Audit-only mode

Workgroups

15 "workgroup" admin has separate account on each machine since each is local, <50

Controlled Folder Access

151 Blocks changes from untrusted apps; Requires Windows Defender AV

User Account Control (UAC)

153 Applies to all but admin acct.; "Run as Administrator"

Windows Sandbox for Malware Isolation

155 Container (.wsb files) can be comfigured, best to disable all networking in SB

SANS 401: Windows

Related study sets

CH. 3 Quiz

Test 1

Nervous Tissue

Finance Chapter 14: Investing in Mutual Funds, Real Estate, and Other Choices.

PSY 285WI Exam 1 (Chapters 1-4)

Marketing Chapter 7

Practice test

Business Ethics Exam 1

Psych Quiz

Definitions (MRS H GREN)

Enzymes, Proteins and Catalysts

Ch. 31 New Frontiers: The 1960's

Metals and their uses QUIZ

Ethics

Chapter 12,13,14,15 EXAMS

Audit - Ch. 13 - PPE, Depreciation and Depletion (highlighted notes from book)

Adult health exam 3

Funds Chapter 31 Hygiene

8

PRF192 - Data Types and Sizes