
Introduction:

Windows is one of the most user-friendly operating systems in use today, so it is important to understand its security. Before deep diving into security, we need to know about Active Directory, Group Policy Objects, workgroups, SIDs, the Security Access Token (SAT), file systems and the different types of account.

Group Policy Object:

A Group Policy Object (GPO) is a virtual collection of policy settings. For example a GPO
looks more likely

There are three types of GPO:

 Local Group Policy Objects
 Non-local Group Policy Objects
 Starter Group Policy Objects
GPOs help to secure a network. An administrator can run scripts through a GPO, and stop users from accessing restricted files or performing certain tasks. Some more security measures are:
1. Limiting access to Control Panel
2. Disabling Command Prompt
3. Preventing software installations
In brief: say we have 1000 users in our workgroup, or hundreds of computers connected to the same network, sharing files and using the computation power of the server. If we want to change the rights and limitations of all of those users, we do not need to run scripts on every consumer workstation; we just need to change or update the GPO.
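As an added example (not part of the original notes), the three restrictions listed above can be verified on a client by reading the policy registry values that Group Policy writes; the function name is my own, and the values are only read, never changed:

```powershell
# Added example, not part of the original notes: audit whether the three
# GPO-enforced restrictions listed above are in effect for the current
# user/machine. The registry paths are the policy keys those settings write to.

$checks = @(
    @{ Name     = 'Limit access to Control Panel'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoControlPanel'
       Expected = @(1) },
    @{ Name     = 'Disable Command Prompt'
       Path     = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value    = 'DisableCMD'
       Expected = @(1, 2) },      # 1 = also blocks .bat/.cmd scripts, 2 = interactive cmd only
    @{ Name     = 'Prevent software installations (Windows Installer)'
       Path     = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
       Value    = 'DisableMSI'
       Expected = @(1, 2) }       # 1 = non-managed installs blocked, 2 = all installs blocked
)

function Get-GpoRestrictionState {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # A missing value yields $null, which is reported as "not enforced".
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                       -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Restriction = $c.Name
            Key         = "$($c.Path)\$($c.Value)"
            Actual      = $actual
            Enforced    = ($null -ne $actual) -and ($actual -in $c.Expected)
        }
    }
}

# Which GPOs delivered these values can be seen with:  gpresult /r
Get-GpoRestrictionState | Format-Table Restriction, Actual, Enforced -AutoSize
```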
Active Directory:
Active Directory (AD) is a Microsoft technology used to manage computers and other
devices on a network. It is a primary feature of Windows Server, an operating system that runs
both local and Internet-based servers. Active Directory allows network administrators to create
and manage domains, users, and objects within a network.
Active Directory provides several different services, which fall under the umbrella of "Active
Directory Domain Services," or AD DS. These services include:
 Domain Services – stores centralized data and manages communication between users and
domains; includes login authentication and search functionality
 Certificate Services – creates, distributes, and manages secure certificates
 Lightweight Directory Services – supports directory-enabled applications using the open
Lightweight Directory Access Protocol (LDAP)
 Directory Federation Services – provides single-sign-on (SSO) to authenticate a user in
multiple web applications in a single session
 Rights Management – protects copyrighted information by preventing unauthorized use
and distribution of digital content.

Workgroup:
A workgroup is a peer-to-peer network set up using the Microsoft Windows operating
system. It is a group of computers on a local area network that share common resources
and responsibilities. You can easily create a workgroup by connecting two or more PCs
without going through a separate server computer.
Workgroups are great for smaller networks, but they are not efficient for larger ones. Here
are two reasons why:

1. They don't scale well:
If the network is small, it is fairly easy to control a workgroup. However,
imagine a scenario in which there are more than 15 computers. It would be time-
consuming and tedious to create usernames and passwords by visiting each
computer. Now imagine a corporation with more than 5,000 computers. It would be
next to impossible to manage user accounts through a workgroup.
2. Passwords do not sync automatically:
If a user has changed their password on their own computer, the change won't be
reflected on the other computers they may try to access on the network. When prompted
for their username and password while trying to access other computers, they will
need to enter the old username and password to gain access.

Security Identifier (SID):
Users (you and me) refer to accounts by the account's name, like "Shihab", but Windows
uses the SID when dealing with accounts internally. A SID is not only an ID number; it
also carries the role of the user. Some well-known SIDs:
S-1-1-0 = Everyone Group
S-1-5-11 = Authenticated User Group
S-1-5-32-544 = Local Administrator Group
S-1-5-32-547 = Power User Group

SAT (Security Access Token):

When a user logs on, Windows creates an access token for that user.
An access token is a kernel data structure that consists of:
 The user's SID (security identifier)
 The SIDs of the groups that the user belonged to when the user was authenticated
 The user's and groups' privileges

Now it is time to discuss the authenticator of the request. There are two popular authenticators
used in Windows: one is Kerberos and the other is NTLM. Of the two, Kerberos is the most
used, because it is faster: clients can cache and reuse their respective SATs (tokens). But
there is a small issue: if an attacker can capture the packets of the initial Kerberos exchange,
then he/she can brute-force them and recover the SAT. Before Windows 7 there was no default
cryptographer; after that, MS released an update that included BitLocker and AES.
Kerberos:
Kerberos has several important advantages. For example, it:
 is very secure, preventing various types of intrusion attacks
 uses "tickets" that can be securely presented by a client, or by a service on the client's behalf,
to a server for access to services
 permits cross-forest trusts to use transitive properties and eliminate the "full mesh"
scenario; all domains in both forests establish a trust with a single Kerberos trust at the root
 permits interoperability with other Kerberos realms such as Unix; this permits non-Windows
clients to authenticate to Windows domains and gain access to resources
 provides authentication across the Internet for web apps
There is a proverb:
"The single most important thing any company or individual can do to improve
security is have a good backup strategy."

Backup and Restore:

Again, before deep diving into Backup and Restore we need to know about the Registry, MIC, TPM,
file systems etc.
File format:
CDFS, FAT, FAT32, exFAT and NTFS are common file formats. NTFS is the most used one:
it supports dual-boot systems, has auditing, encryption and compression abilities, and
can hold up to 16 TB of data in one format. Besides that, NTFS plays a vital role in
restore points.
Registry:
Configuration settings for hardware, the OS, applications and user preferences, kept in a special
miniature database.
MIC (Mandatory Integrity Control):
Assigns an integrity label to each securable object. The role of MIC is:
 A process cannot kill or edit another process if the other process has a lower MIC label
MIC is very important. For example, on an NTFS file system you have full access over your data, but if
the administrator changes the MIC label on the client PC through a GPO, then the user cannot delete
or modify the MIC-labelled file.
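As an added example that ties the SID, access token (SAT) and MIC passages together (not part of the original notes), the pieces of the current user's token can be listed from PowerShell; the function name and the annotation table are mine, and the well-known SIDs are the ones given above:

```powershell
# Added example, not part of the original notes: list what the current access
# token holds: the user SID, the group SIDs (annotated with the well-known
# values from the notes), the integrity (MIC) label and the privileges.

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$wellKnown = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-544' = 'Administrators (local)'
    'S-1-5-32-547' = 'Power Users'
}

function Get-TokenSummary {
    $groups = foreach ($g in $id.Groups) {
        try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolvable>' }
        [pscustomobject]@{
            Sid     = $g.Value
            Name    = $name
            Note    = $wellKnown[$g.Value]
            # The MIC label is carried in the same group list under the S-1-16 authority.
            IsLabel = ($g.Value -like 'S-1-16-*')
        }
    }
    # whoami /priv reads the token privileges without any P/Invoke.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User       = $id.Name
        UserSid    = $id.User.Value
        Integrity  = ($groups | Where-Object IsLabel | Select-Object -First 1).Name
        Groups     = @($groups | Where-Object { -not $_.IsLabel })
        Privileges = $privs
    }
}

$t = Get-TokenSummary
"{0}  SID={1}  integrity={2}" -f $t.User, $t.UserSid, $t.Integrity
$t.Groups | Where-Object Note | Format-Table Sid, Name, Note -AutoSize
$t.Privileges | Format-Table 'Privilege Name', State -AutoSize
```

Run it once from a normal prompt and once from an elevated one to see the integrity label and the privilege list change for the same user SID.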

TPM (Trusted Platform Module):

If anyone steals your PC and turns on the system, the BIOS loads the username
and password into RAM. An attacker can get into the BIOS and pull the passwords from
RAM just by cutting the power to the RAM.

To prevent this, a TPM is used. If the system has no TPM installed, then a drive or
USB key must be attached when booting the OS.
IIS Logging:
IIS logging is a type of server-side logging that can be enabled on a URL group. The
IIS log file format is a fixed, ASCII text-based format that cannot be customized. The IIS log
file contains the HTTP Server API kernel-mode cache hits. This type of logging can be enabled
on a URL group only; it cannot be used on the server session.
The IIS log file format records the following data. The data in the table is in the order of
occurrence in the log file.

IPsec:
IPsec, also known as the Internet Protocol Security or IP Security protocol, defines the
architecture for security services for IP network traffic. IPsec describes the framework for
providing security at the IP layer, as well as the suite of protocols designed to provide that
security, through authentication and encryption of IP network packets. Also included in IPsec
are protocols that define the cryptographic algorithms used to encrypt, decrypt and authenticate
packets, as well as the protocols needed for secure key exchange and key management.
Firewall:
The firewall is said to be the protector of Windows. Windows Firewall is security software
that provides filtering mechanisms such as firewalling and packet filtering for the Microsoft
Windows OS. Windows Firewall is a program included in Microsoft Windows that helps your
home network keep data secure from online threats. A firewall basically permits or denies
communication between an external network and your computer, between computers, or
between networks. Almost all networks communicate by establishing a connection
between two hosts or IP addresses.

 Packet filtering - Packets (small chunks of data) are analyzed against a set of filters.
Packets that make it through the filters are sent to the requesting system and all others are
discarded.
 Proxy service - Information from the Internet is retrieved by the firewall and then sent to
the requesting system and vice versa.
 Stateful inspection - A newer method that doesn't examine the contents of each packet
but instead compares certain key parts of the packet to a database of trusted information.
Information traveling from inside the firewall to the outside is monitored for specific
defining characteristics, then incoming information is compared to these characteristics.
If the comparison yields a reasonable match, the information is allowed through.
Otherwise it is discarded.
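As an added example (not part of the original notes), the Windows Firewall posture described above can be checked with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later; the function names are mine:

```powershell
# Added example, not part of the original notes: check the Windows Firewall
# posture with the NetSecurity module. Every profile should be on with inbound
# traffic denied by default, and any enabled inbound "allow" rule reachable from
# any remote address is worth reviewing.

function Get-FirewallProfileState {
    foreach ($p in Get-NetFirewallProfile) {
        # NotConfigured on DefaultInboundAction falls back to Block.
        $inboundDeny = $p.DefaultInboundAction -in @('Block', 'NotConfigured')
        [pscustomobject]@{
            Profile               = $p.Name
            Enabled               = ($p.Enabled -eq 'True')
            DefaultInboundAction  = $p.DefaultInboundAction
            DefaultOutboundAction = $p.DefaultOutboundAction
            LogBlocked            = ($p.LogBlocked -eq 'True')
            Baseline              = ($p.Enabled -eq 'True') -and $inboundDeny
        }
    }
}

function Get-WideOpenInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            # Port and address filters are separate objects linked to the rule.
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        } |
        Where-Object { $_.RemoteAddress -eq 'Any' }
}

Get-FirewallProfileState | Format-Table -AutoSize
Get-WideOpenInboundRules | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```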
MS PowerShell:
o The future of Windows scripting
o Can run binaries and scripts
o Can create COM objects
Difference Between CMD and PowerShell:

PowerShell | Cmd.exe
--- | ---
It is an object-based scripting language | It is a text-based scripting language
Cmd commands work in PowerShell | PowerShell cmdlets won't work in Cmd.exe
System administration tasks, from managing the registry to WMI (Windows Management Instrumentation), are accessible via PowerShell | System administration tasks, from managing the registry to WMI (Windows Management Instrumentation), are not accessible via Cmd
It is a powerful scripting environment that can be used to create complex scripts for managing Windows systems much more easily than you could with the Command Prompt | It is more difficult to compose complex scripts with Cmd
Equivalent common commands: change a directory: Set-Location; rename a file: Rename-Item | Equivalent common commands: change a directory: cd; rename a file: rename
