Facts About Windows Configuration And Monitoring
Windows Configuration and Monitoring
Run as Administrator
As a security best practice, it is not advisable to log on to Windows using the Administrator account or an account with administrative privileges. This is because any program that is executed while logged on with those privileges will inherit administrative privileges. Malware that has administrative privileges has full access to all the files and folders on the computer.
Sometimes it is necessary to run or install software that requires Administrator privileges. There are two different ways to do this.
Right-click the program in Windows File Explorer and choose Run as Administrator from the context menu.
Local Users and Domains
When you start a new computer for the first time, or you install Windows, you will be prompted to create a user account. This is known as a local user. This account will contain all of your customization settings, access permissions, file locations, and many other user-specific data. There are also two other accounts that are present, the guest, and the administrator. Both of these accounts are disabled by default.
As a security best practice, do not enable the Administrator account and do not give standard users administrative privileges. If a user needs to perform any function that requires administrative privileges, the system will ask for the Administrator password and allow only that task to be performed as an administrator. Requiring the administrator password protects the computer by preventing any software that is not authorized from installing, executing, or accessing files.
The Guest account should not be enabled. The guest account does not have a password associated with it because it is created for computers that will be used by many different people who do not have accounts on the computer. Each time the guest account logs on, a default environment with limited privileges is provided.
To make administration of users easier, Windows uses groups. A group will have a name and a specific set of permissions associated with it. When a user is placed into a group, the permissions of that group are given to that user. A user can be placed into multiple groups to be provided with many different permissions. When the permissions overlap, certain permissions, like “explicitly deny” will override the permission provided by a different group. There are many different user groups built into Windows that are used for specific tasks. For example, the Performance Log Users group allows members to schedule logging of performance counters and collect logs either locally or remotely. Local users and groups are managed with the lusrmgr.msc control panel applet, as shown in the figure.
In addition to groups, Windows can also use domains to set permissions. A domain is a type of network service where all of the users, groups, computers, peripherals, and security settings are stored in and controlled by a database. This database is stored on special computers, or groups of computers, called domain controllers (DCs). Each user and computer on the domain must authenticate against the DC to log on and access network resources. The security settings for each user and each computer are set by the DC for each session. Any setting supplied by the DC takes precedence over the corresponding local computer or user account setting.
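The account and group recommendations above can be checked from PowerShell. The following is an added example, not code from the original article: it confirms that the built-in Administrator and Guest accounts are disabled, lists who holds local administrative privileges, and shows the group membership of every enabled local user. It assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated prompt.

```powershell
# Added example (not from the original article): audit local accounts and
# group membership. Requires Microsoft.PowerShell.LocalAccounts (built in on
# Windows 10 / Server 2016 and later). Run from an elevated PowerShell prompt.

# 1. The built-in Administrator and Guest accounts should stay disabled.
#    Their SIDs always end in -500 (Administrator) and -501 (Guest), so match
#    on the SID rather than the display name, which may have been renamed.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' }
foreach ($acct in $builtIn) {
    $rid    = $acct.SID.Value.Split('-')[-1]
    $status = if ($acct.Enabled) { 'ENABLED - review' } else { 'disabled (ok)' }
    Write-Output ("{0,-20} RID {1}  {2}" -f $acct.Name, $rid, $status)
}

# 2. Standard users should not hold administrative privileges: list every
#    member of the local Administrators group, including domain principals.
Write-Output "`nMembers of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Show which groups each enabled local user belongs to, so overlapping
#    permissions from several groups are visible in one place.
$groups = Get-LocalGroup
foreach ($user in (Get-LocalUser | Where-Object Enabled)) {
    $membership = foreach ($g in $groups) {
        # Get-LocalGroupMember fails on groups containing orphaned SIDs;
        # skip those rather than abort the whole report.
        $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
        if ($members.SID -contains $user.SID) { $g.Name }
    }
    Write-Output ("{0,-20} -> {1}" -f $user.Name, ($membership -join ', '))
}
```

Matching on the relative identifier (RID) instead of the name matters because renaming the Administrator account is a common hardening step; the RID cannot be changed, so the check still finds the account.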
CLI and PowerShell
The Windows command line interface (CLI) can be used to run programs, navigate the file system, and manage files and folders. In addition, files called batch files can be created to execute multiple commands in succession, much like a basic script.
To open the Windows CLI, search for cmd.exe and click the program. Remember that right-clicking the program provides the option to Run as administrator, giving much more power to the commands that will be used.
The prompt displays the current location within the file system. These are a few things to remember when using the CLI:
- The file names and paths are not case-sensitive, by default.
- Storage devices are assigned a letter for reference. The drive letter is followed by a colon and backslash (\). This indicates the root, or highest level, of the device. The folder and file hierarchy on the device is indicated by separating them with the backslash. For example, the path C:\Users\Jim\Desktop\file.txt refers to a file called file.txt that is in the Desktop folder within the Jim folder within the Users folder at the root of drive C:.
- Commands that have optional switches use the forward-slash (/) to delineate between the command and the switch option.
- You can use the Tab key to auto-complete commands when directories or files are referenced.
- Windows keeps a history of the commands that were entered during a CLI session. Access previously entered commands by using the up and down arrow keys.
- To switch between storage devices, type the letter of the device, followed by a colon, and then press Enter.
Even though the CLI has many commands and features, it cannot work together with the core of Windows or the GUI. Another environment, called Windows PowerShell, can be used to create scripts that automate tasks the regular CLI is unable to perform. PowerShell also provides a CLI for initiating commands. PowerShell is an integrated program within Windows and can be opened by searching for “powershell” and clicking the program. Like the CLI, PowerShell can also be run with administrative privileges.
These are the types of commands that PowerShell can execute:
- cmdlets – These commands perform an action and return an output or object to the next command that will be executed.
- PowerShell scripts – These are files with a .ps1 extension that contain PowerShell commands that are executed.
- PowerShell functions – These are pieces of code that can be referenced in a script.
To see more information about Windows PowerShell and get started using it, type help in PowerShell, as shown in the command output.
```text
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> help

TOPIC
    Windows PowerShell Help System

SHORT DESCRIPTION
    Displays help about Windows PowerShell cmdlets and concepts.

LONG DESCRIPTION
    Windows PowerShell Help describes Windows PowerShell cmdlets, functions,
    scripts, and modules, and explains concepts, including the elements of the
    Windows PowerShell language.

    Windows PowerShell does not include help files, but you can read the help
    topics online, or use the Update-Help cmdlet to download help files to your
    computer and then use the Get-Help cmdlet to display the help topics at the
    command line.

    You can also use the Update-Help cmdlet to download updated help files as
    they are released so that your local help content is never obsolete.

    Without help files, Get-Help displays auto-generated help for cmdlets,
    functions, and scripts.

ONLINE HELP
    You can find help for Windows PowerShell online in the TechNet Library
    beginning at http://go.microsoft.com/fwlink/?LinkID=108518.

    To open online help for any cmdlet or function, type:

        Get-Help <cmdlet-name> -Online

UPDATE-HELP
    To download and install help files on your computer:

       1. Start Windows PowerShell with the "Run as administrator" option.
       2. Type:

          Update-Help

    After the help files are installed, you can use the Get-Help cmdlet to
    display the help topics. You can also use the Update-Help cmdlet to
    download updated help files so that your local help files are always
    up-to-date.

    For more information about the Update-Help cmdlet, type:

        Get-Help Update-Help -Online
-- More --
```
There are four levels of help in Windows PowerShell:
- get-help PS command – Displays basic help for a command
- get-help PS command [-examples] – Displays basic help for a command with examples
- get-help PS command [-detailed] – Displays detailed help for a command with examples
- get-help PS command [-full] – Displays all help information for a command with examples in greater depth
Windows Management Instrumentation
Windows Management Instrumentation (WMI) is used to manage remote computers. It can retrieve information about computer components, hardware and software statistics, and monitor the health of remote computers. To open the WMI control from the Control Panel, double-click Administrative Tools > Computer Management to open the Computer Management window, expand the Services and Applications tree and right-click the WMI Control icon > Properties.
The WMI Control Properties window is shown in the figure.
These are the four tabs in the WMI Control Properties window:
- General – Summary information about the local computer and WMI
- Backup/Restore – Allows manual backup of statistics gathered by WMI
- Security – Settings to configure who has access to different WMI statistics
- Advanced – Settings to configure the default namespace for WMI
Some attacks today use WMI to connect to remote systems, modify the registry, and run commands. WMI helps attackers avoid detection because WMI traffic is common and is most often trusted by network security devices, and remote WMI commands do not usually leave evidence on the remote host. Because of this, WMI access should be strictly limited.
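One place a defender can look for WMI being used against a host is the set of permanent event subscriptions, which survive reboots and run their consumer with SYSTEM privileges. The following is an added example, not code from the original article: it enumerates the filters, consumers and bindings in the root\subscription namespace using the CIM cmdlets and shows, for each binding, the WQL query that triggers it and any command line or script it would run. It assumes an elevated prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original article): list WMI permanent event
# subscriptions on the local host. Run from an elevated PowerShell prompt.

$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
# Several consumer classes exist; the two below are the ones that execute
# code, so they get the closest look. Others (e.g. NTEventLogEventConsumer)
# are still reported through the binding's class name.
$consumers = @(
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
)

if (-not $bindings) {
    Write-Output "No filter-to-consumer bindings found in $ns."
}
else {
    foreach ($b in $bindings) {
        # Filter and Consumer are reference properties; with the CIM cmdlets
        # they arrive as CimInstance objects carrying the key (Name) and the
        # referenced class name.
        $filterName    = $b.Filter.Name
        $consumerName  = $b.Consumer.Name
        $consumerClass = $b.Consumer.CimSystemProperties.ClassName

        $filter   = $filters   | Where-Object Name -eq $filterName
        $consumer = $consumers | Where-Object Name -eq $consumerName

        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                   elseif ($consumer.ExecutablePath)    { $consumer.ExecutablePath }
                   elseif ($consumer.ScriptText)        { $consumer.ScriptText }
                   else { '(no command/script payload in this consumer class)' }

        [pscustomobject]@{
            Filter        = $filterName
            Query         = $filter.Query          # WQL event query that triggers the consumer
            ConsumerClass = $consumerClass
            Consumer      = $consumerName
            Payload       = $payload
        }
    }
}
```

A clean Windows install normally carries one binding (the "SCM Event Log" filter and consumer). Anything beyond that, especially a CommandLineEventConsumer or ActiveScriptEventConsumer, deserves to be explained by a known management tool or investigated.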
The net Command
Windows has many commands that can be entered at the command line. One important command is the net command, which is used in the administration and maintenance of the OS. The net command supports many subcommands that follow the net command and can be combined with switches to focus on specific output.
To see a list of the many net commands, type net help at the command prompt. The command output shows the commands that the net command can use. To see verbose help about any one of them, type net help followed by the subcommand name (for example, net help share), as shown below.

```text
C:\> net help
The syntax of this command is:

NET HELP
command
     -or-
NET command /HELP

   Commands available are:

   NET ACCOUNTS             NET HELPMSG              NET STATISTICS
   NET COMPUTER             NET LOCALGROUP           NET STOP
   NET CONFIG               NET PAUSE                NET TIME
   NET CONTINUE             NET SESSION              NET USE
   NET FILE                 NET SHARE                NET USER
   NET GROUP                NET START                NET VIEW
   NET HELP

   NET HELP NAMES explains different types of names in NET HELP syntax lines.
   NET HELP SERVICES lists some of the services you can start.
   NET HELP SYNTAX explains how to read NET HELP syntax lines.
   NET HELP command | MORE displays Help one screen at a time.

C:\>
```
The table lists some common net commands.
| Command | Description |
| --- | --- |
| net accounts | Sets password and logon requirements for users |
| net session | Lists or disconnects sessions between a computer and other computers on the network |
| net share | Creates, removes, or manages shared resources |
| net start | Starts a network service or lists running network services |
| net stop | Stops a network service |
| net use | Connects, disconnects, and displays information about shared network resources |
| net view | Shows a list of computers and network devices on the network |
Task Manager and Resource Monitor
There are two very important and useful tools to help an administrator to understand the many different applications, services, and processes that are running on a Windows computer. These tools also provide insight into the performance of the computer, such as CPU, memory, and network usage. These tools are especially useful when investigating a problem where malware is suspected. When a component is not performing the way that it should be, these tools can be used to determine what the problem might be.
The Task Manager, which is shown in the figure, provides a lot of information about the software that is running and the general performance of the computer.
The table describes the seven tabs in the Task Manager.
| Task Manager Tabs | Description |
| --- | --- |
When more detailed information about resource usage is needed, you can use the Resource Monitor, as shown in the figure.
When searching for the reason a computer may be acting erratically, the Resource Monitor can help to find the source of the problem.
The table describes the five tabs of the Resource Monitor.
| Resource Monitor Tabs | Description |
| --- | --- |
| Disk | All of the processes that are using a disk are shown in this tab, with read/write statistics and an overview of each storage device. |
Network and Sharing Center
One of the most important features of any operating system is the ability for the computer to connect to a network. Without this feature, there is no access to network resources or the internet. To configure Windows networking properties and test networking settings, the Network and Sharing Center is used. The easiest way to run this tool is to search for it and click it. Use the Network and Sharing Center to verify or create network connections, configure network sharing, and change network adapter settings.
The initial view shows an overview of the active network. This view shows whether there is internet access and whether the network is private, public, or guest. The type of network, either wired or wireless, is also shown. From this window, you can see the HomeGroup the computer belongs to, or create one if it is not already part of a HomeGroup. This tool can also be used to change adapter settings, change advanced sharing settings, set up a new connection, or troubleshoot problems. Note that HomeGroup was removed from Windows 10 in version 1803.
Change Adapter Settings
To configure a network adapter, choose Change adapter settings in the Network and Sharing Center to show all of the network connections that are available. Select the adapter that you want to configure. In this case, we change an Ethernet adapter to acquire its IPv4 address automatically from the network.
Right-click the adapter you wish to configure and choose Properties, as shown in the figure.
nslookup and netstat
Domain Name System (DNS) should also be tested because it is essential for finding the address of a host by translating a name, such as the host name in a URL, into an IP address. Use the nslookup command to test DNS. Type nslookup cisco.com at the command prompt to find the address of the Cisco web server. When the address is returned, you know that DNS is functioning correctly. You can also check which ports are open, where they are connected, and what their current status is. Type netstat at the command line to see details of active network connections, as shown in the command output. The netstat command will be examined further later in this module.

```text
C:\Users\USER>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:3030         USER-VGFFA:58652       ESTABLISHED
  TCP    127.0.0.1:3030         USER-VGFFA:62114       ESTABLISHED
  TCP    127.0.0.1:3030         USER-VGFFA:62480       TIME_WAIT
  TCP    127.0.0.1:3030         USER-VGFFA:62481       TIME_WAIT
  TCP    127.0.0.1:3030         USER-VGFFA:62484       TIME_WAIT
```
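Task Manager, Resource Monitor and netstat each show one slice of the picture; when malware is suspected, the useful question is which process and which executable own a given socket. The following is an added example, not code from the original article, that joins Get-NetTCPConnection with Get-Process to answer that in one view and then lists the heaviest processes by CPU time. It assumes the built-in NetTCPIP module (Windows 8 / Server 2012 and later) and an elevated prompt so the executable path of processes owned by other users can be read.

```powershell
# Added example (not from the original article): correlate TCP sockets with
# their owning process and executable, then show top CPU consumers.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

# Process table keyed by PID so each connection is resolved once.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$conns = Get-NetTCPConnection -State Listen, Established | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    [pscustomobject]@{
        State      = $_.State
        Local      = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
        Remote     = if ($_.State -eq 'Listen') { '-' } else { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }
        PID        = $_.OwningProcess
        Process    = if ($p) { $p.ProcessName } else { '(exited)' }
        Path       = if ($p) { $p.Path } else { $null }   # $null when access is denied
        CPUSeconds = if ($p -and $p.CPU) { [math]::Round($p.CPU, 1) } else { 0 }
    }
}

# 1. Listening sockets bound to a non-loopback address are reachable from
#    the network (0.0.0.0 and :: mean every interface).
Write-Output 'Listeners reachable from the network:'
$conns |
    Where-Object { $_.State -eq 'Listen' -and $_.Local -notmatch '^(127\.|::1:)' } |
    Sort-Object Local |
    Format-Table State, Local, PID, Process, Path -AutoSize

# 2. Established connections to peers other than this host, per process,
#    i.e. which programs are currently talking to the outside.
Write-Output 'Established connections to remote hosts:'
$conns |
    Where-Object { $_.State -eq 'Established' -and $_.Remote -notmatch '^(127\.|::1:)' } |
    Sort-Object Process, Remote |
    Format-Table Process, PID, Local, Remote, CPUSeconds -AutoSize

# 3. The Resource Monitor question: which processes are using the most CPU
#    time and working-set memory right now.
Write-Output 'Top 10 processes by CPU time:'
Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 10 Name, Id,
        @{ n = 'CPU(s)';       e = { [math]::Round($_.CPU, 1) } },
        @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } } |
    Format-Table -AutoSize
```

A process with no Path column is one whose token the current session could not open, which on an elevated prompt is usually a protected system process; a process shown as "(exited)" ended between the two snapshots, which is normal for short-lived connections.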
Accessing Network Resources
Like other operating systems, Windows uses networking for many different applications such as web, email, and file services. Originally developed by IBM, Microsoft aided in the development of the Server Message Block (SMB) protocol to share network resources. SMB is mostly used for accessing files on remote hosts. The Universal Naming Convention (UNC) format is used to connect to resources, for example: \\servername\sharename\file
In the UNC, servername is the server that is hosting the resource. This can be a DNS name, a NetBIOS name, or simply an IP address. The sharename is the root of the folder in the file system on the remote host, while the file is the resource that the local host is trying to find. The file may be deeper within the file system and this hierarchy will need to be indicated.
When sharing resources on the network, the area of the file system that will be shared will need to be identified. Access control can be applied to the folders and files to restrict users and groups to specific functions such as read, write, or deny. There are also special shares that are automatically created by Windows. These shares are called administrative shares. An administrative share is identified by the dollar sign ($) that comes after the share name. Each disk volume has an administrative share, represented by the volume letter and the $ such as C$, D$, or E$. The Windows installation folder is shared as admin$, the printers’ folder is shared as print$, and there are other administrative shares that can be connected. Only users with administrative privileges can access these shares.
The easiest way to connect to a share is to type the UNC of the share into the Windows File Explorer, in the box at the top of the screen which shows the breadcrumb listing of the current file system location. When Windows tries to connect to the share, you will be asked to provide credentials for accessing the resource. Remember that because the resource is on a remote computer, the credentials need to be for the remote computer, not the local computer.
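The net share command above and the discussion of administrative shares both come down to the same question for a defender: what is this host sharing, and to whom. The following is an added example, not code from the original article, that inventories the local SMB shares with the SmbShare cmdlets (the PowerShell counterpart of net share), separates the automatic administrative shares from user-created ones, and flags share permissions granted to broad principals such as Everyone. It assumes the built-in SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example (not from the original article): inventory SMB shares and
# their share-level permissions. Run from an elevated PowerShell prompt.

# Broad principals that should not normally appear with Allow on a share ACL
# of a share that holds anything sensitive.
$broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users', 'Users')

Get-SmbShare | ForEach-Object {
    $share = $_
    # One entry per ACE: AccountName, AccessControlType (Allow/Deny) and
    # AccessRight (Full, Change, Read).
    $acl = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue

    $broad = $acl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals -contains ($_.AccountName -replace '^.*\\', ''))   # strip DOMAIN\ or BUILTIN\
    }

    [pscustomobject]@{
        Share       = $share.Name
        Path        = $share.Path
        # Windows marks the shares it creates itself (C$, ADMIN$, IPC$, ...)
        # with the Special flag; their names end in $.
        Type        = if ($share.Special) { 'administrative' } else { 'user-defined' }
        ACEs        = ($acl | ForEach-Object { '{0}:{1}:{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight }) -join '; '
        BroadAccess = if ($broad) { ($broad.AccountName | Sort-Object -Unique) -join ', ' } else { '' }
    }
} | Sort-Object Type, Share | Format-Table -AutoSize -Wrap
```

Share permissions are only half of the access decision: the NTFS permissions on the folder also apply, and the effective right is the more restrictive of the two. A share created from the GUI gets Everyone:Read at the share level by default, so a BroadAccess entry is a prompt to check the folder ACL, not by itself a finding.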
Besides accessing shares on remote hosts, you can also log in to a remote host and manipulate that computer, as if it were local, to make configuration changes, install software, or troubleshoot an issue. In Windows, this feature uses the Remote Desktop Protocol (RDP). When investigating security incidents, a security analyst uses RDP often to access remote computers. To start RDP and connect to a remote computer, search for remote desktop and click the application. The Remote Desktop Connection window is shown in the figure.
Because RDP is designed to permit remote users to control individual hosts, it is a natural target for threat actors. Care should be taken when activating RDP, especially on unpatched legacy versions of Windows such as those still found in industrial control systems. Exposure of RDP to the internet should be limited, and security approaches and access control policies, such as Zero Trust, should be used to limit access to internal hosts.
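The precautions in the paragraph above can be verified on a host rather than assumed. The following is an added example, not code from the original article: it reads the Terminal Services registry values that control whether RDP is enabled, whether Network Level Authentication is required, and the minimum encryption level, and checks which inbound "Remote Desktop" firewall rules are enabled per network profile. The registry paths and value names are the documented Terminal Services settings; the NetSecurity firewall cmdlets are built in on Windows 8 / Server 2012 and later. Run from an elevated prompt.

```powershell
# Added example (not from the original article): check local RDP hardening.
# Run from an elevated PowerShell prompt.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value or key does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# fDenyTSConnections: 1 = RDP disabled (default), 0 = RDP enabled.
$deny = Get-RegValue $ts 'fDenyTSConnections'
$findings += [pscustomobject]@{
    Check  = 'RDP enabled'
    Value  = if ($deny -eq 0) { 'yes' } else { 'no' }
    Status = if ($deny -eq 0) { 'review: is remote control of this host required?' } else { 'ok' }
}

# UserAuthentication: 1 = Network Level Authentication required (caller must
# authenticate before a session is created), 0 = legacy logon screen.
$nla = Get-RegValue $tcp 'UserAuthentication'
$findings += [pscustomobject]@{
    Check  = 'NLA required'
    Value  = if ($nla -eq 1) { 'yes' } else { 'no' }
    Status = if ($nla -eq 1) { 'ok' } else { 'weak: require Network Level Authentication' }
}

# MinEncryptionLevel: 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS.
$enc = Get-RegValue $tcp 'MinEncryptionLevel'
$findings += [pscustomobject]@{
    Check  = 'Minimum encryption level'
    Value  = if ($null -eq $enc) { '(not set)' } else { $enc }
    Status = if ($enc -ge 3) { 'ok' } else { 'weak: set High (3) or FIPS (4)' }
}

# Firewall: inbound rules in the built-in "Remote Desktop" group that are
# enabled. Rules active on the Public profile expose RDP on untrusted networks.
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$publicOpen = $fw | Where-Object { "$($_.Profile)" -match 'Public|Any' }
$findings += [pscustomobject]@{
    Check  = 'Inbound RDP firewall rules enabled'
    Value  = if ($fw) { ($fw | ForEach-Object { '{0} [{1}]' -f $_.DisplayName, $_.Profile }) -join '; ' } else { 'none' }
    Status = if ($publicOpen) { 'review: RDP allowed on the Public profile' } else { 'ok' }
}

$findings | Format-Table -AutoSize -Wrap
```

When a value reads "(not set)", the setting may be coming from Group Policy instead; domain-applied RDP settings live under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and take precedence over the local values read here.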
Most Windows installations are performed as desktop installations on desktops and laptops. There is another edition of Windows that is mainly used in data centers called Windows Server. This is a family of Microsoft products that began with Windows Server 2003. Windows Server hosts many different services and can fulfill different roles within a company.
Note: Although there is a Windows Server 2000, it is considered a client version of Windows NT 5.0. Windows Server 2003 is a server based on NT 5.2 and begins a new family of Windows Server versions.
These are some of the services that Windows Server provides:
- Network Services – DNS, DHCP, Terminal services, Network Controller, and Hyper-V Network virtualization
- File Services – SMB, NFS, and DFS
- Web Services – FTP, HTTP, and HTTPS
- Management – Group policy and Active Directory domain services control
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.