Facts About Windows Configuration And Monitoring

Windows Configuration And Monitoring
>Facts About Windows Configuration And Monitoring

 

 

 

In this article, I want to talk about some of the Windows configuration and tools that you need to be aware of. Follow me as we are going to look at that in this article. 

Run as Administrator

As a security best practice, it is not advisable to log on to Windows using the Administrator account or an account with administrative privileges. This is because any program that is executed while logged on with those privileges will inherit administrative privileges. Malware that has administrative privileges has full access to all the files and folders on the computer.

Sometimes, it is necessary to run or install software that requires the privileges of the Administrator. To accomplish this, there are two different ways to install it.

Administrator
Administrator Command Prompt

Right-click the command in the Windows File Explorer and choose Run as Administrator from the Context Menu.

The figure shows the Run as administrator option for opening a program by right+clicking on a file, and choosing the Run as administrator sub-menu option.
3.3.2

Local Users and Domains

When you start a new computer for the first time, or you install Windows, you will be prompted to create a user account. This is known as a local user. This account will contain all of your customization settings, access permissions, file locations, and many other user-specific data. There are also two other accounts that are present, the guest, and the administrator. Both of these accounts are disabled by default.

As a security best practice, do not enable the Administrator account and do not give standard users administrative privileges. If a user needs to perform any function that requires administrative privileges, the system will ask for the Administrator password and allow only that task to be performed as an administrator. Requiring the administrator password protects the computer by preventing any software that is not authorized from installing, executing, or accessing files.

The Guests account should not be enabled. The guest account does not have a password associated with it because it is created when a computer is going to be used by many different people who do not have accounts on the computer. Each time the guest account logs on, a default environment is provided to them with limited privileges.

To make administration of users easier, Windows uses groups. A group will have a name and a specific set of permissions associated with it. When a user is placed into a group, the permissions of that group are given to that user. A user can be placed into multiple groups to be provided with many different permissions. When the permissions overlap, certain permissions, like “explicitly deny” will override the permission provided by a different group. There are many different user groups built into Windows that are used for specific tasks. For example, the Performance Log Users group allows members to schedule logging of performance counters and collect logs either locally or remotely. Local users and groups are managed with the lusrmgr.msc control panel applet, as shown in the figure.

The figure shows the graphical interface for lusrmgr.msc, the Local User and Groups Microsoft management console utility.

In addition to groups, Windows can also use domains to set permissions. A domain is a type of network service where all of the users, groups, computers, peripherals, and security settings are stored on and controlled by a database. This database is stored on special computers or groups of computers called domain controllers (DCs). Each user and computer on the domain must authenticate against the DC to logon and access network resources. The security settings for each user and each computer are set by the DC for each session. Any setting supplied by the DC defaults to the local computer or user account setting.

3.3.3

CLI and PowerShell

The Windows command line interface (CLI) can be used to run programs, navigate the file system, and manage files and folders. In addition, files called batch files can be created to execute multiple commands in succession, much like a basic script.

To open the Windows CLI, search for cmd.exe and click the program. Remember that right-clicking the program provides the option to Run as administrator, giving much more power to the commands that will be used.

The prompt displays the current location within the file system. These are a few things to remember when using the CLI:

  • The file names and paths are not case-sensitive, by default.
  • Storage devices are assigned a letter for reference. The drive letter is followed by a colon and backslash (\). This indicates the root, or highest level, of the device. The folder and file hierarchy on the device is indicated by separating them with the backslash. For example, the path C:\Users\Jim\Desktop\file.txt refers to a file called file.txt that is in the Desktop folder within the Jim folder within the Users folder at the root of drive C:.
  • Commands that have optional switches use the forward-slash (/) to delineate between the command and the switch option.
  • You can use the Tab key to auto-complete commands when directories or files are referenced.
  • Windows keeps a history of the commands that were entered during a CLI session. Access previously entered commands by using the up and down arrow keys.
  • To switch between storage devices, type the letter of the device, followed by a colon, and then press Enter.

Even though the CLI has many commands and features, it cannot work together with the core of Windows or the GUI. Another environment, called the Windows PowerShell, can be used to create scripts to automate tasks that the regular CLI is unable to create. PowerShell also provides a CLI for initiating commands. PowerShell is an integrated program within Windows and can be opened by searching for “powershell” and clicking the program. Like the CLI, PowerShell can also be run with administrative privileges.

These are the types of commands that PowerShell can execute:

  • cmdlets – These commands perform an action and return an output or object to the next command that will be executed.
  • PowerShell scripts – These are files with a .ps1 extension that contain PowerShell commands that are executed.
  • PowerShell functions – These are pieces of code that can be referenced in a script.

To see more information about Windows PowerShell and get started using it, type help in PowerShell, as shown in the command output.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\WINDOWS\system32> help
TOPIC
    Windows PowerShell Help System
SHORT DESCRIPTION
    Displays help about Windows PowerShell cmdlets and concepts.
LONG DESCRIPTION
    Windows PowerShell Help describes Windows PowerShell cmdlets,
    functions, scripts, and modules, and explains concepts, including
    the elements of the Windows PowerShell language.
    Windows PowerShell does not include help files, but you can read the
    help topics online, or use the Update-Help cmdlet to download help files
    to your computer and then use the Get-Help cmdlet to display the help
    topics at the command line.
    You can also use the Update-Help cmdlet to download updated help files
    as they are released so that your local help content is never obsolete.
    Without help files, Get-Help displays auto-generated help for cmdlets,
    functions, and scripts.
  ONLINE HELP
    You can find help for Windows PowerShell online in the TechNet Library
    beginning at http://go.microsoft.com/fwlink/?LinkID=108518.
    To open online help for any cmdlet or function, type:
        Get-Help <cmdlet-name> -Online
  UPDATE-HELP
    To download and install help files on your computer:
       1. Start Windows PowerShell with the "Run as administrator" option.
       2. Type:
          Update-Help
    After the help files are installed, you can use the Get-Help cmdlet to
    display the help topics. You can also use the Update-Help cmdlet to
    download updated help files so that your local help files are always
    up-to-date.
    For more information about the Update-Help cmdlet, type:
       Get-Help Update-Help -Online
-- More  --

There are four levels of help in Windows PowerShell:

  • get-help PS command – Displays basic help for a command
  • get-help PS command [-examples] – Displays basic help for a command with examples
  • get-help PS command [-detailed] – Displays detailed help for a command with examples
  • get-help PS command [-full] – Displays all help information for a command with examples in greater depth

Windows Management Instrumentation

Windows Management Instrumentation (WMI) is used to manage remote computers. It can retrieve information about computer components, hardware and software statistics, and monitor the health of remote computers. To open the WMI control from the Control Panel, double-click Administrative Tools > Computer Management to open the Computer Management window, expand the Services and Applications tree and right-click the WMI Control icon > Properties.

The WMI Control Properties window is shown in the figure.

The figure shows the WMI Control Properties window within the Computer Management > Services and Applications control panel applet.

These are the four tabs in the WMI Control Properties window:

  • General – Summary information about the local computer and WMI
  • Backup/Restore – Allows manual backup of statistics gathered by WMI
  • Security – Settings to configure who has access to different WMI statistics
  • Advanced – Settings to configure the default namespace for WMI

Some attacks today use WMI to connect to remote systems, modify the registry, and run commands. WMI helps them to avoid detection because it is common traffic, most often trusted by the network security devices and the remote WMI commands do not usually leave evidence on the remote host. Because of this, WMI access should be strictly limited.

The net Command

Windows has many commands that can be entered at the command line. One important command is the net command, which is used in the administration and maintenance of the OS. The net command supports many subcommands that follow the net command and can be combined with switches to focus on specific output.

To see a list of the many net commands, type net help at the command prompt. The command output shows the commands that the net command can use. To see verbose help about any of the net commands, type C:\> net help, as shown below.

C:\> net help
The syntax of this command is:
NET HELP
command
     -or-
NET command /HELP
  Commands available are:
  NET ACCOUNTS             NET HELPMSG              NET STATISTICS
  NET COMPUTER             NET LOCALGROUP           NET STOP
  NET CONFIG               NET PAUSE                NET TIME
  NET CONTINUE             NET SESSION              NET USE
  NET FILE                 NET SHARE                NET USER
  NET GROUP                NET START                NET VIEW
  NET HELP
  NET HELP NAMES explains different types of names in NET HELP syntax lines.
  NET HELP SERVICES lists some of the services you can start.
  NET HELP SYNTAX explains how to read NET HELP syntax lines.
  NET HELP command | MORE displays Help one screen at a time.
C:\>

The table lists some common net commands.

Command Description
net accounts Sets password and logon requirements for users
net session Lists or disconnects sessions between a computer and other computers on the network
net share Creates, removes, or manages shared resources
net start Starts a network service or lists running network services
net stop Stops a network service
net use Connects, disconnects, and displays information about shared network resources
net view Shows a list of computers and network devices on the network

Task Manager and Resource Monitor

There are two very important and useful tools to help an administrator to understand the many different applications, services, and processes that are running on a Windows computer. These tools also provide insight into the performance of the computer, such as CPU, memory, and network usage. These tools are especially useful when investigating a problem where malware is suspected. When a component is not performing the way that it should be, these tools can be used to determine what the problem might be.

Task Manager

The Task Manager, which is shown in the figure, provides a lot of information about the software that is running and the general performance of the computer.

The figure shows the Windows Task Manager graphical interface.

The table describes the seven tabs in the Task Manager.

Task Manager Tabs Description
Processes
  • Lists all of the programs and processes that are currently running.
  • Displays the CPU, memory, disk, and network utilization of each process.
  • The properties of a process can be examined or ended if it is not behaving properly or has stalled.
Performance
  • A view of all the performance statistics provides a useful overview of the CPU, memory, disk, and network performance.
  • Clicking each item in the left pane will show detailed statistics of that item in the right pane.
App history
  • The use of resources by application over time provides insight into applications that are consuming more resources than they should.
  • Click Options and Show history for all processes to see the history of every process that has run since the computer was started.
Startup
  • All of the applications and services that start when the computer is booted are shown in this tab.
  • To disable a program from starting at startup, right-click the item and choose Disable.
Users
  • All of the users that are logged on to the computer are shown in this tab.
  • Also shown are all the resources that each user’s applications and processes are using.
  • From this tab, an administrator can disconnect a user from the computer.
Details
  • Similar to the Processes tab, this tab provides additional management options for processes such as setting a priority to make the processor devote more or less time to a process.
  • CPU affinity can also be set which determines which core or CPU a program will use.
  • Also, a useful feature called Analyze wait chain shows any process for which another process is waiting.
  • This feature helps to determine if a process is simply waiting or is stalled.
Services
  • All the services that are loaded are shown in this tab.
  • The process ID (PID) and a short description are also shown along with the status of either Running or Stopped.
  • At the bottom, there is a button to open the Services console which provides additional management of services.

Resource Monitor

When more detailed information about resource usage is needed, you can use the Resource Monitor, as shown in the figure.

The figure shows the Windows Resource Monitor graphical interface.

When searching for the reason a computer may be acting erratically, the Resource Monitor can help to find the source of the problem.

The table describes the five tabs of the Resource Monitor.

Resource Monitor Tabs Description
Overview
  • The tab displays the general usage for each resource.
  • If you select a single process, it will be filtered across all of the tabs to show only that process’s statistics.
CPU
  • The PID, number of threads, which CPU the process is using, and the average CPU usage of each process is shown.
  • Additional information about any services that the process relies on, and the associated handles and modules can be seen by expanding the lower rows.
Memory
  • All of the statistical information about how each process uses memory is shown in this tab.
  • Also, an overview of usage of all the RAM is shown below the Processes row.
Disk All of the processes that are using a disk are shown in this tab, with read/write statistics and an overview of each storage device.
Network
  • All of the processes that are using the network are shown in this tab, with read/write statistics.
  • Most importantly, the current TCP connections are shown, along with all of the ports that are listening.
  • This tab is very useful when trying to determine which applications and processes are communicating over the network.
  • It makes it possible to tell if an unauthorized process is accessing the network, listening for a communication, and the address with which it is communicating.
3.3.7

Networking

One of the most important features of any operating system is the ability for the computer to connect to a network. Without this feature, there is no access to network resources or the internet. To configure Windows networking properties and test networking settings, the Network and Sharing Center is used. The easiest way to run this tool is to search for it and click it. Use the Network and Sharing Center to verify or create network connections, configure network sharing, and change network adapter settings.

Network and Sharing Center

The figure shows the Network and Sharing Center control panel utility graphical interface.

The initial view shows an overview of the active network. This view shows whether there is internet access and if the network is private, public, or guest. The type of network, either wired or wireless, is also shown. From this window, you can see the HomeGroup the computer belongs to, or create one if it is not already part of a HomeGroup. This tool can also be used to change adapter settings, change advance sharing settings, set up a new connection, or troubleshoot problems. Note that HomeGroup was removed from Windows 10 in version 1803.

Change Adapter Settings

To configure a network adapter, choose Change adapter settings in the Networking and Sharing Center to show all of the network connections that are available. Select the adapter that you want to configure. In this case, we change an Ethernet adapter to acquire its IPv4 address automatically from the network.

1. Access Adapter Properties
2. Access TCP/IPv4 properties
3. Change settings

Right-click the adapter you wish to configure and choose Properties, as shown in the figure.

The figure shows how to access network adapter properties by right+clicking on an Ethernet network interface within the Network Connections control panel utility.

nslookup and netstat

Domain Name System (DNS) should also be tested because it is essential to finding the address of hosts by translating it from a name, such as a URL. Use the nslookup command to test DNS. Type nslookup cisco.com at the command prompt to find the address of the Cisco webserver. When the address is returned, you know that DNS is functioning correctly. You can also check to see what ports are open, where they are connected, and what their current status is. Type netstat at the command line to see details of active network connections, as shown in the command output. The netstat command will be examined further later in this module.

C:\Users\USER>netstat

Active Connections

  Proto  Local Address          Foreign Address      State
  TCP    127.0.0.1:3030         USER-VGFFA:58652   ESTABLISHED
  TCP    127.0.0.1:3030         USER-VGFFA:62114   ESTABLISHED
  TCP    127.0.0.1:3030         USER-VGFFA:62480   TIME_WAIT
  TCP    127.0.0.1:3030         USER-VGFFA:62481   TIME_WAIT
  TCP    127.0.0.1:3030         USER-VGFFA:62484   TIME_WAIT
3.3.8

Accessing Network Resources

Like other operating systems, Windows uses networking for many different applications such as web, email, and file services. Originally developed by IBM, Microsoft aided in the development of the Server Message Block (SMB) protocol to share network resources. SMB is mostly used for accessing files on remote hosts. The Universal Naming Convention (UNC) format is used to connect to resources, for example:

\\servername\sharename\file

In the UNC, servername is the server that is hosting the resource. This can be a DNS name, a NetBIOS name, or simply an IP address. The sharename is the root of the folder in the file system on the remote host, while the file is the resource that the local host is trying to find. The file may be deeper within the file system and this hierarchy will need to be indicated.

When sharing resources on the network, the area of the file system that will be shared will need to be identified. Access control can be applied to the folders and files to restrict users and groups to specific functions such as read, write, or deny. There are also special shares that are automatically created by Windows. These shares are called administrative shares. An administrative share is identified by the dollar sign ($) that comes after the share name. Each disk volume has an administrative share, represented by the volume letter and the $ such as C$, D$, or E$. The Windows installation folder is shared as admin$, the printers’ folder is shared as print$, and there are other administrative shares that can be connected. Only users with administrative privileges can access these shares.

The easiest way to connect to a share is to type the UNC of the share into the Windows File Explorer, in the box at the top of the screen which shows the breadcrumb listing of the current file system location. When Windows tries to connect to the share, you will be asked to provide credentials for accessing the resource. Remember that because the resource is on a remote computer, the credentials need to be for the remote computer, not the local computer.

Besides accessing shares on remote hosts, you can also log in to a remote host and manipulate that computer, as if it were local, to make configuration changes, install software, or troubleshoot an issue. In Windows, this feature uses the Remote Desktop Protocol (RDP). When investigating security incidents, a security analyst uses RDP often to access remote computers. To start RDP and connect to a remote computer, search for remote desktop and click the application. The Remote Desktop Connection window is shown in the figure.

Because RDP is designed to permit remote users to control individual hosts, it is a natural target for threat actors. Care should be taken when activating RDP, especially on unpatched legacy versions of Windows such as those that are still found in industrial control systems. Care should be taken to limit the exposure of RDP to the internet, and security approaches and access control policies, such as Zero Trust, should be used to limit access to internal hosts.

The figure shows the Remote Desktop Connection client application window.

Windows Server

Most Windows installations are performed as desktop installations on desktops and laptops. There is another edition of Windows that is mainly used in data centers called Windows Server. This is a family of Microsoft products that began with Windows Server 2003. Windows Server hosts many different services and can fulfill different roles within a company.

Note: Although there is a Windows Server 2000, it is considered a client version of Windows NT 5.0. Windows Server 2003 is a server based on NT 5.2 and begins a new family of Windows Server versions.

These are some of the services that Windows Server provides:

  • Network Services – DNS, DHCP, Terminal services, Network Controller, and Hyper-V Network virtualization
  • File Services – SMB, NFS, and DFS
  • Web Services – FTP, HTTP, and HTTPS
  • Management – Group policy and Active Directory domain services control

Action Point

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

Download Our App.

Follow Us On Telegram
       
CEHNigeria On Google Playstore
     

 

GET SEOPOZ . OUTSMART YOUR BLOG COMPETITORS
            

 

Join Our Whatsapp Group

Follow Us On Twitter and I will Follow Back

             

Follow Us On Twitter

Kindly follow me on Twitter and I promise I will follow back. Aside you will get updated when we post new articles.

About Adeniyi Salau 734 Articles
I am an IT enthusiast and a man of many parts. I am a Certified Digital Marketer, Project Manager and a Real Estate Consultant. I love writing because that's what keeps me going. I am running this blog to share what I know with others. I am also a Superlife Stem Cell Distributor. Our Stem Cell Products can cure many ailments.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


CommentLuv badge