Network Security Infrastructure PDF
Document Details
2020
Summary
This document is a transcript of Cisco Endpoint Security (ESec) course slides. It provides an overview of network security infrastructure components, such as firewalls and intrusion prevention/detection systems, and describes their functions, characteristics, limitations, and benefits. It discusses common firewall architectures and types, examines host-based and network-based intrusion prevention systems, and covers the network services that support security operations (ACLs, SNMP, NetFlow, port mirroring, syslog, NTP, AAA, and VPNs). The transcript continues into the first part of a module on the Windows operating system (history, GUI, common security recommendations, architecture, and file systems). The material is geared toward a network security course or module.
Full Transcript
Module 6: Network Security Infrastructure
Endpoint Security (ESec)

Module Objectives
Module Title: Network Security Infrastructure
Module Objective: Explain how devices and services are used to enhance network security.

Topic Title: Security Devices
Topic Objective: Explain how specialized devices are used to enhance network security.
Topic Title: Security Services
Topic Objective: Explain how network services enhance network security.

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

6.1 Security Devices

Security Devices: Firewalls
A firewall is a system, or group of systems, that enforces an access control policy between networks.

Common firewall properties:
- Firewalls are resistant to network attacks.
- Firewalls are the only transit point between internal corporate networks and external networks, because all traffic flows through the firewall.
- Firewalls enforce the access control policy.

Firewall benefits:
- They prevent the exposure of sensitive hosts, resources, and applications to untrusted users.
- They sanitize protocol flow, which prevents the exploitation of protocol flaws.
- They block malicious data from servers and clients.
- They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network.

Security Devices: Firewalls (Cont.)
Firewall limitations:
- A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
- The data from many applications cannot be passed over firewalls securely.
- Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
- Network performance can slow down.
- Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

Security Devices: Common Security Architectures
Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic. Three common firewall designs are private and public, demilitarized zone (DMZ), and zone-based policy firewalls (ZPFs).

Private and Public
The public network (or outside network) is untrusted, and the private network (or inside network) is trusted. Typically, a firewall with two interfaces is configured as follows:
- Traffic originating from the private network is permitted and inspected as it travels toward the public network.
- Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
- Traffic originating from the public network and traveling to the private network is generally blocked.

Demilitarized Zone (DMZ)
A firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network, and one DMZ interface for hosts that must be reachable from outside (public web, mail, or DNS servers). A typical firewall DMZ configuration:
- Traffic originating from the private network is inspected as it travels toward the public network or the DMZ, and the associated return traffic is permitted.
- Traffic originating from the DMZ and traveling to the private network is usually blocked, so a compromised DMZ host cannot reach inside.
- Traffic originating from the DMZ and traveling to the public network is selectively permitted based on service requirements.
- Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected (for example, HTTP to the public web server); the return traffic from the DMZ to the public network is permitted.
- Traffic originating from the public network and traveling to the private network is blocked.

Zone-Based Policy Firewalls (ZPFs)
ZPFs use zones to provide additional flexibility. A zone is a group of one or more interfaces that have similar functions or features.
Zones are used to specify where a Cisco IOS firewall rule or policy should be applied. In the figure, the security policies for LAN 1 and LAN 2 are similar, so their interfaces can be grouped into a single zone for the firewall. Traffic between interfaces in the same zone is not subject to any policy and passes freely. By default, all zone-to-zone traffic is blocked; to permit traffic between two zones, a policy that allows or inspects that traffic must be configured. The only exception to this default deny policy is the router self zone (traffic to and from the router itself), which is permitted unless a policy for it is configured.

Security Devices: Firewall Type Descriptions
Four common types of firewalls are:

Packet Filtering (Stateless) Firewall
  Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information. They are stateless: each packet is evaluated on its own, with no memory of earlier packets.
Stateful Firewall
  Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. They analyze traffic at OSI Layers 3 through 5.
Application Gateway Firewall
  An application gateway firewall (proxy firewall) filters information at Layers 3, 4, 5, and 7 of the OSI model. Most of the firewall control and filtering is done in software.
Next Generation Firewall (NGFW)
  Next-generation firewalls go beyond stateful firewalls by providing integrated intrusion prevention, application awareness and control, upgrade paths to include future information feeds, and techniques to address evolving security threats.

Firewall Type Descriptions (Cont.)
Other methods of implementing firewalls include:
- Host-based (server and personal) firewall: a PC or server with firewall software running on it.
- Transparent firewall: filters IP traffic between a pair of bridged interfaces.
- Hybrid firewall: a combination of the various firewall types.
Security Devices: Intrusion Prevention and Detection Devices
Common characteristics of intrusion detection systems (IDS) and intrusion prevention systems (IPS):
- Both technologies are deployed as sensors in the form of several different devices:
  - A router configured with Cisco IOS IPS software
  - A device specifically designed to provide dedicated IDS or IPS services
  - A network module installed in an adaptive security appliance (ASA), switch, or router
- Both technologies use signatures to detect patterns of misuse in network traffic. A signature is a set of rules that an IDS or IPS uses to detect malicious activity.
- Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).

Security Devices: Advantages and Disadvantages of IDS and IPS
IDS
  Advantages:
  - No impact on network (latency, jitter)
  - No network impact if there is a sensor failure
  - No network impact if there is sensor overload
  Disadvantages:
  - Response action cannot stop trigger packets
  - Correct tuning required for response actions
  - More vulnerable to network security evasion techniques
IPS
  Advantages:
  - Stops trigger packets
  - Can use stream normalization techniques
  Disadvantages:
  - Sensor issues might affect network traffic
  - Sensor overloading impacts the network
  - Some impact on network (latency, jitter)

Deployment considerations: Both an IPS and an IDS can be deployed; they complement each other. Deciding which implementation to use is based on the security goals of the organization as stated in its network security policy.

Security Devices: Types of IPS
There are two primary kinds of IPS available: host-based IPS (HIPS) and network-based IPS.

Host-based IPS (HIPS)
HIPS is software installed on a host to monitor and analyze suspicious activity.
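The difference between atomic (single-packet) and composite (multi-packet) signatures described under Intrusion Prevention and Detection Devices above is easiest to see in code. The following is an added example, not part of the Cisco module: a tiny sensor that runs one atomic signature (a TCP flag combination no normal stack sends) and one composite signature (a SYN scan, which is only visible across several packets) over a constructed packet stream. The packet layout, thresholds and addresses are assumptions made for the illustration.

```python
"""Atomic vs composite IDS signatures over a constructed packet stream.

Added example, not from the Cisco module. The Packet record and the two
signatures are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. {"SYN"}


def atomic_nmap_xmas(pkt):
    """Atomic signature: decided from one packet. FIN+PSH+URG together is
    never produced by a normal TCP stack (the nmap -sX probe)."""
    return {"FIN", "PSH", "URG"} <= pkt.flags


class CompositeSynScan:
    """Composite signature: needs state across packets. Alerts once when a
    source sends SYN-only packets to more than `threshold` distinct ports on
    one host within a sliding window of `window` seconds."""

    def __init__(self, threshold=5, window=2.0):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
        self.alerted = set()

    def feed(self, pkt):
        if pkt.flags != frozenset({"SYN"}):
            return None
        key = (pkt.src, pkt.dst)
        hist = self.seen[key]
        hist.append((pkt.ts, pkt.dport))
        # keep only entries inside the window; slow scans fall out of it
        self.seen[key] = hist = [(t, p) for t, p in hist if pkt.ts - t <= self.window]
        ports = {p for _, p in hist}
        if len(ports) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"SYN scan {pkt.src} -> {pkt.dst} ({len(ports)} ports)"
        return None


def run_sensor(packets, threshold=5, window=2.0):
    """Return the alerts a sensor would raise for the packet stream."""
    comp = CompositeSynScan(threshold, window)
    alerts = []
    for pkt in packets:
        if atomic_nmap_xmas(pkt):
            alerts.append(f"XMAS scan packet {pkt.src} -> {pkt.dst}:{pkt.dport}")
        alert = comp.feed(pkt)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: a normal connection, one Xmas probe, then a
# scanner walking ports 20-29 on the same host within half a second.
SAMPLE = (
    [Packet(0.0, "10.0.0.5", "10.0.0.9", 443, frozenset({"SYN"})),
     Packet(0.1, "10.0.0.5", "10.0.0.9", 443, frozenset({"ACK"})),
     Packet(0.5, "203.0.113.7", "10.0.0.9", 80, frozenset({"FIN", "PSH", "URG"}))]
    + [Packet(1.0 + i * 0.05, "203.0.113.7", "10.0.0.9", 20 + i, frozenset({"SYN"}))
       for i in range(10)]
)

if __name__ == "__main__":
    for line in run_sensor(SAMPLE):
        print(line)
```

Run as a script it prints one XMAS alert and one SYN-scan alert (raised at the sixth distinct port). Shrinking the window to 0.01 s makes the same scan invisible to the composite signature, which is the evasion the IDS disadvantages list above alludes to: the attacker only has to be slower than the sensor's memory.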
Types of IPS: Host-based IPS (Cont.)
HIPS can monitor abnormal activity and prevent the host from executing commands that do not match typical behavior. Network traffic can also be monitored to prevent the host from participating in a denial-of-service (DoS) attack or being part of an illicit FTP session.

HIPS advantages:
- Provides protection specific to a host operating system
- Provides operating system and application-level protection
- Protects the host after the message is decrypted
HIPS disadvantages:
- Operating system dependent
- Must be installed on all hosts

Types of IPS (Cont.)
Network-based IPS
A network-based IPS can be implemented using a dedicated or non-dedicated IPS device. Network-based IPS implementations are a critical component of intrusion prevention. There are host-based IDS/IPS solutions, but these must be integrated with a network-based IPS implementation to ensure a robust security architecture. Sensors detect malicious and unauthorized activity in real time and can act when required.

Security Devices: Specialized Security Appliances
There are a variety of specialized security appliances available.
Three examples are:

Cisco Advanced Malware Protection (AMP)
- An enterprise-class advanced malware analysis and protection solution
- Provides comprehensive malware protection for organizations before, during, and after an attack
- Accesses the collective security intelligence of the Cisco Talos Security Intelligence and Research Group
Cisco Web Security Appliance (WSA)
- A secure web gateway that combines leading protections to help organizations address the growing challenges of securing and controlling web traffic
- Protects the network by automatically blocking risky sites and testing unknown sites before allowing users to access them
- Provides malware protection, application visibility and control, acceptable use policy controls, insightful reporting, and secure mobility
Cisco Email Security Appliance (ESA)
- Defends mission-critical email systems
- Constantly updated by real-time feeds from Cisco Talos
- Features include spam blocking, advanced malware protection, and outbound message control

6.2 Security Services

Security Services: Traffic Control with ACLs
An Access Control List (ACL) is a series of commands that control whether a device forwards or drops packets based on information found in the packet header. ACLs perform the following tasks:
- They limit network traffic to increase network performance.
- They provide traffic flow control.
- They provide a basic level of security for network access.
- They filter traffic based on traffic type.
- They screen hosts to permit or deny access to network services.
In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.
Security Services: ACLs: Important Features
Two types of Cisco IPv4 ACLs are standard and extended. Standard ACLs can be used to permit or deny traffic only based on source IPv4 addresses; the destination of the packet and the ports involved are not evaluated. Extended ACLs filter IPv4 packets based on several attributes that include:
- Protocol type
- Source IPv4 address
- Destination IPv4 address
- Source TCP or UDP ports
- Destination TCP or UDP ports
- Optional protocol type information for finer control

ACLs: Important Features (Cont.)
Standard and extended ACLs can be created using either a number or a name to identify the ACL and its list of statements. By configuring ACL logging, an ACL message can be generated and logged when traffic meets the permit or deny criteria defined in the ACL. Cisco ACLs can also be configured (with the established keyword) to allow only TCP traffic that has the ACK or RST bit set, so that only traffic belonging to an already established TCP session is permitted. This can be used to deny TCP traffic from outside the network that is trying to establish a new session. The check is stateless, however: it looks only at the flag bits of each packet, so a crafted packet from outside with the ACK bit set still matches. A stateful firewall, which tracks the connection itself in its state table, closes that gap.

Security Services: SNMP
Simple Network Management Protocol (SNMP) allows administrators to manage end devices such as servers, workstations, routers, switches, and security appliances on an IP network. It enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth. The SNMP system consists of two elements:
- An SNMP manager that runs SNMP management software
- SNMP agents, which are the nodes being monitored and managed
The Management Information Base (MIB) is a database on the agents that stores data and operational statistics about the device. The SNMP manager is part of a network management system (NMS).
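To make the ACL semantics concrete, here is an added example (not code from the Cisco module) that evaluates a Cisco-style extended ACL in Python: wildcard-mask matching, first-match-wins ordering, the implicit deny at the end of every ACL, and the established keyword described above. It also places a minimal stateful filter beside the ACL so the difference shows on the same packets: the ACL passes a forged ACK-only probe from outside because the flag bits match, while the state table rejects it because no inside host opened that connection. The ACL entries, addresses and packets are constructed for the illustration.

```python
"""Cisco-style IPv4 ACL evaluation, and why `established` is weaker than a
stateful firewall. Added example, not from the Cisco module; the ACL and the
packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


@dataclass
class Ace:
    """One access control entry. A standard ACL would use only src/src_wc."""
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"               # "ip" matches any protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None     # None = any destination port
    established: bool = False       # match only TCP packets with ACK or RST set

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and (pkt.flags & {"ACK", "RST"})):
            return False
        return True


def evaluate_acl(acl, pkt):
    """First matching ACE wins; the implicit 'deny any' ends every ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed extended ACL applied inbound on the outside interface:
#   permit tcp any 192.168.1.0 0.0.0.255 established
#   permit tcp any host 192.168.1.10 eq 443
#   deny   ip  any any
OUTSIDE_IN = [
    Ace("permit", "0.0.0.0", "255.255.255.255", "tcp", "192.168.1.0", "0.0.0.255", established=True),
    Ace("permit", "0.0.0.0", "255.255.255.255", "tcp", "192.168.1.10", "0.0.0.0", dport=443),
    Ace("deny", "0.0.0.0", "255.255.255.255"),
]


class StatefulFilter:
    """A stateful firewall permits return traffic only for connections it saw
    initiated from inside, tracked by 5-tuple in a state table."""

    def __init__(self):
        self.table = set()

    def outbound(self, pkt):
        self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare(pkt, fw):
    """Verdicts for a packet arriving from outside: (stateless ACL, stateful table)."""
    acl_verdict = evaluate_acl(OUTSIDE_IN, pkt)
    state_verdict = "permit" if fw.inbound(pkt) else "deny"
    return acl_verdict, state_verdict


if __name__ == "__main__":
    fw = StatefulFilter()
    # an inside host opens a session; the genuine reply is permitted by both
    fw.outbound(Packet("tcp", "192.168.1.20", "198.51.100.4", 51000, 80, frozenset({"SYN"})))
    reply = Packet("tcp", "198.51.100.4", "192.168.1.20", 80, 51000, frozenset({"SYN", "ACK"}))
    print("reply:", compare(reply, fw))
    # attacker sends an ACK-only probe to a port nobody opened: ACL permits it
    probe = Packet("tcp", "203.0.113.9", "192.168.1.20", 4444, 22, frozenset({"ACK"}))
    print("ack probe:", compare(probe, fw))
    # a new SYN from outside to a non-published port is denied by both
    syn = Packet("tcp", "203.0.113.9", "192.168.1.20", 4444, 22, frozenset({"SYN"}))
    print("new syn:", compare(syn, fw))
```

The ACK-probe result is exactly the technique behind nmap's ACK scan against stateless filters: the firewall answers the question "is there a filter rule?" rather than "is there a connection?". Order matters too: swapping the second and third entries would shadow the HTTPS rule behind the deny, which is the most common ACL mistake in practice.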
Security Services: SNMP (Cont.)
The SNMP manager can collect information from an SNMP agent by using the "get" action and can change configurations on an agent by using the "set" action. In addition, SNMP agents can forward information directly to a network manager by using "traps".

Security Services: NetFlow
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a Cisco router or multilayer switch. NetFlow provides data to enable network and security monitoring, network planning, traffic analysis (including identification of network bottlenecks), and IP accounting for billing purposes. NetFlow distinguishes packet flows using a combination of seven fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol type
- Type of Service (ToS) marking
- Input logical interface

Security Services: Port Mirroring
Packet analyzers (packet sniffers or traffic sniffers) have a limitation: because network switches isolate traffic to the ports involved, a sniffer or other network monitor such as an IDS cannot see all the traffic on a network segment. Port mirroring is a switch feature that makes duplicate copies of traffic passing through the switch and sends them out a port with a network monitor attached. The original traffic is forwarded in the usual manner.

Security Services: Syslog Servers
When certain events occur on a network, networking devices have trusted mechanisms to notify the administrator with detailed system messages. Network administrators have a variety of options for storing, interpreting, and displaying these messages, and for being alerted to them. The syslog protocol is the most common method of accessing system messages.
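Going back to the seven NetFlow key fields listed above: the following added example (not part of the Cisco module) aggregates a constructed packet list into flow records keyed on exactly those seven fields, then applies a simple security use of the flow data, flagging a source that produced many single-packet TCP flows to distinct ports on one host. Because the key includes direction-specific addresses and the input interface, a two-way conversation appears as two flows, which is the first thing to know when reading NetFlow exports in an investigation. The packet layout, addresses and interface names are assumptions.

```python
"""NetFlow-style flow aggregation over a constructed packet list.
Added example, not from the Cisco module; the seven key fields follow the
list above, the packets and the interface names are assumptions."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: int     # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    tos: int       # Type of Service byte
    in_if: str     # input logical interface
    length: int    # bytes on the wire


def flow_key(pkt):
    """The seven fields NetFlow uses to distinguish flows."""
    return (pkt.src_ip, pkt.dst_ip, pkt.sport, pkt.dport, pkt.proto, pkt.tos, pkt.in_if)


def aggregate(packets):
    """Return {flow_key: {"packets": n, "bytes": b}} in first-seen order,
    the per-flow counters a NetFlow cache would export."""
    flows = OrderedDict()
    for p in packets:
        rec = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += p.length
    return flows


def scan_suspects(flows, min_ports=4):
    """Security use of flow data: a source with many single-packet TCP flows
    to distinct destination ports on one host looks like a port scan.
    Returns {(src, dst): sorted list of ports touched}."""
    ports = {}
    for (src, dst, _sport, dport, proto, _tos, _iif), rec in flows.items():
        if proto == 6 and rec["packets"] == 1:
            ports.setdefault((src, dst), set()).add(dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


# Constructed traffic: an HTTPS session in both directions, then a scanner
# probing ports 20-25 on the inside host.
SAMPLE = [
    Packet("10.1.1.5", "198.51.100.20", 51234, 443, 6, 0, "Gi0/0", 60),
    Packet("198.51.100.20", "10.1.1.5", 443, 51234, 6, 0, "Gi0/1", 60),
    Packet("10.1.1.5", "198.51.100.20", 51234, 443, 6, 0, "Gi0/0", 1200),
    Packet("198.51.100.20", "10.1.1.5", 443, 51234, 6, 0, "Gi0/1", 4400),
] + [Packet("203.0.113.7", "10.1.1.5", 40000 + i, 20 + i, 6, 0, "Gi0/1", 60) for i in range(6)]

if __name__ == "__main__":
    flows = aggregate(SAMPLE)
    for key, rec in flows.items():
        print(key, rec)
    print("scan suspects:", scan_suspects(flows))
```

Note what NetFlow does not give you: no payload, and no TCP flags in this seven-field key, so the scan heuristic rests purely on flow shape (many tiny one-packet flows). That is also why the port-mirroring section that follows matters; a full-packet monitor on a SPAN port sees what flow records cannot.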
Security Services: Syslog Servers (Cont.)
The syslog logging service provides three primary functions:
- The ability to gather logging information for monitoring and troubleshooting
- The ability to select the type of logging information that is captured
- The ability to specify the destination of captured syslog messages

Security Services: NTP
Network Time Protocol (NTP) is used to synchronize the time across all devices on the network. When the time is not synchronized between devices, it is impossible to determine the order of events that have occurred in different parts of the network, for example when correlating syslog messages from several devices during an incident. As a network grows, it becomes difficult to ensure that all infrastructure devices operate with synchronized time. Configuring NTP solves this: NTP allows routers and other devices on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings.

NTP (Cont.)
NTP networks use a hierarchical system of time sources. Each level in this hierarchy is called a stratum; the stratum number counts hops from the reference clock and in practice can run as high as 15 (16 means unsynchronized). The figure shows the first three levels:
- Stratum 0: An NTP network gets the time from authoritative time sources. These authoritative time sources, also referred to as stratum 0 devices, are high-precision timekeeping devices (such as atomic or GPS clocks) assumed to be accurate and with little or no delay associated with them.
- Stratum 1: The stratum 1 devices are directly connected to the authoritative time sources. They act as the primary network time standard.
- Stratum 2 and lower strata: The stratum 2 servers are connected to stratum 1 devices through network connections. Stratum 2 devices, such as NTP clients, synchronize their time using the NTP packets from stratum 1 servers.
  They can also act as servers for stratum 3 devices, and so on down the hierarchy.

Security Services: AAA Servers
Three independent security functions provided by the AAA architectural framework are authentication, authorization, and accounting.

Authentication
  Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. AAA authentication provides a centralized way to control access to the network.
Authorization
  After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
Accounting
  Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

AAA Servers (Cont.)
Terminal Access Controller Access-Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) are both protocols used to communicate with AAA servers.
Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation.
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
Standard
  TACACS+: Mostly Cisco supported.
  RADIUS: Open/RFC standard.
Transport
  TACACS+: TCP (port 49).
  RADIUS: UDP (ports 1812 and 1813; legacy 1645 and 1646).
Protocol CHAP
  TACACS+: Bidirectional challenge and response, as used in the Challenge Handshake Authentication Protocol (CHAP).
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client.
Confidentiality
  TACACS+: Entire packet body encrypted (obfuscated with an MD5-derived keystream keyed by the shared secret; the 12-byte header stays in cleartext).
  RADIUS: Only the password is encrypted (the User-Password attribute is hidden with an MD5-based scheme); usernames, attributes, and accounting data travel in cleartext unless the transport is protected, for example with IPsec or RADIUS over TLS.
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis.
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis.
Accounting
  TACACS+: Limited.
  RADIUS: Extensive.

Security Services: VPN
A virtual private network (VPN) is a private network that is created over a public network, usually the internet. A VPN uses virtual connections that are routed through the internet from the organization to the remote site. A VPN connects two endpoints, such as a remote office to a central office, over a public network to form a logical connection. The logical connections can be made at either Layer 2 or Layer 3. A VPN is private in the sense that its traffic is kept separate from other traffic on the public network; it is confidential only when the tunnel is also encrypted. Common examples of Layer 3 VPNs are GRE, Multiprotocol Label Switching (MPLS), and IPsec. Of these only IPsec encrypts: GRE and MPLS provide tunneling and separation but no confidentiality, which is why GRE tunnels that carry sensitive traffic are normally protected with IPsec (GRE over IPsec). Layer 3 VPNs can be point-to-point site connections, such as GRE and IPsec, or they can establish any-to-any connectivity to many sites using MPLS. VPNs are commonly deployed in a site-to-site topology to securely connect central sites with remote locations. They are also deployed in a remote-access topology to provide secure remote access to external users travelling or working from home.
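The "Confidentiality" row of the TACACS+/RADIUS comparison above is the one practitioners most often misread, so here is an added example (not code from the Cisco module) that implements both mechanisms as the RFCs define them: RADIUS User-Password hiding from RFC 2865 section 5.2, which covers only the password attribute, and TACACS+ body obfuscation from RFC 8907 section 4.5, which covers the whole packet body. The shared secret, Request Authenticator, session id and packet body are constructed test values; real implementations draw the authenticator and session id at random.

```python
"""RADIUS User-Password hiding (RFC 2865 s5.2) beside TACACS+ body
obfuscation (RFC 8907 s4.5). Added example, not from the Cisco module.
The secret, authenticator, session id and bodies are constructed values."""
import hashlib


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865: pad the password with NULs to 16-byte blocks, then XOR each
    block with MD5(secret + previous ciphertext block), the first block using
    the 16-byte Request Authenticator in place of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password; strips the NUL padding."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def tacacs_plus_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907: body XOR pseudo_pad, with pseudo_pad = MD5_1 | MD5_2 | ...,
    MD5_1 = MD5(session_id | key | version | seq_no) and
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1}), truncated to
    the body length. The 12-byte header is not covered. XOR makes the function
    its own inverse, so the same call decrypts."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def demo():
    """Round-trip both schemes and report what each one actually covers."""
    secret = b"sharedsecret"
    authenticator = bytes(range(16))            # constructed; a real one is random
    hidden = radius_hide_password(secret, authenticator, b"hunter2")
    body = b"\x01\x01\x02\x01\x05\x04\x00\x00admin"   # constructed TACACS+ body bytes
    session_id, version, seq_no = 0x01020304, 0xC0, 1
    obfuscated = tacacs_plus_obfuscate(secret, session_id, version, seq_no, body)
    return {
        "radius_round_trip": radius_reveal_password(secret, authenticator, hidden) == b"hunter2",
        "radius_hidden_bytes": len(hidden),      # the password attribute only
        "tacacs_round_trip": tacacs_plus_obfuscate(secret, session_id, version, seq_no, obfuscated) == body,
        "tacacs_covered_bytes": len(obfuscated),  # the entire body
    }


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible that the table does not. First, "encrypted" in both rows means an MD5-keyed stream XORed over the data with no integrity protection; RFC 8907 itself calls the TACACS+ scheme obfuscation and recommends running it only on an isolated management network, and a captured RADIUS Access-Request lets an attacker brute-force the shared secret offline. Second, the RADIUS keystream depends on the Request Authenticator, so a client that reuses authenticators leaks password equality across requests.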
6.3 Network Security Infrastructure Summary

What Did I Learn in this Module?
Security Devices
- There are several different types of firewalls, including packet filtering (stateless), stateful inspection, application gateway (proxy), and next-generation firewalls.
- Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic.
- Intrusion prevention systems (IPS) and intrusion detection systems (IDS) are used to detect potential security risks and to alert on or stop unsafe traffic. IDS/IPS can be implemented as host-based or network-based.
- Specialized security appliances include Cisco Advanced Malware Protection (AMP), Cisco Web Security Appliance (WSA), and Cisco Email Security Appliance (ESA). These appliances use the services of the Cisco Talos Security Intelligence and Research Group. Talos detects and correlates threats in real time using the largest threat-detection network in the world.

What Did I Learn in this Module? (Cont.)
Security Services
- ACLs are a series of statements that control whether a device forwards or drops packets based on information found in the packet header.
- NTP synchronizes the system time across all devices on the network to ensure accurate and consistent timestamping of system messages.
- Syslog servers compile and provide access to the system messages generated by networking devices.
- SNMP enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth.
- NetFlow provides statistics on packets that are flowing through a Cisco router or multilayer switch.
- Port mirroring is a feature that allows a switch to make duplicate copies of traffic passing through the switch and send them out a port that has a network monitor attached.
- AAA is a framework for configuring user authentication, authorization, and accounting services. AAA typically uses a TACACS+ or RADIUS server for this purpose.
- VPNs are private networks that are created between two endpoints across a public network.

Module 12: The Windows Operating System
Endpoint Security (ESec)

Module Objectives
Module Title: The Windows Operating System
Module Objective: Use Windows administrative tools.

Topic Title: Windows History
Topic Objective: Describe the history of the Windows Operating System.
Topic Title: Windows Architecture and Operations
Topic Objective: Explain the architecture of Windows and its operation.
Topic Title: Windows Configuration and Monitoring
Topic Objective: Use Windows administrative tools to configure, monitor, and manage system resources.
Topic Title: Windows Security
Topic Objective: Explain how Windows can be kept secure.

7.1 Windows History

Windows History: Disk Operating System
The first computers did not have modern storage devices such as hard drives, optical drives, or flash storage. The first storage methods used punch cards, paper tape, magnetic tape, and even audio cassettes. Floppy disk and hard disk storage require software to read from, write to, and manage the data that they store. The Disk Operating System (DOS) is an operating system that the computer uses to enable these data storage devices to read and write files.

Disk Operating System (Cont.)
Microsoft bought DOS and developed MS-DOS.
With MS-DOS, the computer had a basic working knowledge of how to access the disk drive and load the operating system files directly from disk as part of the boot process. Early versions of Windows consisted of a Graphical User Interface (GUI) that ran over MS-DOS. To experience a little of what it was like to work in MS-DOS, open a command window by typing cmd in Windows Search and pressing Enter. The table lists some commands that you can use. Enter help followed by the command to learn more about the command.

Disk Operating System (Cont.)
MS-DOS command and description:
  dir                       Shows a listing of all the files in the current directory (folder)
  cd directory              Changes the directory to the indicated directory
  cd ..                     Changes the directory to the directory above the current directory
  cd \                      Changes the directory to the root directory (often C:)
  copy source destination   Copies files to another location
  del filename              Deletes one or more files
  find                      Searches for text in files
  mkdir directory           Creates a new directory
  ren oldname newname       Renames a file
  help                      Displays all the commands that can be used, with a brief description
  help command              Displays extensive help for the indicated command

Windows History: Windows Versions
Since 1993, there have been more than 20 releases of Windows that are based on the NT operating system. Most of these versions were for use by the public and businesses because of the file security offered by the file system used by the NT OS. Beginning with Windows XP, a 64-bit edition was available, with a 64-bit address space instead of a 32-bit address space. In general, 64-bit computers and operating systems are backward-compatible with older 32-bit programs, but 64-bit programs cannot be run on older 32-bit hardware.
With each subsequent release of Windows, the operating system has become more refined by incorporating more features. Windows 7 was offered in six different editions, Windows 8 in as many as five, and Windows 10 in eight different editions.

Windows Versions (Cont.)
  Windows 7: Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
  Windows Server 2008 R2: Foundation, Standard, Enterprise, Datacenter, Web Server, HPC Server, Itanium-Based Systems
  Windows Home Server 2011: None
  Windows 8: Windows 8, Windows 8 Pro, Windows 8 Enterprise, Windows RT
  Windows Server 2012: Foundation, Essentials, Standard, Datacenter
  Windows 8.1: Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise, Windows RT 8.1
  Windows Server 2012 R2: Foundation, Essentials, Standard, Datacenter
  Windows 10: Home, Pro, Pro Education, Enterprise, Education, IoT Core, Mobile, Mobile Enterprise
  Windows Server 2016: Essentials, Standard, Datacenter, Multipoint Premium Server, Storage Server, Hyper-V Server

Windows History: Windows GUI
Windows has a graphical user interface (GUI) for users to work with data files and software. The GUI has a main area known as the Desktop, shown in the figure.

Windows GUI (Cont.)
The Desktop can be customized with various colors and background images. Windows supports multiple users, so each user can customize the Desktop to their liking. The Desktop can store files, folders, shortcuts to locations and programs, and applications. The Desktop also has a recycle bin icon, where files are stored when the user deletes them. Files can be restored from the recycle bin, or the recycle bin can be emptied, which removes the file system entries; the data itself typically remains on disk until it is overwritten, which is why forensic tools can often recover "deleted" files.
Windows GUI (Cont.)
The Task Bar has three areas that are used for different purposes:
- Start menu: used to access all the installed programs, configuration options, and the search feature.
- Task Bar: where users place quick launch icons that run specific programs or open specific folders when they are clicked.
- Notification area: shows the status of many different programs and features.

Windows GUI (Cont.)
Right-clicking an icon brings up additional functions that can be used. This list is known as a Context Menu, shown in the figure. There are Context Menus for the icons in the notification area, for quick launch icons, for system configuration icons, and for files and folders.

Windows History: Operating System Vulnerabilities
Operating systems consist of millions of lines of code, and installed software can contain millions more. With all this code come vulnerabilities. A vulnerability is a flaw or weakness that an attacker can exploit to compromise the confidentiality, integrity, or availability of a computer's information. To take advantage of an operating system vulnerability, the attacker must use a technique or a tool to exploit it. The attacker can then use the vulnerability to make the computer act in a way outside of its intended design. In general, the goal is to gain unauthorized control of the computer, change permissions, or manipulate or steal data.

Operating System Vulnerabilities (Cont.)
Some common Windows OS security recommendations include:

Virus or malware protection
  By default, Windows uses Windows Defender for malware protection.
  Windows Defender provides a suite of protection tools built into the system. If Windows Defender is turned off, the system becomes more vulnerable to attacks and malware.
Unknown or unmanaged services
  There are many services that run behind the scenes. It is important to make sure that each service is identifiable and safe. With an unknown service running in the background, the computer can be vulnerable to attack.
Encryption
  When data is not encrypted, it can easily be gathered and exploited. This is important not only for desktop computers but especially for mobile devices.
Security policy
  A good security policy must be configured and followed. Many settings in the Windows Security Policy control can prevent attacks.

Operating System Vulnerabilities (Cont.)
Firewall
  By default, Windows uses Windows Firewall to limit communication with devices on the network. Over time, rules may no longer apply; for example, a port may be left open that should no longer be readily available. It is important to review firewall settings periodically to ensure that the rules are still applicable, and to remove any that no longer apply.
File and share permissions
  These permissions must be set correctly. It is easy to just give the "Everyone" group Full Control, but this allows all people to do what they want to all files. It is best to provide each user or group with the minimum necessary permissions for all files and folders.
Weak or no password
  Many people choose weak passwords or do not use a password at all. It is especially important to make sure that all accounts, especially the Administrator account, have a very strong password.
Login as Administrator
  When a user logs in as an administrator, any program they run will have the privileges of that account.
It is best to log in as a Standard User and use administrator credentials only for the tasks that require them.

7.2 Windows Architecture and Operations

Windows Architecture and Operations: Hardware Abstraction Layer
Windows computers use many different types of hardware. The operating system can be installed on a purchased computer or on one assembled by the user. When the operating system is installed, it must be isolated from differences in hardware. The basic Windows architecture is shown in the figure.
A hardware abstraction layer (HAL) is software that handles the communication between the hardware and the kernel. The kernel is the core of the operating system and has control over the entire computer. It handles all the input and output requests, memory, and peripherals connected to the computer. In some instances, the kernel still communicates with the hardware directly, so it is not completely independent of the HAL. The HAL also needs the kernel to perform some functions.

Windows Architecture and Operations: User Mode and Kernel Mode
As identified in the figure, there are two different modes in which the CPU operates when the computer has Windows installed: user mode and kernel mode. Installed applications run in user mode, and operating system code runs in kernel mode.
Code that is executing in kernel mode has unrestricted access to the underlying hardware and can execute any CPU instruction. Kernel mode code can also reference any memory address directly. Code that runs in kernel mode shares a single address space and has no isolation from the rest of the operating system, which is why a bug in one driver can crash or compromise the whole system. When user mode code runs, the kernel grants it its own restricted address space, along with a process created specifically for the application. The main reason for this separation is to prevent applications from changing operating system code that is running at the same time.

Windows Architecture and Operations: Windows File Systems
FAT (FAT16, FAT32, exFAT) - A simple file system supported by many different operating systems. FAT has limits on the number of partitions, partition sizes, and file sizes that it can address, so it is not usually used for hard drives (HDs) or solid-state drives (SSDs) anymore. Both FAT16 and FAT32 are available, with FAT32 being the most common because it has far fewer restrictions than FAT16.
Hierarchical File System Plus (HFS+) - Used on Mac OS X computers; allows much longer filenames, file sizes, and partition sizes than previous file systems. Windows does not support HFS+ natively, but can read data from HFS+ partitions with special software.
Extended File System (EXT) - Used with Linux-based computers. Windows does not support EXT natively, but can read data from EXT partitions with special software.
New Technology File System (NTFS) - The most commonly used file system when installing Windows. All versions of Windows and Linux support NTFS. Mac OS X computers can only read an NTFS partition; they are able to write to it after installing special drivers.
NTFS is the most widely used file system for Windows for many reasons:
It supports very large files and partitions and is very compatible with other operating systems.
It is very reliable and supports recovery features (journaling).
It supports many security features (per-file access control lists, encryption, auditing).
Before a storage device such as a disk can be used, it must be formatted with a file system. In turn, before a file system can be put into place on a storage device, the device needs to be partitioned. A hard drive is divided into areas called partitions. Each partition is a logical storage unit that can be formatted to store information, such as data files or applications.
NTFS formatting creates important structures on the disk for file storage, and tables for recording the locations of files:
Partition Boot Sector - The first 16 sectors of the partition. It contains the location of the Master File Table (MFT). The last 16 sectors of the partition contain a copy of the boot sector.
Master File Table (MFT) - Contains the locations of all the files and directories on the partition, including file attributes such as security information and timestamps.
System Files - Hidden files that store information about other volumes and file attributes.
File Area - The main area of the partition where files and directories are stored.
Note: When a partition is formatted, the previous data may still be recoverable because not all of it is removed. The free space can be examined and files retrieved, which can compromise security. Perform a secure wipe on a drive that is being reused. A secure wipe overwrites the entire drive, typically multiple times, so that no data remains; for SSDs, where overwriting does not reliably reach every flash cell, use the drive's built-in secure-erase or crypto-erase function instead.
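NTFS stores each file as a set of MFT attributes, and one consequence, covered under Alternate Data Streams next, is that a file can carry more than one $DATA attribute. The following PowerShell is an added example, not code from the course material: it creates a named stream on a test file, lists every stream, reads the hidden one back, then hunts a directory tree for streams other than the primary $DATA and the benign Zone.Identifier mark that browsers write on downloads. The directory, file and stream names are assumptions chosen for the demonstration; the file must be on an NTFS volume.

```powershell
# Added example (not part of the original course material): create, list and read
# NTFS alternate data streams, then hunt for them. Names below are demo assumptions.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'Testfile.txt'

# The primary (unnamed) $DATA stream is what Explorer and 'dir' report as the file.
Set-Content -Path $file -Value 'visible content'

# Attach a named stream. The size Explorer reports for the file does not change.
Set-Content -Path $file -Stream 'hidden' -Value 'payload that ordinary listings do not show'

# Enumerate every stream on the file. ':$DATA' is the primary stream; anything else is an ADS.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Read the alternate stream back ("Testfile.txt:hidden" is the filename:stream syntax).
Get-Content -Path $file -Stream 'hidden'

# Hunt for alternate streams across a tree. Zone.Identifier is the common, benign
# stream written to mark downloaded files; everything else deserves a look.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Root $dir

# Remove the stream without touching the primary data.
Remove-Item -Path $file -Stream 'hidden'
```

From the classic command prompt, dir /r shows the same streams. A stream can hold an executable as well as text, so a hunt like Find-AlternateStreams belongs in host triage alongside the autostart and service checks.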
Windows Architecture and Operations: Alternate Data Streams
NTFS stores files as a series of attributes, such as the name of the file or a timestamp. The data the file contains is stored in the attribute $DATA and is known as a data stream. NTFS allows additional, named $DATA attributes, called Alternate Data Streams (ADSs), to be attached to the file. An ADS is referenced by the filename, a colon, and the stream name, for example Testfile.txt:ADS, which indicates a stream named ADS associated with the file Testfile.txt. Alternate streams are not shown by a normal directory listing or by Explorer and do not change the reported file size, which makes them a way to hide data or executables on a host. An example of an ADS is shown in the command output.

Windows Architecture and Operations: Windows Boot Process
Many actions occur between the time that the computer power button is pressed and Windows is fully loaded, as shown in the figure. This is known as the Windows boot process.
Two types of computer firmware exist:
Basic Input-Output System (BIOS) - BIOS firmware was created in the early 1980s and works the same way it did then. As computers evolved, it became difficult for BIOS firmware to support all the new features requested by users.
Unified Extensible Firmware Interface (UEFI) - UEFI was designed to replace BIOS and support the new features.
BIOS firmware boot process: The process begins with the BIOS initialization phase, when hardware devices are initialized and a power-on self-test (POST) is performed to make sure these devices are communicating. When the system disk is discovered, the POST ends. The last instruction in the POST is to look for the master boot record (MBR).
The MBR contains a small program that is responsible for locating and loading the operating system. The BIOS executes this code, and the operating system starts to load.
UEFI firmware boot process: UEFI boots by loading EFI program files, stored as .efi files in a special disk partition known as the EFI System Partition (ESP).
Boot process for BIOS or UEFI after a valid Windows installation is located:
Bootmgr.exe is run. Bootmgr.exe reads the Boot Configuration Data (BCD) store, which holds the boot entries and settings needed to start the computer, along with an indication of whether the computer is coming out of hibernation or is doing a cold start.
If the computer is coming out of hibernation, the boot process continues with Winresume.exe. This reads the Hiberfil.sys file, which contains the state of the computer when it was put into hibernation.
If the computer is being booted from a cold start, Winload.exe is loaded. Winload.exe creates a record of the hardware configuration in the registry. The registry is a record of the settings, options, hardware, and software the computer has.
After the drivers have been examined, Winload.exe runs Ntoskrnl.exe, which starts the Windows kernel and sets up the HAL.
The Session Manager Subsystem (SMSS) reads the registry to create the user environment, start the Winlogon service, and prepare each user's desktop as they log on.
Every stage of this chain executes before any security software is running, so malware that modifies the MBR, the ESP, the BCD, or an early-loading driver (a bootkit) gains control before the operating system can inspect it.

Windows Architecture and Operations: Windows Startup
Two important registry locations are used to start applications and services automatically:
HKEY_LOCAL_MACHINE - Several aspects of Windows configuration are stored in this key, including information about services and programs that start with each boot, for every user.
HKEY_CURRENT_USER - Several aspects related to the logged-in user are stored in this key, including information about programs that start only when that user logs on to the computer.
Different entries in these registry locations define which services and applications will start, as indicated by their entry type. These types include Run, RunOnce, RunServices, RunServicesOnce, and Userinit. (The RunServices keys are a legacy of Windows 9x and are not used by current versions; Run and RunOnce are subkeys of SOFTWARE\Microsoft\Windows\CurrentVersion in both hives, and Userinit is a value under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in HKLM.) Because these entries run automatically, they are among the first places to look when hunting for malware persistence.

Windows Architecture and Operations: Windows Startup (Msconfig)
The Msconfig tool opens the System Configuration window. There are five tabs which contain the configuration options: General, Boot, Services, Startup, and Tools.
General - Three different startup types can be chosen here. Normal loads all drivers and services. Diagnostic loads only basic drivers and services. Selective allows the user to choose what to load on startup.
Boot - Any installed operating system can be chosen here to start. There are also options for Safe boot, which is used to troubleshoot startup.
Services - All the installed services are listed here so that they can be chosen to start at startup.
Startup - All the applications and services that are configured to begin automatically at startup can be enabled or disabled by opening the Task Manager from this tab.
Tools - Many common operating system tools can be launched directly from this tab.
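The Run, RunOnce and Userinit locations described above are where an analyst looks first for persistence. The following PowerShell is an added example, not code from the course material: it enumerates those keys in HKLM and HKCU (plus the 32-bit WOW6432Node view on 64-bit Windows), recovers the executable behind each command line, and reports entries whose binary is missing, unsigned, or outside the Windows and Program Files directories. Reading the keys needs no elevation; the "trusted" directory list is an assumption for a standard install, and the RunServices keys from the text are omitted because current Windows versions do not use them.

```powershell
# Added example (not part of the original course material): enumerate the registry
# autostart locations named above and flag entries that look out of place.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }          # RunOnce keys are often absent
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # provider metadata (PSPath, PSDrive, ...)
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    # Userinit and Shell run at every logon; anything appended after the stock
    # userinit.exe entry is a classic persistence spot.
    $winlogon = Get-ItemProperty -Path $winlogonKey
    foreach ($name in 'Userinit', 'Shell') {
        [pscustomobject]@{ Key = $winlogonKey; Name = $name; Command = [string]$winlogon.$name }
    }
}

# Recover the executable from a command line such as  "C:\Tools\a.exe" /q  or  C:\x\b.exe -r
function Get-ExecutablePath {
    param([string]$Command)
    if ($Command -match '^"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($Command -match '^(\S+\.exe)') { $exe = $Matches[1] }
    else                                   { $exe = ($Command -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe.TrimEnd(','))   # Userinit ends with a comma
    if (-not [System.IO.Path]::IsPathRooted($exe)) {                        # e.g. Shell = explorer.exe
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Path) { $exe = $cmd.Path }
    }
    return $exe
}

function Test-SuspiciousAutostart {
    param([string]$Command)
    if (-not $Command) { return 'empty command' }
    $exe = Get-ExecutablePath -Command $Command
    if (-not (Test-Path -LiteralPath $exe)) { return "path not found: $exe" }
    # Assumed standard install roots.
    $trusted = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inTrusted = [bool]($trusted | Where-Object { $exe -like "$_\*" })
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    if (-not $inTrusted)        { return 'signed, but outside Windows/Program Files' }
    return $null
}

$entries = Get-AutostartEntries
$entries | Format-Table -AutoSize
foreach ($e in $entries) {
    $reason = Test-SuspiciousAutostart -Command $e.Command
    if ($reason) { '{0} [{1}] -> {2}' -f $e.Key, $e.Name, $reason }
}
```

A finding is a prompt for investigation, not proof of malware: legitimate software is often installed outside Program Files or shipped unsigned. The value of the script is that it makes those exceptions explicit so they can be checked against what should be on the host.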
Windows Architecture and Operations: Windows Shutdown
It is always best to perform a proper shutdown to turn off the computer. Files that are left open, services that are closed out of order, and applications that hang can all be damaged if the power is turned off without first informing the operating system. During shutdown, the computer closes user mode applications first, followed by kernel mode processes.
There are several ways to shut down a Windows computer: the Start menu power options, the shutdown command at the command line, and Ctrl+Alt+Delete followed by clicking the power icon.
Three options for shutting down the computer are:
Shutdown - Turns the computer off (power off).
Restart - Reboots the computer (power off, then power on).
Hibernate - Records the current state of the computer and user environment and stores it in a file. Hibernation allows users to pick up right where they left off very quickly, with all their files and programs still open. Note that the hibernation file (Hiberfil.sys) then holds a copy of memory contents, including any secrets that were in RAM, which is one reason to encrypt the system drive.

Windows Architecture and Operations: Processes, Threads, and Services
A Windows application is made up of processes. The application can have one or many processes dedicated to it. A process is any program that is currently executing. Each running process is made up of at least one thread. A thread is the part of the process that is actually executed; the processor performs calculations on threads. To view and manage Windows processes, search for Task Manager. The Processes tab of the Task Manager is shown in the figure.
The threads belonging to a process are contained within that process's own address space, which prevents one process from corrupting another. Because Windows multitasks, multiple threads can be executed at the same time.
Some of the processes that Windows runs are services. Services provide long-running functionality, such as wireless networking or access to an FTP server, and start independently of any logged-on user.

Windows Architecture and Operations: Memory Allocation and Handles
A computer works by storing instructions in RAM until the CPU processes them. The virtual address space for a process is the set of virtual addresses that the process can use. Each process on a 32-bit Windows computer has a virtual address space of up to 4 gigabytes. Each process on a 64-bit Windows computer has a virtual address space of 8 terabytes (128 terabytes on Windows 8.1 and later). Each user space process runs in a private address space, separate from other user space processes. When a user space process needs to access a kernel resource, it must do so through a handle. A handle is an opaque reference managed by the kernel; it gives the user space process the access it needs without a direct connection to the kernel resource, and the kernel checks the process's rights when the handle is opened.
A powerful tool for viewing memory allocation is RAMMap (from Sysinternals), shown in the figure. RAMMap provides a wealth of information about how Windows has allocated system memory to the kernel, processes, drivers, and applications.

Windows Architecture and Operations: The Windows Registry
Windows stores the information about hardware, applications, users, and system settings in a large database known as the registry. The ways these objects interact are also recorded, such as which files an application opens and the property details of folders and applications. The registry is a hierarchical database where the highest level is known as a hive; below that there are keys, followed by subkeys. Values store data and are held in the keys and subkeys.
A registry key can be up to 512 levels deep.
HKEY_CURRENT_USER (HKCU) - Holds information concerning the currently logged-in user.
HKEY_USERS (HKU) - Holds information concerning all the user accounts on the host.
HKEY_CLASSES_ROOT (HKCR) - Holds information about object linking and embedding (OLE) registrations. OLE allows users to embed objects from other applications (like a spreadsheet) into a single document (like a Word document).
HKEY_LOCAL_MACHINE (HKLM) - Holds system-related information.
HKEY_CURRENT_CONFIG (HKCC) - Holds information about the current hardware profile.
New hives cannot be created. The registry keys and values in the hives can be created, modified, or deleted by an account with administrative privileges. As shown in the figure, the tool regedit.exe is used to modify the registry. Be very careful when using this tool: minor changes to the registry can have massive or even catastrophic effects.
Use the left panel to navigate the hives and the structure below them, and use the right panel to see the contents of the item highlighted in the left panel. Registry keys can contain subkeys and values. The most common value types are:
REG_SZ - A string value.
REG_EXPAND_SZ - A string containing environment variables (such as %SystemRoot%) that are expanded when the value is read.
REG_MULTI_SZ - A list of strings.
REG_DWORD - A 32-bit number, commonly used for Boolean on/off settings.
REG_QWORD - A 64-bit number.
REG_BINARY - Raw binary data.
Because the registry holds almost all the operating system and user information, it is critical to make sure that it does not become compromised. Potentially malicious applications can add registry keys so that they start when the computer is started. The registry also records activity that a user performs during normal day-to-day computer use.
This includes the history of hardware devices: all devices that have been connected to the computer, with name, manufacturer, and serial number, which makes the registry a primary source of evidence in forensic investigations.

7.3 Windows Configuration and Monitoring

Windows Configuration and Monitoring: Run as Administrator
As a security best practice, it is not advisable to log on to Windows using the Administrator account or an account with administrative privileges. Any program that is executed while logged on with those privileges inherits them. Malware that has administrative privileges has full access to all the files and folders on the computer.
Sometimes it is necessary to run or install software that requires the privileges of the Administrator. There are two ways to do this:
Run as Administrator - Right-click the program in Windows File Explorer and choose Run as administrator from the Context Menu. User Account Control (UAC) prompts for consent or for administrator credentials before the program starts elevated.
Administrator Command Prompt - Right-click Command Prompt (cmd.exe) in the Start menu and choose Run as administrator. Every command entered in that window then runs with administrative privileges, so close it when the task is done.

Windows Configuration and Monitoring: Local Users and Domains
When you start a new computer for the first time, or when you install Windows, you are prompted to create a user account (a local user). This holds your customization settings, access permissions, file locations, and much other user-specific data. As a security best practice, do not enable the Administrator account and do not give standard users administrative privileges.
The Guest account should not be enabled.
To make the administration of users easier, Windows uses groups. A group has a name and a specific set of permissions associated with it. When a user is placed into a group, the permissions of that group are given to that user.
Windows can also use domains to set permissions. A domain is a type of network service in which the users, groups, computers, peripherals, and security settings are stored in and controlled by a central database (Active Directory).

Windows Configuration and Monitoring: CLI and PowerShell
The Windows command line interface (CLI) can be used to run programs, navigate the file system, and manage files and folders. To open the Windows CLI, search for cmd.exe and click the program. The prompt displays the current location within the file system. A few things to remember:
File names and paths are not case-sensitive by default.
Storage devices are assigned a letter for reference. The drive letter is followed by a colon and a backslash (\). This indicates the root, or highest level, of the device.
Commands that have optional switches use the forward slash (/) to separate the command from the switch option.
You can use the Tab key to auto-complete commands when directories or files are referenced.
Windows keeps a history of the commands that were entered during a CLI session. Access previously entered commands with the up and down arrow keys.
To switch between storage devices, type the letter of the device followed by a colon, and press Enter.
The classic CLI works only with text and cannot directly drive the core of Windows (.NET, WMI, the registry) or the GUI. Windows PowerShell can, and it can be used to create scripts that automate tasks the regular CLI cannot.
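The local account recommendations above (keep Administrator and Guest disabled, no password-less accounts, strong passwords, no unnecessary administrators) can be checked from PowerShell. The following is an added example, not code from the course material. It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and should run in an elevated session so group membership and password metadata are readable; the one-year password age threshold is an assumption and the remediation commands at the end are illustrations to run deliberately, not automatically.

```powershell
# Added example (not part of the original course material): audit local accounts
# against the hardening recommendations in the text and return a list of findings.

function Get-LocalAccountFindings {
    param([int]$MaxPasswordAgeDays = 365)   # assumed threshold
    $findings = @()

    foreach ($u in Get-LocalUser) {
        # The built-in Administrator (RID 500) and Guest (RID 501) should stay disabled.
        $rid = ($u.SID.Value -split '-')[-1]
        if ($u.Enabled -and $rid -in '500', '501') {
            $findings += "built-in account '$($u.Name)' is enabled"
        }
        # An account that does not require a password lets anyone log on as it.
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings += "account '$($u.Name)' does not require a password"
        }
        # Enabled account whose password has not been changed within the threshold.
        if ($u.Enabled -and $u.PasswordLastSet -and
            $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $findings += "account '$($u.Name)' password is older than $MaxPasswordAgeDays days"
        }
    }

    # Every member of the local Administrators group has full control of the machine,
    # so each one must be justified.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $admins) {
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $findings += "local user '$($m.Name)' is a member of Administrators"
        }
    }
    return $findings
}

Get-LocalAccountFindings

# Typical remediations for the findings above (illustrative; account names are placeholders):
#   Disable-LocalUser -Name 'Guest'
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'alice'
#   net accounts /minpwlen:14 /maxpwage:90        # password policy via the net command
```

Domain-joined hosts also carry domain users and groups in Administrators (PrincipalSource ActiveDirectory); those are governed by the domain and are reported separately if the filter on PrincipalSource is removed.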
These are the types of commands that PowerShell can execute:
cmdlets - Commands that perform an action and return an output or object to the next command to be executed.
PowerShell scripts - Files with a .ps1 extension that contain PowerShell commands to be executed.
PowerShell functions - Pieces of code that can be referenced in a script.
There are four levels of help in Windows PowerShell:
Get-Help <cmdlet> - Displays basic help for a command.
Get-Help <cmdlet> -Examples - Displays basic help for a command with examples.
Get-Help <cmdlet> -Detailed - Displays detailed help for a command with examples.
Get-Help <cmdlet> -Full - Displays all help information for a command, with examples in greater depth.

Windows Configuration and Monitoring: Windows Management Instrumentation
Windows Management Instrumentation (WMI) is used to manage local and remote computers. It can retrieve information about computer components, hardware and software statistics, and monitor the health of remote computers. To open the WMI control from the Control Panel, double-click Administrative Tools > Computer Management to open the Computer Management window, expand the Services and Applications tree, and right-click the WMI Control icon > Properties. The WMI Control Properties window is shown in the figure.
These are the four tabs in the WMI Control Properties window:
General - Summary information about the local computer and WMI.
Backup/Restore - Allows manual backup and restore of the WMI repository.
Security - Settings to configure who has access to the different WMI namespaces.
Advanced - Settings to configure the default namespace for WMI.
Some attacks today use WMI to connect to remote systems, modify the registry, and run commands. WMI helps attackers avoid detection because it is common administrative traffic, most often trusted by network security devices, and remote WMI commands usually leave little evidence on the remote host. Little is not none, however: the Microsoft-Windows-WMI-Activity/Operational event log records WMI operations when it is enabled, and permanent WMI event subscriptions used for persistence are visible in the root\subscription namespace.

Windows Configuration and Monitoring: The net Command
One important command is the net command, which is used in the administration and maintenance of the OS. The net command supports many subcommands that follow the net command and can be combined with switches to focus on specific output. Common net commands:
net accounts - Sets password and logon requirements for users.
net session - Lists or disconnects sessions between a computer and other computers on the network.
net share - Creates, removes, or manages shared resources.
net start - Starts a network service or lists running network services.
net stop - Stops a network service.
net use - Connects, disconnects, and displays information about shared network resources.
net view - Shows a list of computers and network devices on the network.
The same commands are just as useful to an attacker with a foothold, who will typically run net view, net share and net use to enumerate the environment; their appearance in process creation logs under an unexpected parent process is worth alerting on.

Windows Configuration and Monitoring: Task Manager and Resource Monitor
There are two very important and useful tools to help an administrator understand the many different applications, services, and processes that are running on a Windows computer.
Task Manager
The Task Manager, which is shown in the figure, provides a lot of information about the software that is running and the general performance of the computer. Its tabs are:
Processes - Lists all the programs and processes that are currently running and displays the CPU, memory, disk, and network utilization of each. The properties of a process can be examined, or the process ended if it is not behaving properly or has stalled.
Performance - A view of all the performance statistics that gives a useful overview of CPU, memory, disk, and network performance. Clicking each item in the left pane shows detailed statistics for that item in the right pane.
App history - Resource use by application over time, which gives insight into applications that are consuming more resources than they should. Click Options and then Show history for all processes to see the history of every process that has run since the computer was started.
Startup - All the applications and services that start when the computer is booted are shown in this tab. To stop a program from starting at startup, right-click the item and choose Disable.
Users - All the users that are logged on to the computer are shown in this tab, together with the resources that each user's applications and processes are using. From this tab, an administrator can disconnect a user from the computer.
Details - Similar to the Processes tab, this tab provides additional management options for processes, such as setting a priority to make the processor devote more or less time to a process.
CPU affinity can also be set, which determines which core or CPU a program will use. A useful feature called Analyze wait chain shows any process for which another process is waiting, which helps determine whether a process is simply waiting or is stalled.
Services - All the loaded services are shown in this tab, with the process ID (PID), a short description, and a status of either Running or Stopped. At the bottom there is a button to open the Services console, which provides additional management of services.

Resource Monitor
When more detailed information about resource usage is needed, you can use the Resource Monitor, as shown in the figure. Resource Monitor can help find the source of the problem when your computer is acting erratically. Its tabs are:
Overview - Displays the general usage of each resource.
CPU - Shows the PID, number of threads, which CPU the process is using, and the average CPU usage of each process. Additional information about the services that the process relies on, and its associated handles and modules, can be seen by expanding the lower rows.
Memory - All the statistical information about how each process uses memory is shown in this tab, along with an overview of the usage of all RAM below the Processes row.
Disk - All the processes that are using a disk are shown in this tab, with read/write statistics and an overview of each storage device.
Network - All the processes that are using the network are shown in this tab, with read/write statistics. Most importantly, the current TCP connections are shown, along with all of the ports that are listening.
This tab is very useful when trying to determine which applications and processes are communicating over the network. It makes it possible to tell whether an unauthorized process is accessing the network or listening for a connection, and the address with which it is communicating.

Windows Configuration and Monitoring: Networking
One of the most important features of any operating system is the ability of the computer to connect to a network. Without this feature, there is no access to network resources or the internet. To configure Windows networking properties and test networking settings, the Network and Sharing Center is used. This view shows whether there is internet access and whether the network is private, public, or guest.
Change Adapter Settings - To configure a network adapter, choose Change adapter settings in the Network and Sharing Center to show the network connections that are available. Select the adapter that you want to configure. In this case, we change an Ethernet adapter to acquire its IPv4 address automatically from the network.
Access Adapter Properties - Right-click the adapter you wish to configure and choose Properties, as shown in the figure.
Access TCP/IPv4 Properties - Under "This connection uses the following items", select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6), depending on which version you wish to configure. In the figure, IPv4 is being selected.
nslookup and netstat - The Domain Name System (DNS) should also be tested, because it is essential to finding the address of a host by translating its name. Use the nslookup command to test DNS. Type nslookup cisco.com at the command prompt to find the address of the Cisco web server. (netstat is covered under Windows Security below.)

Windows Configuration and Monitoring: Accessing Network Resources
Windows uses networking for many different applications, such as web, email, and file services. Microsoft aided in the development of the Server Message Block (SMB) protocol to share network resources. SMB is mostly used for accessing files on remote hosts. The Universal Naming Convention (UNC) format is used to connect to resources, for example \\servername\sharename\file, where:
servername is the server that is hosting the resource
sharename is the root of the shared folder in the file system on the remote host
file is the resource that the local host is trying to find
When sharing resources on the network, the area of the file system that will be shared needs to be identified, and the share and NTFS permissions on it set to the minimum the intended users need.
To connect to a share, type the UNC of the share into Windows File Explorer. You will be asked to provide credentials for accessing the resource.
You can log in to a remote host to make configuration changes, install software, or troubleshoot an issue. In Windows, this feature uses the Remote Desktop Protocol (RDP). To start RDP and connect to a remote computer, search for remote desktop and click the application. The Remote Desktop Connection window is shown in the figure. RDP is designed to permit remote users to control individual hosts; it is therefore a natural target for threat actors and should not be exposed directly to the internet.
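RDP is one remote-administration channel; WMI, described earlier, is another, and both are used by attackers as well as administrators. The following PowerShell is an added example, not code from the course material: it uses WMI through the CIM cmdlets to inventory services on the local host (or a remote one, over the same channel) and applies the "unknown or unmanaged services" check from the hardening table, flagging services whose binary is outside the Windows and Program Files directories, is unsigned, or is started from an unquoted path containing spaces. The trusted directory list is an assumption for a standard install, the remote host name at the end is a placeholder, and remote queries require administrative rights on the target.

```powershell
# Added example (not part of the original course material): inventory services over
# WMI/CIM and flag the ones that need a closer look.

# Recover the executable from a service command line such as  "C:\Svc\a.exe" -r  or
# C:\Program Files\Foo\bar.exe /x (unquoted), expanding any %VAR% references.
function Get-ServiceExecutable {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else {
        $i = $PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($i -ge 0) { $exe = $PathName.Substring(0, $i + 4) }
        else          { $exe = ($PathName -split ' ')[0] }
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-ServiceFindings {
    param([string]$ComputerName)

    $cimArgs = @{ ClassName = 'Win32_Service' }
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
    $services = Get-CimInstance @cimArgs

    # Assumed standard install roots (taken from the local host even for remote queries).
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
        Where-Object { $_ -ne '\' }

    foreach ($svc in $services) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        $reasons = @()

        # Unquoted path with spaces: the service control manager tries each prefix
        # (C:\Program.exe, C:\Program Files\Foo.exe, ...), so a writable prefix wins.
        if ($svc.PathName -notmatch '^"' -and $exe -match '\s') {
            $reasons += 'unquoted path containing spaces'
        }
        $inTrusted = [bool]($trustedRoots | Where-Object { $exe -like "$_*" })
        if (-not $inTrusted) { $reasons += 'binary outside Windows/Program Files' }

        # The signature check reads the file, so it only applies to the local host.
        if (-not $ComputerName -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }
        # A questionable service running as LocalSystem has full control of the host.
        if ($reasons -and $svc.StartName -eq 'LocalSystem') { $reasons += 'runs as LocalSystem' }

        if ($reasons) {
            [pscustomobject]@{
                Name    = $svc.Name
                State   = $svc.State
                Account = $svc.StartName
                Path    = $exe
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-ServiceFindings | Format-Table -AutoSize
# Remote host (placeholder name):  Get-ServiceFindings -ComputerName 'srv01'
```

Run from a management host, the remote form of this query is exactly the traffic the text says attackers hide in, so the WMI-Activity log on the target will record it; that is useful to remember when deciding what "normal" WMI activity looks like on your network.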
Windows Server
Most Windows installations are performed as desktop installations on desktops and laptops. There is another edition of Windows that is mainly used in data centers, called Windows Server. This is a family of Microsoft products that began with Windows Server 2003. Windows Server hosts many different services and can fulfill different roles within a company. These are some of the services that Windows Server provides:
Network Services - DNS, DHCP, Terminal Services, Network Controller, and Hyper-V Network Virtualization
File Services - SMB, NFS, and DFS
Web Services - FTP, HTTP, and HTTPS
Management - Group Policy and Active Directory Domain Services control

7.4 Windows Security

Windows Security: The netstat Command
When malware is present on a computer, it will often open communication ports on the host to send and receive data. The netstat command can be used to look for inbound or outbound connections that are not authorized. When used on its own, the netstat command displays all the active TCP connections. By examining these connections, it is possible to determine which programs are listening for connections that are not authorized. When a program is suspected of being malware, a little research can be performed to determine its legitimacy. From there, the process can be shut down with Task Manager, and malware removal software can be used to clean the computer. To make this process easier, you can link the connections to the running processes that created them in Task Manager. To do this, open a command prompt with administrative privileges and enter the netstat -abno command, as shown in the command output in the next slide.
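As an added example (not part of the Cisco slides), the following Python parses a constructed sample of netstat -abno output, attaches the executable name that -b prints under each row, and reports listening sockets that are not on an assumed allowlist of expected listeners, yielding the PIDs to locate in Task Manager:

```python
import re

# Constructed sample of "netstat -abno" output (not captured from a real host). With -b
# the owning executable follows each row in [brackets]; kernel-owned sockets (PID 4)
# instead print "Can not obtain ownership information".
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:49712     52.96.0.1:443          ESTABLISHED     4520
 [OneDrive.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6120
 [unknown_helper.exe]
"""
CONN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")

def parse_netstat_abno(text):
    """Parse the TCP rows and attach the executable printed on the following line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            addr, port, state, pid = m.groups()
            conns.append({"addr": addr, "port": int(port), "state": state,
                          "pid": int(pid), "exe": "unknown"})
        elif conns and line.strip().startswith("[") and line.strip().endswith("]"):
            conns[-1]["exe"] = line.strip()[1:-1]   # belongs to the row just parsed
    return conns

# Listeners an analyst expects on this host (assumed allowlist; tailor to the host's role).
EXPECTED_LISTENERS = {("svchost.exe", 135), ("System", 445)}

def suspicious_listeners(conns, expected=EXPECTED_LISTENERS):
    """LISTENING sockets whose (executable, local port) pair is not expected."""
    found = []
    for c in conns:
        exe = "System" if c["pid"] == 4 else c["exe"]   # PID 4 is the Windows kernel
        if c["state"] == "LISTENING" and (exe, c["port"]) not in expected:
            found.append(c)
    return found

def pids_to_check(conns):
    """PIDs to look up in Task Manager's PID column before ending the process."""
    return sorted({c["pid"] for c in suspicious_listeners(conns)})
```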
The netstat Command (Cont.)
Examining the active TCP connections, an analyst should be able to determine whether any suspicious programs are listening for incoming connections on the host. The process can then be located in the Windows Task Manager and ended. If more than one process is listed with the same name, use the PID to find the correct process. To display the PIDs for the processes in the Task Manager, open the Task Manager, right-click the table heading, and select PID.

Event Viewer
Windows Event Viewer logs the history of application, security, and system events. These log files are a valuable troubleshooting tool because they provide the information necessary to identify a problem. To open the Event Viewer, search for it and click the program icon, as shown in the figure.

Event Viewer (Cont.)
Windows includes two categories of event logs:
Windows Logs
Applications and Services Logs
Events that are displayed in these logs contain the following data:
level: information, warning, error, or critical
date and time that the event occurred
source of the event and an ID which relates to that type of event
Security event logs are found under Windows Logs. They use event IDs to identify the type of event.

Windows Update Management
Attackers are constantly producing new ways to compromise computers and exploit bad code. Microsoft is always trying to stay ahead of the attackers, so always make sure Windows is up to date with the latest service packs and security patches. Patches are code updates that manufacturers provide to prevent a newly discovered virus or worm from making a successful attack.
Windows Update Management (Cont.)
Windows routinely checks the Windows Update website for high-priority updates that can help protect a computer from the latest security threats. These updates include security updates, critical updates, and service packs. Update status, shown in the figure, allows you to check for updates manually and see the update history of the computer.

Local Security Policy
A security policy is a set of objectives that ensures the security of a network, the data, and the computer systems in an organization. The security policy is a constantly evolving document based on changes in technology, business, and employee requirements.

Local Security Policy (Cont.)
Active Directory is configured with Domains on a Windows Server. The admin configures a Domain Security Policy that applies to all computers that join the domain. Account policies are automatically set when a user logs in to a computer that is a member of a domain. Windows Local Security Policy, shown in the figure, can be used for stand-alone computers that are not part of an Active Directory domain.

Local Security Policy (Cont.)
Password guidelines are an important component of a security policy. Passwords help prevent theft of data and malicious acts. Use the Account Lockout Policy in Account Policies to prevent brute-force login attempts. A security policy should contain a rule requiring a computer to lock when the screensaver starts. If the Local Security Policy on every stand-alone computer is the same, use the Export Policy feature. The Local Security Policy applet contains many other security settings that apply specifically to the local computer.
You can configure User Rights, Firewall Rules, and even the ability to restrict the files that users or groups are allowed to run with AppLocker.

Windows Defender
Malware includes viruses, worms, Trojan horses, keyloggers, spyware, and adware. These are designed to invade privacy, steal information, damage the computer, or corrupt data. It is important that you protect computers and mobile devices using reputable antimalware software. The following types of antimalware programs are available:
Antivirus protection - This program continuously monitors for viruses. When a virus is detected, the user is warned, and the program attempts to quarantine or delete the virus.
Adware protection - This program continuously looks for programs that display advertising on your computer.
Phishing protection - This program blocks the IP addresses of known phishing websites and warns the user about suspicious sites.
Spyware protection - This program scans for keyloggers and other spyware.
Trusted/untrusted sources - This program warns you about unsafe programs about to be installed or unsafe websites before they are visited.
It may take several different programs and multiple scans to completely remove all malicious software. Run only one malware protection program at a time.

Windows Defender (Cont.)
Several reputable security organizations such as McAfee, Symantec, and Kaspersky offer all-inclusive malware protection for computers and mobile devices. Windows has built-in virus and spyware protection called Windows Defender, as shown in the figure. Windows Defender is turned on by default to provide real-time protection against infection.
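As an added example (not from the Cisco material), the Python below replays constructed Security log records of failed logons, as discussed in the Event Viewer and Account Lockout Policy slides above, against an assumed lockout threshold and counter-reset window, and also flags a source that spreads single failures across many accounts, a pattern a per-account lockout counter never reaches:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log rows (time, event ID, account, source IP); not captured from a
# host. 4625 is the real Windows "An account failed to log on" ID, which the slides do not name.
FAILED_LOGON = 4625
SAMPLE_EVENTS = [
    ("2020-03-02 08:00:00", 4625, "mlee", "10.0.0.41"),
    ("2020-03-02 08:45:00", 4625, "mlee", "10.0.0.41"),    # 45 min later: counter was reset
    ("2020-03-02 09:00:05", 4625, "jsmith", "10.0.0.23"),
    ("2020-03-02 09:00:12", 4625, "jsmith", "10.0.0.23"),
    ("2020-03-02 09:00:20", 4625, "jsmith", "10.0.0.23"),
    ("2020-03-02 09:00:31", 4625, "jsmith", "10.0.0.23"),
    ("2020-03-02 09:00:40", 4625, "jsmith", "10.0.0.23"),  # 5th failure inside the window
    ("2020-03-02 09:20:00", 4625, "amir", "10.0.0.77"),
    ("2020-03-02 09:20:01", 4625, "bea", "10.0.0.77"),
    ("2020-03-02 09:20:02", 4625, "carl", "10.0.0.77"),
]

def parse_events(rows):
    """Turn the rows into event dicts with a real datetime, like Event Viewer's columns."""
    return [{"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": eid,
             "account": acct, "ip": ip} for ts, eid, acct, ip in rows]

def lockout_analysis(events, threshold=5, reset_minutes=30):
    """Replay failed logons against an Account Lockout Policy: the threshold-th failure
    locks the account unless reset_minutes pass without one, which clears the counter."""
    counter, last_fail, locked = defaultdict(int), {}, {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != FAILED_LOGON:
            continue
        a = e["account"]
        if a in last_fail and e["time"] - last_fail[a] > timedelta(minutes=reset_minutes):
            counter[a] = 0
        counter[a] += 1
        last_fail[a] = e["time"]
        locked.setdefault(a, None)
        if locked[a] is None and counter[a] >= threshold:
            locked[a] = e["time"]
    return locked

def spraying_sources(events, min_accounts=3):
    """Sources that failed against many different accounts: one try per account never
    reaches the per-account counter above, so detection needs this view as well."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        if e["id"] == FAILED_LOGON:
            accounts_by_ip[e["ip"]].add(e["account"])
    return sorted(ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts)
```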
Windows Defender Firewall
A firewall selectively denies traffic to a computer or network segment. Firewalls generally work by opening and closing the ports used by various applications. By opening only the required ports on a firewall, you are implementing a restrictive security policy. Any packet not explicitly permitted is denied.

Windows Defender Firewall (Cont.)
To allow program access through the Windows Defender Firewall, search for Control Panel. Under System and Security, locate Windows Defender Firewall. Click Allow an app or feature through Windows Defender Firewall, as shown in the figure. To use a different software firewall, you will need to disable Windows Firewall. To disable the Windows Firewall, click Turn Windows Firewall
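As an added example (not the firewall's own code), the Python below models the restrictive, default-deny evaluation described above with a constructed inbound rule set: an explicit block rule wins over an allow rule, as in Windows Defender Firewall, anything unmatched falls to the block default, and a helper flags allow rules broader than "only the required ports":

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    protocol: str               # "TCP", "UDP" or "any"
    local_port: Optional[int]   # None means every port
    remote: str = "any"         # remote address scope as CIDR, or "any"

# Constructed inbound rule set (not a real host's configuration).
RULES = [
    Rule("allow", "TCP", 3389, "10.0.0.0/8"),       # Remote Desktop, internal only
    Rule("allow", "TCP", 445, "192.168.1.0/24"),    # SMB file sharing from the LAN
    Rule("allow", "UDP", 5353),                     # open to any remote address
    Rule("block", "TCP", 445, "192.168.1.200/32"),  # one LAN host explicitly blocked
]

def matches(rule, proto, port, remote_ip):
    """True when an inbound packet's protocol, local port and source fall under the rule."""
    if rule.protocol != "any" and rule.protocol != proto:
        return False
    if rule.local_port is not None and rule.local_port != port:
        return False
    if rule.remote == "any":
        return True
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote)

def inbound_decision(rules, proto, port, remote_ip, default="block"):
    """Windows Defender Firewall style evaluation: a matching block rule beats any
    allow rule, and a packet that matches nothing gets the profile default (block)."""
    hits = [r for r in rules if matches(r, proto, port, remote_ip)]
    if any(r.action == "block" for r in hits):
        return "block"
    if any(r.action == "allow" for r in hits):
        return "allow"
    return default

def overly_broad_rules(rules):
    """Allow rules that open every port or accept any remote address, the opposite of
    opening only the required ports."""
    return [r for r in rules if r.action == "allow"
            and (r.local_port is None or r.remote == "any")]
```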