June 3, 2023
thedarktech

Windows Basics

This article introduces some important concepts related to Microsoft Windows operating systems.

Windows Authentication: Local versus Centralised

Authentication is a process by which the operating system is able to verify and allow legitimate users and restrict unauthorized ones.

The most common method used for authentication is the username/password pair. (Some advanced systems allow biometric authentication as well, including fingerprint, retina scan, and so on.) It’s important to understand the various techniques Windows uses to authenticate a user.

Local Authentication

In this method, Windows stores the user credentials locally on the same system. Hence the user can log in even if he or she is not connected to any network.

Most of the systems used for individual or home use are authenticated locally. Windows makes use of Security Account Manager (SAM) for storing user credentials locally on the system.

The path where the SAM resides is <$Drive>:\windows\system32\config\SAM.

The SAM stores passwords in hashed form (NT hashes, which are unsalted). There are tools that can dump the entire SAM database, and an attacker who obtains it can then use various techniques to crack the hashes offline and recover the passwords. The hive is held open by the kernel while Windows runs and its ACL grants access only to SYSTEM and Administrators, so protecting administrative access to the machine (and any copies of the hive) is what keeps those hashes safe.
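The two checks a defender would run on a standalone machine after reading the above, as an added example that is not part of the original post: list the local accounts that deserve a second look, and confirm that the on-disk SAM hive still carries its default ACL. The script assumes an elevated PowerShell 5.1 or later prompt and the built-in identity names `NT AUTHORITY\SYSTEM` and `BUILTIN\Administrators`.

```powershell
# Added example, not part of the original post: audit local accounts and
# confirm the on-disk SAM hive is reachable only by SYSTEM and Administrators.
# Run from an elevated PowerShell 5.1 or later prompt on the machine itself.

# 1. Enumerate local accounts. Enabled accounts that need no password, or
#    whose password never expires, are the ones worth reviewing first.
$accounts = Get-LocalUser |
    Select-Object Name, Enabled, PasswordRequired, PasswordExpires, PasswordLastSet, LastLogon
$accounts | Format-Table -AutoSize

$review = $accounts | Where-Object {
    $_.Enabled -and ((-not $_.PasswordRequired) -or ($null -eq $_.PasswordExpires))
}
if ($review) {
    Write-Warning 'Enabled accounts with no password required or a non-expiring password:'
    $review | Format-Table Name, PasswordRequired, PasswordExpires -AutoSize
}

# 2. Read the DACL on the SAM hive. The file is held open by the kernel
#    while Windows runs, but its security descriptor can still be read
#    (icacls shows the same information). Only SYSTEM and the local
#    Administrators group should appear; anything else is a finding.
$samPath  = Join-Path $env:SystemRoot 'System32\config\SAM'
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # assumed default ACL
$acl = Get-Acl -Path $samPath
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if ($expected -notcontains $who) {
        Write-Warning ('Unexpected ACE on SAM: {0} -> {1}' -f $who, $ace.FileSystemRights)
    }
}
```

If the second check prints a warning, the hive can be read by accounts that should never see it; that is the condition under which the "dump the SAM" tools mentioned above become usable by a non-administrator.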

Centralized Authentication

For individual and home users, local authentication works fine. But in a corporate network with hundreds of systems, it is more efficient to use centralized authentication.

This gives better administrative control over the user accounts and helps enforce policies easily. Beginning in Windows 2000, Microsoft introduced Active Directory (AD), a central database that stores a lot of information about user accounts. Active Directory provides not only centralized authentication but also authorization.

One of the most useful features of AD is groups. The AD admin can create groups of users based on various criteria (logical, physical, and so on) and then apply customized policies to selected groups. This facilitates fine-grained control over the user accounts.
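Because groups carry the policies, the membership of the privileged groups is what an administrator should review regularly. The following is an added example (not from the original post) that reports who is in the default high-privilege AD groups and flags stale or risky members. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the directory, and that the groups still have their default English names; the 90-day staleness window is an assumption.

```powershell
# Added example, not part of the original post: report membership of the
# high-privilege AD groups and flag accounts worth reviewing.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordNeverExpires
            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                PasswordNeverExpires = $u.PasswordNeverExpires
            }
        }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Flag privileged accounts that are disabled but still members, have a
# non-expiring password, or have not logged on in 90 days (assumed window).
$cutoff = (Get-Date).AddDays(-90)
$report | Where-Object {
    (-not $_.Enabled) -or $_.PasswordNeverExpires -or
    ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
} | Format-Table -AutoSize
```

The second table is the one to act on: every row is either an account that should be removed from the group or an exception that should be documented.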

The Windows Registry

The Windows Registry is a hierarchical database that contains critical low-level information about system hardware, applications and settings, and user account profiles.

Whenever you install or uninstall an application, the Registry is modified. When you make any changes in system settings, they are reflected in the Registry. For any Windows system, the Registry is extremely important, and if it becomes corrupted, then the entire Windows system might fail and stall.

Most of the malware programs that can infect your system (like viruses, spyware, Trojans, and so on) also make changes to the Registry.

To access the Windows Registry, press the Windows key + R, type regedit.exe, and press Enter.

Note: Before you make any changes to the Registry, it is important to back up its current state in case anything goes wrong and you need to restore it to its original state.


Backing Up and Restoring the Windows Registry

To back up the existing, current state of the Windows Registry, open the Registry and choose File ➤ Export. Then save the file in a safe location.

To restore a saved backup, open the Registry Editor, choose File ➤ Import, and select the exported .reg file.
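The same backup-then-inspect-then-restore cycle can be scripted. This added example (not from the original post) uses reg.exe, which writes the same .reg format as File ➤ Export, to back up the Run/RunOnce keys that malware commonly modifies, then lists their values and shows the matching restore step. The backup folder under the user profile is an assumption.

```powershell
# Added example, not part of the original post: back up the registry keys you
# are about to inspect (the scripted equivalent of File > Export), list the
# autostart values under them, and show the matching restore step.
# The backup folder is an assumption; change it as you like.
$backupDir = Join-Path $env:USERPROFILE 'RegBackups'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Keys in PowerShell drive form; reg.exe wants them without the colon.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$autostarts = foreach ($key in $runKeys) {
    $regKey = $key -replace ':', ''
    $file   = Join-Path $backupDir (($regKey -replace '\\', '_') + "-$stamp.reg")

    # 1. Export the key to a .reg file before reading or changing anything.
    reg.exe export $regKey $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export $regKey"; continue }

    # 2. Each value under a Run key is a command line started at logon/boot.
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            [pscustomobject]@{ Key = $regKey; Name = $p.Name; Command = $p.Value }
        }
    }
}
$autostarts | Format-Table -AutoSize

# 3. Restore is the reverse operation (File > Import in regedit). For example:
#    reg.exe import "$backupDir\HKLM_Software_Microsoft_Windows_CurrentVersion_Run-$stamp.reg"
Write-Host "Backups written to $backupDir"
```

Run it elevated so the HKLM keys can be exported; the HKCU keys belong to the account the prompt runs as.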

The Windows Event Viewer

Whenever a fraud or a system compromise happens, the incident response team will first request the system audit logs.

If the compromised system has maintained sufficient audit logs of all the events, then it becomes easy to trace back the incident.

If event logs are not configured and maintained, then the investigation of an incident becomes extremely difficult. The Windows operating system categorizes and stores event logs and has an application called Event Viewer to check the logs.

1. If a hacker or an attacker compromises a system, before leaving the system they will try to clear all the event logs in order to cover their tracks. Event logs can be viewed through the Windows Event Viewer application (Figure 1-3). It can be accessed by choosing Control Panel ➤ System and Security ➤ Administrative Tools ➤ Event Viewer.

2. In Windows 7 and above you can also directly search for Event Viewer in Windows Search.

The Event Viewer has many options to search and filter the required events and acts as a comprehensive resource for auditing information.
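What the Event Viewer filters give you by hand, Get-WinEvent gives you as a script. The following added example (not from the original post) pulls the three things an incident responder asks for first from the Security log: whether the log was cleared (Windows writes event 1102 as the first entry after a clear, so the act of covering tracks is itself recorded), failed logons grouped by account and source, and successful remote logons. The event IDs and property positions are the standard Windows ones; the seven-day window is an assumption, and an elevated prompt is required to read the Security log.

```powershell
# Added example, not part of the original post: the first Security-log
# questions in an incident, answered with Get-WinEvent. Needs an elevated
# prompt. Event IDs are the standard Windows ones: 1102 = audit log cleared,
# 4624 = successful logon, 4625 = failed logon. The 7-day window is assumed.
$since = (Get-Date).AddDays(-7)

# 1. Was the Security log cleared? Clearing it leaves 1102 as the first
#    entry, with the clearing account in the event's subject fields.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
if ($cleared) {
    Write-Warning "Security log was cleared $($cleared.Count) time(s) since $since"
    $cleared | Select-Object TimeCreated, Id, @{n='By'; e={ $_.Properties[1].Value }} | Format-Table -AutoSize
}

# 2. Failed logons per account and source address (4625 schema:
#    TargetUserName is index 5, IpAddress is index 19).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[5].Value
            Source  = $_.Properties[19].Value
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 3. Successful network (3) and remote-interactive (10) logons (4624 schema:
#    TargetUserName index 5, LogonType index 8, IpAddress index 18).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -in 3, 10 } |
    Select-Object TimeCreated,
        @{n='Account';   e={ $_.Properties[5].Value }},
        @{n='LogonType'; e={ $_.Properties[8].Value }},
        @{n='Source';    e={ $_.Properties[18].Value }} -First 20
```

If the 1102 query returns rows on a machine where nobody scheduled a log rotation, treat that timestamp as the start of the investigation window and pull the same queries from any central log collector, since the local copy is no longer complete.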


Windows Services

A Windows service is just like any other application that you install; however, the difference is how the service functions. A service runs and performs its tasks in the background. For example, the anti-virus service starts automatically when Windows starts.

When you insert a USB drive, for example, the anti-virus service, which is running in the background, automatically initiates a virus scan on the USB drive. Some services are the result of applications that are installed explicitly, while other services run by default in a Windows system. When a system is infected, malware may be running some service in the background.

So for a system administrator, it is important to monitor all the services running and disable any unwanted ones.
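A plain service list does not tell you which entries are unwanted, so the following added example (not from the original post) inventories services through WMI together with each one's executable and flags the ones that merit a look: binary outside the Windows or Program Files trees, no valid Authenticode signature, or an unquoted command line whose path contains spaces. The set of "trusted" directories is an assumption made for this check, not a rule Windows enforces.

```powershell
# Added example, not part of the original post: inventory services with their
# executable and flag any whose binary sits outside the Windows or Program
# Files trees, is not validly signed, or is referenced by an unquoted path
# containing spaces. The "trusted" directories are an assumption for this
# check, not a Windows rule. Run elevated to see every service's details.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }

    # Extract the executable from the service command line.
    if ($svc.PathName -match '^"([^"]+)"') {
        $exe = $Matches[1]; $quoted = $true
    } elseif ($svc.PathName -match '^(.+?\.exe)') {
        $exe = $Matches[1]; $quoted = $false
    } else {
        $exe = ($svc.PathName -split '\s+')[0]; $quoted = $false
    }

    $inTrusted = [bool]($trustedRoots | Where-Object {
        $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    })
    $sig = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else { 'FileMissing' }
    $unquotedWithSpace = (-not $quoted) -and ($exe -match '\s')

    $reasons = @()
    if (-not $inTrusted)      { $reasons += 'outside trusted directories' }
    if ($sig -ne 'Valid')     { $reasons += "signature $sig" }
    if ($unquotedWithSpace)   { $reasons += 'unquoted path with spaces' }
    if ($reasons.Count -eq 0) { continue }

    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        RunsAs    = $svc.StartName
        Exe       = $exe
        Reason    = $reasons -join '; '
    }
}
$findings | Sort-Object State, Name | Format-Table -AutoSize
```

A running, auto-start service with an unsigned binary in a user-writable folder is the pattern to investigate first; a legitimately installed vendor service with a valid signature in Program Files will not appear in the output at all.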

Windows Processes

Unlike a Windows service, which runs in the background, a Windows process is typically an instance of a program or application.

So whenever you launch a new application, a corresponding process is spawned in memory, and when you quit or exit the application the process is killed. To analyze in detail which processes are currently running and how they are interacting with the outside world, you can use a program called Process Explorer.
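Process Explorer's TCP/IP tab is the part that shows "how they are interacting with the outside world". The following added example (not from the original post) reproduces that view from the command line by joining every established TCP connection to its owning process, its executable path and its signature status, then lists what the machine is listening on. It uses only built-in cmdlets; the exclusion of loopback listeners is a choice made here.

```powershell
# Added example, not part of the original post: a command-line version of
# Process Explorer's TCP/IP view. Each established connection is joined to
# its owning process; then non-loopback listening ports are listed.
# Run elevated so the path of every process can be read.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

# OwningProcess is a UInt32; Get-Process IDs are Int32, hence the cast.
Get-NetTCPConnection -State Established |
    ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }
        [pscustomobject]@{
            PID     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<unknown>' }
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Path    = $path
            Signed  = if ($path -and (Test-Path -LiteralPath $path)) {
                          (Get-AuthenticodeSignature -FilePath $path).Status
                      } else { 'n/a' }
        }
    } |
    Sort-Object Process |
    Format-Table -AutoSize

# Listening ports: what the machine exposes to the network (loopback excluded).
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n='Process'; e={ $procs[[int]$_.OwningProcess].ProcessName }} |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize
```

An unsigned process with an established connection to an address you do not recognise is exactly the row Process Explorer would colour for you; here it is a line in the first table.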

Windows Security Policies

The Windows operating system comes with a built-in tool known as Group Policy Editor, which helps the user or administrator configure various settings, parameters, and security policies.

To get started with the tool, press the Windows key + R, type gpedit.msc, and press Enter. You can simply double-click an item in the right pane to view more details and configure it accordingly.

gpedit.msc edits only the local policy of the machine it runs on. On a domain controller, an administrator uses domain Group Policy Objects (managed through the Group Policy Management Console, gpmc.msc) to enforce security policies on all the member systems.
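To check what the policy editor actually applied, the local security settings can be exported with secedit and read back. The following added example (not from the original post) dumps the effective local security policy, parses the password and lockout values that gpedit shows under Computer Configuration ➤ Windows Settings ➤ Security Settings, and compares them with a baseline; the threshold values in the baseline are assumptions for illustration, not Microsoft's recommendations.

```powershell
# Added example, not part of the original post: export the effective local
# security policy with secedit and check password/lockout settings against
# assumed baseline values. Requires an elevated prompt.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed' }

# The export is INI-like; [System Access] holds the password/lockout policy.
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}

# Baseline values are assumptions for illustration only.
$baseline = @{
    MinimumPasswordLength = 14
    PasswordComplexity    = 1
    LockoutBadCount       = 10
    MaximumPasswordAge    = 365   # secedit reports -1 for "never expires"
}

$results = foreach ($name in $baseline.Keys) {
    $actual = [int]$policy[$name]
    $ok = if ($name -eq 'MaximumPasswordAge') {
              ($actual -ne -1) -and ($actual -le $baseline[$name])
          } else {
              $actual -ge $baseline[$name]
          }
    [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $baseline[$name]; Pass = $ok }
}
$results | Format-Table -AutoSize
Remove-Item $cfg -Force
```

On a domain-joined machine the values you see here are the result of local policy plus whatever domain GPOs apply, so this is also a quick way to confirm that a policy pushed from the domain controller actually reached the member.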

The Windows Firewall

The Windows operating system offers a decent built-in firewall for managing and filtering inbound and outbound traffic.

It has a simple and easy-to-use Graphical User Interface (GUI), which helps you review existing rules and create new rules based on your needs.

To open Windows Firewall, press the Windows Key + R, type wf.msc, and press Enter.

In the left pane, you can see the rule categories, in the middle pane you can see the existing rules for the selected category, and in the right pane, you can filter the rules or create new rules.
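The same review that wf.msc offers through its three panes can be done with the NetSecurity cmdlets. This added example (not from the original post) first confirms that the firewall is enabled on every profile with inbound traffic blocked by default, then lists the enabled inbound Allow rules together with the port and program each one opens, which is the view you would otherwise build by filtering the middle pane. It assumes an elevated prompt so that all rules are visible.

```powershell
# Added example, not part of the original post: check the firewall profiles
# and list the enabled inbound Allow rules with what each one opens.
# Run elevated to see every rule.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize

# A profile that is off, or that allows inbound by default, is a finding.
$bad = Get-NetFirewallProfile | Where-Object { (-not $_.Enabled) -or ($_.DefaultInboundAction -ne 'Block') }
foreach ($p in $bad) {
    Write-Warning "Profile $($p.Name): Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

# Enabled inbound Allow rules, joined to their port and application filters.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
        }
    } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Rules with `Protocol = Any` and `LocalPort = Any` for a program you do not recognise are the ones to read closely; every other rule in the list opens a specific, reviewable surface.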

If you want to know more about Windows, just leave a comment and we will cover it soon. Also let me know if you would like a Windows command cheat sheet.

