UNIT 1: WINDOWS SECURITY

INTRODUCTION TO OPERATING SYSTEM
• An operating system is a program that controls the execution of application programs. It is an interface between applications and hardware.
• Operating systems create the link between users and applications and form the core of computer systems.

DIFFERENT TYPES OF OPERATING SYSTEMS
• Real-time Operating System - a multitasking operating system that aims at executing real-time applications. It uses specialized scheduling algorithms to achieve deterministic behaviour, giving quick and predictable responses to events. It has either an event-driven or a time-sharing design.
• Multi-user and Single-user Operating Systems - a multi-user system allows multiple users to access a computer system concurrently. A single-user operating system, as opposed to a multi-user operating system, is usable by a single user at a time. Ex: Unix supports multiple users.
• Multi-tasking and Single-tasking Operating Systems - in multi-tasking the operating system allows the execution of multiple tasks at one time, whereas in single-tasking only a single program is allowed to run at a time.
• Distributed Operating System - manages a group of independent computers and makes them appear to be a single computer.
• Embedded System - operating systems designed for use in embedded computer systems are known as embedded operating systems. They are designed to operate on small machines like PDAs with less autonomy.

WINDOWS EDITION
• Windows has evolved a lot since its development, from Windows 1.0 up to the current Windows 10.
• Refer to this link for the evolution of the Microsoft Windows operating system: https://en.wikipedia.org/wiki/Microsoft_Windows_version_history

COMPARISON BETWEEN WINDOWS 8 AND 10
• Windows 8 had the Start Screen with live tiles.
Windows 10 brings back the Start Menu, with the classic options on the left and live tiles on the right.

START MENU
• The Windows 10 Store brings together the functionality of Windows 8 and the ease of using Windows 7. Legacy apps are now available in the Store, giving users many more app options.
• Windows 8 has two versions of Internet Explorer. Windows 10 features IE and the new browser Edge, ideal for annotating, reading, and saving web pages and articles.
• The organizational strategy of Windows 8 focused on single-space usage. Windows 10 combines a more sophisticated approach, including Task View, Snap Assist, and virtual desktops for more efficient use of your workspace.

WINDOWS DESKTOP SECURITY
• Windows desktops provide plenty of settings that will help you achieve your security goals. The following is a list of settings that you will want to configure to secure a Windows desktop.
• USER ACCOUNT CONTROL (UAC) - set it according to whether the user is an Admin or a standard user. Set it to require an administrative password for any user to run any application.
• INTERNET EXPLORER - the version of IE that ships with Windows 7 provides strong security when you are browsing the Internet. The Protected Mode option in IE 8 (also in the IE 7 that ships with Windows Vista) can help protect you from malware, adware, viruses, etc. when you are browsing the Internet.
• WINDOWS FIREWALL - Windows Firewall comes by default already set up and configured with rules.
• SERVICES - establish a list of approved and denied services using Group Policy Preferences to list what should run and what should not run.
• INSTALLATION OF REMOVABLE STORAGE DEVICES - control the use of external USB storage devices.
• BITLOCKER - a drive encryption technology. The technology is simple and easy to configure.
DESKTOPS: LOCAL RIGHTS AND PRIVILEGES
• User rights - these are "per computer" configurations that control what a user (or, preferably, a group of users) can do to a computer.
• Permissions - these are what you configure for resource access. A resource is a file, folder, Registry key, printer, or Active Directory object (if on a Domain Controller). Permissions are what you configure on the Access Control List (ACL). Permissions define "who can do what" to a resource. Examples might be Read, Modify, Delete, etc.
• You can access these and all other user rights using Group Policy. Locally on a desktop you can access the Local Group Policy by typing gpedit.msc at the Run command, which opens the Local Group Policy Editor.

REGISTRY
• It is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user interface and third-party applications all make use of the Registry.

REGISTRY STRUCTURE
• The Registry contains two basic elements: Keys and Values.
• There are five Root Keys:
  HKEY_CLASSES_ROOT
  HKEY_CURRENT_USER
  HKEY_LOCAL_MACHINE
  HKEY_USERS
  HKEY_CURRENT_CONFIG
• NB: use regedit to access them.
• HKEY_CLASSES_ROOT (HKCR) - stores information about registered applications.
• HKEY_CURRENT_USER (HKCU) - stores settings that are specific to the currently logged-in user.
• HKEY_LOCAL_MACHINE (HKLM) - stores settings that are specific to the local computer. HKLM contains four subkeys, SAM, SECURITY, SOFTWARE and SYSTEM, that are found within their respective files located in the %SystemRoot%\System32\config folder. A fifth subkey, HARDWARE, is volatile and is created dynamically, and as such is not stored in a file.
• HKEY_USERS (HKU) - contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user profile actively loaded on the machine, though user hives are usually only loaded for currently logged-in users.
• HKEY_CURRENT_CONFIG - contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.

REGISTRY EDITING
• The Registry can be edited by running the following from the command prompt: Regedit.exe
• Press the Windows key plus R, then type Regedit.exe.

COMMAND LINE EDITING
Step 1. Go to Run
Step 2. Type cmd and click OK
Step 3. Type regedit.exe at the command prompt
Step 4. Press Enter and the Registry Editor opens
Step 5. Make the changes
WINDOWS LOGON PROCESS
• Users must log on to a Windows NT machine in order to use that NT-based machine or network.
• The logon process itself cannot be bypassed; it is mandatory.
• Once the user has logged on, an access token is created which contains user-specific security information, such as: security identifier, group identifiers, user rights and permissions.
• The first step in the WinLogon process is something we are all familiar with, CTRL+ALT+DEL, which is the default Security Attention Sequence (SAS).
• This SAS is a signal to the operating system that someone is trying to log on.
• After the SAS is triggered, all user-mode applications pause until the security operation completes or is cancelled.
• SAS is not just a logon operation; this same key combination can be used for logging on, logging off, changing a password or locking the workstation.
• The pausing, or closing, of all user-mode applications during SAS is a security feature that most people take for granted and don't understand.
• Due to this pausing of applications, logon-related Trojans are stopped; key loggers (programs that run in memory, keeping track of keystrokes and therefore recording someone's password) are stopped as well.
• After typing in your information and clicking OK (or pressing Enter), the WinLogon process supplies the information to the security subsystem, which in turn compares the information to the Security Accounts Manager (SAM).
• If the information matches the information in the SAM, an access token is created for the user.
• WinLogon takes the access token and passes it on to the Win32 subsystem, which in turn starts the operating system's shell. The token is also used for auditing and logging features to track user usage and access of network resources.
• All of the options for the WinLogon process are contained in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon area.
• You can also fine-tune the process by using the Policy Editor.

SECURITY ARCHITECTURE COMPONENTS
• They include:
1. Local Security Authority (LSA): also known as the security subsystem. It handles local security policies and user authentication. The LSA also handles generating and logging audit messages.
2. Security Accounts Manager (SAM): the SAM handles user and group accounts, and provides user authentication for the LSA.
3. Security Reference Monitor (SRM): the SRM is in charge of enforcing and assuring access validation and auditing for the LSA. It references user account information as the user attempts to access resources.

DETERMINING IF YOU ARE ACTIVELY BEING COMPROMISED
• Do you know what ports you're communicating on? One of the biggest fears for any systems administrator is that his/her machine has been compromised.
• A few of the things you can do to find out if someone else is hanging around your system include:
1. Listing open connections
2. Sniffing the wire
3. Siphoning through log files
4. Using Process Monitor to examine the registry and running processes
5. Looking for new user accounts
6. Windows security features

LISTING OPEN CONNECTIONS
• Output a list of the open connections to your system.
• Use the netstat command. Example: netstat -nao at a command prompt outputs a list of listening UDP and TCP ports.

SNIFFING THE WIRE
• In order to sniff packets quickly I recommend Wireshark or tcpdump, the world's most popular packet sniffing applications.
• When doing this make sure you turn off any services that may be utilizing the network, so as not to cloud your results.

SIPHONING THROUGH LOG FILES
• Log files are the bread and butter of any systems administrator, software developer, or intrusion analyst.
• The quickest way to access the Event Viewer on your Windows system is to type eventvwr.msc from the Run dialog or command line.
• From here you will want to examine all of the log files for activity that looks inconsistent with your daily activities.
• Some events that I look for include:
• A large number of failed login attempts. This can indicate someone attempting to guess or brute-force an account password.
• The event log service being stopped.
• Unusual services starting. Any service that you don't recognize is worth investigating as it could be malicious.

PROCESS MONITOR TO EXAMINE THE REGISTRY AND RUNNING PROCESSES
• Two of the most important areas to look at when attempting to determine if a system has been compromised are the system registry and the running processes.
• Any change to a system is reflected in the registry, and every task that occurs on a system is done with some kind of process.
• Windows Sysinternals provides the Process Monitor tool. Using Process Monitor you can view changes to the registry as they are actively happening and view active processes and detailed information associated with them.
• Download Process Monitor from Microsoft.

LOOKING FOR NEW USER ACCOUNTS
• It's incredibly common for an attacker to compromise a system and then create a new user account on it for easy re-entry into the system.
• You can view the user accounts on your system by going to the Start menu, right-clicking Computer, clicking Manage, and browsing the Users and Groups heading.

WINDOWS SECURITY TOOLS
• Microsoft has been hardening the "out of the box" experience for some time, with the new Firewall and User Account Control features coming preconfigured.

CLIENT-SERVER ARCHITECTURE
• The client-server characteristic describes the relationship of cooperating programs in an application.
• The server component provides a function or service to one or many clients, which initiate requests for such services.
• Functions such as email exchange, web access and database access are built on the client-server model.
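The checks listed above (listing open connections with netstat -nao, reviewing the event logs for failed logons, a stopped event log service and unusual services, and looking for new user accounts) are applied below to constructed sample data. This is an added example, not code from the slides: the netstat output, the event lines, the expected-port baseline and the failed-logon threshold are all made up, and the only real values are the standard Windows event IDs 4625 (failed logon), 4720 (user account created), 1100 (event logging service shut down) and 7045 (new service installed, System log).

```python
"""Triage helpers for the checks listed under DETERMINING IF YOU ARE ACTIVELY
BEING COMPROMISED: open connections, event log review and new user accounts.
Added example, not part of the original slides; all sample input is constructed."""
from collections import Counter

# Constructed sample of `netstat -nao` output as Windows prints it.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.20:51234     203.0.113.7:443        ESTABLISHED     2200
  UDP    0.0.0.0:5355           *:*                                    1400
"""

# Assumed baseline: (protocol, port) pairs the administrator documented as expected.
EXPECTED_LISTENING = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 5355)}

# Standard Windows event IDs (Security log; 7045 is logged in the System log).
FAILED_LOGON, ACCOUNT_CREATED, LOG_SERVICE_STOPPED, NEW_SERVICE = 4625, 4720, 1100, 7045

# Constructed sample events, one per line, as key=value fields taken from Event Viewer.
EVENTS_SAMPLE = r"""
EventID=4624 TargetUserName=alice IpAddress=192.168.1.30
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9
EventID=4625 TargetUserName=alice IpAddress=192.168.1.30
EventID=1100
EventID=7045 ServiceName=WinUpdSvc ImagePath=C:\Users\Public\upd.exe
EventID=4720 TargetUserName=support
"""


def parse_netstat(text):
    """Parse netstat -nao rows; UDP rows carry no State column, so the PID shifts left."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], int(parts[4])) if proto == "TCP" else ("", int(parts[3]))
        port = int(local.rsplit(":", 1)[1])   # works for IPv4 and bracketed IPv6
        rows.append({"proto": proto, "port": port, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def unexpected_listeners(rows, expected=EXPECTED_LISTENING):
    """Listening sockets (TCP LISTENING, or any UDP bind) not in the baseline;
    the PID is what you then look up in Process Monitor or Task Manager."""
    return [r for r in rows
            if (r["proto"] == "UDP" or r["state"] == "LISTENING")
            and (r["proto"], r["port"]) not in expected]


def parse_events(text):
    """Turn key=value event lines into dicts with an integer EventID."""
    events = []
    for line in text.splitlines():
        if not line.startswith("EventID="):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["EventID"] = int(fields["EventID"])
        events.append(fields)
    return events


def triage_events(events, failed_logon_threshold=5):
    """Apply the slide's indicators; the threshold is an assumed tuning value."""
    findings = []
    failed = Counter((e.get("IpAddress"), e.get("TargetUserName"))
                     for e in events if e["EventID"] == FAILED_LOGON)
    for (ip, user), n in failed.items():
        if n >= failed_logon_threshold:
            findings.append(f"{n} failed logons for {user} from {ip} (possible brute force)")
    for e in events:
        if e["EventID"] == LOG_SERVICE_STOPPED:
            findings.append("event log service was stopped")
        elif e["EventID"] == NEW_SERVICE:
            findings.append(f"new service installed: {e.get('ServiceName')} at {e.get('ImagePath')}")
        elif e["EventID"] == ACCOUNT_CREATED:
            findings.append(f"new user account created: {e.get('TargetUserName')}")
    return findings


if __name__ == "__main__":
    for r in unexpected_listeners(parse_netstat(NETSTAT_SAMPLE)):
        print(f"unexpected listener: {r['proto']} port {r['port']} PID {r['pid']}")
    for finding in triage_events(parse_events(EVENTS_SAMPLE)):
        print("finding:", finding)
```

On a real host the input to parse_netstat would be the saved output of netstat -nao, and the event lines would come from an Event Viewer export; the baseline of expected ports is the part that has to be maintained by hand, because a listener is only "unexpected" relative to what the administrator knows should be running.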
ELEMENTS OF C-S COMPUTING
• In a C-S relationship most of the application processing is done on one computer (client side), which obtains application services (such as database services) from another computer (server side) in a master-slave configuration.
• Examples of clients include web browsers, email clients, and online chat clients.
• Examples of servers include web servers, FTP servers, application servers, database servers, name servers, mail servers, file servers and print servers.
• A server is a host that provides one or more services for other hosts over a network as a primary function. Example: a file server provides file sharing services so that users can access, modify, store, and delete files, and a database server provides database services for web applications on web servers.

BASIC SERVER SECURITY STEPS
• Plan the installation and deployment of the operating system (OS) and other components for the server.
• Install, configure, and secure the underlying OS.
• Install, configure, and secure the server software.
• Employ appropriate network protection mechanisms (e.g., firewall, packet filtering router, and proxy).
• Employ secure administration and maintenance processes, including application of patches and upgrades, monitoring of logs, backups of data and OS, and periodic security testing.

SERVER SECURITY PRINCIPLES
• Simplicity - complexity is at the root of many security issues.
• Fail-Safe - if a failure occurs, the system should fail in a secure manner, i.e., security controls and settings remain in effect and are enforced.
• Complete Mediation - common examples of mediators include file system permissions, proxies, firewalls, and mail gateways.
• Work Factor - organizations should understand what it would take to break the system or network's security features.
• Separation of Privilege - e.g., in the case of system operators and users, roles should be as separate as possible.

SECURING THE SERVER OPERATING SYSTEM
• Patch and update the OS.
• Harden and configure the OS to address security adequately.
• Install and configure additional security controls, if needed.
• Test the security of the OS to ensure that the previous steps adequately addressed all security issues.
• The combined result of these steps should be a reasonable level of protection for the server's OS.

LINUX SECURITY
• Linux is a generic term referring to the family of Unix-like computer operating systems that use the Linux kernel.
• A Linux-based system is a modular Unix-like operating system. It derives much of its basic design from principles established in Unix during the 1970s and 1980s.
• Security is a process, not a permanent state. To ensure continued security, regularly do the following:
  Keep current with patches
  Monitor log files
  Audit password strength
  Check your binaries
  Check for remote vulnerabilities

LINUX LAYERS
• Linux/Unix has three most important parts. They are the Kernel, the Shell and the File System.

LINUX DIRECTORY STRUCTURE
• The Linux file system structure is organized in directories which include:
/ - Root
/bin - User Binaries
/sbin - System Binaries
/etc - Configuration Files
/dev - Device Files
/proc - Process Information
/var - Variable Files
/tmp - Temporary Files
/usr - User Programs
/home - Home Directories
/boot - Boot Loader Files
/lib - System Libraries
/opt - Optional add-on Applications
/mnt - Mount Directory
/media - Removable Media Devices
/srv - Service Data
• NB: to access these directories use the cd command to navigate into each and list the contents using the ls command. EXAMPLE:
#cd /etc
#ls

BENEFITS OF LINUX
• Dozens of excellent, free, general-interest desktop applications.
• Advanced graphical user interface.
• A modern, very stable, multi-user, multitasking environment on your inexpensive PC hardware, at no (or almost no) monetary cost for the software.
• Thousands of free applets, tools, and smaller programs.
• State-of-the-art development platform with many best-of-their-kind programming languages and tools coming free with the operating system.
• Freedom from viruses, "backdoors" to your computer, software manufacturer "features," invasion of privacy, forced upgrades, proprietary file formats, licensing and marketing schemes, product registration, high software prices, and pirating.

LINUX INSTALLATION
• USEFUL LINKS:
https://www.hackingarticles.in/how-to-install-kali-linux-step-by-step-guide/
https://www.hackingarticles.in/multiple-ways-to-install-kali/

LINUX SHADOW & PASSWORD FILES
• SHADOW FILE - used to increase the security level of passwords by restricting access to hashed password data to highly privileged users. Data is kept in files owned by and accessible only to the superuser.
• PASSWD FILE - a text file that contains the attributes of each user or account on a computer running Linux or another Unix-like operating system.
• Accessing the two files: use any text editor to open both files. EXAMPLE:
#cat /etc/passwd
#cat /etc/shadow
• USEFUL LINKS:
https://www.2daygeek.com/understanding-linux-etc-shadow-file-format/

SETTING UP FIREWALL IN LINUX
• IPTABLES is used to set up a firewall in Linux systems. IPTables is a packet filter for kernels 2.4 and above. It provides enhanced features such as stateful packet filtering, Network Address Translation and MAC address filtering.
• USEFUL LINKS:
https://www.lisenet.com/2014/configure-iptables-firewall-on-a-debian-wheezy-pc/
https://upcloud.com/community/tutorials/configure-iptables-debian/
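Reading /etc/passwd and /etc/shadow with cat, as the LINUX SHADOW & PASSWORD FILES section above suggests, is the first step; the audit below shows what a practitioner then looks for in those records. It is an added example and not code from the slides: the passwd and shadow records are constructed, the account names are made up, and the "weak hash" classification and the use of a supplied day count for "today" are assumptions of this example. The field layouts themselves are the real ones (passwd: name, password, UID, GID, GECOS, home, shell; shadow: name, hash, last change in days since the epoch, min, max, warn, inactive, expire, reserved).

```python
"""Audit constructed /etc/passwd and /etc/shadow contents for the problems the
LINUX SHADOW & PASSWORD FILES section is concerned with. Added example, not from
the slides; all records below are made up."""
from collections import namedtuple

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
toor:x:0:0::/root:/bin/bash
legacy::1002:1002::/home/legacy:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$salt$hashedroot:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hashedalice:19700:0:90:7:::
backup::19700:0:99999:7:::
toor:$1$salt$md5hash:19700:0:99999:7:::
legacy:!:18000:0:99999:7:::
"""

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")
ShadowEntry = namedtuple(
    "ShadowEntry", "name hash last_change min_days max_days warn_days inactive_days expire_day")

# Assumption of this example: MD5-crypt ($1$) and 13-character DES hashes count as weak.
WEAK_PREFIXES = ("$1$",)


def parse_passwd(text):
    """Map account name -> PasswdEntry; passwd has exactly seven colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        entries[name] = PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_shadow(text):
    """Map account name -> ShadowEntry; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        nums = [int(x) if x else None for x in f[2:8]]
        entries[f[0]] = ShadowEntry(f[0], f[1], *nums)
    return entries


def hash_strength(h):
    """Classify the shadow hash field: locked, empty, weak or ok."""
    if h in ("*", "!!") or h.startswith("!"):   # locked / no password login possible
        return "locked"
    if h == "":
        return "empty"
    if h.startswith(WEAK_PREFIXES) or (len(h) == 13 and "$" not in h):
        return "weak"
    return "ok"


def audit(passwd_text, shadow_text, today_days):
    """Return (account, issue) pairs. today_days is days since the epoch, the same
    unit shadow uses for its last-change field, so the caller supplies it."""
    pw, sh = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, p in pw.items():
        if p.uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if p.passwd == "":
            findings.append((name, "empty password field in passwd (no shadow lookup)"))
        s = sh.get(name)
        if s is None:
            findings.append((name, "no shadow entry"))
            continue
        strength = hash_strength(s.hash)
        if strength == "empty":
            findings.append((name, "empty password hash: login without a password"))
        elif strength == "weak":
            findings.append((name, "weak hash algorithm"))
        if (strength == "ok" and s.max_days is not None and s.last_change is not None
                and today_days - s.last_change > s.max_days):
            findings.append((name, "password older than max age"))
    return findings


if __name__ == "__main__":
    for account, issue in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, today_days=19800):
        print(f"{account}: {issue}")
```

Run against real files it would read open("/etc/passwd").read() and open("/etc/shadow").read() as root, with today_days computed from the current date; the point of the example is that the dangerous states (a second UID 0 account, an empty hash, a legacy hash algorithm, a password past its max age) are all visible from the two files' fields alone.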
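The stateful packet filtering that the SETTING UP FIREWALL IN LINUX section attributes to iptables is shown below as a rendered ruleset in the format iptables-restore reads, together with a check that flags the weak settings (an ACCEPT default policy, a blanket accept rule, no connection-tracking rule) such a policy is meant to avoid. This is an added example and not code from the slides or the linked tutorials; the allowed ports, the trusted admin network and the SSH port are assumed values, and NAT and MAC filtering are not covered.

```python
"""Render a default-deny, stateful iptables INPUT policy in iptables-restore format
and audit a ruleset for the weak settings it is meant to replace. Added example,
not from the slides; the port list and admin network are assumed values."""


def build_ruleset(tcp_ports, admin_net=None, ssh_port=22):
    """Return iptables-restore lines: INPUT/FORWARD default DROP, loopback and
    established traffic accepted, then NEW connections only to the listed TCP
    services. If admin_net is given, SSH is accepted only from that network."""
    for port in list(tcp_ports) + [ssh_port]:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port {port}")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        # connection tracking is what makes the filter stateful: replies to
        # connections this host opened come back in without their own rule
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    if admin_net:
        lines.append(f"-A INPUT -p tcp -s {admin_net} --dport {ssh_port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    for port in tcp_ports:
        lines.append(f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    lines.append("COMMIT")
    return lines


def audit_ruleset(lines):
    """Flag the weak settings a stateful default-deny INPUT policy should not contain."""
    issues = []
    policy = next((l for l in lines if l.startswith(":INPUT ")), None)
    if policy is None or policy.split()[1] != "DROP":
        issues.append("INPUT chain default policy is not DROP")
    input_rules = [l for l in lines if l.startswith("-A INPUT")]
    if not any("ESTABLISHED" in l for l in input_rules):
        issues.append("no rule accepting ESTABLISHED,RELATED traffic")
    for l in input_rules:
        # an ACCEPT with no port, interface or state match lets everything in
        if (l.endswith("-j ACCEPT") and "--dport" not in l
                and "-i lo" not in l and "--ctstate" not in l):
            issues.append("blanket ACCEPT rule: " + l)
    return issues


# Constructed "before" ruleset of the kind the audit is meant to catch.
WEAK_RULESET = ["*filter", ":INPUT ACCEPT [0:0]", "-A INPUT -j ACCEPT", "COMMIT"]

if __name__ == "__main__":
    print("\n".join(build_ruleset([80, 443], admin_net="192.168.1.0/24")))
    for issue in audit_ruleset(WEAK_RULESET):
        print("weak:", issue)
```

The rendered lines are what you would feed to iptables-restore; the order matters, since iptables evaluates rules top to bottom, which is why the loopback and ESTABLISHED,RELATED rules come before any per-service rule and the chain's default policy is what decides for everything that matched nothing.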