
Detailed Report on VU23225 Investigate Windows Security Features – Lesson 07

Overview

The document titled “VU23225 Investigate Windows Security Features – Lesson 07” focuses on mitigating threats in Windows, also known as system hardening. It covers configuring disk and file encryption, implementing patching and updates, malware protection, protecting credentials, application protection, and auditing.

1. Objectives

The lesson sets out the following objectives:

  • Configure disk and file encryption (EFS and BitLocker).
  • Implement patching and updates (Windows Updates).
  • Implement malware protection (Windows Security, Windows Defender Antivirus, Windows Defender Exploit Guard, Windows Defender SmartScreen).
  • Protect credentials (Windows Defender Credential Guard, LAPS).
  • Protect applications (Software Restriction Policies, AppLocker, Windows Defender Application Guard).
  • Auditing (Overview and advanced auditing).

2. Configure Disk and File Encryption

Overview of EFS (Encrypting File System):

  • Provides additional security by encrypting files locally or remotely on NTFS, FAT, and FAT32 volumes.
  • Uses symmetric encryption to protect data and public key encryption to protect the symmetric key.
  • Requires a certificate for users to use EFS, which can be self-signed or issued by a CA.
  • Data recovery agents can decrypt all files if needed.

Overview of BitLocker:

  • Encrypts whole volumes regardless of the file system, providing computer-level protection.
  • Uses TPM (Trusted Platform Module) for device authentication and integrity verification of the startup process.
  • Can be managed via Control Panel, Group Policy, PowerShell, and Microsoft BitLocker Administration and Monitoring (MBAM).
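The following script is an added example, not part of the lesson: it walks through the checks an administrator would make before and after enabling BitLocker on the OS volume (TPM ready, recovery password escrowed before the TPM protector is added) and then marks a folder for EFS and verifies the result with cipher.exe. It assumes an elevated session on Windows 10/11 Pro or Enterprise with a TPM; the paths in $RecoveryDir and $EfsFolder are placeholders.

```powershell
# Added example (not from the lesson): check the TPM, turn on BitLocker for the OS volume with a
# recovery password plus TPM protector, and mark a folder for EFS. Run elevated on Windows 10/11
# Pro/Enterprise. $RecoveryDir and $EfsFolder are assumed placeholder paths.
#Requires -RunAsAdministrator

$OsDrive     = $env:SystemDrive                                   # usually "C:"
$RecoveryDir = 'D:\BitLockerRecovery'                             # assumed off-device location for the recovery password
$EfsFolder   = Join-Path $env:USERPROFILE 'Documents\Sensitive'   # assumed folder to protect with EFS

# --- BitLocker -------------------------------------------------------------
# 1. A present, initialised TPM is what lets BitLocker verify the boot chain before releasing the key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; BitLocker would need a password/USB protector instead.'
}

# 2. Report the current state of the OS volume.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
'{0} protection={1} encrypted={2}% protectors={3}' -f $vol.MountPoint, $vol.ProtectionStatus,
    $vol.EncryptionPercentage, (($vol.KeyProtector.KeyProtectorType) -join ',')

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 3. Start encryption with a recovery password, so a recovery path exists before the TPM protector is added.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    # 4. TPM protector: unattended unlock when the measured boot chain matches.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null

    # 5. Escrow the recovery password: to AD DS when domain-joined, and to the off-device folder.
    $rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    try {
        Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
    } catch {
        Write-Warning "AD DS backup failed ($_); keep the file copy somewhere other than this disk."
    }
    New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
    "$($rp.KeyProtectorId) $($rp.RecoveryPassword)" |
        Out-File -FilePath (Join-Path $RecoveryDir "$env:COMPUTERNAME-bitlocker.txt")
}

# --- EFS -------------------------------------------------------------------
# 6. Mark the folder encrypted: files created in it afterwards are encrypted automatically
#    with the user's EFS certificate; /s also encrypts anything already there.
New-Item -ItemType Directory -Path $EfsFolder -Force | Out-Null
cipher.exe /e /s:"$EfsFolder" | Out-Null

# 7. Verify: new files carry the Encrypted attribute, and cipher /c shows which certificate
#    thumbprints (the user's and any data recovery agent's) can decrypt them.
$probe = Join-Path $EfsFolder 'probe.txt'
'test' | Set-Content $probe
$isEncrypted = ((Get-Item $probe).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
"probe.txt encrypted: $isEncrypted"
cipher.exe /c "$probe"
```

The recovery password is added before the TPM protector so that a failed TPM measurement after the change never leaves the volume without a way in; the cipher /c output is the place to confirm that a data recovery agent certificate is listed, which is what makes the "data recovery agents can decrypt all files" property above actually hold.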

3. Implement Patching and Updates

Windows Updates:

  • Critical for security, stability, and functionality of the OS.
  • Include security patches, bug fixes, performance improvements, and new features.
  • Ensure compliance with regulations and maintain compatibility with new software and hardware.
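As an added example (not from the lesson), this script uses the Windows Update Agent COM API, which is built into Windows, to answer the two questions a patch-compliance check needs: which approved updates are still missing, and when the last successful installation happened. It assumes the Windows Update service is enabled and that a 30-day gap is the compliance threshold; the threshold is an assumed policy value.

```powershell
# Added example (not from the lesson): use the Windows Update Agent COM API to list updates that are
# approved but not installed, highlight security updates, and report the last successful install.
# Assumes the Windows Update service is enabled; the 30-day threshold is an assumed policy value.
$MaxDaysSinceInstall = 30

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# 1. Pending updates: not installed, not hidden, software only (drivers are a separate Type).
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
$report = foreach ($u in $pending) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity                   # Critical/Important/... for security updates, empty otherwise
        Category = ($u.Categories | ForEach-Object Name) -join ';'
        Title    = $u.Title
    }
}
$report | Sort-Object Severity | Format-Table -AutoSize

$securityGap = @($report | Where-Object { $_.Category -match 'Security Updates' }).Count
"Pending updates: $(@($report).Count) (security: $securityGap)"

# 2. Installation history: when did the last update install succeed?
#    Operation 1 = installation, ResultCode 2 = succeeded (UpdateOperation / OperationResultCode enums).
$count   = $searcher.GetTotalHistoryCount()
$history = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
$lastOk  = $history | Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
           Sort-Object Date -Descending | Select-Object -First 1
if ($lastOk) {
    $age = (New-TimeSpan -Start $lastOk.Date -End (Get-Date)).Days
    "Last successful install: $($lastOk.Date) ($age days ago): $($lastOk.Title)"
    if ($age -gt $MaxDaysSinceInstall) {
        Write-Warning "No successful update in $age days; check WSUS/Intune policy or the update service."
    }
} else {
    Write-Warning 'No successful installations in update history.'
}

# 3. Is the service itself running and set to start?
Get-Service wuauserv | Select-Object Name, Status, StartType
```

A machine can report "no pending updates" simply because the update service is stopped or it cannot reach its update source, which is why the last-successful-install age and the service state are checked alongside the pending list.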

4. Implement Malware Protection

Windows Security Features:

  • Windows Defender Antivirus: Provides real-time protection against malware.
  • Windows Defender Application Guard: Runs untrusted websites and apps in a container to isolate them from the OS.
  • Windows Defender Exploit Guard: Includes exploit protection, attack surface reduction rules, network protection, and controlled folder access.
  • Windows Defender SmartScreen: Protects against phishing and malware websites.
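The script below is an added example, not part of the lesson: it checks Defender Antivirus health, stages three Exploit Guard features (one attack surface reduction rule, network protection, controlled folder access) in audit mode, and then reads back the audit events that show what enforcement would have blocked. It assumes an elevated session on a Windows 10/11 machine with Defender active; the ASR rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes", and the protected folder is an assumed choice.

```powershell
# Added example (not from the lesson): check Defender Antivirus health, stage Exploit Guard features
# (one ASR rule, network protection, controlled folder access) in audit mode, and read the audit events
# that show what enforcement would block. Run elevated. The ASR rule GUID is Microsoft's published id
# for "Block all Office applications from creating child processes"; the protected folder is assumed.
#Requires -RunAsAdministrator

# --- 1. Antivirus health -----------------------------------------------------------
$s = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $s.RealTimeProtectionEnabled
    TamperProtection   = $s.IsTamperProtected
    SignatureAgeDays   = $s.AntivirusSignatureAge
    LastQuickScan      = $s.QuickScanEndTime
} | Format-List
if ($s.AntivirusSignatureAge -gt 3) { Update-MpSignature }    # stale definitions are blind spots

# --- 2. Exploit Guard in audit mode --------------------------------------------------
$asrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcess `
                 -AttackSurfaceReductionRules_Actions AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders (Join-Path $env:USERPROFILE 'Documents')

# Confirm the preferences took (tamper protection or an MDM policy can override them).
$p = Get-MpPreference
'ASR rules: {0}' -f (($p.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_" }) -join ',')
'Network protection: {0}  CFA: {1}' -f $p.EnableNetworkProtection, $p.EnableControlledFolderAccess

# --- 3. Review what audit mode would have blocked -------------------------------------
# Defender operational log ids: 1122 = ASR audited, 1124 = CFA audited, 1125 = network protection audited
# (1121 / 1123 / 1126 are the corresponding block events once enforcement is switched on).
$audit = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122, 1124, 1125
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$audit | Group-Object Id | ForEach-Object { '{0}: {1} events' -f $_.Name, $_.Count }
$audit | Select-Object -First 10 TimeCreated, Id, Message | Format-List

# --- 4. SmartScreen policy (Group Policy writes these values) ------------------------
$ss = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
'SmartScreen policy: EnableSmartScreen={0} ShellSmartScreenLevel={1}' -f $ss.EnableSmartScreen, $ss.ShellSmartScreenLevel
```

Audit mode first, then enforcement, is the usual rollout: the 1122/1124/1125 events collected over a week show which line-of-business applications would be caught, so exclusions can be added before switching the same settings to Enabled.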

5. Protecting Credentials

Principle of Least Privilege:

  • Assign minimum privileges to accounts to limit potential damage from compromised accounts.
  • Avoid over-privileged accounts and use specific accounts for administrative tasks.

Windows Defender Credential Guard:

  • Uses virtualization-based security to isolate credentials and prevent pass-the-hash or pass-the-ticket attacks.
  • Requires specific hardware and OS versions for deployment.

LAPS (Local Administrator Password Solution):

  • Manages and randomizes local administrator passwords, storing them securely in AD DS.
  • Requires Active Directory schema extension and installation of LAPS client on managed computers.
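As an added example (not from the lesson), this script covers the three points above in order: whether Credential Guard is actually running rather than merely configured, who holds local administrator rights compared with an approved list, and whether the host is under a LAPS policy, including a retrieval of a LAPS-managed password for a break-glass task. It assumes the Windows LAPS module is present; $ApprovedAdmins and $TargetComputer are constructed values.

```powershell
# Added example (not from the lesson): verify Credential Guard is actually running (not just configured),
# audit local Administrators against an approved list, and retrieve a LAPS-managed password for a
# break-glass task. $ApprovedAdmins and $TargetComputer are constructed values.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins')   # constructed allow-list
$TargetComputer = 'WS-0042'                                                          # constructed host name

# --- 1. Credential Guard status via the DeviceGuard WMI class -------------------------
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
# SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI
$vbsRunning   = $dg.VirtualizationBasedSecurityStatus -eq 2
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
"VBS running: $vbsRunning  Credential Guard configured: $cgConfigured  running: $cgRunning"
if ($cgConfigured -and -not $cgRunning) {
    Write-Warning 'Credential Guard is configured but not running: check UEFI, Secure Boot and the hypervisor prerequisites.'
}

# --- 2. Least privilege: who is a local administrator? ------------------------------
$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { $ApprovedAdmins -notcontains $_.Name }
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
if ($unexpected) {
    Write-Warning ('Unapproved local admins: ' + ($unexpected.Name -join ', '))
}
# The built-in Administrator account is either disabled or LAPS-managed; in neither case may its
# password be shared across machines, which is the lateral-movement path LAPS exists to close.
Get-LocalUser -Name 'Administrator' | Select-Object Name, Enabled, PasswordLastSet

# --- 3. LAPS: is this machine managed, and fetch another machine's password when needed ----
# Windows LAPS stores its effective policy here; legacy LAPS used HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd.
$laps = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
if ($laps) { 'LAPS policy: BackupDirectory={0} PasswordAgeDays={1}' -f $laps.BackupDirectory, $laps.PasswordAgeDays }
else        { Write-Warning 'No Windows LAPS policy found on this host.' }

# Retrieval needs delegated read rights on the computer object; the password rotates per policy,
# so what is shown is a short-lived credential rather than a standing shared one.
if (Get-Command Get-LapsADPassword -ErrorAction SilentlyContinue) {
    Get-LapsADPassword -Identity $TargetComputer -AsPlainText |
        Select-Object ComputerName, Account, Password, ExpirationTimestamp
}
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning is the check worth keeping: a Group Policy setting can be in place on a machine whose firmware does not meet the prerequisites, and only the running state means credentials are actually isolated.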

6. Protecting Applications

Software Restriction Policies (SRP):

  • Control which applications can run on a system based on criteria like file path, file hash, publisher certificate, or Internet Zone.
  • Provides default security levels and rule enforcement modes for application control.

AppLocker:

  • Available in Windows 10 Enterprise and Education editions.
  • Allows creation of rules to control the execution of applications and scripts.
  • Supports executable files, Windows Installer files, scripts, and packaged apps.
  • Provides auditing capabilities to monitor policy compliance.
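The following script is an added example, not part of the lesson: it builds an AppLocker allow-list from the software already installed, deploys it as the local policy in audit mode, tests one file against it, and then summarises the audit events that show which executables would have been blocked. It requires Windows 10 Enterprise or Education and an elevated session; $ScanDirs, $PolicyXml and $Candidate are assumed values.

```powershell
# Added example (not from the lesson): build an AppLocker allow-list from the software already installed,
# deploy it locally in audit mode, test a file against it, and pull the audit events that show which
# executables would have been blocked. Requires Windows 10 Enterprise/Education and elevation.
# $ScanDirs, $PolicyXml and $Candidate are assumed values.
#Requires -RunAsAdministrator
$ScanDirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$PolicyXml = Join-Path $env:TEMP 'applocker-audit.xml'
$Candidate = Join-Path $env:USERPROFILE 'Downloads\tool.exe'      # constructed path to test

# 1. AppLocker needs the Application Identity service to evaluate rules at all.
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# 2. Collect publisher/hash information for executables, scripts and installers (slow on C:\Windows).
$files = foreach ($d in $ScanDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
}

# 3. Generate rules: publisher rules where files are signed, hash rules otherwise; -Optimize merges
#    rules that share a publisher. The XML comes back with EnforcementMode="NotConfigured", which is
#    switched to AuditOnly so nothing is blocked during the trial period.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Out-File -FilePath $PolicyXml -Encoding utf8

# 4. Apply as the local policy (use -Ldap to target a domain GPO instead) and confirm the mode.
Set-AppLockerPolicy -XmlPolicy $PolicyXml
Get-AppLockerPolicy -Effective -Xml | Select-String 'RuleCollection Type'

# 5. Dry-run a specific file: Allowed, Denied or DeniedByDefaultRule.
if (Test-Path $Candidate) {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 6. Review audit events: 8003 = would have been blocked (audit), 8004 = blocked (enforce).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Group-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 20
```

Publisher rules are preferred over hash rules because they survive software updates; the hash rules generated for unsigned files are the ones to revisit whenever those applications are upgraded, and the 8003 event summary is where an application missing from the allow-list shows up before any user is blocked.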

Windows Defender Application Guard (WDAG):

  • Isolates untrusted content in a container using virtualization technology.
  • Protects against threats from untrusted websites, Office documents, and downloaded files.
  • Provides a disposable environment that ensures any potential malware is discarded after each session.

Microsoft Defender Application Control:

  • Formerly known as Windows Defender Device Guard.
  • Uses code integrity policies to define trusted applications and prevent unauthorized code execution.
  • Integrates with Windows Security Center and enterprise management tools like Group Policy and Microsoft Endpoint Configuration Manager.

Windows 10 Sandbox:

  • Provides a secure and disposable environment for running untrusted applications and files.
  • Utilizes hardware virtualization for secure isolation.
  • Ensures any changes made within the sandbox are discarded after the session ends.

7. Auditing

Overview of Auditing:

  • Use Windows security and system logs to track key activities and monitor for harmful behaviors.
  • Create an audit plan to decide what information to collect and avoid over-auditing or under-auditing.
  • Regularly collect and archive security logs across the organization to maintain an audit trail.

Advanced Auditing:

  • Configure advanced audit policies in Group Policy for various categories like Account Logon, Account Management, Detailed Tracking, and more.
  • Use tools like AuditPol for managing audit policies and event log forwarding.
  • PowerShell cmdlets can manage audit policies and review events, with features like transcription logging, module logging, and script block logging.
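The script below is an added example, not part of the lesson: it enables the audit subcategories that matter most for detection with AuditPol, adds command lines to process-creation events, switches on the three PowerShell logging features through their policy registry values, and then queries the resulting events. It assumes an elevated session; $Transcripts is an assumed path.

```powershell
# Added example (not from the lesson): turn on the audit subcategories that matter most for detection,
# add command lines to process-creation events, enable the three PowerShell logging features via their
# policy registry values, and then query the resulting events. Run elevated; $Transcripts is an assumed path.
#Requires -RunAsAdministrator
$Transcripts = 'C:\PSTranscripts'      # constructed path; in production point this at a write-only share

# --- 1. Advanced audit policy (same subcategories as the Group Policy UI) -----------------
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff"
auditpol /get /subcategory:"Process Creation"

# Event 4688 carries the command line only when this value is set.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# --- 2. PowerShell logging: module, script block and transcription ---------------------------
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item "$ps\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$ps\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item "$ps\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$ps\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
New-Item "$ps\Transcription" -Force | Out-Null
Set-ItemProperty "$ps\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty "$ps\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty "$ps\Transcription" -Name OutputDirectory -Value $Transcripts

# --- 3. Read the events back ---------------------------------------------------------------
# Helper: pull a named field out of the EventData section of a Security event.
function Get-EventField($Event, [string]$Name) {
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Failed logons in the last 24 h, grouped by account and source address (4625).
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object { (Get-EventField $_ 'TargetUserName') + ' from ' + (Get-EventField $_ 'IpAddress') } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10

# Process creations with their command lines (4688) for a quick look at what ran.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Cmd = (Get-EventField $_ 'CommandLine') } }

# Script block logging writes 4104; level Warning (3) marks blocks that matched PowerShell's own
# suspicious-content list, so they are a good first triage filter.
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; Level=3 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='Script'; e={ $t = $_.Properties[2].Value; $t.Substring(0, [Math]::Min(120, $t.Length)) }}
```

The subcategories chosen are the audit plan in miniature: logon events for account misuse, process creation with command lines for what actually ran, group management for privilege changes, and policy change so that any attempt to switch auditing off is itself recorded. For the audit trail to survive a compromised host, these logs are forwarded to a collector rather than read only locally.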

Conclusion

The document provides a comprehensive guide to hardening Windows systems by implementing various security measures, including encryption, updates, malware protection, credential protection, application control, and auditing. These practices are essential for maintaining a secure and resilient Windows environment.
