
Detailed Report on “VU23225 Investigate Windows Security Features”

Overview

This is an educational lesson aimed at providing comprehensive knowledge on various aspects of Windows operating system security. The content is structured into several key sections that cover the architecture of the Windows OS, its file systems, the registry, process execution, thread management, and the role of Dynamic Link Libraries (DLLs). Below is a detailed breakdown of each section.

1. Objectives

The lesson sets out the following objectives:

  • Understand the architectural structure of the Windows operating system.
  • Identify Windows file system formats and layouts.
  • Understand the purpose and structure of the Windows registry.
  • Describe Windows process execution structure and the role of threads.
  • Explain the role of Dynamic Link Libraries (DLLs) in Windows applications.

2. Windows Architecture

This section provides an in-depth look at the components and layers of the Windows operating system:

  1. User Interface (UI):
    • Shell: Provides the graphical user interface for user interaction, including the Start menu, taskbar, and desktop.
  2. Windows Services:
    • Service Control Manager: Manages system services that provide functionality to the OS.
    • Local Security Authority Subsystem Service (LSASS): Enforces security policies and authenticates users.
  3. Kernel Mode and User Mode:
    • Kernel Mode: Runs the Windows Kernel with direct access to hardware.
    • User Mode: Non-privileged mode for running user applications and services.
  4. Kernel:
    • Windows Kernel: Manages system resources, hardware access, and ensures stability and security.
    • Device Drivers: Software enabling communication between the OS and hardware devices.
  5. Executive Services:
    • Executive: Core system services managing processes, memory, and I/O operations.
    • Object Manager, Memory Manager, Process Manager, I/O Manager: Handle various aspects of system resources and operations.
  6. Security Subsystem:
    • Security Reference Monitor, Security Account Manager (SAM): Enforce security policies and manage user account information.
  7. File System:
    • File System Driver: Supports multiple file systems, such as NTFS and FAT32.
  8. Windows Subsystems:
    • Windows Subsystem for Linux (WSL): Provides a compatibility layer for running Linux applications alongside Windows ones.
  9. Networking:
    • NDIS, Winsock: Standard interfaces for network communication.

3. Windows File Systems

This section explores the file systems used by the Windows OS:

  1. FAT (File Allocation Table):
    • FAT12, FAT16, FAT32: Different versions with varying capabilities and limitations.
  2. NTFS (New Technology File System):
    • Advanced features like file and folder permissions, compression, encryption, journaling, and support for large files and partitions.
  3. exFAT (Extended File Allocation Table):
    • Designed for flash drives and external storage, with large file and partition support and better compatibility across operating systems.

4. Hiding Files in Windows

Techniques to hide files include:

  1. File and Folder Attributes: Using built-in attributes to hide files from File Explorer.
  2. Hidden File Extensions: Manipulating file extensions to conceal file types.
  3. Command Prompt: Changing file attributes using commands.
  4. System Attribute: Setting system attributes to hide files from casual view.
  5. Alternate Data Streams (ADS): Hiding data within files using NTFS features.
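The following PowerShell audit is an added example and not part of the lesson: from a defender's side it looks for the footprint of the techniques listed above (Hidden/System attributes, alternate data streams) and reads the Explorer view settings in the registry that decide whether those tricks are visible. The starting directory in $Path and the Explorer "Advanced" registry values are assumptions for the example.

```powershell
# Added example, not part of the lesson: audit a directory tree for the hiding techniques
# of section 4 (Hidden/System attributes, alternate data streams) and the Explorer view
# settings in the registry that make them effective. $Path is an assumed starting point.
param([string]$Path = "$env:USERPROFILE\Documents")

# 1. Files carrying the Hidden or System attribute (set via Explorer or 'attrib +h +s').
#    -Force makes Get-ChildItem return items it would otherwise skip.
$flagged = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue
$files | Where-Object { $_.Attributes -band $flagged } | ForEach-Object {
    [pscustomobject]@{ Finding = 'HiddenOrSystemAttribute'; Path = $_.FullName
                       Attributes = $_.Attributes; Size = $_.Length }
}

# 2. Alternate data streams. Every file has the unnamed ':$DATA' stream, and Zone.Identifier
#    is the mark-of-the-web that browsers write; any other named stream deserves a look.
$expected = @(':$DATA', 'Zone.Identifier')
foreach ($f in $files) {
    Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $expected -notcontains $_.Stream } | ForEach-Object {
            [pscustomobject]@{ Finding = 'AlternateDataStream'; Path = $f.FullName
                               Stream = $_.Stream; Size = $_.Length }
        }
}

# 3. Explorer view settings (HKCU, see section 5) that decide whether the tricks above show up.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -ErrorAction SilentlyContinue
[pscustomobject]@{
    Finding         = 'ExplorerViewSettings'
    HideFileExt     = $adv.HideFileExt      # 1 = known extensions hidden ('invoice.pdf.exe' shows as 'invoice.pdf')
    ShowHidden      = $adv.Hidden           # 1 = show hidden items, 2 = do not show
    ShowSuperHidden = $adv.ShowSuperHidden  # 1 = show protected operating-system files
}
```

Only NTFS volumes carry alternate data streams, so step 2 reports nothing on FAT or exFAT media; a large Size on a named stream is the finding worth triaging first.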

5. Windows Registry

The registry is a hierarchical database for storing configuration settings and options:

  1. Purpose:
    • Central repository for system and application settings, user preferences, and hardware configurations.
    • Critical for system initialization, user profile management, and application settings.
  2. Structure:
    • Organized into keys and subkeys, with five main root keys (HKCR, HKCU, HKLM, HKU, HKCC).

6. Windows Process Execution

Details on how Windows manages processes:

  1. Process Creation: Steps involved in creating a new process.
  2. Process Termination: Different ways a process can terminate.
  3. Process Control Block (PCB): Contains essential information about the process.
  4. Process Scheduling: Ensures fair allocation of CPU time among processes.
  5. Process Security and Access Control: Mechanisms for enforcing security policies.
  6. Process Isolation and Sandboxing: Techniques for enhancing security.
  7. Inter-Process Communication (IPC): Mechanisms for communication between processes.

7. Threads

Management of threads for concurrent execution:

  1. Thread Creation: Steps involved in creating a thread.
  2. Thread Execution: Includes CPU time allocation, context switching, and scheduling.
  3. Thread Control Block (TCB): Stores thread-specific information.
  4. Thread Synchronisation and Communication: Mechanisms for coordinating activities and sharing data.
  5. Thread Security and Access Control: Measures to ensure thread-level security.
  6. Thread Termination: Methods for terminating threads.

8. Dynamic Link Library (DLL)

Role of DLLs in code reuse, modularity, and system security:

  1. Resource Efficiency, Patching and Updates, Address Space Isolation, Dependency Management, Secure Loading Mechanisms: Benefits and security features of DLLs.
  2. Malware Attacks: Techniques used by malware to exploit DLLs, such as DLL injection, hijacking, side-loading, and backdooring.
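As an added example (not the lesson's own material), the PowerShell below applies the "secure loading" idea from a detection angle: it walks the modules loaded into running processes and reports DLLs that are either unsigned or loaded from outside the Windows and Program Files directories, which is where hijacked or side-loaded libraries tend to sit. The set of trusted roots is an assumption chosen for the example.

```powershell
# Added example, not part of the lesson: list DLLs loaded into running processes that are
# unsigned or loaded from outside the assumed trusted roots. Run from an elevated prompt so
# that more processes can be inspected; protected processes are skipped.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop ProgramFiles(x86) on 32-bit hosts where it is empty

Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # access denied or bitness mismatch
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path -or -not $path.EndsWith('.dll', 'OrdinalIgnoreCase')) { continue }

        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, 'OrdinalIgnoreCase')) { $trusted = $true; break }
        }
        # Authenticode check covers embedded and catalog signatures on supported Windows versions.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($trusted -and $sig.Status -eq 'Valid') { continue }

        [pscustomobject]@{
            Process         = $proc.ProcessName
            ProcessId       = $proc.Id
            Module          = $path
            Signature       = $sig.Status
            TrustedLocation = $trusted
        }
    }
}
```

Expect legitimate unsigned third-party libraries in the output; the list is a triage starting point to compare against a known-good baseline, not a verdict.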

Conclusion

The document concludes by emphasizing the importance of understanding Windows security features for effective system management and protection against potential security threats. It highlights the necessity for developers and system administrators to follow best practices for managing dependencies, applying patches, and ensuring secure system configurations.
