Detailed Report on “VU23225 Investigate Windows Security Features – Lesson 02

Overview

The document titled “VU23225 Investigate Windows Security Features – Lesson 02” focuses on the management of system and user accounts, monitoring, logging mechanisms, and scheduling tasks within the Windows operating system. The content aims to provide a comprehensive understanding of these features to enhance security and administrative efficiency.

1. Objectives

The lesson sets out the following objectives:

• Explain Windows user accounts.
• Explain Administrator privileges and administering a Windows OS.
• Describe the role of WMI (Windows Management Instrumentation) in remotely managing Windows systems.
• Describe Windows monitoring and logging mechanisms.
• Describe the role of the Windows Task Scheduler.

2. Managing Windows User Accounts

This section provides a detailed overview of the default user accounts in Windows, the methods to manage and create user accounts, and guidelines for secure account management.

Default Accounts in Windows:

• Administrator: Holds the highest level of privileges with complete control over the system. It should be renamed and used sparingly.
• Guest: Designed for temporary users with limited access. Disabled by default due to security concerns.
• Default User: Template for creating new user profiles with default settings.
• WDAGUtilityAccount: Used for Windows Defender Application Guard.
• LocalService and NetworkService: Used by Windows services to run with limited privileges.

Tips for Default Accounts:

• Rename and secure the Administrator account.
• Disable the Guest account unless necessary.
• Ensure strong password policies for all accounts.

Methods to Manage and Create User Accounts:

1. GUI Method: Using Control Panel to add or manage user accounts.
2. Command Line Method: Using net user and net localgroup commands in Command Prompt.
3. PowerShell Method: Using New-LocalUser and Add-LocalGroupMember
4. Computer Management Console: Using the console to create and manage accounts.

Active Directory User Accounts:

• Unique within the domain, case insensitive, and require complex passwords by default.
• Important attributes include full name, logon names, and password policies.
• Commands for enabling and disabling accounts using PowerShell and other tools.

3. Administrator Privileges

Describes different administration privilege levels and their associated risks:

Types of Privileges:

5. Administrator Privileges: Full control over the system. Risks include malware installation, system setting modifications, and accidental damage.
6. Power User Privileges: More than standard users but less than administrators. Can install applications and manage user accounts within scope.
7. Standard User Privileges: Most limited, cannot install software or modify system settings, enhancing security against malware and unauthorized access.

Managing User Accounts in Active Directory:

• Domain Administrator: Highest access within a domain. Risks include potential domain-wide compromises and privilege escalation.
• Enterprise Administrator: Extends control across multiple domains within a forest, with increased risks due to broader impact.
• Group Policy Administrator: Manages GPOs with risks of misconfigurations and unauthorized policy changes.
• Account Operators: Manage user accounts with risks of unauthorized modifications and data leakage.

4. Windows Management Instrumentation (WMI)

WMI is a component of Windows that provides a standardized way for applications and scripts to retrieve management information and perform system administration tasks.

Components of WMI:

• WMI Namespace: Logical containers for management information.
• WMI Classes: Represent different types of managed objects with properties and methods.
• WMI Query Language (WQL): SQL-like language for querying WMI data.
• WMI Providers: Supply management information to WMI.
• WMI Scripting: Accessed through PowerShell, VBScript, and C# for automation and management tasks.
• MI Repository: Centralized database storing metadata and configuration information.

Security Risks and Mitigations:

• Unauthorized Access, Code Execution, Remote Code Injection: Risks can be mitigated by implementing proper access controls, secure configurations, and regular updates.

5. Windows Logging

Describes the event logging mechanism in Windows, crucial for monitoring and managing system activities.

Event Types:

• Informational Events: Indicate successful operations.
• Warning Events: Potential issues requiring attention.
• Error Events: Critical problems needing immediate action.

Event Logs:

• Application Log: Events from applications.
• System Log: Events related to the operating system.
• Security Log: Events related to security activities.

Management and Tools:

• Event Viewer, PowerShell, Windows Event Log API, Third-Party SIEM Solutions: Tools for monitoring and managing events.
• Event Channels, Event IDs, Log Retention, and Security: Further categorize and manage event logs.

Event Log Retention and Clearing:

• Binary files (.evt, .evtx): Log files stored with specific extensions.
• Configuring log retention settings: Ensures optimal performance and storage management.

Event Log Security:

• Access control lists (ACLs), cryptographic hashes: Ensure log integrity and security.

Event Log Subscription and Forwarding:

• Centralized event collection: Useful in large-scale environments for consolidated monitoring.

6. Task Scheduler

The Task Scheduler allows scheduling and automation of tasks, enhancing system security by ensuring regular maintenance and monitoring.

Functions of Task Scheduler:

8. Scheduled Security Scans: Automate antivirus scans.
9. System Updates: Schedule automatic updates.
10. User Account Control (UAC): Create prompts for specific tasks.
11. Log Management: Schedule backups of event logs.
12. System Monitoring: Schedule monitoring tasks.
13. Secure Backup and Recovery: Automate data backups.
14. System Maintenance: Schedule routine tasks like disk clean-up and defragmentation.

Security Issues:

• Misconfigured permissions, task impersonation, malicious task creation: Mitigated by proper configuration, validation, and monitoring.

By leveraging these Windows features effectively, administrators can enhance system security, ensure efficient management, and mitigate potential risks.