Task Manager
Right click taskbar and select Task Manager
To end a task, select it and click End Task at the bottom right of the window
The Startup tab lists the programs that are automatically opened during startup
CMD
Windows Filesystem Structure
C:\
├── PerfLogs\
├── Program Files\
├── Program Files (x86)\
├── ProgramData\ [hidden folder]
├── Users\
│   └── [username]\
│       ├── Desktop\
│       └── Documents\
└── Windows\
    ├── System32\
    │   ├── Config\
    │   └── Drivers\
    │       └── etc\
    │           ├── hosts
    │           └── networks
    ├── Spool\
    └── Temp\
- Program Files: 64-bit applications installation location
- Program Files (x86): 32-bit applications installation location
- ProgramData: Application-specific settings
- Users: User specific data
- Windows: Windows-specific programs and files
Environment Variables

Windows environment variables are enclosed in % signs:
cd %ProgramFiles%
cd %USERPROFILE%/Desktop
Commands

CMD, unlike Bash, is case insensitive
findstr
: Searches output for a string (| can be used to pipe output into it)
[command] /?
: Will list information and options available for a given command
echo
: Will echo the given string to the command prompt
echo hello > todo.txt
>
: Redirects the output to todo.txt
>>
: Appends redirection
The following will open a file with notepad:
notepad todo.txt
Windows Management Instrumentation Command (wmic)
wmic
: Tool used to query system information and diagnostics, such as OS and hard disk info
It can also be used to launch, terminate, install, and uninstall processes
Syntax
wmic [global switches] [alias] [verbs] [properties]
global switches
: wmic-specific global commands that alter its behavior
alias
: The Windows component wmic queries. Common aliases include:
os
: (operating system) System-specific properties
logicaldisk
: Disk drive-specific properties
verbs
: Action to be taken, such as get
properties
: Properties to be applied to the data returned, such as:
get caption
: Returns a one-line description of the given alias
get /value
: Gets all of the properties and values of an alias and lists each on a separate line
Examples
wmic os get /value
: Lists all of the available values for os
Any value listed can be passed into wmic os get
to return its value:
wmic os get OSType, Status
wmic /APPEND:report.txt os get caption
: Appends output of os get caption
to report.txt
(Redirection can also be used)
wmic logicaldisk get caption, filesystem, freespace, size, volumeserialnumber
: Lists provided properties related to system disks
The following will retrieve the Caption, Command, and User properties from the startup alias:
wmic startup get caption, command, user
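The same three queries, as an added PowerShell example that is not part of the original notes: wmic aliases map to WMI classes (os is Win32_OperatingSystem, logicaldisk is Win32_LogicalDisk, startup is Win32_StartupCommand), so Get-CimInstance returns the same data as typed objects instead of text. The report path and the list of "expected" install directories are assumptions for this example.

```powershell
# Added example: the wmic queries above via Get-CimInstance, appended to one report
# (the /APPEND:report.txt pattern). Report path and trusted-directory list are assumed.
function New-SystemReport {
    param([string]$ReportPath = "$env:USERPROFILE\report.txt")

    # Equivalent of: wmic os get Caption, OSType, Status
    $os = Get-CimInstance Win32_OperatingSystem |
        Select-Object Caption, OSType, Status

    # Equivalent of: wmic logicaldisk get caption, filesystem, freespace, size, volumeserialnumber
    $disks = Get-CimInstance Win32_LogicalDisk |
        Select-Object Caption, FileSystem,
            @{ Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) } },
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } },
            VolumeSerialNumber

    # Equivalent of: wmic startup get caption, command, user
    $startup = Get-CimInstance Win32_StartupCommand |
        Select-Object Caption, Command, User, Location

    # Defender check: autorun entries whose binary lives outside the usual install
    # directories deserve a second look. This is a heuristic, not a verdict.
    $trusted = "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot"
    $suspect = $startup | Where-Object {
        $cmd = ([string]$_.Command).Trim('"')
        -not ($trusted | Where-Object { $cmd -like "$_*" })
    }

    # Append each section to the report, like wmic /APPEND
    "=== OS ==="    | Out-File $ReportPath -Append
    $os    | Format-List  | Out-File $ReportPath -Append
    "=== Disks ===" | Out-File $ReportPath -Append
    $disks | Format-Table | Out-File $ReportPath -Append
    "=== Startup entries outside Program Files / Windows ===" | Out-File $ReportPath -Append
    $suspect | Format-Table -Wrap | Out-File $ReportPath -Append

    return $suspect
}

New-SystemReport | Format-Table Caption, Command, User -Wrap
```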
User and Password Policies
net
: Used to manage user accounts, groups, and password policies
net user
: Adds, removes, and manages users
net localgroup
: Adds, removes, and manages localgroups
net accounts
: Views password and logon requirements for user accounts; used to enforce the password policy
Using net
net user [username]
: Lists information pertaining to the given user
net localgroup
: Lists all available localgroups
net accounts
: Lists currently applied password policies
Creating Users and Setting Password Policy
net user [username] [password] /add
: Creates a user with the given password
net localgroup [groupname] /add
: Adds the provided group
net localgroup [groupname] [username] /add
: Adds the given user to the given group
net user [username] /delete
: Deletes the provided user
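An added PowerShell example, not from the original notes, that audits what the net commands above manage: enabled local users and their password state (net user), Administrators membership against an allow-list (net localgroup), and the minimum password length line from net accounts. The allow-list of expected administrators is an assumption.

```powershell
# Added example: audit local accounts with the LocalAccounts cmdlets plus net accounts.
# $ExpectedAdmins is an assumed allow-list; adjust it to the machine being checked.
function Get-LocalAccountAudit {
    param([string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator"))

    # net user equivalent: enabled accounts and their password state
    $users = Get-LocalUser | Where-Object Enabled | Select-Object Name,
        PasswordRequired, PasswordLastSet, LastLogon,
        @{ Name = 'NeverExpires'; Expression = { $null -eq $_.PasswordExpires } }

    # net localgroup Administrators equivalent, compared against the allow-list
    $admins     = Get-LocalGroupMember -Group 'Administrators'
    $unexpected = $admins | Where-Object { $ExpectedAdmins -notcontains $_.Name }

    # net accounts is the source for the local policy; take only the one line we need
    $minLen = (net accounts | Select-String 'Minimum password length').Line -replace '.*:\s*', ''

    [pscustomobject]@{
        EnabledUsers       = $users
        NoPasswordRequired = $users | Where-Object { -not $_.PasswordRequired }
        UnexpectedAdmins   = $unexpected
        MinPasswordLength  = $minLen
    }
}

$audit = Get-LocalAccountAudit
"Minimum password length: $($audit.MinPasswordLength)"
$audit.NoPasswordRequired | Format-Table Name, PasswordLastSet, LastLogon
$audit.UnexpectedAdmins   | Format-Table Name, PrincipalSource, ObjectClass
```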
Editing Group Policies
gpedit
is a GUI application used to manage group policies

To access a password policy, go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

To manage a policy, double click on its name
Task Scheduling
Task Scheduler is a GUI tool that allows system administrators to automate the execution of scripts and applications on a Windows system

A task can be triggered by either a specified time or event:

Select Create Task… to create a new task
To set the task to run whether or not a user is logged in, select Run whether user is logged on or not:

Select the Triggers tab, then select New… to create a new trigger:

To create a new Action, select the Actions tab, then select New…
Powershell
Objects
Object is Microsoft's term for every component in a system that PowerShell recognizes and interacts with
For example, ls C:\Windows returns objects
In C:\Documents\Recipes\Guacamole.doc, Guacamole.doc is the name property of the file (the object)
$_
: references each object piped into it:
ls C:\Windows | Where-Object {$_.name -like "*system*"}
-like
: Targets object(s) with the provided pattern
Powershell Commands

Verb-Nouns
Cmdlets follow a verb-noun syntax. For example, in Set-Location, Set is the verb and Location is the noun
Get-Command
: Searches for cmdlets by their name or verb:
Get-Command -Name *Process
Get-Command -Verb Exit
Start-Process
: Start a process from powershell:
Start-Process -FilePath CMD -Verb RunAs
Generating Windows Event Log Files with Parameters and Pipelines
Get-WinEvent
: Used to retrieve logs
Get-WinEvent -ListLog *
: Prints all types of available logs
| Where-Object {$_.RecordCount -gt 0}
: Prints log types that currently have logs
-MaxEvents 10
: Will only print the last 10 events
| convertto-json
: Will convert the logs into JSON Format
| out-file -filepath C:\logs\RecentSystemLogs.json
: Will output the results to the provided file
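The pipeline pieces above assembled into one script, as an added example that is not part of the original notes. The output path is an assumption; the Security-log IDs 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) are the standard Windows IDs and tie the logs back to the net user and net localgroup commands earlier in these notes. Reading the Security log requires an elevated prompt.

```powershell
# Added example: Get-WinEvent list, export and filter. Output path and lookback are assumed.
function Get-NonEmptyLogs {
    # Get-WinEvent -ListLog * | Where-Object {$_.RecordCount -gt 0}
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Sort-Object RecordCount -Descending |
        Select-Object LogName, RecordCount
}

function Export-RecentEvents {
    param(
        [string]$LogName   = 'System',
        [int]   $MaxEvents = 10,
        [string]$OutFile   = "$env:USERPROFILE\RecentSystemLogs.json"
    )
    $events = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
    # ConvertTo-Json | Out-File; -Depth keeps nested properties from being flattened
    $events | ConvertTo-Json -Depth 3 | Out-File -FilePath $OutFile
    return $events
}

function Get-AccountChangeEvents {
    param([int]$Days = 7)
    # A FilterHashtable is applied by the log service, so it is far cheaper than
    # pulling every Security event and filtering with Where-Object afterwards
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4732
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

Get-NonEmptyLogs | Select-Object -First 10 | Format-Table
Export-RecentEvents | Format-Table TimeCreated, Id, ProviderName
Get-AccountChangeEvents | Format-Table -AutoSize
```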
Scripting with Powershell
$variable_name
: Sets a variable:
$package="Skype"; Write-Host "The package to delete is $package"
;
: Allows multi-command lines
choco
: Package manager:
$package="Skype"
choco info $package
The following will uninstall the package:
$package="Skype"
choco uninstall -y $package
A CSV file can be supplied to a script:
chocodemo.csv
name,description
itunes,"Apple music player"
vlc,"Open Source media player"
sc2.ps1
$csv=Import-Csv -Path C:\chocodemo.csv
$csv | Get-Member # Prints available members to call on
# Print Each Line
foreach($line in $csv){
write-host "Line is $line"
}
# Print each Name
foreach($line in $csv){
write-host "Name is "$line.name
}
# uninstall each package
foreach($line in $csv){
choco uninstall -y $line.name
}
The following will check if the name is vlc:
foreach($line in $csv){
if ($line.name -eq "vlc"){
write-host "This is a video player"
}
write-host "Name is "$line.name
}
Active Directory Domain Services
Active Directory is the central database and management system for enterprise-scale Windows environments
Resources: The files, networking components, and printers that users need permission to access
Security Principals: AD objects that can be authenticated, such as users and groups

It is the culmination of all the services that work together to manage authentication and authorization within a Windows Server network
Authentication: Allows users to prove their identity
Authorization: Provides or denies users permission to material
Objects: Users, groups, and computers, as well as the file shares, network printers, and other resources that users need to access

AD Architecture

AD Authentication
LDAP (Lightweight Directory Access Protocol): Standardized protocol for adding, deleting, and editing objects
Kerberos: A ticket-based authentication protocol, now the default authentication protocol for Windows Server Domains
Creating OUs, Users, and Groups
Organizational Units: Logical groupings of an organization's assets and accounts
Example: All computers in the sales department are grouped together in the OU called GC Users > Sales. All of these computers would have the same policies, set by the group policies
To create a new OU:
- Select Server Manager
- Select Tools > Active Directory Users and Computers
- Select Action > Connect To
- Right Click DC > New > Organizational Unit
- Provide a name and select OK
To create a sub-OU:
- Right Click on an existing OU
- Select New > Organizational Unit
- Provide a new name and select OK
To create a new user:
- Right Click on an OU
- Select New > User
- Provide user information > Next
- Provide Password > Next
- Select Finish
To create a group:
- Right Click on an OU
- Select New > Group
- Provide Group Name and select OK
To assign a user to a group:
- Right Click on a user
- Select Add to Group
- Provide a Group Name and select Check Names
- Select the corresponding group
- Select OK
To delete an OU that has Deletion Protection: https://www.xpertstec.com/you-do-not-have-sufficient-privileges-to-delete-ou-or-this-object-is-protected-from-accidental-deletion/
Group Policy Objects
Group Policy Objects: Packages of policy settings that contain one or more group policies
Example: If both complexity requirements for accounts and deployment of anti-malware software on next logon are needed, the two policies can be combined into one GPO called Better Password and Anti-Malware Setup
To manage GPOs, select Tools > Group Policy Management
To create a GPO:
- Right Click on Group Policy Objects > New
- Give the Policy a name
- Select OK
To specify the GPO’s policy:
- Right Click on the GPO and select Edit
- Within the GPO Management Editor, select the Policy type, then double click on the policy to enable
To apply a GPO:
- Right Click on an OU
- Select Link an Existing GPO
- Select the GPO and select OK