Cyberops - Module 3 Study Notes - TH

Uploaded by

johnmcdonald9211

Cyberops – module 3

Summary and Notes

Summary

Overview of the Windows Operating System and Its History


The Windows Operating System (OS) began with the Disk Operating System (DOS), which provided a
basic file system for managing data storage on disks. Microsoft’s MS-DOS utilized a command line
interface that allowed users to execute commands to manipulate files and programs. Early Windows
versions, starting with Windows 1.0 in 1985, were built on top of MS-DOS, introducing a graphical user
interface (GUI). Modern iterations of Windows, using the New Technology (NT) architecture, provide
direct control over hardware, with the GUI enabling tasks that were previously command line driven.
Users can access a command window by typing 'cmd' in the Windows Search.

MS-DOS Commands
MS-DOS includes several commands that facilitate file management, such as:

- `dir`: Lists files in the current directory.
- `cd`: Changes the directory.
- `copy`: Copies files from one location to another.
- `del`: Deletes files.
- `mkdir`: Creates a new directory.
- `ren`: Renames a file.
- `help`: Displays available commands.

Windows Versions Overview


Since 1993, over 20 versions of Windows have been released, tailored for different user and server needs.
The 64-bit architecture handles data more efficiently and offers a larger address space than its 32-bit
predecessor, while keeping backward compatibility with older 32-bit software. Windows 10 has been declared
the final version, with updates provided instead of new releases. Key versions include Windows 7, 8, and 10,
each available in various editions for different user requirements.

The Windows GUI and User Experience


The Windows interface is built around the Desktop, featuring customizable elements and a Taskbar with a
Start menu for easy access to applications. The Context Menu—which appears upon right-clicking icons—
provides quick access to functions. Users can restore deleted files from the Recycle Bin. The GUI supports
multiple users, allowing for personalized experiences.

Operating System Vulnerabilities


Windows OS is susceptible to vulnerabilities due to its extensive codebase. Attackers exploit these
weaknesses to gain unauthorized access or control of computers. Effective security measures include using
updated antivirus software like Windows Defender, managing services, employing encryption, and
establishing robust security policies. Other recommendations include maintaining strong passwords,
careful management of file permissions, and reviewing firewall settings.

Windows Architecture Fundamentals


The Windows architecture includes a Hardware Abstraction Layer (HAL) that facilitates communication
between the hardware and the kernel, which is the core of the OS. The system operates in two modes: user
mode for applications and kernel mode for OS code, ensuring protection and efficient resource
management.

Windows File Systems


Windows supports several file systems, with New Technology File System (NTFS) being the most
prevalent. NTFS organizes file storage with structures like the Master File Table and supports features like
permissions and alternate data streams. Compatibility exists with other file systems such as exFAT and
HFS+, though some require additional software for full functionality on Windows.

Boot Processes in Windows

The boot process in Windows varies depending on whether the firmware is BIOS or UEFI. BIOS
initializes the system and locates the master boot record to begin the OS load, while UEFI uses EFI files
for a more secure boot process. After locating a valid installation, the Boot Configuration Database directs
the boot manager to load the appropriate files. This process ensures all drivers are signed and trusted.

Windows Startup and Shutdown Procedures


The system can be configured to start applications automatically using the registry settings found under
HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. Proper shutdown procedures are crucial for
system stability, ensuring all applications and services close appropriately. Users can shut down, restart, or
hibernate their systems using various methods.

Processes, Threads, and Services in Windows


Windows applications consist of processes, which are executing programs, and threads, subsets of
processes that represent the execution path. Each process runs in its own private address space that other
processes cannot touch, enhancing system stability. Windows services run background tasks that support
various functions and should be managed carefully to avoid disrupting system operations.

Memory Management in Windows


Windows utilizes virtual memory to allocate resources to processes. Each process operates in its own
address space, which prevents interference and corruption between processes. Tools like RAMMap help
administrators visualize memory usage across different components of the system.

The Windows Registry Explained


The Windows Registry is a complex hierarchical database storing configuration settings, system policies,
user profiles, and hardware settings. Critical registry hives include HKEY_LOCAL_MACHINE,
HKEY_CURRENT_USER, and HKEY_USERS. Proper care must be taken when modifying the registry,
as incorrect changes can severely impact system functionality.

Configuration and Monitoring Tools


Administering Windows includes using various tools:

- Task Manager provides information on running applications and performance metrics.
- Resource Monitor gives deeper insights into resource usage by processes.
- Command Line Interface (CLI) and PowerShell enable command execution and scripting for task automation.
- Windows Management Instrumentation (WMI) manages remote systems and collects hardware/software data.

Networking Capabilities of Windows


Windows supports comprehensive networking features, such as the Network and Sharing Center for
managing connections and adapter settings. Users can configure settings for Ethernet or Wi-Fi, test DNS
functionality with the `nslookup` command, and utilize the `netstat` command to identify unauthorized
connections.

Windows Security Protocols


Security in Windows is bolstered by regular updates, local security policies, and built-in solutions like
Windows Defender. Establishing guidelines for password strength and account lockout policies helps
secure systems against intrusions. Firewalls and intrusion prevention measures protect the network from
malicious activities.

Windows Server Overview


Windows Server editions are designed for business infrastructure, hosting various services, including
network management (DNS, DHCP), file services (SMB), and web services. Understanding the distinct
roles of Windows Server versus desktop editions is critical for network and system administrators.

Labs for Practical Applications


Several labs focus on hands-on learning, including creating user accounts, using PowerShell functions,
exploring Task Manager functionalities, and monitoring system resources. Each lab aims to provide
practical experience in managing and configuring Windows systems effectively.

Notes

The Windows Operating System - Disk Operating System

- The Disk Operating System (DOS) allows computers to manage data storage devices for reading and writing files.
- MS-DOS was developed by Microsoft and primarily used a command line interface for file manipulation (in the command output examples, the commands the user types appear in bold).
- Early Windows versions, starting with Windows 1.0 in 1985, operated over MS-DOS, while newer versions utilize Windows NT technology for direct hardware control.
- Users can access a command window to experience MS-DOS by typing 'cmd' in Windows Search and pressing Enter.

The Windows Operating System - Windows Versions

- Windows has seen over 20 releases based on the NT operating system since 1993, with specialized editions for various uses, including workstation and server applications.
- The transition to 64-bit architecture introduced substantial changes, allowing for a larger address space, while compatibility with older 32-bit programs is maintained.
- Microsoft has stated that Windows 10 will be the final version, with future updates instead of new releases.

The Windows Operating System - Windows GUI

- Windows features a Graphical User Interface (GUI) characterized by a customizable Desktop that can hold files, folders, shortcuts, and applications.
- The Task Bar at the bottom contains the Start menu for easy access to programs, a quick launch area, and a notification area for program statuses.
- Right-clicking icons reveals a Context Menu offering additional functions for ease of use.

The Windows Operating System - Operating System Vulnerabilities

- Operating systems, including Windows, contain thousands to millions of lines of code, which can harbour vulnerabilities that malicious actors may exploit to gain unauthorized access or control.
- Common security recommendations include using Windows Defender for malware protection, monitoring unknown services, implementing encryption, and enforcing a solid security policy.

The Windows Operating System - Windows Architecture and Operations

- The Hardware Abstraction Layer (HAL) facilitates communication between hardware and the kernel, the core component of the OS managing input, output requests, and memory.
- Windows operates in two modes: user mode for applications and kernel mode for OS code, maintaining a restricted address space for user applications to enhance security.

The Windows Architecture and Operations - Windows File Systems

- Windows supports multiple file systems, including NTFS (most commonly used), exFAT, FAT32, and Linux's EXT, with various capabilities and attributes.
- NTFS uses structures like the Master File Table (MFT) to track files, including security and timestamp information.

The Windows Architecture and Operations - Windows Boot Process

- The boot process involves the BIOS or UEFI firmware initializing hardware, discovering the master boot record, and executing Bootmgr.exe to load the operating system.
- The process ensures all drivers are digitally signed for security before proceeding to initialize the Windows kernel with Ntoskrnl.exe.

The Windows Architecture and Operations - Windows Startup

- The Windows registry, particularly HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, controls automatic service and application startup processes.
- The Msconfig tool can be utilized to view and modify startup options, simplifying the control of services and applications that launch on boot.
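The startup keys mentioned above (under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER) are a common place for malware to persist, so an analyst usually audits them before trusting Msconfig's view. The following PowerShell is an added example, not code from the module: it lists every value in the usual Run/RunOnce keys and reports whether the target binary carries a valid Authenticode signature. The key list is an assumption covering the common locations, not an exhaustive one.

```powershell
# Added example, not from the module: audit the registry Run/RunOnce keys that
# start programs at logon and show whether each target binary is signed.
# The key list is an assumption covering the usual locations, not an exhaustive one.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Recover the executable path from a command line such as "C:\x\a.exe" /arg
function Get-ExePath([string]$commandLine) {
    if ($commandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($commandLine -split '\s+')[0]
}

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # some keys may not exist yet
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd = [string]$regKey.GetValue($name)      # expands %VARS% in REG_EXPAND_SZ values
            $exe = Get-ExePath $cmd
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
            } else { 'FileNotFound' }
            [pscustomobject]@{
                Hive      = $key.Split('\')[0]
                Name      = $name
                Command   = $cmd
                Signature = $sig
            }
        }
    }
}

# Unsigned or missing binaries in an autostart location are the ones to review first.
Get-AutostartEntry |
    Sort-Object -Property @{ Expression = { $_.Signature -eq 'Valid' } }, Name |
    Format-Table -Property Hive, Name, Signature, Command -AutoSize -Wrap
```

A validly signed binary is not proof of legitimacy, but an unsigned one in a Run key, or a value whose file no longer exists, is worth a closer look.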

The Windows Architecture and Operations - Windows Shutdown

- Proper shutdown of a computer is essential, allowing applications and services to close correctly and configuration changes to be saved.
- Different options such as Shutdown, Restart, and Hibernate cater to varied user needs for power management.

Windows Architecture and Operations - Processes, Threads, and Services

- Each application on Windows operates as a process composed of one or more threads; processes do not share memory space with one another, which prevents corruption.
- Background services support the OS and applications, providing essential functionality like network connectivity; caution is needed when modifying service settings.

Windows Architecture and Operations - The Windows Registry

- The Windows Registry is a hierarchical database for system and application settings, divided into main hives such as HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
- Each key can contain subkeys and values, which define various settings and parameters across the operating system. Tools like regedit.exe allow users to modify these settings, which should be done with caution.

Windows Configuration and Monitoring

- Running applications as Administrator is advisable only when required. This can be done from the context menu in File Explorer or from the Command Prompt.
- User accounts can be customized with specific permissions through local user and domain settings, managed via the lusrmgr.msc applet, to simplify administration and improve security.

Windows Configuration and Monitoring CLI and PowerShell

- Windows PowerShell is an environment used for scripting and automating tasks that the standard Command Line Interface (CLI) cannot perform.
- PowerShell supports the execution of several command types.
- PowerShell's help commands provide structured assistance at different levels of detail.

Windows Management Instrumentation (WMI)

- WMI enables management and monitoring of remote computers, offering insights into hardware and software statistics.
- Access the WMI Control via the Windows Control Panel by navigating through Administrative Tools > Computer Management > WMI Control Properties.
- The WMI Control Properties dialog holds the WMI configuration settings.

The net Command

- The net command is essential for OS administration and supports various subcommands with specific switches.
- Common net commands include:

1. `net accounts`: This command is used to set password and logon requirements for user accounts on the system.

2. `net session`: This command lists all active sessions between the local computer and other computers on the network, and it can also disconnect sessions.

3. `net share`: This command allows users to create, remove, or manage shared resources on the network.

4. `net start`: This command starts a specified network service or lists all currently running network services.

5. `net stop`: This command stops a specified network service.

6. `net use`: This command connects, disconnects, and displays information about shared network resources.

7. `net view`: This command shows a list of computers and network devices available on the network.

8. `netsh`: A separate command-line utility (not a `net` subcommand) that allows users to display and modify the network configuration of the operating system. It can be used to configure various networking parameters and settings, including network interfaces, firewall settings, and routing protocols.

9. `netstat`: A separate utility that displays details of active network connections, which can help identify unauthorized connections and monitor network activity.
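`net accounts` (item 1 above) both sets and displays the local password and lockout policy, which is the same policy the Local Security Policy console exposes. The PowerShell below is an added example, not from the module: it parses the `net accounts` output and compares each setting against a baseline. The baseline numbers and the `Get-NetAccountsPolicy`/`Test-PasswordPolicy` names are my own assumptions for the example, not a Microsoft or course recommendation.

```powershell
# Added example, not from the module: read the local password and lockout
# policy with `net accounts` and compare it against an assumed baseline.
function Get-NetAccountsPolicy {
    $policy = @{}
    foreach ($line in (net accounts)) {
        # Output lines look like "Minimum password length:      0"
        if ($line -match '^(.+?):\s+(\S.*?)\s*$') {
            $policy[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $policy
}

function Test-PasswordPolicy([hashtable]$policy) {
    # Illustrative baseline; $null means "no bound on that side".
    $checks = @(
        @{ Setting = 'Minimum password length';     Min = 14; Max = $null },
        @{ Setting = 'Maximum password age (days)'; Min = 1;  Max = 90 },
        @{ Setting = 'Lockout threshold';           Min = 1;  Max = 10 },
        @{ Setting = 'Lockout duration (minutes)';  Min = 15; Max = $null }
    )
    foreach ($c in $checks) {
        $raw = $policy[$c.Setting]
        # "Never", "None" and "Unlimited" mean the control is switched off: fail them.
        $num  = if ($raw -match '^\d+$') { [int]$raw } else { $null }
        $pass = (($null -ne $num) -and
                 ($null -eq $c.Min -or $num -ge $c.Min) -and
                 ($null -eq $c.Max -or $num -le $c.Max))
        [pscustomobject]@{
            Setting  = $c.Setting
            Current  = $raw
            Baseline = "min=$($c.Min) max=$($c.Max)"
            Pass     = $pass
        }
    }
}

Test-PasswordPolicy (Get-NetAccountsPolicy) | Format-Table -AutoSize
```

On a fresh workstation the default values (minimum length 0, lockout threshold Never) fail every check, which is the point: the defaults are not a policy.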

Task Manager and Resource Monitor

- Task Manager gives an overview of running processes, software performance, and system utilization across seven tabs.

Networking

- Networking is vital for connecting computers and is managed primarily through the Network and Sharing Centre, which handles connection and adapter settings.
- The `nslookup` command tests DNS functionality, while `netstat` displays active network connections.
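The module uses `netstat` to spot unauthorized connections; the harder part in practice is tying each connection to the process that owns it. The PowerShell below is an added example, not from the module: it builds a `netstat -ano`-style report of established TCP connections with the owning process and path, then lists connections to non-private addresses first. It assumes the `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 and later); the `Get-ConnectionReport` and `Test-PrivateAddress` names are mine.

```powershell
# Added example, not from the module: established TCP connections with owning
# process (like `netstat -ano` plus a process lookup), external peers listed first.
function Get-ConnectionReport {
    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
            PID           = $_.OwningProcess
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            # Path is $null for protected system processes unless run elevated.
            Path          = if ($proc) { $proc.Path } else { $null }
        }
    }
}

# RFC 1918, loopback and link-local ranges; everything else counts as external.
function Test-PrivateAddress([string]$ip) {
    return [bool]($ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:)')
}

$report   = @(Get-ConnectionReport)
$external = @($report | Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) })

"{0} established connections, {1} to external addresses" -f $report.Count, $external.Count
$external | Sort-Object Process, RemoteAddress |
    Format-Table Process, PID, LocalPort, RemoteAddress, RemotePort, Path -AutoSize
```

A process with no path, or a process name that does not match its path, is the usual cue to keep digging with Task Manager or Resource Monitor.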

Accessing Network Resources

- The Server Message Block (SMB) protocol facilitates sharing network resources.
- The Universal Naming Convention (UNC) enables access with paths like `\\servername\sharename\file`.
- Remote Desktop Protocol (RDP) allows users to control remote computers, and poses security risks.

Windows Server

- Windows Server caters to data centre needs with various services, including network services (DNS, DHCP), file services (SMB, NFS), and management (Active Directory).
- The Windows Server lineage begins with Windows Server 2003 and is built for server-specific operations, unlike the desktop versions.

Windows Security

- The `netstat` command checks for unauthorized network connections and active TCP connections.
- Windows Event Viewer logs application and security events, aiding in troubleshooting with specific logs like Administrative Events.
- Regular updates are vital for security; service packs bundle necessary patches for vulnerabilities.
- Local Security Policy governs security settings for stand-alone Windows computers, including password guidelines and account lockout policies.
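The Security log that Event Viewer shows is where the account lockout policy above becomes visible: each failed logon is recorded as event ID 4625. The PowerShell below is an added example, not from the module: it pulls the last 24 hours of 4625 events and summarises them by target account and source address, so repeated failures stand out. It assumes an elevated session (the Security log is not readable otherwise); `Get-FailedLogonSummary` is my own name for the function.

```powershell
# Added example, not from the module: summarise failed logon events (Security
# log, event ID 4625) from the last N hours by target account and source IP.
# Reading the Security log requires an elevated PowerShell session.
function Get-FailedLogonSummary([int]$Hours = 24) {
    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # EventData fields are easiest to read by name from the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            SourceIP  = $data['IpAddress']
            LogonType = $data['LogonType']   # 3 = network, 10 = remote interactive (RDP)
            Status    = $data['Status']      # 0xC000006D = bad user name or password
        }
    }
    $rows | Group-Object Account, SourceIP | Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'Account';  Expression = { $_.Group[0].Account } },
            @{ Name = 'SourceIP'; Expression = { $_.Group[0].SourceIP } },
            @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time)[-1].Time } }
}

# Many failures for one account from one address inside the lockout observation
# window are exactly what the Local Security Policy lockout threshold is counting.
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```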

Windows Defender

- Windows Defender offers built-in real-time protection against malware, including various threats like viruses and spyware.
- It allows for manual scanning and is designed to work alongside other antimalware software.
- The Windows Defender Firewall manages and denies unwanted network traffic, with settings accessible through the Control Panel for program access controls.
