MODULE 3 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

Question

https://snipboard.io/ySFfVb.jpg : At the bottom of the desktop is the Task Bar. The Task Bar has three areas that are used for different purposes. At the left is the Start menu. It is used to access all of the installed programs, configuration options, and the search feature. At the center of the Task Bar, users place quick launch icons that run specific programs or open specific folders when they are clicked. Finally, on the right of the Task Bar is the notification area. The notification area shows, at a glance, the functionality of many different programs and features. For example, a blinking envelope icon may indicate new email, or a network icon with a red “x” may indicate a problem with the network. Often, right-clicking an icon will bring up additional functions that can be used. This list is known as a Context Menu, shown in the figure. https://snipboard.io/l8TtC6.jpg

Answer 1

Often, right-clicking an icon will bring up additional functions that can be used. This list is known as a Context Menu, shown in the figure. https://snipboard.io/l8TtC6.jpg There are Context Menus for the icons in the notification area, for quick launch icons, system configuration icons, and for files and folders. The Context Menu provides many of the most commonly used functions by just clicking. For example, the Context Menu for a file will contain such items as copy, delete, share, and print. To open folders and manipulate files, Windows uses the Windows File Explorer.

Answer 2

Virus or malware protection : By default, Windows uses Windows Defender for malware protection. Windows Defender provides a suite of protection tools built into the system. If Windows Defender is turned off, the system becomes more vulnerable to attacks and malware.

Answer 3

Unknown or unmanaged services : There are many services that run behind the scenes. It is important to make sure that each service is identifiable and safe. With an unknown service running in the background, the computer can be vulnerable to attack.

Answer 4

Encryption : When data is not encrypted, it can easily be gathered and exploited. This is not only important for desktop computers, but especially mobile devices.

Answer 5

Security policy : A good security policy must be configured and followed. Many settings in the Windows Security Policy control can prevent attacks.

Answer 6

Firewall : By default, Windows uses Windows Firewall to limit communication with devices on the network. Over time, rules may no longer apply. For example, a port may be left open that should no longer be readily available. It is important to review firewall settings periodically to ensure that the rules are still applicable and remove any that no longer apply

Answer 7

File and share permissions : These permissions must be set correctly. It is easy to just give the “Everyone” group Full Control, but this allows all people to do what they want to all files. It is best to provide each user or group with the minimum necessary permissions for all files and folders.

Answer 8

Weak or no password : Many people choose weak passwords or do not use a password at all. It is especially important to make sure that all accounts, especially the Administrator account, have a very strong password.

Answer 9

Login as Administrator : When a user logs in as an administrator, any program that they run will have the privileges of that account. It is best to log in as a Standard User and only use the administrator password to accomplish certain tasks.

Answer 10

A hardware abstraction layer (HAL) is software that handles all of the communication between the hardware and the kernel. The kernel is the core of the operating system and has control over the entire computer. It handles all of the input and output requests, memory, and all of the peripherals connected to the computer. In some instances, the kernel still communicates with the hardware directly, so it is not completely independent of the HAL. The HAL also needs the kernel to perform some functions.

Answer 11

Kernel mode code also can reference any memory address directly. Generally reserved for the most trusted functions of the OS, crashes in code running in kernel mode stop the operation of the entire computer. Conversely, programs such as user applications, run in user mode and have no direct access to hardware or memory locations. User mode code must go through the operating system to access hardware resources. Because of the isolation provided by user mode, crashes in user mode are restricted to the application only and are recoverable. Most of the programs in Windows run in user mode. Device drivers, pieces of software that allow the operating system and a device to communicate, may run in either kernel or user mode, depending on the driver.

Answer 12

All of the code that runs in kernel mode uses the same address space. Kernel-mode drivers have no isolation from the operating system. If an error occurs with the driver running in kernel mode, and it writes to the wrong address space, the operating system or another kernel-mode driver could be adversely affected. In this respect, the driver might crash, causing the entire operating system to crash.

Answer 13

When user mode code runs, it is granted its own restricted address space by the kernel, along with a process created specifically for the application. The reason for this functionality is mainly to prevent applications from changing operating system code that is running at the same time. By having its own process, that application has its own private address space, rendering other applications unable to modify the data in it. This also helps to prevent the operating system and other applications from crashing if that application crashes.

Answer 14

exFAT : This is a simple file system supported by many different operating systems. FAT has limitations to the number of partitions, partition sizes, and file sizes that it can address, so it is not usually used for hard drives (HDs) or solid-state drives (SSDs) anymore. Both FAT16 and FAT32 are available to use, with FAT32 being the most common because it has many fewer restrictions than FAT16.

Answer 15

Hierarchical File System Plus (HFS+) : This file system is used on MAC OS X computers and allows much longer filenames, file sizes, and partition sizes than previous file systems. Although it is not supported by Windows without special software, Windows is able to read data from HFS+ partitions.

Answer 16

Extended File System (EXT) : This file system is used with Linux-based computers. Although it is not supported by Windows, Windows is able to read data from EXT partitions with special software.

Answer 17

New Technology File System (NTFS) : This is the most commonly used file system when installing Windows. All versions of Windows and Linux support NTFS. Mac-OS X computers can only read an NTFS partition. They are able to write to an NTFS partition after installing special drivers. NTFS is the most widely used file system for Windows for many reasons. NTFS supports very large files and partitions and it is very compatible with other operating systems. NTFS is also very reliable and supports recovery features. Most importantly, it supports many security features. Data access control is achieved through security descriptors. These security descriptors contain file ownership and permissions all the way down to the file level. NTFS also tracks many time stamps to track file activity. Sometimes referred to as MACE, the timestamps Modify, Access, Create, and Entry Modified are often used in forensic investigations to determine the history of a file or folder. NTFS also supports file system encryption to secure the entire storage media.

Answer 18

NTFS formatting creates important structures on the disk for file storage, and tables for recording the locations of files: -- Partition Boot Sector -- Master File Table (MFT) -- System Files -- File Area

Answer 19

Partition Boot Sector : This is the first 16 sectors of the drive. It contains the location of the Master File Table (MFT). The last 16 sectors contain a copy of the boot sector.

Answer 20

Master File Table (MFT) : This table contains the locations of all the files and directories on the partition, including file attributes such as security information and timestamps.

Answer 21

System Files : These are hidden files that store information about other volumes and file attributes.

Answer 22

File Area : The main area of the partition where files and directories are stored. Note: When formatting a partition, the previous data may still be recoverable because not all the data is completely removed. The free space can be examined, and files can be retrieved which can compromise security. It is recommended to perform a secure wipe on a drive that is being reused. The secure wipe will write data to the entire drive multiple times to ensure there is no remaining data.

Answer 23

In the NTFS file system, a file with an ADS is identified after the filename and a colon, for example, Testfile.txt:ADS. This filename indicates an ADS called ADS is associated with the file called Testfile.txt. An example of ADS is shown in the command output. https://snipboard.io/Zy2qLW.jpg In the output: The first command places the text “Alternate Data Here” into an ADS of the file Testfile.txt called “ADS”. After that, dir, shows that the file was created, but the ADS is not visible. The next command shows that there is data in the Testfile.txt:ADS data stream. The last command shows the ADS of the Testfile.txt file because the r switch was used with the dir command.

Answer 24

Two types of computer firmware exist: -- Basic Input-Output System (BIOS) -- Unified Extensible Firmware Interface (UEFI)

Answer 25

Basic Input-Output System (BIOS) : BIOS firmware was created in the early 1980s and works in the same way it did when it was created. As computers evolved, it became difficult for BIOS firmware to support all the new features requested by users.

Answer 26

Unified Extensible Firmware Interface (UEFI) : UEFI was designed to replace BIOS and support the new features.

Answer 27

The MBR contains a small program that is responsible for locating and loading the operating system. The BIOS executes this code and the operating system starts to load. In contrast to BIOS firmware, UEFI firmware has a lot of visibility into the boot process. UEFI boots by loading EFI program files, stored as .efi files in a special disk partition, known as the EFI System Partition (ESP). Note: A computer that uses UEFI stores boot code in the firmware. This helps to increase the security of the computer at boot time because the computer goes directly into protected mode.

Answer 28

Whether the firmware is BIOS or UEFI, after a valid Windows installation is located, the Bootmgr.exe file is run. Bootmgr.exe switches the system from real mode to protected mode so that all of the system memory can be used. Bootmgr.exe reads the Boot Configuration Database (BCD). The BCD contains any additional code needed to start the computer, along with an indication of whether the computer is coming out of hibernation, or if this is a cold start. If the computer is coming out of hibernation, the boot process continues with Winresume.exe. This allows the computer to read the Hiberfil.sys file which contains the state of the computer when it was put into hibernation.

Answer 29

If the computer is being booted from a cold start, then the Winload.exe file is loaded. The Winload.exe file creates a record of the hardware configuration in the registry. The registry is a record of all of the settings, options, hardware, and software the computer has. The registry will be explored in depth later in this chapter. Winload.exe also uses Kernel Mode Code Signing (KMCS) to make sure that all drivers are digitally signed. This ensures that the drivers are safe to load as the computer starts. After the drivers have been examined, Winload.exe runs Ntoskrnl.exe which starts the Windows kernel and sets up the HAL. Finally, the Session Manager Subsystem (SMSS) reads the registry to create the user environment, start the Winlogon service, and prepare each user’s desktop as they log on.

Answer 30

HKEY\_LOCAL\_MACHINE : Several aspects of Windows configuration are stored in this key, including information about services that start with each boot.

Answer 31

HKEY\_CURRENT\_USER : Several aspects related to the logged in user are stored in this key, including information about services that start only when the user logs on to the computer.

Answer 32

General : Three different startup types can be chosen here. Normal loads all drivers and services. Diagnostic loads only basic drivers and services. Selective allows the user to choose what to load on startup. https://snipboard.io/0l2CP7.jpg

Answer 33

Boot : Any installed operating system can be chosen here to start. There are also options for Safe boot, which is used to troubleshoot startup. https://snipboard.io/VwGAJt.jpg

Answer 34

Services : All the installed services are listed here so that they can be chosen to start at startup. https://snipboard.io/yhOItm.jpg

Answer 35

Startup : All the applications and services that are configured to automatically begin at startup can be enabled or disabled by opening the task manager from this tab. https://snipboard.io/81feAu.jpg

Answer 36

Tools : Many common operating system tools can be launched directly from this tab. https://snipboard.io/WlkFxY.jpg

Answer 37

During shutdown, the computer will close user mode applications first, followed by kernel mode processes. If a user mode process does not respond within a certain amount of time, the OS will display notification and allow the user to wait for the application to respond, or forcibly end the process. If a kernel mode process does not respond, the shutdown will appear to hang, and it may be necessary to shut down the computer with the power button. There are several ways to shut down a Windows computer: Start menu power options, the command line command shutdown, and using Ctrl+Alt+Delete and clicking the power icon. There are three different options from which to choose when shutting down the computer: : -- Shutdown -- Restart -- Hibernate

Answer 38

Shutdown : Turns the computer off (power off).

Answer 39

Restart : Re-boots the computer (power off and power on).

Answer 40

Hibernate : Records the current state of the computer and user environment and stores it in a file. Hibernation allows the user to pick up right where they left off very quickly with all their files and programs still open.

Answer 41

All of the threads dedicated to a process are contained within the same address space. This means that these threads may not access the address space of any other process. This prevents corruption of other processes. Because Windows multitasks, multiple threads can be executed at the same time. The amount of threads that can be executed at the same time is dependent on the number of the computer’s processors. Some of the processes that Windows runs are services. These are programs that run in the background to support the operating system and applications. They can be set to start automatically when Windows boots or they can be started manually. They can also be stopped, restarted, or disabled. Services provide long-running functionality, such as wireless or access to an FTP server. To configure Windows Services, search for services. The Windows Services control panel applet is shown in the figure. https://snipboard.io/VkSYM6.jpg Be very careful when manipulating the settings of these services. Some programs rely on one or more services to operate properly. Shutting down a service may adversely affect applications or other services.

Answer 42

Be very careful when manipulating the settings of these services. Some programs rely on one or more services to operate properly. Shutting down a service may adversely affect applications or other services.

Answer 43

Each user space process runs in a private address space, separate from other user space processes. When the user space process needs to access kernel resources, it must use a process handle. This is because the user space process is not allowed to directly access these kernel resources. The process handle provides the access needed by the user space process without a direct connection to it. A powerful tool for viewing memory allocation is RAMMap, which is shown in the figure. RAMMap is part of the Windows Sysinternals Suite of tools. It can be downloaded from Microsoft. RAMMap provides a wealth of information regarding how Windows has allocated system memory to the kernel, processes, drivers, and applications. https://snipboard.io/8STP4z.jpg

Answer 44

HKEY\_CURRENT\_USER (HKCU) : Holds information concerning the currently logged in user.

Answer 45

HKEY\_USERS (HKU) : Holds information concerning all the user accounts on the host.

Answer 46

HKEY\_CLASSES\_ROOT (HKCR) : Holds information about object linking and embedding (OLE) registrations. OLE allows users to embed objects from other applications (like a spreadsheet) into a single document (like a Word document.

Answer 47

HKEY\_LOCAL\_MACHINE (HKLM) : Holds system-related information.

Answer 48

HKEY\_CURRENT\_CONFIG (HKCC) : Holds information about the current hardware profile. New hives cannot be created. The registry keys and values in the hives can be created, modified, or deleted by an account with administrative privileges. As shown in the figure, the tool regedit.exe is used to modify the registry. Be very careful when using this tool. Minor changes to the registry can have massive or even catastrophic effects.

Answer 49

https://snipboard.io/Wnv4XB.jpg Navigation in the registry is very similar to Windows file explorer. Use the left panel to navigate the hives and the structure below it and use the right panel to see the contents of the highlighted item in the left panel. With so many keys and subkeys, the key path can become very long. The path is displayed at the bottom of the window for reference. Because each key and subkey is essentially a container, the path is represented much like a folder in a file system. The backslash (\) is used to differentiate the hierarchy of the database. Registry keys can contain either a subkey or a value. The different values that keys can contain are as follows:

Answer 50

REG\_BINARY : Numbers or Boolean values

Answer 51

REG\_DWORD : Numbers greater than 32 bits or raw data

Answer 52

REG\_SZ : String values Because the registry holds almost all the operating system and user information, it is critical to make sure that it does not become compromised. Potentially malicious applications can add registry keys so that they start when the computer is started. During a normal boot, the user will not see the program start because the entry is in the registry and the application displays no windows or indication of starting when the computer boots. A keylogger, for example, would be devastating to the security of a computer if it were to start at boot without the user’s knowledge or consent. When performing normal security audits, or remediating an infected system, review the application startup locations within the registry to ensure that each item is known and safe to run.

Answer 53

The registry also contains the activity that a user performs during normal day-to-day computer use. This includes the history of hardware devices, including all devices that have been connected to the computer including the name, manufacturer and serial number. Other information, such as what documents a user and program have opened, where they are located, and when they were accessed is stored in the registry. This is all very useful information when a forensics investigation needs to be performed.

Answer 54

Administrator : Right-click the command in the Windows File Explorer and choose Run as Administrator from the Context Menu. https://snipboard.io/i9Asvf.jpg

Answer 55

Adminisrator Command Prompt : Search for command, right-click the executable file, and choose Run as Administrator from the Context Menu. Every command that is executed from this command line will be carried out with the Administrator privileges, including installation of software. https://snipboard.io/Tp5cv3.jpg

Answer 56

As a security best practice, do not enable the Administrator account and do not give standard users administrative privileges. If a user needs to perform any function that requires administrative privileges, the system will ask for the Administrator password and allow only that task to be performed as an administrator. Requiring the administrator password protects the computer by preventing any software that is not authorized from installing, executing, or accessing files.

Answer 57

The Guests account should not be enabled. The guest account does not have a password associated with it because it is created when a computer is going to be used by many different people who do not have accounts on the computer. Each time the guest account logs on, a default environment is provided to them with limited privileges.

Answer 58

To make administration of users easier, Windows uses groups. A group will have a name and a specific set of permissions associated with it. When a user is placed into a group, the permissions of that group are given to that user. A user can be placed into multiple groups to be provided with many different permissions. When the permissions overlap, certain permissions, like “explicitly deny” will override the permission provided by a different group. There are many different user groups built into Windows that are used for specific tasks. For example, the Performance Log Users group allows members to schedule logging of performance counters and collect logs either locally or remotely. Local users and groups are managed with the lusrmgr.msc control panel applet, as shown in the figure. https://snipboard.io/1uzSOF.jpg

Answer 59

In addition to groups, Windows can also use domains to set permissions. A domain is a type of network service where all of the users, groups, computers, peripherals, and security settings are stored on and controlled by a database. This database is stored on special computers or groups of computers called domain controllers (DCs). Each user and computer on the domain must authenticate against the DC to logon and access network resources. The security settings for each user and each computer are set by the DC for each session. Any setting supplied by the DC defaults to the local computer or user account setting.

Answer 60

The prompt displays the current location within the file system. These are a few things to remember when using the CLI: The file names and paths are not case-sensitive, by default. Storage devices are assigned a letter for reference. The drive letter is followed by a colon and backslash (\). This indicates the root, or highest level, of the device. Folder and file hierarchy on the device is indicated by separating them with the backslash. For example, the path C:\Users\Jim\Desktop\file.txt refers to a file called file.txt that is in the Desktop folder within the Jim folder within the Users folder at the root of drive C:. Commands that have optional switches use the forward slash (/) to delineate between the command and the switch option. You can use the Tab key to auto-complete commands when directories or files are referenced. Windows keeps a history of the commands that were entered during a CLI session. Access previously entered commands by using the up and down arrow keys. To switch between storage devices, type the letter of the device, followed by a colon, and then press Enter.

Answer 61

cmdlets : These commands perform an action and return an output or object to the next command that will be executed.

Answer 62

PowerShell scripts : These are files with a .ps1 extension that contain PowerShell commands that are executed.

Answer 63

PowerShell functions : These are pieces of code that can be referenced in a script.

Answer 64

To see more information about Windows PowerShell and get started using it, type help in PowerShell, as shown in the command output. https://snipboard.io/SYLUQo.jpg There are four levels of help in Windows PowerShell: get-help PS command - Displays basic help for a command get-help PS command [-examples] - Displays basic help for a command with examples get-help PS command [-detailed] - Displays detailed help for a command with examples get-help PS command [-full] - Displays all help information for a command with examples in greater depth

Answer 65

The WMI Control Properties window is shown in the figure. https://snipboard.io/1k8CFj.jpg These are the four tabs in the WMI Control Properties window: General - Summary information about the local computer and WMI Backup/Restore - Allows manual backup of statistics gathered by WMI Security - Settings to configure who has access to different WMI statistics Advanced - Settings to configure the default namespace for WMI Some attacks today use WMI to connect to remote systems, modify the registry, and run commands. WMI helps them to avoid detection because it is common traffic, most often trusted by the network security devices and the remote WMI commands do not usually leave evidence on the remote host. Because of this, WMI access should be strictly limited.

Answer 66

The table lists some common net commands. : -- net accounts -- net session -- net share -- net start -- net stop -- net use -- net view

Answer 67

net accounts : Sets password and logon requirements for users

Answer 68

net session : Lists or disconnects sessions between a computer and other computers on the network

Answer 69

net share : Creates, removes, or manages shared resources

Answer 70

net start : Starts a network service or lists running network services

Answer 71

net stop : Stops a network service

Answer 72

net use : Connects, disconnects, and displays information about shared network resources

Answer 73

net view : Shows a list of computers and network devices on the network

Answer 74

Task Manager : The Task Manager, which is shown in the figure, provides a lot of information about the software that is running and the general performance of the computer. https://snipboard.io/I0lhnF.jpg

Answer 75

Processes : Lists all of the programs and processes that are currently running. Displays the CPU, memory, disk, and network utilization of each process. The properties of a process can be examined or ended if it is not behaving properly or has stalled.

Answer 76

Performance : A view of all the performance statistics provides a useful overview of the CPU, memory, disk, and network performance. Clicking each item in the left pane will show detailed statistics of that item in the right pane.

Answer 77

App history : The use of resources by application over time provides insight into applications that are consuming more resources than they should. Click Options and Show history for all processes to see the history of every process that has run since the computer was started.

Answer 78

Startup : All of the applications and services that start when the computer is booted are shown in this tab. To disable a program from starting at startup, right-click the item and choose Disable.

Answer 79

Users : All of the users that are logged on to the computer are shown in this tab. Also shown are all the resources that each user’s applications and processes are using. From this tab, an administrator can disconnect a user from the computer.

Answer 80

Details : Similar to the Processes tab, this tab provides additional management options for processes such as setting a priority to make the processor devote more or less time to a process. CPU affinity can also be set which determines which core or CPU a program will use. Also, a useful feature called Analyze wait chain shows any process for which another process is waiting. This feature helps to determine if a process is simply waiting or is stalled.

Answer 81

Services : All the services that are loaded are shown in this tab. The process ID (PID) and a short description are also shown along with the status of either Running or Stopped. At the bottom, there is a button to open the Services console which provides additional management of services.

Answer 82

When searching for the reason a computer may be acting erratically, the Resource Monitor can help to find the source of the problem. The table describes the five tabs of the Resource Monitor. -- Overview -- CPU -- Memory -- Disk -- Network

Answer 83

Overview : The tab displays the general usage for each resource. If you select a single process, it will be filtered across all of the tabs to show only that process’s statistics.

Answer 84

CPU : The PID, number of threads, which CPU the process is using, and the average CPU usage of each process is shown. Additional information about any services that the process relies on, and the associated handles and modules can be seen by expanding the lower rows.

Answer 85

Memory : All of the statistical information about how each process uses memory is shown in this tab. Also, an overview of usage of all the RAM is shown below the Processes row.

Answer 86

Disk : All of the processes that are using a disk are shown in this tab, with read/write statistics and an overview of each storage device.

Answer 87

Network : All of the processes that are using the network are shown in this tab, with read/write statistics. Most importantly, the current TCP connections are shown, along with all of the ports that are listening. This tab is very useful when trying to determine which applications and processes are communicating over the network. It makes it possible to tell if an unauthorized process is accessing the network, listening for a communication, and the address with which it is communicating.

Answer 88

Network and Sharing Center : https://snipboard.io/FSxfhk.jpg The initial view shows an overview of the active network. This view shows whether there is internet access and if the network is private, public, or guest. The type of network, either wired or wireless, is also shown. From this window, you can see the HomeGroup the computer belongs to, or create one if it is not already part of a HomeGroup. This tool can also be used to change adapter settings, change advance sharing settings, set up a new connection, or troubleshoot problems. Note that HomeGroup was removed from Windows 10 in version 1803.

Answer 89

1) Access Adapter Properties : Right-click the adapter you wish to configure and choose Properties, as shown in the figure. https://snipboard.io/aXPGhs.jpg

Answer 90

2) Acess TCP/IPv4 Properties : This connection uses the following items: Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) depending on which version you wish to use. In the figure, IPv4 is being selected. https://snipboard.io/xijrsL.jpg

Answer 91

3) Change Settings : Click Properties to configure the adapter. In the Properties dialogue box, shown in the figure, you can choose to Obtain an address automatically if there is a DHCP server available on the network. If you wish to configure addressing manually, you can fill in the address, subnet, default gateway, and DNS servers to configure the adapter. Click OK to accept the changes. You can also use the netsh.exe tool to configure networking parameters from a command prompt. This program can display and modify the network configuration. Type netsh /? at the command prompt to see a list of all the switches that can be used with this command. https://snipboard.io/xrQzCJ.jpg

Answer 92

nslookup and netstat Domain Name System (DNS) should also be tested because it is essential to finding the address of hosts by translating it from a name, such as a URL. Use the nslookup command to test DNS. Type nslookup cisco.com at the command prompt to find the address of the Cisco webserver. When the address is returned, you know that DNS is functioning correctly. You can also check to see what ports are open, where they are connected, and what their current status is. Type netstat at the command line to see details of active network connections, as shown in the command output. https://snipboard.io/x2kvz6.jpg

Answer 93

\\servername\sharename\file In the UNC, servername is the server that is hosting the resource. This can be a DNS name, a NetBIOS name, or simply an IP address. The sharename is the root of the folder in the file system on the remote host, while the file is the resource that the local host is trying to find. The file may be deeper within the file system and this hierarchy will need to be indicated.

Answer 94

When sharing resources on the network, the area of the file system that will be shared will need to be identified. Access control can be applied to the folders and files to restrict users and groups to specific functions such as read, write, or deny. There are also special shares that are automatically created by Windows. These shares are called administrative shares. An administrative share is identified by the dollar sign ($) that comes after the share name. Each disk volume has an administrative share, represented by the volume letter and the $ such as C$, D$, or E$. The Windows installation folder is shared as admin$, the printers’ folder is shared as print$, and there are other administrative shares that can be connected. Only users with administrative privileges can access these shares.

Answer 95

The easiest way to connect to a share is to type the UNC of the share into the Windows File Explorer, in the box at the top of the screen which shows the breadcrumb listing of the current file system location. When Windows tries to connect to the share, you will be asked to provide credentials for accessing the resource. Remember that because the resource is on a remote computer, the credentials need to be for the remote computer, not the local computer.

Answer 96

Besides accessing shares on remote hosts, you can also log in to a remote host and manipulate that computer, as if it were local, to make configuration changes, install software, or troubleshoot an issue. In Windows, this feature uses the Remote Desktop Protocol (RDP). When investigating security incidents, a security analyst uses RDP often to access remote computers. To start RDP and connect to a remote computer, search for remote desktop and click the application. The Remote Desktop Connection window is shown in the figure.

Answer 97

Because RDP is designed to permit remote users to control individual hosts, it is a natural target for threat actors. Care should be taken when activating RDP, especially on unpatched legacy versions of Windows such as those that are still found in industrial control systems. Care should be taken to limit the exposure of RDP to the internet, and security approaches and access control policies, such as Zero Trust, should be used to limit access to internal hosts. The figure shows the Remote Desktop Connection client application window. https://snipboard.io/Vh7xDd.jpg

Answer 98

These are some of the services that Windows Server provides: : -- Network Services -- File Services -- Web Services -- Management

Answer 99

Network Services : DNS, DHCP, Terminal services, Network Controller, and Hyper-V Network virtualization

Answer 100

File Services : SMB, NFS, and DFS

Answer 101

Web Services : FTP, HTTP, and HTTPS

Answer 102

Management : Group policy and Active Directory domain services control

Answer 103

To make this process easier, you can link the connections to the running processes that created them in Task Manager. To do this, open a command prompt with administrative privileges and enter the netstat -abno command, as shown in the command output. https://snipboard.io/ij59X6.jpg

Answer 104

Note: If you are not in administrator mode, a “The requested operation requires elevation” message will appear. Search for Command Prompt. Right-click on Command Prompt and chose Run as administrator. By examining the active TCP connections, an analyst should be able to determine if there are any suspicious programs that are listening for incoming connections on the host. You can also trace that process to the Windows Task Manager and cancel the process. There may be more than one process listed with the same name. If this is the case, use the PID to find the correct process. Each process running on the computer has a unique PID. To display the PIDs for the processes in the Task Manager, open the Task Manager, right-click the table heading and select PID.

Answer 105

https://snipboard.io/His3qg.jpg : Windows includes two categories of event logs: Windows Logs, and Application and Services Logs. Each of these categories has multiple log types. Events that are displayed in these logs have a level: - information, - warning, - error, or critical. They also have the date and time that the event occurred, along with the source of the event and an ID which relates to that type of event.

Answer 106

It is also possible to create a custom view. This is useful when looking for certain types of events, finding events that happened during a certain time period, displaying events of a certain level, and many other criteria. There is a built-in custom view called Administrative Events that shows all critical, error, and warning events from all of the administrative logs. This is a good view to start with when trying to troubleshoot a problem. Security event logs are found under Windows Logs. They use event IDs to identify the type of event.

Answer 107

Patches are code updates that manufacturers provide to prevent a newly discovered virus or worm from making a successful attack. From time to time, manufacturers combine patches and upgrades into a comprehensive update application called a service pack. Many devastating virus attacks could have been much less severe if more users had downloaded and installed the latest service pack. It is highly desirable that enterprises utilize systems that automatically distribute, install, and track security updates.

Answer 108

Windows routinely checks the Windows Update website for high-priority updates that can help protect a computer from the latest security threats. These updates include security updates, critical updates, and service packs. Depending on the setting you choose, Windows automatically downloads and installs any high-priority updates that your computer needs or notifies you as these updates become available. To configure the settings for Windows update, search for Windows Update and click the application. Update status, shown in the figure, allows you to check for updates manually and see the update history of the computer. https://snipboard.io/or8R0g.jpg

Answer 109

There are also settings for the hours where the computer will not automatically restart, for example during regular business hours. You can also choose when to restart the computer after an update, if necessary, with the Restart options. Advanced options are also available to choose how updates are installed how other Microsoft products are updated.

Answer 110

In most networks that use Windows computers, Active Directory is configured with Domains on a Windows Server. Windows computers join the domain. The administrator configures a Domain Security Policy that applies to all computers that join the domain. Account policies are automatically set when a user logs in to a computer that is a member of a domain. Windows Local Security Policy, shown in the figure, can be used for stand-alone computers that are not part of an Active Directory domain. To open the Local Security Policy applet, search for Local Security Policy and click the program. https://snipboard.io/WcmyjO.jpg

Answer 111

Password guidelines are an important component of a security policy. Any user that must log on to a computer or connect to a network resource should be required to have a password. Passwords help prevent theft of data and malicious acts. Passwords also help to confirm that the logging of events is valid by ensuring that the user is the person that they say they are. In the Local Security Policy, Password Policy is found under Account Policies and defines the criteria for the passwords for all of the users on the local computer.

Answer 112

Use the Account Lockout Policy in Account Policies to prevent brute-force login attempts. For example, you can set the policy to allow the user to enter a wrong username and/or password five times. After five attempts, the account is locked for 30 minutes. After 30 minutes, the number of attempts is reset to zero and the user can attempt to login again.

Answer 113

It is important to make sure that computers are secure when users are away. A security policy should contain a rule about requiring a computer to lock when the screensaver starts. This will ensure that after a short time away from the computer, the screen saver will start and then the computer cannot be used until the user logs in.

Answer 114

If the Local Security Policy on every stand-alone computer is the same, then use the Export Policy feature. Save the policy with a name, such as workstation.inf. Copy the policy file to an external media or network drive to use on other stand-alone computers. This is particularly helpful if the administrator needs to configure extensive local policies for user rights and security options.

Answer 115

The Local Security Policy applet contains many other security settings that apply specifically to the local computer. You can configure User Rights, Firewall Rules, and even the ability to restrict the files that users or groups are allowed to run with the AppLocker.

Answer 116

Antivirus protection : This program continuously monitors for viruses. When a virus is detected, the user is warned, and the program attempts to quarantine or delete the virus.

Answer 117

Adware protection : This program continuously looks for programs that display advertising on your computer.

Answer 118

Phishing protection : This program blocks the IP addresses of known phishing websites and warns the user about suspicious sites.

Answer 119

Spyware protection : This program scans for keyloggers and other spyware.

Answer 120

Trusted / untrusted sources : This program warns you about unsafe programs about to be installed or unsafe websites before they are visited. It may take several different programs and multiple scans to completely remove all malicious software. Run only one malware protection program at a time. Several reputable security organizations such as McAfee, Symantec, and Kaspersky offer all-inclusive malware protection for computers and mobile devices. Windows has built-in virus and spyware protection called Windows Defender, as shown in the figure. Windows Defender is turned on by default to provide real-time protection against infection. https://snipboard.io/nKFqCj.jpg

Answer 121

To open Windows Defender, search for it and click the program. Although Windows Defender works in the background, you can perform manual scans of the computer and storage devices. You can also manually update the virus and spyware definitions in the Update tab. Also, to see all of the items that were found during previous scans, click the History tab.

Answer 122

To allow program access through the Windows Defender Firewall, search for Control Panels. Under Systems and Security, locate Windows Defender Firewall. Click Allow an app or feature through Windows Defender Firewall, as shown in the figure.

Answer 123

If you wish to use a different software firewall, you will need to disable Windows Firewall. To disable the Windows Firewall, click Turn Windows Firewall on or off. Many additional settings can be found under Advanced settings. Here you can create inbound or outbound traffic rules based on different criteria. You can also import and export policies or monitor different aspects of the firewall. https://snipboard.io/oXDqEa.jpg