System Hardening, Auditing, and Logs

Question 1

What does a firewall do

Answer 1

Blocks network traffic based on rules

Question 2

How to bring up the Windows Firewall GUI

Answer 2

wf.msc

Question 3

Command in CMD to interact with Windows Firewall

Answer 3

netsh

Question 4

Cmdlet in Powershell to pull information about Windows Firewall

Answer 4

Get-NetFirewallRule

Question 5

Windows Firewall Service Registry Path

Answer 5

HKLM\SYSTEM\CurrentControlSet\services\MpsSvc

Question 6

Executable hosting the Windows Firewall Service

Answer 6

svchost.exe

Question 7

Windows Firewall Service hosted DLL

Answer 7

mpssvc.dll

Question 8

3 Windows Firewall Profiles

Answer 8

Private, Public, Work/Domain

Question 9

How many profiles can be active on an interface at one time?

Answer 9

Multiple

Question 10

Windows Firewall Logging is configured where?

Answer 10

Within each profile

Question 11

NTFS

Answer 11

New Technology File System

Question 12

Each file in NTFS has a what?

Answer 12

Security Descriptor

Question 13

The Security Descriptor can include?

Answer 13

SID, DACL. SACL

Question 14

SID

Answer 14

Security Identifiers

Question 15

DACL

Answer 15

Discretionary Access Control List

Question 16

Describe what a SID is

Answer 16

A Security Identifier for the owner

Question 17

Describe a DACL

Answer 17

A Discretionary Access Control List that specifies the access rights (read,write,execute,delete) allowed or denied to particular users or groups

Question 18

SACL

Answer 18

System Access Control List

Question 19

Describe a SACL

Answer 19

A system Access Control List that specifies the types of access attempts that generate audit records for the object

Question 20

How to modify permissions within the GUI

Answer 20

Right Click -> Properties -> Security

Question 21

Command to modify permissions in CMD

Answer 21

icacls

Question 22

Command to modify permissions in Powershell

Answer 22

Get-Acl

Question 23

Sysinternals tool to modify permissions

Answer 23

accesschk

Question 24

WRP

Answer 24

Windows Resource Protection

Question 25

WFP

Answer 25

Windows File Protection

Question 26

Windows Resource Protection in XP

Answer 26

Windows File Protection (WFP)

Question 27

Windows File Protection (WFP) features

Answer 27

Watched for system file overwrite attempts
Checked file signature against known good
If bad, replaced with a copy from system32/dllcache folder

Question 28

Additional features of Windows Resource Protection (WRP)

Answer 28

Will keep protected files from being installed to begin with, rather than just overwriting them
Protected Resources can only be modified by Windows Module Installer service (TrustedInstaller.exe)
Can also protect system registry keys

Question 29

Executable for Windows Module Installer service

Answer 29

TrustedInstaller.exe

Question 30

Location where WRP Backups are stored

Answer 30

%Windir%\winsxs\Backup

Question 31

WRP Security Implications

Answer 31

Unable to overwrite protected files while Windows is running
Still able to mount drive into another OS and overwrite them
Look for drivers installed by 3rd Party to compromise
With Administrator privilege, can alter the configuration to allow modification

Question 32

UAC

Answer 32

User Account Control

Question 33

What does UAC do?

Answer 33

UAC limits the privileges of user run applications, even when run as Administrator, to prevent the modification of system files, resources, or settings. Requesting elevated privileges requires explicit acknowledgement from the user.

Question 34

Does UAC apply to all executables?

Answer 34

No, there are some Windows executables that can “auto elevate” without a prompt

Question 35

Waht kinds of files does WRP not protect?

Answer 35

pdf, doc,

Question 36

UIPI

Answer 36

User Interface Privilege Isolation

Question 37

Describe UIPI

Answer 37

UIPI is part of UAC

Each process is given a privilege level

Question 38

UIPI - Explain abilities of Higher integrity level

Answer 38

Higher integrity level can send messages to lower level integrity

Question 39

UIPI - Explain abiliteis of Lower integrity level

Answer 39

Lower integrity can only read Higher

Question 40

How can UIPI be bypassed?

Answer 40

Can be bypassed by signed and trusted applications with the UIaccess manifest setting

Question 41

IA

Answer 41

Information Assurance

Question 42

What is IA?

Answer 42

IS the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.

Question 43

IA protects what?

Answer 43

the Integrity, Availability, Authenticity, Non-Repudiation, and Confidentiality of user data

Question 44

Information Security goal

Answer 44

Preservation of Confidentiality, Integrity, and Availability of information

Question 45

CIA Triad

Answer 45

Confidentiality, Integrity, and Availability

Question 46

Information Security primary focus

Answer 46

Technical Security mechanisms

Question 47

Describe Host-based Security Products

Answer 47

Runs local on the machine, only concerned with that machine. OS dependent, version dependent. Some install as a service. Many new versions are cloud based.

Question 48

Types of Host-based Security Products

Answer 48

System Firewalls
Process Monitoring, kernel calls
Directory Monitoring
System Setting/Registry monitoring
Log monitoring
Authentication, Authorization, Accounting (AAA)
Application Whitelisting

Question 49

Describe Network Security Products

Answer 49

Monitors traffic across the wire
Can be inline or passive
Inline often modifies traffic between destination and source

Question 50

Types Network Security Products

Answer 50

Network Firewalls
Intrusion Detection System(IDS)
Intrusion Prevention System (IPS)
Web/Application Proxy
VPN Concentrator