Monday, May 21, 2018

Windows Security

  • How To Secure A Server in 4 Simple Steps
Step 1
The first thing to do is make sure that you have a secure password for your root and administrator users.
Step 2
If a group of people is going to be using it, then you probably already have a username convention that you use elsewhere.
In Windows, give the user administrator access and add the user to the Remote Desktop Users group; if using Linux, add the user to sudoers. Log out and then log in as your newly created user and check that you do have sufficient administrator/root access.
Step 3
Remove remote access from the default root/administrator accounts. In Linux this is simply done by editing the /etc/ssh/sshd_config file and setting PermitRootLogin to 'no'. In Windows, this is a more complicated process involving setting the local security policy to block logins by the administrator user group.
Step 4
The next step is to configure your firewall rules for remote access. For the most part, you want to only allow access to remote access services such as RDP and SSH to IPs you know trusted users are going to use.
https://www.vps.net/community/knowledgebase/display/vpsfeatures/How+To+Secure+A+Server+in+4+Simple+Steps
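The Linux side of Step 3 as an audit check, written as an added Go example (not code from the linked article). It reads the body of an sshd_config file and reports the effective global PermitRootLogin value, following the parsing rules that trip up a hardening pass: OpenSSH uses the first occurrence of a keyword, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing; comment lines are ignored; and directives under a Match line are conditional, so they do not count as a global setting. The sample configurations are constructed for the example, and the value reported when the keyword is absent is the OpenSSH 7.0+ compiled-in default, prohibit-password.

```go
package main

import (
	"fmt"
	"strings"
)

// PermitRootLoginSetting reports the effective global PermitRootLogin value in
// the body of an sshd_config file. Comment lines are ignored, keywords are
// case-insensitive, "Keyword value" and "Keyword=value" are both accepted, and
// the FIRST occurrence of a keyword wins. Everything after a Match line is
// conditional, so scanning stops there. The flag says whether the keyword was
// set explicitly; otherwise the OpenSSH 7.0+ default (prohibit-password) is returned.
func PermitRootLoginSetting(config string) (value string, explicit bool) {
	for _, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.FieldsFunc(line, func(r rune) bool {
			return r == ' ' || r == '\t' || r == '='
		})
		if len(fields) == 0 {
			continue
		}
		key := strings.ToLower(fields[0])
		if key == "match" {
			return "prohibit-password", false // only conditional settings from here on
		}
		if key == "permitrootlogin" && len(fields) >= 2 {
			return strings.ToLower(fields[1]), true
		}
	}
	return "prohibit-password", false
}

// RootLoginDisabled is the Step 3 check: root SSH login counts as disabled only
// when PermitRootLogin is explicitly "no" in the global section.
func RootLoginDisabled(config string) bool {
	v, explicit := PermitRootLoginSetting(config)
	return explicit && v == "no"
}

// SampleConfigs are constructed sshd_config bodies covering the cases an auditor meets.
var SampleConfigs = []struct{ Name, Body string }{
	{"hardened", "Port 22\nPermitRootLogin no\n"},
	{"commented line only", "#PermitRootLogin no\nPort 22\n"},
	{"hardening line appended too late", "PermitRootLogin yes\nPermitRootLogin no\n"},
	{"keyword=value form", "permitrootlogin=no\n"},
	{"only inside a Match block", "Match User backup\n\tPermitRootLogin no\n"},
}

func main() {
	for _, c := range SampleConfigs {
		v, explicit := PermitRootLoginSetting(c.Body)
		fmt.Printf("%-34s PermitRootLogin=%-18s explicit=%-5v disabled=%v\n",
			c.Name, v, explicit, RootLoginDisabled(c.Body))
	}
}
```

The "appended too late" case is the one worth remembering: a hardening script that only appends to the file can leave root login enabled while looking correct at the bottom of the file.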


  • The Windows Server Hardening Checklist
What                                 Why
1. User Configuration                Protect your credentials.
2. Network Configuration             Establish communications.
3. Features and Roles Configuration  Add what you need, remove what you don't.
4. Update Installation               Patch vulnerabilities.
5. NTP Configuration                 Prevent clock drift.
6. Firewall Configuration            Minimize your external footprint.
7. Remote Access Configuration       Harden remote administration sessions.
8. Service Configuration             Minimize your attack surface.
9. Further Hardening                 Protect the OS and other applications.
10. Logging and Monitoring           Know what's happening on your system.
https://www.upguard.com/blog/the-windows-server-hardening-checklist

  • How To Remotely Enable Remote Desktop (RDP) Using PsExec

3.) Just copy PsExec.exe from the extracted location into your executable path "C:\Windows\System32".
4.) Open the command prompt (Start -> Run, type "cmd" and click OK) and enter the following:
psexec -u {username} -p {password} \\{IP-Address} reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

whereby:

{username} = Administrator (must be an administrator)

{password} = the administrator's password

{IP-Address} = the system's IP address

If not already enabled, use the following commands to enable RDP traffic through the Windows Firewall:

psexec \\{IP-Address} netsh firewall set service remoteadmin enable

psexec \\{IP-Address} netsh firewall set service remotedesktop enable

http://blog.omotech.com/?p=1019


  • PsExec v2.2

Utilities like Telnet and remote control programs like Symantec's PC Anywhere let you execute programs on remote systems, but they can be a pain to set up and require that you install client software on the remote systems that you wish to access. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec


  • When a domain administrator logs in to a compromised workstation interactively (via keyboard, remote desktop, or command-line tools such as the PsExec utility), their password is stored in the credential cache. Using popular credential-theft tools such as Mimikatz, an attacker with local administrator privileges can dump the cache and read the password and/or its hash (which is as effective as the password, given how Windows authentication works). 

https://www.secureworks.com/blog/dcept
  • 10 steps you can take to secure a laptop
1. Use a password
2. Disable booting from CD or USB
3. Encrypt your hard drive
4. Use a virtual private network (VPN)
http://www.techradar.com/news/mobile-computing/laptops/10-ways-to-secure-a-laptop-1148348/2

  • LM hash (also known as LanMan hash or LAN Manager hash) is a compromised password hashing function that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords. 


The LM hash is computed as (taken from Wikipedia):

    The user’s password is converted to uppercase.
    This password is null-padded to 14 bytes.
    The “fixed-length” password is split into two 7-byte halves.
    These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a parity-bit after every seven bits. This generates the 64 bits needed for the DES key.
    Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$%", resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB and the PaddingMode to NONE.
    These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

Firstly, passwords are limited to a maximum of only 14 characters, giving a theoretical maximum keyspace of 95^14 ≈ 2^92 with the 95 ASCII printable characters.
Secondly, passwords longer than 7 characters are divided into two pieces and each piece is hashed separately; this weakness allows each half of the password to be attacked separately at exponentially lower cost than the whole.
The LM hash also does not use cryptographic salt, a standard technique to prevent pre-computed dictionary attacks. A time–memory tradeoff cryptanalysis attack, such as a rainbow table, is therefore feasible. In addition, any password that is shorter than 8 characters will result in the hashing of 7 null bytes, yielding the constant value of 0xAAD3B435B51404EE, hence making it easy to identify short passwords on sight. In 2003, Ophcrack, an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, e.g. RainbowCrack, L0phtCrack and Cain, now incorporate similar attacks and make cracking of LM hashes fast and trivial.
https://en.wikipedia.org/wiki/LAN_Manager
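The six computation steps and the short-password tell from the excerpt above, carried through in an added Go example (this is not code from the page or from Wikipedia; it uses only the standard library's crypto/des). LMHash uppercases, null-pads to 14 bytes, splits into two 7-byte halves, expands each half into a 64-bit DES key by inserting a parity bit after every seven key bits, and encrypts "KGS!@#$%" as a single ECB block with no padding. HasShortPassword then applies the observation that a password of 7 characters or fewer leaves the second half equal to 0xAAD3B435B51404EE. Uppercasing is ASCII-only here (Windows used the OEM code page), input longer than 14 characters is truncated as a choice made for this example, and the passwords in main are constructed samples.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// lmMagic is the fixed plaintext that each half-key encrypts.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is DES of lmMagic under the all-zero key: the value every LM hash
// carries in its second half when the password has 7 characters or fewer.
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 7 key bytes over 8 by inserting a parity bit after every
// seven key bits, which is the 64-bit key layout DES expects (step 4 above).
func desKeyFrom7(k7 []byte) []byte {
	key := make([]byte, 8)
	key[0] = k7[0] >> 1
	key[1] = (k7[0]&0x01)<<6 | k7[1]>>2
	key[2] = (k7[1]&0x03)<<5 | k7[2]>>3
	key[3] = (k7[2]&0x07)<<4 | k7[3]>>4
	key[4] = (k7[3]&0x0F)<<3 | k7[4]>>5
	key[5] = (k7[4]&0x1F)<<2 | k7[5]>>6
	key[6] = (k7[5]&0x3F)<<1 | k7[6]>>7
	key[7] = k7[6] & 0x7F
	for i := range key {
		key[i] <<= 1 // low bit becomes the parity bit
		if bits.OnesCount8(key[i])%2 == 0 {
			key[i] |= 1 // odd parity; DES ignores it, but keep the key well-formed
		}
	}
	return key
}

// encryptHalf DES-encrypts lmMagic as a single block (ECB, no padding) under
// the key derived from one 7-byte password half (step 5 above).
func encryptHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash computes the 16-byte LM hash of an ASCII password following the six
// steps above. Uppercasing is ASCII-only (Windows used the OEM code page), and
// input longer than 14 characters is truncated, a choice made for this example.
func LMHash(password string) []byte {
	upper := strings.ToUpper(password)
	if len(upper) > 14 {
		upper = upper[:14]
	}
	padded := make([]byte, 14) // null-padded to exactly 14 bytes
	copy(padded, upper)
	return append(encryptHalf(padded[:7]), encryptHalf(padded[7:])...)
}

// LMHashHex returns the hash as 32 upper-case hex digits, as dumps print it.
func LMHashHex(password string) string {
	return strings.ToUpper(hex.EncodeToString(LMHash(password)))
}

// HasShortPassword reads a 32-hex-digit LM hash and reports whether its second
// half is EmptyHalf, i.e. the password was at most 7 characters long.
func HasShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], EmptyHalf)
}

func main() {
	// Constructed sample passwords; "" produces the hash a dump shows when no LM hash is stored.
	for _, pw := range []string{"", "abc", "password", "PaSsWoRd"} {
		h := LMHashHex(pw)
		fmt.Printf("%-12q %s short=%v\n", pw, h, HasShortPassword(h))
	}
}
```

For a defender the same constant doubles as an inventory check: a stored LM hash of AAD3B435B51404EEAAD3B435B51404EE means LM storage is disabled for that account (or the password is empty), while any other value in the second half means a real LM hash is still being kept and the "no LM hash" policy is not in effect.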

  • Windows Internals Interview Questions and Answers


1. What are the most important components of Windows?

The most important components of Windows are the kernel, the device drivers, and the user interface.
The kernel is responsible for managing the system’s resources and for providing the basic services that all other components rely on.
The device drivers provide the interface between the hardware and the rest of the system.
The user interface provides the means by which users interact with the system.

2. Can you explain what a process is in the context of an operating system?

A process is a program that is running on a computer. 
Every process has its own memory space and can have multiple threads.


3. Can you give me some examples of the internal structure of a typical Windows process?

The internal structure of a typical Windows process is made up of a number of different objects,
a process object, 
a thread object, 
an environment block, 
a security context, 
and a number of other objects.

4. How do you think processes communicate with each other on Windows?

The most common way is through shared memory, where one process can write data to a memory location that another process can then read.
Processes can also communicate through named pipes, which are essentially virtual channels that can be used to send data back and forth.
Processes can also communicate through sockets, which provide a more low-level way to send data between processes.

5. What’s the difference between a thread and a process?
A process is an instance of a running program, while a thread is a single sequence of execution within that process. 


6. What role does the kernel play in managing threads?
The kernel is responsible for managing threads by allocating the necessary resources for each thread, scheduling when each thread should run, and handling any synchronization between threads.

7. What are semaphores?

Semaphores are a synchronization object that can be used to limit the number of threads that can have access to a resource. Semaphores can be used to implement critical sections, to protect resources that can only be used by one thread at a time.

8. What types of objects can be used for synchronization?

The types of objects that can be used for synchronization in Windows are mutexes, semaphores, events, and critical sections.


9. What is the difference between critical sections, mutexes, and semaphores?

Critical sections are a mechanism for protecting a section of code from being executed by more than one thread at a time.
A mutex is a mutual exclusion object that can be used to protect a section of code from being executed by more than one thread at a time.
A semaphore is a synchronization object that can be used to protect a section of code from being executed by more than one thread at a time.
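The practical difference between the three objects in questions 7 to 9 is the admission count: a critical section or mutex admits one holder at a time, while a counting semaphore admits up to a fixed limit. The added Go example below is not from the interview page; it uses a buffered channel in place of the Windows kernel object, builds a counting semaphore, and measures how many goroutines are inside the guarded region at once. With a limit of 1 it behaves as a mutex.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// CountingSemaphore admits at most `limit` holders at once. A buffered channel
// gives the classic semantics: Acquire blocks while every slot is taken.
type CountingSemaphore struct{ slots chan struct{} }

func NewCountingSemaphore(limit int) *CountingSemaphore {
	return &CountingSemaphore{slots: make(chan struct{}, limit)}
}

func (s *CountingSemaphore) Acquire() { s.slots <- struct{}{} }
func (s *CountingSemaphore) Release() { <-s.slots }

// PeakHolders starts `workers` goroutines that each hold the semaphore for a
// moment and returns the largest number observed inside the guarded region at
// the same time. With limit == 1 the semaphore degenerates into a mutex.
func PeakHolders(limit, workers int) int {
	sem := NewCountingSemaphore(limit)
	var mu sync.Mutex // protects the two counters below
	current, peak := 0, 0
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			sem.Acquire()
			defer sem.Release()
			mu.Lock()
			current++
			if current > peak {
				peak = current
			}
			mu.Unlock()
			time.Sleep(2 * time.Millisecond) // stand-in for work on the shared resource
			mu.Lock()
			current--
			mu.Unlock()
		}()
	}
	wg.Wait()
	return peak
}

func main() {
	fmt.Println("limit 1 (mutex-like), 8 workers, peak holders:", PeakHolders(1, 8))
	fmt.Println("limit 3 (semaphore),  8 workers, peak holders:", PeakHolders(3, 8))
}
```

The peak for the limit-1 run is always exactly 1; for the limit-3 run it is at most 3, which is the property a semaphore guarantees and a mutex cannot express.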

10. How do you debug a deadlock condition on Windows?
You can use the Windows Debugger tool.
This tool will allow you to see what processes are currently running and what resources they are holding.
From there, you can try to determine which process is causing the deadlock and take steps to resolve the issue.

11. Can you explain how virtual memory works?
Virtual memory is a memory management technique that is used by operating systems to provide each process with its own private address space. 
This address space is created by the operating system when the process is created, and it is destroyed when the process is terminated. 
The process can only access the memory within its own address space.

12. What is the Global Descriptor Table (GDT) and why is it necessary to use one?
The Global Descriptor Table is a data structure used by the Intel x86 architecture to define the characteristics of the various segments in a program’s address space. 
The GDT is necessary to use because it provides a way for the processor to keep track of the various segments in a program’s address space.
Without the GDT, the processor would not be able to properly handle the different segments in a program’s address space.

13. Can you explain what page tables are?

Page tables are a data structure used by the operating system to store information about the virtual memory of a process. 
This information includes the mapping of virtual addresses to physical addresses, as well as other information about the memory such as permissions and caching.

14. When might you encounter a “page fault” error message?

A page fault error message can occur when a process tries to access a page of memory that is not currently mapped to any physical memory.
This can happen if the process is trying to access a page that has been swapped out to disk,
or if the process is trying to access a page that does not exist.

15. What happens when a program tries to access a resource that it doesn’t have permission to access?

When a program tries to access a resource that it doesn’t have permission to access, Windows will generate a security exception.
This exception will be caught by the Windows kernel, which will then invoke the security subsystem.
The security subsystem will determine whether or not the program should be allowed to access the resource, and if not, will block the program from accessing it.

16. What is a Thread Control Block (TCB)?

A Thread Control Block (TCB) is a data structure in the Windows operating system that contains information about a particular thread.
This information includes the thread’s identifier, its priority, its scheduling information, and its current state.
The TCB is used by the operating system to keep track of threads and to ensure that they are properly scheduled and managed.

18. Can you give me some examples of different types of hard disk partitions available on Windows?

There are three main types of hard disk partitions available on Windows: primary, extended, and logical.
A primary partition is the first partition on a hard drive and is typically used to store the operating system.
An extended partition is a partition that can be used to store multiple logical partitions.
A logical partition is a partition that is contained within an extended partition.

19. What is the architecture of Windows file systems like NTFS or FAT32?

The Windows file system architecture is designed around the concept of a file system driver. 
This driver is responsible for providing access to the file system, and it is typically implemented as a kernel-mode device driver. 

20. What is the Registry and what is its purpose?
The Registry is a database that stores configuration settings and options for the Windows operating system and for applications that run on Windows.


https://climbtheladder.com/windows-internals-interview-questions/
