Journey through Cybersecurity: Security Tools, Protocols, and Practices in Windows

This entry is the first in a series of my summaries of learning and reviewing materials.

Over the past two years, I have delved into the world of cybersecurity, learning both theory and practice.

I would like to summarize a few chapters of the course that I have completed and whose material I am repeating and studying again.

Today's post will cover the Windows system and its security.

My experiences and discoveries in this area are fascinating, and the knowledge I have gained is invaluable.

In this post, I would like to share what I have learned about various aspects of Windows, including command line tools, drive mapping, user account management, DNS, DHCP, GPO, SMB, NTFS, PowerShell, Active Directory, and a bit about Endpoint Security.

Command Line Tools

I started by learning the basic Windows command line tools, such as control.exe for opening the Control Panel, sysdm.cpl for system properties, ncpa.cpl for network settings, eventvwr for viewing system events, msconfig for system configuration, and many others. These tools have allowed me to better understand and manage Windows.

However, I only discovered PowerShell here; earlier (in technical school and college) I used cmd. Managing Active Directory from this level can be a lot of fun and very satisfying!

PowerShell syntax: VERB-NOUN

$PSVersionTable # Shows the PowerShell version
Get-Process -Name explorer # Retrieves information about the 'explorer' process
Get-Process | Where-Object {$_.Name -eq 'explorer'} # Filters processes by name 'explorer'
Get-Service | Where-Object {$_.Status -eq 'Running'} # Lists services with status 'Running'
Get-Service | Where-Object {$PSItem.Status -ne 'Stopped'} # Lists services not stopped ($PSItem is the same as $_)
Restart-Service WinRM # Restarts the Windows Remote Management service
$creds = Get-Credential # Prompts for user credentials and stores them as a PSCredential
$sess = New-PSSession -Credential $creds -ComputerName DC1 # Creates a new PowerShell session on computer DC1
Enter-PSSession $sess # Enters an interactive session with DC1 (Exit-PSSession to leave)
Invoke-Command -Session $sess -ScriptBlock {whoami; hostname} # Executes commands remotely on DC1
Get-PSSession -Id $sess.Id # Retrieves details of the session connected to DC1 (Get-PSSession alone lists all sessions)
Remove-PSSession $sess # Removes the session connected to DC1
Import-Module <ModuleName> # Imports a PowerShell module into the session (see below)
Get-Process | ForEach-Object {Write-Host $_.Name -ForegroundColor Yellow} # Lists process names in yellow text

Import-Module

The "Import-Module" command loads a module into the current PowerShell session, which makes the additional commands and functions defined in that module available. This is particularly useful for advanced system management, task automation, or access to specialized functions and APIs. For example, an administrator who wants to manage Active Directory services can run Import-Module ActiveDirectory to add the Active Directory-specific cmdlets to their session.

Import-Module ActiveDirectory

PowerSploit is a collection of PowerShell scripts designed for penetration-testing tasks such as network reconnaissance, information gathering, privilege escalation and evading detection.

https://github.com/PowerShellMafia/PowerSploit

https://www.kali.org/tools/powersploit/

A simple script for adding Active Directory users from a CSV file.

Import-Module ActiveDirectory

New-ADOrganizationalUnit -Name 'Bulk' -Path 'DC=cyber,DC=local'
New-ADGroup -Name 'Bulk-GRP' -GroupCategory Security -GroupScope Global -Path 'OU=Bulk,DC=cyber,DC=local'

# Expected CSV columns: "First Name", "Last Name", "SAMAccountName", "Password".
# The file holds initial passwords in plain text, so restrict access to it and delete it after the import.
$users = Import-Csv -Path 'C:\Users\Administrator\Desktop\users.csv'
$OU = 'OU=Bulk,DC=cyber,DC=local'

foreach ($user in $users)
{
    $UserFirstName = $user.'First Name'
    $UserLastName  = $user.'Last Name'
    $DisplayName   = $UserFirstName + ' ' + $UserLastName
    $SAM           = $user.'SAMAccountName'
    $UPN           = $SAM + '@cyber.local'   # sAMAccountName is unique; a first-name-only UPN collides as soon as two users share a first name
    $Password      = $user.'Password'

    # -Name becomes the CN and must be unique within the OU, so the full display name is used rather than the first name
    New-ADUser -Name $DisplayName -DisplayName $DisplayName -SamAccountName $SAM `
        -UserPrincipalName $UPN -GivenName $UserFirstName -Surname $UserLastName `
        -Department 'Bulk' -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
        -Enabled $true -Path $OU -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity 'Bulk-GRP' -Members $SAM
}

Write-Host '---------Users in bulk----------'
Write-Host '-------------------'
Get-ADUser -Filter * -SearchBase $OU
Write-Host '-------------------'
Get-ADGroupMember -Identity 'Bulk-GRP'

Networks and User Management

SAM (Security Accounts Manager): A key component of the Windows operating system that stores user credentials. Understanding the role of the SAM database was an important step for me in understanding how the system manages authentication.

AD DS (Active Directory Domain Services), DC (Domain Controller), ADUC (Active Directory Users & Computers), OU (Organizational Unit): These are the backbone of identity and access management in a Windows environment. I learned how to configure domains, control access to resources and manage users in a centralized way.

PowerShell commands used to configure a DHCP server in a Windows Server environment:

Add-DhcpServerv4Scope -Name '10.0.0.0' -StartRange 10.0.0.11 -EndRange 10.0.0.253 -SubnetMask 255.255.255.0 # Adds a DHCP scope for the 10.0.0.0 network
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsServer 10.0.0.1 -DnsDomain cyber.local -Router 10.0.0.254 # Sets the DNS server, DNS domain and default gateway options for the 10.0.0.0 scope
Add-DhcpServerInDC -DnsName core1.cyber.local # Authorizes the DHCP server in Active Directory
Get-DhcpServerv4Scope | Select-Object -Property Name, ScopeId, StartRange, EndRange, State # Lists the main properties of each DHCP scope

Security and Policy Management - GPO

Group Policy Objects (GPO) allow you to centrally manage system and application settings in a domain environment. Working with GPO showed me how to effectively manage configuration and security on multiple computers at the same time.

Invoke-GPUpdate -Force # Forces a Group Policy update on the local computer

By default, Group Policy is refreshed at regular intervals (every 90 minutes, with a random offset of up to 30 minutes) and at system startup. The Invoke-GPUpdate -Force command lets you skip this interval and apply policy changes immediately. While experimenting with and changing GPOs, I use this command very often, so it is worth knowing and remembering.

Group Policy is complex for at least two reasons:

  1. Scope and detail of configuration (detailed configuration management of the operating system, client software, security policies, user and computer settings)

  2. Hierarchy and inheritance (from individual objects (computers or users), through organizational units (OU), to entire domains and forests)

For more information:
https://www.manageengine.com/products/active-directory-audit/kb/best-practices/best-group-policy-settings.html

https://www.netwrix.com/group_policy_best_practices.html

https://public.cyber.mil/stigs/gpo/

Improperly configured GPOs can inadvertently expose systems to security risks or allow users to access resources they shouldn't have access to.
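As an added example (not code from the original post), the following script audits the hierarchy and inheritance point above for one OU, so a disabled link, a blocked inheritance or a GPO with all settings disabled is visible before it causes exposure, and then pushes the result with Invoke-GPUpdate. It assumes the GroupPolicy and ActiveDirectory RSAT modules and the 'OU=Bulk,DC=cyber,DC=local' path used elsewhere in this post.

```powershell
# Added example: Group Policy audit for one OU (assumes RSAT GroupPolicy + ActiveDirectory modules).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuGpoAudit {
    param([Parameter(Mandatory)][string]$Target)

    $inh = Get-GPInheritance -Target $Target

    # Links set directly on this container; among these, Order 1 has the highest precedence.
    $direct = foreach ($l in $inh.GpoLinks) {
        $gpo = Get-GPO -Guid $l.GpoId
        [pscustomobject]@{
            Name      = $l.DisplayName
            Order     = $l.Order
            Enabled   = $l.Enabled      # a disabled link is still listed and easily mistaken for an active one
            Enforced  = $l.Enforced     # enforced links cannot be overridden by child OUs
            GpoStatus = $gpo.GpoStatus  # AllSettingsDisabled means the GPO applies nothing
        }
    }

    # The links Group Policy actually applies here, in the precedence order
    # Get-GPInheritance reports, including those inherited from parent OUs and the domain.
    $effective = $inh.InheritedGpoLinks | Select-Object DisplayName, Order, Enforced, Target

    [pscustomobject]@{
        Target             = $inh.Path
        InheritanceBlocked = $inh.GpoInheritanceBlocked   # when $true only Enforced parent links still apply
        DirectLinks        = @($direct)
        EffectiveLinks     = @($effective)
    }
}

# After fixing a link, refresh every computer in the OU instead of waiting for
# the 90-minute cycle described above.
function Update-OuGroupPolicy {
    param([Parameter(Mandatory)][string]$Target)
    Get-ADComputer -Filter * -SearchBase $Target | ForEach-Object {
        Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0
    }
}

Get-OuGpoAudit -Target 'OU=Bulk,DC=cyber,DC=local' | Format-List
```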

Endpoint Security

  1. BitLocker

    This is a disk encryption tool available on Windows systems starting with the Professional edition. BitLocker uses the AES (Advanced Encryption Standard) algorithm with 128- or 256-bit keys. For additional security, BitLocker requires a TPM (Trusted Platform Module) on the device, which allows encryption keys to be stored securely. Disk encryption provides a protective barrier against tools such as Kon-Boot and NTPasswd, which can be used to bypass the Windows login screen.
    https://adamtheautomator.com/ntpasswd/
    https://pogostick.net/~pnh/ntpasswd/

  2. WinPE (Windows Preinstallation Environment)

    It is a lightweight version of Windows mainly used for Windows installation, data recovery and service tasks. It can also be used to run diagnostic and repair tools before the main operating system starts.
    https://recoverit.wondershare.com/windows-pe/what-is-windows-pe-and-how-it-works.html

  3. AppLocker

    This is an application control mechanism that allows administrators to specify which applications are allowed to run on devices on the network. This helps prevent unauthorized or potentially harmful software from running, which is an important part of your defense strategy against malware and attacks.
    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker

  4. Windows Firewall
    This is a built-in firewall that helps protect devices from unauthorized access. The firewall allows you to filter network traffic to and from your device based on defined rules, which is a key element of protecting your network against unwanted connections.

    https://www.digitalcitizen.life/5-reasons-why-windows-firewall-one-best-firewalls/

  5. certmgr.msc
    This is a certificate management tool that allows you to view, export, import and delete certificates used by your system and applications. Certificate management is important to ensure the integrity and confidentiality of data transferred between devices and applications.
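To turn the list above into something checkable, here is an added example (not from the original post) that reads the state of each control on the local machine and returns the findings instead of just printing them. It assumes an elevated session on a Windows Pro/Enterprise client with the built-in TrustedPlatformModule, BitLocker, AppLocker and NetSecurity modules; the AES-256 and 30-day certificate thresholds are my own choices.

```powershell
# Added example: read-only endpoint posture check (assumes built-in Windows modules, run elevated).
function Get-EndpointPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM: the default BitLocker key protector is sealed to it
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $findings.Add('TPM not present') }
    elseif (-not $tpm.TpmReady) { $findings.Add('TPM present but not ready') }

    # 2. BitLocker on the OS volume: fully encrypted, protection on, recovery password escrowed
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.VolumeStatus -ne 'FullyEncrypted') { $findings.Add("OS volume status: $($os.VolumeStatus)") }
    if ($os.ProtectionStatus -ne 'On')         { $findings.Add('BitLocker protection is off (volume key is exposed)') }
    if ($os.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        $findings.Add('No recovery password protector: a failed TPM means lost data')
    }
    if ($os.EncryptionMethod -notmatch '256') { $findings.Add("Encryption method is $($os.EncryptionMethod), not AES-256") }

    # 3. AppLocker: rules exist and every rule collection is enforced, not audit-only
    $policy = Get-AppLockerPolicy -Effective
    if (-not $policy.RuleCollections) {
        $findings.Add('No effective AppLocker rules')
    } else {
        foreach ($rc in $policy.RuleCollections) {
            if ($rc.EnforcementMode -ne 'Enabled') {
                $findings.Add("AppLocker $($rc.RuleCollectionType) rules: $($rc.EnforcementMode)")
            }
        }
    }

    # 4. Windows Firewall: all three profiles on and blocking unsolicited inbound traffic
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True')               { $findings.Add("Firewall profile $($p.Name) is disabled") }
        if ($p.DefaultInboundAction -eq 'Allow') { $findings.Add("Firewall profile $($p.Name) allows inbound by default") }
    }

    # 5. Certificates (the machine store certmgr.msc/certlm.msc shows): anything expiring within 30 days
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
        ForEach-Object { $findings.Add("Certificate $($_.Subject) expires $($_.NotAfter.ToShortDateString())") }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Get-EndpointPosture | Format-List
```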

Network Protocol Solutions

  1. NetBIOS and LLMNR
    These are protocols used to resolve names to IP addresses on local networks. While convenient, they are vulnerable to attacks such as LLMNR/NetBIOS poisoning and SMB/LLMNR relay, which can be used to intercept data or conduct man-in-the-middle attacks.

  2. NTLM (New Technology LAN Manager)

    This is an authentication protocol used by Windows systems. Over time it was replaced by the more secure Kerberos protocol. NTLM is still used in some scenarios, so it is important to ensure that communications are secured with SMB Signing to prevent attacks.

  3. Kerberos
    I've already written about it here :)

    https://adrianjanula.hashnode.dev/what-is-kerberos-and-how-does-this-protocol-work
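The mitigations implied by items 1 and 2 above (switch off LLMNR and NetBIOS name resolution, require SMB Signing on both server and client) can be audited and, optionally, applied with the following added example, which is my code and not part of the original post. It assumes an elevated session on a domain-joined Windows machine; the registry value is the documented LLMNR policy setting, NetBIOS is configured per adapter through WMI, and SMB signing through the SmbShare module.

```powershell
# Added example: audit (and with -Remediate, fix) LLMNR, NetBIOS over TCP/IP and SMB signing.
function Test-NameResolutionHardening {
    param([switch]$Remediate)
    $issues = @()

    # LLMNR: policy value EnableMulticast = 0 turns it off; a missing value means it is on
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($llmnr -ne 0) {
        $issues += 'LLMNR enabled'
        if ($Remediate) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
        }
    }

    # NetBIOS over TCP/IP, per adapter: TcpipNetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        if ($nic.TcpipNetbiosOptions -ne 2) {
            $issues += "NetBIOS enabled on $($nic.Description)"
            if ($Remediate) {
                Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            }
        }
    }

    # SMB signing: a relayed NTLM authentication is useless against a share that requires signing,
    # so it has to be required on the server side and the client side alike
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    if (-not $srv.RequireSecuritySignature) {
        $issues += 'SMB server does not require signing'
        if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
    }
    if (-not $cli.RequireSecuritySignature) {
        $issues += 'SMB client does not require signing'
        if ($Remediate) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
    }

    [pscustomobject]@{ Hardened = ($issues.Count -eq 0); Issues = $issues }
}

Test-NameResolutionHardening | Format-List
```

In a domain these settings should be delivered by GPO rather than set by hand; the function is then a quick check that the policy actually arrived on the endpoint.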

Summary

Through hands-on experience, I learned how to use system tools, manage network and security, and how to automate tasks using PowerShell. Every aspect of my learning has influenced how I view and manage IT infrastructure. Cybersecurity is not only about protecting against threats, but also about ensuring an effective and safe working environment, which is clear to me now more than ever.

Of course, I presented the part that I liked the most and that contributed the most - PowerShell :)