-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwindowsTHM-1
172 lines (82 loc) · 8.55 KB
/
windowsTHM-1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
## Windows Notes
The file system used in modern versions of Windows is the New Technology File System or simply NTFS.
Before NTFS, there was FAT16/FAT32 (File Allocation Table) and HPFS (High Performance File System).
You still see FAT partitions in use today. For example, you typically see FAT partitions in USB devices, MicroSD cards, etc. but traditionally not on personal Windows computers/laptops or Windows servers.
NTFS is known as a journaling file system. In case of a failure, the file system can automatically repair the folders/files on disk using information stored in a log file. This function is not possible with FAT.
NTFS addresses many of the limitations of the previous file systems; such as:
Supports files larger than 4GB
Set specific permissions on folders and files
Folder and file compression
Encryption (Encryption File System or EFS)
If you're running Windows, what is the file system your Windows installation is using? You can check the Properties (right-click) of the drive your operating system is installed on, typically the C drive (C:\).
You can read Microsoft's official documentation on FAT, HPFS, and NTFS here.
Let's speak briefly on some features that are specific to NTFS.
On NTFS volumes, you can set permissions that grant or deny access to files and folders.
The permissions are:
Full control
Modify
Read & Execute
List folder contents
Read
Write
The below image lists the meaning of each permission on how it applies to a file and a folder. (credit Microsoft)
How can you view the permissions for a file or folder?
The Windows folder (C:\Windows) is traditionally known as the folder which contains the Windows operating system.
The folder doesn't have to reside in the C drive necessarily. It can reside in any other drive and technically can reside in a different folder.
This is where environment variables, more specifically system environment variables, come into play. Even though not discussed yet, the system environment variable for the Windows directory is %windir%.
Per Microsoft, "Environment variables store information about the operating system environment. This information includes details such as the operating system path, the number of processors used by the operating system, and the location of temporary folders".
There are many folders within the 'Windows' folder. See below.
One of the many folders is System32.
The System32 folder holds the important files that are critical for the operating system.
You should proceed with extreme caution when interacting with this folder. Accidentally deleting any files or folders within System32 can render the Windows OS inoperational. Read more about this action here.
Note: Many of the tools that will be covered in the Windows Fundamentals series reside within the System32 folder.
Right-click the file or folder you want to check for permissions.
From the context menu, select Properties.
Within Properties, click on the Security tab.
In the Group or user names list, select the user, computer, or group whose permissions you want to view.
In the below image, you can see the permissions for the Users group for the Windows folder.
Refer to the Microsoft documentation to get a better understanding of the NTFS permissions for Special Permissions.
https://learn.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview
Another feature of NTFS is Alternate Data Streams (ADS).
Alternate Data Streams (ADS) is a file attribute specific to Windows NTFS (New Technology File System).
Every file has at least one data stream ($DATA), and ADS allows files to contain more than one stream of data. Natively Window Explorer doesn't display ADS to the user. There are 3rd party executables that can be used to view this data, but Powershell gives you the ability to view ADS for files.
From a security perspective, malware writers have used ADS to hide data.
Not all its uses are malicious. For example, when you download a file from the Internet, there are identifiers written to ADS to identify that the file was downloaded from the Internet.
To learn more about ADS, refer to the following link from MalwareBytes here.
https://www.malwarebytes.com/blog/101/2015/07/introduction-to-alternate-data-streams
If you click on it, a Settings window should now appear. See below.
Since you're the Administrator, you see an option to Add someone else to this PC.
Note: A Standard User will not see this option.
Click on the local user account. More options should appear: Change account type and Remove.
Click on Change account type. The value in the drop-down box (or the highlighted value if you click the drop-down) is the current account type.
When a user account is created, a profile is created for the user. The location for each user profile folder will fall under is C:\Users.
For example, the user profile folder for the user account Max will be C:\Users\Max.
The creation of the user's profile is done upon initial login. When a new user account logs in to a local system for the first time, they'll see several messages on the login screen. One of the messages, User Profile Service, sits on the login screen for a while, which is at work creating the user profile. See below.
Once logged in, the user will see a dialog box similar to the one below (again), indicating that the profile is in creation.
Each user profile will have the same folders; a few of them are:
Desktop
Documents
Downloads
Music
Pictures
Another way to access this information, and then some, is using Local User and Group Management.
Right-click on the Start Menu and click Run. Type lusrmgr.msc. See below
Note: The Run Dialog Box allows us to open items quickly.
Back to lusrmgr, you should see two folders: Users and Groups.
If you click on Groups, you see all the names of the local groups along with a brief description for each group.
Each group has permissions set to it, and users are assigned/added to groups by the Administrator. When a user is assigned to a group, the user inherits the permissions of that group. A user can be assigned to multiple groups.
Note: If you click on Add someone else to this PC from Other users, it will open Local Users and Management.
The large majority of home users are logged into their Windows systems as local administrators. Remember from the previous task that any user with administrator as the account type can make changes to the system.
A user doesn't need to run with high (elevated) privileges on the system to run tasks that don't require such privileges, such as surfing the Internet, working on a Word document, etc. This elevated privilege increases the risk of system compromise because it makes it easier for malware to infect the system. Consequently, since the user account can make changes to the system, the malware would run in the context of the logged-in user.
To protect the local user with such privileges, Microsoft introduced User Account Control (UAC). This concept was first introduced with the short-lived Windows Vista and continued with versions of Windows that followed.
Note: UAC (by default) doesn't apply for the built-in local administrator account.
How does UAC work? When a user with an account type of administrator logs into a system, the current session doesn't run with elevated permissions. When an operation requiring higher-level privileges needs to execute, the user will be prompted to confirm if they permit the operation to run.
Let's look at the program on the account you're currently logged into, the built-in administrator account—Right-click to view its Properties.
In the Security tab, we can see the users/groups and their permissions to this file. Notice that the standard user is not listed.
Log in as the standard user and try to install this program. To do this, you can remote desktop into the machine as the standard user account.
Note: You have the username and password for the standard user. It's visible in lusrmgr.msc.
Before installing the program, notice the icon. Do you see the difference? When you're logged in as the standard user, the shield icon is on the program's default icon. See below.
This shield icon is an indicator that UAC will prompt to allow higher-level privileges to install the program.
Double-click the program, and you'll see the UAC prompt. Notice that the built-in administrator account is already set as the user name and prompts the account's password. See below.
After some time, if a password is not entered, the UAC prompt disappears, and the program does not install.
This feature reduces the likelihood of malware successfully compromising your system. You can read more about UAC here.