ITS 3250 - Securing Systems

Security Strategies in Windows...
Chapters 5 and 6

This lesson presents an introduction to Windows and malware, as well as group policy controls. Objectives important to this lesson:

  1. Review of malware types
  2. Antivirus and anti-spyware
  3. Updating protective software
  4. Maintaining, scanning, and auditing
  5. Tools for removing malware, and best practices

  6. Group policy
  7. Group policy and security policy
  8. Group policy objects in the registry
  9. Group policy objects in active directory
  10. Creating and using group policy controls
  11. Auditing/managing group policy controls
Chapter 5

The chapter opens with a good transition. Most of the text, so far, has talked about protection from unauthorized users/hackers. This chapter is about protection from malware, software whose purpose is to do something we don't want done to our data, programs, workstations, servers, and/or network. The text tells us that malware often has one or more of three purposes:

  • disrupt operations
  • gather (sensitive) information
  • gain access to restricted resources

This list is not exhaustive, but it applies to many malware programs.

The text goes into some detail about five types of malware. The first two are there to viruses and worms.

  • viruses - A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. Others have been extremely destructive
  • worms - Once it is started, a worm can replicate itself across connected computer systems by itself. It does not need a carrier. A worm can attack any running computer that is connected to a network that an infected computer is on. It does not require cooperation from the user. Worms are more dangerous due to their self driven nature. Once a worm is detected in a system, each device on the network must be scanned for it, cleaned if necessary, and prevented from accessing the network until this is done. Until that cleaning is done, you run the risk of continued propagation of the worm.

The text discusses three more types that are notable for their method of hiding from a user or an investigator, and one more that hides more than itself.

  • Trojan horse - Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.
  • rootkit - A rootkit replaces operating system files with its own. The rootkit obtains elevated privileges to carry out its stealth actions by impersonating files that run in kernel mode. By impersonating OS files, the rootkit opens a door for lots of other malware. How? Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want? That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware that it loads, doing whatever it wants on the other side.
  • spyware - Spyware is typically a program that loads with another program that the user wants. It may, or may not, be a separate file. It gathers information about the user, which it reports to its home base.
  • ransomware - Ransomware hides itself, but also announces its intentions, which are to demand a payment from the user, If the payment is not made, files that the ransomware has already encrypted (which could be the entire hard drive) will be deleted, or will remain encrypted until a higher payment is made later. The user is led to believe that they have no other recourse, which may not be true, and that their computer will be restored if the ransom is paid, which also may not be true.

On page 100, the text turns to thoughts about defense. It begins with a warning that a virus can come in an email, on a memory stick, on a disc, or by any other means that adds a new file to it. Network connection is not the only way to pass a virus. This is worth remembering, as is the advice to clean everything that is or has been in contact with a computer that has been infected.

Antivirus software is highly recommended. There are many well known vendors. The text lists ten brands on page 101. A slightly different list of ten brands is reviewed in this article from PC Magazine. I have enjoyed their reviews for many years. The text explains that most antivirus products examine files and processes in memory for similarities to the code signatures of known viruses. If you buy and install an antivirus product, you typically have a one year subscription to their updated signature files which should be downloaded to your computer frequently to maintain the best protection available for that product.

Some products also feature heuristic scanning, which means that the antivirus program can look for activity in the system that matches the know activities of viruses. This is different from looking for a similarity to a known program itself. It offers a second line of defense that can be valuable.

The text also discusses anti-spyware software. This kind of software looks mainly for spyware. The text discusses products that do only this service, but it is also available as a feature of some multi-featured security products.

In both cases, these protective software products mainly guard against known threats. A new virus that exploits an unknown exploit might not be detected by such a product. The text refers to an attack from such a virus as a zero-day attack, meaning that victims, and the world in general, have had zero days of notice about the exploit. For this reason, it is best to update your antivirus and anti-adware signature files every time there is an update from your vendor. It is also important to practice safe computing: do not expose your computer to hazards that can be avoided.

  • Configure your protective software to scan new files that are added or downloaded to your computer. Your text refers to this as using the shield function of the product.
  • Run regular scans on the entire hard drive.
  • Update signature files often, but be aware that a new signature file means that a new exploit may have been attacking computers for an unspecified amount of time.
  • Review items that the protective software has placed in the vault (or quarantine) area it has set aside for detected threats. Files in this area are not trophies. They are live threats stored in a part of the hard drive where they, theoretically, cannot be executed. This area is available for examination by forensic staff who are looking for clues or data about the infection.
  • Consult the website of your vendors for data about known exploits, new updates, and new signature files to protect against recent attacks.

When there has been a successful infection of a machine under your protection or responsibility, try the procedure listed on page 106:

  1. Disconnect the affected computer from the network. This means wired and wireless connections.
  2. Use a clean computer to download a cleaning tool from a trusted vendor. Install or save it on removable media.
  3. Use the removable media to run or install the cleaning tool on the infected computer.
  4. Scan, quarantine, and clean the infected computer if all three are possible.
  5. Follow special instructions for the situation at hand. In the early days of a new virus, it is less likely that a simple scan and clean will be all you need to do.

You should review the points on page 107 about keeping your environment as clean as possible. Consider the restrictions that are recommended, and discuss them with the class.

Chapter 6

Chapter 6 begins with an introduction to Windows Group Policy. We are told that it is a feature of Windows that allows central control of users and computers. Local Group Policy applies only to the particular computer where it is set. On a network, an Active Directory Group Policy is stored in a Group Policy Object. It can apply to multiple computers and users. This is the main focus of the chapter.

We are told a computer will check for Group Policy Objects (GPOs) that relate to it when it starts Windows, and will check for updates at intervals between 90 and 120 minutes. This is a pull technology done on the computer. The text tells us, however, that Windows Server 2012 (and later) can effectively push a policy to an affected computer by running Remote Group Policy Update. It can tell affected computers about a new policy within about 10 minutes of the policy's creation, causing the computers to update themselves. The text compares this feature to the fact that older versions of Windows used associated scripts with users. These scripts were run at boot time, or when logging in to a network. Such scripts ran only the one time during a work session, but a policy can be updated during a work session, and it will be applied relatively soon.

Page 113 provides a link to a Microsoft reference file about available policy settings.
(I downloaded a copy. There are over four thousand of them. I have added a link to a copy saved in Canvas on the Reading Assignment for Modules 3 and 4 for this class.)
On the same page, there is a much more digestible list of eleven setting categories that you may find useful in administering and securing a system.

The text informs us that a GPO may be linked to an Organizational Unit, a user, or a computer to be active. It must be linked to at least one of those, or it will not apply to any object in AD. Usually, you will put computers and users in OUs that make sense for your organization, then link appropriate GPOs to them. The text also discusses how GPOs relate to security policy in your environment. It portrays security policies as rules that apply to some or all of your users and computers. It explains that some default GPO settings may meet some or all of your organization's rules. If so, there would be no immediate need to create more GPOs. On the other hand, you are likely to find that some rules must be applied to particular users, which means that those users should be placed in an appropriate OU, and that a GPO should be created and linked to that OU so that its rules can apply to the users.

To make the situation more flexible, page 115 explains that the scope of a GPO can be set at four levels:

  • local GPOs - these apply only to a local computer
  • site GPOs - these are defined in AD, and they apply to a site (probably defined as an OU)
  • domain GPOs - these are also defined in AD, and they are for rules that apply across an entire domain
  • organizational unit GPOs - defined in AD, they hold rules that apply within a particular OU

The text wants us to know that if GPOs exist at each of the above levels, they are evaluated in the order local, site, domain, then OU GPOs. GPOs at each evaluation level can override GPOs at a previous evaluation level.

To make things more complicated, Windows can (and does) save some policy settings in the Registry, its famously dangerous database. They are under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE. Note that the user settings apply to the user, but the machine settings apply to all users who might use the computer having the setting. The text gives us some brief instructions about two editor tools for settings in the Registry.

On page 117, the text gives you instructions to open the Local Group Policy Editor, gpedit.msc. (You will probably need administrative rights to do so.) This is the recommended tool to view and edit policies that are stored in the Registry.

Local Group Policy Editor

The text also discusses editing Group Policy settings with the Registry Editor, regedit.exe. It is not as user friendly as the Group Policy Editor. In fact, the Microsoft help desk has been known to refuse service to callers who admit to having used the Registry Editor to change settings.

The text moves on to an editor with a larger scope on page 120. The Group Policy Management Console (GPMC) is run on a domain controller to set policies that are stored in Active Directory. Again, you need to do this with an ID with sufficient rights. As explained earlier, when a user logs in to a domain, the system finds GPOs that apply to that user, computer, or OU containing either, and sends them to that computer. The computer also checks for changes or new GPOs in AD at regular time intervals.

The text changes the information it gave us earlier on page 123, telling us that an AD GPO won't do anything until it is linked to a container. This is not totally accurate, but it is reasonable. You make a policy in AD to apply it to more than one object, so it makes sense to link the policy to a container that holds all of the objects you want to affect. To make things flexible again, the text mentions that a container can have multiple GPOs linked to it, and that a GPO can be linked to multiple containers. This makes sense as well, since you may want to affect the objects in several containers with one GPO, but you may want each of those containers to be controlled by a specific version of another GPO. The text explains that linking a GPO to a container is easy:

  1. In the GPMC, select a container.
  2. Right-click the container.
  3. Select "Link an Existing GPO".
  4. Find and click the desired GPO.
  5. Click OK.

On page 124, the text reminds of the order in which the four mentioned types of GPOs are applied to objects. The list is repeated, so let's vary it a bit:

  • local GPOs affect only one computer and users on it
  • site GPOs override local GPOs
  • domain GPOs override site and local GPOs
  • OU GPOs override domain, site, and local GPOs

The text cautions us to remember this because troubleshooting often involves why a GPO is not having the desired effect. Plan your AD structure to work with as few GPOs as you can.

The next concept seems to be inheritance, but it is not really about that. The text tells us that a GPO that is linked to an OU will be applied to all user and computer objects in that OU. The point is that you may want to block that GPO for some objects, so you can use a security filter to do so, but not as you might think. The text offers a process on page 125 to create a security filter for a GPO linked to an OU. The most important part of the process is the user or group you add to the filter. That is the user or group who the policy will apply to. The filter is an allow filter, not a deny filter. The lesson is clearer in this video from YouTube.

In the video, you should see that the process is simple. You should also see the lesson in the Warning box on page 125. That lesson is that there will be a group added to the filter by default. The group is Authenticated Users. This means that the GPO would apply to any user who has authenticated to AD, which is a lot more users that you probably meant to benefit from the GPO. Follow the advice in the text and the video: remove this group from the Security Filtering list.

Authenticate Users in Filter box

On page 126, the text presents another kind of filter that is more powerful than a Security Filter. A Windows Management Instrumentation (WMI) filter can check  features of devices and apply a GPO if desired feature is present. In the example in the text, we see a filter that only applies the GPO if a computer is running a particular version of Windows 7. Page 128 presents a procedure to create a WMI filter in the GPMC utility.

Page 128 also describes using the Group Policy Update tool to push new or changed GPOs when you must do so. Group Policy Update (gpupdate.exe) is a command line utility, so it is not very pretty. For more information on it, follow this link to a Microsoft article about its use.

The chapter concludes with two tools that can be used to audit the policies in a system.

  • Group Policy Inventory - This tool can be downloaded from Microsoft. Its filename is gpinventory.exe. It is meant to take an inventory of GPOs in your system. Its output can be opened in Excel.
  • Resultant Set of Policy (RSOP) - This is a utility that tells you the effect of applying a policy to a particular user. Its filename is rsop.msc.


Assignments for these chapters will be found in Canvas. We will explore that in class.