Security Strategies in Windows...
Chapters 5 and 6
This lesson presents an introduction to Windows and
malware, as well as Group Policy controls. Objectives important to this lesson include:
Review of malware types
Antivirus and anti-spyware
Updating protective software
Maintaining, scanning, and auditing
Tools for removing malware, and best practices
Group policy and security policy
Group policy objects in the registry
Group policy objects in active directory
Creating and using group policy controls
Auditing/managing group policy controls
The chapter opens with a good transition. Most of the text, so
far, has talked about protection from unauthorized users and hackers. This
chapter is about protection from malware: software whose
purpose is to do something we don't want done to our data, programs,
workstations, servers, and/or network. The text tells us that malware
often has one or more of these purposes:
gather (sensitive) information
gain access to restricted resources
This list is not exhaustive, but it applies to a great deal of malware.
The text goes into some detail about five types of malware.
The first two are viruses and worms.
viruses - A virus typically
requires a carrier to infect a system, like an email attachment, an instant
message, or a program that the user runs. A virus typically has two
tasks: replicate and damage. Some viruses have historically been rather
benign, just displaying a message to the user. Others have been destructive.
worms - Once it is started, a worm can replicate
itself across connected computer systems by itself. It does not
need a carrier, and it does not require cooperation from the user. A
worm can attack any running computer that is connected to a network that
an infected computer is on. Worms are more dangerous because of
their self-driven nature. Once a worm is detected on a system, each
device on the network must be scanned for it, cleaned if necessary, and
kept off the network until this is done. Until that
cleaning is done, you run the risk of continued propagation of the worm.
The text discusses three more
types that are notable for their method of hiding from a user or an
investigator, and one more, ransomware, that hides the user's own data as well as itself.
Trojan horse - Trojan horse
programs are named for the myth of the wooden horse
that was used to smuggle Greek soldiers inside the walls of Troy. A
program of this sort has two aspects: what we are told it does, and
what it actually does. In some cases, Trojans may do
what they say, but they also have a hidden malicious purpose, which is
what puts them in this category. A classic ploy used by Trojans is to
pretend not to be a program at all. The text gives an example of a file
that has a .exe extension, but the characters .docx occur in the name
immediately before it, as in report.docx.exe. If a Windows computer is using the default
(idiotic!) Explorer setting, "Hide extensions for known file types", the actual .exe extension will be hidden
from the user, the file will be listed as report.docx, and the user may think it is only a Word document. Double-clicking it runs the program.
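As an added example (mine, not the textbook's), here is a PowerShell snippet that turns the extension-hiding setting off for the current user and then hunts the usual landing zones for mail and browser downloads for double-extension files. The list of document-looking and executable extensions, and the folders scanned, are assumptions chosen for the example; extend them for your environment.

```powershell
# Added example, not from the textbook: show real extensions and hunt for
# "double-extension" files such as report.docx.exe.

# 1. Tell Explorer to stop hiding extensions for known file types.
#    HideFileExt = 1 (the default) is what makes report.docx.exe look like report.docx.
#    This is the current user's setting; Explorer picks it up after it restarts.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Look for files whose visible name ends in a document-style extension but
#    whose real extension is something Windows will execute. Both lists are
#    assumptions for this example.
$docLike  = 'docx?|xlsx?|pptx?|pdf|txt|jpe?g|png|zip'
$execLike = 'exe|scr|com|pif|bat|cmd|vbs|js|jse|wsf|ps1|lnk|hta'
$pattern  = "\.($docLike)\.($execLike)$"

function Find-DoubleExtension {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Pattern = $pattern
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                FullName    = $_.FullName
                VisibleName = $_.BaseName      # what Explorer shows when HideFileExt = 1
                RealExt     = $_.Extension     # the extension that actually decides what runs
                Bytes       = $_.Length
                Modified    = $_.LastWriteTime
                # A Zone.Identifier stream means the file came from the Internet or mail.
                FromWeb     = [bool](Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
            }
        }
}

# Inspect the places where attachments and downloads usually land (assumed folders).
Find-DoubleExtension -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
Find-DoubleExtension -Path "$env:TEMP" | Format-Table -AutoSize
```

Anything the function lists deserves a look before anyone double-clicks it; the VisibleName column is exactly what the victim would have seen.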
rootkit - A rootkit replaces or hooks operating system components
with its own code. The rootkit obtains elevated privileges
to carry out its stealth actions by impersonating
files that run in kernel mode. Once it is inside the OS, the rootkit
opens a door for lots of other malware. How? Have you
ever seen a movie about a robbery in which the robbers send false
information to security staff (like a video loop) that shows
all is well, while the robbers proceed to steal whatever they want?
That's kind of what a rootkit does. The rootkit assumes the role of a
trustworthy part of the operating system. It stands between the user
and security software on one side, and the other malware
that it loads on the other side, answering their questions about files,
processes, and network connections with edited results so that neither
the rootkit nor its passengers show up.
spyware - Spyware is typically a program that loads
with another program that the user wants. It may, or may not, be a
separate file. It gathers information about the user, which it reports
to its home base.
ransomware - Ransomware hides itself while it works, but then
announces its intentions, which are to demand a payment from the user.
If the payment is not made, files that the ransomware has already
encrypted (which could be the entire hard drive) will be deleted, or
will remain encrypted until a higher payment is made later. The user is
led to believe that they have no other recourse, which may not be true,
and that their computer will be restored if the ransom is paid, which
also may not be true. The recourse that usually does exist is a backup
that the ransomware could not reach, which is why offline or otherwise
isolated backups matter.
On page 100, the text turns to thoughts about defense. It
begins with a warning that a virus can come in an email, on a memory
stick, on a disc, or by any other means that adds a new file to the computer.
A network connection is not the only way to pass a virus. This is worth
remembering, as is the advice to clean everything that is or has been
in contact with a computer that has been infected.
Antivirus software is highly recommended. There are
many well known vendors. The text lists ten brands on page 101. A
slightly different list of ten brands is reviewed in this
article from PC Magazine. I have enjoyed their reviews for many
years. The text explains that most antivirus products examine files and
processes in memory for similarities to the code signatures of
known viruses. If you buy and install an antivirus product, you
typically have a one year subscription to their updated signature files,
which should be downloaded to your computer frequently to maintain the
best protection available for that product.
Some products also feature heuristic scanning, which means
that the antivirus program can look for activity in the system that
matches the known behavior of viruses, such as a process that rewrites
other executables or encrypts files in bulk. This is different from looking
for a similarity to a known program itself. It offers a second line of
defense that can be valuable, because it can catch a sample for which no
signature exists yet.
The text also discusses anti-spyware software. This
kind of software looks mainly for spyware. The text discusses products
that do only this service, but it is also available as a feature of
some multi-featured security products.
In both cases, these protective software products mainly guard
against known threats. A new virus that exploits a previously
unknown vulnerability might not be detected by such a product. The text
refers to an attack from such a virus as a zero-day attack,
meaning that victims, and the world in general, have had zero days of
notice about the exploit. For this reason, it is best to update your
antivirus and anti-spyware signature files every time there is an update
from your vendor. It is also important to practice safe computing:
do not expose your computer to hazards that can be avoided.
Configure your protective software to scan new files that
are added or downloaded to your computer. Your text refers to this as
using the shield function of the product; vendors also call it
real-time or on-access protection.
Run regular scans on the entire hard drive.
Update signature files often, but be aware that a
new signature file means that a new exploit may have been attacking
computers for an unspecified amount of time before the signature existed.
Review items that the protective software has placed in the
vault (or quarantine) area it has set aside
for detected threats. Files in this area are not trophies. They are
live threats stored in a part of the hard drive where they,
theoretically, cannot be executed. This area is available for
examination by forensic staff who are looking for clues or data about the infection.
Consult the website of your vendors for data about known
exploits, new updates, and new signature files to protect against them.
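The list above, done as a script for a host protected by Microsoft Defender Antivirus (an added example of mine, not from the textbook). It uses the Defender PowerShell module that ships with Windows 10/11 and Server 2016 and later; the age thresholds are assumptions for the example. Run it from an elevated PowerShell.

```powershell
# Added example, not from the textbook: audit the shield and signatures,
# update, scan, and review the quarantine on a Defender-protected host.
Import-Module Defender

function Get-ProtectionHealth {
    param([int] $MaxSignatureAgeDays = 1, [int] $MaxFullScanAgeDays = 7)   # assumed thresholds
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    [pscustomobject]@{
        ShieldOn           = $status.RealTimeProtectionEnabled   # "shield": scan files as they arrive
        BehaviorMonitorOn  = $status.BehaviorMonitorEnabled      # heuristic, activity-based detection
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        SignaturesStale    = $status.AntivirusSignatureAge -gt $MaxSignatureAgeDays
        FullScanAgeDays    = $status.FullScanAge
        FullScanOverdue    = $status.FullScanAge -gt $MaxFullScanAgeDays
        # Exclusions are exactly where malware likes to live; review them every time.
        ExcludedPaths      = ($prefs.ExclusionPath      -join '; ')
        ExcludedExtensions = ($prefs.ExclusionExtension -join '; ')
        ExcludedProcesses  = ($prefs.ExclusionProcess   -join '; ')
    }
}

$health = Get-ProtectionHealth
$health | Format-List

# Fix what the check found: turn the shield back on (tamper protection may
# refuse this on a managed machine), then pull fresh signatures from the vendor.
if (-not $health.ShieldOn)   { Set-MpPreference -DisableRealtimeMonitoring $false }
if ($health.SignaturesStale) { Update-MpSignature }

# Scan. QuickScan covers memory and the usual autostart locations; FullScan
# walks the whole disk (the "regular scan on the entire hard drive" item).
if ($health.FullScanOverdue) { Start-MpScan -ScanType FullScan } else { Start-MpScan -ScanType QuickScan }

# Review the vault. Get-MpThreatDetection gives the per-detection events and
# the files involved; Get-MpThreat gives the threat's name, severity, and state.
function Get-QuarantineReport {
    Get-MpThreatDetection | ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $threat.ThreatName
            Severity  = $threat.SeverityID          # 1 low .. 5 severe
            Executed  = $threat.DidThreatExecute    # $true means forensic staff should look closer
            Resources = ($_.Resources -join '; ')   # the files or processes that were caught
            Process   = $_.ProcessName
            Status    = $_.ThreatStatusID
        }
    }
}
Get-QuarantineReport | Sort-Object Detected -Descending | Format-Table -AutoSize
```

The Executed column is the one to read first: a quarantined file that never ran is a near miss, while one that did run means the quarantine entry is evidence, not the end of the story.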
When there has been a successful infection of a machine under
your protection or responsibility, try the procedure listed on page 106:
Disconnect the affected computer from the network.
This means wired and wireless connections.
Use a clean computer to download a cleaning tool
from a trusted vendor. Install or save it on removable media.
Use the removable media to run or install
the cleaning tool on the infected computer.
Scan, quarantine, and clean the
infected computer, if all three are possible.
Follow special instructions for the situation at
hand. In the early days of a new virus, it is less likely that a simple
scan and clean will be all you need to do.
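The same procedure scripted for a Windows host, as an added example (mine, not the textbook's). It is run from an elevated PowerShell on the infected machine itself. The evidence folder, the path of the vendor's cleaning tool on the removable drive, and the tool's command-line switch are assumptions; substitute whatever your vendor documents.

```powershell
# Added example, not from the textbook: isolate the host, record what it was
# doing, run the cleaning tool from removable media, then scan and quarantine.
$Evidence = "$env:SystemDrive\IR-$(Get-Date -Format yyyyMMdd-HHmm)"
$Tool     = 'E:\cleaner\cleaner.exe'   # assumed: copied to the USB stick from a clean PC
$ToolArgs = '/scan'                    # assumed: whatever switch the vendor documents
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Step 1: disconnect. Snapshot who the box was talking to in the second before
# the "cable is pulled", then disable every adapter, wired and wireless, and verify.
function Disconnect-Host {
    Get-NetTCPConnection -State Established |
        Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }} |
        Export-Csv -Path "$Evidence\connections.csv" -NoTypeInformation
    $wasUp = Get-NetAdapter | Where-Object Status -eq 'Up'
    $wasUp | Select-Object Name, InterfaceDescription, MacAddress |
        Export-Csv -Path "$Evidence\adapters-disabled.csv" -NoTypeInformation
    $wasUp | Disable-NetAdapter -Confirm:$false
    $stillUp = Get-NetAdapter | Where-Object Status -eq 'Up'
    if ($stillUp) { throw "Still connected: $($stillUp.Name -join ', ')" }
    return $true
}

# Step 2 happens on the clean computer (download the tool, save it to the stick).
# Step 3: run the tool from the removable media and log what it did.
function Invoke-Cleaner {
    if (-not (Test-Path $Tool)) { throw "Cleaning tool not found at $Tool; is the USB drive mounted?" }
    # Record the tool's hash so the run is reproducible and the binary is attributable.
    Get-FileHash -Path $Tool -Algorithm SHA256 | Out-File -FilePath "$Evidence\tool-hash.txt"
    $p = Start-Process -FilePath $Tool -ArgumentList $ToolArgs -Wait -PassThru
    "$(Get-Date -Format o) $Tool exited with $($p.ExitCode)" | Out-File -FilePath "$Evidence\cleaner.log" -Append
    return $p.ExitCode
}

# Step 4: scan, quarantine, and clean with the resident product as well, keeping
# the detection list as evidence. If something is still active afterwards,
# Start-MpWDOScan reboots into Windows Defender Offline so the running malware
# (a rootkit, for instance) is not in control while the disk is scanned.
function Invoke-ResidentScan {
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection | Export-Csv -Path "$Evidence\detections.csv" -NoTypeInformation
    $active = Get-MpThreat | Where-Object IsActive
    if ($active) {
        "$(Get-Date -Format o) still active: $($active.ThreatName -join ', ')" |
            Out-File -FilePath "$Evidence\cleaner.log" -Append
        Start-MpWDOScan     # reboots the machine; everything above is saved first
    }
    return -not $active
}

Disconnect-Host
Invoke-Cleaner
Invoke-ResidentScan
```

Everything written under the evidence folder is what you hand to whoever does the "special instructions" step: the connection list says where the malware was reporting to, and the hash says exactly which tool was trusted.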
You should review the points on page 107 about keeping your
environment as clean as possible. Consider the restrictions that are
recommended, and discuss them with the class.
Chapter 6 begins with an introduction to Windows Group
Policy. We are told that it is a feature of Windows that allows
central control of users and computers. Local Group Policy
applies only to the particular computer where it is set. On a network,
an Active Directory Group Policy is stored in a Group
Policy Object. It can apply to multiple computers and users. This
is the main focus of the chapter.
We are told a computer will check for Group Policy Objects
(GPOs) that relate to it when it starts Windows, and will check for
updates at intervals between 90 and 120 minutes (90 minutes plus a random
offset of up to 30 minutes, so that every computer in a domain does not
query a domain controller at the same moment). This is a pull model: the
computer asks for policy. The text tells us, however, that
Windows Server 2012 (and later) can effectively push a policy
to an affected computer by running Remote Group Policy Update from the GPMC.
It can tell affected computers about a new policy within about 10
minutes of the policy's creation, causing the computers to update
themselves. The text contrasts this with the logon scripts that older
versions of Windows associated with users. These scripts
ran at boot time, or when logging in to a network. Such scripts
ran only once during a work session, but a policy can be
updated during a work session, and it will be applied relatively soon.
Page 113 provides a link to a Microsoft reference file about
available policy settings.
(I downloaded a copy. There are over four thousand of them. I have
added a link to a copy saved in Canvas on the Reading Assignment for
Modules 3 and 4 for this class.)
On the same page, there is a much more digestible list of eleven
setting categories that you may find useful in administering and
securing a system.
The text informs us that a GPO must be linked to something to be active. In practice that something is a container: a site, a domain, or an Organizational Unit (OU). Users and computers are not linked to GPOs directly; they receive a GPO because they sit in a container it is linked to. A GPO that is
linked nowhere will not apply to any object in
AD. Usually, you will put computers and users in OUs that make sense
for your organization, then link appropriate GPOs to them. The text
also discusses how GPOs relate to security policy in your environment.
It portrays security policies as rules that apply to some or all of
your users and computers. It explains that some default GPO settings
may meet some or all of your organization's rules. If so, there would
be no immediate need to create more GPOs. On the other hand, you are
likely to find that some rules must be applied to particular users,
which means that those users should be placed in an appropriate OU, and
that a GPO should be created and linked to that OU so that its rules
can apply to the users.
To make the situation more flexible, page 115 explains that
the scope of a GPO can be set at four levels:
local GPOs - these
apply only to a local computer
site GPOs - these
are defined in AD, and they apply to a
site (an AD object representing a physical location, defined by the IP
subnets assigned to it; a site is not an OU)
domain GPOs - these
are also defined in AD, and they are
for rules that apply across an entire domain
OU GPOs - defined in AD, they hold rules
that apply within a particular OU
The text wants us to know that if GPOs exist at each of the
above levels, they are evaluated in the order local, site, domain, then OU GPOs (LSDOU). GPOs at each evaluation
level can override GPOs at a previous evaluation level, so when two GPOs set
the same value, the one applied last (closest to the object) wins. Two
exceptions matter when troubleshooting: a link marked Enforced wins over
links applied after it, and an OU with Block Inheritance refuses GPOs from
above it unless they are Enforced.
To make things more complicated, Windows can (and does) save
some policy settings in the Registry,
its famously dangerous database. They are under HKEY_CURRENT_USER or
HKEY_LOCAL_MACHINE, mostly beneath the Software\Policies keys. Note that the user settings apply to the user, but
the machine settings apply to all users who might use the computer
having the setting. The text gives us some brief instructions about two
editor tools for settings in the Registry.
On page 117, the text gives you instructions to open the Local Group Policy Editor,
gpedit.msc. (You will probably need administrative rights to do so.)
This is the recommended tool
to view and edit local policies; Windows writes the resulting settings into the Registry for you.
The text also discusses editing Group Policy settings with the Registry Editor,
regedit.exe. It is not as user friendly as the Group Policy Editor, and a
value you change there by hand will be overwritten at the next policy
refresh if a GPO controls it. In
fact, the Microsoft help desk has been known to refuse service to
callers who admit to having used the Registry Editor to change settings.
The text moves on to an editor with
a larger scope on page 120. The Group
Policy Management Console (GPMC)
is run on a domain controller to set policies that are stored in Active
Directory. Again, you need to do this with an ID with sufficient
rights. As explained earlier, when a user logs in to a domain, the
system finds GPOs that apply to that user, computer, or OU containing
either, and sends them to that computer. The computer also checks for
changes or new GPOs in AD at regular time intervals.
On page 123, the text repeats the information it
gave us earlier in a stricter form, telling us that an AD GPO won't do
anything until it is linked to a container.
This is not totally accurate, but it is reasonable. You make a policy
in AD to apply it to more than one object, so it makes sense to link
the policy to a container that holds all of the objects you want to
affect. To make things flexible again, the text mentions that a
container can have multiple GPOs linked to it, and that a GPO can be
linked to multiple containers. This makes sense as well, since you may
want to affect the objects in several containers with one GPO, but you
may want each of those containers to be controlled by a specific
version of another GPO. The text explains that linking a GPO to a
container is easy:
In the GPMC,
right-click a container (a site, a domain, or an OU).
Select "Link an Existing GPO...".
Find and click the desired GPO, then click OK.
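The whole sequence discussed in this chapter so far (create a GPO, give it registry-backed machine and user settings, link it to an OU, and push it to the computers instead of waiting up to 120 minutes for the pull) done from the shell, as an added example of mine rather than anything from the textbook or Microsoft's documentation. It needs the GroupPolicy and ActiveDirectory modules (RSAT or a domain controller) and an account allowed to create and link GPOs. The GPO name, OU, and domain are assumptions.

```powershell
# Added example, not from the textbook: create, populate, link, and push a GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'SEC-Workstation-Baseline'                 # assumed name
$TargetOU = 'OU=Workstations,DC=corp,DC=example'        # assumed OU and domain

# 1. Create the GPO. It now exists in AD but is linked nowhere, so it applies to nothing.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Chapter 5/6 baseline' }

# 2a. Machine setting: keep Defender's real-time protection (the "shield") on.
#     It lands under HKLM\SOFTWARE\Policies on every computer in scope, so it
#     affects every user of that computer; a local admin who flips it off loses
#     the argument at the next refresh.
Set-GPRegistryValue -Name $GpoName -Type DWord -Value 0 `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' `
    -ValueName 'DisableRealtimeMonitoring' | Out-Null

# 2b. User setting: show file extensions, so report.docx.exe looks like what it is.
#     It lands under HKCU for each user who logs on to a computer in scope. This
#     key is outside the Policies branch, so it "tattoos": unlinking the GPO
#     later does not put the old value back.
Set-GPRegistryValue -Name $GpoName -Type DWord -Value 0 `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -ValueName 'HideFileExt' | Out-Null

# 3. Link it to the OU (the GUI's "Link an Existing GPO..."). Link order 1 means
#    it is applied last among this OU's links and so wins conflicts within the OU.
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -Enforced No | Out-Null
}
Set-GPLink -Name $GpoName -Target $TargetOU -Order 1 | Out-Null

# 4. Push: schedule gpupdate on every computer in the OU right now instead of
#    waiting for the 90-120 minute pull. This is what Remote Group Policy Update
#    in the GPMC does under the hood.
Get-ADComputer -SearchBase $TargetOU -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Target Computer -RandomDelayInMinutes 0 -Force
}
# On one client you can do the same thing locally:  gpupdate /target:computer /force

# 5. Verify on a client: the machine setting should now be in the registry.
# Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableRealtimeMonitoring
```

Step 2b is there to make the registry point concrete: a setting under HKCU follows the user, a setting under HKLM follows the machine, and a Registry policy that writes outside Software\Policies stays behind when the GPO goes away.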
On page 124, the text reminds us of the order in which the four
mentioned types of GPOs are applied to objects. The list is repeated,
so let's vary it a bit:
local GPOs affect
only one computer and the users on it
site GPOs override local GPOs
domain GPOs override site and local GPOs
OU GPOs override domain, site, and local GPOs (and a GPO linked to a
child OU overrides one linked to its parent)
The text cautions us to remember this because troubleshooting
often involves working out why a GPO is not having the desired effect. Plan your AD
structure to work with as few GPOs as you can.
The next concept seems to be inheritance, but it is not really
about that. The text tells us that a GPO that is linked to an OU will
be applied to all user and
computer objects in that OU. The point is that you may want to block
that GPO for some objects, so you can use a security filter to do so, but not in the way
you might think. The text offers a process on page 125 to create a
security filter for a GPO linked to an OU. The most important part of
the process is the user or group you add to the filter. That is the
user or group the policy will
apply to. The filter is an allow
filter, not a deny filter. The lesson is clearer in this video from
In the video, you should see that the process is simple. You
should also see the lesson in the Warning
box on page 125. That lesson is that there will be a group added
to the filter by default. The group is Authenticated
Users. This means that the GPO would apply to any user who has
authenticated to AD, which is a lot more users than you probably meant
to benefit from the GPO. Follow the advice in the text and the video:
remove this group from the Security Filtering list, then add the group you
actually want. One caveat the text does not mention: removing Authenticated
Users from Security Filtering also removes its Read permission on the GPO.
Since the security update MS16-072 (June 2016), a computer retrieves user
policy in its own security context, so if the computer account cannot read
the GPO, the GPO's user settings silently never apply. On the Delegation
tab, give Authenticated Users (or Domain Computers) Read permission, without
Apply, after you remove it from the filter.
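The security-filtering change from the shell, including the Read permission the text's procedure leaves out, as an added example of mine (not from the textbook or the video). The GPO and group names are assumptions; it requires the GroupPolicy module and edit rights on the GPO.

```powershell
# Added example, not from the textbook: scope a GPO to one group with
# security filtering, and keep it readable by the computers that apply it.
Import-Module GroupPolicy
$GpoName = 'SEC-Sales-Restrictions'   # assumed: already linked to the Sales OU
$Group   = 'Sales Users'              # assumed: the only people who should get it

function Show-GpoScope {
    param([string] $Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
        Format-Table -AutoSize
}
Show-GpoScope $GpoName   # default: Authenticated Users has GpoApply, so everyone in the OU gets it

# 1. Remove Authenticated Users from Security Filtering. -Replace makes "None"
#    strip the existing permissions instead of adding to them. This drops Read too.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# 2. Add the group the policy is for. GpoApply = Read + Apply Group Policy, which
#    is exactly what "Add" in the Security Filtering box grants. Allow, not deny.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Give Read (not Apply) back to Authenticated Users. Since MS16-072 the computer
#    fetches user settings in its own security context; if the computer account
#    cannot read the GPO, its User Configuration never applies and nothing says why.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Verify the end state: Apply only for the intended group, Read for everyone.
function Test-GpoScope {
    param([string] $Name, [string] $ApplyGroup)
    $perms    = Get-GPPermission -Name $Name -All
    $appliers = @($perms | Where-Object Permission -eq 'GpoApply' | ForEach-Object { $_.Trustee.Name })
    $authRead = $perms | Where-Object {
        $_.Trustee.Name -eq 'Authenticated Users' -and
        $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    }
    [pscustomobject]@{
        AppliesTo              = $appliers -join '; '
        OnlyIntendedGroup      = ($appliers.Count -eq 1 -and $appliers[0] -eq $ApplyGroup)
        AuthenticatedUsersRead = [bool] $authRead
    }
}
Test-GpoScope -Name $GpoName -ApplyGroup $Group
```

If OnlyIntendedGroup comes back false, someone else still has Apply; if AuthenticatedUsersRead comes back false, the user half of the GPO will not reach anyone, no matter what the filter says.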
On page 126, the text presents another kind of filter that is more
powerful than a Security Filter. A Windows Management Instrumentation
(WMI) filter can check features of devices and apply a GPO only if the
desired feature is present. In the example in the text, we see a filter
that only applies the GPO if a computer is running a particular version
of Windows 7. Page 128 presents a procedure to create a WMI filter in
the GPMC utility.
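A WMI filter is just a WQL query that Group Policy processing runs on the client at every refresh; if the query returns at least one object, the GPO applies. Before creating the filter in the GPMC, it pays to run the query on a representative machine and see what it returns. The function below does that (an added example of mine, not from the textbook); the queries are examples, and the first one is the text's Windows 7 case, since Windows 7 reports version 6.1.

```powershell
# Added example, not from the textbook: test candidate WMI-filter queries locally.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'       # the namespace the GPMC offers by default
    )
    # A query that errors is reported as "would not apply", which is how a
    # broken WMI repository shows up in the field: the GPO just stops arriving.
    $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Query      = $Query
        Matches    = $hits.Count
        WouldApply = $hits.Count -gt 0
    }
}

$queries = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%"'                      # Windows 7 / Server 2008 R2
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = 1'  # Windows 10/11 workstations
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'                          # domain controllers only
    'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'                          # laptops (mobile chassis)
    'SELECT * FROM Win32_ComputerSystem WHERE PartOfDomain = TRUE'                       # domain-joined machines
)
$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-Table -AutoSize
```

Two things to keep in mind when you move a query into a real filter: it runs on every computer at every refresh, so keep it cheap, and a version string match like "10.%" also catches Windows 11, which still reports itself as 10.0.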
Page 128 also describes using the Group Policy Update
tool to push new or changed GPOs when you must do so. Group Policy
Update (gpupdate.exe) is a command line utility, so it is not very
pretty. For more information on it, follow this link to a Microsoft article about its use.
The chapter concludes with two tools that can be used to audit the policies in a system.
Group Policy Inventory - This older tool could be downloaded from Microsoft. Its filename is gpinventory.exe. It is meant to take an inventory of GPOs in your system. Its output can be opened in Excel. (The Get-GPO and Get-GPOReport cmdlets in the GroupPolicy PowerShell module cover the same ground today.)
Resultant Set of Policy (RSOP) - This is a utility that
tells you the combined effect of all the policies that apply to a particular
user on a particular computer, after the LSDOU order, filters, and overrides
have been worked out. Its filename is rsop.msc; gpresult.exe reports the same
information at the command line.
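The same two audits (an inventory of every GPO, and the resultant policy for one user on one computer) done with the GroupPolicy module, as an added example of mine and not the textbook's, so the result can be opened in Excel or kept under version control. The output folder and the sample computer and user are assumptions.

```powershell
# Added example, not from the textbook: GPO inventory and RSoP from PowerShell.
Import-Module GroupPolicy
$Out = 'C:\GPAudit'                                   # assumed output folder
New-Item -ItemType Directory -Path $Out -Force | Out-Null

function Get-GpoInventory {
    foreach ($g in Get-GPO -All) {
        [xml] $report = Get-GPOReport -Guid $g.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })    # empty when linked nowhere
        $perms = Get-GPPermission -Guid $g.Id -All
        [pscustomobject]@{
            Name             = $g.DisplayName
            Id               = $g.Id
            Status           = $g.GpoStatus               # AllSettingsEnabled, UserSettingsDisabled, ...
            Modified         = $g.ModificationTime
            LinkCount        = $links.Count               # 0 = applies to nothing
            LinkedTo         = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            EnforcedLinks    = @($links | Where-Object { $_.NoOverride -eq 'true' }).Count
            WmiFilter        = $g.WmiFilter.Name
            AppliesTo        = ($perms | Where-Object Permission -eq 'GpoApply' |
                                    ForEach-Object { $_.Trustee.Name }) -join '; '
            # Approximation of "can the computers read it": Domain Computers could
            # carry the Read instead, so treat a false here as something to check.
            AuthUsersCanRead = [bool] ($perms | Where-Object {
                $_.Trustee.Name -eq 'Authenticated Users' -and
                $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity' })
        }
    }
}

$inventory = Get-GpoInventory
$inventory | Export-Csv -Path "$Out\gpo-inventory.csv" -NoTypeInformation   # opens in Excel

# The findings an auditor actually wants: GPOs that reach nobody, and GPOs whose
# user settings will silently fail because the computer cannot read them.
$inventory | Where-Object { $_.LinkCount -eq 0 -or -not $_.AppliesTo } |
    Format-Table Name, LinkCount, AppliesTo -AutoSize
$inventory | Where-Object { -not $_.AuthUsersCanRead } |
    Format-Table Name, AppliesTo -AutoSize

# Keep every GPO's full settings as HTML so changes can be diffed over time.
foreach ($g in Get-GPO -All) {
    $safeName = $g.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $g.Id -ReportType Html -Path (Join-Path $Out "$safeName.html")
}

# Resultant Set of Policy for one user on one computer: what rsop.msc shows,
# with LSDOU order, enforcement, blocking, and both kinds of filter resolved.
Get-GPResultantSetOfPolicy -Computer 'WS01' -User 'CORP\jdoe' `
    -ReportType Html -Path "$Out\rsop-WS01-jdoe.html"            # assumed computer and user
# Locally, on the client itself:  gpresult /r   (or gpresult /h rsop.html)
```

When a GPO "is not having the desired effect", the RSoP report is the place to start: it names the winning GPO for each setting, and it lists the GPOs that were denied, along with the reason (security filtering, WMI filter, disabled link, or blocked inheritance).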
Assignments for these chapters will be found in Canvas. We will explore
that in class.