ITS 3250 - Securing Systems

Security Strategies in Windows...
Chapters 7 and 8

This lesson presents an introduction to Windows security tools and backup features. Objectives important to this lesson:

  1. Profiling security
  2. Microsoft Baseline Security Analyzer
  3. Shavlik security analyzers
  4. Secunia analyzers
  5. Windows audit tools

  6. OS and application backup
  7. Backup techniques
  8. Backup and recovery for business continuity
  9. Backup and restore utility
  10. Total restores and VMs
Concepts:
Chapter 7

The chapter opens with a repetition of the CIA message, then it transitions to a new topic that requires two new words.

  • baselining - A baseline, in the context of this chapter, is a summary of the configuration of a computer. The process of recording the various settings is baselining.
  • profiling - The text points out that it is useful to have a baseline for a secure computer, and another one for an insecure (unsecured?) computer, and that each can be compared to the current baseline of a computer you suspect to have problems. Making comparisons of this type is what the text calls profiling.
The text recommends using profiling as a means to find differences between systems, which can lead to finding problems with the systems that are different from normal baselines or similar to compromised baselines.

So, assuming we have a baseline of one type or the other, the text recommends using Microsoft's Security Configuration and Analysis (SCA) tool. You can use it to compare the settings on a server to the settings stored in a security template. You can also push the settings in a template onto the server where you are running the SCA tool.

That's cool, but you can't really do any profiling unless you have a baseline. The text tells us that the tool we will use for profiling expects the baseline to be saved in a text file called a security template. Okay, where are those hidden? Windows Server used to come with some, but not anymore, so you need to make your own, which is not a bad thing. A template based on Microsoft's definitions would probably not match the way you run a server, so you are meant to make your own template.

    1. Open the MMC console on your server.
    2. Add the Security Templates snap-in and the Security Configuration and Analysis snap-in to the Microsoft Management Console on your server.
    3. Still in the MMC console, open the Security Templates object. Select the folder that appears. It will be the folder where you will keep baseline files.
    4. Right click the folder and select New Template.
    5. Name the new template file. It will appear in the Console of MMC, and it will have several nested objects inside it. It should look like the illustration on page 139. The video below shows how to do this and how to use the SCA tool to compare the settings on a running computer to those saved in the template you select. Watch the video, and run through the exercise in it.
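The same baselining and profiling steps can be scripted with secedit, the command-line counterpart of the SCA snap-in. This is an added example, not from the textbook or the video; the folder and template file names are assumptions, and the script only analyzes, it does not change the server.

```powershell
# Added example (not from the textbook): baseline a server, then profile it
# against a known-good security template with secedit. Run from an elevated
# PowerShell prompt. Paths are assumptions; point $template at the .inf you
# built with the Security Templates snap-in.

$work     = 'C:\Baselines'                    # assumption: folder for templates and databases
$template = Join-Path $work 'known-good.inf'  # assumption: the template you created in MMC
$db       = Join-Path $work 'profile.sdb'     # analysis database, same idea as in the snap-in
$log      = Join-Path $work 'profile.log'

New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Baselining: record the current configuration. The .inf written here is the
#    same format the Security Templates snap-in reads, so it can be kept as the
#    "known-good" or "known-compromised" baseline for later comparisons.
$current = Join-Path $work "current-$(Get-Date -Format yyyyMMdd).inf"
secedit /export /cfg $current /quiet

# 2. Profiling: load the template into an analysis database and compare the
#    live machine against it. /analyze reports differences without applying them.
secedit /import /db $db /cfg $template /overwrite /quiet
secedit /analyze /db $db /cfg $template /log $log /quiet

# 3. Show only the settings that differ from the template. Each mismatch is a
#    candidate for investigation (or for a push with secedit /configure /db,
#    which is the scripted form of the snap-in's "Configure Computer Now").
Get-Content $log | Select-String -Pattern 'Mismatch'
```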

So, assuming we have a baseline of one type or the other (a good one or a bad one), the text recommends using Microsoft's Security Configuration and Analysis (SCA) tool to profile the computer (typically a server). Compare the instructions on page 139 to those in the video above. Note that both have you create a database of settings that correspond to the settings of the running computer. This is different from the settings saved in a template: you can manipulate the settings in the database while you are comparing it to a template, and you can push the settings currently in the database to the live computer.

On page 142, the text discusses another tool, the Microsoft Baseline Security Analyzer (MBSA). The text is a bit out of date. There is a newer version of the program than the one discussed, one that covers Windows 8 and Server 2012. It has a promising name, but it has a limited focus. Its purpose is only to scan a computer to see if it is missing one of three kinds of updates: security updates, service packs, and update rollups. The link in the previous sentence goes to a page in Wikipedia that explains that the tool is no longer supported by Microsoft, and has not been updated for current versions of Windows or Server. That makes the material on pages 142 through 147 a waste of time.

The section on Shavlik tools is also dated. The company was purchased by a company that was purchased by another company. At this time (late September, 2018) the products described in the text belong to Ivanti. Follow the link above to see their offerings, which seem to be concerned with patch management, like the Shavlik products described in the text. There does not appear to be a home version at this time nor a free one.

The section of the text on Secunia products is also obsolete. This article from April of 2018 explains that the Flexera company bought Secunia and discontinued their products. That is too bad. The point of their products was to find updates for your applications as well as for your operating system. The article provides a better view of current choices to replace Secunia Personal Software Inspector (PSI). Two are recommended; however, there are problems.

  • The free version of SUMo found only 36 updates out of the 96 that PSI found on the tester's system, and it does not perform updates.
  • The only other competitor the tester mentions is Patch My PC Home Updater, which found only 16 of the updates that PSI found. It will update the programs for you, but it did not do a very good job of identifying necessary updates in the test.

That takes us to the Microsoft Windows Security Audit section starting on page 155. The first two pages are a pep talk about checking whether your security settings are in keeping with your security policy. The text talks about setting a baseline, comparing the current state to it, and taking action as needed. On page 157, we see a list of programs that can be useful to do this.

  • The first two items in the list are just SCA again.
  • The third and fourth items are the discontinued MBSA.
  • The rest of the items are not much help. We will have a short assignment this week to find and share something about this topic with the class.
Chapter 8

Chapter 8 addresses the topics of backup and recovery in terms of tools that can be used to perform those tasks. It refers to the programs and data you are actively using as your primary copies of those objects, and your backup copies of them as your secondary copies. The word "copy" in the case of the primary copy does not mean a duplicate, since it is your original, working version.

Page 163 begins a list of errors and incidents that would cause you to restore from a copy of your software or your data. Among them are hardware and software errors, viruses and malware, user errors, hacker actions, and environmental disasters. The text proposes that you have two alternatives when data is lost: reconstruction or recovery. Reconstruction generally means reentry of data from paper records, or reentry from saved transaction records. Neither is usually available as a choice in current systems, so recovery from a backup becomes the best and only choice.

Planning a backup strategy is introduced on page 165, where the text asks some questions that may not have occurred to you.

  • What are we going to back up? A set of files and folders whose name we know? The contents of defined volumes? A list that changes every time, due to our changing data storage?
  • Where are the backup copies written, stored, and located? What format are they stored in? Are we using media that have to be attended in order to make the backup or to perform the restore?
  • What is the naming protocol for the backups? Do the names incorporate dates? Dates of the backup, or dates related to the data?
  • How will you protect the CIA concepts regarding the stored backups?
  • How often will backups be created? How long will a backup be stored before it is erased/overwritten?
  • Will you create backups that go back days, weeks, or months? What are the physical requirements to meet your goals?

Regarding recoveries/restorations, the text offers some considerations as well.

  • How long will it take to restore everything, in the case of a total loss?
  • How long will it take to restore only a selection of files?
  • What will be lost if we restore some things or everything?
  • Is the restored material useful as is, or must it be considered just historical data?
  • How much data are we comfortable losing, as we expect to happen if we do not back up everything all the time?

The text discusses some options for backing up workstations and servers. In Windows, there are built-in options on both platforms.

  • Workstations - The text only discusses doing backups for Windows 7 workstations. The good news is that the utility to do that went away in Windows 8, but it returned in Windows 10. This article discusses using both the Windows 7 and Windows 10 utilities, as well as other Windows features that the text does not cover. This PC World article from July 2018 reviews several products that are available from other vendors.
  • Servers - The text makes a good point that the nature of a server (e.g. file server, web server, database server) makes a difference in the actual material you will want to back up from it. The OS version also makes a difference in which utilities are included with that OS. The text offers short procedures for installing and running the Windows Server Backup program on Server 2008 (page 173). This article covers the same topics for Server 2016. A web search will show you any number of vendors proclaiming that their solution is better, faster, and easier to use than Microsoft's solution.
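The Windows Server Backup procedure the text gives through Server Manager can also be done from PowerShell on Server 2012 and later. This is an added example, not from the textbook or the linked article; the target drive letter and the schedule times are assumptions, and it answers several of the planning questions above (what, where, how often) in one policy.

```powershell
# Added example (not from the textbook): install Windows Server Backup and
# define a scheduled backup policy with the WindowsServerBackup module.
# Run elevated on Server 2012 or later. The E: target and the times are
# assumptions; choose a volume that is not one of the volumes being backed up.

Install-WindowsFeature Windows-Server-Backup -IncludeManagementTools | Out-Null
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# WHAT to back up: the system volume, plus system state and a bare-metal
# recovery set, so the server can be rebuilt without reinstalling Windows first.
$sysVol = Get-WBVolume -VolumePath $env:SystemDrive
Add-WBVolume -Policy $policy -Volume $sysVol
Add-WBSystemState -Policy $policy
Add-WBBareMetalRecovery -Policy $policy

# WHERE the copies go: a dedicated local volume (assumption: E:). For a
# network share use New-WBBackupTarget -NetworkPath \\server\share instead,
# which raises the confidentiality question the text asks about remote media.
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# HOW OFTEN: twice a day. Older copies on the target are kept until the
# volume fills, which is where "how long before it is overwritten" is decided.
Set-WBSchedule -Policy $policy -Schedule 22:00, 04:00

# A VSS full backup marks files as backed up and lets applications truncate
# their logs; use -VssCopyBackup when another product owns application backups.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Save the policy as the server's scheduled backup, then review what was set.
Set-WBPolicy -Policy $policy -Force
Get-WBPolicy | Format-List
```

An immediate run for testing is `Start-WBBackup -Policy $policy`; check results afterwards with `Get-WBSummary`.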

The text also discusses using network drives and cloud drives as the media for your regular backups. A cloud service, or an Internet service (is there a difference?), raises the question considered above: are the elements of CIA being observed by the vendor holding our data?

On page 178, the text begins discussing the use of backup copies as part of a disaster recovery method. For this discussion, the difference between a hot site, a warm site, and a cold site is the currency of the data available at that site and how long it will take to make that data available.

Page 180 introduces using the Windows Backup and Restore utility to perform a restoration. Most often, this will be done for a selection of files, not for a full restore. Likewise, the Windows Server Recovery Utility shown on page 181 considers what to do for a server needing only a partial restore.

Page 183 describes a situation in which you have backups of data, but your hardware died, causing you to obtain new hardware and install Windows before the backup can be of any use. The suggested steps, after installing the new hardware are:

  1. Install the OS, including patches. This assumes you will have access to the Internet or media containing those patches.
  2. Configure the OS to match the baseline you were using. This may be done in step 1.
  3. Install software needed to perform the restore, and software needed to use the data you will be restoring.
  4. Restore the data.

Other options exist to create a backup that includes all the software and data on a device. The student should explore that option. Installing from an image file created in that way is a lot like installing an OS on a virtual machine. It will often include various applications that the actual OS does not contain.

Assignments

Assignments for these chapters will be found in Canvas. We will explore that in class.