Security Strategies in Windows...
Chapters 7 and 8
This lesson presents an introduction to Windows security tools and
backup features. Objectives important to this lesson:
Microsoft Baseline Security Analyzer
Shavlik security analyzers
Windows audit tools
OS and application backup
Backup and recovery for business continuity
Backup and restore utility
Total restores and VMs
The chapter opens with a repetition of the CIA message, then it transitions
to a new topic that requires two new words.
baselining - A baseline,
in the context of this chapter, is a summary of the configuration of
a computer. The process of recording the various settings is baselining.
profiling - The text points out that it is useful to have a baseline
for a secure computer, and another
one for an insecure (unsecured?)
computer, and that each can be compared to the current baseline of a computer
you suspect to have problems. Making comparisons of this type is what
the text calls profiling.
The text recommends using profiling as a means to find differences between
systems, which can lead to finding problems with the systems that are different
from normal baselines or similar to compromised baselines.
So, assuming we have a baseline of one type or the other, the text recommends
using Microsoft's Security Configuration
and Analysis (SCA) tool.
You can use it to compare the settings on a server to the settings stored
in a security template. You can
also push the settings in a template onto the server where you are running
the SCA tool.
That's cool, but you can't really do any profiling unless you have a
baseline. The text tells us that the tool we will use for profiling expects
the baseline to be saved in a text file called a security
template. Okay, where are those hidden? Windows Server used to
come with some, but not any more, so you need to make your own, which
is not a bad thing. A template based on Microsoft's definitions would
probably not match the way you run a server, so you are meant to make
your own template.
Still in the MMC console, open the Security Templates object.
Select the folder that appears. It will be the folder where
you will keep baseline files.
Right click the folder and select New Template.
Name the new template file. It will appear in the Console
of MMC, and it will have several nested objects inside it. It should
look like the illustration on page 139. The video below shows how
to do this and how to use the SCA tool to compare the settings on
a running computer to those saved in the template you select. Watch
the video, and run through the exercise in it.
So, assuming we have a baseline of one type or the other (a good one
or a bad one), the text recommends using Microsoft's Security
Configuration and Analysis (SCA)
tool to profile the computer (typically a server). Compare the instructions
on page 139 to those in the video above. Note that both have you create
a database of settings that correspond to the settings of the running
computer. This is different from the settings saved in a template: you
can manipulate the settings in the database while you are comparing
it to a template, and you can push the settings currently in the
database to the live computer.
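The profiling described above can also be done from the command line with secedit, the tool behind the SCA snap-in. This is an added example, not from the textbook or the video: the working folder, the baseline template values and the drive paths are assumptions, and the export and analyze steps need an elevated prompt.

```powershell
# Added example (not from the textbook): profile a running computer against a
# baseline security template with secedit, the command-line counterpart of SCA.
# The working folder, template values and paths are assumptions.
$work = Join-Path $env:TEMP 'profiling'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# A minimal "good" baseline template, constructed inline for the demonstration.
# Real templates are much larger; these keys belong to the [System Access] area.
$template = Join-Path $work 'baseline.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 5
'@ | Set-Content -Path $template -Encoding Unicode

# 1. Export the live local policy of this computer to an INF of the same format.
$current = Join-Path $work 'current.inf'
secedit /export /cfg $current /quiet | Out-Null

# 2. Read the [System Access] section of an INF file into a hashtable.
function Get-SystemAccess([string]$Path) {
    $map = @{}; $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*?)\s*$') { $map[$Matches[1]] = $Matches[2] }
    }
    return $map
}

# 3. Profile: report every baseline setting the live computer does not match.
$want = Get-SystemAccess $template
$have = Get-SystemAccess $current
foreach ($key in $want.Keys) {
    $status = if ($have[$key] -eq $want[$key]) { 'OK      ' } else { 'MISMATCH' }
    '{0} {1}: baseline={2} current={3}' -f $status, $key, $want[$key], $have[$key]
}

# 4. The SCA "analyze" step itself, using a database built from the template.
#    "secedit /configure" with the same /db and /cfg arguments would push the
#    template onto this computer, which is the second SCA operation the text mentions.
$db = Join-Path $work 'baseline.sdb'
secedit /analyze /db $db /cfg $template /log (Join-Path $work 'analyze.log') /quiet
```

The mismatch lines are the profile; the analyze.log written in step 4 holds the full per-area comparison that the SCA snap-in shows graphically.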
On page 142, the text discusses another tool, the Microsoft
Baseline Security Analyzer (MBSA).
The text is a bit out of date. There is a newer
version of the program than the one discussed, one that covers
Windows 8 and Server 2012. It has a promising name, but it has a limited
focus. Its purpose is only to scan a computer to see if it is missing
one of three kinds of updates: security updates,
service packs, and update rollups. The link in the previous sentence
goes to a page in Wikipedia that explains that the tool is no longer supported
by Microsoft, and has not been updated for current versions of Windows
or Server. That makes the material on pages 142 through 147 a waste of
The section on Shavlik tools is also dated. The company was purchased
by a company that was purchased by another company. At this time (late
September, 2018) the products described in the text belong to Ivanti.
Follow the link above to see their offerings, which seem to be concerned
with patch management, like the Shavlik products described in the text.
There does not appear to be a home version at this time nor a free one.
The section of the text on Secunia products is also obsolete. This
article from April of 2018 explains that the Flexera company
bought Secunia and discontinued their products. That is too bad.
The point of their products was to find updates for your applications
as well as for your operating system. The article provides a better view
of current choices to replace Secunia Personal Software Inspector (PSI).
Two are recommended; however, there are problems.
The free version of SUMo
found only 36 updates out of the 96 that PSI found on the tester's system,
and it does not perform updates.
The only other competitor the tester mentions is Patch
My PC Home Updater, which found only 16 of the updates that
PSI found. It will update the programs for you, but it did not do a
very good job of identifying necessary updates in the test.
That takes us to the Microsoft Windows Security Audit section starting
on page 155. The first two pages are a pep talk about checking whether
your security settings are in keeping with your security policy. The text
talks about setting a baseline, comparing the current state to it, and
taking action as needed. On page 157, we see a list of programs that can
be useful to do this.
The first two items in the list are just SCA again.
The third and fourth items are the discontinued MBSA.
The rest of the items are not much help. We will have a short assignment
this week to find and share something about this topic with the class.
Chapter 8 addresses the topics of backup and recovery in
terms of tools that can be used to perform those tasks. It refers to the
programs and data you are actively using as your primary copies
of those objects, and your backup copies of them as your secondary
copies. The word "copy" in the case of the primary copy
does not mean a duplicate, since it is your original, working version.
Page 163 begins a list of errors and incidents that would cause you to
restore from a copy of your software or your data. Among them are hardware
and software errors, viruses and malware, user
errors, hacker actions, and environmental disasters. The
text proposes that you have two alternatives when data is lost: reconstruction
or recovery. Reconstruction generally means reentry of data from paper
records, or reentry from saved transaction records. Neither is often available
as a choice in current systems, so recovery from a backup becomes the
best and only choice.
Planning a backup strategy is introduced on page 165, where the
text asks some questions that may not have occurred to you.
What are we going to back up? A set of files and folders
whose names we know? The contents of defined volumes? A list that
changes every time, due to our changing data storage?
Where are the backup copies written, stored, and located? What
format are they stored in? Are we using media that have to be
attended in order to make the backup or to perform the restore?
What is the naming protocol for the backups? Do the names incorporate
dates? Dates of the backup, or dates related to the data?
How will you protect the CIA concepts regarding the
How often will backups be created? How long will a backup
be stored before it is erased/overwritten?
Will you create backups that go back days, weeks, or months? What
are the physical requirements to meet your goals?
Regarding recoveries/restorations, the text offers some
considerations as well.
How long will it take to restore everything, in the case of
a total loss?
How long will it take to restore only a selection of files?
What will be lost if we restore some things or everything?
Is the restored material useful as is, or must it be considered
just historical data?
How much data are we comfortable losing, as we expect to happen
if we do not back up everything all the time?
The text discusses some options for backing up workstations and servers.
In Windows, there are built-in options on both platforms.
Workstations - The text only discusses doing backups for Windows
7 workstations. The good news is that the utility to do that went away
in Windows 8, but it returned in Windows 10. This
article discusses using both the Windows 7 and Windows 10 utilities,
as well as other Windows features that the text does not cover. This
PC World article from July 2018 reviews several products
that are available from other vendors.
Servers - The text makes a good point that the nature of a
server (e.g. file server, web server, database server) makes a difference
in the actual material you will want to back up from it. The nature
of the OS version also makes a difference in what utilities will be
available/included with that OS. The text offers short procedures
for installing and running the Windows Server Backup program on Server
2008 (page 173). This
article covers the same topics for Server 2016. A web search
will show you any number of vendors proclaiming that their solution
is better, faster, easier to use than Microsoft's solution.
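The planning questions above (what, where, how often) map directly onto a Windows Server Backup policy. This is an added example, not the textbook's procedure: it uses the WindowsServerBackup PowerShell module that ships with Server 2012 and later, and the drive letters and schedule are assumptions.

```powershell
# Added example (not from the textbook): build and register a scheduled backup
# policy with the WindowsServerBackup module. Drive letters and the schedule
# are assumptions; the Windows Server Backup feature must be installed.
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# WHAT to back up: the system volume plus bare-metal-recovery and system-state
# data, so the "hardware died" case can be recovered without rebuilding by hand.
$sysVol = Get-WBVolume -VolumePath 'C:'
Add-WBVolume -Policy $policy -Volume $sysVol
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy

# WHERE it goes: a dedicated local disk keeps multiple versions; a network
# share (New-WBBackupTarget -NetworkPath) keeps only the most recent backup,
# which matters for the "how far back" question in the planning list.
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# HOW OFTEN: one run every night at 23:00 (several times may be listed).
Set-WBSchedule -Policy $policy -Schedule 23:00

# Review the assembled policy, then register it; this creates the scheduled job.
$policy
Set-WBPolicy -Policy $policy -Force

# Afterwards, Get-WBPolicy shows the active policy and Get-WBSummary the last
# and next backup times, which is the evidence the audit section asks for.
Get-WBSummary
```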
The text also discusses using network drives and cloud
drives as the media for your regular backups. A cloud service,
or an Internet service (is there a difference?), raises the question
considered above: are the elements of CIA being observed by the vendor
holding our data?
On page 178, the text begins discussing the use of backup copies as part
of a disaster recovery method. For this discussion, the difference between
a hot site, a warm site, and a cold site is the currency of the data available
at that site and how long it will take to make that data available.
Page 180 introduces using the Windows Backup and Restore utility to perform
a restoration. Most often, this will be done for a selection of files,
not for a full restore. Likewise, the Windows Server Recovery Utility
shown on page 181 considers what to do for a server needing only a partial
Page 183 describes a situation in which you have backups of data, but
your hardware died, causing you to obtain new hardware and install Windows
before the backup can be of any use. The suggested steps, after installing
the new hardware are:
Install the OS, including patches. This assumes you will have access
to the Internet or media containing those patches.
Configure the OS to match the baseline you were using. This may be
done in step 1.
Install software needed to perform the restore, and software needed
to use the data you will be restoring.
Restore the data.
Other options exist to create a backup that includes all the software
and data on a device. The student should explore that option. Installing
from an image file created in that way is a lot like installing an OS
on a virtual machine. It will often include various applications that
the actual OS does not contain.
Assignments for these chapters will be found in Canvas. We will explore
that in class.