The Web Local
 

 

 

Microsoft Windows – General

 

Group Policy

 

Group Policy supports the management of machines and users in an Active Directory environment. By creating and editing Group Policy Objects (GPOs) that contain the associated policy settings, and linking these GPOs to sets of machines or users, configuration settings can be managed from a central location. In this way an administrator in an Active Directory environment can granularly apply settings to potentially thousands of machines or users.

 

You cannot apply group policy to groups.

The GPOLIST API is called and processes machine settings. It reads machine policy on DC, SITE, DOMAIN, OU and MACHINE, in that order. (See diagram below.)

HKLM\Software\Policies\Microsoft          New key for group policy application
HKLM\Software\Microsoft

gpupdate /force             Forcefully rereads settings. Looks for updated GUIDs and removes locally cached copies.
secedit /refreshpolicy      Windows 2000 command to forcefully reread policy settings.

 

 

Behavioural Modifiers

Ned gets No Help, No Run and No Control Panel.

Bart gets No Help, No Run and No Logon Button.

 

Block Inheritance

Bart now gets Help, Run and Logon Button.

 

No override/Enforce

 

In the Cartoon Town group policy tab select No override.

Bart now gets No Help, but still gets Run and Logon Button because Block Inheritance is selected.

Note: No override only works on the policy it is applied to. If you want everything enforced, it must be set on all policies.

 

Filtering

New user Barney, new group Flanders Users; add Ned to Flanders Users.

GPMC --> Policy --> Security Filtering: add Flanders Users.

Barney now has Control Panel, Ned doesn't.

Policy applies if the user is a member of both the OU and the group. You can filter using groups but cannot link a policy to a group.
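As an added illustration (not part of the original notes), the following Python models how the Ned/Bart/Barney results above follow from link order, Block Inheritance, No override and security filtering. The container layout (Cartoon Town above a Flanders OU and a Simpsons OU, with Bart in his own OU below Simpsons) and the split of settings across GPOs are assumptions chosen to reproduce the notes' outcomes.

```python
# Added example, not Microsoft code: a toy model of GPO resolution. The container
# layout and GPO contents are assumptions chosen to reproduce the notes' outcomes.
from dataclasses import dataclass, field

@dataclass
class GPO:
    settings: dict                       # restriction -> True means "No X"
    enforced: bool = False               # "No override" on this link
    filter_groups: set = field(default_factory=set)  # empty = applies to everyone

@dataclass
class Container:
    gpos: list
    block_inheritance: bool = False
    parent: "Container | None" = None

def resolve(container, user_groups):
    """Links apply top-down so lower links win, except that enforced links from
    higher containers win over everything and ignore Block Inheritance."""
    chain = []                           # top-level container first
    while container is not None:
        chain.insert(0, container)
        container = container.parent
    # Nearest container with Block Inheritance: non-enforced links above it are dropped
    block_from = next((i for i, c in enumerate(chain) if c.block_inheritance), None)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for gpo in c.gpos:
            if gpo.filter_groups and not (gpo.filter_groups & user_groups):
                continue                 # security filtering: user not in the group
            if gpo.enforced:
                enforced.append(gpo)
            elif block_from is None or i >= block_from:
                normal.append(gpo)
    effective = {}
    for gpo in normal + enforced[::-1]:  # highest enforced link applied last
        effective.update(gpo.settings)
    return sorted(k for k, v in effective.items() if v)

def lab(block_inheritance=False, no_override=False, filtering=False):
    # Assumed Cartoon Town lab; returns each user's effective restrictions.
    no_help = GPO({"help": True}, enforced=no_override)
    no_run = GPO({"run": True})
    no_cpl = GPO({"control_panel": True}, filter_groups={"Flanders Users"} if filtering else set())
    no_logon = GPO({"logon_button": True})
    town = Container([no_help, no_run])                    # Cartoon Town
    flanders = Container([no_cpl], parent=town)            # Flanders OU (Ned, Barney)
    simpsons = Container([no_logon], parent=town)          # Simpsons OU
    bart = Container([], block_inheritance, simpsons)      # Bart's own OU
    users = {"Ned": (flanders, {"Flanders Users"}), "Barney": (flanders, set()), "Bart": (bart, set())}
    return {u: resolve(c, g) for u, (c, g) in users.items()}
```

Calling lab() with block_inheritance, no_override and filtering switched on in turn reproduces the four stages of the walkthrough.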

 

Disk Management

BASIC                              DYNAMIC (Windows 2000 +)
Partitions only                    Volumes only
4 primary                          Uses 1 MB of storage on each volume to store
3 primaries, 1 extended            configuration data
1 extended, many logical           NOT on laptops

 

diskpart                        Command line tool for managing disks

diskpart> select disk 0
diskpart> select partition 2
diskpart> extend size=100 disk=0
diskpart> quit

Junction points are links to virtual drives.

You can now extend volumes. You can extend any volume other than the one holding the root directory that contains the boot.ini file.

You can have spanned and striped volumes. Cannot do mirroring!!

Disk Management: select the disk and right click.

You lose 1 MB when creating any new disk, to allow for a possible later conversion to a Dynamic Disk.

 

Permissions

Permissions are the LEAST restrictive of the two. Bart has Full Control because he is a member of the Simpsons group; however, the ACL on the file only gives Simpsons Modify, so Modify is all Bart gets.

Bart gets Modify overall: Modify from the share permissions, Full Control from the ACL, hence Modify is the least restrictive.

 

File Permission Inheritance

Move files on same drive          ACLs stay the same
Copy files on same drive          ACLs inherit from parent
Move between drives               ACLs inherit from parent (= copy and delete)

 

Compression

Files stored on the server use the server's resources to uncompress them when a user accesses them.

Compression is about 4 times.

Zipped is about 9 times.

You can compress or encrypt, not both.

 

Secure Web Services

You attempt to set up a connection with a secure web server. It sends you back a certificate. Internet Explorer has inbuilt public keys belonging to all Trusted Certificate Authorities, and verifies (decrypts) the certificate's signature with the embedded Trusted CA public key on the fly. A session is then set up. If a popup box appears when trying to negotiate https access you should be wary.

 

NTFS Encryption

XP generates a File Encryption Key (FEK) using 3DES symmetric keys. If you encrypt a file with Bart's public key only Bart can decrypt it. If you also encrypt the file with Homer's public key, both can share and access the file. The private key is stored in the user's profile and encrypted with the user's password. Should a user's profile become corrupted, the only way of recovering the file is to use a recovery agent, i.e. the Administrator.

efsinfo - Resource Kit tool that tells you who has encrypted a file and who it belongs to.

 

Boot Process

Tools for Recovery

Last Known Good

Boot Disk

Windows File Protection

System Restore

ASR   

msconfig 

Safe Mode

Recovery Console

Boot Partition Problems

System Partition Problems

Boot Partition Problems

System Partition Problems

Boot Partition Problems

Boot Partition Problems (Shell Console only.)

Boot Partition Problems (Services Load downwards only.)

Boot Partition Problems & System Partition Problems

 

 

Profile Editing

regedt32 --> Load Hive --> navigate to the DC --> select the user profile and edit ntuser.dat --> unload the hive afterwards

 

Recovery Console

Boot from CD
At the Welcome to Setup screen select R
Select the Windows directory
Supply the Admin password
Type HELP for a list of available commands
All files on the CD are compressed and need to be expanded, e.g.
    expand halaacpi.dll_ d:\
    copy d:\halaacpi.dll d:\windows\system32\hal.dll
    exit

Note: the version of the XP CD must match the OS whose files you are updating.

 

MSCONFIG

Diagnostic utility for changing the environment for one boot up only – excellent for troubleshooting.

In the Startup tab deselect items you do not want to start at boot.

In the BOOT.INI tab select /BOOTLOG, which saves the boot information (including errors) to ntbtlog.txt.

 

System Restore

Does not save data, just system settings at the time of the restore point. If you install a .msi product the system automatically saves a restore point before installing.

Strips out dll and exe files on rollback but leaves a lot of files and directories from previous installations, e.g. the Office directory is still present alongside about 80% of its files.

Just designed to keep the machine running.

Note: don't restore before a service pack.

Found in the System Volume Information folder on the root directory under _restore …..

RP0, RP1 to RPn directory numbering structure.

Win XP CD:      winnt32 /cmdcons installs the Recovery Console to c:\cmdcons

 

TCP/IP

Computers A and C receive IP addresses from the DHCP server. If the RFC 1542 compliant router were configured on both sides, B would also. DHCP-enabled computers that do not receive an address assign themselves a 169.254.x.y address; this is due to the Automatic Private IP Addressing (APIPA) scheme.

From Windows 98 R2 the DHCP exchange is:

          Discover --> Offer --> Request --> Acknowledge   (DORA)
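The following Python is an added example (not from the original notes) that builds and decodes minimal DHCP messages so the four DORA steps can be labelled from option 53, an RFC 1542 relay can be recognised from a non-zero giaddr, and a self-assigned APIPA address can be spotted. All addresses and transaction IDs are constructed sample values.

```python
# Added example (not from the notes): build and decode minimal DHCP messages to
# label the DORA steps, spot an RFC 1542 relay (giaddr set) and detect APIPA.
# Addresses and transaction IDs below are constructed sample values.
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Acknowledge"}
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # BOOTP fixed header, 236 bytes

def build_dhcp(msg_type, xid, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Minimal DHCP message: BOOTP header, magic cookie, option 53, end."""
    op = 1 if msg_type in (1, 3) else 2             # BOOTREQUEST from client, BOOTREPLY from server
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                      ipaddress.ip_address(yiaddr).packed, b"\0" * 4,
                      ipaddress.ip_address(giaddr).packed,
                      b"\xaa" * 6 + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_dhcp(pkt):
    """Return (DORA step, xid, offered address, relay agent address)."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = struct.unpack_from(HEADER, pkt)
    xid, yiaddr, giaddr = fields[4], fields[8], fields[10]
    msg_type, opts, i = None, pkt[240:], 0
    while i < len(opts) and opts[i] != 255:           # walk TLV options to End (255)
        if opts[i] == 0:                              # Pad option has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return (MESSAGE_TYPES.get(msg_type, "other"), xid,
            str(ipaddress.ip_address(yiaddr)), str(ipaddress.ip_address(giaddr)))

def is_apipa(ip):
    """True for 169.254.x.y: the client gave up on DHCP and self-assigned."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network("169.254.0.0/16")

def dora_exchange(relay="0.0.0.0"):
    """Constructed four-message exchange; relay != 0.0.0.0 models the RFC 1542
    router forwarding on behalf of computer B."""
    xid, lease = 0x3903F326, "192.0.2.10"
    pkts = [build_dhcp(1, xid, giaddr=relay), build_dhcp(2, xid, lease, relay),
            build_dhcp(3, xid, giaddr=relay), build_dhcp(5, xid, lease, relay)]
    return [parse_dhcp(p)[0] for p in pkts]
```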

 

Software Restrictions

gpedit.msc --> Local Computer Policy --> Windows Settings --> Security Settings --> Software Restrictions --> right click --> Create New

Select the .exe file to restrict or allow – this is done by adding a new hash rule.

You CAN circumvent these rules by using the following workaround:

Open a command prompt: echo h >> nmap.exe, or open the file using notepad etc.

You may also get this to work on Windows File Protection files by amending the SFCDisable value in the registry, as by default all Windows protected files are automatically replaced if corrupted, lost, deleted etc.

 

Remote Installation Services

 

 

Second F12 press triggers the TFTP server (UDP 69), which copies down the Client Information Wizard (CIW).

Add/Remove Programs and add in RIS.

Configuration of RIS is done in Active Directory (Active Directory Users and Computers, right click, Properties on the DC box should have a RIS tab).

Note: the DHCP server needs to be authorised in Active Directory.

Note: the RIS server needs to be authorised in Active Directory.

RIPREP           Strips out machine uniqueness, then asks for the RIS server location and sends the image to SIS on the RIS server. This is not a ghost file. Point to point installation only, so a lot of bandwidth is required. Will not be able to carry out integration.

 

VPN

Phase
1          Connection established with Point to Point Protocol
2          Encrypted with Point to Point Tunnelling Protocol (MS Point to Point Encryption)
           or Layer 2 Tunnelling Protocol (IPSEC)
3          Authentication
           PAP        Password Authentication Protocol
           SPAP       Shiva Password Authentication Protocol
           CHAP       Challenge Handshake Authentication Protocol
           MSCHAP     MS CHAP (Reversible Encryption)
           MSCHAPv2   (Mutual Authentication)
           EAP        Extensible Authentication Protocol

Note: least secure PAP to most secure EAP.
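To make the PAP-versus-CHAP ranking concrete, the following Python is an added example (not from the original notes): a small server that speaks both, recording every message so the eavesdropper's view of the link can be compared. It implements RFC 1994 CHAP with MD5; the username and secret are constructed sample values.

```python
# Added example (not from the notes): what an eavesdropper on the link sees with
# PAP versus CHAP (RFC 1994, MD5), which is why the notes rank PAP least secure.
# Usernames and secrets are constructed sample values.
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """RFC 1994 response: MD5(Identifier || secret || Challenge). The secret
    itself never crosses the link; only this one-time hash does."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Server:
    """Holds user secrets; speaks PAP or CHAP. `wire` records every message
    exchanged so the two protocols can be compared."""
    def __init__(self, users):
        self.users, self.pending, self.wire = users, {}, []

    def pap_login(self, name, password):
        self.wire.append(("PAP Authenticate-Request", name, password))  # cleartext
        return self.users.get(name) == password

    def chap_challenge(self, ident):
        challenge = os.urandom(16)
        self.pending[ident] = challenge            # one challenge per Identifier
        self.wire.append(("CHAP Challenge", ident, challenge))
        return challenge

    def chap_verify(self, ident, name, response):
        self.wire.append(("CHAP Response", name, response))
        challenge = self.pending.pop(ident, None)  # each challenge usable once
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def leaked_secrets(server):
    """Secrets visible verbatim on the recorded wire (the eavesdropper's view)."""
    return [m[2] for m in server.wire if m[2] in server.users.values()]

def demo():
    srv = Server({"bart": b"eat-my-shorts"})
    pap_ok = srv.pap_login("bart", b"eat-my-shorts")
    chal = srv.chap_challenge(1)
    resp = chap_response(1, b"eat-my-shorts", chal)
    chap_ok = srv.chap_verify(1, "bart", resp)
    replay_ok = srv.chap_verify(1, "bart", resp)   # same response again: rejected
    return pap_ok, chap_ok, replay_ok, leaked_secrets(srv)
```

demo() shows both logins succeeding, the replayed CHAP response failing, and only the PAP exchange exposing the secret on the wire.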

 

Applying Security Templates via MMC

Open MMC and load the Security Configuration and Analysis snap-in (SCAT)

  • Right click SCAT, create a new database
  • Choose a security template
  • Right click SCAT and choose either:
      • Analyse computer against template, or
      • Configure computer to template

Sample templates available:
securews.inf    = Increases workstation security
hisecws.inf     = Significantly increases workstation security
compatws.inf    = Reduces security settings to allow legacy applications to run

 

Auto completion – Windows Command Line

HKLM\SOFTWARE\Microsoft\Command Processor
CompletionChar: REG_DWORD=9 (DEFAULT=40)

 

Convert FAT to NTFS

 

convert c: /fs:ntfs

 

Disable DHCP MediaSense

Windows contains the "Media Sensing" feature to detect whether a NIC is in a "link state." A "link state" is when the NIC connecting or inserting itself on the network has a "link" light to indicate the current connection status. Whenever Windows detects a "down" state on the media, it removes the bound protocols from that adapter until it is detected as "up" again. There may be situations where you do not want your network adapter to detect this state, and you can configure this by editing the registry.
 

To prevent your network adapter from detecting the link state, follow these steps.
 

1.  Use Registry Editor (Regedt32.exe) to view the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

    Add the following registry value:
    Value Name: DisableDHCPMediaSense
    Data Type: REG_DWORD - Boolean
    Value Data Range: 0, 1 (False, True)  Default: 0 (False)

    Description: This parameter controls DHCP Media Sense behavior. If you set this value data to 1, DHCP, and even non-DHCP, clients ignore Media Sense events from the interface. By default, Media Sense events trigger the DHCP client to take an action, such as attempting to obtain a lease (when a connect event occurs), or invalidating the interface and routes (when a disconnect event occurs).

 

2.  Restart your computer. (Source: http://support.microsoft.com/default.aspx?scid=KB;en-us;q239924)

  

Enable/Disable NetBIOS Null Sessions (Registry)

XP Home / Windows 2000:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous

XP Pro:
Admin Tools --> Local Security Policy --> Local Policies --> Security Options

Network access: Do not allow anonymous enumeration of SAM accounts (Enabled)
Network access: Do not allow anonymous enumeration of SAM accounts and shares (Enabled)

Windows NT4:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1

 

Integrate SP2 to XP

Download the (full) "Network Install" of the Service Pack (English version [266 MB]) and save it to a directory (folder) on your hard drive, e.g. D:\XP_SP2.

Copy your Windows XP CD to your hard drive, e.g. to D:\XP-CD.

Open a Command Prompt and go to the folder where you downloaded SP2 (cd \[FOLDER_NAME]).

Type the command: [SERVICE_PACK_FILENAME] /integrate:[DRIVE]:\[PATH], e.g.
WindowsXP-KB835935-SP2-ENU.exe /integrate:D:\XP-CD

N.B. Does not work on a Windows 2000 host.