Intro to Windows - TryHackMe Room


The link for this lab is located here: https://tryhackme.com/room/intro2windows


In this room, we will look at an introduction to Windows OS including a little history, authentication processes, types of servers and GPOs.



Task 1 - A Little History

On November 20, 1985, Microsoft announced its OS named Windows, a graphical operating system shell released in response to the growing popularity of GUIs. Today Windows dominates the world of desktop computers with around 90% market share, having overtaken Apple, whose Macintosh was introduced in 1984.

Some Windows versions are:

  • Windows 1

  • Windows 2

  • Windows 2.x

  • Windows 3.x

  • Windows 95

  • Windows 98

  • Windows NT

  • Windows XP

  • Windows Vista

  • Windows 7

  • Windows 8.x

  • Windows 10

Some Windows Server versions include:

  • Windows Server 2003

  • Windows Server 2008

  • Windows Server 2012 / 2012 R2

  • Windows Server 2016

  • Windows Server 2019

Questions

Q2: When was Windows announced? A: November 20 1985

Q3: Which is the latest version of Windows? A: Windows 10

Q4: Which is the latest version of Windows Server? A: Windows Server 2019


Task 2 - Windows File System and Permissions Explained

The “file system” is the method and data structure that an OS uses to keep track of files on a disk or partition. Without a file system, the information saved in a storage media would be one large body of data with no way to tell where the information begins and ends.

The Windows file system structure is:

  • Logical drives (Ex: Local Disk C)

  • Folders (these are the folders that come by default. Ex: Documents, Downloads, Music)

  • Files

The folders located on the C drive are:

  • PerfLogs - stores performance logs and other reports about system issues

  • Program Files - default location where programs are installed (64-bit programs on 64-bit Windows)

  • Program Files (x86) - default location where 32-bit programs are installed on 64-bit Windows

  • Users - holds a profile folder for each user created on the machine, including user-generated data (for example, a file saved on the Desktop)

  • Windows - folder which contains the code to run the OS and some utility tools

File permissions can be set by an administrator or another privileged account. These permissions can be applied to:

  • Users

  • Groups

Permissions that can be set are:

  • Full control - allows the user/users/group/groups to set the ownership of the folder, set permissions for others, modify, read, write and execute files

  • Modify - allows the user/users/group/groups to modify, read, write and execute files

  • Read and execute - allows the user/users/group/groups to read and execute files

  • List folder contents - allows the user/users/group/groups to list the contents of a folder

  • Read - only allows the user/users/group/groups to read files

  • Write - allows the user/users/group/groups to write data to the specified folder

  • Special permissions

To set permissions for a file or folder, right click on the file and select “Properties”. Go to the “Security” tab and click on the “Edit” button.

A tool you can use to check file or folder permissions from the command line is “icacls”.

To explain what each letter means:

  • I - permission inherited from the parent container

  • F - Full access (full control)

  • M - Modify right/access

  • OI - Object inherit

  • IO - Inherit only

  • CI - Container inherit

  • RX - Read and execute

  • AD - append data (add subdirectories)

  • WD - write data and add files

You can use icacls to check permissions, set ownership of the folder, set, remove or deny permissions. An example would be setting the ownership of the folder to Users.


To check if that applied, you can right click on the folder and select “Properties”, go to the “Security” tab and click on “Advanced”. There, you should see who the owner is.
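The same review can be scripted. The following is an added example (not code from the TryHackMe room): it reads a folder's ACL with Get-Acl, prints each entry with the same inheritance flags icacls shows (I, OI, CI, IO), and warns when a broad principal such as Everyone or BUILTIN\Users holds write-level rights. The folder path is a placeholder; replace it with the folder you are reviewing.

```powershell
# Added example (not from the room): audit a folder's ACL with Get-Acl and flag
# entries that give broad groups write-level rights.
# $Path is a hypothetical folder; point it at the folder you want to review.
param([string]$Path = 'C:\Shared\LAB')

$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeRights = [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::Write

$acl = Get-Acl -Path $Path
"Owner: $($acl.Owner)"

foreach ($ace in $acl.Access) {
    # Rebuild the flag letters icacls prints for the same entry
    $flags = @()
    if ($ace.IsInherited) { $flags += 'I' }
    if ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)    { $flags += 'OI' }
    if ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) { $flags += 'CI' }
    if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)      { $flags += 'IO' }

    '{0,-45} {1,-6} ({2}) {3}' -f $ace.IdentityReference, $ace.AccessControlType, ($flags -join ','), $ace.FileSystemRights

    # Warn when a broad principal is allowed to write or take full control
    $grantsWrite = ([int]($ace.FileSystemRights -band $writeRights)) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $ace.IdentityReference.Value -and
        $grantsWrite) {
        Write-Warning "$($ace.IdentityReference) has write-level rights on $Path"
    }
}

# Equivalent operations with the built-in icacls tool (cmd or PowerShell):
#   icacls $Path                        # list permissions
#   icacls $Path /save acl.bak /T       # back up the ACLs before changing anything
#   icacls $Path /setowner "Users"      # change the owner, as done in the room
```

Back up the ACLs with `/save` before changing ownership or permissions so a mistake can be reverted with `icacls /restore`.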

Questions

Q2: In which folder are users profiles stored? A: Users


Task 3 - Understanding the Authentication Process

Authentication is the process for verifying the identity of a person (or an object or service). When you authenticate a person, the goal is to verify the person is NOT an imposter.

Local authentication is done using the Local Security Authority (LSA). LSA is a protected subsystem that keeps track of the security policies and the accounts that are on a computer. It also maintains information about all aspects of local security on a computer.

There are two types of Active Directory:

  1. On-Premise Active Directory (AD)

  2. Azure Active Directory (AAD)

On-premise AD has a record of all users, PCs and servers and authenticates the users signing in (the network logon). Once signed in, Active Directory also governs what users are and are NOT allowed to do or access (authorization).

In an on-premise AD environment, the authentication can be made using the following protocols:

  • NTLM

  • LDAP/LDAPS

  • KERBEROS

NTLM/NTLMv2

NTLM uses a challenge-response sequence of messages between a client and a server system. NTLM provides authentication based on a challenge-response authentication scheme. It does NOT provide data integrity or data confidentiality protection for the authenticated network connection.


LDAP/LDAPS

The main difference between LDAP and LDAPS is that LDAPS supports encryption, so the credentials are NOT sent in plain text across the network. Note also that the DC (Domain Controller) can be considered a database of users, groups, computers and so on (it contains information about objects).

Using LDAP/LDAPS, the user’s workstation sends the credentials via an API to the DC, which validates them and allows the user to log in.

KERBEROS

Another way to authenticate is Kerberos, which uses symmetric-key cryptography and requires a trusted third party to verify user identities and issue tickets.

Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign in to an application that uses Azure Active Directory for authentication. For example, all Microsoft Cloud services use Azure Active Directory for authentication.

Azure Active Directory supports the following authentication methods:

  • SAML (Security Assertion Markup Language)

  • OAUTH 2.0

  • OpenID Connect

SAML

SAML is an SSO standard. It defines a set of rules/protocols that allow users to access web applications with a single login. This is possible because those apps (referred to as Service Providers) all trust the system that verifies users’ identities (referred to as the Identity Provider).

Service Providers - systems and applications that users access throughout the day.

Identity Providers - would be the system that performs user authentication

OAUTH 2.0

OAuth 2.0 is an authorization standard that applications use to grant client apps access to resources. The OAuth 2.0 spec has four important roles:

  • The authorization server, which is the server that issues the access token

  • The resource owner, normally your application’s end-user that grants permission to access the resource server with an access token

  • The client, which is the application that requests the access token and then passes it to the resource server

  • The resource server, which accepts the access token and must verify that it is valid. In this case, this is your application.

OpenID Connect

OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token. For that, it uses simple JSON Web Tokens (JWT). While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication.

Questions

Q2: Which Active Directory is cloud based? A: Azure Active Directory

Q3: Which authentication method does not provide data integrity? A: NTLM

Q4: Which authentication method assigns a ticket in order for a user to login? A: Kerberos

Q5: Which authentication method allows users to access applications with a single login (short name)? A: SAML

Q6: Authentication method that uses JSON Web Tokens? A: OpenID Connect


Task 4 - Utility Tools

Windows comes with a variety of utility tools. Some of them are:

  • Computer Management

  • Local Security Policy

  • Disk Cleanup

  • Registry Editor (Regedit)

  • Command-line Tools

Computer Management contains more tools such as:

  • Task Scheduler

  • Event Viewer

  • Shared Folders

  • Local Users & Groups

  • Performance Monitor

  • Disk Management

  • Services & Applications

Task Scheduler allows predefined actions to be automatically executed whenever a certain set of conditions is met.

Event Viewer logs events that happen across the device. It’s important because it can be used to forward the events to a SIEM which helps the IT team of a company determine possible malicious activities.
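What a SIEM does with forwarded events can be reproduced locally. The following is an added example (not from the room): it reads the last successful (4624) and failed (4625) logons from the Security log with Get-WinEvent, extracts the logon type, the source address and the authentication package, and so also shows the NTLM vs Kerberos distinction from Task 3 for each session. It needs an elevated prompt because the Security log is readable only by administrators.

```powershell
# Added example (not from the room): summarise recent logon events from the
# Security log the way a SIEM rule would, including whether NTLM or Kerberos
# authenticated each session. Run from an elevated PowerShell prompt.

function Get-LogonSummary {
    param([int]$MaxEvents = 500)

    # Logon type codes as documented for event 4624/4625
    $logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service';
                     7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials';
                     10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Each event's EventData is a list of <Data Name="..."> elements
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            Outcome     = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $logonTypes[[int]$data['LogonType']]
            AuthPackage = $data['AuthenticationPackageName']   # 'NTLM' or 'Kerberos'
            Source      = $data['IpAddress']
        }
    }
}

$summary = Get-LogonSummary

# Failed logons per account: a burst here is what a brute-force detection keys on
$summary | Where-Object Outcome -eq 'Failure' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name

# RDP (logon type 10) sessions and the protocol that authenticated them
$summary | Where-Object LogonType -eq 'RemoteInteractive' |
    Format-Table Time, User, AuthPackage, Source -AutoSize
```

On a domain-joined machine, interactive and RDP logons should normally show Kerberos; a steady stream of NTLM logons from one source is worth a closer look, since NTLM offers no integrity or confidentiality protection for the connection.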

Shared Folders lists the directories that are shared across the network and can be accessed by multiple users.

Local Users and Groups allows you to create users and add them to the different built-in groups, which gives them different levels of access.

Performance Monitor monitors the different activities across the device such as CPU usage, memory, etc.

Disk Management allows you to shrink, expand and create new partitions and format them.

Services & Applications allows you to check the running services and you have the ability to start, stop and restart them.

Local Security Policy

This is a group of settings you can configure to strengthen the computer’s security. You can set the minimum password length, the password complexity level, disable the guest and local admin accounts and more.
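The same settings can be checked without opening the console. The following is an added example (not from the room): it exports the local security policy with the built-in secedit tool, parses the exported INF file and compares the password and account settings against a baseline. The baseline values are illustrative thresholds chosen for this example, not settings the room prescribes.

```powershell
# Added example (not from the room): export the local security policy with
# secedit and check password/account settings against a baseline.
# Run from an elevated prompt; secedit /export needs administrator rights.

function Get-LocalSecurityPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null

    # The INF is "Name = Value" lines under section headers such as [System Access]
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

# Baseline: illustrative values for this example
$checks = @{
    MinimumPasswordLength = { param($v) $v -ge 14 }
    PasswordComplexity    = { param($v) $v -eq 1 }           # 1 = complexity enabled
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 10 }  # 0 = never lock out
    EnableGuestAccount    = { param($v) $v -eq 0 }           # 0 = Guest disabled
}

$policy = Get-LocalSecurityPolicy
foreach ($name in $checks.Keys) {
    $raw   = $policy[$name]
    $value = if ($raw) { [int]$raw } else { $null }
    $pass  = ($null -ne $value) -and (& $checks[$name] $value)
    '{0,-24} current={1,-6} {2}' -f $name, $raw, ($(if ($pass) { 'OK' } else { 'REVIEW' }))
}
```

The exported file also contains the [Privilege Rights] section, which is the local equivalent of the User Rights Assignment settings configured through a GPO in Task 7.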

Disk Cleanup

With this, you can cleanup files that are no longer needed by the system and are just taking up space. Running it as admin allows it to clean system files.

Registry Editor

The registry database stores many important OS system settings. For example, it contains entries with information about what should happen when double-clicking a particular file type or how wide the taskbar should be.

Built-in and inserted hardware also stores information in the registry when the driver is installed.

Command-Line Tools

Windows comes equipped with two command line tools and one can be installed:

  • CMD

  • PowerShell

  • Windows Terminal

CMD is the command line interpreter for MS Windows OS used to automate various system related tasks using scripts and batch files. Users can interact with the OS directly using text based commands. It emulates most of the command line abilities available in MS-DOS through a CLI.

PowerShell is mainly used by sysadmins to manage the network and domain they handle, as well as the computers and other devices that are part of it. It can interpret both batch commands and PowerShell commands.

The Windows Terminal can be used instead of both and can be installed.

Registry Editor

The registry can be considered a database that contains low-level settings for Windows and its applications. It is structured into the following root keys:

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

A feature of PowerShell is that the registry is exposed as drives, so you can browse it with “cd <REG DB>” (for example cd HKLM:). Windows also has a built-in tool named “reg” that can be used from the CLI to add, remove, query, import, export, etc. registry keys.
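The following is an added example (not from the room) of both ways of working with the registry described above: it changes into the HKLM: drive as if it were a folder, then lists the auto-start (Run/RunOnce) entries under HKLM and HKCU with Get-ItemProperty, which are among the first keys a defender reviews on a suspect machine, and finishes with the reg.exe equivalents, including a backup export.

```powershell
# Added example (not from the room): browse the registry as a drive and list
# the Run/RunOnce auto-start entries, then the same with reg.exe.

# The registry behaves like a file system: Push-Location/Set-Location into a key
Push-Location 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
Get-ChildItem -Name | Select-Object -First 5      # subkeys listed like folders
Pop-Location

function Get-AutoStartEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-AutoStartEntry | Format-Table -AutoSize

# The same lookup with the reg tool mentioned above
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# reg add / reg delete / reg export share the key syntax; export a backup first
reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "$env:TEMP\run-backup.reg" /y
```

Compare the Command column against what you expect to be installed; an entry pointing into a user-writable folder such as a temp directory deserves a second look.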


Task 5 - Types of Servers

A server is a piece of hardware or software that provides functionality for other software or devices. Servers can be used for a variety of purposes. The most common ones are:

  • Domain Controller - the key server in an AD or AAD infrastructure; it controls users and groups, restricts actions, improves security and manages many other aspects of the other computers and servers

  • File Server - provides a way to share files across devices on a network

  • Web Server - serves static or dynamic content to a web browser by loading a file from a disk and serving it across the network

  • FTP Server - makes it possible to move one or more files between computers while providing security, organization and transfer control

  • Mail Server - move and store mail over corporate networks and across the internet

  • Database Server - provides other computers with services related to accessing and retrieving data from one or multiple databases

  • Proxy Server - usually sits between a client program and an external server to filter requests, improve performance and share connections

  • Application Server - usually used to connect the database servers and the users

Questions

Q2: Which can be considered the most important server? A: Domain Controller

Q2: Which server can store emails? A: Mail Server


Task 6 - Users and Group Management

In AD, user management is done using Active Directory Users and Computers. To access it, go to Tools > Active Directory Users and Computers.

Before any other action, enable Advanced Features, which adds additional tabs when looking at an object’s properties. This is done by going to View > Advanced Features.

Double clicking the domain name presents the AD tree.

Next, create an OU where to store the users. To do that right click on the domain name and go to New > Organizational Unit then give it a name.

Create two more OUs inside the newly created OU. In one OU we will store users and in the second one we will store groups. To create them, repeat the steps above by right clicking on the LAB OU > New > Organizational Unit.

Next, create some users and groups by right clicking on the Users OU and go to New > User and fill in the information required


Click Next and set a password. Do this for 2 more users - you should have 3 users at the end


To create a group, right click on the Groups OU and hit New > Group.


Once again, there should be 3 groups - Admins, RDP Access and No RDP Access.

Finally, to assign a user to a group, you can either right click the user and choose “Add to a group” or by double clicking a group, clicking on Members tab and hitting Add. Using the first method, add Einstein to the Admins group, Carrey to RDP Access and Bolt to No RDP Access.


To add the Admins group to the Domain Admins group, right click on Admins group > Add to a group and search for Domain Admins


Then, add the other two groups to the Remote Desktop Users Group.
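The whole of Task 6 can be done from PowerShell with the ActiveDirectory module (installed with the AD DS role or RSAT). The following is an added example, not the room's own steps: it builds the same OU layout, users, groups and memberships, then checks who ends up in Domain Admins through group nesting. The OU and account names match the room; the domain DN is read from the current domain, and the initial password is prompted for rather than hard-coded.

```powershell
# Added example (not from the room): Task 6 as a script with the ActiveDirectory
# module. Run on a domain controller or a machine with RSAT, as a domain admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=lab,DC=local (hypothetical)

# OU structure: LAB, with Users and Groups underneath
New-ADOrganizationalUnit -Name 'LAB' -Path $domainDN
$labOU    = "OU=LAB,$domainDN"
New-ADOrganizationalUnit -Name 'Users'  -Path $labOU
New-ADOrganizationalUnit -Name 'Groups' -Path $labOU
$usersOU  = "OU=Users,$labOU"
$groupsOU = "OU=Groups,$labOU"

# Three users; one prompted initial password, forced to change at first logon
$initialPassword = Read-Host -AsSecureString 'Initial password for lab users'
foreach ($name in 'Einstein', 'Carrey', 'Bolt') {
    New-ADUser -Name $name -SamAccountName $name -Path $usersOU `
               -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
}

# Three global security groups
foreach ($g in 'Admins', 'RDP Access', 'No RDP Access') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
}

# Memberships as in the room
Add-ADGroupMember -Identity 'Admins'        -Members 'Einstein'
Add-ADGroupMember -Identity 'RDP Access'    -Members 'Carrey'
Add-ADGroupMember -Identity 'No RDP Access' -Members 'Bolt'
Add-ADGroupMember -Identity 'Domain Admins' -Members 'Admins'
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members 'RDP Access', 'No RDP Access'

# Verify: who is a Domain Admin, directly or through nesting?
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object Name, objectClass
```

The `-Recursive` check at the end is the one to keep running in a real domain: nesting a custom group into Domain Admins, as the room does, means every later change to that group silently changes who holds domain-wide administrative rights.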


Task 7 - Creating Your First GPO

A GPO (Group Policy Object) is a feature of AD that adds additional controls to user accounts and computers. Group Policy settings include local settings, site-wide settings, domain-level settings and settings applied to organizational units.

To create a GPO we need to go to Tools > Group Policy Management inside Server Manager


Then, right click on “Group Policy Objects” and create a new object. To edit the GPO, right click and hit Edit


For this demo, we will set different permissions for the groups recently created. First, let users authenticate using RDP. To do so, go to Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and double click on “Allow log on through Remote Desktop Services”.

Select “Define these policy settings” > Add user or group > Browse.


Search for “Admins” and RDP Access groups and click OK > OK to add them

Search for the “Admins” and “RDP Access” groups and click OK > OK to add them.

To block a user or group from logging in using RDP, double click “Deny log on through Remote Desktop Services” and add the No RDP Access group there.

Finally, close the editor and go back to Group Policy Management. In order to make the policy apply, we have to link the GPO to the root of the domain. To do that, right click on the Domain Controllers OU > Link an existing GPO and select the GPO you created.

To apply the GPO, open the command prompt and type the following - gpupdate /force - and wait for the policy to apply.

To test it, try to RDP into the machine using each user and see the different levels of access. The first user should have Domain Admin rights and the logon should work.


Next, use the account in the RDP Access group. Once again, you should be able to connect but when opening a CMD it will ask for admin credentials.


Lastly, try logging in with the account added to the No RDP Access. You will get an error.


This happens because, even though the No RDP Access group was added to the Remote Desktop Users group, the GPO created earlier denies RDP logon to the users in that group, and the deny setting wins over the allow.
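The create, link and refresh steps of Task 7 can be scripted, and the result verified, with the GroupPolicy module. The following is an added example, not the room's own procedure: it creates the GPO if missing, links it to the Domain Controllers OU as the room does, runs gpupdate, and then reads the GPO's XML report to print which groups are allowed and denied RDP logon. The user-rights entries themselves are still set in the editor as shown above. The GPO name is a placeholder, and the XML path used to reach the UserRightsAssignment elements is an assumption about the report layout.

```powershell
# Added example (not from the room): create/link the RDP GPO with the
# GroupPolicy module and verify the user-rights entries it carries.
# Run as a domain admin on the DC. $gpoName is a hypothetical name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'RDP Access Policy'
$target  = (Get-ADDomain).DomainControllersContainer   # the Domain Controllers OU, as in the room

# Create the GPO only if it does not already exist
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Link it to the target OU if it is not linked there yet
$linked = (Get-GPInheritance -Target $target).GpoLinks.DisplayName -contains $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }

# Same as typing "gpupdate /force" in the room
gpupdate /force | Out-Null

# Read the GPO report and list the two RDP-related rights with their members.
# Assumed layout: GPO/Computer/ExtensionData/Extension/UserRightsAssignment,
# each with a Name element and one Member element (holding a Name) per principal.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$rights = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment
foreach ($r in $rights) {
    if ($r.Name -in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $members = @($r.Member) | ForEach-Object { $_.Name }
        '{0}: {1}' -f $r.Name, ($members -join ', ')
    }
}
```

SeRemoteInteractiveLogonRight is "Allow log on through Remote Desktop Services" and SeDenyRemoteInteractiveLogonRight is the corresponding deny. A principal that appears under both, as No RDP Access would if it were also granted the allow right, is still denied, which is the behaviour observed with the Bolt account above.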
