Module 2 - Windows Operating System and Linux Operating System

This document outlines the objectives and content of a module on Windows and Linux operating systems, focusing on their architecture, administration, and security. It covers key aspects such as Windows history, command usage, system vulnerabilities, and Linux basics, including its open-source nature and tools for security operations. The module aims to equip students with essential skills for managing and securing both operating systems.

Uploaded by Charles Uy

INFORMATION ASSURANCE & SECURITY 2
MODULE 2
WINDOWS OPERATING SYSTEM AND LINUX OPERATING SYSTEM
OBJECTIVES
Upon completion of this module, the student would be able to:
Windows Overview
➢Explain the operation of the Windows Operating System.
➢Describe the history of the Windows Operating System.
➢Explain the architecture of Windows and its operation.

Windows Administration
➢Explain how to secure Windows endpoints.
➢Explain how to configure and monitor Windows.
➢Explain how Windows can be kept secure.
OBJECTIVES
Upon completion of this module, the student would be able to:
Linux Administration
➢Perform basic Linux administration tasks.
➢Explain how a Linux administrator locates and manipulates security log files.
➢Manage the Linux file system and permissions.

Linux Hosts
➢Perform basic security-related tasks on a Linux host.
➢Explain the basic components of the Linux GUI.
➢Use tools to detect malware on a Linux host.
OBJECTIVES
Upon completion of this module, the student would be able to:
Linux Overview, Host and Administration
➢Perform basic operations in the Linux shell.
➢Explain why Linux skills are essential for network security monitoring and investigation.
➢Use the Linux shell to manipulate text files.
➢Explain how client-server networks function.
WINDOWS OVERVIEW AND ADMINISTRATION
Windows History
Disk Operating System
▪ Disk Operating System (DOS) - operating system that the computer uses to enable data storage devices to read and write files.
▪ MS-DOS, created by Microsoft, used a command line as the interface for people to create programs and manipulate data files.
▪ Early versions of Windows consisted of a Graphical User Interface (GUI) that ran over MS-DOS.
▪ In newer versions of Windows, built on NT, the operating system itself is in direct control of the computer and its hardware.
These are some commands that you can use:
•dir - shows a listing of all the files in the current directory (folder)
•cd directory - changes the directory to the indicated directory
•cd.. - changes the directory to the directory above the current directory
•cd\ - changes the directory to the root directory (often C:)
•copy - copies files to another location
•del - deletes one or more files
•find - searches for text in files
•mkdir - creates a new directory
•ren - renames a file
•help - displays all the commands that can be used, with a brief description
•help command - displays extensive help for the indicated command
Windows History
Windows Versions
▪ Since 1993, there have been more than 20 releases of Windows that are based on the NT operating system.
▪ Beginning with Windows XP, a 64-bit edition was available.
▪ 64-bit Windows can theoretically address 16.8 million terabytes of RAM.
▪ With each subsequent release of Windows, the operating system has become more refined by incorporating more features.
Windows History
Windows GUI
▪ Windows has a graphical user interface (GUI) for users to work with data files and software.
▪ The main section of the GUI is the desktop, which contains the Task Bar.
▪ The Task Bar includes the Start Menu and Search, Quick Launch items and the Notifications Area.
▪ Right-clicking an icon brings up an additional list of functions, known as a Context Menu.
▪ Windows File Explorer is a tool used to navigate the entire file system of a computer.
Windows History
Operating System Vulnerabilities
▪ To take advantage of an operating system vulnerability, the attacker must use a technique or a tool to exploit the vulnerability.
▪ Common Windows OS Security Recommendations:
• Implement virus or malware protection.
• Do not allow unknown or unmanaged services.
• Use encryption.
• Implement a strong security policy.
• Review firewall settings periodically.
• Set File and Share permissions correctly.
• Use strong passwords.
• Log in as Administrator only when necessary.
Windows Architecture and Operations
Hardware Abstraction Layer
▪ A hardware abstraction layer (HAL) is code that handles all of the communication between the hardware and the kernel.
▪ The kernel is the core of the operating system and has control over the entire computer.
▪ The kernel handles all of the input and output requests, memory, and all of the peripherals connected to the computer.
Windows Architecture and Operations
User Mode and Kernel Mode
▪ There are two different modes in which a CPU operates when the computer has Windows installed: user mode and kernel mode.
▪ Installed applications run in user mode, and operating system code runs in kernel mode.
Windows Architecture and Operations
Windows File Systems
▪ A file system is how information is organized on storage media.
▪ Windows supports the following file systems:
• File Allocation Table (FAT)
• exFAT
• Hierarchical File System Plus (HFS+)
• Extended File System (EXT)
• New Technology File System (NTFS)
▪ NTFS stores files as a series of attributes, such as the name of the file, or a timestamp.
▪ The data which the file contains is stored in the attribute $DATA, and is known as a data stream.
▪ A hard drive is divided into areas called partitions.
▪ Each partition is a logical storage unit that can be formatted to store information, such as data files or applications.
Windows Architecture and Operations
Windows Boot Process
▪ Two types of computer firmware exist: Basic Input-Output System (BIOS) and Unified Extensible Firmware Interface (UEFI).
▪ UEFI was designed to replace BIOS and support the new features.
▪ Whether BIOS or UEFI, after a valid Windows installation is located, the Bootmgr.exe file is run.
Windows Architecture and Operations
Windows Startup and Shutdown
▪ Different entries in these registry locations define which services and applications will start, as indicated by their entry type:
• HKEY_LOCAL_MACHINE
• HKEY_CURRENT_USER
▪ These types include Run, RunOnce, RunServices, RunServicesOnce, and Userinit.
▪ There are five tabs which contain the configuration options:
• General
• Boot
• Services
• Startup
• Tools
▪ It is always best to perform a proper shutdown to turn off the computer.
Windows Architecture and Operations
Processes, Threads, and Services
▪ A process is any program that is currently executing.
▪ A thread is a part of the process that can be executed.
▪ In Windows, multiple threads can be executed at the same time.
▪ Some of the processes that Windows runs are services - programs that run in the background to support the operating system and applications.
Windows Architecture and Operations
Memory Allocation and Handles
▪ The virtual address space for a process is the set of virtual addresses that the process can use.
▪ Each process in a 32-bit Windows computer supports a virtual address space that enables addressing up to 4 gigabytes.
▪ Each process in a 64-bit Windows computer supports a virtual address space of 8 terabytes.
▪ Each user space process runs in a private address space, separate from other user space processes.
▪ Sysinternals’ RamMap - used to view memory allocation.
Windows Architecture and Operations
The Windows Registry
▪ Information about hardware, applications, users, and system settings is stored in the Windows registry.
▪ The registry is a hierarchical database where the highest level is known as a hive; below that there are keys, followed by subkeys.
▪ The five hives of the Windows registry:
• HKEY_CURRENT_USER (HKCU) - Holds data concerning the currently logged in user.
• HKEY_USERS (HKU) - Holds data concerning all the user accounts.
• HKEY_CLASSES_ROOT (HKCR) - Holds data about object linking and embedding (OLE) registrations.
• HKEY_LOCAL_MACHINE (HKLM) - Holds system-related data.
• HKEY_CURRENT_CONFIG (HKCC) - Holds data about the current hardware profile.
▪ Navigation is very similar to Windows File Explorer.
Windows Configuration and Monitoring
Run as Administrator
▪ Sometimes, it is necessary to run or install software that requires the privileges of the Administrator.
▪ Use “Run as administrator” or open an Administrator Command Prompt.
Windows Configuration and Monitoring
Local Users and Domains
▪ Local users and groups are managed with the lusrmgr.msc control panel applet.
▪ A group is named and has a specific set of permissions associated with it. A user placed into a group will have the permissions of that group assigned to them.
▪ A domain - type of network service where all of the users, groups, computers, peripherals, and security settings are stored on and controlled by a database.
• This database is stored on computers or groups of computers called domain controllers (DCs).
Windows Configuration and Monitoring
CLI and PowerShell
▪ The Windows command line interface (CLI) can be used to run programs, navigate the file system, and manage files and folders.
▪ Another environment, called Windows PowerShell, can be used to create scripts to automate tasks that the regular CLI is unable to perform.
These are the types of commands that PowerShell can execute:
•Cmdlets
•PowerShell scripts
•PowerShell functions
There are four levels of help in Windows PowerShell:
•get-help PS command
•get-help PS command [-examples]
•get-help PS command [-detailed]
•get-help PS command [-full]
Windows Configuration and Monitoring
Windows Management Instrumentation
▪ Windows Management Instrumentation (WMI) is used to manage remote computers.
▪ Some attacks today use WMI to connect to remote systems, modify the registry, and run commands; therefore access should be strictly limited.
These are the four tabs in the WMI Control Properties window:
•General
•Backup/Restore
•Security
•Advanced
Windows Configuration and Monitoring
The net Command
▪ The net command supports many other commands that follow the net command and can be combined with switches to focus on specific output.
▪ To see a list of the net commands, type net help at the command prompt.
These are some common net commands:
•net accounts
•net session
•net share
•net start
•net stop
•net use
•net view
Windows Configuration and Monitoring
Task Manager and Resource Monitor
▪ Task Manager provides a lot of information about what is running, and the general performance of the computer.
▪ Resource Monitor is used when more detailed information about resource usage is needed.
There are seven tabs in the Task Manager:
•Processes
•Performance
•App history
•Startup
•Users
•Details
•Services
Resource Monitor
The Resource Monitor has five tabs:
•Overview
•CPU
•Memory
•Disk
•Network
Windows Configuration and Monitoring
Networking
▪ To configure Windows networking properties and test networking settings, the Network and Sharing Center is used.
▪ Use the netsh.exe tool to configure networking parameters from a command prompt.
▪ To test the network adapter, type ping 127.0.0.1 at the command prompt.
▪ Domain Name System (DNS) should also be tested, using the nslookup command.
▪ Use netstat at the command line to see details of active network connections.
Windows Configuration and Monitoring
Accessing Network Resources
▪ The Server Message Block (SMB) protocol is used to share network resources.
▪ The Universal Naming Convention (UNC) format is used to connect to resources.
▪ An administrative share is identified by the dollar sign ($) that comes after the share name.
▪ Remote Desktop Protocol (RDP) can be used to log onto a remote host and make configuration changes, install software, or troubleshoot.
Windows Configuration and Monitoring
Windows Server
▪ There is another edition of Windows that is mainly used in data centers, called Windows Server.
▪ Services that Windows Server hosts include:
• Network Services
• File Services
• Web Services
• Management
Windows Security
The netstat Command
▪ The netstat command can be used to look for inbound or outbound connections that are not authorized.
▪ Link the connections to the running processes in the Task Manager by using netstat -abno.
▪ To display the Process IDs for the processes in the Task Manager, open the Task Manager, right-click the table heading and select PID.
Windows Security
The Event Viewer
▪ Windows Event Viewer logs the history of application, security, and system events.
▪ Windows includes two categories of event logs: Windows Logs, and Application and Services Logs.
▪ A built-in custom view called Administrative Events shows all critical, error, and warning events from all of the administrative logs.
Windows Security
Windows Update Management
▪ To ensure the highest level of protection against attacks, always make sure Windows is up to date with the latest service packs and security patches.
▪ Windows routinely checks the Windows Update website for high-priority updates that can help protect a computer from the latest security threats.
▪ To configure the settings for Windows Update, search for Windows Update and click the application.
Windows Security
Local Security Policy
▪ Windows Local Security Policy can be used for stand-alone computers that are not part of an Active Directory domain.
▪ Password Policy is found under Account Policies, and defines the criteria for the passwords for all of the users on the local computer.
▪ Use the Account Lockout Policy in Account Policies to prevent brute-force login attempts.
▪ You can also configure User Rights and Firewall Rules.
Windows Security
Windows Defender
▪ Windows has built-in virus and spyware protection called Windows Defender.
▪ Windows Defender allows you to perform manual scans of the computer and storage devices, and update the virus and spyware definitions in the Update tab.
The following types of antimalware programs are available:
•Antivirus protection
•Adware protection
•Phishing protection
•Spyware protection
•Trusted / untrusted sources
Windows Security
Windows Firewall
▪ Firewalls generally work by opening and closing the ports used by various applications.
▪ Opening only the required ports on a firewall implements a restrictive security policy.
▪ Most devices now ship with settings as restrictive as possible.
LINUX OVERVIEW, HOST AND ADMINISTRATION
Linux Basics
What is Linux?
▪ Linux is an Open Source operating system created in 1991 and maintained by a community of programmers.
▪ Open Source means the source programming files, including the kernel, shell, and applications, are available for downloading, viewing and modification.
▪ Linux was designed as a network operating system and is widely used on different platforms, including embedded systems.
▪ There are many different versions or distributions of Linux. A distribution is defined by its kernel, as well as its programs and software packaging.
▪ Some Linux distributions are free, like CentOS and Fedora. Others, like RedHat Enterprise Server, cost money but include support services.
Linux Basics
The Value of Linux
▪ Linux is an operating system of choice in the Security Operations Center (SOC).
• Open source
• Allows analysts and administrators to tailor-build the OS.
• Command Line Interface (CLI) is very powerful
• Enables analysts to perform tasks directly or remotely on a terminal.
• More user control over the OS
• Root user or superuser has absolute power over the computer.
• Modify any aspect of the computer.
• Precise control over the functions of the computer.
• Better network communication control
• Great platform for creating network applications.
Linux Basics
Linux in the SOC
▪ A custom security distribution of Linux can be created for the SOC with just the tools needed for the job.
• Packet Capture (Wireshark)
• Malware Analysis Tools
• Intrusion Detection Systems (IDSs)
• Firewalls
• Log Managers
• Security Information and Event Management (SIEM)
• Ticketing Systems
Linux Basics
Linux Tools
▪ Penetration testing tools
• Process of looking for vulnerabilities.
• Tool examples:
• Packet generators
• Port scanners
• Proof-of-concept exploits
▪ The Kali Linux distribution groups many penetration testing tools.
Working in the Linux Shell
The Linux Shell
▪ The user communicates with the OS by using the CLI or the GUI.
▪ Terminal emulator applications provide user access to the CLI:
• terminator
• eterm
• xterm
• konsole
• gnome-terminal
Working in the Linux Shell
Basic Commands
Command    Function
mv         Move or rename files and directories
chmod      Modify file permissions
chown      Change file ownership
dd         Copy data from an input device/file to an output
pwd        Display the name/path of the current directory
ps         List the currently running processes
su         Switch the current user to another user
sudo       Run a command with the privileges of the super user
Working in the Linux Shell
Basic Commands
Command    Function
grep       Search plain-text data for lines that match a regular expression
ifconfig   View or configure the settings of the network interfaces
apt-get    Install software using the advanced package tool
iwconfig   View or configure the network wireless settings
shutdown   Log off and shut down the operating system
passwd     Change a user password
cat        Used to list the content of a text file
man        Display the documentation for a specific command
Working in the Linux Shell
File and Directory Commands
Command    Function
ls         Display the files inside a directory
cd         Changes the current directory
mkdir      Creates a directory under the current directory
cp         Copies files from source to destination
mv         Moves files to a different directory
rm         Removes files
grep       Searches for specific strings of characters
cat        Used to list the content of a text file
Working in the Linux Shell
Working with Text Files
▪ There are many text editors available in Linux.
▪ Some text editors are for the CLI only, like vi, vim, and nano.
▪ Other text editors, like gedit, are GUI-based.
▪ CLI text editors allow system management remotely, such as via SSH.
Working in the Linux Shell
The Importance of Text Files in Linux
▪ In Linux, everything is treated as a file; this includes the memory, the disks, the monitor, the files, and the directories.
▪ The operating system, as well as most programs, is configured by editing configuration files, which are text files.
▪ Editing system or application configuration files requires super user (root) privileges. This can be accomplished with the sudo command.
Linux Servers and Clients
An Introduction to Client-Server Communications
▪ Servers are computers with software installed that enables them to provide services to clients.
▪ Resources, such as files, email messages, or web pages, are stored on the server.
▪ Servers can also provide services, such as log management, memory management, and disk scanning.
▪ The client software is designed to communicate with the server.
Linux Servers and Clients
Servers, Services, and Their Ports
▪ A port is a reserved network resource used by a service.
▪ An administrator can assign a port to a specific service or use the default port number.
Default Port Number   Service
21        File Transfer Protocol (FTP)
22        Secure Shell (SSH)
23        Telnet remote login service
25        Simple Mail Transfer Protocol (SMTP)
53        Domain Name System (DNS)
80        Hypertext Transfer Protocol (HTTP)
110       Post Office Protocol version 3 (POP3)
123       Network Time Protocol (NTP)
143       Internet Message Access Protocol (IMAP)
161/162   Simple Network Management Protocol (SNMP)
443       HTTP Secure (HTTPS)
Linux Servers and Clients
Clients
▪ Clients are programs or applications designed to communicate with a specific server.
▪ Client applications are used for a well-defined protocol:
• File Transfer Protocol (FTP)
• Hyper Text Transfer Protocol (HTTP)
Basic Server Administration
Service Configuration Files
▪ Linux servers are typically configured with text-based configuration files.
▪ The configuration file defines options for the service, such as port number, location of hosted resources, and client authorization details.
▪ A server configuration file often consists of important server settings in the form of variables in key=value pairs.
▪ A server configuration file usually has instructions that begin with a comment character like a hash (#). Comments are ignored by the software.
Basic Server Administration
Hardening Devices
▪ Ensure physical security
▪ Minimize installed packages
▪ Disable unused services
▪ Use SSH and disable the root account login over SSH
▪ Keep the system updated
▪ Disable USB auto-detection
▪ Enforce strong passwords
▪ Force periodic password changes
▪ Keep users from re-using old passwords
▪ Review logs regularly
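A worked check for the two slides above, added here and not part of the module: a POSIX shell parser for the comment-and-key=value configuration style just described (it also accepts the space-separated "key value" form that sshd_config uses), run against a constructed sshd_config-style file, checking the hardening item "disable the root account login over SSH" (the real PermitRootLogin directive) and, as an extra check of my own, PasswordAuthentication. The file contents, temp-file path and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the module): parse a text configuration file that
# uses '#' comments and key=value or "key value" settings, then check the
# SSH hardening items. The config below is constructed, not a real server's.

# Write a constructed sshd_config-style file to a temp file; print its path.
make_sample_config() {
  f="$(mktemp)" || return 1
  cat >"$f" <<'EOF'
# Constructed sample configuration (not a real host)
Port 22
PermitRootLogin yes        # root login over SSH is still allowed here
PasswordAuthentication=yes
#PermitEmptyPasswords no   <- commented out, so it is not set at all
MaxAuthTries 6
EOF
  printf '%s\n' "$f"
}

# config_get FILE KEY -> prints the effective value of KEY (last match wins,
# key matching is case-insensitive), ignoring full-line and trailing comments.
# Exit status 1 when the key is not set. Lines are split at the first '=' if
# present, otherwise at the first run of whitespace.
config_get() {
  awk -v key="$2" '
    { sub(/#.*/, "") }                         # drop comments
    /^[[:space:]]*$/ { next }                  # skip blank lines
    {
      line = $0
      sub(/^[[:space:]]+/, "", line)
      n = index(line, "=")
      if (n == 0) { split(line, p, /[[:space:]]+/); k = p[1]; v = substr(line, length(k) + 1) }
      else        { k = substr(line, 1, n - 1);  v = substr(line, n + 1) }
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (tolower(k) == tolower(key)) { val = v; found = 1 }
    }
    END { if (found) { print val; exit 0 } exit 1 }' "$1"
}

# check_ssh_hardening FILE -> one PASS/FAIL line per check; the return value
# is the number of failed checks (0 = hardened as the slides require).
check_ssh_hardening() {
  fails=0
  v="$(config_get "$1" PermitRootLogin || echo "not set")"
  if [ "$v" = "no" ]; then echo "PASS PermitRootLogin $v"
  else echo "FAIL PermitRootLogin $v (slides: disable root login over SSH)"; fails=$((fails + 1)); fi
  v="$(config_get "$1" PasswordAuthentication || echo "not set")"   # extra check, my own
  if [ "$v" = "no" ]; then echo "PASS PasswordAuthentication $v"
  else echo "FAIL PasswordAuthentication $v (keys instead of passwords)"; fails=$((fails + 1)); fi
  return "$fails"
}
```

Run it as `check_ssh_hardening /etc/ssh/sshd_config` on a host to get the same PASS/FAIL lines for the real file.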
Basic Server Administration
Monitoring Service Logs
▪ Log files are records to keep track of important computer events.
▪ Linux has the following types of logs:
• Application Logs
• Event Logs
• Service Logs
• System Logs
Log                     Purpose
/var/log/messages       Used to store informational and non-critical system messages
/var/log/auth.log       Stores all authentication-related events
/var/log/secure         Used by RedHat and CentOS and tracks sudo logins, SSH logins, and errors logged by SSSD
/var/log/boot.log       Stores boot related messages during startup
/var/log/dmesg          Contains kernel ring buffer messages
/var/log/kern.log       Contains information logged by the kernel
/var/log/cron           A service used for scheduling automated tasks in Linux
/var/log/mysqld.log or /var/log/mysql.log   Logs all debug, failure and success messages related to the mysql process and mysqld_safe daemon
The Linux File System
The File System Types in Linux
File System Type   Description
ext2 (second extended file system)   Is the file system of choice for flash-based storage media.
ext3 (third extended file system)   Is an improved successor to ext2 with the additional feature of journaling of all the file system changes.
ext4 (fourth extended file system)   Is designed as a successor to ext3 with increased supported file sizes and better performance than ext3.
NFS (Network File System)   Is a network-based file system, allowing file access over the network.
CDFS (Compact Disc File System)   Was created specifically for optical disk media.
Swap File System   Is used when the system runs out of RAM.
HFS+ (Hierarchical File System Plus)   Is the primary file system used by Apple in its Macintosh computers.
APFS (Apple File System)   An updated file system used by Apple devices that provides strong encryption and is optimized for flash and solid state drives.
Master Boot Record (MBR)   Is located in the first sector of a partitioned computer and stores all the information about the way the file system is organized.
The Linux File System
Linux Roles and File Permissions
Permissions are written in octal: one 3-bit digit per role, one bit per permission (for example, 111 is a 7, meaning read, write and execute).
▪ User - the file owner’s permission
▪ Group - a group’s permission to a file
▪ Other - any non-owner user’s permission to a file
▪ Read - the ability to look at a file’s contents
▪ Write - the ability to change a file’s contents
▪ Execute - the ability to run or launch a file (scripts and programs)
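An added example, not from the module: POSIX shell functions that turn the symbolic rwx triplets printed by ls -l into the octal digits described above, going one step beyond the slide by also handling the setuid/setgid/sticky letters (s, S, t, T) as a leading fourth digit, plus a quick review verdict of the kind a server administrator wants. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the module): symbolic mode string -> octal, with
# one bit per permission (read=4, write=2, execute=1) per role, and a short
# review verdict. Pure POSIX sh; no files are touched.

# triplet_to_digit rwx -> one octal digit for one role (user, group or other).
triplet_to_digit() {
  t="$1"; n=0
  case "$t" in ???) ;; *) echo "bad triplet: $t" >&2; return 1 ;; esac
  case "$t" in r??) n=$((n + 4)) ;; esac
  case "$t" in ?w?) n=$((n + 2)) ;; esac
  case "$t" in ??[xst]) n=$((n + 1)) ;; esac   # lowercase s/t also mean execute
  printf '%s' "$n"
}

# mode_to_octal "rwxr-x---" -> "0750". Accepts the 9-character form or the
# 10-character ls -l form ("-rwxr-x---"); the first digit carries setuid (4),
# setgid (2) and sticky (1), which the slide's three digits do not show.
mode_to_octal() {
  m="$1"; special=0
  [ "${#m}" -eq 10 ] && m="${m#?}"              # drop the file-type column
  [ "${#m}" -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
  case "$m" in ??[sS]*)      special=$((special + 4)) ;; esac   # setuid
  case "$m" in ?????[sS]*)   special=$((special + 2)) ;; esac   # setgid
  case "$m" in ????????[tT]) special=$((special + 1)) ;; esac   # sticky
  u="$(triplet_to_digit "$(printf '%s' "$m" | cut -c1-3)")" || return 1
  g="$(triplet_to_digit "$(printf '%s' "$m" | cut -c4-6)")" || return 1
  o="$(triplet_to_digit "$(printf '%s' "$m" | cut -c7-9)")" || return 1
  printf '%s%s%s%s' "$special" "$u" "$g" "$o"
}

# classify_mode MODE -> a one-line verdict: setuid, world-writable (with or
# without the sticky bit, as on /tmp), or ok, each with the octal value.
classify_mode() {
  oct="$(mode_to_octal "$1")" || return 1
  special="${oct%???}"; other="${oct#???}"
  if   [ $((special & 4)) -ne 0 ]; then printf 'setuid (%s)\n' "$oct"
  elif [ $((other & 2)) -ne 0 ] && [ $((special & 1)) -ne 0 ]; then printf 'world-writable, sticky (%s)\n' "$oct"
  elif [ $((other & 2)) -ne 0 ]; then printf 'world-writable (%s)\n' "$oct"
  else printf 'ok (%s)\n' "$oct"; fi
}
```

Feed it the first column of `ls -l` output, e.g. `ls -l /etc | awk 'NR>1 {print $1}' | while read -r m; do classify_mode "$m"; done`.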
The Linux File System
Hard Links and Symbolic Links
▪ The ln command makes links between files.
▪ Hard Links:
• Point to the same location as the original file.
• Change one file, and the other one also changes.
▪ Symbolic or Soft Links:
• Use the -s option in the command to create the symbolic link.
• Delete the original file, and the soft link is a link to an original file that no longer exists.
▪ Advantages of symbolic links:
• Locating hard links is more difficult.
• Hard links are limited to the file system in which they are created. Symbolic links can link to a file in another file system.
• Hard links cannot link to a directory, but symbolic links can.
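The link behaviour listed above, reproduced as an added shell example (not from the module) in a throwaway directory created with mktemp: inode sharing, the link count shown by ls -l, write-through, what happens when the original is deleted, and the directory rule. Function names and the key=value report format are my own.

```shell
#!/bin/sh
# Added example (not from the module): demonstrate hard links vs symbolic
# links with ln / ln -s in a temporary directory, reporting each observation
# as key=value so a script (or the checks below) can read it back.

# link_demo -> prints one key=value line per observation, then cleans up.
link_demo() {
  d="$(mktemp -d)" || return 1
  printf 'original content\n' > "$d/orig.txt"
  ln    "$d/orig.txt" "$d/hard.txt"       # hard link: a second name for the same inode
  ln -s "$d/orig.txt" "$d/soft.txt"       # symbolic link: a small file holding a path

  # Inode numbers: the hard link shares the inode, the symlink has its own
  # (ls -i reports the link itself, not its target).
  orig_ino="$(ls -i "$d/orig.txt" | awk '{print $1}')"
  hard_ino="$(ls -i "$d/hard.txt" | awk '{print $1}')"
  soft_ino="$(ls -i "$d/soft.txt" | awk '{print $1}')"
  printf 'hard_same_inode=%s\n' "$([ "$orig_ino" = "$hard_ino" ] && echo yes || echo no)"
  printf 'soft_same_inode=%s\n' "$([ "$orig_ino" = "$soft_ino" ] && echo yes || echo no)"

  # The link count (second column of ls -l) is 2 while both names exist;
  # this count is the only hint that another hard link exists somewhere.
  printf 'link_count_before=%s\n' "$(ls -l "$d/orig.txt" | awk '{print $2}')"

  # Writing through one name changes "both": there is only one file.
  printf 'changed\n' > "$d/hard.txt"
  printf 'orig_after_write=%s\n' "$(cat "$d/orig.txt")"

  # Delete the original name: the hard link still works, the symlink dangles.
  rm "$d/orig.txt"
  printf 'link_count_after=%s\n' "$(ls -l "$d/hard.txt" | awk '{print $2}')"
  printf 'hard_readable=%s\n' "$([ -r "$d/hard.txt" ] && echo yes || echo no)"
  printf 'soft_resolves=%s\n' "$([ -e "$d/soft.txt" ] && echo yes || echo no)"   # -e follows the link
  printf 'soft_is_link=%s\n'  "$([ -L "$d/soft.txt" ] && echo yes || echo no)"   # -L does not

  # Directories: a hard link is refused, a symbolic link is allowed.
  mkdir "$d/sub"
  printf 'hard_dir_allowed=%s\n' "$(ln "$d/sub" "$d/sub_hard" 2>/dev/null && echo yes || echo no)"
  printf 'soft_dir_allowed=%s\n' "$(ln -s "$d/sub" "$d/sub_soft" 2>/dev/null && echo yes || echo no)"
  rm -rf "$d"
}

# link_demo_value KEY -> the value of one observation from a fresh run.
link_demo_value() {
  link_demo | sed -n "s/^$1=//p"
}
```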
Working with the Linux GUI
X Windows System
▪ The X Window System, also known as X and X11, is the framework for the Linux GUI.
▪ It provides functions for drawing and moving the window, as well as interacting with the mouse and keyboard.
▪ X works as a server and can send the graphical window over a network to a remote computer.
▪ X does not specify the user interface or desktop. That is left to a window manager to define the look and feel of the GUI.
▪ Gnome and KDE are examples of popular Linux window managers.
Working with the Linux GUI
The Linux GUI
▪ Top Menu Bar - currently running application
▪ Launcher - serves as the application launcher and switcher
▪ Quicklist - Right-click any application hosted on the Launcher to access a short list of tasks the application can perform.
▪ Dash Search Box - holds the Search tool and a list of recently used applications.
▪ System and Notification Menu - Can be used to switch users, shut down your computer, control the volume level, or change network settings.
Working on a Linux Host
Installing and Running Applications on a Linux Host
▪ The installation and removal of programs in Linux is simplified by using a package manager.
▪ Linux package managers maintain lists of available software and their dynamic library dependencies and requirements.
▪ Popular package managers are APT for Debian packages (dpkg) and Yum for RedHat packages (rpm).
Working on a Linux Host
Keeping the System Up to Date
▪ apt-get update - downloads the list of available software from the distribution repository and updates the local package database.
▪ apt-get upgrade - downloads and upgrades all of the installed software applications on the system.
Working on a Linux Host
Processes and Forks
▪ A process is a running instance of a computer program. Multitasking operating systems can execute many processes at the same time.
▪ Forking is a method that the kernel uses to allow a process to create a copy of itself to provide process scalability.
▪ Some commands to manage processes:
• ps - list processes running on the system
• top - list running processes dynamically
• kill - modify the behavior of a specific process, such as remove, restart or pause a process
Working on a Linux Host
Malware on a Linux Host
▪ Linux is generally considered more resistant to malware than other operating systems, but it is still not immune.
▪ A Linux server is only as secure as the programming behind its services and applications.
Working on a Linux Host
Rootkit Check
▪ Rootkits are installed into the operating system kernel and are often used to establish hidden backdoors.
▪ chkrootkit is a program that will check for rootkits and remove them.
▪ Rootkit removal can be complicated and often impossible, especially in cases where the rootkit resides in the kernel; re-installation of the operating system is usually the only real solution to the problem.
Working on a Linux Host
Piping Commands
▪ Many commands can be combined to perform more complex tasks by a technique known as piping, using the pipe (|).
▪ Piping consists of chaining commands together, feeding the output of one command into the input of another.
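An added example (not from the module) that ties the piping technique to the Monitoring Service Logs slide: a grep | awk | sort | uniq -c | sort pipeline over constructed /var/log/auth.log lines, counting failed SSH logins per source address, flagging sources above a threshold (the brute-force pattern the Account Lockout slide guards against on Windows), and listing the sudo commands the log records. The log lines, the addresses (taken from documentation ranges) and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the module): piping applied to the authentication
# log. The log excerpt is constructed in the style OpenSSH and sudo write;
# addresses come from the TEST-NET documentation ranges, not real hosts.

# Write a constructed /var/log/auth.log excerpt to a temp file; print its path.
make_sample_authlog() {
  f="$(mktemp)" || return 1
  cat >"$f" <<'EOF'
Mar  3 10:01:12 host sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:15 host sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 10:01:19 host sshd[2313]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 10:02:01 host CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:02:44 host sshd[2330]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar  3 10:03:05 host sshd[2335]: Failed password for alice from 198.51.100.7 port 40120 ssh2
Mar  3 10:03:30 host sshd[2340]: Failed password for root from 203.0.113.9 port 51044 ssh2
Mar  3 10:04:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
EOF
  printf '%s\n' "$f"
}

# failed_logins_by_source FILE -> "count address" lines, most frequent first.
# Each stage feeds the next through a pipe, exactly as the slide describes:
# select sshd failures, pull the word after "from", count, sort descending.
failed_logins_by_source() {
  grep 'sshd\[[0-9]*\]: Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# flag_brute_force FILE THRESHOLD -> prints an ALERT line for every source
# with at least THRESHOLD failures; exit status 0 if any was found, else 1
# (so it can drive a cron job or a SIEM forwarder).
flag_brute_force() {
  failed_logins_by_source "$1" \
    | awk -v t="$2" '$1 >= t { print "ALERT", $1, "failed SSH logins from", $2; n++ }
                     END { exit (n > 0) ? 0 : 1 }'
}

# sudo_commands FILE -> "user command" for each sudo entry, which is what the
# log slide means by tracking sudo logins in the authentication log.
sudo_commands() {
  grep ' sudo: ' "$1" \
    | sed -E 's/.* sudo: +([^ ]+) .*COMMAND=(.*)$/\1 \2/'
}
```

On a Debian-style host the same functions run directly against /var/log/auth.log (with sudo, since the file is root-readable); on RedHat and CentOS point them at /var/log/secure.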