CompTIA CySA+ (CS0-003) Certification Guide

Pass the CySA+ exam on your first attempt with complete topic coverage, expert tips, and practice resources

Author: Jonathan Isley. Paperback, 1st Edition, 742 pages. Published by Packt, Apr 2025. ISBN-13 9781835468920.
Table of Contents

  • Preface
  • Chapter 1: IAM, Logging, and Security Architecture
  • Chapter 2: Attack Frameworks
  • Chapter 3: Incident Response Preparation and Detection
  • Chapter 4: Incident Response – Containment, Eradication, Recovery, and Post-Incident Activities
  • Chapter 5: Efficiency in Security Operations
  • Chapter 6: Threat Intelligence and Threat Hunting
  • Chapter 7: Indicators of Malicious Activity
  • Chapter 8: Tools and Techniques for Malicious Activity Analysis
  • Chapter 9: Attack Mitigations
  • Chapter 10: Risk Control and Analysis
  • Chapter 11: Vulnerability Management Program
  • Chapter 12: Vulnerability Assessment Tools
  • Chapter 13: Vulnerability Prioritization
  • Chapter 14: Incident Reporting and Communication
  • Chapter 15: Vulnerability Management Reporting and Communication
  • Chapter 16: Accessing the Online Practice Resources
  • Index
  • Other Books You May Enjoy

Activity 1.2: Explore Windows Registry

This activity takes you on a quick review of the Windows Registry, focusing on software keys such as the ones VirtualBox creates. By completing it, you will learn how to locate specific registry keys, interpret their values, and compare registry data with application details, which is helpful in troubleshooting and forensic analysis. You will use the Registry Editor (regedit.exe), which is present by default on Windows machines.

The following steps will show you how to access and navigate the Windows Registry:

  1. Figure 1.22 shows how to open the Registry Editor using the Windows search box. On a Windows system where you have administrator privileges, click the magnifying glass on the taskbar and type regedit. Then, open the Registry Editor app. You will need to select Yes in the User Account Control prompt.
Figure 1.22: Starting Windows Registry Editor

  2. Click through the main Registry hives to explore them. Observe keys, their values, and data.
  3. Find the version of your VirtualBox application. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox and record the version you see. Figure 1.23 shows how these keys appear after you navigate to them. Your screen should look similar and let you find the version values with the application version details.
Figure 1.23: Windows Registry VirtualBox keys

  4. If it is not already open, open VirtualBox. In the top navigation bar, click the Help menu and select About VirtualBox…. This menu and option are shown in Figure 1.24. Make a note of the version you see and compare it with what you found in the Registry.
Figure 1.24: About VirtualBox option

Figure 1.25 shows the screen that will open up after you select the About VirtualBox… option. On this screen, you can see information on the installed version in the bottom-right corner.

Figure 1.25: VirtualBox installed version

  5. If you use VMware for your VMs, you can explore its keys at HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc. instead. Figure 1.26 shows how the keys may appear on your system. The value that carries the version is called vmci.status, also shown in Figure 1.26; you will have to read the version out of the middle of the value string.
Figure 1.26: Windows Registry VMware keys

You can also look at other software installed and review the associated key values. The version is not always a standard key.
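
The same comparison can be done without clicking through regedit, which is what you need when working from an evidence copy rather than a live host. The following is an added example, not code from the book or from Oracle or VMware: it parses a `reg export` dump of the VirtualBox key and compares the recorded version with the text of the About dialog. The export embedded below is constructed for the example; the VirtualBox value names follow what Figure 1.23 shows (Version, VersionExt), and the remaining value names are placeholders.

```python
"""Parse a `reg export` dump offline and compare the version it records.

Added example, not from the book. Export the key with
    reg export "HKLM\SOFTWARE\Oracle\VirtualBox" vbox.reg
and feed the file to parse_reg_export(). The sample below is constructed;
Version/VersionExt mirror Figure 1.23, the other names are placeholders.
"""
import re

# Constructed sample. A real export is UTF-16LE text; read it with
# open(path, encoding="utf-16") before handing it to parse_reg_export().
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox]
"InstallDir"="C:\\Program Files\\Oracle\\VirtualBox\\"
"Version"="7.0.14"
"VersionExt"="7.0.14"
"Revision"=dword:0002ec28
"ExamplePath"=hex(2):43,00,3a,00,\
  5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox\Extensions]
"""

_LINE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')   # "name"=data  or  @=data
_VER_RE = re.compile(r"\d+(?:\.\d+)+")                     # dotted version number


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    if data.startswith('"') and data.endswith('"'):      # REG_SZ
        return _unescape(data[1:-1])
    if data.startswith("dword:"):                        # REG_DWORD
        return int(data[6:], 16)
    if data.startswith("hex"):                           # hex:, hex(2):, hex(7): ...
        kind, _, body = data.partition(":")
        raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
        if kind in ("hex(2)", "hex(7)"):                 # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            text = raw.decode("utf-16-le").rstrip("\x00")
            return text.split("\x00") if kind == "hex(7)" else text
        return raw                                       # REG_BINARY and the rest: bytes
    return data                                          # unknown type: keep the raw text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for every key in the export."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:                                      # continuation of a hex value
            line, pending = pending + line.lstrip(), ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if line.endswith("\\"):                          # value spills onto the next line
            pending = line[:-1]
            continue
        m = _LINE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_data(m.group(2))
    return keys


def find_version_values(keys, key_prefix):
    """Every value whose name contains 'version' under key_prefix and its subkeys."""
    prefix = key_prefix.lower().rstrip("\\")
    return {f"{path}\\{name}": val
            for path, values in keys.items() if path.lower().startswith(prefix)
            for name, val in values.items() if "version" in name.lower()}


def version_matches(registry_value, about_text):
    """True when the dotted version in the registry equals the one in the About text.
    Only the dotted number is compared, so a build/revision suffix in About is ignored."""
    a, b = _VER_RE.search(str(registry_value)), _VER_RE.search(about_text)
    return bool(a and b and a.group() == b.group())


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG_EXPORT)
    for path, val in find_version_values(keys, r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox").items():
        print(path, "=", val)
    # Text as copied from Help > About (constructed), compared with the registry value
    print(version_matches(keys[r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox"]["Version"],
                          "Version 7.0.14 r161095"))
```

The parser handles the three value encodings you will meet in practice (quoted strings with backslash escapes, dword hex, and comma-separated hex bytes that wrap across lines), which is exactly where hand-reading an export goes wrong.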

File Structure

Understanding file structure is crucial for managing and securing an OS effectively. This section discusses the types and structures of filesystems in both Windows and Linux environments.

For Windows, you will explore the New Technology Filesystem (NTFS) and the File Allocation Table (FAT) system. You will learn how these systems organize data, manage disk space, and handle file permissions. The section will also cover the hierarchical structure of directories and files within these systems.

For Linux, you will examine the Extended (ext) filesystem and X Filesystem (XFS). You will study how these filesystems manage data, support large files, and ensure data integrity. Additionally, you will understand the Linux filesystem hierarchy, including essential directories such as /home, /etc, and /var.

The section will provide a comprehensive understanding of various filesystem types and structures in both Windows and Linux. This knowledge will enable you to manage filesystems more effectively and enhance overall system security.

Windows

While you explore OS file structure concepts, you should also learn about filesystem types. They matter because they influence data organization, compatibility, performance, integrity, and security for the OS. Several filesystem types are specific to Windows. FAT was used in earlier versions of Windows, in the FAT12, FAT16, and FAT32 variants. Early FAT limited filenames to the 8.3 format; long filenames of up to 255 characters arrived with the VFAT extension in Windows 95, but FAT32 still caps individual files at 4 GB. exFAT added features over FAT, including files larger than 4 GB. NTFS is the most modern Windows filesystem; it was introduced with Windows NT 3.1 in 1993 and added numerous features, including many security features missing from the earlier types: file and folder permissions (ACLs), compression and encryption, journaling for fault tolerance and recovery, alternate data streams, and links. FAT and exFAT are still used today for specific cases, such as simple devices that do not need everything NTFS provides; they can offer slight performance gains over NTFS and, more importantly, cross-platform compatibility (a flash drive readable by Windows, macOS, and Linux). That makes them still worth knowing, including their security gap: a FAT-formatted volume carries no permissions, so anything on it is readable by anyone who mounts it.

Windows uses several structural components, such as drive letters, folders, subfolders, filenames, and extensions, to organize the filesystem. Drive letters, such as C:, D:, and E:, identify storage devices. File paths are hierarchical, starting with the drive letter or a network location (a UNC path such as \\server\share) and passing through folders and subfolders down to the file. The file extension lets Windows link a file to the program that should handle it.

An example of a file path is C:\Users\Username\Documents\File.txt. Here, C: is the drive letter for the storage device, \Users\Username\Documents\ is the path of folders and subfolders holding the file, and File.txt is the file. The .txt extension tells Windows this is a text file and to open it with the associated text editor. Because Explorer hides known extensions by default, a file named Invoice.pdf.exe is displayed as Invoice.pdf, which is why double extensions are a classic phishing trick and worth checking for.

Some essential directories include the following:

  • C:\Users: This directory contains the home directories of all the users on the system. Each user has a subdirectory within C:\Users, typically named after their username. This is where users store their personal files, configuration settings, and directories.
  • C:\Windows\System32: This directory contains system-wide configuration files, executable files, and libraries essential for the OS’s operation. It holds many of the core components of Windows, and its config subdirectory holds the on-disk Registry hive files (SAM, SECURITY, SYSTEM, SOFTWARE).
  • C:\ProgramData: This directory is used for application data that is accessible to all users on the system. It includes configuration files, application data, and other files that programs need to access.
  • C:\Windows\Logs: These are system log files.
  • C:\Windows\Temp: These are temporary files used by the system and applications.
  • C:\Users\[username]\AppData\Local\Temp: These are user-specific temporary files.

Libraries, user profiles, and the recycle bin are some additional organizational elements of the Windows filesystem.

Linux

There are several common Linux filesystem types still in use today. ext3 is an earlier version of the ext filesystem that added journaling over ext2, with file sizes up to 2 terabytes (TB) and volume sizes up to 32 TB (the exact limits depend on the block size). ext4 is the latest version of ext, supporting file sizes up to 16 TB, volumes up to 1 exabyte (EB), reduced fragmentation, improved read/write performance, faster fsck, and optimizations for high-performance computing. fsck (File System Consistency Check) is a command-line utility used in Unix-like OSs to check and repair filesystem inconsistencies on storage devices. XFS offers many of the ext4 features but supports even larger sizes, up to 16 EB, which makes it more widely used in large-scale storage systems.

Most Linux file structure components differ from Windows. They are organized hierarchically: the structure starts from the root directory (/), and directories and subdirectories such as /bin descend from that point. File types can be regular files, directories, symbolic links, devices, or special files. Filesystems are mounted onto directories to make them accessible. Each file carries read, write, and execute permissions for three classes, its owner (user), its group, and everyone else (others), plus special bits such as setuid, setgid, and the sticky bit; setuid binaries in particular are worth an inventory, since a writable or unexpected one is a privilege-escalation path.

Some essential directories include the following:

  • /home: This directory contains the home directories of all the users on the system. Each user has a subdirectory within /home, typically named after their username. This is where users store their personal files, configuration settings, and directories.
  • /etc: This directory is used to store all system-wide configuration files and shell scripts used to boot and initialize system settings.
  • /var: This directory holds variable data files. These include logs, spool files, and temporary files. For example, system log files are typically found in /var/log.

Configuration File Locations

Understanding the location and structure of configuration files is central to effective system administration and security. Configuration files, which store settings and preferences for OSs, applications, and services, play a pivotal role in the functionality and stability of a system. These files enable customization and control over various system behaviors and features, making them an essential aspect of both Windows and Linux environments.

In Windows, configuration settings are often stored in the Windows Registry, a centralized hierarchical database. However, many applications also use configuration files that are typically found in specific directories. Key locations include C:\Windows\System32 for system-wide configurations and C:\ProgramData for application-specific settings accessible to all users.

In contrast, Linux employs a more distributed approach, with configuration files scattered across multiple directories. The /etc directory is the primary location for system-wide configuration files and scripts, essential for booting and initializing system settings. User-specific configurations are usually found within their home directories, often in hidden files or subdirectories.

Windows

As previously discussed, the Registry is the main configuration store for Windows. However, there are additional files to be aware of: bootmgr and the Boot Configuration Data (BCD) store contain information about the OS and its boot configuration. The hosts file, found in C:\Windows\System32\drivers\etc, maps hostnames to addresses and is consulted before DNS, so an entry there overrides DNS resolution for that name (a favourite of malware for blocking update and security-vendor domains). The same directory holds other network-related configuration files. Application-specific configurations can be found in C:\ProgramData and C:\Program Files, and user-specific settings under C:\Users\<Username>, especially in the AppData subdirectory.

Group Policy Objects (GPOs) are sets of rules and configurations that can be centrally managed by the organization and then pushed out to specific machines within an Active Directory environment. An Organizational Unit (OU) is a logical container within Active Directory used to group users, computers, or other resources for easier management and policy application. GPOs can be applied at different levels, including local GPOs (specific to a single computer), domain GPOs (affecting all computers and users in a domain), and OU-specific GPOs (targeted to a specific OU). They are processed in the order local, site, domain, OU, so where settings conflict the domain or OU policy wins over the local one. Policy settings are ultimately written into the Registry (under the Policies keys), which is why a value edited by hand in regedit reverts at the next Group Policy refresh. GPOs allow consistent settings across the organization to maintain the security, stability, and functionality of a Windows environment.

Figure 1.27 shows a local policy view and some of the security options settings. Depending on the type of setup, these can be defined at the domain or local level.

Figure 1.27: Local Group Policy Editor

Figure 1.28 shows the domain group policy definition and some example GPO settings for password policies.

Figure 1.28: Group Policy Management

The Local Group Policy Editor can be opened with administrative privileges via the gpedit.msc snap-in. The Group Policy Management Console is available on a domain controller via gpmc.msc, or from a client machine with the Remote Server Administration Tools (RSAT) feature installed.

Linux

Linux uses numerous files to define configurations. The /etc directory is used to store system-wide configuration files. Some examples are as follows:

  • /etc/passwd: User account information (the password hashes themselves live in /etc/shadow, which is readable only by root)
  • /etc/fstab: Filesystem table defining disk drives and partitions and where they are mounted
  • /etc/hosts: Static hostname-to-address mappings, consulted before DNS
  • /etc/network: A folder with network configuration files on Debian-based systems

The /etc directory also stores application configurations for ssh, package managers, Apache, Samba, and others. There are also user-specific settings stored in the user’s home directory in shell startup files such as ~/.bashrc and ~/.bash_profile. Other shells have their own equivalents, for example ~/.zshrc for zsh and ~/.profile for sh. Because these files run on every login, they are a common persistence spot: a line appended to ~/.bashrc executes each time the user opens a shell.
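
Two of the files named in this section, the hosts file and /etc/passwd, are the ones an analyst most often checks by hand, and both have a structure simple enough to audit in a few lines. The following is an added example, not code from the book: it parses each file and reports the classic problems, a watchlisted name pinned in hosts (the DNS bypass described for the Windows hosts file applies unchanged to /etc/hosts, since the format is the same) and passwd entries with a second UID 0 account, an empty password field, or a hash stored in passwd instead of shadow. Both sample files and the watchlist of names are constructed for the example.

```python
"""Audit the hosts file and /etc/passwd.

Added example, not from the book. The hosts format is the same on Linux
(/etc/hosts) and Windows (C:\\Windows\\System32\\drivers\\etc\\hosts), so one
parser serves both. The sample contents and WATCHLIST are constructed.
"""
import ipaddress

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor::0:0:second root:/root:/bin/bash
legacy:$6$saltsalt$notarealhash:1001:1001::/home/legacy:/bin/sh
broken:x:1002:1002:/home/broken:/bin/sh
"""

SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.10 fileserver.corp.example   # internal, expected
203.0.113.45 login.example.com         # pinned to an outside address
0.0.0.0      updates.example.com       # sinkholed: the name can no longer be reached
"""

# Names the organization cares about (constructed for the example)
WATCHLIST = {"login.example.com", "updates.example.com"}


def parse_passwd(text):
    """Yield one dict per line; malformed lines get a 'malformed' key instead."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        try:
            if len(f) != 7:
                raise ValueError("expected 7 fields")
            yield {"line": n, "name": f[0], "passwd": f[1], "uid": int(f[2]),
                   "gid": int(f[3]), "gecos": f[4], "home": f[5], "shell": f[6]}
        except ValueError:
            yield {"line": n, "malformed": line}


def audit_passwd(text):
    """Return (line, account, issue) tuples for the classic /etc/passwd problems."""
    findings, owner_of_uid = [], {}
    for r in parse_passwd(text):
        if "malformed" in r:
            findings.append((r["line"], "?", "malformed line: " + r["malformed"]))
            continue
        name, uid, pw = r["name"], r["uid"], r["passwd"]
        if uid == 0 and name != "root":
            findings.append((r["line"], name, "UID 0 account other than root"))
        if uid in owner_of_uid:
            findings.append((r["line"], name, f"UID {uid} shared with {owner_of_uid[uid]}"))
        else:
            owner_of_uid[uid] = name
        if pw == "":
            findings.append((r["line"], name, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((r["line"], name,
                             "password hash kept in world-readable /etc/passwd, not /etc/shadow"))
    return findings


def parse_hosts(text):
    """Yield (line, address, [names]) for each active hosts entry; '#' starts a comment."""
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].split()
        if body:
            yield n, body[0], [h.lower() for h in body[1:]]


def audit_hosts(text, watchlist):
    """Flag watchlisted names that the hosts file resolves locally, bypassing DNS."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, "address does not parse"))
            continue
        for h in names:
            if h not in watchlist:
                continue
            if addr.is_loopback or addr.is_unspecified:
                findings.append((n, h, f"sinkholed to {ip}; the real host is unreachable"))
            else:
                findings.append((n, h, f"pinned to {ip}; DNS is bypassed for this name"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(finding)
```

Pass the real files in with `open("/etc/passwd").read()` and `open("/etc/hosts").read()`; the watchlist is the point of the hosts check, since a hosts file full of 0.0.0.0 ad-blocking entries is normal and only a pinned or sinkholed name you depend on is a finding.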

System Processes

All OSs create one or more processes when running a program. System processes are the main processes running the OS. They vary between OS types and versions but generally serve the same purpose of controlling and directing the function of the OS. Each process is assigned a process identifier (PID), a number unique among running processes. For the CySA+ exam, you need not memorize every process name and function, but you must be aware of their overall functions and importance. Attackers often target system processes to hide and obfuscate their actions, for example by naming malware svchost.exe and running it from a directory other than System32, or by injecting code into a legitimate process. They also target them to gain higher levels of access, such as dumping credentials from lsass.exe memory.

Windows

Here are some examples of common Windows system processes:

  • System (ntoskrnl.exe): The kernel process, always PID 4, the core system process running the OS. It has no parent and no user-mode image path.
  • svchost.exe: A host for services implemented as DLLs. A system normally has many instances, each started by services.exe from C:\Windows\System32. Attackers often hide processes among them, so check the path and the parent, not just the name.
  • explorer.exe: Manages the desktop, taskbar, and file management.
  • lsass.exe: Security-related: user authentication, managing the Windows Security Account Manager (SAM) database, and enforcing security policies. Because it holds credential material in memory, it is the classic target of credential-dumping tools; there should be exactly one instance.
  • services.exe: The Service Control Manager, responsible for starting, stopping, and interacting with system services, and the parent of legitimate svchost.exe instances.

This list is not exhaustive as there are a large number of system processes that run regularly on a Windows system.
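
Knowing the names is only useful if you also know what normal looks like for each one: where it runs from, who its parent is, and how many copies there should be. The following is an added example, not code from the book: detection logic that runs those checks over a process listing and also catches lookalike names such as scvhost.exe or svch0st.exe. The listing is constructed, with the fields a Sysmon process-creation event or `Get-CimInstance Win32_Process` would give you; the expected parents and the System32 location are taken from the commonly published Windows process baseline and are stated as assumptions in the code.

```python
"""Spot system-process masquerading in a process listing.

Added example, not from the book. PROCS is a constructed listing. The
expected parents, instance counts and the System32 location in BASELINE
are the commonly published Windows process baseline, assumed here.
"""

SYSTEM32 = "c:\\windows\\system32\\"
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# name -> expected parent process names and how many instances are normal (None = any)
BASELINE = {
    "smss.exe":     {"parents": {"system"},       "max": None},
    "wininit.exe":  {"parents": {"smss.exe"},     "max": 1},
    "services.exe": {"parents": {"wininit.exe"},  "max": 1},
    "lsass.exe":    {"parents": {"wininit.exe"},  "max": 1},
    "svchost.exe":  {"parents": {"services.exe"}, "max": None},
}

PROCS = [  # constructed listing; the last four entries are the planted anomalies
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 600,  "ppid": 512,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 700,  "ppid": 600,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 712,  "ppid": 600,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 900,  "ppid": 700,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3200, "ppid": 3100, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 1400, "ppid": 3200, "name": "svchost.exe",  "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"pid": 1500, "ppid": 700,  "name": "scvhost.exe",  "path": r"C:\Windows\System32\scvhost.exe"},
    {"pid": 1600, "ppid": 3200, "name": "svch0st.exe",  "path": r"C:\ProgramData\svch0st.exe"},
    {"pid": 2100, "ppid": 3200, "name": "lsass.exe",    "path": r"C:\Windows\Temp\lsass.exe"},
]


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def analyze(procs):
    """Return (pid, name, reason) findings; pid is None for whole-listing findings."""
    by_pid = {p["pid"]: p for p in procs}
    counts, findings = {}, []
    for p in procs:
        pid, name, path = p["pid"], p["name"].lower(), p["path"].lower()
        counts[name] = counts.get(name, 0) + 1
        if name == "system" or pid == 4:
            if not (name == "system" and pid == 4):
                findings.append((pid, p["name"], "'System' must be PID 4 and PID 4 must be System"))
            continue
        spec = BASELINE.get(name)
        if spec is None:                                  # not a known system process: lookalike?
            look = name.translate(HOMOGLYPHS)
            for real in BASELINE:
                if osa_distance(look, real) <= 1:
                    findings.append((pid, p["name"], f"name is a lookalike of {real}"))
                    break
            continue
        if not path.startswith(SYSTEM32):
            findings.append((pid, p["name"], f"runs from {p['path']!r}, not System32"))
        parent = by_pid.get(p["ppid"])                   # parent may already have exited (smss.exe does)
        if parent and parent["name"].lower() not in spec["parents"]:
            findings.append((pid, p["name"],
                             f"parent is {parent['name']} (pid {p['ppid']}), expected {sorted(spec['parents'])}"))
    for name, spec in BASELINE.items():
        if spec["max"] is not None and counts.get(name, 0) > spec["max"]:
            findings.append((None, name, f"{counts[name]} instances running, expected {spec['max']}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCS):
        print(finding)
```

A parent-PID lookup against a snapshot misses parents that have exited, which is why process-creation events (Sysmon Event ID 1 carries ParentImage) are the better data source for the parent check; the path and name checks work equally well on a snapshot.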

Linux

Here are some examples of common Linux system processes:

  • init or systemd: Initializes the system and manages system services; always PID 1
  • sshd: Daemon allowing SSH access to the system
  • cron or crond: Manages scheduled tasks and automated jobs
  • syslogd or rsyslogd: Main logging process for system messages and events
  • ntpd or chronyd: Manage Network Time Protocol (NTP) time synchronization
  • httpd (or apache2 on Debian-based systems): Apache web server hosting websites

This list is not exhaustive as there are many system processes that run regularly on a Linux system.

System Hardening

System hardening is a crucial component of a secure design because it significantly improves the overall security posture of a system. It uses established best-practice procedures for hardening hardware, networks, software, and services. By following those practices and eliminating potential entry points for attackers, organizations can protect sensitive data, ensure the integrity of their operations, and maintain the trust of their customers. General hardening items include disabling unnecessary services and network components, implementing least privilege and strong passwords, applying security updates and patches, and deploying security software. Each of these, and the hardening effort as a whole, reduces the attack surface and the opportunities an attacker has to take advantage of.

The Center for Internet Security (CIS) has hardening guides and system benchmarks for numerous OS versions and software applications. For example, they have guides about various versions of Windows Desktop and Server, Red Hat Linux, AIX, Oracle database, Apache web server, and even iOS. You can find the benchmark for the popular web server software Apache here: https://www.cisecurity.org/benchmark/apache_http_server.

Another system-hardening resource is Security Technical Implementation Guides (STIGs) developed by the Defense Information Systems Agency (DISA) in the US. They provide detailed instructions and recommendations to secure computer systems, networks, and infrastructure effectively. The primary goals of STIGs are to enhance the security posture of information systems, reduce vulnerabilities, and standardize security configurations across various technologies used within the US Department of Defense (DoD) and other government agencies. Many non-government agencies also use these as best practices to configure their systems in secure ways.

A downloaded STIG comes as a ZIP archive. In it, you will generally find several PDF files and the STIG files themselves. The PDFs explain how to understand and use the STIG files and include notes about updates and revisions plus an overview of the specific STIG. The actual requirements are in an *xccdf.xml file, which can be opened with the STIG Viewer application. STIG items are grouped into three categories to help prioritize settings and fixes: CAT I (High), for weaknesses that will directly and immediately result in loss of confidentiality, integrity, or availability; CAT II (Medium), for those that have the potential to result in such a loss; and CAT III (Low), for those that degrade the measures protecting against it. Figure 1.29 shows an example of the Windows 11 STIG open in the STIG Viewer application.

Figure 1.29: Windows 11 STIG opened in STIG Viewer

The left-hand side of the figure shows a list and grouping of best practice items as defined by DISA. The right frame is a more detailed version of the same items.

Each specific STIG item has a general organization details section with several IDs, a severity, and a classification. They also have Rule Title, Discussion, Check Text, Fix Text, and References sections. Figure 1.30 shows these items for a Windows 11 firmware rule.

Figure 1.30: Example STIG item details

Figure 1.31 shows the References section, which is found at the bottom of the STIG rule item details. This provides a reference to other best practice documents (for this example, the NIST SP 800-53 document) that form the basis for this STIG’s best practice rule settings.

Figure 1.31: Example STIG item details, References

The Check Text section, as shown in Figure 1.30, defines the manual procedure for verifying whether the rule has been implemented. In the example from the figures, an analyst runs System Information (msinfo32) and reviews the System Summary to confirm that BIOS Mode displays UEFI; if it does not, the item is a finding. Many commercial vulnerability scanning tools also include STIG checks (updated as the STIGs are updated) to perform these checks automatically. You can then use the Fix Text to correct any issues found; Fix Text can also be followed during initial system setup to build the system securely from the start.
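
STIG Viewer is one way to read the *xccdf.xml file; the same fields (Vuln ID, Rule ID, STIG ID, severity, discussion, check text, fix text) can be pulled out programmatically, which is how you would build your own tracker or feed an automated check. The following is an added example, not code from the book or from DISA: it parses a benchmark into rules, orders them CAT I first, and automates the Check Text of the UEFI rule against a System Information export. The XML below is a constructed, cut-down stand-in that follows the XCCDF 1.1 layout of a DISA STIG (Benchmark > Group > Rule with a severity attribute, the discussion wrapped in escaped VulnDiscussion tags inside description, check-content and fixtext); its IDs, titles and texts are placeholders, not real STIG identifiers. The System Information excerpt is likewise constructed, and its tab-separated Item/Value layout is an assumption.

```python
"""Read a STIG's XCCDF file and order its rules by category.

Added example, not from the book or DISA. SAMPLE_XCCDF is a constructed
stand-in with placeholder IDs; SAMPLE_MSINFO is a constructed excerpt of a
System Information export, assumed to be tab-separated Item/Value lines.
"""
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = {"CAT I": 0, "CAT II": 1, "CAT III": 2}

SAMPLE_XCCDF = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE_STIG">
  <title>Example Workstation STIG (constructed stand-in)</title>
  <Group id="V-EXAMPLE-0001">
    <Rule id="SV-EXAMPLE-0001_rule" severity="medium">
      <version>EX-00-000010</version>
      <title>The system must boot in UEFI mode rather than legacy BIOS.</title>
      <description>&lt;VulnDiscussion&gt;UEFI is a prerequisite for Secure Boot.&lt;/VulnDiscussion&gt;</description>
      <fixtext fixref="F-EXAMPLE-0001">Convert the firmware and disk layout to UEFI.</fixtext>
      <check system="C-EXAMPLE-0001"><check-content>Run System Information and review the System Summary. If BIOS Mode is not UEFI, this is a finding.</check-content></check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-0002">
    <Rule id="SV-EXAMPLE-0002_rule" severity="high">
      <version>EX-00-000020</version>
      <title>The SMBv1 protocol must be disabled.</title>
      <description>&lt;VulnDiscussion&gt;SMBv1 lacks the protections of later dialects.&lt;/VulnDiscussion&gt;</description>
      <fixtext fixref="F-EXAMPLE-0002">Remove the SMB1Protocol optional feature.</fixtext>
      <check system="C-EXAMPLE-0002"><check-content>If the SMB1Protocol feature is enabled, this is a finding.</check-content></check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-0003">
    <Rule id="SV-EXAMPLE-0003_rule" severity="low">
      <version>EX-00-000030</version>
      <title>A logon banner must be displayed.</title>
      <description>&lt;VulnDiscussion&gt;Users must see the notice before logging on.&lt;/VulnDiscussion&gt;</description>
      <fixtext fixref="F-EXAMPLE-0003">Configure the interactive logon message.</fixtext>
      <check system="C-EXAMPLE-0003"><check-content>If no logon banner is configured, this is a finding.</check-content></check>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed excerpt of a System Information export (Item<TAB>Value lines, assumed layout)
SAMPLE_MSINFO = "OS Name\tMicrosoft Windows 11 Pro\nBIOS Mode\tUEFI\nSecure Boot State\tOn\n"


def parse_xccdf(xml_text):
    """One dict per Rule, with the VulnDiscussion pulled out of the escaped description."""
    rules = []
    for group in ET.fromstring(xml_text).findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            sev = (rule.get("severity") or "").lower()
            desc = rule.findtext("x:description", "", NS)       # entities are unescaped by the parser
            m = re.search(r"<VulnDiscussion>(.*?)</VulnDiscussion>", desc, re.S)
            rules.append({
                "vuln_id": group.get("id"),
                "rule_id": rule.get("id"),
                "stig_id": rule.findtext("x:version", "", NS),
                "category": CATEGORY.get(sev, f"unknown ({sev})"),
                "title": rule.findtext("x:title", "", NS).strip(),
                "discussion": (m.group(1) if m else desc).strip(),
                "check": " ".join(c.text.strip() for c in rule.findall("x:check/x:check-content", NS) if c.text),
                "fix": rule.findtext("x:fixtext", "", NS).strip(),
            })
    return rules


def prioritize(rules):
    """CAT I first, then by STIG ID: the order in which to work the findings."""
    return sorted(rules, key=lambda r: (CAT_ORDER.get(r["category"], 9), r["stig_id"]))


def count_by_category(rules):
    counts = {}
    for r in rules:
        counts[r["category"]] = counts.get(r["category"], 0) + 1
    return counts


def bios_mode_is_uefi(system_summary):
    """Automates the UEFI rule's Check Text: True/False, or None if the item is absent."""
    for line in system_summary.splitlines():
        item, _, value = line.partition("\t")
        if item.strip() == "BIOS Mode":
            return value.strip().upper() == "UEFI"
    return None


if __name__ == "__main__":
    rules = parse_xccdf(SAMPLE_XCCDF)
    print(count_by_category(rules))
    for r in prioritize(rules):
        print(r["category"], r["vuln_id"], r["stig_id"], r["title"])
    print("UEFI rule:", "not a finding" if bios_mode_is_uefi(SAMPLE_MSINFO) else "open")
```

Real STIG files are large (hundreds of rules) and carry more elements than shown, but they parse with the same code; an absent item is deliberately returned as None rather than False so that "could not check" is not silently recorded as compliant.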

Any of these measures should be implemented with planning and care. They can cause systems to behave unexpectedly depending on usage and setup: legacy systems that still need SMBv1, audit settings that raise memory and CPU usage, and applications that fail when a port or protocol they depend on is turned off. Ideally, the settings are tailored to the needs of the implementing organization, which can choose not to use some settings or to alter suggested values. Test the settings before production rollout and analyze any exceptions to understand why they cause an impact. Any deviation from a STIG or CIS benchmark should be made with a risk-based approach and documented. It is also important to monitor the settings periodically to ensure they are not unintentionally altered, which is commonly done as part of vulnerability monitoring programs, and to watch the benchmarks and STIGs for new releases so that new settings can be evaluated and applied.

This section covered essential OS concepts, including hardware architecture, Registry management, and file structures. You examined configuration file locations and system processes for both Windows and Linux, along with system hardening practices to enhance security. With a solid understanding of these foundational elements, you are now prepared to explore how logs are managed and utilized in the next section.
