We covered how to harden and secure Windows workstations from both the identity management and the network side. This was part of the TryHackMe Microsoft Windows Hardening room.
The video walks through accessing services.msc, regedit and Event Viewer, as well as setting password policies in the Local Group Policy Editor (gpedit.msc). The steps include modifying the User Account Control settings and adjusting password and account lockout policies to strengthen security.
Windows hardening involves securing the system across key areas, including identity management, network management, application management, storage, and updates. These practices aim to protect against unauthorized access and data breaches.
Windows OS Core Components
Windows Services
Services that provide storage, memory, network and similar functions run in the background and are listed and controlled via services.msc.
Windows services create and manage critical functions such as network connectivity, storage, memory, sound, user credentials and data backup, and run automatically in the background without a logged-on user. They are managed by the Service Control Manager and typically run under one of three built-in accounts: Local Service, Network Service and Local System (the last is the most privileged, so a writable service binary or path running as Local System is a classic privilege escalation route). Many applications, such as browsers and anti-virus software, install their own services as well. For each service, the startup type (Automatic, Manual or Disabled) and the account it runs under decide how much attack surface it adds.
Windows Registry
The Windows registry is a hierarchical database that stores configuration settings, essential keys and shared preferences for Windows and third-party applications. Most applications write their own state into the registry at installation time. For example, if a program (malicious or legitimate) wants to execute itself during boot or logon, it stores an entry under the Run or RunOnce keys (under HKLM and HKCU\Software\Microsoft\Windows\CurrentVersion).
The registry is edited and inspected with regedit.
Malware commonly makes unwanted changes to the registry so that its program or service is launched as part of routine system activity (persistence). It is therefore recommended to protect the registry by restricting access to the registry editor for unauthorised (non-administrator) users and by reviewing the autostart keys regularly.
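As an added example that is not part of the room or the original post, the following PowerShell script audits the two autostart mechanisms covered above: it lists every Run/RunOnce entry, flags binaries that live outside the Windows and Program Files directories, does the same for services set to start automatically, and finally applies the registry value behind the "Prevent access to registry editing tools" policy. The trusted-directory list, the output format and the choice to apply the lockdown to the current user's hive are assumptions made for the example.

```powershell
# Added example (not from the TryHackMe room): audit Run/RunOnce keys and
# Automatic services, flag binaries outside trusted directories, then restrict
# regedit for the current user. Run from an elevated PowerShell prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a legitimate autostart binary is normally loaded from (assumption).
$trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Test-TrustedPath {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments to isolate the executable path.
    $exe = ($Command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($dir in $trusted) {
        if ($dir -and $exe.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Write-Host '== Run / RunOnce entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $flag = if (Test-TrustedPath $prop.Value) { '' } else { '   <-- outside trusted dirs' }
        '{0}\{1} = {2}{3}' -f $key, $prop.Name, $prop.Value, $flag
    }
}

Write-Host "`n== Automatic services whose binary is outside trusted dirs =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and -not (Test-TrustedPath $_.PathName) } |
    Select-Object Name, StartName, PathName |
    Format-Table -AutoSize

# Hardening: this is the value written by the Group Policy setting
# "Prevent access to registry editing tools". 1 = regedit blocked entirely.
# It applies to the user whose hive is written (here: the current user);
# for other accounts set it through GPO or their HKU hive.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $polKey -Force | Out-Null
Set-ItemProperty -Path $polKey -Name DisableRegistryTools -Value 1 -Type DWord
# Revert with: Remove-ItemProperty -Path $polKey -Name DisableRegistryTools
```

An entry under HKCU only needs the user's own rights to write, which is why both hives are listed: a standard user's malware persists in HKCU\...\Run, while an elevated one prefers HKLM so that it runs for every account.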
Event Viewer
Event Viewer is an app that shows log details about all events occurring on your computer, including driver updates, hardware failures, changes in the operating system, invalid authentication attempts and application crash logs. Event Viewer receives notifications from different services and applications running on the computer and stores them in a centralised database.
It logs events, including logon attempts and system updates, which can be viewed with eventvwr.msc.
Attackers who gain a foothold read the Event Viewer logs to profile the target system (installed software, accounts, recent authentication failures) and widen their attack surface, which is one reason access to the logs should be limited. Note that the Security log only records what the audit policy tells it to; without logon auditing enabled, failed and successful logons will not appear. The event categories are:
- Application: Records events of already installed programs.
- System: Records events of system components.
- Security: Logs events related to security and authentication etc.
Windows Password Policies
One primary use of the Local Group Policy Editor is to enforce complex and strong passwords for user accounts. For example, we can design password policies to maximise our security:
- Passwords must contain both uppercase and lowercase characters (and, with the built-in complexity requirement, digits or symbols as well).
- Check passwords against leaked or already hacked databases or a dictionary of compromised passwords. Note that this is not a built-in local policy setting; it requires a password filter DLL or a third-party product.
- In case of 6 failed login attempts within 15 minutes, the account will remain locked for at least 1 hour.
We can access the password policies through the Local Group Policy Editor (gpedit.msc).
Go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy; the lockout threshold, window and duration live next to it under Account Lockout Policy.
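The same settings can be read and applied from the command line, which is how you would roll them out to many workstations or verify them in an audit. As an added example that is not part of the room or the original post, the script below exports the current policy with secedit, applies the lockout values listed above with net accounts, and enables the complexity requirement through a secedit template (net accounts has no switch for complexity). The 14-character minimum length and the temporary file paths are assumptions.

```powershell
# Added example (not from the TryHackMe room): inspect and set the local
# password and lockout policy. Elevated prompt required.

# 1. Export the current security policy and show the relevant lines.
$cfg = "$env:TEMP\secpol.cfg"                     # assumed path
secedit /export /cfg $cfg /quiet | Out-Null
Get-Content $cfg |
    Select-String 'MinimumPasswordLength|PasswordComplexity|LockoutBadCount|ResetLockoutCount|LockoutDuration'

# 2. Lockout policy from the list above: 6 failures in 15 minutes locks for 60 minutes.
#    (lockoutduration must be >= lockoutwindow.) Minimum length 14 is an assumption.
net accounts /lockoutthreshold:6 /lockoutwindow:15 /lockoutduration:60 /minpwlen:14

# 3. Complexity (upper/lower/digit/symbol) is only settable via a policy template.
#    Single-quoted here-string so "$CHICAGO$" is not expanded by PowerShell.
$inf = "$env:TEMP\pwpolicy.inf"                   # assumed path
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\pwpolicy.sdb" /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# 4. Verify: net accounts prints the effective threshold, window and duration.
net accounts
```

On a domain-joined machine the domain's Default Domain Policy overrides these local values, so check the effective policy with net accounts rather than trusting the local template.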
Windows Defender Firewall
Windows Defender Firewall is a built-in application that protects computers from malicious attacks and blocks unauthorised traffic through inbound and outbound rules or filters. As an analogy, this is equivalent to “who is coming in and going out of your home”.
Malicious actors abuse Windows Firewall by slipping through overly permissive rules. For example, if the firewall has been configured with a blanket rule allowing inbound connections to a service, an attacker can open a remote connection to that service on the victim's computer without triggering anything; the fix is to block unsolicited inbound traffic by default and scope each allow rule to the ports, profile and source addresses that genuinely need it.
We can open Windows Defender Firewall with Advanced Security by entering wf.msc in the Run dialogue.
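As an added example that is not part of the room or the original post, the PowerShell below shows the active network profile and the state of all three firewall profiles (what the Monitoring node in wf.msc displays), enables every profile with an inbound-deny default, contrasts a blanket RDP allow rule with one scoped to a management subnet, and lists inbound allow rules open to any remote address. The rule names, the port and the 10.0.50.0/24 subnet are assumptions.

```powershell
# Added example (not from the TryHackMe room): audit and harden the Windows
# Defender Firewall profiles and rules. Elevated prompt required.

# Which profile is active follows the network category of the current connection.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# State and default actions per profile (Domain / Private / Public).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked

# Harden: all profiles on, unsolicited inbound traffic blocked, dropped packets logged.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Weak rule (left commented out): any host on any profile may reach RDP.
# New-NetFirewallRule -DisplayName 'RDP (any)' -Direction Inbound -Protocol TCP `
#     -LocalPort 3389 -Action Allow

# Scoped rule: same service, but only from the assumed management subnet,
# and only while on the Domain profile.
New-NetFirewallRule -DisplayName 'RDP (mgmt subnet only)' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress 10.0.50.0/24 -Profile Domain -Action Allow

# Audit: enabled inbound allow rules with no remote-address restriction, which
# are the rules an attacker hopes to find.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile
```

The last query is slow on a machine with hundreds of rules because it resolves the address filter per rule, but it is the check that matters: a Block default with an unscoped allow rule in front of it gives no protection for that port.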
Encryption Through Windows BitLocker
Full-disk encryption is one of the most important protections and one we usually pay little attention to. The worst case is someone with physical access to the device (a stolen laptop, a removed disk) reading its data directly. Encryption ensures that only someone holding the unlock key, or the recovery key it is backed by, can access the stored content; that is also why the recovery key must never be kept on the same machine.
Microsoft provides BitLocker on the Pro, Enterprise and Education editions of Windows; the Home edition only offers the simpler Device Encryption feature. Let us have a quick look at how to check whether a volume is protected by BitLocker on Windows 10 (the room covers it in Task 8).
Go to Start > Control Panel > System and Security > BitLocker Drive Encryption. The page shows whether BitLocker is turned on or off for each drive.
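The room's BitLocker questions revolve around a recovery key that a careless engineer left on the encrypted machine. As an added example that is not part of the room or the original post, the script below reads the protection status and key protectors of the OS volume and then searches the user profiles for text files containing a BitLocker recovery password (8 groups of 6 digits: 48 digits, 55 characters with the hyphens). Which directories and file extensions are searched is an assumption.

```powershell
# Added example (not from the TryHackMe room): check BitLocker status of C:
# and hunt for recovery keys stored on the same disk. Elevated prompt
# required; Get-BitLockerVolume is available on editions that ship BitLocker.

$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
# Protector types show how the key is guarded (Tpm, RecoveryPassword, ...).
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# Recovery password format: 123456-123456-...-123456 (8 groups of 6 digits).
$keyPattern = '\b(\d{6}-){7}\d{6}\b'

# Assumed search roots and file types; binary formats such as .docx are not scanned.
$hits = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -File `
            -Include *.txt, *.log, *.csv, *.rtf -ErrorAction SilentlyContinue |
        Select-String -Pattern $keyPattern

foreach ($h in $hits) {
    $key = [regex]::Match($h.Line, $keyPattern).Value
    # Report only the last six digits so the full key does not land in a console log.
    '{0}: recovery key present (ends ...{1}, {2} digits)' -f $h.Path,
        $key.Substring($key.Length - 6), ($key -replace '-', '').Length
}
if (-not $hits) { 'No recovery keys found under the user profiles.' }
```

Recovery keys belong in Active Directory, Entra ID or a printed copy in a safe; a key on the encrypted volume is only useful to whoever already has the disk.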
Windows Telemetry
Microsoft's diagnostic data collection system, which reports usage and crash data to improve the user experience and can be resource-intensive. The amount collected can be reduced through Settings > Privacy > Diagnostics & feedback or, via gpedit.msc, under Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
Identity and Access Management
User Account Types: Administrator accounts perform system-level tasks, while standard accounts are restricted to day-to-day work; everyday use should happen from a standard account so that a compromised browser or document runs with the least privilege.
User Account Control (UAC): Prompts for consent (or, for a standard user, administrator credentials) before a privileged task runs, so that malware running as the user cannot silently elevate.
Group Policy Editor: Available on the Pro and Enterprise editions of Windows, used to enforce strong password policies and account lockout settings.
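As an added example that is not part of the room or the original post, this PowerShell script reports the current UAC level from the two registry values behind the notification slider, lists enabled local accounts together with whether each is a member of the Administrators group (the split between administrator and standard accounts described above), and then sets UAC to "Always notify". The mapping from registry values to slider levels is the standard one; the table layout is an assumption.

```powershell
# Added example (not from the TryHackMe room): audit UAC and local account
# roles, then raise UAC to Always notify. Elevated prompt required.

$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin / PromptOnSecureDesktop -> slider level.
$level = switch ("$($uac.ConsentPromptBehaviorAdmin)/$($uac.PromptOnSecureDesktop)") {
    '2/1'   { 'Always notify' }
    '5/1'   { 'Notify only when apps try to make changes (default)' }
    '5/0'   { 'Notify only when apps try to make changes, without dimming the desktop' }
    '0/0'   { 'Never notify' }
    default { "custom ($_)" }
}
'UAC enabled: {0}; level: {1}' -f ($uac.EnableLUA -eq 1), $level

# Standard vs. administrator accounts among enabled local users.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $isAdmin = $admins -contains "$env:COMPUTERNAME\$($_.Name)"
    [pscustomobject]@{
        Name      = $_.Name
        Role      = if ($isAdmin) { 'Administrator' } else { 'Standard' }
        LastLogon = $_.LastLogon
    }
} | Format-Table -AutoSize

# Harden: always prompt on the secure desktop, and keep UAC itself on.
Set-ItemProperty $uac.PSPath -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
Set-ItemProperty $uac.PSPath -Name PromptOnSecureDesktop   -Value 1 -Type DWord
Set-ItemProperty $uac.PSPath -Name EnableLUA               -Value 1 -Type DWord
```

A change to EnableLUA takes effect after a reboot; the other two values apply to the next elevation prompt.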
Check out the video below for detailed explanation.
Room Answers | TryHackMe Microsoft Windows Hardening
What is the startup type of App Readiness service in the services panel?
Manual
Open Registry Editor and find the key “tryhackme”. What is the default value of the key?
{THM_REG_FLAG}
Open the Diagnosis folder and go through the various log files. Can you find the flag?
{THM_1000710}
Find the name of the Administrator Account of the attached VM.
Harden
Go to the User Account Control Setting Panel (Control Panel > All Control Panel Items > User Accounts). What is the default level of Notification?
Always Notify
How many standard accounts are created in the VM?
0
Open Windows Firewall and click on Monitoring in the left pane – which of the following profiles is active? Domain, Private, Public?
Private
Find the IP address resolved for the website tryhack.me in the Virtual Machine as per the local hosts file.
Open the command prompt and enter arp -a. What is the Physical address for the IP address 255.255.255.255?
ff-ff-ff-ff-ff-ff
Windows Defender Antivirus is configured to exclude a particular extension from scanning. What is the extension?
.ps
A Word document is received from an unknown email address. It is best practice to open it immediately on your personal computer (yay/nay).
nay
What is the flag you received after executing the Office Hardening Batch file?
{THM_1101110}
A security engineer has misconfigured the attached VM and stored a BitLocker recovery key in the same computer. Can you read the last six digits of the recovery key?
377564
How many characters does the BitLocker recovery key have in the attached VM?
48
A backup file is placed on the Desktop of the attached VM. What is the extension of that file?
.bkf
What is the CVSS score for the vulnerability CVE-2022-32230?
7.8
Video Walkthrough | TryHackMe Microsoft Windows Hardening