CompTIA A+ 220-1002 Study Guide

This document compares and contrasts several Windows operating system versions, including Windows 7, 8, and 8.1. It outlines the key features and differences between each version, such as release dates, hardware requirements, editions available, and enterprise-level features. It also provides details on 32-bit vs. 64-bit operating systems and their capabilities. Overall, the document provides a concise overview of several Windows OS versions and their similarities and differences.

Uploaded by jincamo

CompTIA A+ Core 2: 220-1002

1.0 Operating Systems


Core 2 (1002): Software
A bunch of aggregated study information condensed into my notes (but not a dump!) from various sources.
There may be misspellings and typos here and there. But it's only $3 😉 Buy me a stick of chewing gum!
Enumerated upon every objective, but may not have enumerated on some smaller topics as they were intuitive to understand at the time.
You're welcome to leave feedback. Thank you
1.1 Compare/Contrast OS types and their purposes

• 32-bit vs. 64-bit
  o RAM limitations
    ▪ 32-bit: 4 GB of addressable memory (the OS, device mappings and running programs all share that space)
    ▪ 64-bit: theoretical limit of 16 EB (about 17 billion GB); each Windows edition enforces a much lower licensed limit (see 1.2)
  o Software compatibility
    ▪ Hardware drivers are specific to the OS architecture (32-bit (x86) / 64-bit (x64)); a 64-bit Windows will not load 32-bit drivers
    ▪ A 32-bit OS cannot run 64-bit apps, but a 64-bit OS can run 32-bit apps (through the WOW64 subsystem)
    ▪ App directories on a 64-bit Windows installation:
      - \Program Files (x86) (32-bit apps)
      - \Program Files (64-bit apps)
• Workstation operating systems
  o Microsoft Windows
    ▪ Large industry support
    ▪ Broad selection of OS options
    ▪ Wide variety of software support
    ▪ Large install base makes it the most common target for security exploits
    ▪ Integration with a diverse range of hardware can be challenging
    ▪ Backslashes ('\') separate path components
  o Apple macOS
    ▪ Desktop OS running on Apple hardware
    ▪ Ease of use
    ▪ Compatibility comes at the cost of higher hardware prices
    ▪ Smaller install base has historically made it a less frequent malware target (not immune)
    ▪ Less industry support
  o Linux
    ▪ Free Unix-like system with many different distributions
    ▪ Extensive usage in server environments
    ▪ Limited driver support (especially on laptops), limited commercial support
    ▪ Root of the file system denoted by '/'
• Cell phone/tablet operating systems
  o Microsoft Windows
    ▪ Fully-featured tablets run regular Windows 10
    ▪ Windows 10 Mobile is no longer in active development; no support after December 2019
  o Android
    ▪ Open Handset Alliance
    ▪ Open-source OS based on Linux
    ▪ Supported on many different manufacturers' devices
    ▪ Apps developed with the Android SDK
  o iOS
    ▪ Apple iPhone/iPad
    ▪ Based on Unix
    ▪ Closed source
    ▪ Exclusive to Apple products
    ▪ Apps are created with the iOS SDK on macOS
    ▪ Apps must be approved by Apple before release on the App Store
  o Chrome OS
    ▪ Google's OS based on Linux, centered around the Chrome web browser
    ▪ Designed for small-form-factor PCs, laptops, tablets, mobile devices
    ▪ Relies on the cloud and internet connectivity
• Vendor-specific limitations
  o End-of-life
    ▪ Software that no longer receives vendor support (no more security patches; isolate it or keep it off the network)
  o Update limitations
    ▪ Chrome OS updates automatically
    ▪ iOS, Android and Windows 10 download updates and prompt the user to install/restart
• Compatibility concerns between operating systems
  o Media sharing
  o Little direct application compatibility, but some data files can be moved across systems
  o Cross-platform compatibility allows data files created on one OS to be seamlessly read and modified on another
  o Web-based apps overcome compatibility concerns
1.2 Compare/Contrast features of Microsoft Windows versions

• Windows 7
  o Released 10/22/2009
  o Extended support ended 1/14/2020
  o Same hardware/software requirements as Windows Vista, with improved performance
  o Libraries, HomeGroup, pinned taskbar
  o Minimum hardware requirements, 32-bit vs. 64-bit
    ▪ 1 GHz processor for both
    ▪ RAM: 1 GB 32-bit, 2 GB 64-bit
    ▪ Free disk space: 16 GB 32-bit, 20 GB 64-bit
    ▪ DirectX 9 graphics device with a WDDM 1.0 or higher driver
  o Editions
    ▪ Starter
      - For netbooks (predecessor to tablets)
      - No DVD playback/Windows Media Center
      - No Windows Aero
      - No Internet Connection Sharing (ICS)
      - No IIS web server
      - No enterprise technologies (domain join, BitLocker, EFS)
      - 32-bit only, max 2 GB RAM
    ▪ Home Basic
      - Consumer edition
      - Partial Windows Aero (no Aero Glass)
      - Internet Connection Sharing
      - IIS web server
      - No enterprise technologies
      - x64 version available, supports up to 8 GB RAM; one physical CPU
    ▪ Home Premium
      - Consumer edition with complete home functionality: full Aero, Windows Media Center, DVD playback
      - No domain join, Remote Desktop host or EFS
      - x64 version supports 16 GB RAM; one physical CPU
    ▪ Professional
      - Same features as Home Premium, plus:
      - Can join a Windows domain
      - Supports Remote Desktop host, EFS
      - Missing the enterprise technologies (BitLocker, AppLocker, DirectAccess, BranchCache)
      - x64 version supports 192 GB RAM; two physical CPUs
    ▪ Ultimate
      - Same features as Enterprise (BitLocker, MUI packages), sold retail for home users
      - x64 version supports 192 GB RAM
    ▪ Enterprise
      - Sold only with volume licensing
      - Multilingual User Interface (MUI) packages
      - BitLocker Drive Encryption, AppLocker, DirectAccess, BranchCache
      - x64 version supports 192 GB RAM
• Windows 8
  o Released 10/26/2012
  o User interface without a Start button (Start screen instead)
• Windows 8.1
  o Released 10/17/2013
  o Free update (not an upgrade) to Windows 8
  o Extended support ends 1/10/2023
  o Core (sold as just "Windows 8.1")
    ▪ Home use; x86 and x64
    ▪ Microsoft account integration
    ▪ Windows Defender
    ▪ Windows Media Player plays CDs; DVD playback requires the separate Media Center Pack
    ▪ x64 version supports 128 GB RAM
  o Pro
    ▪ Similar to Windows 7 Pro/Ultimate
    ▪ Windows domain support
    ▪ Group Policy support
    ▪ BitLocker, EFS, Remote Desktop host
    ▪ x64 version supports 512 GB RAM
  o Enterprise
    ▪ Volume-licensing customers with Software Assurance
    ▪ AppLocker
    ▪ Windows To Go
    ▪ DirectAccess
    ▪ BranchCache
    ▪ x64 version supports 512 GB RAM
  o Same requirements as Windows 7, except that the processor must support:
    ▪ PAE (Physical Address Extension): lets a 32-bit processor address more than 4 GB of physical memory (32-bit client Windows still caps at 4 GB); Windows also relies on PAE page tables to enforce NX
    ▪ NX (No-eXecute) bit: hardware support for Data Execution Prevention; pages marked non-executable cannot run injected code
    ▪ SSE2 (Streaming SIMD Extensions 2): instruction-set extension that Windows 8 and third-party drivers assume is present
• Windows 10
  o Released 7/29/2015
  o Single platform for desktops, laptops, tablets, phones, etc.
  o "Windows as a service": periodic feature and quality updates to the OS
  o Home
    ▪ Microsoft account integration with OneDrive
    ▪ Windows Defender
    ▪ Cortana
    ▪ x64 version supports 128 GB RAM
  o Pro
    ▪ Remote Desktop host
    ▪ BitLocker
    ▪ Windows domain support
    ▪ Group Policy support
    ▪ x64 version supports 2048 GB (2 TB) RAM
  o Education/Enterprise
    ▪ Volume licensing
    ▪ Minor differences between the two
    ▪ AppLocker: control what applications can run
    ▪ BranchCache: remote-site file caching
    ▪ Granular user experience (UX) control: define the user environment, kiosk/workstation customization
    ▪ Same requirements as Windows 8/8.1, including the processor requirements
    ▪ x64 version supports 2 TB RAM (Education) and 6 TB RAM (Enterprise)
• Corporate vs. personal needs
  o Domain access
    ▪ Active Directory Domain Services
    ▪ Large database containing user, system and network information: user accounts, servers, volumes, printers
    ▪ Centralized authentication and management
  o BitLocker
    ▪ Data confidentiality
    ▪ Full-disk encryption, including the OS volume (keys normally sealed by the TPM)
  o Media Center
    ▪ Central portal for home entertainment: video, music, television (TV tuner)
    ▪ Discontinued with Windows 10
  o BranchCache
    ▪ Bandwidth optimization feature that lets branch offices serve cached content locally
    ▪ Distributed cache: content cache at the branch office is distributed among client computers
    ▪ Hosted cache: content cache at the branch office is hosted on hosted-cache servers
  o EFS
    ▪ Encrypting File System (built into NTFS)
    ▪ Protects individual files/folders with per-user keys (unlike BitLocker's per-volume encryption)
• Desktop styles/user interface
1.3 General OS installation considerations and upgrade methods

• Boot methods
  o Optical disc (CD-ROM, DVD, Blu-ray)
    ▪ Common media
  o External drive/flash drive (USB/eSATA)
    ▪ USB drive must be made bootable
    ▪ Computer must support booting from the USB interface
  o Network boot (PXE)
    ▪ Remote network installation through a central server (e.g., Windows Deployment Services)
    ▪ Computer (NIC and firmware) must support booting with PXE
    ▪ NetBoot is Apple's macOS-only equivalent of PXE
    ▪ Monitor the network during the install
  o External/hot-swappable drive
    ▪ Boot from USB
    ▪ External drives can mount an ISO image (DVD-ROM image)
  o Internal hard drive (partition)
    ▪ Install and boot from a separate partition on the same physical drive, keeping the installation files on their own partition
• Types of installations
  o Unattended installation
    ▪ Setup questions are answered from an answer file (unattend.xml)
    ▪ No installation interruptions
  o In-place upgrade
    ▪ Maintains existing applications and data, keeping files in place
    ▪ Saves hours by keeping user data intact and avoiding application reinstalls
    ▪ Launch setup from inside the running OS
    ▪ Cannot upgrade from x86 to x64 (or vice versa); migrate instead
  o Clean install
    ▪ Wipe the slate clean and reinstall
    ▪ Boot from installation media
    ▪ Migration tools can copy files/settings from the previous installation
  o Repair installation
    ▪ Fixes problems with the Windows OS without modifying user files and configuration settings
  o Multiboot
    ▪ Run 2 or more OSes from within a single computer
  o Remote network installation
    ▪ PXE
  o Image deployment
    ▪ Deploy a clone (image) to every computer
  o Recovery partition
    ▪ Hidden partition with installation files
  o Refresh/restore
    ▪ Windows 8/10 feature (Refresh/Reset this PC) that reinstalls Windows from a recovery image or partition
• Partitioning
  o Windows partitioning: storage types
    ▪ Dynamic
      - Supported since Windows 2000 (now superseded by Storage Spaces)
      - Span multiple disks to create a large volume
      - Split data across physical disks (striping)
      - Duplicate data across physical disks (mirroring)
    ▪ Basic
      - DOS/Windows default
      - Primary/extended partitions, logical drives
      - Basic disk partitions can't span separate physical disks
  o MBR partitioning scheme
    ▪ Primary
      - Partitions that can hold a bootable OS
      - Limited to 4 primary partitions on a single disk; one of them can be marked active (the one the BIOS boots), and one of the four slots can instead be an extended partition
    ▪ Extended
      - Used to extend the maximum number of partitions beyond four
      - Can be subdivided into logical partitions, which can be formatted with a file system but are not bootable
    ▪ 32-bit sector addresses limit MBR disks to 2 TB
  o GPT partitioning scheme
    ▪ GUID (Globally Unique Identifier) Partition Table has replaced MBR, offering several advantages
      - Up to 128 partitions per device (the Windows default)
      - One universal partition type: no primary, logical or extended partitions
      - Redundant copies of the partition table in the first and last sectors of the disk
      - Performs a CRC32 over the header and partition table to detect corruption (integrity only: it does not stop deliberate tampering)
      - Assigns a unique ID (GUID) to each storage device and partition
      - Booting from a GPT disk requires UEFI firmware; legacy BIOS (or UEFI in CSM/legacy mode) boots only MBR disks, though it can still use GPT data disks
      - Up to 128 bootable (primary) partitions per device without the need for extended/logical partitions
      - Option to use the whole drive as a single partition
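An added example (not from the study guide) that decodes an MBR partition table from a raw 512-byte sector in PowerShell: it checks the 0x55AA boot signature, walks the four 16-byte entries at offset 446, reports the active flag, type byte and LBA start/length, and flags the extended (0x05/0x0F) and GPT-protective (0xEE) types the text describes. The sample sector is constructed inline; the field offsets are the standard MBR layout. Reading a real disk's sector 0 (shown in the trailing comment) needs an elevated prompt.

```powershell
# Added example, not part of the study guide: decode an MBR partition table.
# Layout assumed (standard MBR): bytes 0-445 boot code, 446-509 four 16-byte
# partition entries, 510-511 boot signature 0x55 0xAA.
# Entry: [0] status (0x80 = active), [1-3] CHS start, [4] type, [5-7] CHS end,
#        [8-11] starting LBA (little-endian), [12-15] sector count (little-endian).

$PartitionTypes = @{
    0x05 = 'Extended (CHS)'; 0x0F = 'Extended (LBA)'; 0x07 = 'NTFS/exFAT'
    0x0B = 'FAT32 (CHS)';    0x0C = 'FAT32 (LBA)';    0x82 = 'Linux swap'
    0x83 = 'Linux';          0xEE = 'GPT protective'
}

function Read-MbrPartitionTable {
    param([Parameter(Mandatory)][byte[]]$Sector)

    if ($Sector.Length -lt 512) { throw "Need a full 512-byte sector, got $($Sector.Length)" }
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) {
        throw 'Boot signature 0x55AA missing: not an MBR (or sector 0 is damaged)'
    }

    $entries = foreach ($slot in 0..3) {
        $o    = 446 + 16 * $slot
        $type = [int]$Sector[$o + 4]
        if ($type -eq 0) { continue }               # empty slot
        $name = if ($PartitionTypes.ContainsKey($type)) { $PartitionTypes[$type] } else { 'other' }
        [pscustomobject]@{
            Slot       = $slot + 1
            Active     = ($Sector[$o] -eq 0x80)     # BIOS boots the one active primary partition
            Type       = '0x{0:X2} {1}' -f $type, $name
            Extended   = ($type -in 0x05, 0x0F)     # container for logical partitions, not bootable itself
            Protective = ($type -eq 0xEE)           # whole-disk placeholder: the real table is GPT
            StartLba   = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors    = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }

    $active = @($entries | Where-Object Active).Count
    if ($active -gt 1) { Write-Warning "$active entries are marked active; firmware expects exactly one" }
    return $entries
}

# Constructed sample sector: a 100 MB active NTFS system partition, a 20 GB NTFS
# partition, and an extended partition that would hold logical drives.
function New-SampleMbr {
    $s = New-Object byte[] 512
    $s[510] = 0x55; $s[511] = 0xAA
    $layout = @(
        @{ Slot = 0; Active = $true;  Type = 0x07; Start = 2048;     Count = 204800   },
        @{ Slot = 1; Active = $false; Type = 0x07; Start = 206848;   Count = 41943040 },
        @{ Slot = 2; Active = $false; Type = 0x0F; Start = 42149888; Count = 20971520 }
    )
    foreach ($p in $layout) {
        $o = 446 + 16 * $p.Slot
        if ($p.Active) { $s[$o] = 0x80 }
        $s[$o + 4] = $p.Type
        [BitConverter]::GetBytes([uint32]$p.Start).CopyTo($s, $o + 8)
        [BitConverter]::GetBytes([uint32]$p.Count).CopyTo($s, $o + 12)
    }
    return ,$s      # leading comma keeps the byte[] intact instead of unrolling it
}

Read-MbrPartitionTable (New-SampleMbr) | Format-Table -AutoSize

# On a real machine (elevated prompt), sector 0 of the first disk can be read with:
# $fs = [System.IO.File]::OpenRead('\\.\PhysicalDrive0'); $buf = New-Object byte[] 512
# [void]$fs.Read($buf, 0, 512); $fs.Close(); Read-MbrPartitionTable $buf
```

On a GPT disk the only entry you will see is the 0xEE protective partition spanning the disk, which is why MBR-only tools report such disks as "full"; the real table lives in LBA 1 onward and must be read separately.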
• File system types/formatting: must be specified before data can be written to a partition
  o exFAT
    ▪ Microsoft file system designed for flash drives
    ▪ File sizes larger than 4 GB
  o FAT32
    ▪ Volume sizes up to 2 TB (Windows' own format tool only creates FAT32 volumes up to 32 GB)
    ▪ Max file size of 4 GB
    ▪ No file permissions (ACLs) and no journaling
  o NTFS
    ▪ Quotas, file compression, encryption (EFS), symbolic links, large file support, security (ACLs), recoverability (journaling)
    ▪ File permissions are preserved during backup
    ▪ Windows machines primarily use it; NTFS-formatted drives are often a prerequisite for certain features
  o CDFS
    ▪ CD/DVD-ROM file system; ISO 9660 standard
    ▪ All OSes can read the CD/DVD
  o NFS
    ▪ Network File System: access files across the network as if they were local
    ▪ Clients available across many OSes
  o ext3, ext4
    ▪ Common Linux file systems
    ▪ ext3 supports journaling (recording transactions before commitment)
    ▪ ext4 includes the features of ext2 and ext3, in addition to:
      - Max file size 16 TB
      - Volume size up to 1 EB
      - Max 4 billion files
      - Checksums to verify journal integrity
      - Extents and delayed allocation for more efficient storage than most file systems
  o HFS/HFS Plus
    ▪ Mac OS Extended
    ▪ Replaced by Apple File System (APFS) in macOS High Sierra 10.13
  o Swap partition
    ▪ Memory management; frees RAM by moving unused pages onto disk and copying them back when needed (Windows uses a page file, pagefile.sys, instead of a dedicated partition)
    ▪ For a performance boost, configure it on a fast drive or SSD
  o Quick format vs. full format
    ▪ Quick format creates a new file table only (the data looks erased but is still on disk and recoverable), without additional checks
    ▪ Full format (Windows Vista and later) writes zeroes to the whole volume and checks the disk for bad sectors
      - Time-consuming
      - Use a full format (or diskpart's clean all, which zeroes the entire disk) before a drive leaves your control; a quick format is not sanitization
    ▪ diskpart (Windows) / fdisk (Linux) are the command-line partitioning tools; diskpart can also convert a dynamic disk back to basic
• Load alternate third-party drivers when necessary
  o Disk controller drivers (RAID/SATA/NVMe), so that setup can see the disk
• Workgroup vs. domain setup
  o In a workgroup every computer keeps its own local accounts, and all systems are typically on the same subnet; in a domain, members can be on different subnets
  o In a domain setup, designate a server as the domain controller, which holds (and replicates between controllers) the centralized database of network objects (user accounts, computers, printers, security policies, etc.), i.e. Active Directory, and join client computers to the domain
• Time/date/region/language settings
• Driver installation, software, and Windows updates
  o Load video drivers, install apps, update the OS
• Factory recovery partition
• Properly formatted boot drive with the correct partitions/format
  o Drive/partition configuration, license keys
• Prerequisites/hardware compatibility
  o Meet minimum/recommended OS requirements
  o Microsoft's upgrade tools (e.g., the Windows 10 Upgrade Assistant) check hardware compatibility automatically
• Application compatibility
• OS compatibility/upgrade path
  o Windows 7 to Windows 10

    Windows 7 edition   Windows 10 Home    Windows 10 Pro     Windows 10 Enterprise
    Home Basic          In-place upgrade   In-place upgrade   Clean install
    Home Premium        In-place upgrade   In-place upgrade   Clean install
    Professional        In-place upgrade   In-place upgrade   In-place upgrade
    Ultimate            In-place upgrade   In-place upgrade   In-place upgrade
    Enterprise          Clean install      Clean install      In-place upgrade

  o Windows 8.1 to Windows 10

    Windows 8.1 edition   Windows 10 Home    Windows 10 Pro     Windows 10 Enterprise
    Basic (Core)          In-place upgrade   In-place upgrade   Clean install
    Professional          In-place upgrade   In-place upgrade   In-place upgrade
    Enterprise            Clean install      Clean install      In-place upgrade

  o Windows 10 downgrade rights

    Downgrade to                    From Windows 10 Home   From Windows 10 Pro   From Windows 10 Enterprise
    Windows 7 Professional          No                     Yes                   No
    Windows 7 Ultimate              No                     Yes                   No
    Windows 8.1 Pro (Student, WMC)  No                     Yes                   No
    Windows 10 Pro                  No                     No                    Yes
    Windows 10 Education            No                     No                    Yes

1.4 Microsoft command line tools

• Navigation
  o dir: list files and directories in the current folder
  o cd: change the working directory
    ▪ Use a backslash (\) to separate volume/folder names
    ▪ .. refers to the parent directory (the folder above the current folder)
  o help [command]: shows the syntax, options and a brief description of the given command
    ▪ help with no arguments lists all available system commands
    ▪ [command] /? shows the same help text
• shutdown: forces a full shutdown (and reboot if requested) of a local/remote Windows host
  o /s /t nn: wait nn seconds and shut down
  o /r /t nn: shut down and reboot after nn seconds
  o /a: abort a pending shutdown
  o /m \\computer: target a remote host
• dism (Deployment Image Servicing and Management): tool for preparing, modifying and managing Windows Imaging Format (WIM) files. You can also add packages, manage drivers, manage updates, mount an image, and repair a corrupted running installation (its component store) without reinstalling (see the /Online switch)
  o /Image:<path>: service an offline image mounted at <path>
  o /Online: service the currently running OS instead of a mounted image
  o /Get-Packages: list the packages in the image
  o /Add-Package /PackagePath:<path>: add a package (.cab/.msu)
  o /Mount-Image /ImageFile:<wim> /Index:<n> /MountDir:<dir>: mount an image for servicing
  o /Commit-Image: save changes to a mounted image
  o /Unmount-Image /MountDir:<dir> /Commit or /Discard: unmount, keeping or discarding changes
  o /Get-WimInfo /WimFile:<location>: get information about the images in a WIM
  o /Cleanup-Image
    ▪ /CheckHealth: report whether the image has been flagged as corrupted (quick, no repair)
    ▪ /ScanHealth: scan the component store for corruption, provide detailed info (no repair)
    ▪ /RestoreHealth: scan and repair the image (pulls replacement files from Windows Update unless /Source is given)
  o /Cleanup-Mountpoints: clean up mount points left behind when servicing with DISM was interrupted
  o I barely scratched the surface of all available commands. See
    https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-image-servicing-and-management--dism--command-line-options
• sfc
  o Scans for corrupted/incorrect protected system files
    ▪ /scannow: scans and repairs files with problems when possible (replacement files come from the component store that DISM repairs, so run DISM /RestoreHealth first if sfc cannot fix a file)
• chkdsk: CLI utility for checking file system and disk status
  o /f: performs a logical file system check and fixes errors on the disk
  o /r: does everything /f does, then locates bad sectors and recovers readable information
    ▪ If the volume is locked (in use), chkdsk offers to run at the next startup
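The repair order the three tools above imply (component store, then protected files, then file system), run unattended from an elevated PowerShell prompt with exit-code checks and a log. This is an added example, not from the study guide; the dism.exe, sfc.exe and chkdsk.exe switches are the standard ones, and the log path under $env:TEMP is an assumption.

```powershell
# Added example, not from the study guide: DISM -> SFC -> CHKDSK with exit-code checks.
# Must run from an elevated (Run as administrator) PowerShell prompt.

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Run as administrator) PowerShell prompt' }

$log = Join-Path $env:TEMP 'repair-log.txt'     # assumed log location

function Invoke-Step {
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    $stamp = Get-Date -Format s
    Add-Content -Path $log -Value "[$stamp] $Name : $Exe $($Arguments -join ' ')"
    Write-Host "== $Name"
    # Run the native tool, echo its output to the console and append it to the log.
    & $Exe @Arguments 2>&1 | ForEach-Object { Add-Content -Path $log -Value $_; Write-Host $_ }
    $code = $LASTEXITCODE                        # exit code of the native executable just run
    Add-Content -Path $log -Value "[$stamp] $Name exit code: $code"
    return $code
}

# 1. Component store first: sfc takes its replacement files from here, so a corrupt
#    store is what produces "found corrupt files but was unable to fix some of them".
$check = Invoke-Step 'DISM CheckHealth' 'dism.exe' @('/Online', '/Cleanup-Image', '/CheckHealth')
if ($check -ne 0) { throw "DISM could not inspect the image (exit $check); see $log" }

$scan = Invoke-Step 'DISM ScanHealth' 'dism.exe' @('/Online', '/Cleanup-Image', '/ScanHealth')
# ScanHealth only reports; RestoreHealth repairs (needs Windows Update or /Source:<path> to good media)
$restore = Invoke-Step 'DISM RestoreHealth' 'dism.exe' @('/Online', '/Cleanup-Image', '/RestoreHealth')
if ($restore -ne 0) { Write-Warning "RestoreHealth failed (exit $restore); retry with /Source from known-good media" }

# 2. Protected system files. Check CBS.log regardless of the exit code for 'Cannot repair member file'.
$sfc = Invoke-Step 'SFC' 'sfc.exe' @('/scannow')
if ($sfc -ne 0) { Write-Warning "sfc returned $sfc; details in $env:windir\Logs\CBS\CBS.log" }

# 3. File system. /scan checks an NTFS volume online without locking it (Windows 8+);
#    anything it cannot fix online is queued for the next boot.
$chk = Invoke-Step 'CHKDSK' 'chkdsk.exe' @('C:', '/scan')
if ($chk -ne 0) { Write-Warning "chkdsk returned $chk; run 'chkdsk C: /f' and reboot to fix queued errors" }

"Done. Full log: $log"
```

Keep the log: on a machine you suspect is compromised, DISM and SFC reporting repaired files is evidence to preserve, not just a fix, and the replaced binaries should be compared against known-good hashes before trusting the system again.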
• diskpart
  o Text-based (interactive) partitioning utility: list disk, select disk n, clean, create partition, format
• tasklist, taskkill
  o tasklist: displays a list of currently running processes on a local/remote host
  o taskkill: terminates running processes on a local/remote host
    ▪ Terminate tasks by PID (taskkill /PID <pid>) or executable name (taskkill /IM example.exe); add /F to force
• gpupdate
  o Refreshes Group Policy settings (by default only changed settings are reapplied)
    ▪ /force reapplies all settings
    ▪ /target:{computer|user} /force
• gpresult
  o Displays the Resultant Set of Policy (RSoP) for a machine/user
  o gpresult /r: summary of the applied Group Policy objects
  o gpresult /user <domain>\<user>: RSoP for a specific user
  o gpresult /h report.html: full HTML report
• format
  o Formats an existing partition/volume with the chosen file system (format D: /fs:NTFS); create the partition first (diskpart)
• copy
  o Copies one or more files from one location to another
  o /v: verifies the new files are written correctly
  o /y: suppresses the confirmation prompt displayed when Windows asks to overwrite an existing file
• xcopy
  o Copies multiple files or entire directory trees
• robocopy
  o Improved xcopy included with Windows 7 onward
    ▪ Ability to resume interrupted transfers (/Z) makes it the ideal choice for data transfers over slow/unreliable links; /COPYALL also preserves NTFS ACLs
• Network troubleshooting utilities
  o ipconfig
    ▪ With no options, displays the IP address, subnet mask and default gateway (the gateway is the first hop to ping when troubleshooting)
    ▪ /all: display all TCP/IP configuration parameters: IP address, subnet mask, default gateway, MAC address, DNS servers, DHCP server, lease times
    ▪ /registerdns: registers the computer's DNS host name with the DNS server
    ▪ /displaydns: displays the contents of the computer's DNS resolver cache
    ▪ /flushdns: clears the resolver cache
    ▪ /renew: renews the client's DHCP lease
    ▪ /release: releases the client's DHCP lease
    ▪ /showclassid: displays the DHCP class ID assigned to the client computer
    ▪ /setclassid: configures the DHCP class ID assigned to the client computer
  o ping
    ▪ Tests communication with a host using ICMP echo requests (4 requests by default on Windows; -t pings until stopped)
  o tracert
    ▪ Determines the route a packet takes to a destination by sending probes with increasing TTL values to count the number of hops
    ▪ Every router along the way decreases the TTL by 1
    ▪ A router returns ICMP "TTL Exceeded" once the TTL reaches 0, which reveals that hop's address
    ▪ Use when ping fails, to find where the path breaks
  o netstat
    ▪ Displays active TCP/IP inbound/outbound connections and network protocol statistics on the local computer
    ▪ -a: show all active connections and listening ports
    ▪ -b: requires elevated privileges; shows the name of the application/binary that created each connection/listening port
    ▪ -n: display addresses/port numbers in numeric form (no DNS lookups)
    ▪ -o: show the owning process ID
  o nslookup
    ▪ Queries a DNS server to view records and resolve hostnames to IP addresses and vice versa
    ▪ "Non-authoritative answer" means the reply came from a resolver's cache rather than from the zone's authoritative server
    ▪ Shows canonical names, IP addresses, cache timers
  o net commands
    ▪ net session: lists the sessions other computers have open to this computer's shared resources
    ▪ net view \\<servername>: view the shares a server offers
    ▪ net use <drive letter>: \\<servername>\<sharename>: map a network share to a drive letter
    ▪ net user: view user account info, reset passwords, add/delete local users (net user <name> /add)
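The netstat -abno view (listening TCP ports joined to their owning process and binary) built from PowerShell cmdlets, with an Authenticode check so a listener backed by an unsigned or modified binary stands out. Added example, not from the study guide; Get-NetTCPConnection and Get-AuthenticodeSignature are standard cmdlets (Windows 8 / Server 2012 or later). Run it elevated: without elevation the path of other users' processes is unavailable and shows as n/a.

```powershell
# Added example, not from the study guide: who is listening, and is the binary trustworthy?

function Get-ListeningPortReport {
    param([switch]$ExposedOnly)   # only listeners reachable from the network (skip 127.0.0.1 / ::1)

    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen |
        Where-Object { -not $ExposedOnly -or $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Sort-Object LocalPort |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = $p.Path                          # null for System (PID 4) or when not elevated
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress        # 0.0.0.0 / :: means every interface
                Port         = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = if ($p) { $p.ProcessName } else { '?' }
                Path         = $path
                Signature    = $sig                   # Valid, NotSigned, HashMismatch, n/a ...
                Suspicious   = ($sig -ne 'Valid' -and $_.OwningProcess -ne 4)   # PID 4 = kernel listeners (SMB etc.)
            }
        }
}

# Full report, then the short list worth a second look: network-reachable listeners
# whose binary is unsigned, unreadable, or has been modified since it was signed.
$report = Get-ListeningPortReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Suspicious -and $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Format-Table Port, PID, Process, Path, Signature -AutoSize
```

A valid signature only proves the file is what its publisher shipped; a signed remote-access tool listening on a workstation that should not have one is still a finding, so read the Path and Process columns, not just Signature.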
• Commands available with standard privileges vs. administrative privileges
  o Read-only commands (dir, ipconfig, ping, tracert, nslookup, tasklist, netstat -a) run from a standard prompt
  o Commands that change system state or inspect other users' processes (chkdsk /f, sfc /scannow, dism, diskpart, format, net user <name> /add, netstat -b) need an elevated prompt ("Run as administrator"); UAC prompts even an administrator account for consent before the elevated prompt opens
1.5 Microsoft OS features/tools

• Administrative tools
  o Computer Management (compmgmt.msc)
    ▪ A preconfigured Microsoft Management Console (mmc.exe) bundling Device Manager, Disk Management, Event Viewer, Local Users and Groups, Services, etc.
    ▪ Predefined mix of snap-ins; build your own console with mmc.exe: add/remove snap-ins, then save the console (.msc)
    ▪ Control Panel > Administrative Tools
    ▪ Events, user accounts, storage management, services: aggregated utilities
  o Device Manager (devmgmt.msc)
    ▪ View device drivers and their status
      - Exclamation-point indicator: the device has a problem (usually no proper driver installed)
      - Down-arrow indicator: the device is disabled
    ▪ Computer Management snap-in
  o Local Users and Groups (lusrmgr.msc)
    ▪ Computer Management snap-in
    ▪ Allows system administrators to enable/disable user accounts and create and manage users and groups stored locally on the computer: Administrators, Users, Guests (limited access)
    ▪ Not available on Home editions
  o Local Security Policy (secpol.msc)
    ▪ Administrative tool used by system administrators to modify account policies (password, lockout), local policies (audit policy, user rights, security options), public key policies and IP security policies for a local host
    ▪ Stand-alone PCs aren't managed through Active Directory Group Policy but rather through local policy
  o Performance Monitor (perfmon.msc)
    ▪ Gather long-term statistics, set alerts and configure automatic actions, store statistics and build detailed reports
    ▪ OS metrics: disk, memory, CPU
    ▪ Control Panel > Administrative Tools
  o Services
    ▪ Background processes: file indexing, anti-virus, network browsing
    ▪ Most start automatically; useful when troubleshooting the startup process
    ▪ net start, net stop
    ▪ Control Panel > Administrative Tools > Services
    ▪ services.msc
  o System Configuration (msconfig.exe)
    ▪ Administrative Tools > System Configuration
  o Task Scheduler (taskschd.msc)
    ▪ Administrative Tools applet to schedule execution of an application/batch file at predefined times or intervals, or on triggers such as logon or a logged event
    ▪ Organize tasks into folders
    ▪ Control Panel > Administrative Tools > Task Scheduler
    ▪ e.g., can be used to have a destination computer automatically wake up to perform a scheduled backup
  o Component Services (dcomcnfg.exe)
    ▪ Microsoft COM+ (Component Object Model): model for system administrators and application developers to build object-oriented distributed enterprise applications for Windows
    ▪ COM+ application and DCOM management
    ▪ The same console also hosts the Event Viewer and Services snap-ins
  o Data Sources
    ▪ ODBC (Open Database Connectivity) allows developers to write applications without concern for the back-end database type
    ▪ Enables Windows applications to access an SQL database
    ▪ Control Panel > Administrative Tools > ODBC Data Sources (odbcad32.exe)
  o Print Management (printmanagement.msc)
    ▪ Share printers from one central console; add/manage printer drivers
    ▪ Administering print devices
      - Prior to Windows 7: Printers applet in Control Panel
      - Windows 7/8/8.1/10: Devices and Printers applet in Control Panel
      - Print Management utility in the Administrative Tools folder (not in Home editions)
  o Windows Memory Diagnostics (mdsched.exe)
    ▪ Administrative Tools applet that runs multiple test passes over the individual memory modules at the next reboot to find a bad RAM chip/module
    ▪ Control Panel > Administrative Tools > Windows Memory Diagnostics
  o Windows Defender Firewall
    ▪ Integrated into the OS; Control Panel > Windows Firewall
    ▪ The basic applet only allows or blocks applications
      - No scope: an exception applies to that program's traffic from any address
      - No connection security rules (i.e., can't require or encrypt traffic with IPsec)
    ▪ Windows Defender Firewall with Advanced Security (wf.msc)
      - Found in the Windows Firewall Control Panel applet > Advanced Settings
      - Detailed control over inbound and outbound rules as well as connection security rules, with granular rule criteria: program, port, predefined service, custom protocol/port, scope (local/remote addresses), action (allow, block, allow if secure), profile (Domain, Private, Public)
  o Event Viewer (eventvwr.msc)
    ▪ Central event consolidation
    ▪ Windows logs: Application, Security, Setup, System
    ▪ Events carry a level: Information, Warning, Error, Critical; Security-log events are instead tagged Audit Success or Audit Failure
  o User Account Management
    ▪ Control Panel > User Accounts for local accounts; Local Users and Groups for group membership
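Reading the Security log's Audit Failure events from PowerShell instead of clicking through Event Viewer: Get-WinEvent pulls failed-logon events (ID 4625), the event XML is parsed for the target account, source address, logon type and failure sub-status, and the results are grouped so a password-spraying source or a locked-out account stands out. Added example, not from the study guide; reading the Security log needs an elevated prompt, and the 24-hour window and threshold of 5 are assumed defaults.

```powershell
# Added example, not from the study guide: summarize Audit Failure (4625) events.
# Field names (TargetUserName, IpAddress, LogonType, SubStatus) are the standard
# 4625 EventData names; SubStatus codes are the documented NTSTATUS values.

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 5)   # flag account/source pairs with >= Threshold failures

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error (not an empty result) when nothing matches
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress                # '-' for local console attempts
            LogonType = $d.LogonType                # 2 interactive, 3 network (SMB), 10 RDP
            Reason    = switch ($d.SubStatus) {     # why the logon failed
                '0xc000006a' { 'bad password' }
                '0xc0000064' { 'user does not exist' }
                '0xc0000234' { 'account locked out' }
                '0xc0000072' { 'account disabled' }
                default      { $d.SubStatus }
            }
        }
    }

    $rows | Group-Object Account, Source |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Reasons'; e = { ($_.Group.Reason | Select-Object -Unique) -join ', ' } }
}

Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

Many "user does not exist" failures from one source across different account names is the signature of an enumeration or spraying attempt; many "bad password" failures against one account from many sources points at a targeted guess. Logon type 3 with an external source address means the attempts are arriving over the network, which is the case the firewall scope rules in 1.6 exist to prevent.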
• MSConfig (System Configuration)
  o Control Panel > Administrative Tools > System Configuration
  o Administrative Tools folder > System Configuration
  o Provides a means of managing startup settings, such as number of processors, memory, debug options, etc., so system admins can isolate issues that prevent correct OS startup
  o General
    ▪ Lists options for startup configuration modes: Normal, Diagnostic, Selective startup
  o Boot
    ▪ Manage boot location, default OS and timeout in a multiboot environment, the amount of hardware resources (number of processors, RAM amount) to use, and diagnostic boot options: Safe boot (minimal, alternate shell, Active Directory repair, network), no GUI boot, boot log, base video, OS boot information (show drivers as they load)
  o Services
    ▪ Contains a list of background applications (services) to enable/disable during startup; "Hide all Microsoft services" isolates the third-party ones
    ▪ Easier for quick troubleshooting than the Services applet
  o Startup
    ▪ Toggle which applications start with a Windows login
    ▪ Contained the list of user applications to enable/disable at boot prior to Windows 8; in Windows 8/8.1/10 this moved to Task Manager > Startup
  o Tools
    ▪ Lists, and launches, individual MMC snap-ins and administrative tools like UAC settings, System Information, Computer Management
• System Information
  o BIOS version, OS version, installed hardware (see msinfo32 below)
• Task Manager
  o Launch with Ctrl+Shift+Esc, Ctrl+Alt+Del > Task Manager, right-clicking the taskbar and selecting Task Manager, or taskmgr from a command prompt/Run box (as with all utilities)
  o Applications (Windows 7 and below)
    ▪ User-interactive applications in use
    ▪ Administratively control apps: end task, start new task
    ▪ Combined with the Processes tab from Windows 8 onward
  o Processes
    ▪ Interactive and system-tray apps
    ▪ View processes from other accounts (requires elevation)
    ▪ Move columns, add metrics
  o Performance
    ▪ Examines (in real time and by collecting log data) how running programs affect system performance
    ▪ CPU, memory, disk, Bluetooth, network utilization
  o Networking
    ▪ Separate tab in 7: view utilization, link speeds, interface connection state
    ▪ Integrated into the Performance tab from 8 onward
  o Users
    ▪ See connected users
    ▪ 7: user list, disconnect, log off, send message
    ▪ 8 onward: detailed process information for individual users, performance statistics
• Disk Management (diskmgmt.msc)
  o GUI utility for managing disks
  o Access via Computer Management, Run, or the Quick Access menu (right-click the Start button)
  o Computer Management > Storage > Disk Management
    ▪ Some tasks can erase data
  o Enable a newly added disk in File Explorer by
    ▪ Initializing the disk (choose MBR or GPT)
    ▪ Creating a volume and assigning it a drive letter
    ▪ Or mounting the volume as a folder
  o Volume types
    ▪ Simple volume: single disk
    ▪ Spanned volume: joins space on several disks, no fault tolerance
    ▪ Striped volume (RAID 0): data split across disks for speed, no fault tolerance
    ▪ Mirrored volume (RAID 1): data duplicated across two disks
    ▪ RAID-5 volume: striped with parity (Windows Server only)
  o Drive status (Healthy = Online)
    ▪ Healthy/Online: disk ready for I/O operations
    ▪ Healthy/Online (Errors/At Risk): drive has experienced I/O errors and may be failing
    ▪ Foreign: dynamic disk moved from another computer and found by the host (Import Foreign Disks to use it)
    ▪ Offline/Missing
      - Offline: disk is not available because of corruption, drive failure, I/O errors
      - Missing: dynamic disk is powered down, corrupted or disconnected
    ▪ Initializing: normal startup message
    ▪ Failed: basic/dynamic volume cannot be started automatically, is damaged or contains a corrupt file system
    ▪ Failed Redundancy: data on a RAID 1/5 array is no longer fault tolerant because a disk is not online
      - RAID 1: Resynching, data being copied between drives
      - RAID 5: Regenerating, data being rebuilt from parity
  o Mounting
    ▪ Assigning a mount-point folder path (or a drive letter) to a volume makes a newly added drive show up in File Explorer
    ▪ Extend available storage space: mount a separate storage device as an empty NTFS folder or assign it a drive letter
  o Initializing
    ▪ Prepares a newly added disk for use by Windows (writes the MBR or GPT)
  o Extending partitions
    ▪ Right-click on partition > Extend Volume to grow the partition into adjacent unallocated space on the same disk
  o Splitting partitions
    ▪ Must be done manually: shrink the volume, then create a new simple volume from the freed unallocated space
  o Shrinking partitions
    ▪ Disk Management: right-click the volume, select 'Shrink Volume' from the context menu
  o Assigning/changing drive letters
    ▪ Disk Management: right-click the volume, select 'Change Drive Letter and Paths' from the context menu
  o Adding drives
    ▪ Action > Rescan Disks (diskpart: rescan), then initialize the disk
  o Adding arrays
    ▪ Storage Spaces or Disk Management
    ▪ Right-click unallocated space and select New Mirrored/Striped/Spanned/RAID-5 Volume from the context menu (RAID-5 requires Windows Server)
  o Storage Spaces
    ▪ Virtualization technology that organizes multiple physical disks into logical volumes similar to RAID levels
    ▪ Storage for data centers and cloud infrastructures with multiple tiers and types of administrative control
      - Storage pool: grouped storage devices; easily add/remove disks in the pool
      - Allocate virtual disks (spaces) from the available space in the pool, including options for mirroring and parity
      - Hot-spare ability
• System utilities
  o Regedit (regedit.exe; regedt32 is an alias)
    ▪ The Registry is a hierarchical database containing system configuration info used by the kernel, device drivers, services, the Security Account Manager, the user interface and applications
    ▪ Changes under HKEY_LOCAL_MACHINE need administrator rights; any user can change their own HKEY_CURRENT_USER (which is why per-user Run keys are a favorite malware persistence spot)
    ▪ Back up the Registry by exporting the key before making changes (File > Export, or reg export); revert by importing the exported file
      - Or create a System Restore point first
    ▪ Hives (root keys)
      - HKEY_CLASSES_ROOT: file associations and COM object registrations
      - HKEY_CURRENT_CONFIG: hardware profile currently in use
      - HKEY_LOCAL_MACHINE: machine-wide hardware/software configuration (SAM, SECURITY, SOFTWARE, SYSTEM hives)
      - HKEY_USERS: all loaded user profiles
      - HKEY_CURRENT_USER: the logged-on user's profile (a link into HKEY_USERS)
  o cmd
    ▪ Command interpreter utility
  o Services (services.msc)
    ▪ Control Panel / Administrative Tools / Services
    ▪ Administrative Tools folder applet for managing background applications
    ▪ Check dependencies between services
    ▪ Start, stop, restart, pause, resume services
    ▪ Change the startup type of a service: Disabled, Automatic, Automatic (Delayed Start), Manual
    ▪ Each service runs under an account (Local System, Local Service, Network Service or a custom account), shown on the Log On tab
  o MMC
    ▪ Build your own management framework from a list of snap-ins
  o MSTSC
    ▪ Microsoft Terminal Services Client (Remote Desktop Connection)
      - Initiates Remote Desktop access; on client editions, connecting logs the locally signed-in user off their session
      - Not to be confused with Windows Remote Assistance, where the helper requests control of the user's existing session
  o Notepad
    ▪ View/edit text files
    ▪ Double-clicking a PowerShell script (.ps1) opens it in Notepad instead of running it; together with the default execution policy (Restricted on client Windows), this limits .ps1 files as a drive-by attack vector
  o Explorer
    ▪ File management utility
    ▪ View, copy, launch files
    ▪ Access shares by specifying a UNC path (\\server\share)
  o msinfo32 ('System Information' summary)
    ▪ Windows system info: OS name, version, system name (DESKTOP-xxxxxx), architecture, processor, BIOS version, RAM, page file
    ▪ Hardware resources: memory, DMA, IRQ, conflicts
    ▪ Components
      - Storage drives: see size
    ▪ Software environment
      - System drivers, environment variables, print jobs, etc.
  o DxDiag
    ▪ DirectX Diagnostic Tool
    ▪ DirectX: multimedia API for 3D graphics, audio, input
    ▪ Generic way to troubleshoot A/V
  o Disk Defragmenter (Optimize Drives)
    ▪ Moves file fragments so they are contiguous, improving read/write time on HDDs
    ▪ Defragmentation is not applied to SSDs; Optimize Drives sends TRIM commands to them instead
    ▪ Requires elevated permissions when run from the command line
    ▪ defrag <volume>
  o System Restore
    ▪ Manually generate System Restore points to revert the OS configuration (applications, system files, Windows updates, device drivers, Registry) to a previous known-good state
      - Also generated automatically when installing a new application, driver or Windows update
    ▪ DOESN'T affect end-user data
    ▪ Not recommended for removing malware (restore points can themselves contain infected files)
    ▪ Not enabled by default on a clean Windows 10 install
    ▪ Only for NTFS-formatted drives
    ▪ Control Panel > Recovery, or F8: Advanced Boot Options > Repair Your Computer
    ▪ A restore run from the recovery environment (booted from installation media) cannot be undone
  o Windows Update
    ▪ Automatic installation
    ▪ Defer updates on non-Home editions
      - Semi-annual feature updates: up to a year
      - Cumulative quality updates: up to 30 days
    ▪ 'Windows Update Database Error' or 'Windows Update cannot currently check for updates because the service is not running'
      - Restart the Windows Update service (net stop wuauserv, then net start wuauserv)
      - Run DISM /Online /Cleanup-Image /RestoreHealth, then sfc /scannow
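The export-before-you-edit habit from the Regedit notes above, as a PowerShell routine: reg.exe exports the key to a .reg file, the value is changed with Set-ItemProperty, and reg.exe import rolls it back. This is an added example, not from the study guide; the key name under HKCU is hypothetical so the script runs without administrator rights (the same steps on an HKLM key need an elevated prompt), and the backup path under $env:TEMP is an assumption.

```powershell
# Added example, not from the study guide: change a Registry value with a rollback file.

$Key    = 'HKCU:\Software\ExampleCorp\Agent'    # hypothetical sample key, created and removed below
$Backup = Join-Path $env:TEMP 'Agent-backup.reg' # assumed backup location

function Set-RegistryValueWithBackup {
    param([string]$Path, [string]$Name, $Value, [string]$BackupFile)

    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # reg.exe wants HKCU\... / HKLM\..., the PowerShell provider uses HKCU:\ / HKLM:\
    $regPath = $Path -replace '^HKCU:\\', 'HKCU\' -replace '^HKLM:\\', 'HKLM\'

    # reg export writes the whole key (all values and subkeys) to a .reg file; /y overwrites
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE); not touching $Path" }

    $old = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $Path -Name $Name -Value $Value
    [pscustomobject]@{
        Path   = $Path
        Name   = $Name
        Old    = $old
        New    = (Get-ItemProperty -Path $Path).$Name
        Backup = $BackupFile
    }
}

function Restore-RegistryBackup {
    param([string]$BackupFile)
    # reg import replays the .reg file, restoring every exported value
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)" }
}

# Seed the sample key, change a value with a backup, then roll back and verify.
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name 'UpdateServer' -Value 'https://updates.example.internal'

Set-RegistryValueWithBackup -Path $Key -Name 'UpdateServer' `
    -Value 'https://updates2.example.internal' -BackupFile $Backup

Restore-RegistryBackup -BackupFile $Backup
'After rollback: ' + (Get-ItemProperty -Path $Key).UpdateServer    # the original URL is back

Remove-Item -Path 'HKCU:\Software\ExampleCorp' -Recurse -Force      # clean up the sample key
```

reg import merges: it restores the values that were exported but does not delete values added after the export. For a full rollback of a key you have added values to, delete the key first and then import.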
1.6 Microsoft Control Panel utilities

• Internet Options (applies only to Internet Explorer)
  o Connections
    ▪ VPN and proxy settings
  o Security
    ▪ Different access levels based on the site's zone (Internet, Local intranet, Trusted sites, Restricted sites)
  o General
    ▪ Delete temporary internet files, cookies, browsing history, form data, passwords
  o Privacy
    ▪ Cookies, pop-up blocker, InPrivate browsing
  o Programs
    ▪ Default browser, add-ons, file associations
  o Content
    ▪ Certificates and AutoComplete
  o Advanced
    ▪ Detailed configuration settings and Reset
• Display/Display Settings
  o Resolution
  o Color depth
  o Refresh rate
  o Not to be confused with the Ease of Access utilities, which let you toggle color filters, high contrast, text size, mouse pointer and so on
  o Right-click the Windows icon > Personalize > Display, or right-click the desktop > Display Settings
• User Accounts
  o Local user accounts: account name/type, change password, change picture, and certificate information
  o Allows system administrators to enable/disable user accounts
• Folder Options
  o View hidden files
    ▪ Protected operating system files (including system .dll files) stay hidden unless that option is unchecked separately
  o Hide extensions for known file types (turn this off: with extensions hidden, "invoice.pdf.exe" displays as "invoice.pdf")
  o General options
  o View options
• System
  o Performance (virtual memory)
    ▪ Visual effects, Data Execution Prevention
  o Remote settings
  o System protection
• Windows Firewall
  o Configure firewall settings per network profile (Private, Public, or Domain network)
    ▪ Allow applications through the firewall
    ▪ Any inbound traffic initiated from external sources is blocked by default unless you define an exception
  o Advanced Security lets you create rules based on protocols, ports, addresses, authentication
 Power Options
o In order of consuming the most to least power
 Working (S0)
 All devices run at full power
 Modern Standby (S0 low-power idle)
 System idles and wakes up very quickly
 Sleep State (S1, S2, S3)
 Maintains power to RAM to allow quick resume, may
drain battery
 S1: CPU stopped, RAM is running
 S2: CPU no power, RAM running
 S3: CPU no power, RAM running slower, PSU reduces
power to all devices
 Hibernation (S4)
 Write RAM contents to HDD; CPU, HDD, keyboard and
monitor then power down completely
 Uses no battery power, at the cost of a slower resume than
waking from sleep
o a fine option to protect oneself from data loss in
event of battery failure
 Power button to wakeup
 Soft Off (S5)
 Reboot state
 Mechanical Off (G3)
 Shut down state
o Power plans
 Power Saver: Sacrifice hardware performance in favor of longer
battery life
 Balanced: Default plan, system performance and battery life
balanced
 High Performance Plan: Sacrifice battery to get most performance
o Sleep/suspend
 Sleep/Standby
 Standby powers down HDD and LCD; CPU and keyboard
lie dormant w/ lower power consumption
o Wakeup by pressing keyboard key, mouse button
or movement
 Open apps stored in memory, saving power and allowing
for quick startup
 Credential Manager
o Control panel applet used to manage Web & Windows credentials
 Auto-connect to local resources, i.e., network shares
 Programs and features
o Uninstall or Change Program
o Toggle Windows Features ON/OFF i.e., Hyper-V
o Uninstall ‘Remove’ updates
 HomeGroup
o Removed from W.10 v.1803
 Devices and Printers
o Add/remove devices and printers, troubleshoot, and see device properties
(device function summary)
 Sound
o Adjust volume, Nuff said.
 Troubleshooting
o Troubleshoot by Category: Programs, Hardware & Sound, Network &
Internet, System and Security
 Network and Sharing Center
o View Active Networks
 Check Connections (Adapters) to see status of connection
o Setup new connections & Networks
 Device Manager
o Provides option to rollback drivers in case of device failure after update
 BitLocker
o Encrypts all data on volume
 Utilize TPM to facilitate moving of disk to another computer OR
use combination USB startup key & system volume password to
boot system
 Boot files are not encrypted without TPM
 Sync Center
o Allows users to automatically sync documents upon restoration of network
connection
1.7 Application installation/configuration
 System requirements
o Drive space, RAM, OS requirements will be among the most looked-at
requirements to satisfy
 Methods of installation and deployment
o Local (CD/USB) or Network-based
 Local user permissions
o Does the user have folder/file access for installation?
 On Windows, a standard user account may be met with a UAC
prompt for administrative credentials
 Security considerations
o Impact to device
 Malicious applications can delete files, slow down the system
o Impact to network
 Malicious applications can access internal services and manage
permissions to file shares
 What ports is the application opening in the firewall?
1.8 Configuring Windows networking
 HomeGroup vs. Workgroup
o HomeGroup works on a single private network and allows trusted
client computers to share files, printers, between devices
 Windows 7, 8/8.1, no longer on Windows 10 v.1803
 Network profile must be set to "Home"
 Enable HomeGroup: Single shared single password for access
o WorkGroup allows creation of logical groups of network devices where
each is a peer that can access shared network resources
 Designed for small departments
 Each computer in a workgroup keeps track of its own user accounts
and security settings; there is no centralization
 Manage in Control Panel / System
 Domain setup
o Designate server computer as domain controller and configure user
accounts
o Only client computers that use Windows Pro or above can join a domain.
No Windows Home host is able to domain join.
o Join a client to a domain via Control Panel > System and Security > System
> Computer name, domain, workgroup settings > Change Settings >
Member of > Domain, Enter name of domain you wish the system to join
 Administrative privileges necessary
 Network shares/administrative shares/mapping drives
o Remote shares may be password-protected, which prompts the user for
credentials on the remote system (unless there is a local account with those
same credentials)
o Hidden shares are designated by ending with a $
o Sharing Methods
 Windows Explorer: Assign/Map drive letter to share
 Reconnect automatically upon reboot
 Tools > Computer Management
 Right-click on folder > ‘Give Access to’
 Shrpubw.exe (Create A Shared Folder Wizard)
 Command Prompt
 net share Name=<path> /grant:User,Permission
 net use (no arguments) lists currently connected shared folders/drive letters
o driveletter path maps specified drive letter to
shared folder
o /persistent:yes reconnect connection at
subsequent login
o Access Methods
 Specifying full UNC path to access the share
 Printer sharing vs. network printer mapping
o Printer sharing allows for locally connected printers to be shared on a
network, like sharing a folder
 Host system must be powered on to use the printer
 Available for all users on the local system
o Network printer mapping
 Network printers are available for the user that installed it
 Establish networking connections
o Control Panel > Network and Sharing Center > Set up a network
connection/network
o VPN
 Encrypted tunnel from your device to an (external) VPN
concentrator, giving access to devices on that remote network
 Integrate smart card for authentication
 Supply Internet address, destination name
 Connect from network status icon, provide credentials to use VPN
concentrator
o Dialups
 Supply Authentication, Phone Number
 Connect/Disconnect with network status icon
o Wireless
 Supply Network name (SSID), Security Type (Encryption
Method), Encryption Type (TKIP/AES), Security Key
o Wired
 Direct connection with Ethernet cable
o WWAN (Cellular)
 WWAN Adapter necessary, Tether or use phone as wireless
hotspot
o Proxy settings
 Control Panel > Internet Options > Connections > Change LAN
settings > Proxy Server
o Remote Desktop Connection
 Non-home editions only
 Allows connection to remote Windows host for full control of GUI
 Local authentication options
 May require port forwarding for remote desktop traffic
o Remote Assistance
 Allows remote desktop connection, requiring request to connect
 Home editions
 One-time remote access
 Single-use password
 Chat, diagnostics, NAT traversal
o Home vs. Work vs. Public network settings
 Home: Network is trusted
 Every system in network will be able to communicate w/o
any restriction to device
 Work:
 See other devices, cannot join a HomeGroup
 Public Network:
 You are invisible; block any external connections
o Profiles for Windows 8/8.1/10
 Private: Sharing/Connections to devices
 Public: No sharing or connectivity
 Network/Internet Status > Change Connection Properties
 Choose profile, modify firewall/security for profile,
customize
 Firewall settings
o Exceptions
 'Block all incoming connections' ignores the exception list and
ensures no incoming traffic
 Exception Types
 Allow/disallow specific applications
 Allow/disallow traffic based on port number
 Predefined exceptions
 Custom Rules
o Configuration: Manually configure to allow/deny applications and network
ports. By default, windows implicitly denies inbound traffic initiated by
external hosts to the local system
o Enabling/disabling Windows Firewall
 Requires elevated permissions
 Configuring an alternative IP address in Windows
o IP addressing: Should always be in same subnet as other hosts and
gateway
o Subnet mask: Should always match between all devices in a subnet
o DNS: Name resolution server, in home use cases this is provided to you by
your ISP
o Gateway: Router that forwards network traffic from local machine to other
remote networks, should be on same subnet as the local host
 Network Adapter properties
o Link Speed & Duplex
 Half duplex: Device can send/receive in only one direction at a
time
 Full duplex: Device can send/receive at the same time
 Auto: Link tries to negotiate Full Duplex. Otherwise, Half duplex
is chosen.
 Both sides of connection must match
o Speed
 Auto: Fastest speed supported by network
o WakeonLAN
 Computer can wake from sleep on receipt of a special frame
 Late-night software updates
 QoS
o Prioritize network traffic
o Infrastructure must support QoS
 Differentiated Services Code Points (DSCP) field in IP header
allows admins to assign priorities to different types of traffic
 IPv4: Type of Service (ToS) field
 IPv6: Traffic class octet
 Manage through local computer policy or group policy
 Computer Configuration > Windows Settings > Policy-
Based QoS
 BIOS (onboard NIC)
o Enable/disable network adapters
1.9 Features/Tools of MacOS and Linux clients
 MacOS Best practices
o Scheduled backups
 Time Machine: Used to automatically back up all system files
(documents, music, pictures, etc) and restore files from backup if
original files are ever corrupted/deleted or the storage device is
erased/replaced
 Deletes oldest data when disk is full
o Scheduled disk maintenance
 Disk Utility
 First Aid: Similar to chkdsk
 Partition, Erase, Restore
o System updates/App Store
 Centralized updates and OS patch management in the App store
application’s “Updates”
 Automatic/Manual
o Driver/firmware updates
 System Information > Hardware: Detailed hardware list
 View only; no configuration
o Antivirus/Antimalware updates
 Third party providers
 Automate your signature updates hourly/daily
 MacOS Tools
o Backup/Time Machine
 Finder UI to restore backups
o Restore/Snapshot
 Snapshots taken if Time Machine Storage isn’t available
o Image recovery
 Disk Utility to build Apple Disk Image (.dmg) files
 Mount on any macOS system; appears as normal file system
 Restore feature in disk utility restores disk image to volume
o Disk maintenance utilities
 Disk Utility
 First Aid
 Modify Partitions
 Create, Convert, and Restore disk images
o Shell/Terminal
 Run scripts, manage files
 Configure OS/application settings
o Screen sharing
 Integrated into OS w/ Screen sharing
 View with VNC (Virtual Network Computing)
 Available devices appear in Finder, or access by IP
address/hostname
o Force Quit
 Stop application from executing
 Command+Option+Escape
 Hold option key while right-clicking app icon in dock
 MacOS Features
o Multiple desktops/Mission Control & Spaces
 Mission Control: Quick-spread of running applications
 Swipe upwards with 3 fingers or control+up arrow
 Spaces: Create multiple logical desktops
o Key Chain
 Centralized password management utility
 Passwords, notes, certificates
 Encrypted with 3DES
 Login password is default key
o Spot Light
 Find files, apps, images
 Magnifying Glass or Command+Space
 System Preferences > Spotlight: Configure Categories
o iCloud
 Integrate macOS with iOS technologies
 Share calendars, photos, documents, contacts
 Backup iOS devices
 Store files in iCloud drive
o Gestures
 Extended trackpad capabilities
 System Preferences > Trackpad for Customization
o Finder
 File manager: Launch, delete, rename
 File servers, remote storage, screen sharing
o Remote Disc
 Use an optical drive from another computer across network
 Designed for copying files from DVD-ROMS (not for audio
CDs/video DVDs)
 Setup sharing in System Preferences > Sharing Options; Appears in
Finder
o Dock
 Fast access to quick launch programs
 View running applications: dot underneath icon
 Move dock to different sides of screen
o Boot Camp
 Dual-boot into Windows on Mac Hardware
 Requires Apple Device Drivers: Run Windows on Apple’s Intel
CPU architecture
 Boot Camp Assistant builds boot camp partition
 Linux Best practices
o Scheduled backups
 tar
 Tape Archive
 Easy to script into backup schedule
 rsync
 Synchronize data between devices
 Instant or scheduled synchronization
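The notes say tar is easy to script into a backup schedule. This is an added example (not from the notes) of what such a script's core looks like: a tar backup of a directory tree with a date-stamped name, a listing check that a scheduled job can log, and a single-file restore. All paths are constructed under a temporary directory; the crontab line in the comment is a constructed illustration of scheduling it.

```shell
# Added example (not from the original notes): a tar backup helper of the kind
# the notes call "easy to script into a backup schedule", plus the verification
# step a scheduled job should log. All paths are constructed under mktemp.
# Constructed crontab line to run such a script nightly at 02:30 (illustration):
#   30 2 * * * /usr/local/bin/backup.sh /srv/data /backups

backup_tree() {
  # $1 = directory to back up, $2 = destination directory. Prints the archive path.
  # -C changes into the parent first, so the archive holds relative paths only
  # (an archive holding absolute paths would overwrite live files on restore).
  stamp="$(date +%Y%m%d-%H%M%S)"
  out="$2/$(basename "$1")-$stamp.tar.gz"
  tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")"
  echo "$out"
}

count_entries() {
  # List the archive without extracting: a clean exit from tar and a sane
  # entry count are the minimum check a backup job should record.
  tar -tzf "$1" | wc -l | tr -d ' '
}

restore_one() {
  # $1 = archive, $2 = member path inside the archive, $3 = directory to restore into.
  # Prints the restored file's contents.
  tar -xzf "$1" -C "$3" "$2"
  cat "$3/$2"
}

# Stand-alone usage with a constructed directory tree
scratch="$(mktemp -d)"
mkdir -p "$scratch/docs/sub" "$scratch/backups" "$scratch/restore"
echo "quarterly report" > "$scratch/docs/a.txt"
echo "meeting notes"    > "$scratch/docs/sub/b.txt"
archive="$(backup_tree "$scratch/docs" "$scratch/backups")"
echo "entries:  $(count_entries "$archive")"                                  # 4
echo "restored: $(restore_one "$archive" docs/sub/b.txt "$scratch/restore")"  # meeting notes
rm -rf "$scratch"
```

The entry count is 4 because tar lists the directories (docs/, docs/sub/) as well as the two files; a job that records this count day to day makes a silently empty backup easy to spot.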
o Scheduled disk maintenance
 Check File system
 Ensure partition isn’t mounted
 Done automatically after X number of reboots
 sudo touch /forcefsck
 Cleanup log space in /var/log
o System updates/App Store
 apt-get, yum
 Software Updater
 Patch management: Schedule updates
 Linux Software Center
o Patch management
o Driver/firmware updates
 Many drivers integrated into kernel, update when kernel updates
 Software updates/command line
o Antivirus/Antimalware updates
 ClamAV
 Always update signature database, always use real-time scanning
 Linux Tools
o Backup
 Graphical utilities, rsync CLI utility
o Restore/Snapshot
o Image recovery
 dd converts and copy a file; allows for imaging, backup/restore of
partition
 GNU parted, Clonezilla can image drives
o Disk maintenance utilities
 Clean up /var/log regularly with a cron job
 File System Check done automatically every X number of reboots
 Force after reboot with sudo touch /forcefsck
o Shell
 OS maintenance, run scripts, manage files
o Screen sharing
 UltraVNC, Remmina may be included with
o Force Quit
 Linux Features
o Multiple desktops/Mission Control
o Key Chain
o Spot Light
o iCloud
o Gestures
o Finder
o Remote Disc
o Dock
o Boot Camp
 Basic Linux commands
o ls List names of files and directory contents
 -a displays all files and directories, including hidden content
 -l displays extended information, including the owner, modified
data, size, permissions
 -R recursively displays the contents of a directory and all of its
subdirectories
 -d displays only directories
 -s sorts files by size
 -X sorts by extension
 -r reverses the sort order
 Options
 q/Ctrl-c to exit
o grep searches through files for a specified character string
 Syntax: grep string [file]
 grep failed auth.log
 grep Warning install.log
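The `grep failed auth.log` line above is what a defender runs to triage login failures. As an added example (not from the notes), this runs grep over a constructed auth.log, counts the failed password attempts and pulls out the source address that produced most of them. The log lines are constructed sample data in sshd's format, not real captures; the IP addresses are documentation ranges.

```shell
# Added example (not from the original notes): triage a constructed auth.log
# with grep, the way a defender counts failed logins and finds their source.
# All log lines below are constructed sample data, not real captures.

make_sample_auth_log() {
  # $1 = path to write; lines mimic the sshd format on a Debian-style host
  cat > "$1" <<'EOF'
Mar  3 10:01:12 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 52212 ssh2
Mar  3 10:01:15 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 52214 ssh2
Mar  3 10:02:40 host1 sshd[2114]: Accepted publickey for alice from 198.51.100.20 port 40102 ssh2
Mar  3 10:03:01 host1 sshd[2120]: Failed password for root from 203.0.113.7 port 52230 ssh2
Mar  3 10:05:33 host1 sshd[2133]: Failed password for bob from 192.0.2.55 port 61000 ssh2
Mar  3 10:06:00 host1 CRON[2140]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

count_failed_logins() {
  # grep -c prints the number of matching lines; -i makes "failed" match "Failed"
  grep -ci 'failed password' "$1"
}

top_failed_source() {
  # Keep only failed lines, cut out the IP after "from " (-o prints just the
  # match, -E enables the extended regex), then count and rank the addresses.
  grep -i 'failed password' "$1" \
    | grep -oE 'from [0-9.]+' \
    | awk '{print $2}' \
    | sort | uniq -c | sort -rn \
    | awk 'NR==1 {print $2}'
}

# Stand-alone usage
tmp_log="$(mktemp)"
make_sample_auth_log "$tmp_log"
echo "failed logins: $(count_failed_logins "$tmp_log")"   # 4
echo "top source:    $(top_failed_source "$tmp_log")"     # 203.0.113.7
rm -f "$tmp_log"
```

Three of the four failures come from one address; the same pipeline run against the real /var/log/auth.log (root or adm group membership needed to read it) is the quickest way to see whether a burst of failures is one host hammering the service or many.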
o cd changes directories
 cd .. changes to the parent directory
 cd ../.. changes two levels up in the directory
 cd / changes to the root directory
o shutdown Shutdown system
 -r reboot
 -c cancel shutdown
 -h halt system
 -h|-r +m [message] delays the halt/reboot by m minutes, optionally
broadcasting a message to logged-in users
o pwd vs. passwd
 pwd “print working directory” displays currently working
directory
 -L uses pwd from environment, even if it contains symlinks
 -P avoid all symlinks
 --help display this help and exit
 --version output version information and exit
 passwd assigns or changes a password for a user
 no options changes current user’s password
 -S username displays the status of the user account
o LK indicates that the user account is locked
o PS indicates that the user account has a password
 -l disables (locks) an account, inserting a !! before the
password in the /etc/shadow file
 -u enables (unlocks) an account
 -d removes the password from an account
 -n sets the minimum number of days a password exists
before it can be changed
 -x sets the number of days before a user must change the
password (password expiration time)
 -w sets the number of days before the password expires
that the user is warned
 -i sets the number of days following the password
expiration that the account will be disabled
o mv moves/renames directories by erasing the source directory and copying
it to the destination
 -f overwrites a directory that already exists in the destination
directory without prompting
 -i prompts before overwriting a directory in the destination
directory
 -n never overwrites files in the destination directory
o cp copies files/directories, leaving the source intact
 -R recursively copy subdirectories/files within the directory
 -f overwrites files that already exist in the destination directory
 -i prompts before overwriting a file in the destination directory
o rm removes a file/directory from the file system, making it inaccessible
 Only deletes the file/directory inodes but doesn’t delete the data; use
shred instead
 -i prompts before removing
 -r recursively removes directories, subdirectories, and files within
them
 -f eliminates prompt for read-only files and avoids an exit code
error if a file doesn’t exist
o chmod ‘change mode’ permissions for specified file
 must be owner of object or be logged in as root to use
 entity+permission adds permission for user, group, or other to
object
 chmod g+w project_design.odt
 chmod g+w /hr/* adds write group permission to all files in
the /hr directory
 entity-permission removes permission for user, group, or other to
object
 entity=permission sets permission equal to permission specified for
user, group, or other to object
 chmod u=rw,g=r,o=r project_design.odt (no spaces after the commas)
 Do not get tripped up by this syntax; ‘o’ does not represent
owner, but others. ‘u’ represents owner.
 ‘x’ if you want to manipulate execute permission
 decimal_value sets permissions for the file according to the
numbers represented for each mode entity
 -R sets permissions recursively
 can use numerical syntax with chmod command to represent entire
mode
 chmod 660 project_design.odt
o chown ‘change ownership’ of a file or directory
 -R changes ownership of the file recursively throughout directory
tree
 user changes the file ownership only
 user.group changes the user/group ownership of the file
 .group changes the group ownership only
 chown pmaxwell.sales /sales/report makes pmaxwell user and
sales group the owners of the file
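The chmod and chown forms in the two lists above, exercised on throwaway files so the resulting mode can be read back and checked. This is an added example (not from the notes); it runs as an ordinary user, and the chown step only assigns the invoking user's own uid:gid, which needs no root (changing a file to another user, as in the pmaxwell.sales example, does).

```shell
# Added example (not from the original notes): the chmod and chown forms from
# the lists above, run on throwaway files under a temporary directory, with the
# resulting mode read back so each step can be checked.

mode_of() {
  # Print the permission bits in octal (GNU stat first, BSD/macOS stat as fallback)
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

demo_chmod() {
  # $1 = scratch directory. Prints the octal mode after each step, space-separated.
  f="$1/project_design.odt"
  : > "$f"
  chmod 600 "$f"                  # known starting point: owner read/write only
  chmod g+w "$f"                  # entity+permission: group gains write        -> 620
  m1="$(mode_of "$f")"
  chmod u=rw,g=r,o=r "$f"         # entity=permission: set exactly; no spaces after
  m2="$(mode_of "$f")"            # the commas, or chmod treats g=r as a filename -> 644
  chmod 660 "$f"                  # numeric form: rw for user and group, none for others
  m3="$(mode_of "$f")"
  chmod o-r,u+x "$f"              # entity-permission and + combined             -> 760
  m4="$(mode_of "$f")"
  printf '%s %s %s %s\n' "$m1" "$m2" "$m3" "$m4"
}

demo_chmod_recursive() {
  # -R walks the whole tree: here the group gains write on every file under hr/.
  # Prints the modes of the top-level file and the nested file.
  d="$1/hr"
  mkdir -p "$d/archive"
  : > "$d/plan.txt"
  : > "$d/archive/old.txt"
  chmod 750 "$d" "$d/archive"
  chmod 640 "$d/plan.txt" "$d/archive/old.txt"
  chmod -R g+w "$d"
  printf '%s %s\n' "$(mode_of "$d/plan.txt")" "$(mode_of "$d/archive/old.txt")"
}

demo_chown() {
  # user:group form (the notes' user.group spelling is the older GNU syntax).
  # Numeric ids are used so it works even where the account has no name entry.
  # Prints the file's uid:gid afterwards.
  f="$1/report"
  : > "$f"
  chown "$(id -u):$(id -g)" "$f"
  stat -c '%u:%g' "$f" 2>/dev/null || stat -f '%u:%g' "$f"
}

# Stand-alone usage
scratch="$(mktemp -d)"
echo "chmod steps:       $(demo_chmod "$scratch")"            # 620 644 660 760
echo "recursive g+w:     $(demo_chmod_recursive "$scratch")"  # 660 660
echo "owner after chown: $(demo_chown "$scratch")"
rm -rf "$scratch"
```

Reading the mode back with stat after each change is the habit worth keeping: a typo such as 666 instead of 660 silently hands write access to everyone on the system.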
o iwconfig/ifconfig
 iwconfig Displays and changes the parameters of the wireless
network interfaces
 ifconfig configure network interfaces or display status of currently
active interfaces
o ps Show currently running processes, displayed statically
 -A show all
 -a show processes in current session owned by current user
 -f show detailed output
 -u show processes by UID
 -l show in long format
 -x show processes not attached to terminal
o su switches users at the shell prompt; sudo runs a command with root (superuser) privileges
o apt-get downloads and installs packages
 automatically resolves package dependencies when installing,
updating, and removing packages
 gets information about application repositories from
/etc/apt/sources.list
 Syntax: apt-get options command package_name
o vi: starts vi text editor when used without options, or when used with
[file_name], immediately begins working on named file
o dd used to copy/convert data using records/blocks (exact copy), great for
non-traditional file copying such as:
 backup and restoring the entire disk/partition
 dd if=device_file of=output_file
 backup the MBR (Master Boot Records)
 dd if=device_file of=output_file bs=512 count=1
 copy/convert magnetic tape format
 convert between ASCII/EBCDIC format
 convert lowercase to uppercase
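The two dd invocations listed above (whole-disk copy, and the bs=512 count=1 form that captures exactly the MBR sector), run against a constructed 4 KiB image file that stands in for a disk. This is an added example and not from the notes; it also serves the "Image recovery" item in the Linux tools list. On a real system if= would be a device such as /dev/sda; here everything stays inside a temporary directory, so nothing on the host is touched.

```shell
# Added example (not from the original notes): the two dd forms from the list
# above, run against a constructed image file instead of a real device.

make_fake_disk() {
  # $1 = image path. Eight 512-byte sectors of zeros; sector 0 gets a label and
  # the 0x55AA boot signature at bytes 510-511, where a real MBR carries it.
  dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
  printf 'CONSTRUCTED-MBR' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

backup_first_sector() {
  # $1 = image, $2 = output file. bs=512 count=1 reads exactly one sector,
  # which is why this is the "back up the MBR" invocation. Prints bytes saved.
  dd if="$1" of="$2" bs=512 count=1 2>/dev/null
  wc -c < "$2" | tr -d ' '
}

clone_disk() {
  # $1 = source, $2 = destination: the whole-device "dd if=... of=..." form.
  # Prints "identical" when the byte-for-byte comparison passes.
  dd if="$1" of="$2" 2>/dev/null
  if cmp -s "$1" "$2"; then echo identical; else echo different; fi
}

boot_signature() {
  # Hex of bytes 510-511 of $1: "55aa" when a boot signature is present.
  od -An -tx1 -j510 -N2 "$1" | tr -d ' \n'
}

restore_first_sector() {
  # $1 = saved sector, $2 = damaged image. conv=notrunc keeps the rest of the
  # image intact; without it dd would truncate the target to 512 bytes.
  dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
  boot_signature "$2"
}

# Stand-alone usage
scratch="$(mktemp -d)"
img="$scratch/disk.img"; mbr="$scratch/mbr.bin"; clone="$scratch/clone.img"
make_fake_disk "$img"
echo "sector bytes saved: $(backup_first_sector "$img" "$mbr")"        # 512
echo "clone check:        $(clone_disk "$img" "$clone")"                # identical
dd if=/dev/zero of="$clone" bs=512 count=1 conv=notrunc 2>/dev/null   # simulate a wiped MBR
echo "after wipe:         $(boot_signature "$clone")"                   # 0000
echo "after restore:      $(restore_first_sector "$mbr" "$clone")"      # 55aa
rm -rf "$scratch"
```

The restore step is where conv=notrunc matters: dd opens of= for writing and, without that flag, truncates it first, so writing a 512-byte backup "back" onto a disk image would otherwise leave a 512-byte file.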
o kill terminates a process using a PID and specific kill signal
 -l lists all signals available for the kill command
 The most commonly used options:
 sighup (1) ‘signal hang up’ tells process to restart with
exactly the same PID number
 sigint (2) stops a process as if the Ctrl+c combination has
been used; recommended as a first choice when a process
won’t stop with its exit function or init script
 sigkill (9) forcibly stops a process when it is
unresponsive to other options for exiting/killing it
o Does not give the process an opportunity to clean
up any resources it is using, such as memory
o Use as a last resort
 sigterm (15) stops process cleanly by giving it a chance to
release the resources allocated to it
o Default signal used by kill command if no signal
specified
o Can be tried if -2 option fails to kill process
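The difference between sigterm (15) and sigkill (9) described above, shown on a throwaway background shell loop. This is an added example, not from the notes. The "polite" worker traps TERM, writes a marker file (standing in for releasing its resources) and exits; the "stubborn" worker ignores TERM, which is what an unresponsive process looks like, so only SIGKILL removes it, and it never gets to clean up.

```shell
# Added example (not from the original notes): SIGTERM versus SIGKILL as
# described above, using a background shell loop as the process.

send_and_observe() {
  # $1 = scratch dir, $2 = polite|stubborn, $3 = signal number (15 or 9).
  # Prints "exited" if the worker is gone afterwards, "running" if not.
  marker="$1/cleaned_$2"
  rm -f "$marker"
  if [ "$2" = polite ]; then
    # $0 of the inner sh is the marker path; the trap writes it, then exits
    sh -c 'trap "echo cleaned > $0; exit 0" TERM; while :; do sleep 0.1; done' \
      "$marker" >/dev/null 2>&1 &
  else
    sh -c 'trap "" TERM; while :; do sleep 0.1; done' >/dev/null 2>&1 &
  fi
  pid=$!
  sleep 0.2                       # let the worker install its trap first
  kill -"$3" "$pid"               # kill -15 / kill -9 as in the list above
  sleep 0.5                       # time for a cooperative process to act
  if kill -0 "$pid" 2>/dev/null; then
    echo running
    kill -9 "$pid" 2>/dev/null    # do not leave the loop behind
    wait "$pid" 2>/dev/null || true
  else
    wait "$pid" 2>/dev/null || true   # reap it; the exit status is not needed
    echo exited
  fi
}

cleanup_ran() {
  # "yes" if the worker of kind $2 got to run its cleanup before exiting
  if [ -f "$1/cleaned_$2" ]; then echo yes; else echo no; fi
}

# Stand-alone usage
scratch="$(mktemp -d)"
echo "polite   + TERM: $(send_and_observe "$scratch" polite 15), cleanup: $(cleanup_ran "$scratch" polite)"      # exited, yes
echo "stubborn + TERM: $(send_and_observe "$scratch" stubborn 15)"                                               # running
echo "stubborn + KILL: $(send_and_observe "$scratch" stubborn 9), cleanup: $(cleanup_ran "$scratch" stubborn)"   # exited, no
rm -rf "$scratch"
```

The stubborn worker survives kill -15 because a process may ignore or trap SIGTERM; it cannot ignore SIGKILL, but it also never runs its cleanup, which is the reason the notes make -9 the last resort.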
2.0 Security
2.1 Physical Security Measures
 Access control vestibule (Mantrap)
o One door open, other door locked
 Security guard
o Validates identification of existing employees and provides guest access
 May be in charge of entry control roster, ID card distribution
 Door lock
o Deadbolt
o Electronic (PIN)
o Hardware tokens: Key fobs, RFID chips, Smart cards
o Biometric readers
 Cable locks
o Tether hardware devices to stations
o Not designed for long-term protection
 Server locks
o Prevent access to server system
 USB locks
o Prevent access to USB interfaces
 Privacy screen
o Prevents shoulder surfing
2.2 Logical Security Concepts
 Active Directory
o Centralize logins via user objects and security principals, which are
configured on the domain controller
o Login script
 Map network drives
 Update security software signatures
 Update application software
o Group Policy/Updates
 Define specific policies
 Password complexity
 Login restrictions
o Organizational Units
 Active Directory database often separated into organizational units
(departments, locations)
o Assign a network share as the user’s home
o Folder redirection
 Software tokens
o Something-you-have authentication
o Software tokens are device-specific and can’t be duplicated
 MDM policies
o Manage company-owned and user-owned mobile devices by setting
policies on apps, data, camera, etc or ensuring access control policies are
followed (screen locks, PINs)
 Require devices to meet certain OS version, have certain
applications installed, have certain antivirus/firewall configurations
 Port security
o Prevent unauthorized users from connecting to switch interface
 Alert/disable port upon activation
 Set unique rules for interface
o Based on source MAC address
 MAC address filtering
o Limit access through physical hardware address, allowing administrator to
keep list of allowed MAC address on network
 Spoofing an allowed address circumvents the filter (“security through obscurity”)
 Certificates
o Digitally signed document which verifies the identity of an entity
o Issued by certificate authorities (CA) (GoDaddy, Verisign, etc) who serve
as verifiers for the organization’s/individual’s identity; the CA digitally
signs the certificate, and the certificate is verified with the authority’s
public key
 Common implementation: Windows may issue warnings when
attempting to install unsigned apps from a website
 Antivirus/Antimalware
o Antivirus signatures must be updated frequently; Large organizations need
enterprise management and additional management for BYOD
 Track updates, push updates, confirm updates, manage engine
updates
 Firewalls
o Host-based firewalls can stop unauthorized network access statefully or
block traffic by application
o Network-based firewalls filter traffic by port number, inbound/outbound
traffic must traverse firewall
 Traffic may be blocked by application
 Can encrypt traffic into/out of network to protect traffic between
site
 Can proxy traffic
o Layer 3 devices (routing/NAT)
 User authentication/strong passwords
o Unique identifier assigned to a login
 Windows: Every account has a SID (security identifier)
 Credentials are used to authenticate user
 Password, smart card, PIN code, etc
o Passwords need complexity and constant refresh
 Multifactor authentication
o Something you are, something you have, something you know, somewhere
you are, something you do
 Directory permissions
o Dictate who can access, modify, and administer files
 NTFS provides much more flexibility than FAT
 Lock-down access w/ granular controls
 Prevent accidental modification/deletion
o User permissions
 Frequent audits to ensure users have correct permissions
 VPN
o Encrypt (private) data traversing a network
o Concentrator: Encryption/decryption access device
 DLP
o Data Loss Prevention software is designed to detect and prevent data
leakage (whether intentional or unintentional) via common transmission
channels like email and IM, blocking sensitive data while in use, in
motion, and at rest
 Prevent employees from revealing TMI
 Access control lists
o Composed of access control entries that target a particular system resource
and specify access rights allowed, denied, or audited for a trustee
 Seen in firewalls, which filter inbound and outbound traffic and determine if
data should be blocked/forwarded based on configured rules
o Will always include an implicit DENY ANY statement at the end of the list
or until new rules are added
 Smart card
o Physical card can authenticate to system/network/etc
 Digital certificate
o Multi-factor authentication
 Email filtering
o Necessary implementation, can be in the form of an Email Gateway that
sits on the edge of a network to prevent phishing/spam emails from
reaching users’ inbox
 Trusted/untrusted software
o What designates software as ‘trusted’ or ‘untrusted’ may often times
depend on the application’s digital certificate status
 Principle of Least Privilege
o Grant only the privileges to information and resources necessary for a user’s
role and function.
 Though it may seem tempting, it is generally very insecure to
configure all users on a system as administrators. When users run
tasks as administrators, they invoke the tasks with administrative
privileges. Administrative privileges offer extended control over the
system; malware takes advantage of administrative privileges
extensively
2.3 Compare/Contrast Wireless security protocols, authentication methods
 Protocols and encryption
o WEP
o WPA
 Replacement for WEP’s cryptographic vulnerabilities
 RC4 with TKIP integrity protocol
 IV vector is larger with encrypted hash
 Every packet gets 128-bit encryption key
o WPA2
 AES with CCMP block cipher mode
 128-bit key and 128-bit block size
 Authentication and access control
 WPA2-PSK (Personal)
 Pre-shared key, everyone uses same 256-bit key
 WPA2-802.1x (Enterprise)
 Authenticates users individually with centralized
authentication server (RADIUS, TACACS+)
o TKIP
 Mixing of secret root key with IV
 Add a sequence counter, prevents replay attacks
 64-bit Message Integrity Check to protect against tampering
 Deprecated in 2012
o AES
 Encryption; for data confidentiality
 Authentication
o Single-factor
o Multifactor
 Something you are
 Something you know
 Something you have
 Somewhere you are
 Something you do
o RADIUS
 AAA protocol; centralizes authentication for users
 Switches, VPN concentrators, WAPs, and firewalls
communicate/authenticate w/ RADIUS protocol
 802.1x
o TACACS+
 Remote authentication protocol
 More authentication requests and response codes
2.4 Detect, remove, prevent malware with appropriate tools/methods
 Malware
o Ransomware
 Fake-messages
 Crypto-malware: Data encrypted until user provides ransom for
decryption key
o Trojan
 Software that pretends to be another application
o Keylogger
 Keystroke, clipboard, screen, IM, search engine query logging
o Rootkit
 Modifies OS kernel (invisible)
 Won’t leave any footprint, not even in Task Manager
o Virus
 Malware that spreads with user intervention
 Can reproduce through executables, file systems, or
network
o Boot sector viruses
o Script viruses
o Macro viruses
o Botnet
 Collections of compromised systems used in DDoS attacks
o Worm
 Malware that self-replicates without need for human intervention,
using network as transmission medium
 Can be used to accelerate DDoS/DoS infection
 Firewalls and IDS/IPS
o Spyware
 Browse monitoring
 Keyloggers
 Trick into installing other malware
 Tools and methods
o Antivirus/Antimalware
 Identify malicious software in memory
 Real-time, on demand scans
 Doesn’t require exact signature
o Recovery console
 Complete control over OS
 Remove malicious software
 Repair file boot sector/master boot record
 Enable/disable service startup
 Boot from installation media or select from F8 advanced boot
menu
 Troubleshoot > Advanced Options > Command Prompt
o Backup/restore
 Image backup built into Windows
o End user education
 Feedback: Login messages
 Personal training
o Software firewalls
 Monitor outbound/inbound traffic and prevent malware
communication
 Runs by default
o DNS configuration
 External/Hosted DNS security service
 Block harmful domains & websites
 Avoid DNS cache poisoning attacks
2.5 Compare and contrast social engineering, threats, vulnerabilities
 Social engineering
o Phishing
 Attacker sends fake email to steal info from target
o Spear phishing
 Attack that leverages highly targeted information
o Whaling
 Attack on highly powerful individuals (CIOs, CEOs, etc)
o Impersonation
o Shoulder surfing
o Tailgating
 Attacker follows trusted employee inside area of access where they
shouldn’t be
o Dumpster diving
 DDoS
o Uses many compromised hosts to perform an attack to overwhelm a server
to the point of preventing it from being able to serve end users
 DoS
o usually performed from single systems; uses a host to perform an attack to
overwhelm a server to the point of preventing it from being able to serve
end users
 Zero-day exploits
o Difficult to defend against since these attacks exploit very recently
discovered vulnerabilities; should be addressed via a layer of security which
doesn’t rely on vulnerability patching (firewalls)
 On-path attack (previously known as man-in-the-middle attack)
o Attacker intercepts transmissions between 2 devices; sits in-between a
communication session for the purpose of capturing data or modifying
data-in-transit
 IP, DNS, HTTPS spoofing, SSL & Email hijacking, Browser
Session Hijacking
 Brute force
o Attacker utilizes program to input every known combination of [common]
passwords
 Dictionary
o Attacker utilizes program to input known dictionary words as passwords;
type of brute-force attack
 Rainbow table
o Table of passwords and their generated hashes that attackers use to match
hashes instead of the actual password
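Why a per-user salt is the standard defence against the rainbow table just described, as an added example that is not part of the notes. The "table" is a constructed three-entry list of SHA-256 digests of common passwords, the lookup is a plain grep, and the salt is a fixed constructed value; real systems draw a random salt per account and use a slow password hash (bcrypt, scrypt, Argon2) rather than bare SHA-256.

```shell
# Added example (not from the original notes): a precomputed hash table only
# works when the stored digest was computed over the password alone; a salt
# changes the input, so the attacker's table no longer matches.

if ! command -v sha256sum >/dev/null 2>&1; then
  sha256sum() { shasum -a 256; }   # macOS fallback, same output format
fi

hash_pw() {
  # $1 = password, $2 = optional salt; prints the hex digest of salt+password
  printf '%s%s' "$2" "$1" | sha256sum | cut -d' ' -f1
}

build_table() {
  # $1 = output path. A precomputed "digest password" list built from three
  # constructed common-password guesses, with no salt (the attacker has none).
  : > "$1"
  for pw in password 123456 letmein; do
    printf '%s %s\n' "$(hash_pw "$pw")" "$pw" >> "$1"
  done
}

lookup() {
  # $1 = table, $2 = stored digest. Prints the matching password or "miss".
  hit="$(grep "^$2 " "$1" | cut -d' ' -f2)"
  if [ -n "$hit" ]; then echo "$hit"; else echo miss; fi
}

# Stand-alone usage
tbl="$(mktemp)"
build_table "$tbl"
stored_unsalted="$(hash_pw letmein)"
stored_salted="$(hash_pw letmein 'c0nstructed-salt')"
echo "unsalted store: $(lookup "$tbl" "$stored_unsalted")"   # letmein: the table matches at once
echo "salted store:   $(lookup "$tbl" "$stored_salted")"     # miss: same password, different digest
rm -f "$tbl"
```

The same password produces two different digests, and only the unsalted one is in the table; with a distinct salt per account an attacker would need a separate table per user, which removes the precomputation advantage entirely.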
 Spoofing
o Associated w/ man-in-the-middle attacks
 Noncompliant systems
o [Often] Third party devices brought into an organization’s network that
violate or do not meet current security standards
 Likely unpatched with the latest updates; serve as a gateway for
potential attackers to break into the organization’s network
 Zombie
o Malware-infected devices that perform DDoS/DoS attacks
2.6 Compare and contrast Windows security settings
 User and groups
o Administrator
 Every Windows installation has one
 Full control of files, directories, services, resources on local system
o Power user
 In Windows 7 and above, exist for legacy purposes and are configured to be the
same as standard users unless explicitly assigned additional rights
 Ability to Run legacy applications, install programs that don’t
modify system files/services, customize control panel resources
create/manage local users & groups, stop/start system services
o Guest
 Allows users to use system without being able to change PC
settings, install apps, access private files
 Best practice is to disable as by default it has blank
password
o Standard user
 Prevented from making system-wide changes
 NTFS vs. share permissions
o Allow vs. deny
 NTFS permission precedence is as follows
 Explicit Deny
 Explicit Allow
 Inherited Deny
 Inherited Allow
 Deny permissions assigned to individual users overrides allow
permissions assigned to groups
o Moving vs. copying files
 Copying/Moving files to non-NTFS partitions: All permissions are
removed
 Copying/Moving files to different NTFS partitions: File inherits
permissions assigned to parent partitions and folders, but explicit
permissions are removed
 Moving files to different folder on same NTFS partition: Explicit
permissions are kept
 Copying files to different folder on same NTFS partition: Explicit
permissions are removed
 Maintain NTFS permissions with xcopy, robocopy
o File attributes
 Behavior modifiers for individual files/folders in the filesystem
 Every object on NTFS has a DACL that specifies 1) who can or
can’t access it 2) what level of access they have
 Permissions are inherited by default, but inheritance can be
blocked; the inherited entries are then either converted to explicit
entries or removed
o NTFS Permission Levels
 Full Control
 Modify
 Read and Execute
 List Folder Contents
 Read
 Write
o Share Permission Levels
 Read
 Change (add/delete)
 Full control (modify share level)
 Shared files and folders
o Administrative shares vs. local shares
 Shares can’t be renamed
 Administrative shares are designed to be accessed remotely by
network administrators; hidden network share
 Local shares allow access to the folder being actively shared, e.g.,
‘Pictures’
 Either read only or full access permissions
 Prereq: Enable Network discovery and file and printer
sharing
o Permission propagation
 Share permissions run alongside NTFS permissions; the effective
permissions are the most restrictive of the two, hence typical
implementations have the least restrictive share permissions applied
combined with the most restrictive NTFS permissions
 Shared folder permissions apply to users who connect to
the share VIA THE NETWORK; in other words, denying
access to users via shared permissions has no effect on
their ability to access files locally
 Basic Share Wizard sets matching NTFS permissions
 Advanced Sharing requires you to configure NTFS permissions
separately
 When combined with NTFS permissions, the most
restrictive policy is always chosen
o Inheritance
 Shared permissions are inherited at the folder level
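The precedence rules and the share/NTFS combination above are easy to get wrong when reading an ACL by hand. The following is an added example (not from the notes, and not how Windows is implemented internally) that models those rules: a DACL is a tuple of ACEs, ACEs are evaluated in the order Explicit Deny, Explicit Allow, Inherited Deny, Inherited Allow, no matching ACE means implicit deny, and over the network the effective right is the intersection of the NTFS result and the share level. The `SHARE_LEVELS` mapping, the sample DACL and the user tokens are constructed for the demonstration.

```python
"""Model of NTFS ACE precedence and share/NTFS combination (added example)."""
from dataclasses import dataclass

# Order in which ACEs are evaluated: the first ACE that matches both the
# principal and the requested right decides the outcome.
PRECEDENCE = (
    (True, "deny"),     # explicit deny
    (True, "allow"),    # explicit allow
    (False, "deny"),    # inherited deny
    (False, "allow"),   # inherited allow
)

# Simplified rights granted by each share permission level (assumed mapping).
SHARE_LEVELS = {
    "Read": frozenset({"read"}),
    "Change": frozenset({"read", "write", "delete"}),
    "Full Control": frozenset({"read", "write", "delete", "change_permissions"}),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry in a DACL."""
    principal: str      # user or group name
    kind: str           # "allow" or "deny"
    rights: frozenset   # rights this ACE covers
    explicit: bool      # True if set on the object itself, False if inherited


def ntfs_effective(dacl, principals, right):
    """Return True if `right` is granted to a token holding `principals`.

    ACEs are checked in PRECEDENCE order; if no ACE matches at all the
    result is an implicit deny, as on NTFS.
    """
    for explicit, kind in PRECEDENCE:
        for ace in dacl:
            if (ace.explicit == explicit and ace.kind == kind
                    and ace.principal in principals and right in ace.rights):
                return kind == "allow"
    return False


def effective_access(dacl, share_level, principals, right, via_network):
    """Combine NTFS and share permissions: the most restrictive wins.

    Share permissions only apply to access over the network; a local logon
    is governed by the NTFS DACL alone.
    """
    ntfs_ok = ntfs_effective(dacl, principals, right)
    if not via_network:
        return ntfs_ok
    return ntfs_ok and right in SHARE_LEVELS[share_level]


# Constructed sample DACL for a shared folder (not taken from the notes).
SAMPLE_DACL = (
    Ace("Users", "allow", frozenset({"read", "write"}), explicit=False),
    Ace("Contractors", "deny", frozenset({"write", "delete"}), explicit=True),
    Ace("Admins", "allow",
        frozenset({"read", "write", "delete", "change_permissions"}), explicit=True),
)
ALICE = frozenset({"alice", "Users", "Contractors"})   # contractor, also in Users
BOB = frozenset({"bob", "Users"})                        # regular employee


if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB)):
        for right in ("read", "write"):
            local = effective_access(SAMPLE_DACL, "Read", token, right, via_network=False)
            remote = effective_access(SAMPLE_DACL, "Read", token, right, via_network=True)
            print(f"{name:6} {right:5} local={local!s:5} over share(Read)={remote}")
```

Running it shows the two points the notes make: alice loses write because the explicit deny on Contractors beats the inherited allow on Users, and bob keeps write locally but not through a share set to Read.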
 User authentication
o Single sign-on, Kerberos, TLS/SSL, PKU2U, etc.
 Run as administrator vs. standard user
o Follow principle of least privilege by running applications as standard user
(unless absolutely necessary)
 BitLocker
o Encrypts all data on volume, utilizing TPM chip to facilitate moving of
disk to another computer
 BitLocker To Go
o Removable encrypted storage; decrypt with smart card or password
 EFS
o File-level encryption for volumes formatted with NTFS; EFS files can
be opened only by EFS key holders, i.e., the user who encrypted them
 Green file names
2.7 Implement security best practices on workstation
 Password best practices
o Setting strong passwords
o Password expiration
o Screensaver required password
o BIOS/UEFI passwords
o Requiring passwords
 Account management
o Restricting user permissions
o Logon time restrictions
o Disabling guest account
o Failed attempts lockout
o Timeout/screen lock
o Change default admin user account/password
 Basic Active Directory functions
o Account creation
o Account deletion
o Password reset/unlock account
 Disable account
o Disable Guest Accounts
 Disable autorun
 Data encryption
 Patch/update management
2.8 Implement methods for securing mobile devices
 Screen locks
o Fingerprint lock
 Most secure
o Face lock: Facial recognition
o Swipe lock: Pattern
o Passcode lock: PIN
 Remote wipes
o Wipe phone
 Locator applications
o GPS
o Find phone on map, control from afar
 Remote backup applications
o Automatic backups to cloud
 Failed login attempts restrictions
o iOS: Erase after 10 failed attempts
o Android: Lock device and require Google login
 Antivirus/Antimalware
 Patching/OS updates
o Security updates
o OS updates: Stability, new features, bug fixes
 Biometric authentication
o Can be circumvented
 Full device encryption
o iOS: Personal data is encrypted with passcode
 Multifactor authentication
o Third-party email clients may not be compatible with multi-factor
authentication
 Invalid credentials
 Authenticator applications
o Token generators
 Trusted sources vs. untrusted sources
o Android apps can be sideloaded, which is an entry point for malware
 Firewalls
o Most activity is outbound, not inbound
o Enterprise environment firewall
 Policies and procedures
o BYOD vs. corporate-owned
 Mobile Device Manager (MDM) to maintain integrity of personal
and corporate data
 Centralized management
2.9 Implement appropriate data destruction and disposal methods
 Physical destruction
o Shredder
o Drill/hammer
o Degaussing
 Remove magnetic field to destroy drive data/electronics
 Does NOT affect SSDs
o Incineration
 Totally destroys SSD data
o Certificate of destruction
 Verifies asset destruction, listing serial numbers of involved
devices and describing destruction method, specifies location (on-
site/off-site), witnesses
 Recycling or repurposing best practices
o Low-level format vs. standard format
 High-level format (Quick Format): Sets up the file system and
boot sector and deletes the index (master file table) of files, but
doesn’t erase the disk data
 Low-level format (Standard format): Prevents data recovery by
overwriting sectors with zeros
o Overwrite
 File level overwriting: Sdelete (Sysinternals)
o Drive wipe
 Whole drive wipe: DBAN
2.10 Configure security on SOHO wireless and wired networks
 Wireless specific
o Change default SSID
o Setting encryption
 Pre-shared passphrase or user-specific; only those with credentials
can utilize network
o Disabling SSID broadcast
 Security-through-obscurity
o Antenna and access point placement
 Prevent war driving
 Place in centralized location, one that allows most coverage to
devices
o Radio power levels
 Prevent War driving
 Prevent others from picking up on on unreasonably high radio
levels and attempting to gain access, while at the same time, having
radio power levels high enough to ensure sufficient coverage to
devices within your organization
o WPS (Wi-Fi Protected Setup)
 Allows easy setup of devices to existing network without long
passwords
 PIN design flaw: effectively only 11k combinations, so attackers
could brute force it
 Or Push a button available on router and device to
establish connection
 Change default usernames and passwords on WAP
o Default usernames/passwords for routers are documented extensively
online.
 Enable MAC filtering
o Allow/disallow access based on MAC address
o Security-through-obscurity
 Assign static IP addresses
o Disable DHCP (which is almost always on by default on a SOHO router),
manually assign static IP addresses
 Firewall settings
o Filter specific traffic
o Inbound traffic defines what traffic comes in to the local network
o Outbound traffic defines what traffic comes out of local network
 Port forwarding/mapping
o Allows specific types of traffic from the WAN (internet) to a server
with a private IP address, keeping firewall protections in place
 Maps external port number to IP address and port number on
internal network
o Should be disabled if you’re not hosting any services within your network
o Commonly used to host web server on internal private network
 Disabling ports
o Disable unnecessary ports to reduce attack surface
 Content filtering/parental controls
o Block websites by URL or other criterion
 Update firmware
o Should be done routinely as most exploits take advantage of outdated
firmware
 Physical security
o Limit excess interfaces that may allow access to the network, if necessary
3.0 Software Troubleshooting
3.1 Troubleshoot Windows issues
 Common symptoms
o Slow performance
 Task Manager
 High CPU utilization, I/O
 Windows Update
 Update drivers and applications to latest version
 Check Disk Space
 Defrag
 Laptops throttle CPU in power-saving mode
 Run Antivirus Scan
o Limited connectivity
 Yellow Triangle with Exclamation point
 Local issues
 Check physical connection
 Check IP address configuration
 Reboot network subsystem
 External issues
 Router rebooted/turned off
 Ping default gateway and external IP
o Ping each hop along the path
o Failure to boot
 Can’t find OS
 Multiple OSs installed, Windows is missing and only
option is to use other OS(s)
o Boot loader has been replaced/changed; run
bootrec from recovery console
 Check boot drives; remove any media
 Startup Repair
 Missing NTLDR (legacy Windows boot loader)
o Run startup repair or replace manually w/ bootrec
and reboot
o Disconnect removable media
 Missing OS
o Boot configuration data may be incorrect
o Run startup repair or manually configure BCD
store
 Boots to Safe Mode
o Run startup repair
 bootrec can be used to resolve startup issues from the Windows Recovery
Environment (WinRE)
 /fixmbr Fix MBR on corrupt system partition without overwriting
existing partition table, for ‘OS not found’, ‘Error loading OS’,
‘Missing OS’, ‘Invalid Partition table’ error msgs
 /fixboot Rewrite system partition boot sectors, for ‘BOOTMGR is
missing’ error messages
 /scanos list potential fixes and scan disks for Windows
Installations
 /rebuildbcd Allow user to choose which OS instance to add to a
boot configuration store to make windows bootable, for ‘Could not
read from the selected boot disk..’, use to rebuild the BCD store
 such error messages indicate system can’t find partition
specified in BCD database where OS files are located
o Operating System not Found
 Verify boot.ini file is correct (legacy systems)
 Incompatible partition is marked as active
o No boot device available
 Hard drive not recognized
o Application crashes
 During Installation (Drivers)
 User needs elevated permission
 Check Event Log
 Check Reliability Monitor
 View application problem history over a timeframe
o Blue screens (Windows Stop Error)
 Reboot system
 Bad hardware, bad drivers, bad application
 Use last known good, System Restore, or Rollback Driver
 Try Safe mode
 Reseat/Remove hardware
 Run hardware diagnostics
 Provided by manufacturer
 BIOS
o Blank screens
 No login dialog or desktop
 Driver corruption, OS file corruption
 Start in VGA mode to start with generic video drivers
 F8 for startup options
 Run SFC from recovery console
 Update driver in Safe Mode
 Repair/Refresh or recover from backup
o Printing issues
 Print/scan a test page in printer properties to separate Windows and
manufacturer’s drivers as the cause
o Services fail to start
 Check Device Manager (hardware) and Event Viewer
 Often a bad driver: remove/replace driver
 “One or more services failed to start”
 Bad/incorrect driver, bad hardware
 Start manually
 Check account permissions for service
 Check service dependencies
 Windows Service? Check executables
 Application Service? Reinstall application
o Slow bootup
 Manage Startup Apps in Task Manager
 Disable applications, enable one at a time
o Slow profile load
 Roaming user profile
 Stores local configurations, synchronizes them on
centralized servers
 Network latency to domain controller slows login script
transfers
o Client workstation picks remote domain controller
instead of local DC
 Issue w/ local infrastructure
 Common solutions
o Defragment the hard drive
 Move file fragments contiguously to improve read/write time
 CMD > defrag
 Weekly Schedule Control Panel > Administrative Tools > Task
Scheduler
 Spinning HDDs only
 Speed up a computer that takes a long time to bootup
o Reboot
 Router software bug
 Application uses too many resources
 Memory leak slowly consumes available RAM
o Kill tasks
 Task Manager > Processes
o Restart services
 Similar issues to interactive applications; restart/stop services
o Update network settings
 Configuration mismatch can cause significant network slowdowns
and errors
 Auto-negotiation for speed/duplex can fail
 Event Viewer to see negotiated value
 Device should match switch; both sides identical
o Reimage/reload OS
 Windows 8/8.1/10: Settings > Update & Security > Recovery >
Reset PC (Keep files, remove everything)
o Roll back updates
 Restore points to revert system to previous configuration w/o
erasing work
 If hardware malfunction is a recent issue, rollback updates
 Application updates can prompt auto-creation of restore point
o Roll back devices drivers
 Roll back driver from Device Manager (or via F8 startup options)
o Apply updates
 Windows Update: Centralized OS/driver updates
 Download App updates manually/within application
o Repair application
 Fix corrupted/missing files, registry entries, update/reconfigure
drivers
o Update boot order
o Disable Windows services/applications
 Disable all startup apps/services then gradually enable one at a
time
o Disable application startup
o Safe boot
 Windows 7/8.1 “Safe Mode” -> F8 > Advanced Boot Options >
Safe Mode
 Only necessary drivers to get started
 Fast Startup may disable F8; if on desktop:
o Shift + Restart
o Settings / Update & Security / Recovery /
Advanced Startup / Restart now
o System Configuration (msconfig)
 Interrupt boot process three times if not booting to
windows
o Rebuild Windows profiles
 User Profiles on domains can get corrupted
 User Profile Service failed the login
 User Profile cannot be loaded
 User documents missing
 Recreate profile
 Delete profile from user’s computer w/ administrative
rights
 Rename \Users\name folder
 Backup user’s registry
o HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList
o Right-click > Export
 Delete registry entry (you have the backup)
 Restart computer
 Logon to computer w/ user’s standard domain login
o Profile rebuilt
o Recreate \Users\Name folder
 Login as Domain Administrator and copy over backup user
folder files into the newly recreated user profile folder
o Do not copy entire profile
o Troubleshoot updates via Windows Update Troubleshooter, PowerShell,
WSUS
3.2 Troubleshoot PC security issues
 Common symptoms
 Popups
 Malware infection
 Update browser and check pop-up block feature
 Scan for malware
 Rebuild from scratch or known good backup to guarantee
removal
 Browser redirection
 Malware infection intercepts search queries/results
 Scan for malware
 Rebuild from scratch or known good backup to guarantee
removal
 Security alerts, Invalid Certificates
 Check certificate details (lock icon)
 Date may be expired or show different domain name
 Certificate may not be properly signed (untrusted
certificate authority)
 Browsers obtain certificates and compare the local system’s date &
time against the certificate’s validity period; if they don’t match, you
will likely get an invalid certificate error
 Set correct date & time
 Slow performance
 Could be signs of a malware infection
 Internet connectivity issues
 Internet pages load slowly or not at all
 Perform ping tests to local router
 Verify browser settings
 PC/OS lockup
 Check Caps Lock and Num Lock status lights to see if response
registers
 Task Manager
 Check logs when rebooting after lockup
 Perform virus/malware scan
 Perform hardware diagnostic
 Application crash
 Check Event Log
 Check Reliability Monitor
 Reinstall Application
 OS updates failures
 Lookup error number associated with failed update (best point of
diagnosis- narrow things down)
 Visit vendor website to see if any issues exist with the
specified update
 Check Event Viewer for logs on the update failures (incl.
error number)
 Malware infection
 Rebuild from scratch or known good backup to guarantee
removal
 Rogue antivirus
 Misleads users into believing a virus is on their computer when
in reality it’s a hoax; the purpose is to extort money from the victim or
get them to download malicious “malware removal” software
 Spam
 Unsolicited email messages, including advertisements, phishing
attacks, viruses
 Spam filters
 Hijacked email
 Infected computers become email spammers; user may receive replies
from other users regarding spam or automated replies to email they
never sent
 Renamed system files, Disappearing files, File permission changes
 Malware infection
 Rebuild from scratch or known good backup to guarantee
removal
 Access denied on Network Shares
 May be due to Administrative share permissions (User denied
write/delete permissions), Group Policy Hours Restrictions
 On Windows, consider Mapped drives: Users need to remap
network drive letters to new file paths if data is moved from one
network share to another; existing drive mappings may no longer
be pointing to the intended destination
 Invalid certificate errors
 Experiencing the ‘ERR_CERT_DATE_INVALID’ error message
on a website usually means an issue with the Date and Time on
local system and validity period of website’s certificate
 Expired root certificates on a system can result in the user not being
able to access any web resources
 Proxy server configurations can cause these issues with single
users
 Analyze & verify installed certificate via Certificate Manager
 Analyze Security log in Event Viewer for events concerning
invalid certificate
 Delete, revoke, modify invalid certificates, import new ones
 System/application log errors
 Event Viewer
 Improper/Failed logins
 Unexpected application use
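The invalid-certificate symptoms above come down to one comparison: the validity window in the certificate against whatever the local clock says. The following is an added example (not from the notes) that performs that comparison with `ssl.cert_time_to_seconds` from the Python standard library, using the date format `ssl.getpeercert()` returns, and then tells a wrong local clock apart from a genuinely expired certificate by re-checking against a trusted reference time. The certificate dates and the clock readings are constructed; `utc_epoch` and `diagnose_date_error` are helpers written for this example.

```python
"""Classify certificate validity dates against a clock reading (added example)."""
import calendar
import ssl


def utc_epoch(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC date; avoids timezone surprises."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def cert_date_status(not_before, not_after, now_epoch):
    """Return 'not_yet_valid', 'expired' or 'valid' for the given clock.

    `not_before` / `not_after` use the format returned by
    ssl.getpeercert(), e.g. 'Jan  1 00:00:00 2024 GMT'.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now_epoch < start:
        return "not_yet_valid"
    if now_epoch > end:
        return "expired"
    return "valid"


def diagnose_date_error(not_before, not_after, local_epoch, reference_epoch):
    """Separate 'the PC clock is wrong' from 'the certificate really is bad'.

    `reference_epoch` is a time the technician trusts (for example from a
    phone or a second machine); if the certificate is valid under that
    clock but not under the local one, the local clock is the problem.
    """
    local = cert_date_status(not_before, not_after, local_epoch)
    reference = cert_date_status(not_before, not_after, reference_epoch)
    if local == "valid":
        diagnosis = "no date error expected"
    elif reference == "valid":
        diagnosis = "local clock is wrong; set correct date & time"
    else:
        diagnosis = f"certificate is {reference}; site must renew or replace it"
    return {"local": local, "reference": reference, "diagnosis": diagnosis}


# Constructed certificate validity window for the demonstration.
NOT_BEFORE = "Jan  1 00:00:00 2024 GMT"
NOT_AFTER = "Dec 31 23:59:59 2024 GMT"

if __name__ == "__main__":
    # A PC whose CMOS battery died and reset the clock to 2017.
    result = diagnose_date_error(NOT_BEFORE, NOT_AFTER,
                                 local_epoch=utc_epoch(2017, 6, 1),
                                 reference_epoch=utc_epoch(2024, 6, 1))
    print(result)
```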
3.3 Best practice procedures for malware removal
1. Identify and research malware symptoms.
a. Slow system performance
i. Boot, application slowdown
b. Application failures, Security Alerts, Odd Error Messages
2. Quarantine the infected systems.
a. Disconnect PC from network to keep malware from spreading. Remember,
always better to stop the spread than to keep it going just to gather evidence
b. Isolate removable media
c. Don’t transfer files, don’t make a backup post-malware
3. Disable System Restore (in Windows).
a. Malware infects everything, even restore points
b. Disabling System Protection
i. Delete all System Restore Points
4. Remediate the infected systems.
a. Update the antimalware software.
i. Automatic Signature and engine updates
1. Copy Antivirus installation to infected machine if Malware
prevents Antimalware updates/installation
b. Scan and use removal techniques (safe mode, preinstallation environment).
i. Boot from
1. Safe Mode
2. Pre-installation environment (WinPE): Used for installing,
deploying, repairing Windows 10
a. Build-your-own Windows Assessment and
Deployment Kit (ADK)
b. Recovery Console
i. Repair boot sectors
5. Schedule scans and run updates.
a. Again, Automatic Signature and engine updates!
b. Task Scheduler to perform scans
c. OS updates
6. Enable System Restore and create a restore point (in Windows).
a. Now that you’re clean, you can enable System Restore
b. Create restore point to start populating again
7. Educate the end user
a. Without educating the user, expect them to return with the same
symptoms
3.4 Troubleshoot mobile OS and application issues
 Common symptoms
o Dim display
 Brightness settings
 Replace bad display (backlight issue)
o Intermittent wireless
 Move closer to AP or try different AP
o No wireless connectivity
 Check/Enable WiFi
 Check security key configuration
 Hard reset to restart wireless subsystem in device
o No Bluetooth connectivity
 Check/Enable Bluetooth
 Check/Pair Bluetooth Component
 Hard reset to Bluetooth subsystem
o Cannot broadcast to external monitor
 Check app requirements
 All devices must be on same wireless SSID
 Signal strength should be strong, between phone/monitor and the
monitor/internet
o Touchscreen nonresponsive
 Apple iOS restart
 Soft Reset
 Hard Reset: Hold down power button and Home|Volume
for 10 seconds
 Android restart
 Remove battery, put back in, power on
o Apps not loading
 Restart phone
 Restart app
 Update App
 Update OS
o Slow performance
o Unable to decrypt email
 Must have private key on mobile device to decrypt info
 Mobile Device Manager should install individual private
keys
o Extremely short battery life
 Bad reception: Disable radios
 Check application battery usage: Settings/Battery
 Aging battery
o Overheating
 Phone will automatically shut down
 Caused by charging/discharging battery, CPU usage, display light,
direct sunlight
o Frozen system
 Soft reset
 Hard reset
 iOS: Hold down power and Home|Volume for 10 seconds
 Android: Combinations of power, home, volume
 Factory reset
o No sound from speakers
 No sound from a particular app
 Check volume settings for app, device
 Bad app: delete and reload
 Try headphones to see if speakers are issue
 Sound starts then stops
 Dueling apps: Try keeping an app in foreground
 No sound from any app
 OS update
 Factory reset
o Inaccurate touch screen response
 Close apps: Low memory causes resource contention w/ digitizer
 Restart device: Soft or hard Reset
 Replace digitizer or reseat cables
o System lockout
 Too many unlock attempts
o App log errors
 Developer tools needed to view system logs
 iOS: Xcode
 Android: Logcat
3.5 Troubleshoot mobile OS and application security issues
Common symptoms
 Signal drop/weak signal
 Signals are location-dependent
 Run speed test w/ carrier’s network, cell tower analyzer
 Power drain
 Heavy application use
 Increased network activity
 High resource utilization
 DoS
 Slow data speeds
 Unusual network activity
 Data transmission over limit
 WiFi analyzer can check network connection
 Speed check/cell tower analyzer can check overall network
speed/data you send to provider
 Examine running apps for unusual activity (constant activity, large
transfers)
 Unintended WiFi connection
 Malicious hotspots take advantage of the fact that devices will
access wireless connections based on signal strength by default
 Configure device to ask before connecting (disable automatic
connection), turn off Wi-Fi radio when not in use
 Unintended Bluetooth pairing
 Disable bluetooth radio when not in use
 Remove bluetooth device
 Run antimalware scan
 Leaked personal files/data
 Perform malware scan
 Data transmission over limit
 Rarely due to malware since so many different factors contribute to
high data transmission. Malware scans would be one of the last
resorts
 Heavy use of Resource-intensive applications that phone home
regularly (i.e., GPS, hotspot, etc) will likely lead to data
transmission going over limit and the mobile provider throttling
your data speeds
 Unauthorized account access
 Determine cause of data breach
 App/malware scan
 Factory reset and clean install
 Unauthorized location tracking
 Often times isn’t unauthorized, just caused by end user failing to
check permissions of the downloaded app
 Run antimalware scan
 Check apps with offline app scanner
 Factory reset
 Unauthorized camera/microphone activation
 Often times isn’t unauthorized, just caused by end user failing to
check permissions of the downloaded app
 Perform malware scan
 Check apps with offline app scanner
 Factory reset
 High resource utilization
4.0 Operational Procedures
4.1 Compare/contrast best practices associated with types of documentation
 Network topology diagrams
o Logical diagram
 Knowledge base/articles
o Help desk ticket may automatically bring up knowledge base
 Incident documentation
o Documentation can change quickly
 Regulatory and compliance policy
o Compliance: Meeting standards of laws, policies, regulations.
 Industry-specific
o Scope: Domestic/International requirements
 Acceptable use policy
o Specifies acceptable use of company assets
o Used to limit legal liability
 Password policy
o Complexity requirements, expiration requirements
 Critical systems change every 15 days/weekly
 Change 30, 60, 90 days
o Disabling accounts initially
 Inventory management
o Asset tags
o Barcodes
4.2 Implement change management best practices
 Documented business processes
 Purpose of the change
 Scope the change
o Determine scope and effect of the change
 Multiple applications, Internet Connectivity, Remote site access,
External customer access
o Determine how long the change will take
 Downtime for end users?
 Risk analysis
o Determine risk value
 Does a fix break something else?
 Data corruption, OS failures
o Determine the risk with NOT making the change
 Failing to implement security/application patches can leave your
systems vulnerable
 Are 3rd party services dependent on the change?
 Plan for change
o Technical process described for other technical people
o Scheduling
 Include completion timeframes
o Process document submitted for project approval
 End-user acceptance
o End users should be aware of downtime; try scheduling downtime when all
are offline i.e., off work hours
 Change board
o Approvals
 Change control committee properly schedules changes
 Backout plan
o Plan for worst possible scenario; always have a way to revert your changes
o Process document submitted for project approval
 Document changes
o Help desk documentations
 Version numbers, network diagram, new server names
o Track changes over time to cross-reference against help desk tickets
4.3 Implement disaster prevention and recovery methods
 Backup and recovery
o Image level
 Bare metal backup with images
 Take separate server with no OS and apply image to
provide fully functional system
 OS volume snapshots/Hypervisor snapshots
o File level
 Copy important files w/o OS
o Critical applications
 Application data, Databases, other data storage
 Backup testing
o Setup alerts to be notified when backups fail (prevalent usage in cloud
systems)
o Perform periodic audits
 UPS
o Grounding wire required for consumer protection or to provide return
reference for signal
o Mitigate intermittent power loss
o Short-term backup power
o Protection from blackouts, brownouts, surges
o Offline/Standby
 Switch from line
o Line-interactive UPS
 Brownouts
o Online/Double-conversion UPS
 Always run from battery; Mainline refreshes battery
 No delay/switchover
o Auto-shutdown, battery capacity, outlets, phone line suppression
 Surge protector
o Protect against power spikes and line noise, sending to electrical grounds
 Higher dB rating means better noise filtering in the surge suppressor
 Backup sites
o Hot site: Duplicate of primary site with real-time data synchronization
 Best practice (albeit expensive)
 Hours to resume business as normal
o Warm site: Houses only critical hardware and data; may not be 1:1
duplicate of primary site
 Days to resume business as normal
o Cold site: Alternate building without power, hardware, or data backups
 At least a week to resume business as normal, longer
 Cloud storage vs. local storage backups
o Cloud storage
 Best practice
 Data available anytime, anywhere on device
 No offsite storage processing
 Data is not under your direct control
 Strong encryption is essential
 Account recovery options
o Windows Domain
o MFA validation
o Authentication databases
o RADIUS/TACACS
o Avoid local accounts; best to centralize management
4.4 Explain common safety procedures
 Equipment grounding
o Divert electrical faults to ground
o Never connect yourself to an electrical ground/any source with voltage on
it
o Always unplug power source
 Proper component handling and storage
o Antistatic bags
 Safely move/ship components
o ESD straps
 Must be grounded; alligator clip should clip onto bare metal
o ESD mats
 For standing/sitting
o Self-grounding
 Use hand to self-ground (touch metal chassis), equalizing
electrostatic potential
 Touch outside edges of cards; don’t touch contacts directly
o Maintain 60% Humidity or above as most effective practice to control ESD
 Toxic waste handling
o Batteries
 Hazardous waste facilities
o Toner
 Recycle box
o CRT
 Glass contains lead, Hazardous waste facilities
o Cell phones/Tablets
 Wipe data
 Recycling program
 Hazardous waste facilities
 Personal safety
o Disconnect power before repairing PC
o Remove jewelry, lanyards (unless breakaway)
o Lifting techniques
 Lift with legs, keep your back straight
 Don’t carry overweight items
 Lifting equipment
o Weight limitations
o Electrical fire safety
 Carbon dioxide, FM-200, Dry chemicals
 Remove power source
o Cable management
 Avoid trip hazards
o Safety goggles
 Use when working with batteries (acid), printer repair, toner
o Air filter mask
 Toner spill
 Compliance with government regulations
o Health and safety laws
o Building codes: Fire prevention, Electrical codes
o Environmental Regulation
4.5 Explain environmental impacts and appropriate controls
 MSDS documentation for handling and disposal
o OSHA
o Download from manufacturer’s website
o Provides info for hazardous devices
 Composition, Hazard info, Product/company info, First aid,
firefighting
 Batteries, chemical solvents/cans, toner/ink cartridges
o Sometimes called an SDS
 Temperature, humidity level awareness, and proper ventilation
o High humidity = condensation; low humidity = static discharge; aim for 50%
o Proper ventilation keeps systems running
 Power surges, undervoltage events, and power loss
o Battery backup (UPS)
 Provides power to connected circuits when main power source
goes offline
 Not for long-term usage
 UPS protects against blackouts, brownouts, surges
 Standby UPS
 Line-interactive UPS
 Online UPS
 Auto-shutdown, battery capacity, outlets, phone line
suppression
o Surge suppressor
 Protect equipment against damage from spikes but does not
provide backup power to devices in event of blackout
 Joule: Measures surge absorption
 600 joules of protection ideal
 Surge Amp ratings
 Higher is better
 UL 1449 Voltage let-through ratings
 Lower amount of voltage is better
 500, 400, 300 volts
 Protection from airborne particles
o Enclosures
 Protect from dust, oil, smoke
o Air filters/mask
 Prevent from inhaling laser printer toner particles
 Dust and debris
o Neutral detergents
o Isopropyl alcohol is good for cleaning connectors; do not use on outside of
cases
o No ammonia-based cleaning liquids
o Compressed air
 Compressed air pump
o Vacuums
 Minimize static electricity
 Compliance to government regulations
o Hazardous waste, batteries, even paper disposal
4.6 Explain processes for addressing prohibited content, activity, privacy, licensing, policy concepts
 Incident response
o First response
 Containment; often controlling the damage is the priority even
when your interest is to preserve evidence
o Identify
 Logs, in person, monitoring data
 Identify key entities involved and determine relationships among
entities
o Report through proper channels
 Concerns criminal cases
o Data/device preservation
 Document what you found
 Documentation should be available to everyone
o Use of documentation/documentation changes
 Wiki model
o Chain of custody
 Maintain integrity
o Tracking of evidence/documenting process
 Avoid tampering with evidence
 Hashes
 Label/catalog everything
 ROM Media
 Digital Signatures
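The notes list hashes alongside the chain of custody; the two belong together because the hash is what proves at each hand-off that the evidence is unchanged. The following is an added example (not from the notes, and not any specific forensic tool) that hashes an evidence item with SHA-256 and keeps an append-only custody log in which every transfer re-hashes the item and records whether it still matches the original. The item id, handlers and evidence bytes are constructed for the demonstration.

```python
"""Evidence hashing and a simple chain-of-custody log (added example)."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an evidence image/file, as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled an item, when, and its hash."""

    def __init__(self, item_id: str, data: bytes, collector: str):
        self.item_id = item_id
        self.original_hash = sha256_hex(data)   # taken at collection time
        self.entries = []
        self.record("collected", handler=collector, data=data)

    def record(self, action: str, handler: str, data: bytes) -> dict:
        """Add an entry; each hand-off re-hashes the item and notes mismatches."""
        current = sha256_hex(data)
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "item": self.item_id,
            "action": action,
            "handler": handler,
            "sha256": current,
            "intact": current == self.original_hash,
        }
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> bool:
        """True if the item still hashes to the value recorded at collection."""
        return sha256_hex(data) == self.original_hash

    def broken_links(self) -> list:
        """Entries at which the hash no longer matched the original."""
        return [e for e in self.entries if not e["intact"]]


if __name__ == "__main__":
    # Constructed evidence bytes standing in for a disk image.
    evidence = b"constructed disk image bytes"
    log = CustodyLog("EVID-001", evidence, collector="first responder (constructed)")
    log.record("transferred to lab", handler="analyst (constructed)", data=evidence)
    print(log.original_hash)
    print("intact at every hand-off:", not log.broken_links())
```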
 Licensing/DRM/EULA
o Opensource vs. commercial license
 Commercial license: source code is private, end user gets compiled
executable
 Open Source: source code is freely available, end user may
compile own executable
 End user licensing Agreement determines how software can be
used
 DRM ensures user follows EULA
o Personal license vs. enterprise licenses
 Personal license
 single-access device used at home
 perpetual license
 Enterprise license
 Per-seat license/site license
 Annual renewals
 Regulated data
o PII
 Regulated data that identifies an individual
 Documented in Privacy Policy
 Common in enterprise environments
o PCI DSS (Payment Card Industry Data Security Standard)
 Standard compliance vendors must meet if they accept credit cards;
12 major requirements for network design, data access security
policies
o GDPR
 Protection of EU PII (right to be forgotten); applies to any
company holding personal data of EU citizens or any company
doing business in the EU
o PHI (Protected Health Info)
 Medical history records
 Data between providers must maintain similar requirements
 HIPAA
 Follow all policies and security best practices
o Standard IT guidelines that provides the processes for handling important
technology decisions
4.7 Use proper communication techniques and professionalism
 Use proper language and avoid jargon, acronyms, and slang, when applicable
o Consider that even the most easily understood jargon, e.g., RAM, may leave
a non-technical user completely clueless.
 Maintain a positive attitude/project confidence
 Actively listen (taking notes) and avoid interrupting the customer
 Be culturally sensitive
 Be on time (if late, contact the customer)
 Avoid distractions
 Dealing with difficult customers or situations
o Do not argue with customers and/or be defensive
o Avoid dismissing customer problems
o Avoid being judgmental
o Clarify customer statements (ask open-ended questions to narrow the scope of the problem, restate the issue, or question to verify understanding)
o Do not disclose experiences via social media outlets
 Set and meet expectations/timeline and communicate status with the customer
o When unable to fulfill a request (for example, because you are handling a matter of similar or higher importance), ask another technician to take the call
o Offer different repair/replacement options, if applicable
o Provide proper documentation on the services provided
o Follow up with customer/user at a later date to verify satisfaction
 Deal appropriately with customers’ confidential and private materials
4.8 Identify basics of scripting
 Script file types
o .bat
 Windows CMD scripting
 DOS & OS/2
o .ps1
 Windows Powershell scripting
 Win 8/8.1/10
 Extend CMD functions (cmdlets)
 Standalone executables
o .vbs
 VBScript (Visual Basic Script)
 General purpose Windows Scripting – commonly seen in office
o .sh
 Unix/Linux shell scripting
 Automate and extend the command line
 #! (shebang) on the first line names the interpreter that runs the rest of the script
o .py
 General-purpose scripting language
o .js
 Scripting inside browser, adds interactivity to HTML/CSS
 Not ‘Java’; different use, developers, operations
 Environment variables
o Describe the OS environment
 e.g., on Windows, environment variables specify the location of the Windows installation, the search path, the computer name, and the drive letter and path of the home directory
 Comment syntax
o Annotate code
 Basic script constructs
o Basic loops
o Variables
 Basic data types
o Integers
o Strings
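The 4.8 constructs (shebang, comments, variables, environment variables, a loop, integer and string data) applied to the chain-of-custody notes above (hash and catalog the evidence), as an added example that is not part of the original study notes. The EVIDENCE_CATALOG variable, the catalog line layout and the file names are constructed for this example; it assumes GNU coreutils (sha256sum) and file paths without whitespace.

```sh
#!/bin/sh
# Added example (not from the study notes): shebang, comments, variables,
# environment variables, a loop, and integer/string data used to catalog
# evidence files by SHA-256 and re-verify them later.
# Assumes GNU coreutils (sha256sum) and file paths without whitespace.

# Environment variable with a default: a caller can override the catalog
# location, e.g.  EVIDENCE_CATALOG=/mnt/usb/catalog.txt ./hash_evidence.sh DIR
CATALOG="${EVIDENCE_CATALOG:-./evidence_catalog.txt}"

# Print the SHA-256 hex digest (a string) of one file.
hash_file() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Hash every regular file directly under $1 and append one line per file:
#   <UTC timestamp>  <technician from the USER env var>  <sha256>  <path>
# Prints the number of files catalogued (an integer).
catalog_dir() {
    dir="$1"
    count=0                        # integer variable
    for f in "$dir"/*; do          # basic loop over directory entries
        [ -f "$f" ] || continue    # skip anything that is not a regular file
        hash=$(hash_file "$f")
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        printf '%s  %s  %s  %s\n' "$stamp" "${USER:-unknown}" "$hash" "$f" >> "$CATALOG"
        count=$((count + 1))       # integer arithmetic
    done
    echo "$count"
}

# Re-hash a file and compare it with the most recent hash recorded for it.
# Prints OK or TAMPERED and returns 0 or 1 so it works inside an if statement.
verify_file() {
    recorded=$(awk -v p="$1" '$4 == p { h = $3 } END { print h }' "$CATALOG")
    current=$(hash_file "$1")
    if [ -n "$recorded" ] && [ "$recorded" = "$current" ]; then
        echo OK
        return 0
    fi
    echo TAMPERED
    return 1
}
# Stand-alone use: ./hash_evidence.sh DIR  (catalog) or ./hash_evidence.sh -v FILE
if [ "$1" = "-v" ] && [ -n "$2" ]; then
    verify_file "$2"
elif [ -n "$1" ]; then
    echo "catalogued $(catalog_dir "$1") file(s) into $CATALOG"
fi
```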
4.9 Use remote access technologies
 RDP
o TCP/3389
o Connect to entire desktop or application
o Clients for different platforms, not just Windows
 Telnet
o TCP/23
o Console access without encryption; deprecated and shouldn’t be used
 SSH
o TCP/22
o Console access with encryption
 Third-party tools
o Screen share feature
 VNC (Virtual Network Computing)
 Uses the Remote Frame Buffer (RFB) protocol to view a remote desktop on the local system
o File share
 Transfer files to/from remote device
 Security considerations of each access method
o Telnet is insecure; use SSH instead