Topic 4 - Windows Security

The document discusses the role of operating systems (OS) in managing hardware resources, software applications, and user data, emphasizing their importance in security. It outlines various security mechanisms such as authentication, authorization, encryption, and firewalls, as well as the types of security including physical, network, and data security. Additionally, it highlights the threats posed by data exposure, tampering, and denial-of-service attacks, along with the need for users to follow best practices to protect their devices.


Windows Security
Dr Feras Zen Alden
Computers are equipped with a layer of software called the operating
system, whose job is to provide user programs with a better, simpler,
cleaner model of the computer and to handle managing all the
resources.

What is an OS?

Operating systems differ from user (i.e., application) programs in
ways other than where they reside. In particular, they are huge,
complex, and long-lived. The source code of the heart of an operating
system like Linux or Windows is on the order of five million lines of
code or more.

It should be clear now why operating systems live a long time: they
are very hard to write, and having written one, the owner is loath to
throw it out and start again. Instead, such systems evolve over long
periods of time.

Windows 95/98/Me was basically one operating system, and Windows
NT/2000/XP/Vista/Windows 7 is a different one. They look similar to
users because Microsoft made very sure that the user interface of
Windows 2000/XP/Vista/Windows 7 was quite similar to that of the
system it was replacing, mostly Windows 98. Nevertheless, there were
very good reasons why Microsoft got rid of Windows 98.
The architecture (instruction set, memory organization, I/O, and bus
structure) of most computers at the machine-language level is
primitive and awkward to program, especially for input/output. To make
this point more concrete, consider the SATA (Serial ATA) hard disks
used on most computers. Operating systems turn ugly hardware into
beautiful abstractions.
Kernel mode and user mode

Most computers have two modes of operation: kernel mode and user mode.

The operating system, the most fundamental piece of software, runs in
kernel mode (also called supervisor mode). In this mode it has complete
access to all the hardware and can execute any instruction the machine
is capable of executing. The rest of the software runs in user mode, in
which only a subset of the machine instructions is available. In
particular, the instructions that affect control of the machine or do
I/O (input/output) are forbidden to user-mode programs. This split
plays a crucial role in how operating systems work: it is what lets the
kernel enforce security decisions on code it does not trust.
Security Architecture and Components

• Kernel mode:
  • Security Reference Monitor: performs the access check (ACL
    verification) whenever a process asks to open a securable object
• User mode:
  • Log-on process (winlogon): user logon
  • Local Security Authority (LSA, lsass.exe): password verification
    and change, access tokens, audit logs (the MS04-011 LSASS buffer
    overflow was what the Sasser worm exploited)
  • Security Accounts Manager (SAM): local accounts database; it stores
    password hashes, additionally protected with the machine's boot
    key, rather than cleartext passwords
  • User Account Control (UAC, Vista and later): enforcement of limited
    user privileges until an explicit elevation, even for
    administrators
Kernel mode and user mode
The user interface program, shell or GUI, is
the lowest level of user-mode software, and
allows the user to start other programs, such
as a Web browser, email reader, or music
player. These programs, too, make heavy use
of the operating system.
Registry

• A hierarchical database containing critical system information
• Keys, subkeys and values (key-value pairs); values have one of 11
  types such as REG_SZ, REG_DWORD and REG_BINARY
• A registry hive is a group of keys, subkeys, and values, backed by a
  file on disk
• Security-related registry hives:
  • HKEY_LOCAL_MACHINE\SAM: the SAM database (local account password
    hashes); by default readable only by SYSTEM
  • HKEY_LOCAL_MACHINE\SECURITY: LSA policy and LSA secrets (service
    account passwords, cached domain logon data); also SYSTEM-only
  • HKEY_LOCAL_MACHINE\SOFTWARE: paths to programs, including the Run
    keys whose values are started at every logon, so write access to
    them is a persistence risk
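The two checks a practitioner would actually run against the hives above, as an added example (this is not code from the slides): first, ask the kernel for read access to SAM, SECURITY and SOFTWARE and see which opens the Security Reference Monitor refuses, while still listing each key's DACL; second, look for Run keys under SOFTWARE that a broad group could write to. It assumes an elevated PowerShell 5.1 or later session on Windows; the list of Run keys is the usual one and can be extended.

```powershell
# Added example, not from the slides. Assumes an elevated PowerShell 5.1+
# session on Windows; the Run-key list below is the usual set.

function Get-HiveAccessReport {
    param([string[]]$Keys = @('SAM', 'SECURITY', 'SOFTWARE'))
    foreach ($name in $Keys) {
        $canRead = $true
        try {
            # OpenSubKey(name, $false) requests KEY_READ. The kernel's access
            # check compares that request with the key's DACL; SAM and
            # SECURITY grant it only to SYSTEM, so even an administrator
            # gets a SecurityException here.
            $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($name, $false)
            if ($null -eq $k) { $canRead = $false } else { $k.Close() }
        } catch [System.Security.SecurityException] {
            $canRead = $false
        }
        # Administrators do hold READ_CONTROL on SAM/SECURITY, so the DACL
        # itself can be listed even when the key contents cannot be read.
        $acl = Get-Acl -Path "HKLM:\$name" -ErrorAction SilentlyContinue
        $daclText = '<DACL not readable>'
        if ($acl) {
            $daclText = ($acl.Access | ForEach-Object {
                '{0}={1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights
            }) -join '; '
        }
        [pscustomobject]@{ Key = "HKLM\$name"; CanRead = $canRead; Dacl = $daclText }
    }
}

# Persistence check for the "paths to programs" hive: values under the Run
# keys are started at every logon, so no broad group should be able to write
# there. Well-known SIDs are used so the check does not depend on locale.
function Find-WritableRunKeys {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $writeMask = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [int][System.Security.AccessControl.RegistryRights]::WriteKey
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, Users
    foreach ($key in $runKeys) {
        $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($broadSids -contains $sid -and (([int]$ace.RegistryRights) -band $writeMask) -ne 0) {
                [pscustomobject]@{ Key = $key; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
            }
        }
    }
}

Get-HiveAccessReport | Format-List
Find-WritableRunKeys | Format-Table -AutoSize
```

On a default installation the report shows CanRead = False for SAM and SECURITY even from an administrator prompt, which is the reference monitor enforcing the DACL rather than a PowerShell limitation, and Find-WritableRunKeys returns nothing; any row it does return is a local privilege escalation or persistence path worth fixing.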
OS as a Resource Manager

Providing abstractions to application programs is a top-down view. An
alternative, bottom-up, view holds that the operating system is there
to manage all the pieces of a complex system.

Modern computers consist of processors, memories, timers, disks, mice,
network interfaces, printers, and a wide variety of other devices. In
the bottom-up view, the job of the operating system is to provide for
an orderly and controlled allocation of the processors, memories, and
I/O devices among the various programs wanting them.

Resource management includes multiplexing (sharing) resources in two
different ways: in time and in space. When a resource is time
multiplexed, different programs or users take turns using it. First
one of them gets to use the resource, then another, and so on. The
other kind of multiplexing is space multiplexing. Instead of the
customers taking turns, each one gets part of the resource.

Online Link: https://www.youtube.com/watch?v=AkFi90lZmXA&ab_channel=TED-Ed
Introduction
Security is an important concern for operating systems.
An operating system (OS) is responsible for managing
hardware resources, software applications, and user
data.
It also provides mechanisms to ensure the security and
integrity of the system.
Security in an OS involves protecting the system
against unauthorized access, data loss, malware, and
other security threats.
The role of an operating system in managing security

An operating system plays a crucial role in managing security. It
provides various security mechanisms to ensure the integrity and
confidentiality of the system.

The operating system is responsible for managing user accounts and
permissions, file permissions, and network access control.

The OS also provides authentication and encryption services to ensure
secure communication between different entities in the system.
Moreover, the operating system maintains logs and audits to track
system activities and detect any suspicious activities.
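What "maintains logs and audits to detect suspicious activities" looks like in practice, as an added example (not from the slides): the LSA writes event 4625 to the Security log for every failed logon, and grouping those events by account and source address turns a stream of individual failures into a password-spray or brute-force signal. It assumes an elevated PowerShell 5.1 or later session, since only administrators can read the Security log, and that logon failure auditing is enabled, which it is by default; the 24-hour window and the threshold of 10 failures are arbitrary starting points.

```powershell
# Added example, not from the slides. Assumes an elevated PowerShell 5.1+
# session and default audit policy (failed logons produce event 4625).

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $rows = foreach ($e in $events) {
        # The useful fields live in EventData; the event XML exposes them by name.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']   # 2 interactive, 3 network, 10 RDP
            SubStatus = $d['SubStatus']   # 0xC000006A wrong password, 0xC0000064 unknown user
        }
    }
    $rows | Group-Object Account, Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $g = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account  = $g[0].Account
            Source   = $g[0].Source
            Failures = $_.Count
            First    = $g[0].Time
            Last     = $g[-1].Time
            # Many different accounts from one source with "unknown user" is
            # spraying; one account with many "wrong password" is brute force.
            Reasons  = ($g | Group-Object SubStatus | ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ','
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

The IpAddress field is "-" for local console failures, so a Source of "-" with a high count usually means a misconfigured service or scheduled task rather than an attacker; network (type 3) and RDP (type 10) failures from a single external address are the ones to escalate.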
Types of security
Security in an operating system can be
classified into three types:
◦ physical security
◦ network security
◦ data security.
Types of security: physical security

Physical security involves protecting the hardware and physical
resources of the system. Physical security measures include securing
the physical location of the system, restricting access to the system,
and ensuring the safety of hardware components.

Types of security: network security

Network security involves protecting the system from external threats
such as unauthorized access, malware, and hacking attacks. Network
security measures include firewalls, intrusion detection and
prevention systems, and virtual private networks (VPNs).

Types of security: data security

Data security involves protecting the data stored in the system from
unauthorized access, modification, and deletion. Data security measures
include access control, encryption, and backups.
Domains

A domain is a collection of machines sharing user accounts and security
policies. Domain authentication is carried out by a domain controller
(DC). To avoid a single point of failure, a DC may be replicated.

Active Directory

Active Directory, introduced in Windows 2000, is an LDAP-based
directory service for organization of system resources:
  Users and groups
  Security credentials and certificates
  System resources (desktops, servers, printers)
  Security policies
  DNS service
  Trust management
How security works in an operating system

Security in an operating system works by implementing various security
mechanisms to protect the system against different security threats.
Some of the security mechanisms are:
◦ Authentication
◦ Authorization
◦ Encryption
◦ Firewall
Authentication

Authentication is the process of verifying the identity of a user or
entity. The operating system uses various authentication mechanisms
such as passwords, biometric authentication, and smart cards to
authenticate users.
Authorization

Authorization is the process of granting or denying access to resources
based on user permissions. The operating system uses access control
lists (ACLs) and permissions to control access to resources.
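How an ACL actually decides, as an added example (not from the slides): the function below re-implements the core of the Windows access check that the Security Reference Monitor runs when a handle is requested. It walks the file's DACL in stored order, ignores ACEs whose trustee is not in the caller's token, stops with a denial on the first Deny that overlaps a right still needed, accumulates Allows, and succeeds only when every requested right has been granted. The demo creates a file the caller owns and adds an explicit Deny of Write for the caller; Read is still allowed through the inherited ACE, Write is not. It assumes PowerShell 5.1 or later and a writable %TEMP%; owner-implied rights and privileges such as SeBackupPrivilege are left out of the evaluator on purpose.

```powershell
# Added example, not from the slides. Assumes PowerShell 5.1+ on Windows and
# a writable %TEMP%. Simplifications: owner-implied rights (READ_CONTROL,
# WRITE_DAC) and privileges such as SeBackupPrivilege are ignored.

function Test-DaclAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Requested,
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    # The token carries the user SID plus every group SID; an ACE applies if
    # its trustee is any of them.
    $tokenSids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })
    $want    = [int]$Requested
    $granted = 0
    # ACEs are evaluated in stored (canonical) order: explicit Deny, explicit
    # Allow, then inherited Deny and inherited Allow.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($tokenSids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # A Deny that overlaps any right not yet granted ends the check.
            if (($mask -band $want -band -bnot $granted) -ne 0) { return $false }
        } else {
            $granted = $granted -bor ($mask -band $want)
            if ($granted -eq $want) { return $true }   # everything asked for is allowed
        }
    }
    return $false   # reached the end of the DACL without all rights granted
}

# Demo: a file the caller owns, plus an explicit Deny of Write for the
# caller. The Deny is stored ahead of the inherited Allow and so wins.
$file = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -Path $file -Value 'constructed sample file'
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $file
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Write', 'Deny')))
Set-Acl -Path $file -AclObject $acl

"Read : $(Test-DaclAccess -Path $file -Requested Read)"    # True: inherited Allow still covers Read
"Write: $(Test-DaclAccess -Path $file -Requested Write)"   # False: explicit Deny on Write comes first

Remove-Item -Path $file -Force   # Delete is not part of the denied mask, so cleanup works
```

The order matters more than the ACEs themselves: a Deny placed after a matching Allow would never be reached for rights the Allow already covered, which is why Windows keeps DACLs canonical and why tools that write ACLs out of order produce permissions that look tighter than they are.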
Encryption

Encryption is the process of transforming data into a form that cannot
be read without the corresponding key, to prevent unauthorized access.
The operating system uses encryption algorithms to encrypt data.
Firewall

A firewall is a security mechanism that controls network traffic
between different entities in the system.

How the operating system controls the firewall

The operating system controls the firewall by implementing firewall
rules that specify which traffic should be allowed or blocked.
Firewall rules can be based on IP addresses, ports, protocols, and
applications. The operating system also provides a user interface to
configure firewall rules and monitor firewall activities.
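The rule dimensions just listed (address, port, protocol, application) and the monitoring side, as an added example (not from the slides) using the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later. It shows the default inbound/outbound posture per profile, creates one rule that constrains every dimension at once, audits for enabled inbound Allow rules that constrain none of them, and removes the demo rule. It assumes an elevated session; the rule name, port 8443, the 10.10.0.0/24 management subnet and the program path are invented for the demo.

```powershell
# Added example, not from the slides. Uses the NetSecurity module cmdlets
# (Windows 8 / Server 2012 and later) in an elevated session. The rule
# name, port, subnet and program path are invented for the demo.

# 1. Default posture per profile: inbound should be Block, outbound Allow.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. A rule that constrains every dimension the text lists: direction,
#    action, protocol, port, remote address, program and profile.
$ruleName = 'Demo: agent inbound from management subnet only'
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 8443 -RemoteAddress '10.10.0.0/24' `
    -Program 'C:\Program Files\Demo\agent.exe' -Profile Domain, Private | Out-Null

# 3. Audit: enabled inbound Allow rules that restrict neither port, nor
#    program, nor remote address. These are the ones worth a second look.
function Find-PermissiveInboundRules {
    foreach ($r in (Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True)) {
        $port = $r | Get-NetFirewallPortFilter
        $app  = $r | Get-NetFirewallApplicationFilter
        $addr = $r | Get-NetFirewallAddressFilter
        $anyPort = @($port.LocalPort) -contains 'Any'
        $anyApp  = ($app.Program -eq 'Any')
        $anyAddr = @($addr.RemoteAddress) -contains 'Any'
        if ($anyPort -and $anyApp -and $anyAddr) {
            [pscustomobject]@{
                Name     = $r.DisplayName
                Profile  = $r.Profile
                Protocol = $port.Protocol
                Group    = $r.DisplayGroup
            }
        }
    }
}

Find-PermissiveInboundRules | Format-Table -AutoSize

# 4. Show the demo rule's port filter, then clean up.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
Remove-NetFirewallRule -DisplayName $ruleName
```

Built-in rule groups such as "Core Networking" legitimately appear in the audit output; the rows to act on are custom or third-party rules with Any/Any/Any on the Public profile, which silently undo the default-deny inbound posture shown in step 1.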
The role of users in protecting the device

Users play a crucial role in protecting the device. Users should follow
best practices such as:
◦ Using strong passwords: Users should use strong passwords that are
  difficult to guess or crack.
◦ Updating software: Users should regularly update software to ensure
  that security vulnerabilities are patched.
◦ Installing antivirus software: Users should install antivirus
  software to protect the system from malware and other security
  threats.
◦ Backing up data: Users should regularly back up their data to
  protect against data loss.
Threat types

Confidentiality

Concerned with having secret data remain secret. If the owner of some
data has decided that these data are to be made available only to
certain people and no others, the system should guarantee that release
of the data to unauthorized people never occurs. The owner should be
able to specify who can see what, and the system should enforce these
specifications, which ideally should be per file.
Exposure of data

When data is exposed, it means that sensitive or confidential
information is made available to unauthorized parties, either
intentionally or unintentionally. Exposure of data can pose serious
threats to individuals and organizations. It is important to take steps
to protect sensitive information, such as implementing strong security
measures and following best practices for data handling and storage,
and to have a plan in place for responding to data breaches or security
incidents to minimize the damage caused by data exposure.
Identity theft: Exposure of personal information such as social
security numbers, names, addresses, and dates of birth can be used by
cybercriminals to commit identity theft. This can result in financial
loss, damage to credit scores, and reputation damage.

Financial fraud: Exposure of financial information such as bank account
details, credit card numbers, and transaction history can lead to
financial fraud. Cybercriminals can use this information to conduct
unauthorized transactions, make unauthorized purchases, and withdraw
funds from bank accounts.

Corporate espionage: Exposure of business information such as trade
secrets, product designs, and confidential financial information can be
used by competitors or cybercriminals for corporate espionage. This can
result in loss of competitive advantage and financial loss.

Data breaches: Exposure of data can also result in data breaches, where
cybercriminals gain unauthorized access to sensitive information. This
can result in data loss, reputational damage, and financial loss.

Legal and regulatory violations: Exposure of data can result in legal
and regulatory violations. For example, organizations that handle
sensitive data such as healthcare data or financial data are subject to
various regulations such as HIPAA and PCI-DSS. Failure to comply with
these regulations can result in penalties, fines, and legal action.
Integrity

Unauthorized users should not be able to modify any data without the
owner's permission. Data modification in this context includes not only
changing the data, but also removing data and adding false data. If a
system cannot guarantee that data deposited in it remain unchanged
until the owner decides to change them, it is not worth much for data
storage.
Integrity: Tampering with data

Tampering with data refers to the unauthorized modification, alteration,
or destruction of data. This can pose serious threats to individuals and
organizations. Take steps to protect sensitive information, such as
implementing strong security measures and following best practices for
data handling and storage, and have a plan in place for responding to
data breaches or security incidents to minimize the damage caused by
data tampering.
Data integrity: Tampering with data can compromise its integrity, making
it inaccurate, incomplete, or unreliable. This can lead to errors in
decision-making, financial loss, and reputational damage.

Security breaches: Tampering with data can also result in security
breaches, where cybercriminals gain unauthorized access to sensitive
information. This can result in data loss, reputational damage, and
financial loss.

Legal and regulatory violations: Tampering with data can result in legal
and regulatory violations. For example, organizations that handle
sensitive data such as healthcare data or financial data are subject to
various regulations such as HIPAA and PCI-DSS. Tampering with data can
result in penalties, fines, and legal action.

Misleading information: Tampering with data can also lead to misleading
information, which can be used to deceive or manipulate individuals or
organizations. This can result in financial loss, reputational damage,
and legal consequences.

Operational disruptions: Tampering with data can also result in
operational disruptions, where business processes and operations are
disrupted or halted. This can result in financial loss, reputational
damage, and decreased productivity.
Availability

Nobody should be able to disturb the system to make it unusable. Such
denial-of-service attacks are increasingly common.

Threat by Denial of Service

Denial of Service (DoS) is a type of cyberattack that aims to disrupt
the availability of a website or online service by overwhelming it with
traffic or other requests. Denial of Service attacks can pose serious
threats to individuals and organizations. Have a plan in place for
responding to Denial of Service attacks to minimize the damage caused by
these types of cyberattacks.
Loss of revenue: Denial of Service attacks can disrupt online services
and websites, preventing users from accessing them. This can result in
loss of revenue for businesses that rely on online transactions or
services.

Damage to reputation: Denial of Service attacks can also damage the
reputation of organizations. Users may perceive them as unreliable or
insecure, which can lead to decreased trust and loyalty.

Disruption of operations: Denial of Service attacks can disrupt the
operations of organizations, preventing employees from accessing
critical systems and data. This can result in decreased productivity
and financial loss.

Damage to hardware: Some Denial of Service attacks can also cause
physical damage to hardware. For example, overloading a system with
requests can cause it to overheat, leading to hardware failure.

Data loss or theft: Denial of Service attacks can be used as a
diversionary tactic to distract security personnel while other attacks
are carried out. This can result in data loss or theft, which can have
serious consequences for individuals and organizations.
Example

If a computer is an Internet server, sending a flood of requests to it
may cripple it by eating up all of its CPU time just examining and
discarding incoming requests. If it takes, say, 100 µs to process an
incoming request to read a Web page, then anyone who manages to send
10,000 requests/sec can wipe it out: 10,000 × 100 µs is one full second
of CPU time per second, so a single core has nothing left for
legitimate work.

Reasonable models and technology for dealing with attacks on
confidentiality and integrity are available; foiling denial-of-service
attacks is much harder.
Hacker vs Cracker

A hacker is a person who is skilled in computer programming and has a
deep understanding of computer systems and networks. Hackers use their
knowledge and expertise to improve or modify existing systems, develop
new software, and solve complex problems. They often work to find
vulnerabilities in systems in order to fix them and make them more
secure.

A cracker is a person who uses their computer skills for malicious
purposes, such as gaining unauthorized access to systems or networks,
stealing data, or causing damage to computer systems. Crackers are
often associated with illegal activities and are sometimes referred to
as "black hat" hackers.

A hacker uses their skills for constructive purposes, while a cracker
uses their skills for destructive or malicious purposes.
Online Link: https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963