# SEC-2: Windows Security Settings

Status: not started

Domain:
- 2.0 Security

Objective alignment:
- 2.2 Windows security settings

## What You Need To Know

Windows security questions often ask where to configure or verify a protection.

Core areas:
- Microsoft Defender Antivirus
- Windows Defender Firewall
- Windows Security app
- Local, Microsoft, and domain accounts
- Users and groups
- Login options and Windows Hello
- UAC and Run as administrator
- NTFS vs. share permissions
- BitLocker and BitLocker To Go
- EFS
- Active Directory basics
- Group Policy basics

## Memory Trick

Use **A-F-U-P-E-D-G**:
- **A**ntivirus: Defender
- **F**irewall: network profiles and exceptions
- **U**sers: local/Microsoft/domain accounts
- **P**ermissions: NTFS/share
- **E**ncryption: BitLocker/EFS
- **D**irectory: Active Directory
- **G**roup Policy: centralized settings

Encryption shortcut:
- **BitLocker = whole volume**
- **BitLocker To Go = removable drive**
- **EFS = individual files/folders on NTFS**

## Defender Antivirus

Microsoft Defender Antivirus:
- Built into Windows.
- Managed from Windows Security > Virus & threat protection.
- Uses real-time protection.
- Needs updated definitions/signatures.

Exam clue:
- If the task is to scan, update, or check Windows antivirus, go to Windows Security or Defender.

## Windows Defender Firewall

Windows Defender Firewall:
- Should normally remain enabled.
- Has separate profiles such as Public and Private.
- Can allow an app, allow/block a port, use predefined rules, or create custom rules.

Exam clue:
- If an app cannot receive network traffic, check the firewall exception/rule.
- The Public profile should be stricter than Private.

## Windows Accounts

Local account:
- Exists only on one Windows computer.

Microsoft account:
- Cloud-linked personal/work account.
- Can sync settings and integrate with Microsoft services.

Domain account:
- Centrally managed by Active Directory.
- Used in business environments.
User types/groups:
- Administrator: elevated control.
- Standard user: normal daily use.
- Guest: limited access.
- Groups simplify permissions.

## Login Options

Common options:
- Password
- PIN
- Fingerprint
- Facial recognition
- Security key
- Windows Hello
- Domain/SSO login

Passwordless authentication:
- Uses methods such as biometrics, a PIN, or a security key instead of a traditional password.

## UAC and Run As Administrator

UAC:
- User Account Control.
- Limits automatic administrative access.
- Prompts before elevated actions.

Run as administrator:
- Starts an app with elevated permissions.
- Needed for tasks like installing services, changing system files, or editing protected settings.

Memory trick:
- **An admin account is not always elevated. UAC asks before elevation.**

## NTFS vs. Share Permissions

NTFS permissions:
- Apply locally and over the network.
- Stored on NTFS volumes.

Share permissions:
- Apply only when accessing through a network share.

Rule:
- The most restrictive effective permission wins.
- Deny usually overrides allow.

Inheritance:
- Permissions can flow from a parent folder to child files/folders.

Explicit permissions:
- Set directly on the object.

## BitLocker vs. EFS

BitLocker:
- Encrypts an entire volume.
- Protects data if a device or drive is stolen.

BitLocker To Go:
- Encrypts removable drives such as USB flash drives.

EFS:
- Encrypting File System.
- Encrypts individual files/folders on NTFS.
- Tied to user credentials/certificates.
- Password reset problems can make EFS files inaccessible if recovery is not planned.

## Active Directory and Group Policy

Active Directory:
- Central database of users, computers, groups, printers, shares, and other objects.
- Domain controllers store/manage the domain database.

Domain:
- Group of managed users, computers, and resources.

OU:
- Organizational Unit.
- Container used to organize AD objects and apply policies.

Group Policy:
- Centralized settings for users/computers.
- Can configure security settings, login scripts, folder redirection, and more.

Security groups:
- Assign permissions to a group, then add users to the group.

Folder redirection:
- Redirects folders such as Desktop/Documents to a network location.

## Commands To Enter

Windows:

```powershell
windowsdefender:
```
What it does:
- Opens Windows Security.

```powershell
firewall.cpl
```
What it does:
- Opens Windows Defender Firewall.

```powershell
wf.msc
```
What it does:
- Opens Windows Defender Firewall with Advanced Security.

```powershell
whoami
```
What it does:
- Shows the current user.

```powershell
whoami /groups
```
What it does:
- Shows group membership for the current user.

```powershell
net user
```
What it does:
- Lists local users.

```powershell
net localgroup administrators
```
What it does:
- Lists local Administrators group members.

```powershell
gpupdate /force
```
What it does:
- Forces a Group Policy refresh.
- Most useful on domain-joined systems.

```powershell
gpresult /r
```
What it does:
- Shows an applied Group Policy summary.

```powershell
manage-bde -status
```
What it does:
- Shows BitLocker status.

```powershell
cipher /?
```
What it does:
- Shows help for the `cipher` command used with EFS and encryption-related tasks.

Linux comparison:

```bash
whoami
id
groups
```
What it does:
- Shows current user and group identity.

macOS comparison, if available:

```bash
fdesetup status
```
What it does:
- Shows FileVault disk encryption status on macOS.

## Mini Lab

Goal:
- Identify Windows security status and account privilege context.

Windows:
1. Run `windowsdefender:`.
2. Open Virus & threat protection and find the protection update status.
3. Run `firewall.cpl`.
4. Identify the active firewall profiles.
5. Run `wf.msc`.
6. Locate inbound and outbound rules.
7. Run `whoami`.
8. Run `whoami /groups`.
9. Run `net localgroup administrators`.
10. Run `manage-bde -status`.
11. Run `gpresult /r`.
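The Mini Lab steps above, gathered by one read-only PowerShell script so the Record items can be filled in from a single run. This is an added example, not part of the original guide; it assumes Windows 10/11 with the built-in Defender, NetSecurity and BitLocker modules, an elevated session, and a placeholder test-folder path.

```powershell
# Added example, not part of the original guide: read-only collection of the
# Mini Lab "Record" items. Run from an elevated PowerShell on Windows 10/11.
# $TestFolder is a placeholder path used only for the permissions scenario.
$TestFolder = Join-Path $env:USERPROFILE 'sec2-permtest'

# Defender: protection state and signature freshness
# (same data as Windows Security > Virus & threat protection)
$mp = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection   = $mp.RealTimeProtectionEnabled
    SignatureVersion     = $mp.AntivirusSignatureVersion
    SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
} | Format-List

# Firewall: one row per profile; compare Public against Private
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Current user, local Administrators members, and whether this session is
# actually elevated. Group membership alone does not mean elevation; UAC
# still gates it, which is the distinction the memory trick above makes.
$me = whoami
$adminMembers = Get-LocalGroupMember -Group Administrators |
    Select-Object Name, ObjectClass, PrincipalSource
$tokenHasAdmin = [bool]((whoami /groups) -match 'BUILTIN\\Administrators')
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user: $me"
"Administrators group in token: $tokenHasAdmin  Elevated now: $elevated"
$adminMembers | Format-Table -AutoSize

# BitLocker: per-volume state (same data as manage-bde -status)
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage |
    Format-Table -AutoSize

# Permissions scenario: create the test folder and VIEW its NTFS ACL only.
# Nothing here modifies permissions (lab step 4: do not remove permissions).
New-Item -ItemType Directory -Path $TestFolder -Force | Out-Null
(Get-Acl -Path $TestFolder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The `IsInherited` column answers the "Whether permissions are inherited" record item; `gpresult /r` is left as a separate step because its output is long.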
Record:
- Defender protection status:
- Defender update status:
- Firewall profile active:
- Current user:
- Admin group membership:
- BitLocker status:
- Group Policy result available:

Permissions scenario:
1. Create a test folder.
2. Right-click > Properties > Security.
3. View permissions only.
4. Do not remove permissions.

Record:
- One user/group listed:
- One permission listed:
- Whether permissions are inherited:

## Quick Check Before Quiz

You are ready for the SEC-2 quiz when you can answer these without looking:
- What is the difference between NTFS and share permissions?
- Which encryption protects an entire Windows volume?
- Which encryption protects individual NTFS files/folders?
- What does UAC do?
- What does `gpupdate /force` do?
- Where do you check Defender status?
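A worked model of the NTFS vs. share permissions rule from earlier on this page (most restrictive wins, Deny overrides Allow, share permissions only apply over the network). This is an added example, not from the guide; the rights levels, group names and ACL entries are constructed, and the four-level scale is a simplification of real NTFS rights.

```powershell
# Added example, not from the guide: a simplified model of how NTFS and share
# permissions combine. Rights are reduced to four ordinal levels; real NTFS
# rights (FullControl, Modify, ReadAndExecute, ...) are richer than this.
$levels = @{ None = 0; Read = 1; Change = 2; Full = 3 }

function Get-EffectiveAccess {
    param(
        [string[]]$UserGroups,   # groups in the user's token (compare: whoami /groups)
        [hashtable[]]$NtfsAcl,   # entries: @{ Identity; Rights; Type = 'Allow'|'Deny' }
        [hashtable[]]$ShareAcl,  # same shape; only consulted when -OverNetwork is set
        [switch]$OverNetwork
    )
    # Effective level from one ACL: any matching Deny wins, otherwise the highest Allow.
    function Resolve($acl) {
        $mine = $acl | Where-Object { $UserGroups -contains $_.Identity }
        if ($mine | Where-Object { $_.Type -eq 'Deny' }) { return 'None' }
        $best = 'None'
        foreach ($e in ($mine | Where-Object { $_.Type -eq 'Allow' })) {
            if ($levels[$e.Rights] -gt $levels[$best]) { $best = $e.Rights }
        }
        return $best
    }
    $ntfs = Resolve $NtfsAcl
    if (-not $OverNetwork) { return $ntfs }   # local logon: share permissions do not apply
    $share = Resolve $ShareAcl
    # through a network share, the more restrictive of the two is what the user gets
    if ($levels[$share] -lt $levels[$ntfs]) { return $share } else { return $ntfs }
}

# Constructed sample: a Sales user reaching a folder that is shared with Change access
$groups   = @('BUILTIN\Users', 'CONTOSO\Sales')
$ntfsAcl  = @(
    @{ Identity = 'BUILTIN\Users'; Rights = 'Read'; Type = 'Allow' },
    @{ Identity = 'CONTOSO\Sales'; Rights = 'Full'; Type = 'Allow' }
)
$shareAcl = @( @{ Identity = 'BUILTIN\Users'; Rights = 'Change'; Type = 'Allow' } )

Get-EffectiveAccess $groups $ntfsAcl $shareAcl                 # logged on locally
Get-EffectiveAccess $groups $ntfsAcl $shareAcl -OverNetwork    # through the share
$ntfsAcl += @{ Identity = 'CONTOSO\Sales'; Rights = 'Full'; Type = 'Deny' }
Get-EffectiveAccess $groups $ntfsAcl $shareAcl -OverNetwork    # after an explicit Deny
```

The three calls show the same user getting a different answer locally, over the share, and once a Deny entry is present, which is the comparison the first Quick Check question asks for.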