# Basic Security

- Disable Guest Accounts
- Secure Patches and Automatic Updates
    - Windows Updates usually monthly
    - Ubuntu has unattended-upgrades
- Security Patch Notifications
    - Sign up for any security bulletins or notifications for any services you use in a system
        - Allows for zero-day fixes, must protect servers at all times

# Users and Groups

- **Users** are naive children, who cannot be trusted, which is why they are controlled in **Groups**
- Users can belong to multiple groups, which at a basic level reject or accept user actions
- All processes on a system are attached to a user, or can be accessed by certain users/groups
- Principle of Least Privilege (Good security policy)
    - Basically the principle of giving users as few privileges as possible
    - User should have a good reason to be given access to something

### Users

- Authorizing and Authenticating
    - Different meanings.  Authentication is verifying a user is legitimate (ex. username+password).
        - Usually there should be several layers of authentication due to vulnerabilities
    - Authorization involves permissions for a user, the programs and utilities available to a user
    
#### Authorization and Secure Passwords

**Basic Principles**
- Principle of least privilege
    - The less access a user has the better
    - Give access to one thing at a time, temporarily, and only with good reason
- Defense in depth
    - Have multiple levels of defenses, multiple firewalls, permissions, multi-factor authentication, etc.
- Keep it simple
    - Try to keep things as simple as possible for users, so they make fewer mistakes
- Compartmentalize
    - Keep different sections for various functions in a company in different VMs
       - If one VM is compromised, the rest of the system is safe

**Passwords**
- Setting up a secure password
    - Password length. Longer is better to avoid brute force methods.  Passphrases are effective.
        - 8 Characters: 200B permutations
        - 10 Characters: 141T permutations
        - 12 characters: 95Q permutations
    - Secure characters (e.g. minimum number of special characters/symbols)
    - Password manager (ex. LastPass), the reasoning being that you rely on a company whose job is to secure your passwords rather than on yourself
    - Resetting passwords, recycling passwords.  Minimum length of time and maximum length of time.
        - Subjective as far as time goes, but generally don't want users to have to reset password constantly/never
        - Passwords should require a cooldown to be recycled, or should never be recyclable
- Recommended strong password settings
    - Use a passphrase with 12+ characters
    - Password requires a rotation every week
    - Passwords cannot be reused
- Password Managers
    - Doesn't require users to remember all their passwords (can use a different, difficult password for each login)
    - Program is managed by a company whose job is to secure these passwords
    - Install LastPass
        - Can use a long and difficult password since it is the only password you need to remember
        - Can follow own secure password methods above for this password
- Multi-factor Authentication
    - Something you know
        - Some kind of password/information only you know
    - Something you have
        - Some kind of physical thing only you have
            - SMS text, credit card, ID, etc.
    - Something you are
        - Biometrics
            - Fingerprints, retinal scan, etc.

**Shared Accounts/Passwords**
- Users should not have shared accounts or passwords, nor should they share that information with anyone
- Users who are fired should be escorted out of the building for data security if they are a risk

**Encryption**
- If it can be encrypted, it should be
    - ex. Confidential messages/e-mails, disk, BIOS passwords
    
**Lock the Screen**
- Always lock screen when leaving
- Can use screen locking shortcuts
- Enable for all settings, suspend/hibernation/awake

**Basic Browser Security**
- Use Chrome or Firefox for plugins and a separate application 
- HTTPS everywhere: makes sure to use https for all websites if it is available
- Adblock Plus (or some adblocking software)
    - Many ads can have unwanted scripts
- Privacy Badger
    - Blocks website tracking
- NoScript
    - Stops JavaScript from running on a page
    

### Groups

**Role**
- Everything within the system has a role, which different users can access
- AWS (Amazon Web Services) is very role-based

**Organizational**
- Different levels of authorization for different sections of an organization

**User**
- Smaller servers can be specialized for each user on the system

**Resource**
- Grouping based on giving out resources
    
# Windows

**Types of users:**
1. Administrators
    - "God mode", admin accounts have access to everything and can do anything
    - Default for first account created (aka root)
2. Power Users
    - Most permissions available (almost admin level), but cannot install new devices or access other users' files or folders without explicit permissions set.  Can edit registry and system files.
3. Users
    - Cannot edit registry or access system files or other user account files without explicit permissions set.
    - Can create groups but can only manage the groups they create.
    - Known as "standard users"
4. Guests
    - Allows access to a guest account login
    - Best practice is to disable access since most systems don't allow guests

## Managing Users
    
### Computer Management Tool
    
- Search -> **Computer Management** -> Local Users and Groups
    - Can see the users and groups folders and the accounts that have been created
    - In Windows 10, may need to activate this service with run.exe -> lusrmgr.msc
        - Unavailable in Windows 10 Home edition

#### Creating users and groups in Computer Management

- Right click on a folder to create a new user/group
- To add a user to a group, go to the group and select users
    - Can choose to filter among various categories
    - Add various users to a group and apply
    - When creating a group or user, should try to make the comment descriptive
- Permissions for various files and folders can be set in the **Properties** tab
    - Navigate to security tab to grant permissions to various Groups or Users
    - Going to the **Advanced...** tab allows for special permissions for users and groups
        - **Inheritance**
            - Can break the inheritance of permissions from object's parent, uncheck inheritable permissions
            - Generally bad practice to disable inheritance, better to use "deny"

### CLI User and Group Management

- Use the **'net /?'** command to list the available net commands
    - Can search for specific groups with **'net localgroup XXXX'**
    - Create a new group with **'net localgroup _GROUPNAME_ /add /comment:"These people access XXX part of system"'**
    - Create a new user with **'net user _USERNAME_ _PASSWORD_ /add'**
        - Add the user to a local group with **'net localgroup _GROUPNAME_ _USERNAME_ /add'**

### User Account Control Settings

- Can be found in the search function
    - Changes when and how users are notified when changes are being made to a computer
    - Important because most desktops and users only have one account as an admin which allows root access
        - Makes Windows more easily targetable by malware
        - Should not disable alerts as it can clue you or the user in to unauthorized processes

### Local Security Policy

- Account Policies
    - Password Policy
        - This is where you can set the password settings for users
        - Things like password histories, age, length, etc.
            - Passwords should not allow for reversible encryption
    - Account Lockout Policy
        - Flags an account after a certain number of failed logins
        - Helps to prevent brute-force methods
- Local Policies
    - Audit Policies, User Rights Assignments
    - Security Options
        - Disable guest account through Security Options
        - Rename the administrator account to help stop malicious scripts
        - Can notify user to change password x days in advance
        - Disable ability to shutdown from login screen

**NTFS File System**

- File sharing system built around user/group permissions for Windows
- Folder permissions: full control, modify, read & execute, list folder contents, read, write
- File permissions: full control, modify, read & execute, read, write

**Encrypting a password with keybase**

- Make a keybase account
- Use the **keybase encrypt -m "_PASSWORD_" _username_** command
    - Save the encrypted message in a text file and maybe title the file indicating use
    - Retrieve and decrypt an encrypted message with **keybase decrypt -i _FILENAME_**

### Using icacls to change permissions

- Permissions
    - CLI permission management with **icacls** command
        - Grant
            - Equivalent to "Add" in the permissions gui
            - Using this command will add any permissions specified unless using the ':r' flag which replaces permissions
                - Example: **icacls test.txt /grant:r user115:(R)**
                    - Would overwrite all permissions to user115 for file test.txt to be READ only
            - **icacls _FILENAME_ /grant _USERNAME_:(_PERMISSIONFLAGS_)**
                - Some permission flag examples that could be used here would be (RX) which would give read and execute
        - Deny
            - Will remove permissions from a user
        - icacls _FILENAME_
            - checks all users' permissions for the file
        - Can use the Everyone username to apply grants/denies to all users


# Linux

- Use the **/** path to refer to the root folder (ex. ls /)
- Can use **ls /home** to find users on a system
- Use the **man _command_** to read the manual page for commands

### Changing permissions with CLI

- Permissions
    - Can check permissions on files and folders with ls -l command
        - example output: (drwxrwxr-x 4 user123 group1 4096 Jan 1 12:59 Documents)
            - Format for above example shows permissions, number of files in the directory, the user, group, permission code, date accessed, folder name
            - For the drwxrwxrwx format the first character signifies 'd' for directory or '-' for a file
            - The following three sets of 'rwx' (read, write, execute) each control for a user, group, and everyone else, in that order
    - Change permissions with the chmod command
        - Can change permissions for all files and folders contained in a folder with **chmod -R _PERMISSIONCODE_ _FOLDERNAME_**
        - Permission code is based on the rwx/rwx/rwx in a 4+2+1/4+2+1/4+2+1 format
            - If you want a file to be rwx/rw/r it would be **chmod 764 _FILE/FOLDERNAME_**
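
The 4+2+1 arithmetic above, worked through as an added example that is not part of the original notes: it converts a symbolic mode to its octal code, confirms what `chmod` actually set, and lists files that "everyone else" can write to. The helper names are hypothetical and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the original notes); helper names are hypothetical.
# Assumes GNU coreutils stat (-c '%a'), as on typical Linux systems.

# Convert a 9-character symbolic mode (rwxrw-r--) to its octal chmod code
# by summing r=4, w=2, x=1 inside each user/group/other triplet.
sym_to_octal() (
    sym=$1
    case $sym in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "expected a mode like rwxrw-r--" >&2; exit 1 ;;
    esac
    out=""
    for start in 1 4 7; do
        triplet=$(printf '%s' "$sym" | cut -c"$start-$((start + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
)

# Apply an octal mode to a scratch file and print the mode stat reports back.
mode_after_chmod() (
    dir=$(mktemp -d) || exit 1
    : > "$dir/sample.txt"
    chmod "$1" "$dir/sample.txt"
    stat -c '%a' "$dir/sample.txt"
    rm -rf "$dir"
)

# List regular files under a directory whose "everyone else" triplet has the
# w bit set, a common least-privilege finding.
world_writable() {
    find "$1" -type f -perm -002
}

# Constructed demo: one file at rwxrw-r-- (764), one at rw-rw-rw- (666).
demo() (
    dir=$(mktemp -d) || exit 1
    : > "$dir/ok.txt";    chmod "$(sym_to_octal rwxrw-r--)" "$dir/ok.txt"
    : > "$dir/loose.txt"; chmod "$(sym_to_octal rw-rw-rw-)" "$dir/loose.txt"
    (cd "$dir" && world_writable .)
    rm -rf "$dir"
)

demo   # prints: ./loose.txt
```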

## Users and Groups

### Groups
- the **groups _USERNAME_** command will show all the groups a user is a part of

**Adding a Group to a User**
- Use the **usermod -aG _groupname_ _user_** command to add a group to a user

**Deleting or Adding a Group**
- Use the **groupadd** or **groupdel** commands
    
### Users

**Adding a User**
- Several options to add a user
- use the **adduser _username_** command (must be root or use sudo command)
- on a Linux server will need to add the --force-badname flag (probably)
- to allow a user to create their own password use the **chage** command
    - ex. (**chage -d 0 _username_**), and from there can specify the password requires a change
- the **useradd _username_** command will just add a user with no real settings, so shouldn't really use this
    - users added this way won't have a home folder in most versions of Linux
    
**Removing a User from a Group**
- Use CLI command **sudo deluser _username_ _groupname_**

**Finding Users**
- Use the **cat /etc/passwd** command to find a full list of users
    - Can use this command to find user IDs
    - users with the /bin/bash ending cannot be logged into
    - **cat /etc/group** command shows all groups users are a part of
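
When auditing who belongs to a privileged group, the member list in /etc/group is only part of the answer: a user's primary group is recorded as a GID in /etc/passwd and is usually not repeated in the group's member field. The following added example (not part of the original notes) combines both files; the function names are hypothetical and the passwd/group contents are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original notes); function names are hypothetical.
# The passwd/group contents below are constructed sample data, not a real system.

# Write constructed passwd and group files into directory $1.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:alice
alice:x:1000:
bob:x:1001:
docker:x:998:alice,bob
EOF
}

# members_of GROUP PASSWD_FILE GROUP_FILE
# Prints every user in GROUP as a comma-separated list: users named in the
# group's member field (field 4 of the group file) plus users whose primary
# GID (field 4 of the passwd file) equals the group's GID (field 3).
members_of() {
    awk -F: -v g="$1" '
        FILENAME == ARGV[1] {                      # first file: group
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }    # second file: passwd
        END { for (u in seen) print u }
    ' "$3" "$2" | sort | paste -sd, -
}

demo() (
    dir=$(mktemp -d) || exit 1
    write_samples "$dir"
    for grp in sudo docker alice; do
        printf '%s: %s\n' "$grp" "$(members_of "$grp" "$dir/passwd" "$dir/group")"
    done
    rm -rf "$dir"
)
demo
```

On a real system, pass /etc/passwd and /etc/group as the two file arguments.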