# Week 3 - Operating Systems

### Weekly Objectives

- Comprehensive coverage of how to set up users and groups on a single machine in both the Linux and Windows operating systems
- Basic comfort using the command line in both Windows and Linux
- Understanding of the basics of virtualization and knowledge of setting up a virtual lab
- Understanding of how to install VirtualBox Guest Additions so guest operating systems run with native-like performance and screen resolution
- Ability to set up git easily in a virtual environment to commit/pull resources as needed when scripting in different operating systems


##### MAIN POINTS

- Windows User Management
    - Authorization and Authentication
    - Strong Password Policy
    - User and Group Management
        - cmd.exe
            - net localgroup
            - net users
        - Powershell
            - TBD
        - Group Policy Editor
        - ACL/ACE
        - icacls
        
- Linux Introduction and User Management
    - What is bash?
    - What is a shell?
    - What is RTFMP?
    - Basic Linux Commands
        - ls
        - cd
        - mv
        - ps
        - cp
        - mkdir
        - rm
    - User and Group Management
        - adduser/useradd
        - deluser
        - delgroup
        - usermod
        - groups
        - groupadd
        - groupmod
        - groupdel
        - /etc/passwd
            - 7 fields
                - Username
                - Password in /etc/shadow
                - UID
                - GID
                - Comment (GECOS: full name, etc.)
                - Home dir
                - Shell
        - /etc/shadow
            - 5 fields
                - Username
                - Password
                - Last Password Change
                - Min 
                - Max
                - Warn
                - Inactive
                - Expire
        - /etc/subuid
        - /etc/group
        - /etc/gshadow
        - /etc/subgid
        - sudo
        - su
        - passwd
        
- File Permissions
    - Windows
        - icacls
    - Linux
        - chmod
            - Bit modes
        - chown
        
- Service Management
    - Windows
        - tasklist
            - tasklist | findstr chrome
        - taskkill
        - net start/stop
        - sc (Service Control)
        - Start-Service/Stop-Service/Get-Service
        - Get-Process/Stop-Process
    - Linux
        - ps
            - ps | grep chrome
        - kill -9 8822
        - killall
        - top/htop
        
- Network Sharing Windows
    - How to setup share
    - How to see existing shares on a PC
        - Computer Management -> System Tools -> Shared Folders
    - Default shares
        - Defaults for accessing hard drive remotely for administrators
        - ADMIN$
        - C$
        - Cannot delete them, Windows will re-create
        - Not visible browsing the network but can be mapped by name
        - Easily exploited by malware when Administrator accounts have no password
            - XP changed default to guest permissions if accessing remotely with no password

- Encrypting File System
    - Only on professional and higher versions
    - Right click on the file or folder and select Properties -> General tab -> Advanced -> Encrypt contents to secure data
    - The file is inaccessible by any other means of reaching the file system outside your account
    - Can also make the file hidden as an extra measure (not strong)
    - Not portable to other installations of Windows since it's bound to the account and password; a duplicate account on another machine has a different security ID
    
- Bitlocker
    - Ultimate and Enterprise versions > 8/8.1
    - Encrypts the whole drive
    - Requires TPM on motherboard

- Bitlocker to Go
    - Only applies encryption and password protection, not TPM chip
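
The /etc/passwd and /etc/shadow field lists above describe what a local-account audit has to parse. As an added example (not part of the course material), this Python script reads constructed records of both files, joins them by username, and flags the classic findings: a second UID-0 account, an empty password field, and a password past its max age. All sample values are made up; note that shadow carries a ninth reserved field after the ones listed above.

```python
# Constructed sample records, not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:Bob Example,,,:/home/bob:/bin/bash
backup2:x:0:0:legacy backup:/root:/bin/sh
guest:x:1002:1002::/home/guest:/bin/bash
"""
SHADOW = """\
root:$6$salt$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:$6$salt$fakehash:18000:0:90:7:::
backup2:$6$salt$fakehash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

def parse_passwd(text):
    """/etc/passwd: name:x:uid:gid:comment(GECOS):home:shell, 7 fields per line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _, uid, gid, gecos, home, shell = fields
        accounts[name] = dict(uid=int(uid), gid=int(gid), gecos=gecos, home=home, shell=shell)
    return accounts

def merge_shadow(accounts, text):
    """/etc/shadow: name:hash:lastchg:min:max:warn:inactive:expire:reserved (9 fields)."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow entry: {line!r}")
        name, pw_hash, last, _, max_days = fields[:5]
        if name in accounts:  # shadow holds the password data that passwd's "x" points to
            accounts[name].update(hash=pw_hash, last_change=int(last or 0),
                                  max_days=int(max_days or 99999))
    return accounts

def audit(accounts, today):
    """Return (account, finding) pairs; `today` is days since the epoch, as in shadow."""
    findings = []
    for name, a in accounts.items():
        if a["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 on a non-root account"))
        if a.get("hash") == "":
            findings.append((name, "empty password field: login needs no password"))
        elif a.get("hash", "*")[0] not in "*!" and today - a["last_change"] > a["max_days"]:
            findings.append((name, "password older than its max age"))
    return findings
```

Locked accounts (hash starting with `*` or `!`) are skipped by the age check, so system accounts like daemon do not produce noise.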

### Day 1 - Monday - 4 hours
- Lab: Get Guest Additions installed on everyone's computers (30 mins)
- Discussion: Authentication, Authorization and Best Practices for A Security Policy (30 mins)
- Hands On Lecture: Basics of User and Group Management in Windows (2 hours)
    

### Day 2 - Tuesday - 4 hours
- Lab: Look at repositories and playbooks and give feedback (30 minutes)
- Lecture: Brief coverage of what an ACL is and the use of icacls (20-30 mins)
    - [Intro to Windows Access Control Lists]( http://localhost:8888/notebooks/Modules/Hardware%20%26%20Operating%20Systems%20-%20Intro%20to%20Windows%20Access%20Control%20Lists.ipynb)
- Lecture: Basics of User and Group Management in Ubuntu Linux (60-90 mins)
- Lab: Decide on local security policy on each of the three main servers and implement (20 minutes)
- Lab: Hardware & Operating Systems - Intro to User and Group Management Exercise (90-120 mins)

### Day 3 - Saturday - 9 hours
- Morning Challenge: Cyber Patriot Seinfeld Image (60-90 mins)

- Hands On Lab: Code Clean Up and Repo Maintenance (30 mins)

- Finish up Group Exercise for both Windows and Linux (1-3 hours)

- Lab: Setup Bitlocker encryption on the two main Windows servers (30-45 mins)

- Lecture: File Encryption and Bitlocker (30 mins)
     - NOTE: Windows 10 now has 600 million users, not all PCs
     - Encrypting File System
        - Only on professional and higher versions
        - Right click on the file or folder and select Properties -> General tab -> Advanced -> Encrypt contents to secure data
        - The file is inaccessible by any other means of reaching the file system outside your account
        - Can also make the file hidden as an extra measure (not strong)
        - Not portable to other installations of Windows since it's bound to the account and password; a duplicate account on another machine has a different security ID

    - Bitlocker
        - Ultimate and Enterprise versions > 8/8.1
        - Encrypts the whole drive
        - Requires TPM on motherboard

- Lecture: Security Hardening Fundamentals (60-90 mins)
    - What's at risk?
        - DATA
    - Basic Principles:
        - Principle of Least Privilege
        - Defense in Depth
        - Keep It Simple
        - Compartmentalization
    - Basic Password Security
        - Password length (combinations of lowercase letters only, i.e. 26^n)
            - 4 chars: 456,976 combinations
            - 5 chars: 11.8M
            - 6 chars: 308.9M
            - 7 chars: 8B
            - 8 chars: 200B
            - 9 chars: 5.4T
            - 10 chars: 141T
            - 12 chars: 95Q
        - Password complexity
            - Does it work?
        - Password rotation
            - Does it work?
        - Password reuse
            - Does it work?
        - Recommend passphrases & 12 character min
        - Password manager
            - Install LastPass
        - Multi-factor Auth
            - Something you know
            - Something you have
            - Something you are
    - Disable guest accounts
    - Secure Patches and Automatic Updates
        - Windows Updates
        - Ubuntu unattended-upgrades
        - Security Patch Notifications
            - Sign up for notifications for our servers
            - WE WILL BE NEEDING TO PROTECT THESE SERVERS AT ALL TIMES
        - Shared accounts and account maintenance
            - Lab: Generate an employee onboarding/exit document
    - Encryption
        - Encrypt everything
        - Disk Encryption
        - BIOS Passwords
    - Admin Workstation Hardening
        - Lock Screen
            - Always lock when you leave
            - Locking Shortcuts
            - Enable on suspend/hibernation/awake
    - Basic Browser Security
        - HTTPS Everywhere
        - Adblock Plus
        - Privacy Badger
        - NoScript(optional)
    - Windows Anti-virus
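
The combination counts in the password-length table above are 26^n, i.e. lowercase letters only. As an added example (not from the course material), this Python snippet recomputes them, puts the same lengths next to an assumed 95-character printable alphabet, and converts each keyspace into a worst-case exhaustion time at an assumed 10^10 guesses per second; where the lecture's figures differ it is because they are truncated rather than rounded.

```python
# Alphabet sizes used for comparison (assumed sets, chosen for illustration).
LOWERCASE, MIXED_ALNUM, PRINTABLE = 26, 62, 95

def keyspace(length, alphabet=LOWERCASE):
    """Distinct passwords of exactly `length` symbols drawn from an alphabet of that size."""
    return alphabet ** length

def seconds_to_exhaust(length, alphabet=LOWERCASE, guesses_per_second=10**10):
    """Worst-case time to try every candidate at an assumed offline guessing rate."""
    return keyspace(length, alphabet) / guesses_per_second

def human(n):
    """Format a count with the suffixes the lecture table uses (M, B, T, Q)."""
    for div, suffix in ((10**15, "Q"), (10**12, "T"), (10**9, "B"), (10**6, "M")):
        if n >= div:
            return f"{n / div:.1f}{suffix}"
    return f"{n:,}"

def table(lengths=(4, 5, 6, 7, 8, 9, 10, 12), rate=10**10):
    """Rows of (length, a-z count, printable count, days to exhaust printable at `rate`)."""
    return [(n, human(keyspace(n)), human(keyspace(n, PRINTABLE)),
             seconds_to_exhaust(n, PRINTABLE, rate) / 86400) for n in lengths]

if __name__ == "__main__":
    print(f"{'len':>3} {'a-z only':>9} {'printable':>10} {'days @1e10/s':>13}")
    for n, lower, printable, days in table():
        print(f"{n:>3} {lower:>9} {printable:>10} {days:>13.3g}")
```

The last column makes the lecture's point concrete: each extra character multiplies the attacker's work by the alphabet size, which is why length beats complexity rules.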

- Lecture: Set up SSH and sudo (60 mins)
    - sudo advantages
        - `/etc/sudoers`
        - no shared passwords
        - easy to remove users from privileged roles
        - sudo provides an audit trail
            - show example in `/var/log/auth.log`
        - edit with visudo `/etc/sudoers`
            - validation editor
        - grant access to groups, not users
            - can restrict access to specific executables
                - `%dbs ALL=(postgres) /usr/bin/psql`
            - can restrict access to custom scripts
                - `bob ALL=(root) /usr/local/bin/restart_nginx`
        - Try not to use NOPASSWD
    - `/etc/ssh/sshd_config`
        - Disable root login
        - Ensure you're using newer SSH protocol version 2
        - Disable password login
   
    - SSH
        - What is SSH?
            - private/public key pair
        - Make sure SSH is installed
            - `sudo apt-get install openssh-server`
        - `ssh-keygen`
        - `ssh-add/ssh-add -t`
            - Adds the key to ssh-agent in memory so you don't have to enter its passphrase multiple times
            - `ssh-add -t 10m` will add to ssh-agent for 10 minutes
        - `ssh-add -D` to delete any keys from memory
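
As an added example (not part of the lecture material), this Python script parses sudoers user specifications like the two shown above into who/host/runas/tags/commands and flags what the lecture warns against: NOPASSWD, an unrestricted ALL command list, and grants to individual users rather than groups. The deploy and alice rules are constructed; only the `%dbs` and `bob` lines come from the lecture, and this is a review aid, not a substitute for `visudo -c`.

```python
import re

# Constructed sudoers user specifications, not a real host's file (two are the lecture's own).
SUDOERS = """\
# members of dbs may run psql as postgres
%dbs ALL=(postgres) /usr/bin/psql
bob ALL=(root) /usr/local/bin/restart_nginx
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/journalctl
alice ALL=(ALL:ALL) ALL
"""

# who  host = (runas) [TAG:] command[, command ...]
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "SETENV", "NOSETENV", "LOG_INPUT", "LOG_OUTPUT")

def parse_sudoers(text):
    """Parse user-spec lines; Defaults lines, comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {line!r}")
        rest, tags = m["rest"], []
        while True:  # peel leading TAG: prefixes off the command list
            head, sep, tail = rest.partition(":")
            if not sep or head.strip().upper() not in TAGS:
                break
            tags.append(head.strip().upper())
            rest = tail.strip()
        rules.append({"who": m["who"], "host": m["host"],
                      "runas": m["runas"] or "root",  # sudo's default Runas is root
                      "tags": tags, "commands": [c.strip() for c in rest.split(",")]})
    return rules

def review(rules):
    """Flag rules that weaken the properties the lecture wants from sudo."""
    findings = []
    for r in rules:
        label = f"{r['who']} -> ({r['runas']})"
        if "NOPASSWD" in r["tags"]:
            findings.append(f"{label}: NOPASSWD, command runs without re-authenticating")
        if "ALL" in r["commands"]:
            findings.append(f"{label}: unrestricted command list; name specific executables")
        if not r["who"].startswith("%"):
            findings.append(f"{label}: granted to a user, not a group")
    return findings
```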

- Lecture: Setup 2FA on your server
    - `sudo apt-get install libpam-google-authenticator`
    - For user account run `google-authenticator`
    - Enable PAM:
        - /etc/pam.d/sshd
            - Add `auth required pam_google_authenticator.so`
                - OR: `auth required pam_google_authenticator.so nullok` to not force 2FA
            - Comment out `@include common-auth`
        - /etc/ssh/sshd_config
            - `ChallengeResponseAuthentication yes`
            - `AuthenticationMethods publickey,keyboard-interactive`
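
As an added example (not part of the lecture material), this Python checker reads constructed `sshd_config` and `/etc/pam.d/sshd` fragments and confirms the settings from the two lectures above: root login off, password login off, challenge-response on, publickey plus keyboard-interactive required, and the authenticator module present with `common-auth` no longer included. It also mirrors one sshd rule that trips people up: for each keyword, the first value in the file wins, so a duplicate lower down does not override an earlier line.

```python
# Constructed config fragments for a server set up per the lecture (not from a real host).
SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
passwordauthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
# a later duplicate: sshd keeps the FIRST value, so the next line is ignored
PermitRootLogin yes
"""
PAM_SSHD = """\
auth required pam_google_authenticator.so
# @include common-auth
"""
# keyword -> value the lecture's hardening steps require (sshd keywords are case-insensitive)
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "challengeresponseauthentication": "yes",
            "authenticationmethods": "publickey,keyboard-interactive"}

def parse_sshd_config(text):
    """Map lowercase keyword -> first value seen; stops at a Match block (conditional settings)."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # 'Keyword value', comments stripped
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings

def check_sshd(settings, expected=EXPECTED):
    """List settings that differ from the hardening the lecture asks for."""
    findings = [f"{k}: want {v!r}, got {settings.get(k)!r}"
                for k, v in expected.items() if settings.get(k) != v]
    if "1" in settings.get("protocol", "2").split(","):  # only old sshd honours Protocol
        findings.append("protocol: version 1 still enabled")
    return findings

def check_pam(text):
    """/etc/pam.d/sshd must load the authenticator module and no longer include common-auth."""
    active = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    if not any("pam_google_authenticator.so" in l for l in active):
        findings.append("pam_google_authenticator.so not enabled")
    if any(l.startswith("@include common-auth") for l in active):
        findings.append("common-auth still included: a password prompt stays alongside the OTP")
    return findings
```

Modern OpenSSH only speaks protocol 2 and ignores the `Protocol` keyword, so the checker only complains if a config explicitly enables version 1.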
        
- Lecture: Windows and Linux Firewalls (30-60 mins)
    - What is a firewall?
        - Ingress traffic
        - Egress traffic
    - Windows Firewall
    - Linux Firewall
        - iptables
        - ufw
    
- Lecture: Virtualization (30 mins)
    - What is virtualization?
    - What is a hypervisor?
    - What is the cloud?
    - Qubes
        
### Resources
- [A+ Ninth Edition Study Guide](https://drive.google.com/file/d/1sBO4JPU8b43FzC03mTctugJc-ICHLZlP/view?usp=sharing)
- [A+ 220-902 Exam Study Objectives](https://drive.google.com/open?id=1iQiPuF129U91mHgp1A2SPvf-0FuR43rT)
- [Professor Messer A+ 220-902 Series](https://www.youtube.com/playlist?list=PLG49S3nxzAnmLq5TLtC0udUaXSaRiPc4v)
- [How to edit sudoers file on Ubuntu and CentOS](https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos)


### Self Study Objectives
- A+ Study Guide - Chapter 15 - Users, Groups and Permissions
- Accountability Log
- Read up on how TPM works


### Saturday Morning Challenge
-