Section 4.1 Operating System Concepts

As you study this section, answer the following questions:

  • What are three ways you can access and manage Windows services?
  • How can you start or stop FTP services running on a Linux system?
  • What are some best practice system hardening configurations?
  • What is a hive composed of in a Registry database?
  • Where are configuration settings stored in a Linux system?

In this section, you will learn to:

  • Manage Linux services
  • Enable and disable Linux services
  • Disable Windows services
  • View process information

The key terms for this section include:

Term Definition
Windows servicesApplications that start when a computer is booted or when a designated event occurs. They run quietly in the background until shutdown or until manually stopped.
Linux servicesServe a similar purpose to Windows services. In Linux, these are also called daemons.
FTP serviceA protocol for transferring files over the internet.
DaemonA background process that is not tied to a running shell or terminal.
System hardeningThe process of reducing security risks to hardware, software, applications, networks, and processes through security policies and tools.
Windows RegistryA database for storing operating system, device, and software application configuration information.

This section helps you prepare for the following certification exam objectives:

Exam Objective
CompTIA CySA+ CS0-0031.1 Explain the importance of system and network architecture concepts in security operations.
  • Operating system (OS) concepts
    • Windows Registry
    • System hardening
    • File structure
      • Configuration file locations
    • System processes
    • Hardware architecture

1.2 Given a scenario, analyze indicators of potentially malicious activity

  • Network-related
    • Scans/sweep

2.1 Given a scenario, implement vulnerability scanning methods and concepts

  • Industry framework
    • Center for Internet Security (CIS) benchmarks

2.2 Given a scenario, analyze output from vulnerability assessment tools

  • Tools
    • Multipurpose
      • Nmap
TestOut CyberDefense Pro1.2 Monitor software and systems
  • Analyze executable processes
  • Review web application security

3.2 Implement system hardening

  • Disable unnecessary services
  • Check service configuration

4.3 Analyze indicators of compromise

  • Inspect systems for any signs of compromise

4.1.1 View Windows Services

Click one of the buttons to take you to that part of the video.

View Windows Services 00:00-01:35 In this demonstration, we're going to spend some time learning how to troubleshoot services on a Windows system. Services are special applications that run on Windows. They run in the background without a user interface. For example, if I were to come over here and launch Notepad, I see a user interface that I can use to interact with it.

If I go in to Task Manager, under Apps I see my Notepad executable. Notice down here that there's a lot of other software running on this system, but I see only Notepad on the Desktop.

We can see the same thing over here on the Details tab. These are all services. They run in the background. They don't provide a user interface like Notepad does, but they do provide us with critical services that are required for Windows to run. From time to time, these services have problems and you'll need to be able to troubleshoot them.

For example, on this system, I use a special piece of software to establish a remote connection with another computer over the internet. It allows me to communicate with that other computer so that I can provide tech support. Let's close these Windows and take a look at this software.

When I tried to establish this remote connection, I got an error message indicating that the service isn't responding. It's not that I can't contact the remote computer or that I have incorrect credentials. I can't even get the application to run properly.

So in this case, we need to do troubleshooting. The name of the application that I'm using here to establish the connection is TeamViewer. That gives me a good clue as to what service I need to look for to troubleshoot the problem. Let's go ahead and close this.

Use Services Desktop App 01:35-03:23 You troubleshoot services on a Windows system using the Services app. If you search for services.msc, you can click it from the search results and the app opens. Here, I see a list of all the services that are currently running on this system.

We see a list of each service. We see a description of what that service does. We see its current status; whether it's running or not. We see how it is started. Is it automatically when the system boots or does it have to be started manually? And we see the name of the user account that the system runs as on the system.

In this situation, I'm having trouble with my TeamViewer service. I scroll down and, sure enough, there is my TeamViewer service. If I look in the status column, I note right away that I've got a problem. Its startup type is set to Disabled. That gives me a clue right away that the service for whatever reason was not started when the system booted up.

I'll double-click the service and here I can configure various things. For example, notice here under startup type, it's been set to Disabled. That's why it's stopped.

If I click this drop-down list, I can now decide whether I want it to start manually, meaning I have to come in to the Services desktop app and start the service whenever I want to use it. Or, I can set it to automatic, in which case it'll automatically be started every time the system boots. That's what I want to do. I use this service frequently enough that I want it loaded when the computer starts. Click Apply.

If the service does not start, I have two things I can do. I can over here and click Start. Or, I can reboot the system. It says that the service is running, so I should be good to go. Click OK.

Here I can see TeamViewer is now set to Automatic and the Status is Running. If for some reason I needed to stop the service or restart it, I could come back here and do so. I'll close this Window.

Use Task Manager 03:23-04:10 Before we end, I want to show you that you can manage services a few more ways, the first being Task Manager.

Now, you can't do nearly as much in Task Manager as you can in the Services desktop app. But it still can be a useful tool. Let's go to the Services tab in Task Manager. You can see that all of the same services we just looked at are listed here as well.

For example, here's my TeamViewer service. Here is its current status; it's running. Within Task Manager, I can right-click the service and when I do, I can perform some basic management tasks such as restarting the service or stopping it.

If I right-click again, we can also go to Details. In that case, the process associated with that service is highlighted and I can see some information about that process listed here. Let's close Task Manager.

Use Msconfig 04:10-04:50 Be aware that you can also use the system configuration tool to manage services on the system. Let's come down, type msconfig, press Enter and then click Services. Here, you can enable or disable particular services at startup in this interface by checking these boxes.

Now that being said, as you go through this list of services, you probably won't recognize very many of these. You won't know whether a service is necessary or not. So be very careful before you go through here and start disabling services. Before you do that, go ahead and go on the internet and search the name of that service to find out what it is, what it does, and if it's necessary for the system to run or not.

Summary 04:50-05:11 That's it for this demonstration. In this demo we talked about troubleshooting services. We discussed what a service is, we practiced using the Services desktop app to troubleshoot services. We explained how to use Task Manager to troubleshoot services and we optimized services using the system configuration utility.

4.1.2 View Linux Services

Click one of the buttons to take you to that part of the video.

View Linux Services 00:00-00:30 During the information gathering phase of a penetration test, you'll probably collect information about services running on different systems. You may have used nmap or other tools to discover services, and now you need to actually work with them. It's important to know many things about services: how to start them, see if they're running, stop them, restart them, enable them, and disable them. For this demo, we're going to work with an Ubuntu Linux system and practice working with some services.

View Services Using the systemctl Command 00:30-01:23 I'm already logged on to the system, and I'll start the terminal. I have a shortcut here, but you can also go here, to Show Applications, and then search for 'terminal' in the search box.

We are going to use the systemctl command to view all running daemons. Services on Linux are usually run as daemons. A daemon is a background process that isn't tied to a running shell or terminal. Using the 'systemctl list-units --type=service' command, we get a list of running service daemons. The output is stopped at the pages end, meaning we have to scroll down with the arrow keys or press the space bar to see the next page. I'll press the space bar once, then again, and note the various running daemons.

We have a ssh daemon waiting for incoming connections. Here, there's an FTP service. On this system, there's no reason to have FTP running, so let's see how we can stop it.

I'll clear my screen.

Start and Stop FTP Services 01:23-02:45 To manage the services, I'm going to use the 'systemctl' command again.

Let's look at my FTP server. First, I want to see its status. So, let's type 'sudo systemctl status vsftpd' and press Enter. It says it's enabled, but it's currently stopped.

I'm going to use my up arrow to get to the last command, change it from status to 'start', and press Enter. Now I'll arrow up until I see status and press Enter again.

I can see that it's running along with some statistics, such as how long it's been up. I can also see the process ID, or PID, right here. Let's clear the screen.

Now I'm going to use my up arrow to go back to my last command. I'm going to backspace here, get rid of the word start and type in 'stop' to stop the FTP service.

I'll type 'clear' to clean up the screen. Now let's arrow up to status again, press Enter, and see what's going on. This last line says it's stopped.

I'll press Ctrl+C to exit this command and then type 'clear'.

Now, what if I made changes to my FTP server, and I need to restart the service? I can just do a restart. Let's up arrow to the last command, backspace here, type in 'restart', and press Enter. Arrow up to the last command, backspace, and change this to 'status'. Press Enter, and you can see my service restarted. I'll clear the screen again.

Enable and Disable FTP Services 02:45-03:49 So far, we've stopped and started our FTP service. But what if I want to have it start at system startup? Or, perhaps, not start when the system starts up?

First, let's see if the service is enabled or not. I can do that with the 'is-enabled' command. I'll arrow up to the last command and change this part to 'is-enabled'. Press Enter, and right here, it says that it's enabled.

What if you want to have your service start every time your system starts? You can do that by changing this to 'enable' and pressing Enter. Now you can see the status is enabled.

If I don't want the service to start, I'll arrow up and change this to 'disable'. Press Enter, and that'll tell this system not to start FTP at startup. I'll arrow up and change this to 'status', and you can see that, up here, it says disabled. So when the system boots, FTP won't start. Note that the service is still running at the moment because all we did was keep it from running at startup; we didn't stop it from running at this moment.

Summary 03:49-04:06 That's it for this demo. In this demo, we worked with system services. First, we viewed the services to see what was on our system. Then we practiced stopping, starting, enabling, and disabling services.

4.1.3 System Hardening and Configuration Files

This lesson covers the following topics:

  • System hardening
  • Windows Registry and file system
  • Configuration files
  • System processes
  • Hardware architecture

System Hardening

System hardening enhances the security of an operating system, application, device, or service by reducing its attack surface. Hardening involves enabling or disabling specific features and restricting access to sensitive areas of the system, such as protected operating system files, Windows Registry, configuration files, and logs. Hardening includes disabling unnecessary services, limiting user privileges, patching the operating system, and many other changes.

Best-practice hardening configurations can be very complex. Examples of best-practice hardening guides include DoD STIGs ( https://public.cyber.mil/stigs/ ) and CIS Benchmarks™ ( https://www.cisecurity.org/cis-benchmarks/ ). Version 1.0.0 of the CIS Microsoft Windows 11 Enterprise Benchmark contains over 1,200 pages of recommendations.

A screenshot of the C I S benchmark website listing several downloadable benchmarks for the Microsoft Windows operating system.

A screenshot of the CIS Benchmarks™ website. (Screenshot courtesy of Center for Internet Security® and CIS Benchmarks™.)

Windows Registry and File System

The Windows Registry is a database for storing operating system, device, and software application configuration information. The Registry is comprised of a set of five root keys that contain computer and user databases.

  • The HKEY_LOCAL_MACHINE (HKLM) database governs system-wide settings.
  • The HKEY_USERS database includes settings that apply to individual user profiles, such as desktop personalization.
  • HKEY_CURRENT_USER is a subset of HKEY_USERS with the settings for a logged-in user.

The Registry database is stored in binary files called hives. A hive comprises:

  • A single file (with no extension)
  • A .LOG file (containing a transaction log)
  • A .SAV file (a copy of the key as it was at the end of setup)
  • An .ALT backup file

Most of these files are stored in the C:\Windows\System32\Config folder, but the hive file for each user profile (NTUSER.DAT) is stored in the folder holding the user's profile.

Windows Registry Files stored in C:\Windows\System32\Config
Subkey Name Description
SAM (Security Accounts Manager)Stores username information for accounts used on the current computer.
SECURITYLinked to the security database of the domain the current user is logged onto.
SOFTWAREContains settings for software and the Windows operating system.
SYSTEMContains settings for drivers and file systems.
DEFAULTContains settings for the LocalSystem account profile.

Configuration Files

Linux does not have a Registry database like Windows. All configuration settings are stored in text files saved in the file system. As a general rule, all configuration files are contained within subdirectories of the /etc directory but are also often located in /usr, /opt, /var, among others.

Software applications and operating systems (including Windows) use configuration files extensively. They allow the operating system and applications running on it to be configured and depend upon different formatting standards.

Some common configuration file format standards include the following:

  • Initialization file (INI) - Uses key-value pairs associated using an equal sign (Example: MicroscopeType=3DMic9).
  • eXtensible Markup Language (XML) - Uses tag formatting similar to HTML and is often used by APIs to exchange information.
  • Yet Another Markup Language (YAML) - YAML files use a colon (Example: first_name: Adam) and careful indentation to associate groups of settings and are an increasingly popular format.
  • JavaScript Object Notation (JSON) - Similar formatting to YAML with the addition of {} and [] brackets to group settings. Typically, associated applications are written using JavaScript.

System Processes

System processes are background tasks that run on a computer without user interaction and often without the user's knowledge. System processes, such as the operating system kernel and other system services, are essential for the operating system to manage system resources, such as memory, network connections, and hardware devices. System processes can also be used to launch applications and perform other tasks. Examples of system processes include antivirus scans, disk defragmentation, user authentication, printing, and system updates.

Hardware Architecture

Hardware architecture describes the underlying technology used by a device to perform computational tasks. Operating systems and applications are designed to run on a specific hardware architecture. Different architectures emphasize different characteristics, such as scalability, raw processing power, power management, and other features. ARM and x86 architectures are common, with x86 dominating desktops, laptops, and server computers, and ARM architectures dominant in smartphones, tablets, and single-board computers like the Raspberry Pi. Software designed to run on one architecture cannot run on another without using an emulator.

4.1.4 Scanning and Terminating Processes

Click one of the buttons to take you to that part of the video.

Scanning and Terminating Processes 00:00-01:01 In this demonstration, I'm going to show you how to scan for and terminate processes running on a Linux system. Before we do that that, keep in mind that you should always try to cleanly exit a process running on your Linux system.

For example, if I open gedit, you see I can cleanly exit this program and its associated processes using the X button. Likewise, if I have a daemon running on the system, then I should use the systemctl command to shut down that service. But there may be times when these options don't work, and you'll need to find and kill a running process from the command line. You might have a process running on your system that's hung, and using the traditional interface to close it isn't working. Or maybe you've found a process started by an attacker, such as in a zombie attack, and you want to kill it immediately.

Regardless of the need, there are several different commands you can use to manually terminate that process. Let's look at three of them: kill, killall, and pkill.

Kill Command 01:01-01:39 We'll start with the kill command. Let's run 'gedit' again, but this time I'll use the ampersand (&) to run the program in the background. This makes working in the shell prompt a little easier.

As we look at each of these commands, keep in mind that each process started in Linux is assigned a Process ID number, or PID. With this Linux distribution, when I started gedit, it showed me the PID – in this case, 4050. Most of the time the process will already be running, and your job is to find out which process to kill. A simple way to do that is to run the ps command. When you run this command, you see the same PID for gedit.

Kill Signals 01:39-03:18 The full syntax for the kill command is to enter 'kill', a dash (–), and then the kill signal that you want to send to the process, such as 15, followed by the process ID, 4050. When I press Enter, gedit is killed.

If the process you're running isn't playing nice, you may need to use a different kill signal. To see which kill signals are available, you can type ‘kill -l', which displays a list of all the different kill signals available. Some of these signals are more useful than others. There are four you should be familiar with.

The first one is kill signal number 15, or SIGTERM. This signal tells the process to terminate immediately and allows the process to clean up after itself before exiting. In fact, if you kill a process without specifying a kill signal, the default kill signal is 15.

The next kill signal to be familiar with is number 1, or SIGHUP. SIGHUP sends a signal to restart the process. After restarting, the process will be assigned the same PID number that it had when it was running previously.

The third signal is signal 2, or SIGINT. It sends a Ctrl + C sequence to the process. The one I want to discuss is number 9, or SIGKILL.

SIGKILL is more of a brute force process and, in most cases, should only be used when the other signals we discussed aren't killing a hung process or the process initiated by a cyberattack. If you have to use kill 9, be aware that the process may not be able to clean up after itself. The resources that were allocated to the process will remain allocated until you restart the system--it leaves a lot of junk behind.

killall Command 03:18-04:24 In addition to kill, you can also use the 'killall' command. This command adds the ability to kill all processes without knowing the PID. It also kill all the processes that matches the specified criteria as long as the criteria matches exactly.

To see how this works, we're going to use the ‘yes' command, which will output a string repeatedly until it's killed. To do that, I'll type t ‘yes > /dev/null &'. This sends the string generated by the yes command to the standard null output. Let's do this several more times.

Now when I run ps, you see I have 3 ‘yes' processes running. To kill all these processes with one command, I need to type ‘killall -15 yes'. But before doing that, let me show you what happens if I don't use the full name of the process. To do that, I'll delete the ‘S'. When I press Enter, you see there are no Y E processes running, so the kill command fails. But when I use the full name, it finds all the yes processes and kills them all.

pkill Command 04:24-05:13 Next, we have the pkill command. The pkill command is very similar to killall. You don't need to know the PID, and it kills all processes that match the options entered. pkill also lets you kill process where the criteria is only a partial match.

Let's start several more yes processes as an example. Okay, now we have three yes process running again. Let's run ‘pkill -15 ye'. Remember, when we tried this with killall, it failed. But as you can see, pkill found and killed all the yes processes. Although this is very handy, it can also be very dangerous. If you're not familiar with all the processes running on your system, you may inadvertently kill a process you didn't intend to. So use this command carefully.

Locate Zombie Processes 05:13-06:27 This leads us into the last topic I wanted to cover. As I mentioned earlier, a system may have processes running as a result of a zombie attack. You would want to use one of these kill commands to terminate that process. In most cases, you would use kill -9. That's easy. The difficult part is finding the zombie process.

One way to find zombie processes is using the ‘ps aux' command. The added ‘aux' options represent the three things the ps command will look for. ‘a' tells ps to show the processes for all users. ‘u' displays the user or owner of the processes. And ‘x' includes the processes not attached to a terminal.

So, let's see how it works. Let's add the pipe sign (|) and the word ‘less' and press enter. The less command lets you page through the results more easily. When looking for zombies, you'll want to look in the ‘STAT' column for the letter Z. When I page down to the bottom, I see I have one zombie process running, with a PID of 4256. Notice the letter Z in the STAT column. I'll type q to get out of the ps dialog. And now, I'll kill the zombie process by tying ‘kill -9 4256, and it's gone.

Summary 06:27-06:50 That's it for this demonstration. In this demo, we talked about how to find and kill processes. First, we looked at the kill command. Then we used the killall command and the pkill command. We ended this demonstration with finding zombie processes using the ps aux command and then killing that process.

4.1.7 Disable Windows Services

You are the security analyst for a small corporate network. You have had problems with users installing remote access services like Remote Desktop Services and VNC Server. You need to find, stop, and disable these services on all computers running them.

In this lab, your task is to:

  • Use Zenmap to run a scan on the 192.168.0.0/24 network to look for the following open ports:
    • Port 3389 - Remote Desktop Services (TermServices)
    • Port 5900 - VNC Server (vncserver)
    • Answer Questions 1 and 2.
  • Disable and stop the services for the open ports found running on the applicable computers.
    Use the following table to identify the computers:
  • IP AddressComputer Name
    192.168.0.30Exec
    192.168.0.31ITAdmin
    192.168.0.32Gst-Lap
    192.168.0.33Office1
    192.168.0.34Office2
    192.168.0.45Support
    192.168.0.46IT-Laptop
Last Updated: