
Chapter 4

Windows Security
Prologue / Chapter 1: This Machine Kills Secrets / Whistleblowers

Dr Rudi Rusdiah
T1005
March 18, 2017
1. User awareness; 2. Never use defaults; 3. Defense in Depth strategy.
Windows security is the security of the enterprise network. It is critical for
Defense in Depth (DiD): (1) a general methodology to slow down and obstruct
attackers; (2) reduce the damage from an attack or security incident; (3) give the
administrator time to react to a threat.
The onion shows the layers of protection (fig 4.1). An attacker sees a
vulnerability and explores it until resistance (Defense in Depth, DiD) is met;
attackers take the path of least resistance. The largest group of attackers,
script kiddies, are immature, anarchist hackers who acquire tools developed by
knowledgeable hackers. Attackers are opportunistic. With DiD the attacker must be
knowledgeable and able to execute several attacks.
Most of these tools target a single vulnerability or flaw. The perpetrator affects a
networked device, i.e. a host or server. Secure Windows OS / Firewall / Windows
Workstations: Ease of use vs security, www.microsoft.com/security/protect: (1)
Internet firewall; (2) updated antivirus; (3) backup and testing; (4) endpoint
protection.
Microsoft Recommendation
Ease of use and installation of off-the-shelf packages with rich default features;
the price to pay: less secure, more vulnerability.
Ease of use vs Security: www.microsoft.com/security/protect:
(1) Use an Internet firewall. A firewall prevents hackers, viruses and worms from
accessing your computer.
(2) Update antivirus software. Update daily using the automatic update available in
Windows 2000 Service Pack 3 or later. Microsoft suggests antivirus from Computer
Associates, McAfee Security or Symantec, keeping it up to date.
(3) Backup and testing.
General Process of SYSTEM HARDENING (Note: Windows Workstation = Win PC):
Establish a plan to harden any host connected to the Internet, even one on a LAN or
sharing files with another PC. It takes 50 hours.
Never put an out-of-the-box OS on a LAN, unless it is a secure test LAN. OEM Windows
is designed for a wide audience of general-purpose PCs.
Never put a Win PC that has previously been on the Internet, even for 1 hour, onto a
trusted LAN. It poses a risk to the other PCs.
Any Win PC that has been on the Internet unprotected should be completely rebuilt
before putting it into a trusted environment.
Hardening systems on the Net (continued)
Turn off unneeded ports on the Windows PC. Run nmap to scan for open ports on the
LAN. Running netstat -a lists the open ports on the PC.
Turn off unneeded services.
Use the Microsoft Update site for recommended patches and upgrade the OS.
Install and maintain a good antivirus application.
Put a personal firewall on the PC to deter attacks (DiD). Free versions: ZoneAlarm by
Zone Labs or Tiny Firewall by Tiny Software.
Do not run highly visible services (Web, mail, file sharing, information sharing,
LDAP, FTP) on a PC without a business case.
Run the reliable secure version: SSH instead of Telnet; IMAP instead of POP3; Secure
FTP instead of FTP.
Identify mission-critical applications and maintain their security patches.
Establish a program to scan the PC periodically and determine why a port is open.
Use strong passwords. Change passwords frequently, every 60 days.
Operate safely: do not run unknown software. Do not open email from strangers. Do not
open attachments you did not expect. Remove unneeded data and history files from the
PC. Use encryption.
Watch for performance issues.
Run a host-based intrusion detection system (HIDS) to detect unauthorized activity on
critical hosts. The admin should spend a couple of hours a week on HIDS.
Out-of-the-box (OOTB) OS Hardening
Prior to system hardening: physically disconnect the PC from the network. An OOTB
installation of Windows on a LAN is targeted within minutes, even seconds; too fast for
the admin to harden the system.
If reinstalling Windows on the PC, back up data and system settings:
- Write down the type of video card and memory.
- Record the NIC type and TCP/IP settings. If using wireless, record the SSID and any
  encryption keys.
- Check dial-up connections for phone numbers.
- Check the bookmark pages in the Web browser.
- Record the printer, sound card, webcam and scanner configuration and drivers.
The General Process of System Hardening:
Assess the role and responsibility of the PC and its place in the LAN.
Acquire hardening procedures from PCs with a similar role (use winmsd.exe to list
applications and settings).
Install a clean version of the OS; then document the changes and burn a ghost image
(snapshot) onto a CD-RW disk.
Remove services that are not required; document the changes and burn another ghost
image.
Remove any extra unneeded applications.
Check and close ports. Detect them using netstat -an: any protocol listed in the result
with a status of LISTENING has an open port.
Locate and close any shares. Open shares can be checked with net share, which shows
the share name and the resource (folder) being shared. You can disable sharing through
Windows Explorer by clicking the properties of the folder.
Install a personal firewall on the Windows system, thoroughly test the system and burn
the final ghost image.
You can obtain the list of Windows services using the net command: net start.
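The netstat step above, as an added example that is not part of the original slides: a small Python checker that parses the output of netstat -an on a Windows PC and reports listeners that are not on an approved baseline. The netstat text and the approved list are constructed for the demonstration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an` output in Windows format. It mirrors the
# six ports the slides report open on a baseline Windows 2003 install, plus one
# established client connection that must not be reported as a listener.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    192.168.1.12:1040      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.12:138       *:*
"""

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_listeners(netstat_output: str) -> Set[Tuple[str, int]]:
    """Return the (proto, port) pairs that accept inbound traffic.

    TCP counts only in state LISTENING; a bound UDP socket has no state column
    and is treated as open.
    """
    listeners: Set[Tuple[str, int]] = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or unrelated text
        # Port follows the last ':' (also correct for IPv6 forms like [::]:445).
        port = int(m["laddr"].rsplit(":", 1)[1])
        if m["proto"] == "TCP" and m["state"] == "LISTENING":
            listeners.add(("tcp", port))
        elif m["proto"] == "UDP":
            listeners.add(("udp", port))
    return listeners


def audit_listeners(netstat_output: str,
                    approved: Set[Tuple[str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    """Compare observed listeners with an approved baseline.

    'unexpected': open but not approved, so it needs a business case or closing.
    'missing':    approved but not open, so a service is down or the baseline is stale.
    """
    observed = parse_listeners(netstat_output)
    return {"unexpected": sorted(observed - approved),
            "missing": sorted(approved - observed)}


if __name__ == "__main__":
    # Constructed approved list: a workstation that should only expose SMB.
    report = audit_listeners(SAMPLE_NETSTAT, {("tcp", 445)})
    for kind, ports in report.items():
        print(f"{kind}: {ports}")
```

Run it against real output by piping netstat -an into a file and passing its contents to audit_listeners with the list agreed in the hardening plan.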
Install Windows 2003 Enterprise Edition & Open Ports (1/2)
Baseline installation, no special features. 6 ports were found open in a scan of 65530
ports using nmap and Nessus.
Port/Service: 135/tcp loc-srv; 137/udp netbios-ns; 139/tcp netbios-ssn;
445/tcp microsoft-ds; 1025/tcp NFS-or-IIS; 1026/tcp LSA-or-nterm
-------
Port 135/tcp: Microsoft Data Circuit Terminating Equipment (DCE) Locator Service, aka
endpoint mapper (named pipes) = Sun RPC (Remote Procedure Call) port mapper. Microsoft
DCE RPC manages services remotely. DHCP (Dynamic Host Configuration Protocol), DNS
(Domain Name System) and WINS (Windows Internet Name Service) use port 135. If there
is a flaw in the Windows RPC interface, the host can be compromised and attacked by a
worm or by executing arbitrary code to gain System privileges and control the host.
The MS03-026 security bulletin patch fixes the flaw exploited by the MSBlast (or
Lovsan) worm. Remote DCE services answer queries; attackers connecting to port 135 can
gain more knowledge of the remote host.
Solution: www.microsoft.com/technet/security/bulletin/MS03-039.asp (or -026.asp)
Port 139 NetBIOS Session (TCP): the Windows File & Printer Sharing port. SMB (Server
Message Block) runs on port 139. The most dangerous port on the Internet: 10% of MS
Windows users left their hard disk exposed on this port. The first port exploited by
hackers, usually blocked by the firewall.
Port 139 NetBIOS Session (UDP): the remote host runs the NetBT name service. If it
suffers from the memory disclosure problem, an attacker sends a special NetBT name
service request, and the reply contains random arbitrary data from the remote host's
memory, i.e. fragments of web pages the remote user viewed, POP passwords, sensitive
information, etc. This flaw is used by attackers to pull the contents of the remote
host's memory.
Install Windows 2003 Enterprise Edition & Open Ports (2/2)
Port 445 SMB (Server Message Block): in Windows 2000, Microsoft created a new transport
for SMB over TCP and UDP on port 445, replacing the old ports 137-139, and the Common
Internet File System (CIFS).
Logging into a remote host using a null session: using a null user name and password
grants the user guest access. The computer name of a Windows 2003 host can be
determined through the null session, which may help an attacker. Disable null sessions.
Ports 1025/1026: dynamically assigned ports for any program that requests them.
Example of a DCE service running via this port:
UUID: 1. Version 1 Endpoint ncacn_ip_tcp:192.168.1.12[1025] IPSec policy agent endpoint.
Port 1026: nmap reports that an LSA (Local Security Authority) server or the nterm
application is running.
These are sample inherent problems of an OOTB installation of MS Windows systems. The
installed system was not intended for file sharing or for serving DHCP, NFS, IIS, LSA
or nterm, yet, apparently, the ports are open and exposed to compromise.
Install Windows 2003 Enterprise Edition & More Tips
Do not use Autorun (untrusted code can run underground), or an attacker can put in a CD
with a script to run.
File permissions: lock down file-level permissions on the server. By default Windows
does not apply specific restrictions on local files and folders; the Everyone group gets
full permission. To harden the OS this group must be removed.
Registry: hardening is done in the GUI, although many features must be set directly in
the Registry, and vulnerabilities are found in the OS registry.
FAT (File Allocation Table) security: in many network scenarios, security features are
inactive. NTFS (New Technology File System) allows file-level permissions. The admin
should make sure all Windows servers are formatted with NTFS and proper permissions are
applied.
User group rights: Standard: User; Domain Admin; Power User; Backup Operator. The admin
keeps tighter control on the network user permission infrastructure. Only domain admins
have the right to log on locally to any machine in the server environment.
Create or edit user-level accounts: all accounts other than Administrator should be
reset to Restricted User. Use net accounts or net localgroup at the command prompt.
1. Must enter user name and password; maximum password age 360 days, minimum 0 days.
Minimum length 14 characters (letters, numbers and special marks).
2. Account lockout after 3 invalid logon attempts. Duration 15 minutes.
Install Windows 2003 Enterprise Edition & More Tips (continued)
Secure Windows Business PC: typically the user is not an admin; a general computing
device and protocol.
Word processing and office productivity: disable macros.
Email: only an email client is needed, not an email server. Use virus protection. The PC
should use SSH (Secure Shell) so that traffic is encrypted and not sniffed on the LAN.
Web browsing: do not download from unknown websites.
File transfer: if downloading a file, only turn on the transfer capability for a short
time.
File sharing: use F/S to share files. Use antivirus and pest control. Kill pop-up
windows.
Note: the firewall blocks outside access to word processing, email, browsing and file
transfer.
Secure Windows Game PC: similar to the secure business PC. Games can be an uncontrolled
means of introducing malcode (malicious logic) in hardware, software or firmware: logic
bombs, Trojan horses, viruses and worms.
Three cases: (1) Shrink-wrapped game from a trusted source. The software is put on an
exposed trusted LAN. After use the PC should be rebuilt with a new OS. Check for
abnormal conditions as a security risk.
(2) Unauthorized game from an unknown source: risky. The PC should be isolated,
considered compromised and not trusted to interact with trusted LANs.
(3) If the PC is connected to the Internet it should only be used for gaming. No private
data should be there, and it cannot be connected to a trusted network.
Tips: Installing Applications, Antivirus (AV)
After the OS has been hardened, it is time to install applications. Only the limited set
of applications needed to perform the user's mission is allowed, reducing the risk from
attack.
AV protection: a virus is a PC program embedded in another program or data file that
can copy itself when the infected file is opened or executed. It can even maliciously
delete files on the hard disk. Focus not only on the system but also on the virus code
itself. AV signatures: patterns of bits inside a virus that let the AV detect the virus.
Vendors: Symantec, Network Associates, Computer Associates. AV: real-time protection and
scheduled scanning.
Viruses and worms spread via:
(1) bootable floppies, flash disks etc., from machine to machine; (2) file sharing: the
W32/NetSky virus duplicates itself on every open file; (3) email attachments; (4)
downloading from the Internet; (5) exploiting a vulnerability in an application.
Virus protection controls focus on: (1) using an antivirus application; (2) Windows
vulnerability configuration, i.e. stop NetBIOS shares between PCs. A virus can exploit
the trust established by two users when NetBIOS is set up between two PCs; (3) user
training and awareness.
Once running, a virus or worm can connect to applications running on other Windows PCs
to exploit a vulnerability, e.g. in a SQL database: SLAMMER, which jumps from host to
host.
Personal Firewalls (PFW) & Secure Shell
PFW software runs on the user's PC, provides a perimeter and blocks incoming and
outgoing LAN traffic. A PFW is more effective than a perimeter firewall at preventing
insider attacks.
Secure Shell (SSH): secures connections over a network by encrypting passwords and data.
SSH is a program for logging into and executing commands on a remote machine. It
replaces rlogin and rsh, providing secure encrypted communication between two untrusted
hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can be forwarded via the secure channel.
Authentication method: SSH supports RSA-based authentication. Encryption and decryption
use separate keys, and it is not possible to derive the decryption key from the
encryption key. Each user creates a public/private key pair for authentication. The
server knows the public key and only the user knows the private key.
SSH opens a command prompt window (terminal session) to the server/host. SSH essentially
opens an encrypted Telnet session and is used to encrypt email traffic via the port
forwarding option; POP3 email is sent and received in the clear and is easily read,
not encrypted, from the mail server on port 110 (POP3 email).
When establishing the SSH connection, forward Windows client port 65110 to the mail
server's port 110 (POP3 email). The email will be encrypted because it travels via SSH
port forwarding. A Windows port can also be forwarded to port 25, SMTP (Simple Mail
Transfer Protocol), on the mail server. (Chapter 8 SMTP)
Secure FTP (File Transfer Protocol) & PGP (Pretty Good Privacy)
Secure FTP or sFTP is a file transfer client program that enables file transfer between
a Windows PC and an FTP server. It uses the same authentication as SSH. sFTP can
transfer, delete and rename files, create and delete directories and change file access
rights.
Using sFTP is the recommended alternative to NetBIOS file shares. sFTP requires running
a separate FTP server, and an sFTP server daemon must run on the Windows PC.
PGP: a public key (PK) encryption package to protect email and data files and to
communicate securely with anyone who has a PK. Public key exchange does not require a
secure channel to exchange keys, so it is simple. The PK can be emailed or put on a
website. (Chapter 16)
PUTTING THE PC ON THE NETWORK: it takes seconds for a local attack on a new PC. The PC
should be hardened, all open ports tested and a vulnerability scan run against attack
(pentest).
Physical security: a UPS to prevent lost data and hard disk failure. Backup. Firewall.
IDS (Intrusion Detection System). (Chapter 13)
Data Class & Limit use of NetBIOS
Common data classification: (1) Company Sensitive: this document should not be divulged
to the public without an NDA (Non-Disclosure Agreement), i.e. competitive information;
(2) Department Restricted: information should stay within the department (i.e. payroll);
(3) Personal or Private: should not be available to anyone beyond the individual or the
few people who need to process the data; (4) Eyes Only.
Data should be stored properly in a hierarchy on the Windows PC. Sensitive data should
be PGP-encrypted, password-protected or zipped.
Files should be stored and handled properly; media should be properly locked up;
obsolete data should be destroyed immediately.
Avoid viruses, worms and Trojan horses. Protection against the spread of malcode:
Turn off any automatic preview feature; some messages have embedded scripts that
execute. Do not open any email from strangers that has an attachment (social
engineering).
Turn off macros in Excel and Word.
Use a good password: minimum 8 characters containing special characters. Six
alphanumeric characters (a-z, 0-9) can be cracked in 60 days, so passwords should be
changed regularly (30 days). Never use default, null, bypassed or reused passwords.
Test new questionable applications, especially downloads from the Internet or free
software that is not shrink-wrapped from the store.
Be sensitive to system performance: excessive unexplained hard disk or network activity;
frequent system crashes; unusual application behavior.
Data Class & Limit use of NetBIOS (continued)
Limit the use of NetBIOS, which is used for the convenient sharing of files in the
office or at home. NetBIOS supports print sharing. NetBIOS session vulnerabilities make
the Win PC a target.
Remove NetBIOS from Windows, or disable NetBIOS in the network preferences.
If NetBIOS is used, strong passwords should be used; limit the shared folders; use the
command net share or the command net use.
Avoid NULL sessions: a session established with a server in which no user authentication
is performed. No user name and password; access can be done anonymously. A hacker can
put a Trojan horse in via a null session.
To establish a null session: net use <mount point> \\<host>\<path> /user: (empty user
name and password), where <host> = system name; <mount point> = local mount point.
The net command is a powerful command line tool: net accounts; net computer; net config;
net share; net start, etc.
Keep current with Microsoft upgrades and patches, and also antivirus signatures.
Microsoft security bulletin rating system: Critical (vulnerability allowing propagation
of Internet worms); Important (vulnerability whose exploitation compromises CIA
(Confidentiality, Integrity and Availability)); Moderate; Low (minimal impact and
exploitation is difficult).
Scan for vulnerabilities and open ports periodically. (Chapter 18)
Monitoring & Attacks Against Windows PCs
Hardening Windows and protecting the network tends to address known security issues.
The admin can monitor for risky behaviour as follows:
1. System logs; 2. Mail logs; 3. Failed access attempts; 4. Application errors;
5. Changes to critical files; 6. Permissions on critical files; 7. Performance tests;
8. Disk usage.

Clean up / purge the system: 1. Remove any programs that were installed and are no
longer used; 2. Archive and remove old work projects that are no longer active;
3. Check to make sure any company-sensitive data was removed; 4. Run Windows tools for
cleaning the hard disk, i.e. remove any cache.
Prepare for the eventual attack (Chapter 17, www.sans.org):
Attack: Viruses, i.e. Melissa, spread by Microsoft Word files (the Normal.dot template)
when the file is opened; email viruses, usually in the attachment: the ILOVEYOU virus in
spring 2000 used Visual Basic (VB) Script and infected the user's address book. VB
script can be removed by deleting the association of VBE and VBS with Windows Scripting
Host.
WORMS: code able to replicate itself while propagating to other hosts, and sometimes
destructive. The worm must first exploit a vulnerability on the remote host. Worms target
the most highly visible applications, such as Microsoft's web server, Internet
Information Server (IIS). A worm has a much more complex routine than a virus targeting
a company, which is designed to embed itself in binary executable files.
Trojan Horses
A program that masquerades as a legitimate application, while also performing a covert
function. When the Trojan horse runs, the user has every indication that their
application is running. However, the Trojan horse also runs additional code in the
background to perform some covert activity.
To identify a Trojan, check for EXE files that have been altered. This is most easily
done by baselining CRC (Cyclic Redundancy Check) values.
Trojans have a distribution problem: they do not propagate on their own. They rely on
the user accepting a questionable executable from an untrusted source (like social
engineering).
Trojan horses are a powerful threat: they bypass most security controls such as
firewalls, intrusion detection systems (IDS) or ACLs (Access Control Lists).
The key feature of a Trojan is that it has the capabilities and permissions of the user,
in the hands of a malicious user.
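The CRC baselining method described above, as an added example that is not part of the original slides: a Python tool that records CRC32 (and, because CRC32 is not collision resistant, SHA-256) for every executable under a directory, stores the baseline as JSON, and later reports altered, new and missing files. The directory contents in demo() are constructed; the file-type list is an assumption for illustration.

```python
import hashlib
import json
import os
import tempfile
import zlib
from typing import Dict, List

# File types worth baselining; the slides talk about EXE files, the rest are
# other executable formats Windows runs or loads (assumed list).
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".com", ".scr", ".bat")


def fingerprint(path: str) -> Dict[str, str]:
    """CRC32 (as the slides describe) plus SHA-256 of one file, read in chunks.

    CRC32 catches accidental or careless changes but is not collision resistant,
    so the SHA-256 digest is what really proves the file is unchanged.
    """
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "sha256": sha.hexdigest()}


def build_baseline(root: str) -> Dict[str, Dict[str, str]]:
    """Fingerprint every executable under root, keyed by '/'-separated relative path."""
    baseline: Dict[str, Dict[str, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = fingerprint(full)
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, str]], path: str) -> None:
    """Write the baseline as JSON; keep a copy off the host (e.g. with the ghost image)."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, str]]:
    with open(path) as fh:
        return json.load(fh)


def compare(baseline: Dict[str, Dict[str, str]],
            current: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Altered (content changed), new (not in baseline) and missing executables."""
    altered = [p for p in baseline if p in current and current[p] != baseline[p]]
    new = [p for p in current if p not in baseline]
    missing = [p for p in baseline if p not in current]
    return {"altered": sorted(altered), "new": sorted(new), "missing": sorted(missing)}


def demo() -> Dict[str, List[str]]:
    """Run the whole cycle on a constructed directory: baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        files = {"app.exe": b"MZ constructed application",
                 "tools/helper.dll": b"MZ constructed helper",
                 "readme.txt": b"not an executable, ignored"}
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        base_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), base_path)
        # Simulate a Trojaned binary, a dropped binary and a removed one.
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b"\x90\x90 appended code")
        with open(os.path.join(root, "tools", "extra.exe"), "wb") as fh:
            fh.write(b"MZ dropped by attacker")
        os.remove(os.path.join(root, "tools", "helper.dll"))
        return compare(load_baseline(base_path), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the moment it was taken, so build it right after the clean install and hardening, before the PC goes on the network.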

Spyware and ad-supported software: software applications that gather information about
the workstation and the user. The information is sent back to the developer or
distributor of the spyware to prepare ads or revise marketing campaigns.
Cookies can potentially contain a wide range of personal and sensitive data.

Ransomware
Spyware & Big Brother
Refers to a set of applications that intentionally snoop on and monitor user activities
in a covert manner. This is reminiscent of Big Brother in George Orwell's 1984. These PC
surveillance tools report detailed information back to the person installing the
spyware. Typical information that can be reported includes:
- User keystrokes, to capture passwords and other very sensitive data.
- Copies of e-mails: e-mails sent or received can be forwarded to the person wanting to
  monitor the user.
- Copies of instant messages: essentially, any communication to and from the PC can be
  copied and sent to the spyware's owner.
- Screen snapshots: even encrypted communications will at some point be displayed in the
  clear on the screen. At this point, the spyware can take a screen shot and send the
  image to the developer of the spyware.
- Other usage information: login times, applications used and Web sites visited are
  examples of data captured and reported back.
Spyware that reports to its owner relies on stealth to accomplish its mission. If the
user knows that the spyware is present, they will remove the spyware, change their
behavior, or otherwise avoid the use of the particular applications being monitored.
A number of commercial products claim to detect spyware, maintaining a database of
known spyware applications.
Tempest Attacks & Backdoors
Transient electromagnetic pulse emanation standard (TEMPEST) attacks consist of
capturing electromagnetic radiation leaking from electronic equipment. This is usually
done by analyzing the electromagnetic radiation from the monitor. Because TEMPEST
attacks can be carried out at a distance of tens of yards, this can be a concern when
dealing with very sensitive data. The best protection against TEMPEST attacks is:
- Do not operate systems opened up or in a manner inconsistent with FCC guidelines. The
  FCC regulates the emissions from PCs to keep down broadcast interference.
- Limit the processing of very sensitive data to TEMPEST-certified systems.
- Be aware of the surrounding environment.
- If a problem is suspected, have the environment checked for TEMPEST emissions.
Backdoors: a means for an attacker to easily get into Windows workstations. Often, the
initial attack on a workstation is difficult and potentially detectable by a firewall or
IDS device. So the attacker will install an application that will allow him to get back
into the workstation quickly and easily. These backdoors are often stealthy and
difficult to detect. If a Windows workstation has been on the Internet unprotected and
unhardened for more than a day, it most likely has been rooted and has a backdoor
installed. In such a case, the best thing to do is wipe the system clean and re-install
Windows.
Denial of Service Attack (DoS) & File Extensions
Security is concerned with Confidentiality, Integrity and Availability. It is a security
loss if you are denied access to your data or the capability to use your resources. When
an attacker prevents a system from functioning normally, that is a denial-of-service
(DoS) attack.
DoS attacks are difficult to prevent. Every PC device has limited capabilities. Many DoS
attacks push the device to its limits and cause it to fail. DoS attacks will often
access the device in a normal manner, but so frequently that no other user can access
the same device. The device does not fail, but because legitimate users cannot access
the device, a DoS situation exists.
Windows can best prevent DoS attacks by taking the following actions:
- Install a personal firewall. Use a firewall on the network.
- Limit unnecessary PC applications. In particular, if the following are not needed:
  Web server, mail server, FTP server, file server.
File extensions
Windows has a feature that hides file extensions from the user, which makes the system
more user friendly. By hiding the extensions, malicious code is able to masquerade as
something benign. For example, a user opens a file named readme.txt, knowing that simple
ASCII text files cannot contain malicious code. However, the user will be at risk if the
file name is readme.txt.bat, because the true extension, .bat, is hidden by Windows. Now
if the user opens the file by double clicking on it, the
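The readme.txt.bat masquerade described above, as an added example that is not part of the original slides: Python code that shows what Explorer displays when extensions for known file types are hidden, and flags names whose visible part looks like a document while the real (final) extension is executable. The extension sets are assumptions chosen for illustration, not a Windows setting.

```python
import os
from typing import Dict, List, Optional

# Extensions Windows treats as code. The slides name .bat, .vbs and .vbe; the
# others are further well-known executable types, included as an assumption
# for illustration rather than a complete list.
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".scr", ".pif", ".vbs", ".vbe", ".js", ".wsf"}
# Extensions a user reads as a harmless document (assumed list).
BENIGN_EXTS = {".txt", ".pdf", ".doc", ".xls", ".jpg", ".gif", ".htm", ".html"}


def true_extension(name: str) -> str:
    """The extension Windows actually acts on: everything after the final dot."""
    return os.path.splitext(name)[1].strip().lower()


def displayed_name(name: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file types' is on:
    only the final extension disappears, so readme.txt.bat is shown as readme.txt."""
    if not hide_known_ext:
        return name
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def masquerade_report(name: str) -> Optional[Dict[str, str]]:
    """Flag a name whose visible part looks like a document but which runs as code.

    strip() also catches the padding trick ('invoice.pdf      .scr'), where spaces
    push the real extension out of view in a narrow Explorer column.
    """
    real = true_extension(name)
    shown = displayed_name(name)
    apparent = os.path.splitext(shown)[1].strip().lower()
    if real in EXECUTABLE_EXTS and apparent in BENIGN_EXTS:
        return {"file": name, "shown_as": shown, "runs_as": real}
    return None


def scan_names(names: List[str]) -> List[Dict[str, str]]:
    """Run the check over a directory listing (a constructed list in the usage below)."""
    reports = []
    for name in names:
        report = masquerade_report(name)
        if report:
            reports.append(report)
    return reports


if __name__ == "__main__":
    # Constructed listing with two disguised executables.
    for r in scan_names(["readme.txt", "readme.txt.bat", "setup.exe", "Invoice.PDF      .scr"]):
        print(f"{r['file']!r} is shown as {r['shown_as']!r} but runs as {r['runs_as']}")
```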
Packet Sniffing & Hijacking & Session Replay
Packet sniffing: Windows is vulnerable to having its network traffic intercepted and read
by another PC on the same LAN segment. Now, tools such as ettercap are available to
attackers that allow them to read the traffic in a switched environment. In a hub
environment, the traffic can be read passively without the Windows user being affected.
In the switched environment, the tools set up a man-in-the-middle attack, in which the
traffic is intercepted, copied and sent on to the intended destination.
Using packet sniffing, the attacker can read all the user's Internet traffic, including
e-mail, instant messages and Web traffic. With regard to Web traffic, the attacker sees
every screen just as the user does. The best Windows protection against packet sniffing
is to use encryption whenever possible. The attacker can still intercept the traffic,
but it will be encrypted and of no use.
Hijacking and session replay: hijacking occurs when a TCP/IP session is observed and
captured by a network sniffer. The session has an originator and a target host. The
attacker captures traffic sent out by the originator. The attacker can then modify the
captured traffic to allow the attacker to appear to be the target host. The traffic is
now sent to the attacker instead of the original target host. All future traffic in the
session is now between the originator and the attacker. Session replay occurs when a
TCP/IP session is captured by a network sniffer. Some aspect of the session is modified
(certain replays, such as transferring bank funds, may not require modification). The
modified session is then fed back onto the network and the transaction is replayed.
Social Engineering
A method to gain valuable information about a system from personnel. The attacker uses a
little bit of inside information to gain the trust of the victim. With this trust, the
victim ends up providing sensitive data that the attacker uses to exploit the system
further.
Example: pretending to be an authority figure, an attacker may call the help desk and
tell them that they forgot their password and need immediate access to a system in order
not to lose a very important client. Many situations can be made up, depending on what
information has already been gained about the enterprise and the particular application.
In some cases, the attacker will construct a situation that creates a lot of pressure on
the personnel to get information fast.
It should be assumed that serious and malicious attackers will always want to use social
engineering to make their work easier. Information that does not contribute to the
mission of the Windows PC should not be in a public forum; this information might make
the social engineering task easier. For example, user names and IDs should not be
displayed in a manner that is visible to a stranger.
Social engineering is the hardest attack to defend against and potentially the most
damaging. Despite the best training, people will share critical and sensitive
information in an effort to get the job done. The attacker can then do some very
damaging things with this information. If the information obtained contains user IDs and
passwords, the attacker can essentially do anything that a legitimate user can do.
THE END - QUESTIONS & ANSWERS
Specific PC System Hardening Recommendations
- Enable the built-in Encrypting File System (EFS) with NTFS.
- Remove Enable LMhosts lookup.
- Disable NetBIOS over TCP/IP.
- Remove ncacn_ip_tcp.
- Set MaxCachedSockets (REG_DWORD) to 0.
- Set SmbDeviceEnabled (REG_DWORD) to 0.
- Set AutoShareServer to 0.
- Set AutoShareWks to 0.
- For NullSessionPipes and NullSessionShares, delete all value data inside.
- If the workstation has significant random access memory (RAM), disable the Windows
  swapfile. This will increase security, because no sensitive data is written to the
  hard drive.
- Set specific users to have access to shared folders. This will prevent other users
  (except administrato
- Set the number of users allowed to access a shared folder to a reasonable number. If
  the folder is to be accessed by only 1 user, set users to 1.
- If encryption of folder contents is available (as in the XP Professional version), use
  it.
- Apply appropriate Registry and file system ACLs.
- Protect the registry from anonymous access.
- Display a legal notice before the user logs in.
- Set the paging file to be cleared at system shutdown.
- Set strong password policies.
- Set an account lockout policy.
- Enable auditing of failed logon attempts and privilege requests.
- Secure LDAP features.
- Remove exploitable sample data from IIS.
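The registry-level items in the list above (AutoShareServer, AutoShareWks, SmbDeviceEnabled, NullSessionPipes/NullSessionShares, clearing the paging file at shutdown), as an added example that is not part of the original slides: a Python audit that reports which recommendations are not in effect, treating an absent value as its Windows default. The key paths are the standard HKLM locations for these values; the two snapshots are constructed; MaxCachedSockets is left out because the slides give no key path for it.

```python
from typing import Callable, List, Optional

# Key paths (under HKEY_LOCAL_MACHINE) where these values live.
LANMAN = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NETBT = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
MEMMGMT = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

# (key, value name, expected value, effective default when the value is absent, why)
# The "absent" default matters: a missing AutoShareServer still creates C$ and ADMIN$.
CHECKS = [
    (LANMAN, "AutoShareServer", 0, 1, "administrative shares are auto-created"),
    (LANMAN, "AutoShareWks", 0, 1, "administrative shares are auto-created"),
    (LANMAN, "NullSessionPipes", [], [], "named pipes reachable over a null session"),
    (LANMAN, "NullSessionShares", [], [], "shares reachable over a null session"),
    (NETBT, "SmbDeviceEnabled", 0, 1, "SMB direct hosting listens on TCP 445"),
    (MEMMGMT, "ClearPageFileAtShutdown", 1, 0, "page file may retain sensitive data"),
]

# A reader maps (key, value name) to the stored value, or None when absent.
Reader = Callable[[str, str], Optional[object]]


def audit(read: Reader) -> List[str]:
    """Return one finding per recommendation that is not in effect."""
    findings: List[str] = []
    for key, name, expected, default, why in CHECKS:
        actual = read(key, name)
        effective = default if actual is None else actual
        if effective != expected:
            state = f"absent (default {default!r})" if actual is None else repr(actual)
            findings.append(f"{key}\\{name} is {state}, want {expected!r}: {why}")
    return findings


def snapshot_reader(snapshot: dict) -> Reader:
    """Reader over a constructed {(key, name): value} dict, usable on any OS."""
    return lambda key, name: snapshot.get((key, name))


def winreg_read(key: str, name: str):
    """Reader for a live Windows host (HKLM); REG_MULTI_SZ comes back as a list."""
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            return winreg.QueryValueEx(handle, name)[0]
    except FileNotFoundError:
        return None


# Constructed snapshots. OOTB: nothing set, two null-session lists populated.
OOTB_SNAPSHOT = {
    (LANMAN, "NullSessionPipes"): ["COMNAP", "COMNODE", "SQL\\QUERY"],
    (LANMAN, "NullSessionShares"): ["COMCFG", "DFS$"],
}
# The same box after the slides' settings have been applied.
HARDENED_SNAPSHOT = {
    (LANMAN, "AutoShareServer"): 0,
    (LANMAN, "AutoShareWks"): 0,
    (LANMAN, "NullSessionPipes"): [],
    (LANMAN, "NullSessionShares"): [],
    (NETBT, "SmbDeviceEnabled"): 0,
    (MEMMGMT, "ClearPageFileAtShutdown"): 1,
}

if __name__ == "__main__":
    for line in audit(snapshot_reader(OOTB_SNAPSHOT)):
        print(line)
    print("hardened findings:", audit(snapshot_reader(HARDENED_SNAPSHOT)))
```

On a Windows host, call audit(winreg_read) from an administrative prompt; some of these values only take effect after the Server service or the machine restarts.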
Data Class & NetBIOS & Null Session (continued)
Null sessions allow easy inter-host communication, usually at the service level, and
expose information to an attacker that compromises the security of a system: listing
user names allows the attacker to reduce the time needed to carry out a brute force
attack on a user account.
They can also provide an attacker with an enumeration of the machines and resources in
the domain.
A null session can be used to establish a connection to the share \\Servername\IPC$.
IPC = Inter-Process Communication. IPC$ is a special hidden share that allows
communication between two processes.
Conduct frequent backups: after installation and hardening, burn a ghost image; prior to
patches and upgrades, back up all data.
Upgrades and patches: security is an ever-changing arena; hackers constantly adapt and
explore attacks.
Microsoft rating for security: 1. Critical; 2. Important; 3. Moderate; 4. Low.
Be sensitive to the performance of the system: attackers try to keep activity below the
radar.
- Excessive hard disk activity
- Excessive or unexplained network activity
- Frequent system crashes
- Unusual application behavior
Periodically Re-evaluate & Rebuild
Peak performance: after the WS has its highest security level, prior to being built and
hardened.
