Windows admin notes

From Helpful
Some fragmented windows-related notes (mostly admin stuff)

TODO: Cleanup

This article/section is a stub — probably a pile of half-sorted notes and is probably a first version, is not well-checked, so may have incorrect bits. (Feel free to ignore, or tell me)


Home, Work, Public, Private, Domain networks

The distinction between Public, Work, and Private networks seems to be used mostly by the Windows firewall.

What the distinction affects:

  • network discovery and file sharing
  • firewall rules, which can be set to apply only in domain, private, and/or public situations


Firewall:

The Windows firewall itself distinguishes these profiles:

  • Domain - if joined to a domain, and currently on its network
    • (if not joined to a domain, we can only be either private or public)
    • as restrictive as this domain's admins like it to be, for security / functionality
  • Private - on a network not associated with the account, an environment more known than public
    • e.g. your home network
    • e.g. a domain we know but are not currently joined to (you can be a member of only one at a time)
    • e.g. discoverability and sharing are enabled
  • Public - connected through on
    • generally the most restrictive, because these are unknown environments
    • e.g. discoverability and sharing are disabled


Profiles:

Discovery and file sharing settings can be set per such profile (see "Advanced sharing settings"); by default:

  • Private allows discoverability, and enables homegroup for file sharing
  • Work counts as a variant of private, which allows discoverability but not homegroup sharing
  • Public allows neither
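Checking which profile a network landed in, and keeping the Public profile the restrictive one, from PowerShell (an added example, not from these notes; it assumes Windows 8 / Server 2012 or newer, an elevated prompt for the Set-/New- cmdlets, and 'HOTEL-WIFI' is a placeholder network name):

```powershell
# 1. Which profile is each connected network currently classified as?
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity

# 2. Per-profile firewall behaviour: every profile should be enabled, and
#    Public in particular should block inbound by default.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 3. A network you do not control belongs in Public, not Private. If a hotspot
#    ended up as Private (discovery and sharing on), move it back.
#    'HOTEL-WIFI' is a placeholder for the network name shown in step 1.
Set-NetConnectionProfile -Name 'HOTEL-WIFI' -NetworkCategory Public

# 4. Make sure the Public profile keeps the restrictive defaults.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

# 5. Inbound rules can be limited to the profiles where the service is wanted:
#    allow inbound SMB (TCP 445) on Domain and Private only, so file sharing is
#    never reachable while on a Public network.
New-NetFirewallRule -DisplayName 'File sharing (SMB) - domain/private only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Profile Domain, Private

# 6. List existing allow rules that are active on the Public profile, since
#    those are what is exposed on unknown networks.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Select-Object DisplayName, Profile
```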



SIDs

Security IDentifiers (SIDs) identify users, groups, accounts, and also domains themselves.

Windows works with SIDs, not usernames, though SIDs are usually displayed as names whenever possible.


This allows everyone within a domain to have a unique identity. Note that uniqueness is only possible within domains (and since Win2000, within forests). Windows installations that are not part of a domain generate their own SIDs when new accounts are created (seemingly randomly, so even two different Windows installations on the same computer will generate different SIDs).


A SID is a variable-length identifier. It must contain:

  • a top-level identifier authority, and
  • one or more relative identifiers (RIDs) (up to eight(verify))

RIDs allow you to:

  • refer to things in the context of the issuer, and
  • refer to things in the context of the RIDs that come before.

RIDs are 32-bit integers, and are stored as such in the in-memory structs that represent SIDs.

SIDs are often shown as strings, in which the RIDs are written in decimal.



Here are some of the more interesting SIDs. Note that most entries without a domain identifier are virtual groups: placeholders that a given user does or does not qualify for.


  • S-1-5 is the 'NT authority', which contains
    • A good number of system-related and useful pre-defined SIDs (a number of which are placeholders). Includes the 'Administrators' group, the Guest user and group, network/dialup logins, interactive logins, anonymous logins, print/backup/duplication operators, and also references to the SIDs of domain members/clients and domain controllers. Some of the more interesting ones:
      • S-1-5-32-544: 'Administrators' group
      • S-1-5-32-545: 'Users' group
    • Domain SIDs (RIDs under S-1-5-21 -- or more?, possibly up to S-1-5-31?(verify)), currently 96-bit numbers (3 RIDs), e.g. S-1-5-21-3082338359-1506123309-1605093288
      • User accounts in a domain, e.g. S-1-5-21-3082338359-1506123309-1605093288-3008
      • Pre-set users per domain, like S-1-5-domain-500: domain's Administrator - you can identify the administrator by that 500 even if the name has been changed.

Other notes conflict, noting that Domain SIDs are S-1-5-5-X-Y, where X is the 'domain RID' and S-1-5-5-X the domain SID - and Y is a number that helps domains with multiple PDCs work. TODO: figure that out.


  • S-1-0 is the 'null authority'
    • mostly for S-1-0-0, 'Nobody'
  • S-1-1 is the 'world authority'
    • mostly for S-1-1-0, 'Everybody', a.k.a. 'World'
  • S-1-2 is the 'local authority'
    • mostly for S-1-2-0, 'Local'
  • S-1-3 is the 'creator authority', placeholders that qualify the actual creator:
    • S-1-3-0: creator user
    • S-1-3-1: creator group
    • (S-1-3-2: creator owner server, S-1-3-3: creator group server; obsolete?(verify))


Less used are:

  • S-1-4 is the 'non-unique authority'
  • S-1-9 is the 'resource manager authority'
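An added example (not from these notes) that takes SIDs apart with the .NET SecurityIdentifier class Windows itself uses, showing the binary layout, the domain part, and the RID-500 check; the S-1-5-21-... values are the constructed sample domain from the list above, so their name lookup comes back unresolved on any real machine:

```powershell
function Get-SidInfo {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # Binary layout of a SID, i.e. the in-memory struct mentioned above:
    #   byte 0     revision (always 1)
    #   byte 1     number of sub-authorities (RIDs)
    #   bytes 2-7  identifier authority, 48-bit big-endian (5 = NT authority)
    #   bytes 8..  each RID as a 32-bit little-endian integer
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)

    $rids = @()
    for ($i = 0; $i -lt $bytes[1]; $i++) {
        $rids += [BitConverter]::ToUInt32($bytes, 8 + 4 * $i)
    }
    # The last RID names the account; everything before it is the domain or machine.
    $lastRid = if ($rids.Count) { $rids[-1] } else { $null }

    # RID 500 is the built-in Administrator of its domain or machine no matter
    # what the account has been renamed to (501 is Guest the same way).
    $isBuiltinAdmin = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)

    # Name lookup only works for SIDs this machine or its domain can resolve.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }

    [pscustomobject]@{
        Sid            = $sid.Value
        Revision       = $bytes[0]
        AuthorityHex   = ($bytes[2..7] | ForEach-Object { '{0:x2}' -f $_ }) -join ''
        Rids           = $rids -join ','
        DomainSid      = $sid.AccountDomainSid   # $null unless this is a domain/machine account SID
        LastRid        = $lastRid
        IsBuiltinAdmin = $isBuiltinAdmin
        Name           = $name
    }
}

# The local Administrators group, a constructed domain user, and RID 500 in that
# (constructed) domain, which is its Administrator whatever it is called now.
'S-1-5-32-544',
'S-1-5-21-3082338359-1506123309-1605093288-3008',
'S-1-5-21-3082338359-1506123309-1605093288-500' |
    ForEach-Object { Get-SidInfo $_ } | Format-List
```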





Windows connection limits

Errors like the following, seen in the Event Log (System log):

  • (EventID 4226) TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
  • (EventID 2022) The server was unable to find a free connection number times in the last number seconds.


The cause is one of various windows limits:

  • concurrent incomplete (half-open, SYN_SENT(verify)) outbound TCP connection attempts
    • In WinXP:
      • (change since SP2?)
      • 5 per second for WinXP home
      • 10 per second for WinXP pro
    • Vista somewhere between 2 and 25 depending on variation (verify)
    • Disabled in Windows Server (by default; can be enabled); 10 if enabled (verify)
  • total inbound connections (any state?(verify))
    • 5 per second for WinXP home
    • 10 per second for WinXP pro, NT workstation


These are nominally settings, although most are baked into the drivers of specific Windows variants.


Rate limits are enforced via a queue that is drained at this rate. If your real usage is above the limit, e.g. a file server with more clients, these imposed limits may make your services and the host in general seem unresponsive or show spurious dropouts, since the queueing is likely to trigger one of various TCP timeouts on the client side of a connection to this host.



Things that run into such limits:

  • port scanners (and some other security tools)
  • malware
  • basic personal file sharing on a medium-size network
  • peer to peer networking, most commonly peer to peer file exchange
  • on occasion, personal security tools (e.g. firewalls)

The outgoing limit seems to be justified by MS as a means of limiting the speed at which malware spreads. This seems like mostly nonsense, since the spread will be exponential regardless of any local limit, and the user isn't actually notified, so will likely stay infected long enough to play a real part in such distribution.

That said, there are other, sensible reasons for this limit.
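An added example (not from these notes) for spotting these limits being hit: it counts the two event IDs per hour in the System log and lists what is currently sitting in SYN_SENT per process; it is read-only, and Get-NetTCPConnection assumes Windows 8 / Server 2012 or newer:

```powershell
# 1. Count EventID 4226 (outbound connect-attempt limit) and 2022 (server ran
#    out of free connections) per hour over the last 7 days, so a burst stands
#    out from the background noise.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4226, 2022; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object { '{0} {1:yyyy-MM-dd HH}:00' -f $_.Id, $_.TimeCreated } |
    Sort-Object Name |
    Select-Object @{ n = 'EventId / hour'; e = { $_.Name } }, Count

# 2. What is currently in SYN_SENT, i.e. the half-open outbound attempts that
#    count against the limit, grouped by the owning process. One process with
#    dozens of these is worth a look (file sharing, P2P, a scanner, or malware).
Get-NetTCPConnection -State SynSent -ErrorAction SilentlyContinue |
    Group-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '<gone>' }
        [pscustomobject]@{
            Pid      = $_.Name
            Process  = $procName
            HalfOpen = $_.Count
            # distinct remote hosts: many half-open attempts to many different
            # addresses looks different from one slow server
            Remotes  = ($_.Group.RemoteAddress | Select-Object -Unique).Count
        }
    } |
    Sort-Object HalfOpen -Descending
```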




Software Protection Service

Policy settings