Windows admin notes: Difference between revisions
Jump to navigation
Jump to search
(Created page with " ===Home, Work, Public, Private, Domain networks=== {{stub}} The distinction of Public, Work, and Private seems mostly used in windows firewall. The distinction seems to be...") |
mNo edit summary |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{#addbodyclass:tag_tech}} | |||
{{windows}} | |||
{{stub}} | |||
==SIDs== | |||
Security IDentifiers (SIDs) identify users, groups, accounts, and also domains themselves. | |||
...not usernames, though SIDs are usually ''shown'' as names whenever possible <!--(cases it can't include not being connected, reading a drive with unknown SIDs, etc)-->. | |||
This allows everyone within a domain to have unique identities. Mote that uniqueness is only possible within domains (and since Win2000 in forests). <!--Each domain controllers will connect to the RID Operation Master, of which each domain has one). http://www.serverwatch.com/tutorials/article.php/2241151--> | |||
Windowses not part of a domain generate their own SIDs when new accounts are created {{comment|(seemingly randomly, so even two different windows installations on the same computer will generate different SIDs)}}. | |||
A SID is a variable-length identifier. It must contain: | |||
* a top-level identifier authority, and | |||
* one or more relative identifiers (RID). (up to eight{{verify}}) | |||
RIDs allow you to | |||
: refer to things in the context of the issuer, | |||
: refer to things in the context of the RIDs that come before. | |||
RIDs are 32-bit integers, and may be stored as such in the structs in memory that represent SIDs. | |||
SIDs are often shown as strings, in which the RIDs are shown in radix 10. | |||
Here's some of the more interesting RIDs. | |||
Note that most things without domain identifiers are virtual groups - placeholders that qualify users, or not. | |||
* '''S-1-5''' is the 'NT authority', which contains | |||
** A good number of system-related and useful pre-defined SIDs {{comment|(a number of which are placeholders)}}. Includes 'Administrators' group, Guest user, guest group, network/dialup logins, interactive logins, anonymous logins, print/backup/duplication operators, and also references to the SIDs of domain members/clients, and domain controllers. Some of the more interesting ones: | |||
*** S-1-5-32-544: 'Administrators' group | |||
*** S-1-5-32-545: 'Users' group | |||
** Domain SIDs (RIDs under S-1-5-21 -- or more?, possibly up to S-1-5-31?{{verify}}), currently 96-bit numbers (3 RIDs), e.g. S-1-5-21-3082338359-1506123309-1605093288 | |||
*** User accounts in a domain, e.g. S-1-5-21-3082338359-1506123309-1605093288-3008 | |||
*** Pre-set users per domain, like S-1-5-''domain''-500: domain's Administrator - you can identify the administrator by that 500 even if the name has been changed. | |||
Other notes conflict, noting that Domain SIDs are S-1-5-5-X-Y, where X is the 'domain RID' and S-1-5-5-X the domain SID - and Y is a number that helps domains with multiple PDCs work. | |||
TODO: figure that out. | |||
* '''S-1-0''' is the 'null authority' | |||
** mostly for S-1-0-0, 'Nobody' | |||
* '''S-1-1''' is the 'world authority' | |||
** mostly for S-1-1-0, 'Everybody', a.k.a. 'World' | |||
* '''S-1-2''' is the 'local authority' | |||
** mostly for S-1-2-0, 'Local' | |||
* '''S-1-3''' is the 'creator authority', placeholders that qualify the actual creator: | |||
** S-1-3-0: creator user | |||
** S-1-3-1: creator group | |||
** (S-1-3-2: creator owner server, S-1-3-2: creator group server, obsolete?{{verify}}) | |||
Less used are: | |||
* '''S-1-4''' is the 'non-unique authority' | |||
* '''S-1-9''' is the 'resource manage authority' | |||
See also: | |||
* http://support.microsoft.com/kb/243330 | |||
* http://msdn2.microsoft.com/en-us/library/aa379650.aspx | |||
* https://system32.eventsentry.com/codes/field/Well-known%20Security%20Identifiers%20(SIDs) | |||
<!-- | |||
http://msdn2.microsoft.com/en-us/library/aa379650.aspx | |||
http://support.microsoft.com/kb/267553 | |||
http://antionline.com/showthread.php?t=244083 | |||
http://www.informit.com/articles/article.aspx?p=419048&rl=1 | |||
http://technet.microsoft.com/en-us/library/aa997309.aspx | |||
http://msdn2.microsoft.com/en-us/library/aa374876.aspx | |||
--> | |||
<!-- | |||
===NTFS User / ACL notes=== | |||
{{stub}} | |||
Files and directories have | |||
* an owner | |||
* a group | |||
* an ACL | |||
Notes: | |||
* Directory ACLs can be inherited from parent directories, or set explicitly. | |||
* On file access, windows does ''not'' check directory permissions. When browsing to a file, those checks are implicit, but accessing a specific file (from code) does not, and there may be ways (e.g. journal logs) to discover locations. | |||
* '''Object Inheritance''' means setting a desired ACL on a directory, and marking files in a directory as inheriting the ACL from their parent. | |||
** ...for files created there (not moved there) | |||
* Delete Child rights for a directory is dangerous: | |||
** any files (even those the same user cannot do anything with) can be removed from the directory. | |||
** if the file is also readable, and the same user can create files in the directory, they can effectively take ownership of the file, by reading, deleting, and creating a new file with the same name. | |||
--> | |||
==Windows connection limits== | |||
Errors like: | |||
* (EventID 4226) TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. | |||
* (EventID 2022) The server was unable to find a free connection number times in the last number seconds. | |||
...seen in the Event Log (''System'' log). | |||
The cause is one of various windows limits: | |||
* concurrent incomplete (half-open, [[SYN_SENT]]{{verify}}) outbound TCP connection attempts | |||
** In WinXP: | |||
*** (change since SP2?) | |||
*** 5 per second for WinXP home | |||
*** 10 per second for WinXP pro | |||
** Vista somewhere between 2 and 25 depending on variation {{verify}} | |||
** Disabled in Windows Server (by default; can be enabled); 10 if enabled {{verify}} | |||
* total inbound connections (any state?{{verify}}) | |||
** 5 per second for WinXP home | |||
** 10 per second for WinXP pro, NT workstation | |||
These are mostly settings, although most are baked into drivers for specific windows variations. | |||
Rate limits are handled via a queue that is handled according to this rate. | |||
If your real usage is above this limit, e.g. a file server with more clients, then these imposed limits may make your services and the host in general seem unresponsive or have spurious dropouts (as it is likely to lead to one of various TCP timeouts on the client side of a connection to this host). | |||
Things that run into such limits: | |||
* port scanners (and some other security tools) | |||
* malware | |||
* basic personal file sharing on a medium-size network | |||
* peer to peer networking, most commonly peer to peer file exchange | |||
* on occasion, personal security tools (e.g. firewalls) | |||
The outgoing limit seems to be justified by MS as a means to limit the speed of malware spreads. This seems relative nonsense since the spread will be exponential regardless of any local limit, and a user isn't actually notified so will likely be infected long enough to play a real part such distribution. | |||
That said, there are other, sensible reasons for this limit <!--, such as buggy networking apps not DOSsing your network-->. | |||
<!-- | |||
You can raise the limit by patching tcpip.sys (yourself, or via some tool with a GUI), while tools like BIOT (Bypassing Incomplete Outbound TCP connection limit) tweaks the value in-memory and leaves your system files alone. | |||
--> | |||
See also: | |||
* http://support.microsoft.com/kb/961654 | |||
* http://support.microsoft.com/kb/122920 | |||
* http://support.microsoft.com/kb/314882 | |||
* http://research.eeye.com/html/tools/RT20060808-1.html | |||
* http://www.mydigitallife.info/2007/07/17/tcpip-has-reached-the-security-limit-imposed-on-the-number-of-concurrent-tcp-connect-attempts-error-on-windows-vista/ | |||
* http://support.microsoft.com/kb/822219 | |||
<!-- | |||
http://www.windowsreference.com/windows-xp/remove-windows-xp-sp3-tcpip-connections-limit/ | |||
http://www.lvllord.de/ | |||
--> | |||
==Software Protection Service== | |||
<!-- | |||
Seems to be part of https://en.wikipedia.org/wiki/Microsoft_Software_Licensing_and_Protection_Services | |||
Which is essentially a license manager, for parts of windows, and applications that wants to use it. | |||
It seems to be implemented as a windows service, which is started on request. See your Event Manager. | |||
See also: | |||
* https://en.wikipedia.org/wiki/Microsoft_Software_Licensing_and_Protection_Services | |||
* https://www.microsoft.com/slps/ | |||
--> | |||
===Home, Work, Public, Private, Domain networks=== | ===Home, Work, Public, Private, Domain networks=== | ||
| Line 39: | Line 231: | ||
* https://www.howtogeek.com/245982/whats-the-difference-between-private-and-public-networks-in-windows/ | * https://www.howtogeek.com/245982/whats-the-difference-between-private-and-public-networks-in-windows/ | ||
* http://www.thewindowsclub.com/network-location-public-private | * http://www.thewindowsclub.com/network-location-public-private | ||
==At least vaguely AD related== | |||
===Policy settings=== | |||
<!-- | |||
A Group Policy Object (GPO) is set of policy settings | |||
* has a GIUD | |||
* has a name | |||
* contains a set of alterations to the registry | |||
A Resultant Set of Policy (RSoP) refers to the collection of all group policies applied to a user and computer. | |||
You can get a list e.g. via | |||
gpresult /r | |||
GPOs are typically talked about when managing a large pool of PCs, | |||
as a tool that lets Active Directory (or things with similar intent) apply settings to large groups. | |||
Such hosts also tend to have the Local Group Policy Editor (gpedit.msc) ''disabled'' - that is effectively the alternative to let people mess with groups of settings on ''non-''managed PCs (though it is removed from Home versions of Windows). | |||
Standalone computers will allow the Local Group Policy Editor (gpedit.msc) to manage certain aspects. | |||
Advanced Group Policy Management | |||
If you want a login to pull changes: | |||
gpupdate /force | |||
If you want to | |||
gpresult /z | |||
--> | |||
===Determine whether folder is local or network mount=== | |||
<!-- | |||
If we are talking about folders shown in explorer, we have to consider some of them are [[windows special folders]] or [[windows virtual folders]], which often but not always have a physical path. | |||
: if they are not, then filesystem operations will then not be able to see them - only Explorer's graphical interface can interact with them | |||
On windows's own filesystems, any entry can be a [[reparse point]] - a "this directory entry needs to be handled in a special way" which can e.g. | |||
* make it appear that one directory points to another | |||
* make it appear that another one (local) filesystem, or a directory on it, appears somewhere within another filesystem | |||
* make it appear than an UNC path is mounted somewhere within another filesystem (not common at all, but possible) | |||
[https://en.wikipedia.org/wiki/Special_folder], which do not have any specific | |||
If we are talking about additional drive letters | |||
: there are a few different sources that will tell you, {{inlinecode|net use}} is one. | |||
: usually fairly visible, via the icon and/or an UNC-style path or 'DFS' in its name | |||
--> | |||
Latest revision as of 12:08, 24 April 2024
| Some fragmented windows-related notes (mostly admin stuff)
Windows notes - health and statistics| Special windows variables · special windows folders Troubleshooting when windows spontaneously reboots Making your windows installation smaller something taking 100% CPU on windows TODO: Cleanup |
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
SIDs
Security IDentifiers (SIDs) identify users, groups, accounts, and also domains themselves.
...not usernames, though SIDs are usually shown as names whenever possible .
This allows everyone within a domain to have unique identities. Mote that uniqueness is only possible within domains (and since Win2000 in forests).
Windowses not part of a domain generate their own SIDs when new accounts are created (seemingly randomly, so even two different windows installations on the same computer will generate different SIDs).
A SID is a variable-length identifier. It must contain:
- a top-level identifier authority, and
- one or more relative identifiers (RID). (up to eight(verify))
RIDs allow you to
- refer to things in the context of the issuer,
- refer to things in the context of the RIDs that come before.
RIDs are 32-bit integers, and may be stored as such in the structs in memory that represent SIDs.
SIDs are often shown as strings, in which the RIDs are shown in radix 10.
Here's some of the more interesting RIDs. Note that most things without domain identifiers are virtual groups - placeholders that qualify users, or not.
- S-1-5 is the 'NT authority', which contains
- A good number of system-related and useful pre-defined SIDs (a number of which are placeholders). Includes 'Administrators' group, Guest user, guest group, network/dialup logins, interactive logins, anonymous logins, print/backup/duplication operators, and also references to the SIDs of domain members/clients, and domain controllers. Some of the more interesting ones:
- S-1-5-32-544: 'Administrators' group
- S-1-5-32-545: 'Users' group
- Domain SIDs (RIDs under S-1-5-21 -- or more?, possibly up to S-1-5-31?(verify)), currently 96-bit numbers (3 RIDs), e.g. S-1-5-21-3082338359-1506123309-1605093288
- User accounts in a domain, e.g. S-1-5-21-3082338359-1506123309-1605093288-3008
- Pre-set users per domain, like S-1-5-domain-500: domain's Administrator - you can identify the administrator by that 500 even if the name has been changed.
- A good number of system-related and useful pre-defined SIDs (a number of which are placeholders). Includes 'Administrators' group, Guest user, guest group, network/dialup logins, interactive logins, anonymous logins, print/backup/duplication operators, and also references to the SIDs of domain members/clients, and domain controllers. Some of the more interesting ones:
Other notes conflict, noting that Domain SIDs are S-1-5-5-X-Y, where X is the 'domain RID' and S-1-5-5-X the domain SID - and Y is a number that helps domains with multiple PDCs work. TODO: figure that out.
- S-1-0 is the 'null authority'
- mostly for S-1-0-0, 'Nobody'
- S-1-1 is the 'world authority'
- mostly for S-1-1-0, 'Everybody', a.k.a. 'World'
- S-1-2 is the 'local authority'
- mostly for S-1-2-0, 'Local'
- S-1-3 is the 'creator authority', placeholders that qualify the actual creator:
- S-1-3-0: creator user
- S-1-3-1: creator group
- (S-1-3-2: creator owner server, S-1-3-2: creator group server, obsolete?(verify))
Less used are:
- S-1-4 is the 'non-unique authority'
- S-1-9 is the 'resource manage authority'
See also:
- http://support.microsoft.com/kb/243330
- http://msdn2.microsoft.com/en-us/library/aa379650.aspx
- https://system32.eventsentry.com/codes/field/Well-known%20Security%20Identifiers%20(SIDs)
Windows connection limits
Errors like:
- (EventID 4226) TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
- (EventID 2022) The server was unable to find a free connection number times in the last number seconds.
...seen in the Event Log (System log).
The cause is one of various windows limits:
- total inbound connections (any state?(verify))
- 5 per second for WinXP home
- 10 per second for WinXP pro, NT workstation
These are mostly settings, although most are baked into drivers for specific windows variations.
Rate limits are handled via a queue that is handled according to this rate. If your real usage is above this limit, e.g. a file server with more clients, then these imposed limits may make your services and the host in general seem unresponsive or have spurious dropouts (as it is likely to lead to one of various TCP timeouts on the client side of a connection to this host).
Things that run into such limits:
- port scanners (and some other security tools)
- malware
- basic personal file sharing on a medium-size network
- peer to peer networking, most commonly peer to peer file exchange
- on occasion, personal security tools (e.g. firewalls)
The outgoing limit seems to be justified by MS as a means to limit the speed of malware spreads. This seems relative nonsense since the spread will be exponential regardless of any local limit, and a user isn't actually notified so will likely be infected long enough to play a real part such distribution.
That said, there are other, sensible reasons for this limit .
See also:
- http://support.microsoft.com/kb/961654
- http://support.microsoft.com/kb/122920
- http://support.microsoft.com/kb/314882
- http://research.eeye.com/html/tools/RT20060808-1.html
- http://www.mydigitallife.info/2007/07/17/tcpip-has-reached-the-security-limit-imposed-on-the-number-of-concurrent-tcp-connect-attempts-error-on-windows-vista/
- http://support.microsoft.com/kb/822219
Software Protection Service
Home, Work, Public, Private, Domain networks
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
The distinction of Public, Work, and Private seems mostly used in windows firewall.
The distinction seems to be about
- network discovery and file sharing
- Firewall rules can choose to apply only on domain, private, and/or public situations.
Firewall:
The windows firewall itself has the distinction of profiles:
- Domain - if joined to a domain, and currently on its network
- (If not joined to a domain, we can only be either private or public)
- as restrictive as this domain's admins like it to be for security / functionality
- Private - on a network not associated with the account
- en environment more known than public
- e.g. your home network
- e.g. a domain we know but are not currently joined to (you can be member of one at a time)
- e.g. discoverability and sharing are enabled
- Public - connected through on
- generally most restrictive, because these are unknown environments
- e.g. discoverability and sharing are disabled
Profiles:
Discovery and file sharing settings can be set per such profile (see "Advanced sharing settings"), and by default are:
- Private allows discoverability, and enables homegroup for file sharing
- Work counts as a variant of private, which allows discoverability but not homegroup sharing
- Public does not allow either
See also:
- https://www.howtogeek.com/245982/whats-the-difference-between-private-and-public-networks-in-windows/
- http://www.thewindowsclub.com/network-location-public-private