Thursday, April 19, 2018

Windows 10 SysAdmin : Maintenance Ideas and Tasks for Power Users - edit 1

As I write this, I'm thinking of the multiple ways Windows needs to be managed after it's installed.

Lots of people only know 3 steps: #1. Install, #2. Run Windows Update, and #3. Re-format when it's broken. That's not my style.

Before we even install we have a choice to make: the Enterprise LTSB version of Windows.
The current version is Enterprise LTSB 2016. It removes all the extraneous Modern Apps, makes blocking telemetry easier, and applies some group policy updates.
Regular Windows 10 Pro 1709 has more features tightly integrated that are harder to rip out after installing.

The Windows 10 OS has many subsystems which need to be understood as separate parts that are all interconnected. Understanding what to do with them and why is the mission of this blogpost.

Task Manager:
Processes (PID, CPU time, RAM usage) / Performance counters, Services
This should be the first place you start looking.

Filesystem Permissions / ACLs / Security Descriptors / SIDs
The built-in account named Administrator should be disabled, and a new administrative account with a different name should be created and given a strong password that you can remember. This password should not be re-used anywhere else, because the local Windows SAM security database is highly insecure and these credentials can be easily read or reset by anyone with physical access.
Your daily-driver user account should be a standard user, and you should only use the new admin account and password when you need UAC to elevate privileges. This follows the Principle of Least Privilege.
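The account setup described above, as an added example (not code from the post): run it from an elevated PowerShell on Windows 10. The account names are placeholders, the password is prompted for so it never ends up in a script or in shell history, and the built-in Administrator is only disabled after the replacement account is confirmed to be in the Administrators group.

```powershell
# Added example, not from the post. Creates a renamed admin account, makes the everyday
# account a standard user, then disables the built-in Administrator. Run elevated.
$NewAdmin  = 'ops-admin'     # placeholder name for the new administrative account
$DailyUser = 'alice'         # placeholder name of the everyday (standard) account

# Prompt for the password so it never lands in shell history or a script file
$pw = Read-Host -AsSecureString "Password for $NewAdmin"
if (-not (Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $NewAdmin -Password $pw -Description 'Elevation-only admin account'
}
Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin -ErrorAction SilentlyContinue

# Make the daily driver a standard user: member of Users, not Administrators
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -contains "$env:COMPUTERNAME\$DailyUser") {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
}
Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue

# Disable the well-known built-in Administrator (RID 500) only after confirming the
# replacement is really an administrator; otherwise you lock yourself out.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$admins  = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -contains "$env:COMPUTERNAME\$NewAdmin") {
    Disable-LocalUser -Name $builtin.Name
}

# Audit: who is still in Administrators, and is the built-in account off?
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass
Get-LocalUser | Select-Object Name, Enabled, SID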

Group Policy / User Accounts / User Groups / Active Directory (Domain)
Now that you're a standard user and can hardly do anything, you may feel tempted to just re-add yourself to the Administrators, Power Users or Backup Operators group. These group accounts come with certain pre-defined rights pre-assigned. It's very hard to tell what does what, and there is some advanced configuration located in gpedit.msc under Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment and Security Options.
This brings us to group policy: there's a ton of stuff in here that you are free to look through and customize.
The major trick to run is the "Windows Restricted Functionality Limited Baseline" profile, available as an external download from Microsoft. That will run a few scripts and lock the system down, even one step too far in fact: it over-ambitiously enables "Disable Automatic Root Certificate Updates". The reason we need to change this is that your OS certificate store needs to receive root certificate updates, or you will be unable to browse most websites (even in Chrome). Go into gpedit.msc and reverse that entry (set it to "Not configured"). It is under Computer Configuration: double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings. Any hyper-paranoid person can individually manage their certificate store, but that is another topic.
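To check whether the baseline left that root-certificate policy enabled, and to put it back to "Not configured" without clicking through gpedit.msc, here is an added example (not from the post). It reads the registry value that the "Turn off Automatic Root Certificates Update" policy is stored in (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot, value DisableRootAutoUpdate); deleting that value is what "Not configured" means.

```powershell
# Added example, not from the post. Reports the state of the automatic root certificate
# update policy and resets it to "Not configured" if the baseline switched it off.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$name = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $v)        { return 'Not configured (root certificate updates ON)' }
    elseif ($v.$name -eq 1)  { return 'Enabled (root certificate updates OFF: many HTTPS sites will fail to validate)' }
    else                     { return 'Disabled (root certificate updates ON)' }
}

Get-RootAutoUpdateState
$current = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($current -and $current.$name -eq 1) {
    # Removing the value is the same as setting the policy to "Not configured" in gpedit.msc
    Remove-ItemProperty -Path $key -Name $name
    gpupdate /target:computer /force | Out-Null
}
Get-RootAutoUpdateState

# Sanity check afterwards: the trusted root store should contain a healthy number of CAs
(Get-ChildItem Cert:\LocalMachine\Root).Count
```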


Windows Registry - regedit - hives
HKEY_CURRENT_USER = %USERPROFILE%\NTuser.dat (i.e. C:\Users\Username\NTuser.dat)
HKEY_LOCAL_MACHINE = %WINDIR%\System32\config\SYSTEM (i.e. C:\Windows\System32\config\SYSTEM)

Task Scheduler Service - Automatic (important)
Task Scheduler Engine: C:\Windows\System32\Tasks
The task files live in this directory and can be managed with taskschd.msc.
Security permissions are required for any tasks running as NETWORK SERVICE, etc.
Individual tasks:
My specific Win10.10240 install has 143 tasks, about half of which I was able to disable manually.
They have "Description" fields written by Microsoft with actually valid information to decipher what these mystery tasks do. Note that some are blank, and note that disabling some tasks causes Event Log errors. This leads me to the next point.
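Going through 143 tasks one at a time in taskschd.msc is slow, so here is an added example (not from the post) that inventories every task with the account it runs as, its state, last result and Microsoft's Description, flags the service-identity tasks with no description, and saves a CSV you can diff after the next feature update. The task path in the commented-out Disable-ScheduledTask line is a placeholder.

```powershell
# Added example, not from the post. Inventory all scheduled tasks so you can decide what to
# disable, and keep a snapshot to compare against later.
$report = Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Path        = $_.TaskPath + $_.TaskName
        State       = $_.State
        RunAs       = $_.Principal.UserId
        LastRun     = $info.LastRunTime
        LastResult  = $info.LastTaskResult    # 0 = success; non-zero is what ends up in the event log
        Description = $_.Description
    }
}

# Tasks that run as a service identity and carry no description deserve a closer look first
$report | Where-Object { $_.RunAs -in 'SYSTEM', 'NETWORK SERVICE', 'LOCAL SERVICE' -and -not $_.Description } |
    Format-Table Path, State, RunAs -AutoSize

# Everything, with the description Microsoft wrote
$report | Sort-Object Path | Format-Table Path, State, RunAs, Description -Wrap

# Snapshot for later comparison (Compare-Object against the next snapshot)
$report | Export-Csv -Path "$env:USERPROFILE\tasks-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Disabling one task (placeholder path). Expect "Task Start Failed" events in
# Microsoft-Windows-TaskScheduler/Operational afterwards if something still triggers it.
# Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Example\' -TaskName 'ExampleTask'
```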

The Event Viewer: eventvwr.msc
Application, Security, Setup, System = default logfiles
These are useful to skim through on their own; you can diagnose most of your errors this way.
But Microsoft has also hidden thousands of other logfiles under the \Microsoft directory (a lot of which are useless, blank or disabled), and you can dig down to obtain further info on anything specific. One example is "DeviceSetupManager", which lists every device that was ever plugged into your computer.
You can then filter the list by "Event ID", and there is even a whole XML format for customizing the filters, saving them as a Custom Log, and referring back to it in the future.
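The same filtering from PowerShell, as an added example (not from the post): the first query uses a filter hashtable against the DeviceSetupManager admin log, the second expresses the same query as the XML that Event Viewer's custom filter dialog accepts, and the third pulls the "Task Start Failed" events (ID 101) that appear after disabling scheduled tasks. The 7-day window is a constructed choice; the Task Scheduler operational log is disabled by default on some builds and may need to be enabled in Event Viewer first.

```powershell
# Added example, not from the post. Three ways to read the hidden logs under \Microsoft.
$log = 'Microsoft-Windows-DeviceSetupManager/Admin'   # device arrival and setup events

# 1) FilterHashtable: errors and warnings from the last 7 days
Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Level     = 2, 3                      # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 2) The same query as XML; this is what Event Viewer > Create Custom View > XML tab stores
#    (604800000 ms = 7 days)
$xml = @"
<QueryList>
  <Query Id="0" Path="$log">
    <Select Path="$log">*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 3) Filter by Event ID: scheduler "Task Start Failed" events after you disabled tasks
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 101 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```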


"Programs & Features" > "Turn Windows features on or off" (list of checkboxes)
Disabling Internet Explorer 11 will prevent it from being run; however, it can never be truly gone, as it is provided in DLL form as shdocvw.dll and mshtml.dll. These cannot be force-deleted, because the many programs that use the Windows Shell API (SHLWAPI.dll, which indirectly references those IE DLLs) to make outgoing internet connections would fail. This is something other people have noticed as having security impacts: https://packetstormsecurity.com/files/136702/Microsoft-Internet-Explorer-11-DLL-Hijacking.html
100% disable "SMB 1.0/CIFS File Sharing Support". This is a vulnerable component of SMB file sharing (Samba support) kept for backwards compatibility with legacy Windows or legacy Linux systems. Read: old. Nothing will be impacted, and this was in fact recommended by Microsoft recently.
You will want to look through the list and disable everything EXCEPT the .NET environment, Windows PowerShell 2.0 and Windows Process Activation Service.
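The checkbox list has PowerShell equivalents, and the SMB1 removal is worth verifying from both sides (the optional feature and the SMB server's own protocol switch). Added example, not from the post; run it elevated:

```powershell
# Added example, not from the post. Check and remove SMB1, then dump the full feature list.

# The SMB1 feature and its client/server sub-features as "Turn Windows features on or off" sees them
Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'SMB1*' |
    Select-Object FeatureName, State

# Untick the whole "SMB 1.0/CIFS File Sharing Support" box
if ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Belt and braces: the SMB server's own protocol switch, independent of the feature
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Everything else in the list, enabled features first, to work through by hand
Get-WindowsOptionalFeature -Online | Sort-Object State, FeatureName |
    Format-Table FeatureName, State -AutoSize
```

A reboot is still required for the feature removal to complete; -NoRestart only stops the cmdlet from forcing it on you.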

"Uninstall or change a program"
This list of programs comes directly from the registry. Environment variables mapped to the proper directories are set there too.
Windows Installer Service
C:\Windows\Installer\
C:\ProgramData\ (%ProgramData%)
C:\Program Files\Common Files (%CommonProgramFiles%)
C:\Program Files and C:\Program Files (x86) = Administrator (%ProgramFiles% and %ProgramFiles(x86)%)
C:\Users\Username\AppData\Local  = User Local (%LOCALAPPDATA%)
C:\Users\Username\AppData\Roaming = User Roaming (%APPDATA%)

Windows Updates:
Windows Update Service, Background Intelligent Transfer Service, Device Setup Manager (drivers)
C:\Windows\SoftwareDistribution\ (safe to delete; it auto-rebuilds, instructions online)
Automatic updating should be disabled with the settings in the program "O&O Shutup 10", available free.
To install updates, you need to do it manually.
Step 1 - visit the list of updates and find the right version: https://support.microsoft.com/en-us/help/4093112
Step 2 - at the bottom of that page, click "Microsoft Update Catalog" and follow the download links.
The Windows Update Service needs to be re-enabled for the Cumulative Update .msi packs to install, or it will fail with an error like "Could not run this update". If you see "This was not compatible with your machine", you picked the wrong one.
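The manual procedure above, as an added example (not from the post): it prints the build you are on so you pick the right catalog package, shows the state of the three update services, lists recent hotfixes, then temporarily enables the Windows Update service, installs the downloaded package with wusa.exe, and disables the service again. The package path is a placeholder; catalog downloads for cumulative updates arrive as .msu files.

```powershell
# Added example, not from the post. Identify the build, install one catalog package manually,
# and leave the update service the way it was. Run elevated.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'{0} build {1}.{2} (release {3})' -f $ver.ProductName, $ver.CurrentBuild, $ver.UBR, $ver.ReleaseId

# wuauserv = Windows Update, bits = Background Intelligent Transfer, DsmSvc = Device Setup Manager
Get-Service wuauserv, bits, DsmSvc | Select-Object Name, Status, StartType

# What is already installed, newest first
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

$pkg = 'C:\Downloads\windows10.0-kbNNNNNNN-x64.msu'   # placeholder: the file from the Update Catalog
if (-not (Test-Path $pkg)) { throw "Package not found: $pkg" }

# The package will not install while wuauserv is disabled
$orig = (Get-Service wuauserv).StartType
Set-Service wuauserv -StartupType Manual
Start-Service wuauserv
Start-Process -FilePath wusa.exe -ArgumentList "`"$pkg`" /quiet /norestart" -Wait

# Put the service back, then confirm the build number (UBR) moved
Stop-Service wuauserv -ErrorAction SilentlyContinue
Set-Service wuauserv -StartupType $orig
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
```

A cumulative update only takes effect after the reboot that /norestart postpones; check the UBR again after restarting.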

Modern / Metro / Tile Apps:
C:\Program Files\WindowsApps
C:\ProgramData\Microsoft\Windows\AppRepository
Tile Data Model Server - updates modern start menu's tiles.

Taskbar
Shell Infrastructure Host (sihost.exe) - the black GUI overlay of the systray and the Modern GUI desktop/taskbar app windows. Disabling this will cause problems such as not being able to start Calculator or Display Settings (the desktop ms-settings:display link has no associated program).
SIH client (server-initiated healing), sihclient.exe - detects and fixes system components that are vital to automatic updating of Windows and Microsoft software (constantly goes online) - disable in Task Scheduler.
Cortana:
This can be slightly disabled with O&O Shutup 10 and that's all you can do. Other ways to force-rip Cortana out can result in breaking the OS.
Get-AppxPackage -Name *Cortana* | Remove-AppxPackage (don't do this unless you follow another guide)

Startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The Win10 Task Manager Startup tab does not show those entries; they are different.
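To see those Run entries without opening regedit, here is an added example (not from the post) that enumerates the Run and RunOnce keys for the current user and the machine (including the 32-bit view), adds the two Startup folders, and then flags anything launching from a user-writable location, which is where unwanted autostarts usually live. The regex for "user-writable" is a constructed heuristic.

```powershell
# Added example, not from the post. Enumerate registry and folder autostarts.
$keys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$entries = @(foreach ($k in $keys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        # Every value in the key is an autostart; skip the PS* bookkeeping properties
        $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value }
        }
    }
})

$folders = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$entries += @(foreach ($f in $folders) {
    Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName }
    }
})

$entries | Format-Table Source, Name, Command -Wrap

# Constructed heuristic: commands living under AppData, Temp, or a profile root are the
# ones to investigate first, because a standard user can write there.
$entries | Where-Object { $_.Command -match 'AppData|\\Temp\\|\\Users\\[^\\]+\\[^\\]+\.exe' } |
    Format-Table Name, Command -Wrap
```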

PowerShell:
RemoteSigned execution policy - necessary to run scripts from the internet, BUT it can and should be toggled on and off by an admin as needed instead of being left on by default.
All the internal components of Windows can be managed by the appropriate PowerShell cmdlets.
There is tab completion, and a Get-Help command which can download useful help from the web.
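An added example (not from the post) of toggling the execution policy the way the post suggests: it shows which scope the policy is set in, enables RemoteSigned for the current process only (nothing is written to disk, it disappears when the window closes), and checks a downloaded script's zone mark and Authenticode signature before running it. The script path is a placeholder. Execution policy is a guard against running scripts by accident, not a security boundary, so read the script either way.

```powershell
# Added example, not from the post. Per-session execution policy and a pre-run check.

# Where is the effective policy coming from? (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine)
Get-ExecutionPolicy -List

# Enable RemoteSigned for this process only; nothing is changed persistently
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Get-ExecutionPolicy            # effective policy now

$script = 'C:\Downloads\example.ps1'   # placeholder: a script you downloaded
if (Test-Path $script) {
    # Downloads carry a Zone.Identifier stream; RemoteSigned requires such files to be signed
    Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue |
        Select-Object Stream, Length
    Get-Content -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue

    # Who signed it, if anyone?
    Get-AuthenticodeSignature -FilePath $script |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

    # Unblock-File removes the zone mark after you have read the script; it does not make it safe
    # Unblock-File -Path $script
}
```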

Windows Firewall:
Windows Firewall with Advanced Security = on by default. Leave it on, VERY IMPORTANT.
You should be micro-managing this. This is your lifeline to prevent intrusion and exfiltration.
This deserves its own whole topic but I will try to keep it short. The default config comes with hardly anything blocked. The Restricted Traffic Baseline does a better job at it; however, most outbound connections are still unblocked. Don't trust your Win10 OS. It makes random connections out, and you want to set a default rule of Block ALL Outgoing, Block ALL Incoming, and then set up whitelists for every program you use. Most people hate using Windows Firewall because of the poor GUI and the tedium of adding a rule for every single program. But new programs have come out called "Windows Firewall Control" and "Windows Firewall Notifier" that pop up a notification every time an unknown outgoing connection is made and prompt you (the normal Windows Firewall only prompts you for incoming). For reference, I have 842 rules and I try to keep them logically organized and up to date. These programs are very powerful; inventing your own system and getting used to this fully will take several months.
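The default-deny-both-ways setup, as an added example (not from the post) using the built-in NetSecurity cmdlets rather than the third-party tools mentioned: it sets block-by-default on all three profiles, turns on logging of dropped connections so you can see what needs a rule, adds one outbound allow rule per program (the Firefox path is a placeholder), and lists the allow rules that apply to any program, which are the ones that undermine a whitelist. Run elevated, and expect to add rules for the first few days.

```powershell
# Added example, not from the post. Default-deny firewall with per-program outbound whitelist.
$logFile = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False -LogFileName $logFile -LogMaxSizeKilobytes 8192

# One rule per program, grouped so the list stays readable at several hundred rules
New-NetFirewallRule -DisplayName 'Allow out: Firefox' -Group 'My whitelist' `
    -Direction Outbound -Action Allow -Profile Any `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe'     # placeholder path

# Review: enabled outbound allow rules that are not tied to a specific program
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -eq 'Any' } |
    Select-Object DisplayName, Profile, Group | Format-Table -AutoSize

# Housekeeping: how the rule set breaks down by group
Get-NetFirewallRule | Group-Object Group | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# What was dropped most recently (the log path above with %SystemRoot% expanded)
$expanded = [Environment]::ExpandEnvironmentVariables($logFile)
Get-Content -Path $expanded -Tail 50 -ErrorAction SilentlyContinue | Where-Object { $_ -match ' DROP ' }
```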

Windows Defender:
Unless you are admin'ing someone else's computer, I personally see no use for this; definition-based scanning has a poor success rate, consistently takes a ton of resources, and bogs down hard drive access because it is literally scanning every single file you access while Real-Time Protection is running. MsMpEng.exe is the process name (plus related ones), and you can check its resource usage in Task Manager. I just force-disable it with "O&O Shutup 10" and by disabling the tasks in Task Scheduler under \Microsoft\Windows Defender.
Following the rest of my tips will keep you informed of when your system is going wrong; you should be able to prevent yourself from getting virused and malwared, and you don't need this waste-of-space built-in program with its weak detection heuristics and false positives.
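For anyone admin'ing someone else's machine and therefore keeping Defender, here is an added example (not from the post) that shows the state and resource settings the post is talking about, caps scan CPU usage and moves the scheduled scan to an idle hour, and reads the engine process's current footprint. The CPU factor and scan time are constructed values.

```powershell
# Added example, not from the post. Inspect Defender and limit its scan cost.

# Engine state, signature age, and when the last scans finished
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
    AntivirusSignatureLastUpdated, QuickScanEndTime, FullScanEndTime

# Current scan scheduling and the CPU cap (percentage) applied to scheduled scans
Get-MpPreference | Select-Object ScanAvgCPULoadFactor, ScanScheduleDay, ScanScheduleTime, ExclusionPath

# Constructed values: cap scheduled scans at 20% CPU and run them Sunday at 03:00
Set-MpPreference -ScanAvgCPULoadFactor 20 -ScanScheduleDay Sunday -ScanScheduleTime 03:00:00

# The process the post names, as Task Manager would show it
Get-Process -Name MsMpEng -ErrorAction SilentlyContinue |
    Select-Object Name, CPU, @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } }
```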

Drivers:
Device Manager: View | Show Hidden Devices
Make sure nothing weird is lurking.
You can delete any grayed-out devices that you know you don't need.
Device drivers, system drivers and system services:
ServiWin.exe from NirSoft gives you access to the list of system drivers and services.
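The same three lists from PowerShell, as an added example (not from the post): hidden (not currently present) devices as Device Manager shows them with "Show Hidden Devices", every kernel driver with its on-disk path and Authenticode signer so unsigned or third-party drivers stand out, and services whose binary lives outside the Windows directory. The path normalisation handles the \??\, \SystemRoot\ and bare system32\ forms that Win32_SystemDriver reports.

```powershell
# Added example, not from the post. Hidden devices, driver signers, and out-of-tree services.

# Devices that are installed but not present right now (grayed out in Device Manager)
Get-PnpDevice -PresentOnly:$false | Where-Object { -not $_.Present } |
    Sort-Object Class | Select-Object Status, Class, FriendlyName, InstanceId | Format-Table -AutoSize

# Kernel drivers with their signer; anything not Valid or not Microsoft-signed is worth a look
$drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                        -replace '^system32\\', "$env:SystemRoot\system32\"
    $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Path      = $path
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}
$drivers | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table Name, State, StartMode, SigStatus, Path -AutoSize

# Services whose executable is not under the Windows directory: third-party, or something odd
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notlike "*$env:SystemRoot*" } |
    Select-Object Name, State, StartMode, StartName, PathName | Format-Table -AutoSize -Wrap
```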

System Drivers:

Services:


Data Backup
Strategy : 
1. Onsite Backups: When a server crashes or fails, it is helpful to have data backups on hand for easy restoration. It’s a cliché, but time is indeed money. Onsite backups are often faster to restore than cloud backups and almost always faster than offsite tape backups.

2. Offsite Backups: Onsite backups are valuable, but they cannot be counted on alone. Should something disastrous happen to the data center, it could also damage any backups you have in the building. For that reason, it is always wise to have copies of your backups offsite where they can be accessed manually or through the cloud.

3. Optimized Backup Schedule: Backups are not a one and done process. Key data in your data center must be regularly and consistently backed up according to a clear and organized schedule. Check out our blog article on just a few backup rotation schemes for more information.

4. Backup Testing: Backups need to be tested and need to be tested regularly. In addition, the IT staff must be trained on how to access and restore their data backups as quickly as possible. A backup that fails or a team that is unable to restore the backup quickly undermines the company’s investment in a backup solution in the first place.

5. Organized Storage System: Mostly applying to tape-based backup solutions, the storage repository for backups and labeling system must be clear and organized. The team cannot commit extra time digging through box after box of tape looking for a specific backup from a specific date several years ago.

Practicality (my strategy):
Nightly backup of the entire C drive and boot partition with Macrium Reflect, to a compressed non-linear Macrium image (*.mrimg), for dynamic incremental restore using Volume Shadow Copy.
However, using Macrium seems to cause errors restoring Chrome: it detects a change in the filesystem and corrupts the user profile unless you use the Account Sync to Cloud user profile feature. Restoring sector-by-sector instead is extremely slow, but also more accurate.
Sector backups (like with Linux dd) also have the benefit of being more robust for data recovery in disaster situations: where part of the image may be unreadable, you may still be able to read parts of the direct disk image. An NTFS filesystem can even be mounted and manually restored from a Linux recovery console.
The Windows user profile is backed up to FreeNAS ZFS with dedupe and snapshotted nightly.
Some documents and pictures are backed up too, but not much.
All the rest of my stuff is stored on FreeNAS on a ZFS RAIDZ-1 or ZFS mirrored SMB share.
Data needs to be categorized into: 3 copies, 2 copies, 1 copy. Anything with 1 copy is accepting the risk of total loss. The 3rd copy is for the most important stuff and should be in a totally different format and physical location.
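Backup testing (point 4 above) has a cheap part that can run every night: prove that the second copy is byte-for-byte the same as the first. Added example, not from the post: it writes a SHA-256 manifest for the local image directory and verifies the copy on the NAS share against it, reporting missing or mismatched files. Both paths are placeholders. A restore rehearsal is still needed to prove the images are usable, but this catches a silently corrupt or half-copied image long before that.

```powershell
# Added example, not from the post. Manifest-based verification of a second backup copy.
$Source   = 'D:\Backups\Macrium'           # placeholder: local image directory (*.mrimg)
$Copy     = '\\freenas\backups\Macrium'    # placeholder: second copy on the NAS share
$Manifest = Join-Path $Source 'manifest.sha256'

function New-BackupManifest {
    # One line per file: <sha256> *<relative path>, same layout sha256sum uses
    Get-ChildItem -Path $Source -File -Recurse |
        Where-Object { $_.FullName -ne $Manifest } |
        ForEach-Object {
            $rel = $_.FullName.Substring($Source.Length).TrimStart('\')
            '{0} *{1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $rel
        } | Set-Content -Path $Manifest -Encoding ASCII
}

function Test-BackupCopy {
    # Returns $true when every file in the manifest exists in $Copy with the same hash
    $problems = 0
    foreach ($line in Get-Content -Path $Manifest) {
        $hash, $rel = $line -split ' \*', 2
        $target = Join-Path $Copy $rel
        if (-not (Test-Path -Path $target)) {
            Write-Warning "MISSING  $rel"; $problems++; continue
        }
        if ((Get-FileHash -Path $target -Algorithm SHA256).Hash -ne $hash) {
            Write-Warning "MISMATCH $rel"; $problems++
        }
    }
    Write-Host "$problems problem(s) found in $Copy"
    return ($problems -eq 0)
}

New-BackupManifest
if (-not (Test-BackupCopy)) { exit 1 }   # non-zero exit so a scheduled task shows the failure
```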
Programs:
Macrium Reflect Pro
Easeus Todo Backup Home
Acronis Backup 11.7 Workstation 
Windows Block Level Backup Engine Service
System Recovery Partition , WinRe.wim
NextCloud / OwnCloud
Backblaze / Carbonite / Crashplan / Mozy / etc

2 comments:

Alex said...

Very good post!

Thanks!