Windows Security

Question 1

What should build and test environments reflect?

Answer 1

Same security update levels (patches, service packs) as the user base.

Question 2

What does Microsoft recommend for security updates?

Answer 2

Install the latest patches and service packs immediately.

Question 3

Why is waiting to install patches not recommended?

Answer 3

Risk of zero-day exploits.

Question 4

What should developers determine about app resources?

Answer 4

Resources used and privileged APIs called to assess admin privilege needs.

Question 5

What is the Secure Development Lifecycle (SDL)?

Answer 5

A process aligning security-focused activities with software development phases.

Question 6

What activities are part of SDL?

Answer 6

Developing threat models, using code scanning tools, conducting code reviews, security testing.

Question 7

What is the principle of least possible privilege?

Answer 7

Build apps with minimal privileges to reduce system compromise risk.

Question 8

Why is least privilege important?

Answer 8

Reduces risk of intrusion from apps calling privileged functions.

Question 9

What risk do apps with special privileges pose?

Answer 9

May leave the system open to intrusion if run longer than necessary.

Question 10

How should apps requiring special privileges be managed?

Answer 10

Run for the least time possible and inform users of security risks.

Question 11

How can apps run with less risk of admin privileges?

Answer 11

Use a less privileged account, break into separate functions, authenticate users.

Question 12

What function authenticates users for admin privileges?

Answer 12

CredUIPromptforCredentials (CUI) or CredUICmdLinePromptforCredentials (cli).

Question 13

What does PrivilegeCheck do?

Answer 13

Determines which privileges are enabled in an access token.

Question 14

When is PrivilegeCheck typically used?

Answer 14

By server apps to check privileges of a client’s access token.

Question 15

What happens if privileges are insufficient?

Answer 15

Prompt user to log on with an account having sufficient privileges.

Question 16

What are privileges in Windows?

Answer 16

Rights to perform system tasks like shutdown or changing system time.

Question 17

How do privileges differ from access rights?

Answer 17

Privileges control system tasks; access rights control securable objects.

Question 18

Who assigns privileges in Windows?

Answer 18

Administrators, to user and group accounts.

Question 19

What controls access to securable objects?

Answer 19

The object’s discretionary access control list (DACL).

Question 20

What is an impersonation token?

Answer 20

An access token capturing a client’s security info for a server to impersonate.

Question 21

What is an access token?

Answer 21

A structure identifying a user’s security info, created at logon.

Question 22

What does an access token contain?

Answer 22

User’s identity, group memberships, and privileges.

Question 23

What are the types of access tokens?

Answer 23

Primary and impersonation tokens.

Question 24

Who creates a primary token?

Answer 24

Windows kernel, for a process’s default security info.

Question 25

What is the minimum OS for PrivilegeCheck?

Answer 25

Windows 2000 (client or server).

Question 26

What header file is needed for PrivilegeCheck?

Answer 26

winbase.h (included in windows.h).

Question 27

What does PrivilegeCheck check?

Answer 27

Only enabled privileges in an access token.

Question 28

How can privileges be enabled or disabled?

Answer 28

Using the AdjustTokenPrivileges function.

Question 29

What are Windows objects in security terms?

Answer 29

COM-like objects with security descriptors defining access rights.

Question 30

What is a security descriptor?

Answer 30

A structure specifying the rights needed to access an object.

Question 31

What does a user’s access token provide?

Answer 31

Rights and group memberships for accessing objects.

Question 32

What is a Security Identifier (SID)?

Answer 32

A unique account number identifying a user or group across the network.

Question 33

What does a SID in an access token include?

Answer 33

References to group SIDs the user belongs to.

Question 34

How is an access token modified?

Answer 34

Using Local Users and Groups or Active Directory Users and Computers MMC.

Question 35

What does an access token’s privilege entry contain?

Answer 35

A locally unique identifier (LUID) and an attribute mask of rights.

Question 36

What is a group SID entry?

Answer 36

Contains a privilege count and an array of privilege entries.

Question 37

Who can own a Windows object?

Answer 37

A user or group, identified by a SID.

Question 38

What controls Windows auditing?

Answer 38

The security access control list (SACL).

Question 39

What controls object reuse in Windows?

Answer 39

The discretionary access control list (DACL).

Question 40

What are absolute security descriptors?

Answer 40

Contain a copy of each ACL within their structure.

Question 41

What are self-relative security descriptors?

Answer 41

Contain pointers to SACL and DACL, saving memory.

Question 42

Why avoid manipulating ACL or SID contents?

Answer 42

Structures may change in future Windows updates.

Question 43

What is a zero-day exploit?

Answer 43

A vulnerability exploited before a patch is available.

Question 44

Why test environments need identical patches?

Answer 44

To mirror user base security and avoid discrepancies.

Question 45

What is a privileged API?

Answer 45

An API requiring special permissions to execute.

Question 46

Why break apps into separate functions?

Answer 46

Isolates admin-privileged functions, reducing overall risk.

Question 47

What does CredUIPromptforCredentials do?

Answer 47

Prompts users for username and password for authentication.

Question 48

What is the role of an access token in processes?

Answer 48

Every process uses a copy to define user permissions.

Question 49

What is a locally unique identifier (LUID)?

Answer 49

A pointer to a privilege entry in an access token.

Question 50

What tasks require special privileges?

Answer 50

System shutdown, loading drivers, changing system time.

Question 51

How does the system use DACLs?

Answer 51

Grants or denies access based on an object’s DACL.

Question 52

What is the purpose of an impersonation token?

Answer 52

Allows a server to perform security operations as the client.

Question 53

What OS versions support PrivilegeCheck?

Answer 53

Windows 2000 and later, client or server.

Question 54

What happens to disabled privileges?

Answer 54

PrivilegeCheck ignores them; they must be enabled via AdjustTokenPrivileges.

Question 55

What are securable objects in Windows?

Answer 55

Resources like files or registry keys protected by security descriptors.

Question 56

How does a user access a Windows object?

Answer 56

Presents an access token, which the system checks against the object’s security descriptor.

Question 57

What does a group SID indicate?

Answer 57

The groups a user belongs to, included in the access token.

Question 58

How are SACL and DACL used together?

Answer 58

SACL controls auditing; DACL controls access and reuse.

Question 59

Why are self-relative descriptors memory-efficient?

Answer 59

Use pointers to ACLs instead of copying them.

Question 60

What is the risk of running apps with admin privileges?

Answer 60

Increases vulnerability to system compromise.

Question 61

Why inform users of security risks?

Answer 61

Transparency about potential vulnerabilities in privileged apps.

Question 62

What is the Windows kernel’s role in tokens?

Answer 62

Creates primary tokens for processes.

Question 63

What is the attribute mask in a privilege entry?

Answer 63

Defines the specific rights a user has to an object.

Question 64

Why is PrivilegeCheck server-focused?

Answer 64

Typically used to verify client privileges in server-client interactions.

Question 65

What is the difference between primary and impersonation tokens?

Answer 65

Primary is for process default security; impersonation is for client impersonation.

Question 66

How does Windows handle group privileges?

Answer 66

Assigns them via group SIDs in the user’s access token.

Question 67

What is the role of Active Directory in tokens?

Answer 67

Manages user and group SIDs for access token updates.

Question 68

Why is SDL critical for secure coding?

Answer 68

Embeds security practices throughout development phases.

Question 69

What is a threat model in SDL?

Answer 69

A model identifying potential security threats to an application.

Question 70

What do code scanning tools do in SDL?

Answer 70

Detect vulnerabilities in code during development.

Question 71

Why conduct code reviews in SDL?

Answer 71

Identify security flaws missed by automated tools.

Question 72

What is security testing in SDL?

Answer 72

Verifying an app’s resistance to attacks and vulnerabilities.

Question 73

Why minimize app runtime with privileges?

Answer 73

Reduces the window for potential intrusions.

Question 74

What is the benefit of running under less privilege?

Answer 74

Lowers the risk of unauthorized system access.

Question 75

How does PrivilegeCheck enhance security?

Answer 75

Ensures only necessary privileges are used for tasks.

Question 76

What is a security risk of special privilege functions?

Answer 76

May expose the system to exploits if misused.

Question 77

Why use impersonation in apps?

Answer 77

Allows secure execution of tasks as a specific user.

Question 78

What does an access token’s privilege count indicate?

Answer 78

The number of privilege entries in the token.

Question 79

How does Windows auditing work?

Answer 79

Tracks access and actions via the SACL.

Question 80

Why are absolute descriptors less efficient?

Answer 80

Copy ACLs, increasing memory usage.

Question 81

What is the purpose of a security descriptor?

Answer 81

Defines access rights for a securable object.

Question 82

Why is an access token created at logon?

Answer 82

To establish a user’s security context for all processes.

Question 83

What is the role of group SIDs in access tokens?

Answer 83

Indicate group memberships affecting user privileges.

Question 84

How does DACL affect object access?

Answer 84

Specifies which users or groups can access an object.

Question 85

What is the risk of not patching immediately?

Answer 85

Exposure to zero-day exploits before vulnerabilities are fixed.

Question 86

Why align test environments with user base?

Answer 86

Ensures consistent security behavior in development and production.

Question 87

What is the benefit of breaking apps into functions?

Answer 87

Isolates high-risk privileged operations from others.

Question 88

How does CredUICmdLinePromptforCredentials work?

Answer 88

Prompts for credentials via command line for authentication.

Question 89

What is the difference between SACL and DACL?

Answer 89

SACL tracks auditing; DACL controls access permissions.

Question 90

Why is PrivilegeCheck dependent on enabled privileges?

Answer 90

Only enabled privileges are active for security checks.

Question 91

What is a COM object in Windows security?

Answer 91

An object with a security descriptor controlling access.

Question 92

How does a SID function across a network?

Answer 92

Uniquely identifies users or groups for consistent access control.

Question 93

What is the MMC used for in security?

Answer 93

Manages user and group accounts to update access tokens.

Question 94

Why avoid direct ACL manipulation?

Answer 94

Risks incompatibility with future Windows updates.

Question 95

What is the benefit of self-relative descriptors?

Answer 95

Saves memory and simplifies group rights changes.

Question 96

How does AdjustTokenPrivileges enhance security?

Answer 96

Allows dynamic enabling/disabling of privileges as needed.

Question 97

What is the role of a security descriptor in access?

Answer 97

Specifies the rights required to interact with an object.

Question 98

Why is an impersonation token temporary?

Answer 98

Used only for specific security operations by a server.

Question 99

What is the significance of a user’s SID?

Answer 99

Ensures consistent identification across network resources.

Question 100

How does Windows verify object access?

Answer 100

Compares the user’s access token with the object’s security descriptor.