Windows Security Features

User Account Control is a security feature introduced in Windows Vista that helps prevent unauthorized changes to the operating system. UAC works by prompting for consent or credentials when a program tries to make changes that require administrator-level permission. The prompt appears in a secure desktop, dimming the rest of the screen to prevent malicious programs from interfering.

How it works: When a process requests access to a protected resource (e.g., writing to Program Files, modifying system registry keys), Windows checks the integrity level of the calling process. Standard user processes run at medium integrity, while administrator processes can run at high integrity. If a process with low or medium integrity attempts to modify a high-integrity resource, UAC triggers a prompt. The user must either approve (if they are an administrator) or enter administrator credentials (if they are a standard user).

UAC Levels: There are four notification levels: - Always notify: Prompts when programs try to install software or make changes, and when you change Windows settings. This is the most secure but most intrusive. - Notify me only when programs try to make changes to my computer (default): Does not prompt when you change Windows settings. - Notify me only when programs try to make changes to my computer (do not dim my desktop): Same as above but without the secure desktop. - Never notify: Disables UAC prompts entirely. This is not recommended.

Configuration: UAC can be configured via: - Control Panel > System and Security > Security and Maintenance > Change User Account Control settings - Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - EnableLUA (DWORD): 1 enables UAC, 0 disables - ConsentPromptBehaviorAdmin: 0 = no prompt, 1 = prompt for credentials, 2 = prompt for consent (default for admins) - PromptOnSecureDesktop: 1 enables secure desktop, 0 disables - Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control: Run all administrators in Admin Approval Mode

Exam Tip: The default UAC setting on Windows 10/11 is "Notify me only when programs try to make changes to my computer." The exam may ask about the impact of changing this setting.

Windows Defender Firewall (formerly Windows Firewall) is a host-based firewall that monitors and controls incoming and outgoing network traffic based on security rules. It is enabled by default on all Windows editions.

How it works: The firewall inspects packets at the network layer and transport layer (TCP/UDP). It uses rules to determine whether to allow or block traffic. Rules can be based on: - Direction: Inbound or outbound - Protocol: TCP, UDP, ICMP, etc. - Port numbers: Source and destination ports - IP addresses: Specific IP addresses or ranges - Program: Path to an executable - Service: Windows service name

Profiles: Windows Firewall has three profiles: - Domain: Applied when the computer is connected to a domain controller. - Private: Applied when connected to a private network (e.g., home or work). - Public: Applied when connected to a public network (e.g., coffee shop). This is the most restrictive.

Configuration: - GUI: Windows Defender Firewall with Advanced Security (wf.msc) - Command line: netsh advfirewall commands - netsh advfirewall set allprofiles state on (enable firewall) - netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80 - PowerShell: New-NetFirewallRule cmdlet - New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow

Default Behavior: All inbound traffic is blocked unless it matches an allow rule. All outbound traffic is allowed unless a block rule exists. This is a key exam point: inbound is blocked by default, outbound is allowed.

Exam Trap: Candidates often think that Windows Firewall blocks all traffic by default. It only blocks unsolicited inbound traffic. Outbound traffic is allowed by default.

BitLocker is a full-disk encryption feature available in Windows Pro, Enterprise, and Education editions. It encrypts the entire drive, including the operating system, system files, and user data, to protect against offline attacks (e.g., booting from another OS to read files).

How it works: BitLocker uses AES encryption (128-bit or 256-bit) with an encryption key that is stored in the Trusted Platform Module (TPM) chip on the motherboard. When the system boots, the TPM releases the key only if the boot components (boot loader, kernel) have not been modified. This ensures that the system has not been tampered with.

Components: - TPM: A hardware chip that stores encryption keys and performs cryptographic operations. TPM version 1.2 or 2.0 is required. - Recovery Key: A 48-digit numeric key that can be used to unlock the drive if TPM fails or if the boot configuration changes. It should be backed up to Active Directory, a Microsoft account, or printed. - Startup Key: A USB drive that contains the encryption key. Used instead of TPM on systems without TPM. - Startup PIN: A PIN that must be entered before the OS loads. Adds an extra layer of security.

Configuration: - Control Panel: BitLocker Drive Encryption - Command line: manage-bde - manage-bde -status (check encryption status) - manage-bde -on C: (enable BitLocker on C: drive) - manage-bde -protectors -add C: -RecoveryPassword (add recovery password) - PowerShell: Enable-BitLocker cmdlet

Exam Points: - BitLocker requires TPM 1.2 or later. - BitLocker To Go encrypts removable drives. - Recovery key is 48 digits. - BitLocker is not available in Windows Home edition.

Microsoft Defender Antivirus is the built-in antivirus solution in Windows 10 and 11. It provides real-time protection against malware, spyware, and other threats. It is part of the Windows Security Center (formerly Windows Defender Security Center).

How it works: Defender uses multiple engines for detection: - Signature-based detection: Compares files against a database of known malware signatures. - Heuristic analysis: Looks for suspicious behavior patterns. - Cloud-based protection: Submits suspicious files to Microsoft's cloud for analysis. - Behavioral monitoring: Monitors running processes for malicious actions.

Key Features: - Real-time protection: Scans files when they are accessed or downloaded. - Cloud-delivered protection: Uses Microsoft's cloud to identify new threats quickly. - Automatic sample submission: Sends suspicious files to Microsoft for analysis. - Tamper protection: Prevents malware from disabling Defender.

Configuration: - Windows Security app: Settings > Update & Security > Windows Security > Virus & threat protection - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus - PowerShell: Set-MpPreference cmdlet - Set-MpPreference -DisableRealtimeMonitoring $false (enable real-time monitoring) Get-MpComputerStatus (check status)

Exam Tip: Microsoft Defender Antivirus is enabled by default and should not be disabled unless another antivirus is installed. Windows automatically disables Defender when a third-party AV is detected.

SmartScreen is a security feature that protects against phishing and malware by checking downloaded files and websites against a list of known malicious sites and files. It is integrated into Microsoft Edge and Windows.

How it works: When a user downloads a file, SmartScreen checks the file's reputation against Microsoft's cloud database. If the file is unknown or known to be malicious, SmartScreen blocks the download or displays a warning. Similarly, when visiting a website, SmartScreen checks the URL against a list of phishing sites.

Configuration: - Windows Security app: App & browser control - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen

Exam Point: SmartScreen is often tested in the context of phishing protection. It is not a full antivirus but works alongside Defender.

These are advanced security features available in Windows Enterprise editions.

Credential Guard: Uses virtualization-based security to protect domain credentials (hashes) from being stolen by malware. It isolates the Local Security Authority (LSA) process in a virtualized container that cannot be accessed by the OS.

Device Guard: Ensures that only trusted applications can run on the system. It uses code integrity policies (Windows Defender Application Control) to allow only approved executables.

Requirements: - UEFI firmware with Secure Boot - Virtualization support in CPU (Intel VT-x or AMD-V) - Windows Enterprise edition

Configuration: - Group Policy: Computer Configuration > Administrative Templates > System > Device Guard - PowerShell: Enable-DeviceGuard cmdlet

Windows security features are designed to work together. For example, UAC prevents unauthorized changes, but if malware bypasses UAC, Defender Antivirus should catch it. Firewall blocks inbound attacks, but if malware is already inside, Defender monitors behavior. BitLocker protects data at rest, while firewall protects data in transit. Understanding these layers is key to the exam.

In an enterprise environment, Windows security features are critical for protecting sensitive data and meeting compliance requirements. For example, a financial institution might use BitLocker to encrypt all laptops and desktops to comply with data protection regulations like GDPR or PCI-DSS. They would enforce BitLocker via Group Policy, requiring TPM + PIN for startup and backing up recovery keys to Active Directory. The IT team would use manage-bde scripts to monitor encryption status across thousands of devices. If an employee loses their laptop, the recovery key can be retrieved from AD to unlock the drive and recover data.

Another scenario involves a healthcare organization using Windows Defender Firewall to segment network traffic. They might create rules to allow only specific medical devices to communicate with the EHR server on port 443, blocking all other inbound traffic. They would use the Advanced Security snap-in to create rules based on IP ranges and services. They also enable logging to monitor for unauthorized access attempts. Misconfiguration here could lead to either blocked legitimate traffic (e.g., doctors unable to access patient records) or security gaps.

A common issue is when users disable UAC to avoid prompts, which weakens security. In one case, a helpdesk technician disabled UAC on a user's machine to install software, forgetting to re-enable it. Later, the machine was infected with ransomware that made system-wide changes without prompting. The company had to restore from backups. The lesson: always keep UAC enabled, and use Group Policy to prevent users from changing the setting.

Performance considerations: BitLocker encryption has negligible performance impact on modern SSDs with hardware encryption. On older HDDs, it can reduce throughput by 5-10%. Windows Defender Antivirus scans can consume CPU during full scans, so scheduling them during off-hours is common. Firewall rules with many IP addresses can slow down packet processing, but this is rarely an issue on modern hardware.