Windows OS Security Ratings

Orange Book.


When the US government saw the tremendous usage of commercial operating systems in the mid 1980s, it proposed a standard for operating system security. Security was one of the key roles in managing data, and this is not specific to a single organization, because different organizations have different sets of data that they need to secure.


The Trusted Computer System Evaluation Criteria (TCSEC) were then brought in by the US DoD. They wrote the standard, which follows specific criteria to handle different levels of security, and printed it with an orange cover; since then TCSEC has been known as the Orange Book.


The Orange Book's main objective was to evaluate computer security in 3 major areas:

a) storage of data in the computer

b) retrieval of sensitive data


The Orange Book defines 4 broad divisions, A to D, with subcategories (A1, B3, B2, B1, C2, C1, D), where A is the most secure and D the least secure.





Microsoft operating systems' security falls under the C and B categories; under the B division, Microsoft operating systems meet only 2 of the required security criteria, not all of them.




The four divisions are:


A Division (Verified Protection): While developing an operating system to meet the A1 rating, developers must treat system design and security policy as the highest priority, so vendors have managed to design operating systems that meet the A rating to date.


B Division (Mandatory Protection): The B division is subcategorized into B3, B2 and B1. B division systems require more testing and documentation. Windows operating systems fall under the B division, and the component Microsoft developed for it is the SAS (Secure Attention Sequence, i.e. Ctrl+Alt+Del).


C Division (Discretionary Protection): Most Microsoft operating systems, along with Linux, fall under this division. Implementation of passwords, auditing and file protection are some of the major factors of the C division.


D Division (Minimal Security): Operating systems with minimal or no security fall under this division; there are no rules defined for D division operating systems.



This article should be helpful for architects who are designing infrastructure with mixed operating systems, and help them evaluate the security protections each of them supports.


Some Important Links




Microsoft MVP



DHCP Interface Crash – windows 2008 R2

I have raised a bug with Microsoft regarding the MMC crash, and here are the details.
I have observed this behavior on the Windows 2008 R2 RC build and would encourage users to try with the latest build.
ISSUE: On a Windows 2008 R2 RC 64-bit edition server, uncheck the IPv4 address, use IPv6 and try to configure the DHCP role, and we get the MMC error "MMC snap-in failed to load".
Resolution from the DHCP Product Group:
There are a couple of work arounds which could be used in this situation:
1. Have a static IPv6 address on the interface. This would in any case be required for the DHCP server to bind to. We have found that with a static IPv6 address, the role installation of the DHCP server works fine.

2. Use the command-line mode for installation (ocsetup or PowerShell). (In PowerShell, you can run import-module servermanager, followed by add-windowsfeature dhcp.)

3. Enable IPv4, install the server role and then disable IPv4. After installation of the server role, the DHCP MMC works fine regardless of whether IPv4 is enabled or not.
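Workarounds 1 and 2 can be scripted together, so the Server Manager snap-in that fails to load is never opened. The following PowerShell script is an added example and is not from the original post or from Microsoft. It assumes the adapter name and the IPv6 address are placeholders you replace (the prefix is the RFC 3849 documentation range), that netsh lists statically assigned addresses with Addr Type "Manual", and it uses netsh because the NetTCPIP cmdlets (Get-NetIPAddress and friends) do not exist on Windows Server 2008 R2.

```powershell
# Added example, not part of the original post: applies workaround 1 (static IPv6 address)
# and then workaround 2 (command-line role install) on Windows Server 2008 R2.
# Assumptions: $InterfaceAlias and $StaticIPv6 are placeholders you must replace;
# the IPv6 prefix below is the RFC 3849 documentation range, not a real assignment.
param(
    [string]$InterfaceAlias = 'Local Area Connection',   # placeholder adapter name
    [string]$StaticIPv6     = '2001:db8::10/64'          # placeholder address/prefix
)

# Workaround 1: the DHCP server needs a static IPv6 address to bind to once IPv4 is disabled.
# netsh is used because the NetTCPIP cmdlets (Get-NetIPAddress etc.) only exist on 2012 and later.
$addresses = netsh interface ipv6 show addresses "$InterfaceAlias"
if ($LASTEXITCODE -ne 0) { throw "netsh could not read interface '$InterfaceAlias'." }

# Assumption: 'Manual' in the "Addr Type" column marks a statically assigned address
if (@($addresses -match '^\s*Manual\s').Count -gt 0) {
    Write-Host "Static IPv6 address already present on '$InterfaceAlias'."
} else {
    netsh interface ipv6 add address "$InterfaceAlias" $StaticIPv6
    if ($LASTEXITCODE -ne 0) { throw "Could not add $StaticIPv6 to '$InterfaceAlias'." }
    Write-Host "Added static IPv6 address $StaticIPv6 to '$InterfaceAlias'."
}

# Workaround 2: install the role from PowerShell instead of the Server Manager MMC,
# so the snap-in that fails to load is never involved.
Import-Module ServerManager
if ((Get-WindowsFeature -Name DHCP).Installed) {
    Write-Host 'DHCP Server role is already installed.'
} else {
    $result = Add-WindowsFeature -Name DHCP
    if (-not $result.Success) { throw "Add-WindowsFeature DHCP failed (exit code $($result.ExitCode))." }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is needed to finish the DHCP role installation.' }
    Write-Host 'DHCP Server role installed.'
}
```

Run it from an elevated PowerShell prompt on the server; the static address is only added when none is present, so the script is safe to re-run after the role install.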

Hope the article helps, and please do post your comments after testing the behavior.

Microsoft MVP

Hardware Exceptions



To understand hardware exceptions, one should have thorough knowledge of the separation between the processor, RAM, the operating system and the hardware. Most of the time we understand the details of these components when we debug them, and understanding the instruction set makes life easy for any debugger.


A hardware device / I/O device usually sends an interrupt, and this interrupt is followed by a vector. The vector determines what code needs to be executed to handle the interrupt. The most commonly used interrupt types are the non-maskable interrupt and the maskable interrupt.



Non-Maskable Interrupts / NMI:


These are very critical and should never be ignored. An NMI talks directly to the processor and not via the PIC (programmable interrupt controller). Two major points to remember:


a) NMI is hardware specific. An NMI is generated by specific hardware (e.g. RAM), and the most common cause is a parity error.


b) When an NMI is triggered no other interrupts are processed; the CPU stops instruction execution and starts processing the NMI.




Maskable Interrupts:


These interrupts are of low / normal priority; the processor may execute or ignore them. They are categorized as device interrupts, occurring from network adapters, disks, etc.



The following are important considerations for handling interrupts.


a) The device driver should be capable of handling both NMI and maskable interrupts.


b) Decide what action should be performed by your driver when an interrupt occurs, such as calling EvtDeviceD0EntryPostInterruptsEnabled and




Some of the commonly known exceptions are listed below.


Access Violation:

Access violation exceptions are generated by modern processors when a memory access caused by an instruction or program execution does not satisfy certain conditions defined by the processor architecture or by the memory management unit structures.


This exception occurs in 3 main situations:


1. when we try to read or write an inaccessible memory location;

2. when a page that belongs to a system component is used in user mode, for example using a page that the kernel is using;

3. when an invalid read or write operation is done to a read-only page.


Breakpoint:

This exception occurs on encountering a hardware-defined breakpoint. It is usually referred to as an instruction address breakpoint and is specific to the microprocessor.


Data-type misalignment:

If you read or write data at an address that is not properly aligned; for example, a 16-bit entry must be aligned on a 2-byte boundary. This is not applicable to the 32-bit Intel 80x86 processor.


Floating-point divide by zero:

Dividing a floating-point variable by 0 raises a divide-by-zero exception.

Floating-point overflow:

Exceeding the maximum positive exponent of a floating-point type raises an overflow exception.

Floating-point underflow:

Exceeding the maximum negative exponent of a floating-point type raises a floating underflow exception.


Reserved operand:

Use of a reserved floating-point format is incorrect, so an exception occurs.


Illegal instruction:

Attempting to execute an instruction code that is not defined by the processor causes an illegal instruction exception. Executing an instruction not allowed in the current machine mode (a privileged instruction) also creates an exception.


Integer divide by zero:

Dividing an integer type by zero causes an exception.


Single step:

Executing an instruction in single-step mode causes an exception.


The above exceptions are generally handled by debuggers, the operating system or other low-level code.





Microsoft MVP


Windows Exception – Sail Through


Administrators and system engineers are often stumped when they see exception errors, with different thoughts running through their minds as to what has caused the exception. Many ignore them, close the application window and restart the system. But this doesn't help if the error comes knocking again.

I would say a good administrator has to understand the Windows architecture to analyze and troubleshoot the issue. I understand the timelines, stress and pressure, but eventually, if you hit the right spot, the problem gets resolved.


What is an Exception? 

Exceptions can be caused by different components of the Windows operating system. An exception is an event that occurs during program execution and stops the normal execution of instructions; a relevant exception handling technique is then used to handle it. Exceptions can be caused either by hardware or by software.


Software Exception / Application Level Exception :  

When you see a software exception, it might be because of one of the following reasons:

· Your application / driver tries to write to a read-only page.

· Every program is assigned its own address space, and if your program accesses memory outside its assigned address space, you could experience an exception.

· Guard page: this is a very interesting feature provided by Microsoft which is used to monitor growing data structures; if your application tries to access the guard page you would see a Blue Screen (BSOD) or a STATUS_GUARD_PAGE_VIOLATION exception.

· The most famous one, the OUT OF MEMORY exception, occurs due to applications (managed / unmanaged).


Action To Be Taken: 

Most of the time these exceptions are handled: you will see an event in Event Viewer with the module name, or a BSOD with the bug check ID. So there is not much for system engineers or administrators to do when they see exceptions, other than report the exception to the in-house development team or to external development teams.
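The Event Viewer entry the paragraph mentions (Application log, source "Application Error", event ID 1000) carries the faulting module and the exception code, and that code tells you which of the hardware exception classes from the Hardware Exceptions post (access violation, misalignment, breakpoint, divide by zero, floating-point overflow/underflow, illegal instruction, single step) or which software exception you are looking at. The PowerShell decoder below is an added example and is not from the original post; it assumes the regular expression matches the English message text of event 1000, and the codes are the standard NTSTATUS EXCEPTION_* values from winnt.h / ntstatus.h, tagged hardware or software following the posts' own grouping. The sample message is constructed.

```powershell
# Added example, not part of the original post. Assumptions: the regular expression matches the
# English message text of "Application Error" event ID 1000; the codes are the standard NTSTATUS
# EXCEPTION_* values (winnt.h / ntstatus.h) and the hardware/software tags follow the posts' grouping.
$exceptionNames = @{
    'c0000005' = 'Access violation (hardware: inaccessible or read-only page)'
    '80000002' = 'Datatype misalignment (hardware)'
    '80000003' = 'Breakpoint (hardware)'
    '80000004' = 'Single step (hardware)'
    '80000001' = 'Guard page violation (STATUS_GUARD_PAGE_VIOLATION)'
    'c000001d' = 'Illegal instruction (hardware)'
    'c0000096' = 'Privileged instruction (hardware: not allowed in current mode)'
    'c0000094' = 'Integer divide by zero (hardware)'
    'c0000095' = 'Integer overflow (hardware)'
    'c000008e' = 'Floating-point divide by zero (hardware)'
    'c0000090' = 'Floating-point invalid operation / reserved operand (hardware)'
    'c0000091' = 'Floating-point overflow (hardware)'
    'c0000093' = 'Floating-point underflow (hardware)'
    'c00000fd' = 'Stack overflow (software)'
    'c0000017' = 'Out of memory, STATUS_NO_MEMORY (software)'
    'c0000374' = 'Heap corruption (software)'
    'e0434352' = '.NET CLR exception (managed code, software)'
}

function ConvertFrom-AppErrorMessage {
    param([Parameter(Mandatory=$true)][string]$Message)
    # Pull the application, the faulting module and the exception code out of the message text
    $pattern = 'Faulting application name: (?<app>[^,]+),.*?Faulting module name: (?<mod>[^,]+),.*?Exception code: 0x(?<code>[0-9A-Fa-f]{8})'
    $m = [regex]::Match($Message, $pattern, 'Singleline')
    if (-not $m.Success) { return $null }
    $code = $m.Groups['code'].Value.ToLower()
    $meaning = 'Unknown: look the NTSTATUS value up in ntstatus.h'
    if ($exceptionNames.ContainsKey($code)) { $meaning = $exceptionNames[$code] }
    New-Object PSObject -Property @{
        Application = $m.Groups['app'].Value
        Module      = $m.Groups['mod'].Value
        Code        = "0x$code"
        Meaning     = $meaning
    }
}

# Constructed sample in the event 1000 message format (versions, time stamps and offsets are placeholders)
$sample = 'Faulting application name: notepad.exe, version: 1.0.0.0, time stamp: 0x00000000, ' +
          'Faulting module name: ntdll.dll, version: 1.0.0.0, time stamp: 0x00000000, ' +
          'Exception code: 0xc0000005, Fault offset: 0x00000000, Faulting process id: 0x1234'
ConvertFrom-AppErrorMessage $sample | Format-List Application, Module, Code, Meaning

# The same decoder over the last 20 live events in the Application log
# (Get-WinEvent exists from PowerShell 2.0, so this works on Windows Server 2008 R2)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-AppErrorMessage $_.Message } |
    Where-Object { $_ -ne $null } |
    Format-Table Application, Module, Code, Meaning -AutoSize
```

The module name is what the development team needs first: a crash inside your own DLL is theirs to fix, while a crash in a system module with a hardware-class code usually means your code handed it a bad pointer or corrupted the heap earlier.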



System Administrator / System Engineer Tools :


Memory Dump:

When you see a BSOD on a Windows server, do not panic. A BSOD doesn't mean that the system has crashed; the operating system enters a stop state in which it doesn't process any instructions, and it does this by calling a function (KeBugCheckEx).

For memory exceptions / BSODs a relevant dump should be generated for analysis. Please follow the steps below, which will stop the server from automatically restarting when a crash occurs.

1. Right-click "My Computer" on the desktop and select "Properties"

2. Click the "Advanced" tab

3. Click "Settings" in the "Startup and Recovery" area

4. In the dialog box that appears, uncheck "Automatically restart" in the "System failure" area

5. Click OK
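The same setting can be applied and verified from PowerShell, which is handier on a fleet of servers than clicking through the dialog. The script below is an added example, not from the original post; it assumes that the CrashControl registry key holds the persisted values behind the "Startup and Recovery" dialog (AutoReboot for step 4, CrashDumpEnabled and DumpFile for the dump type and location), and it adds the checks a practitioner wants before the next crash: that a dump is enabled at all, and that a complete dump has somewhere to go.

```powershell
# Added example, not part of the original post. Assumption: the CrashControl registry key
# holds the persisted settings behind the "Startup and Recovery" dialog, so AutoReboot = 0
# is the scripted form of step 4 ("Automatically restart" unchecked).
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    $s = Get-ItemProperty -Path $crashControl
    # CrashDumpEnabled values: 0 none, 1 complete, 2 kernel, 3 small; 7 (automatic) is Windows 8 / 2012 and later
    $types = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
    $type = $types[[int]$s.CrashDumpEnabled]
    if (-not $type) { $type = "Unknown ($($s.CrashDumpEnabled))" }
    New-Object PSObject -Property @{
        AutoReboot = ([int]$s.AutoReboot -ne 0)
        DumpType   = $type
        DumpFile   = [Environment]::ExpandEnvironmentVariables([string]$s.DumpFile)
    }
}

# Step 4: stop the server from restarting on its own after a bug check, so the BSOD stays on screen
Set-ItemProperty -Path $crashControl -Name AutoReboot -Value 0 -Type DWord

$cfg = Get-CrashDumpConfig
$cfg | Format-List AutoReboot, DumpType, DumpFile

# Two configurations leave nothing to hand to the debuggers: no dump at all, or a complete
# dump with too little free space on the target drive to hold roughly the size of physical RAM.
if ($cfg.DumpType -eq 'None') {
    Write-Warning 'CrashDumpEnabled is 0: no memory dump will be written. Set it to 2 (kernel) or 1 (complete) and reboot.'
}
if ($cfg.DumpType -eq 'Complete memory dump') {
    $drive     = ([System.IO.Path]::GetPathRoot($cfg.DumpFile)).TrimEnd('\')
    $freeBytes = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
    $ramBytes  = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
    if ($freeBytes -lt $ramBytes) {
        Write-Warning ("Only {0:N1} GB free on {1}, but a complete dump needs roughly the {2:N1} GB of RAM." -f ($freeBytes / 1GB), $drive, ($ramBytes / 1GB))
    }
}
```

Run it elevated; a change to CrashDumpEnabled takes effect after a reboot, so check the output once more after the server comes back.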




 ADPlus Utility

The second utility I would suggest to system administrators or engineers is ADPlus; this is a console-based script used to generate memory dumps and logs. This utility eases the administrator's task with its -notify switch.


ADPlus can be configured in hang mode or crash mode; engineers can configure ADPlus prior to the exception / error, so that when an application error occurs a relevant dump will be generated under C:\Temp\Crash_Mode_Date_Time





If you want to debug common issues like Illegal Instruction, Unknown Exception, Stack Overflow or Access Violation exceptions, you can configure the ADPlus tool in crash mode. There are many other exceptions which can be debugged using this tool, but I am writing this document exclusively for system engineers and administrators.

Note: Start ADPlus in crash mode before the process throws an exception or becomes unstable.




If you are a hardcore debugger and want to analyze the memory stack of a process or troubleshoot 100% CPU utilization, then I would suggest using ADPlus in hang mode, which will dump the complete process memory.

Note: Start ADPlus in hang mode after the process / application hangs.


Please use ADPlus -help to understand the switches and try using them; it's fun!





ADPlus -hang -p <PID> or ADPlus -hang -pn <processname>


ADPlus -crash -p <PID> or ADPlus -crash -pn <processname>


You can use tasklist from the command prompt to get the PID / process name.



Tips About ADPlus:


ADPlus is best configured for exceptions.

ADPlus is a replacement for UserDump.exe.

With ADPlus you can analyze multiple processes using -p <PID> -p <PID> -p <PID>
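Putting the commands above together, here is a PowerShell wrapper that resolves a process name to every running PID (the same IDs tasklist shows), builds one -p per PID so a single session covers all instances, and starts adplus.vbs in crash or hang mode without the Windows Script Host warning dialog. This is an added example, not from the original post or from the Debugging Tools package; it assumes the Debugging Tools folder named later in this post as a placeholder you adjust, a constructed output folder, and the documented ADPlus switches -crash/-hang, -p, -o and -quiet.

```powershell
# Added example, not part of the original post. Assumptions: $debugTools is the install folder the
# post uses and is a placeholder on your box; $outDir is a constructed choice; adplus.vbs accepts
# the -crash/-hang, -p, -o and -quiet switches used below (documented ADPlus switches).
$debugTools = 'C:\Program Files\Debugging Tools for Windows (x86)'   # placeholder, adjust to your install
$outDir     = 'C:\Temp'                                              # placeholder output folder

function Start-AdPlusCapture {
    param(
        [Parameter(Mandatory=$true)][string]$ProcessName,        # e.g. 'notepad' (no .exe)
        [ValidateSet('crash','hang')][string]$Mode = 'crash'
    )
    # Resolve every instance of the process to its PID, the same IDs tasklist would show
    $pids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
    if ($pids.Count -eq 0) { throw "No running process named '$ProcessName'." }

    # Build one -p per PID so a single session covers all instances (the multiple -p tip above).
    # -o sets the dump folder; -quiet suppresses the Windows Script Host warning dialog.
    $adplusArgs = @("-$Mode")
    foreach ($id in $pids) { $adplusArgs += @('-p', $id) }
    $adplusArgs += @('-o', $outDir, '-quiet')

    if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
    $script = Join-Path $debugTools 'adplus.vbs'
    if (-not (Test-Path $script)) { throw "adplus.vbs not found under '$debugTools'." }

    & cscript.exe //nologo $script @adplusArgs
    if ($LASTEXITCODE -ne 0) { throw "adplus exited with code $LASTEXITCODE." }
    return $pids
}

# Crash mode is started before the fault (ADPlus then waits, dumping on a crash exception or on Ctrl+C);
# hang mode is started only after the process has already hung.
Start-AdPlusCapture -ProcessName 'notepad' -Mode 'crash'
```

The function returns the list of PIDs it attached to, which is worth recording alongside the dump folder so the development team can match each dump to the process instance it came from.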




Below are the screenshots of using the ADPlus utility.


As system administrators / engineers, I would suggest, or rather urge, you to learn the system architecture widely; this will bring more insight into the communication between components and give you a good hold on the Windows operating system. Microsoft has been, and is, supporting us in achieving this by giving us the best tools in the world.


The ADPlus utility is part of the Debugging Tools for Windows package. You can download and install it from the location below.


After you install the tools, navigate to the directory below and run adplus.vbs, which will pop up a warning; select No and proceed.







Upon which you will see a Windows Script Host window open; press OK and continue.




You need to attach the process either in hang mode or in crash mode, depending on the requirement.




In my example, I will be using Notepad.exe. As I said earlier, you can run tasklist to find the PID of the application. Observe the command: I am using ADPlus in crash mode. Once you attach the process, hit Enter.




After you attach ADPlus to an application process in crash mode, the utility starts logging information about all the threads in the process / processes.





You will see a minimized shell window for each process (please check the screen below); this window is called the debugger window. During this stage the ADPlus utility is monitoring the process for crash exceptions such as Invalid Handle, Illegal Instruction, Unknown Exception, etc., and the window closes only for 2 reasons:


a) Manually detaching the debugger: to manually detach the debugger and dump all the threads related to the process, press CTRL+C in the debugger window.

b) When the above-mentioned exceptions occur.




After you hit CTRL+C the dump gets generated under the "C:\Program Files\Debugging Tools for Windows (x86)" folder, in a subfolder named with the date and time. Please find the screenshot below.







Alright! So you are done with successfully capturing the dump, and now it's time to involve the debuggers / integration team or the development team to analyze the dump.





In the next session I will concentrate on hardware exceptions and troubleshooting techniques.






Microsoft MVP