Secure System Administration - SANS GIAC © 2000, 2001
Windows 9x Security
For our third session of the second part of the course, we will focus on the Windows 95 and Windows 98 operating systems. The examples are tested on Windows 98, since 95 systems are starting to be retired. The most important thing to know about this flavor of Windows is that there is no file security. If you configure the system for multiple users and have a password screen at bootup, anyone can hit Cancel and still get in. If you use passwords and have two users, each can see all of the other user's files. There are exactly two ways to enforce security for Windows 9x: physical security and encryption.

My laptop is protected by physical security. I travel a lot. I try to keep my laptop bag with me at all times. Still, there are times when I leave it in the hotel room and just hope. Security for most Windows 9x users amounts to hope and nothing more. We will learn how to add a layer of security in this section with better living through encryption. The focus of most of this course will be to show you some of the clue-gathering tools you can use to see and understand what is going on with your Windows 9x system. We will cover several new tools, discuss the file system a bit, and close with encryption.
The first section of this course will be to learn some new tools that give us information about our system. Since everything we see will be inherited from startup, let's cover it at least from a high level. From the Power On Self Test (POST) by the ROM BIOS, we go to the disk and the secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database called the registry is consulted for system information. Virtual Device Drivers (VxDs) come next, followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your system is configured for multiple users, this is the point where you log in and your personal password file is examined (\Windows\yourusername.pwl), and if you have a user profile it is loaded from the user portion of the registry database (\Windows\Profiles\yourusername\user.dat). If you have never looked at your profile, I highly recommend a tour. Finally, if your system.ini has this line:

shell=Explorer.exe

and you shut down cleanly, your Windows Explorer will come up when you reboot.
Before mucking with your startup, it is always a really good idea to back up your registry! On a Windows 98 computer, I start SCANREGW with the Run command: Start, Run, Scanregw. It will then scan your registry and give you an opportunity to make a backup. Backups are stored in \Windows\Sysbckup; the file names start with rb and they are cab (compressed) files. The cab file contains a copy of user.dat, system.dat, win.ini, and system.ini from the Windows\System directory. Note that scanregw will NOT back up the user.dat files for each of the individual users. You will need to do this manually. If you goof up, SCANREGW can use these files to restore the Registry should it become corrupted.

Now we are equipped to look at our startup. Start, Run, SYSEDIT will produce what you see on the slide. This is just a notepad editor, but it makes it really easy to view or edit these startup files. You should see the system.ini explorer entry we just mentioned. Your system may have nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 like it was for DOS, but you can use it to override the default behavior of IO.SYS. The reason you care is that if you use a boot disk to analyze a machine, then you would want to alter the PATH variable so that the applications on your floppy or CDROM are executed before the ones on the suspect system's hard drive. We see in the screen shot above that the operating system looks first in the DOS directory of the C drive, then in the PGP directory under Program Files\Network Associates.
If you are prone to typos, then you might be better served by MSCONFIG, the System Configuration Editor (available with Windows 98), as shown on this screen. You know the drill by now: Start, Run, Msconfig. This is a GUI tool that does everything you can do with SYSEDIT and more.

It really is worth your time to become familiar with your startup for a number of reasons. Note on the slide where it says Reminder and it is unchecked. A partially functional version of MS Money was installed on this laptop. I never used it, nor will I; all accountants expect Quicken. Every time this laptop booted, time was lost while a reminder file was loaded, and it cost memory as well. With the Reminder box unchecked, the reminder file will not load. Microsoft products are fairly benign, but malicious software will use either the Run or RunOnce registry entries to install itself. If you are familiar with what you expect to run, then you may be able to identify and eliminate potentially destructive or abusive software. This is what the ILOVEYOU virus did: it set Internet Explorer to run in order to go get the password sniffer.
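One way to turn "know what you expect to run" into a repeatable check, added here as an example and not code from the course notes: parse a REGEDIT export of the Run and RunOnce keys and report every entry a baseline does not list. The export text, the baseline and the entry names are constructed for the example.

```python
# Added example: the export and the baseline below are constructed, not taken
# from a real system; on a real machine export the keys with REGEDIT /E.
import re
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed export: three expected entries plus two the baseline does not know.
REG_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Reminder"="C:\\Program Files\\Microsoft Money\\reminder.exe"
"Updater"="C:\\WINDOWS\\TEMP\\update.vbs"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LoadOnce"="C:\\WINDOWS\\TEMP\\setup.exe"
"""

# What a quiet system is expected to start; RunOnce should normally be empty.
BASELINE = {RUN_KEY: {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "SystemTray": "SysTray.Exe",
    "Reminder": r"C:\Program Files\Microsoft Money\reminder.exe",
}}

def parse_startup_keys(reg_text):
    """Return {key_path: {value_name: command}} for Run/RunOnce keys only."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            current = path if path.upper().endswith(("\\RUN", "\\RUNONCE")) else None
            if current:
                keys.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current:
            # REGEDIT doubles backslashes inside string values; undo that.
            keys[current][val.group(1)] = val.group(2).replace("\\\\", "\\")
    return keys

def audit_startup(reg_text, baseline):
    """Flag entries the baseline does not list, or whose command changed."""
    report = {"unexpected": [], "changed": []}
    for key, entries in parse_startup_keys(reg_text).items():
        known = baseline.get(key, {})
        for name, cmd in entries.items():
            if name not in known:
                report["unexpected"].append((key, name, cmd))
            elif known[name].lower() != cmd.lower():
                report["changed"].append((key, name, known[name], cmd))
    return report
```

Anything reported as unexpected is a candidate for the MSCONFIG review described above, not automatically malicious.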
As you install and uninstall software, there are times when the application software will come with its own "enhanced" driver or operating system application. You may recall seeing a message from your operating system warning that a system file was about to be overwritten by an older file than the one you have. The logic is that the newer file must be better, and this makes a certain degree of sense. In general, the worst offenders seem to be networking cards. If you plan to network your Windows system, it can be worth your time to do a bit of Internet research first. This is especially true if you are considering running multiple operating systems such as Linux and Windows.

The System File Checker will make an effort at checking all of your system files against a known database (\Windows\Default.sfc). If it finds a file that it feels is the wrong one, you have the option to reinstall from your factory CD. It takes anywhere from a couple of minutes to several minutes to scan your system, and it can be a very prudent thing to do after installing software. The file we need to run is msinfo32.exe. Get to it by clicking on Start, Programs, Accessories, System Tools, System Information. The System File Checker is accessed from the Tools menu. Note that msinfo32.exe is also available on Windows 95, but it doesn't have the System File Checker.
FC

    MARKET~1 ZIP       593,208  03-04-00   9:19p  marketing zip
    MARKET~2 ZIP       593,208  03-04-00   9:23p  Marketing.zip
           27 file(s)      4,401,366 bytes
           12 dir(s)     2,005.71 MB free

    C:\My Documents>fc /b market~1.zip market~2.zip
    Comparing files marketing zip and market~2.zip
    FC: no differences encountered

This slide shows a tool called FC, for File Compare. When you get a complaint from your operating system that you are about to overwrite a file, or if System File Checker is upset about a file, you might want to check it out before making a decision.

Sometimes the file is actually the same, but the dates are different and this confuses Windows. FC also has a binary compare mode, FC /B file1 file2, that can be useful when trying to really dig into a file. If you have a suspected virus and a clean file from a backup, this can be a great way to see a virus or other malicious code.
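A Python reimplementation of the FC /B report, added here as an example rather than code from the course: it shows the differing-byte output you get when a patched copy is compared with a clean backup, and the "no differences" case for two identical files with different dates. The sample bytes are constructed.

```python
# Added example: binary compare in the style of FC /B.  FC /B prints every
# differing byte as "offset: byteA byteB" in hex and, if the lengths differ,
# says which file is longer.  The sample bytes below are constructed.

def fc_binary(a, b):
    """Return (diffs, longer): diffs is [(offset, byte_a, byte_b)] over the
    common length; longer is "a", "b" or None for the longer input."""
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    longer = None if len(a) == len(b) else ("a" if len(a) > len(b) else "b")
    return diffs, longer

def fc_report(name_a, a, name_b, b):
    """Format the comparison the way FC /B shows it on the slide."""
    lines = [f"Comparing files {name_a} and {name_b}"]
    diffs, longer = fc_binary(a, b)
    lines += [f"{off:08X}: {x:02X} {y:02X}" for off, x, y in diffs]
    if longer == "a":
        lines.append(f"FC: {name_a} longer than {name_b}")
    elif longer == "b":
        lines.append(f"FC: {name_b} longer than {name_a}")
    elif not diffs:
        lines.append("FC: no differences encountered")
    return lines

def fc_files(path_a, path_b):
    """Same report for two files on disk (opened read-only, binary mode)."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return fc_report(path_a, fa.read(), path_b, fb.read())

# Constructed sample: a 16-byte executable header (the "clean backup") and a
# copy in which three bytes were changed and four appended (the "suspect").
CLEAN = bytes.fromhex("4D5A900003000000040000000000FFFF")
SUSPECT = bytearray(CLEAN)
SUSPECT[4:7] = b"\x11\x22\x33"
SUSPECT += b"\xAA\xBB\xCC\xDD"
SUSPECT = bytes(SUSPECT)

if __name__ == "__main__":
    print("\n".join(fc_report("clean.exe", CLEAN, "suspect.exe", SUSPECT)))
    # Same bytes with different timestamps: FC sees no difference.
    print("\n".join(fc_report("market~1.zip", CLEAN, "market~2.zip", CLEAN)))
```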
Next we will spend a bit of time learning about our file system and where things tend to be stored. Windows tucks things everywhere, in temp and cache directories, and we have already mentioned your profile. In this next section of the course I want to sensitize you to two things: ways you can audit Windows 9x systems, but also the kinds of information others can get from your system, should the physical security ever be breached.
The screenshot on this page was created by selecting a file with Windows Explorer, clicking with the right mouse button, and then selecting Properties. In a FAT and FAT32 directory listing the DOS attributes are listed; the four FAT attributes are:
- Read-only
- Hidden
- System
- Archive
Since most of your interaction with your file system in Windows will be with the Windows Explorer, we want to make sure we configure our Explorer so that it gives us the information we need to understand and audit our systems effectively. On your next slide you see that there are options to the Explorer that allow us to see system files that are not normally shown, as well as the file attributes.
Windows Explorer View
Customize This Folder
From the screen shot above, select the boxes "Show all files" and "Show file attributes in detail view". Then, when you have the view in Windows Explorer set to "Details", the file attributes will display in the rightmost column (to the right of each file listing). This means that you will not normally notice these, but you can drag and drop (or resize) the columns in Explorer to enable you to see the attributes. Anytime you are in the root of your disk, C:\, or in your Windows directory, C:\Windows, you should probably be aware of attributes and hidden files.

Note that not ALL versions of Explorer shipped with Windows 98 appear to have the capability to display file attributes, as shown adjacent to the lower arrow above.

CREDIT: SSA3_1. If you are taking this course for academic credit, email your instructor (or point of contact) a screen shot from Windows Explorer of a file with all four attributes set. If you have done backups recently and the archive bit is not set, that is fine as well. You can send a screen shot with RSH (Read-only, System, Hidden) showing.

See note above. If you can't get the attributes to show in a column in Windows Explorer, select a file, right click on Properties, and take a screen shot of the result.
FAT and FAT32 File System
• FAT16: 65,535 maximum clusters. This was the DOS and Windows 95 file system.
• FAT32 was introduced in Windows 95 OSR2 and used in Windows 98.
• Directory records are used to store the names of files and directories contained in a directory.

One tool to help us understand how the hard disk is organized is FDISK. This is run from the Windows Command Prompt. Type FDISK with no options and we see:

    Your computer has a disk larger than 512 MB. This version of
    Windows includes improved support for large disks, resulting in
    more efficient use of disk space on large drives, and allowing
    disks over 2 GB to be formatted as a single drive.

    IMPORTANT: If you enable large disk support and create any new
    drives on this disk, you will not be able to access the new
    drive(s) using other operating systems, including some versions of
    Windows 95 and Windows NT, as well as earlier versions of Windows
    and MS-DOS. In addition, disk utilities that were not designed
    explicitly for the FAT32 file system will not be able to work with
    this disk. If you need to access this disk with other operating
    systems or older disk utilities, do not enable large drive support.

Since FAT16 uses clusters to allocate files, with a 2^16 address size, it uses fairly large clusters. With FAT32's larger address space, clusters can be smaller and therefore the disk is better utilized.
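To put numbers on that, an added worked example (not from the course notes): it computes the FAT16 cluster size a volume of a given size is forced into, the cluster count of the 4126 MB FAT32 laptop drive from the FDISK slide, and the slack each scheme leaves in a file's last cluster. It assumes 512-byte sectors, power-of-two clusters, and the 65,535-cluster FAT16 ceiling quoted on the slide.

```python
# Added worked example, not from the course notes.  Assumptions: 512-byte
# sectors, clusters are a power-of-two number of sectors, and the FAT16 ceiling
# is the 65,535 clusters quoted on the slide (the usable count is a bit lower).
SECTOR = 512
FAT16_MAX_CLUSTERS = 65_535
FAT16_MAX_SPC = 64          # 64 sectors = 32 KB, the largest FAT16 cluster

def volume_sectors(volume_mb):
    return volume_mb * 1024 * 1024 // SECTOR

def fat16_cluster_bytes(volume_mb):
    """Smallest cluster size whose cluster count fits FAT16's 16-bit space."""
    spc = 1
    while volume_sectors(volume_mb) // spc > FAT16_MAX_CLUSTERS:
        spc *= 2
        if spc > FAT16_MAX_SPC:
            raise ValueError(f"{volume_mb} MB exceeds what FAT16 can address")
    return spc * SECTOR

def cluster_count(volume_mb, spc):
    """How many clusters a volume has at spc sectors per cluster."""
    return volume_sectors(volume_mb) // spc

def slack_bytes(file_size, cluster_bytes):
    """Allocated-but-unused bytes in a file's last cluster (0 for an empty file)."""
    return 0 if file_size == 0 else (-file_size) % cluster_bytes

def utilisation(file_sizes, cluster_bytes):
    """Share of allocated space that actually holds file data."""
    used = sum(file_sizes)
    wasted = sum(slack_bytes(s, cluster_bytes) for s in file_sizes)
    return used / (used + wasted)

if __name__ == "__main__":
    # A 2,000 MB FAT16 volume needs 32 KB clusters; the 4,126 MB FAT32 laptop
    # drive from the FDISK slide uses 8 sectors (4 KB) per cluster.
    fat16 = fat16_cluster_bytes(2000)
    fat32 = 8 * SECTOR
    print("FAT16 cluster:", fat16, "FAT32 cluster:", fat32,
          "FAT32 clusters on 4126 MB:", cluster_count(4126, 8))
    # The 593,208-byte zip from the FC slide plus a few small files.
    sizes = [593_208, 1_200, 80_000, 100]
    for name, cb in (("FAT16", fat16), ("FAT32", fat32)):
        print(name, "slack for the zip:", slack_bytes(593_208, cb),
              "utilisation: %.1f%%" % (100 * utilisation(sizes, cb)))
```

The slack figure is also the size of the hiding place a disk editor has past end-of-file, which matters again in the data-hiding review later in this section.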
    Current fixed disk drive: 1

    Choose one of the following:

    1. Create DOS partition or Logical DOS Drive
    2. Set active partition
    3. Delete partition or Logical DOS Drive
    4. Display partition information

The FDISK slide shows the menu, and the results of running FDISK on my laptop are shown below. You see I only have one partition, and so of course it is active. Creating a second partition can be one way of hiding data on a computer. You can do this trivially so that it will not show up unless you run a tool like FDISK. If you like living dangerously you can create the partition, write the data, and then delete the partition. According to security researcher Bill Cheswick, he ran into this and so developed a tool for UNIX that did a raw disk read regardless of partition information.

    Display Partition Information

    Current fixed disk drive: 1

    Partition  Status  Type  Volume Label  Mbytes  System  Usage

    Total disk space is 4126 Mbytes (1 Mbyte = 1048576 bytes)
This slide shows further information about the hard drive on my laptop. You can see it is a FAT32 system and the cluster size is 8 sectors. This is a common value for Windows 98 systems.

Notice that it says there are two FATs. These are mirrored, and this is true for both FAT and FAT32 file systems. If there is a problem with the primary, the file system driver will complain and the system attempts to read from the secondary. If this happens, immediately begin to recover your most important data, and then reformat the drive when the backup is complete.

Also, notice the "hidden sectors." This is commonly 32 sectors on disks with a single partition and refers to the space between the physical beginning of the disk and the beginning of the first partition.

Next we will look at the attributes of a given Windows 9x file. Recall that in the last section we learned about one file attribute, the hidden file attribute, using the ATTRIB command.
C:\Temp
Let's take a minute and review everything we have learned about hiding data. Someone can mark a file as hidden. Or give it a reasonable sounding name in a crowded directory. Or give it a misleading extension, calling a jpg an exe or whatever. With a disk editor, they can add data after the end of file in a cluster. Malicious code can intercept reads to the disk and redirect the read to a new location. With a partition editor, one can create a partition in which to place data that is not accessible by typical commands and operating system utilities. While the partition may display using fdisk, the data is not readily accessible. With steganographic tools, you can hide a file inside of another file. Whew! That is a lot! And then we need to realize that Windows is a bit complex, and files don't even have to be hidden if we don't know what to look for. This screen shot shows the C:\Temp directory, and Windows crams a lot of stuff there. Another location is C:\Windows. There are a number of directories here: your profile, another temp, temporary internet files, html, and of course there is the recycle bin on the desktop. If you ever have to audit a Windows 9x system to determine what someone has been doing, odds are there is data to find.
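An added example, not from the course notes, that turns three of those tricks into an audit check: it decodes a 32-byte FAT directory entry, flags hidden or system attributes, compares the extension with the file's leading bytes, and looks for non-zero data in the slack after end-of-file. The entry, the file bytes and the small magic-number table are constructed; the 4096-byte cluster matches the 8-sector clusters on the laptop in the FDISK slide.

```python
# Added example, not from the course notes: audit one FAT directory entry and
# its raw cluster bytes.  The entry, the file bytes and the MAGIC table below
# are constructed; cluster size 4096 = 8 sectors of 512 bytes.
import struct

ATTR_BITS = {0x01: "R", 0x02: "H", 0x04: "S", 0x08: "V", 0x10: "D", 0x20: "A"}
# Leading bytes that identify a few common types (minimal table).
MAGIC = {"JPG": b"\xFF\xD8\xFF", "EXE": b"MZ", "ZIP": b"PK\x03\x04", "GIF": b"GIF8"}
ENTRY_FMT = "<8s3sB14xHI"   # name, ext, attr, (times/dates skipped), 1st cluster lo, size

def parse_dir_entry(entry):
    """Decode a classic 32-byte FAT 8.3 directory entry."""
    name, ext, attr, first_lo, size = struct.unpack(ENTRY_FMT, entry)
    return {"name": name.decode("ascii").rstrip(),
            "ext": ext.decode("ascii").rstrip(),
            "attrs": "".join(c for bit, c in ATTR_BITS.items() if attr & bit),
            "first_cluster": first_lo, "size": size}

def make_entry(name, ext, attr, size, first_cluster=2):
    """Build a constructed directory entry for the sample below."""
    return struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, first_cluster, size)

def audit_file(entry, data, cluster_bytes=4096):
    """Return (decoded entry, list of findings) for an entry and its clusters."""
    e, findings = parse_dir_entry(entry), []
    if "H" in e["attrs"] or "S" in e["attrs"]:
        findings.append(f"attributes {e['attrs']}: not shown by a normal listing")
    expected = MAGIC.get(e["ext"])
    if expected and not data.startswith(expected):
        actual = next((t for t, sig in MAGIC.items() if data.startswith(sig)), "unknown")
        findings.append(f"extension {e['ext']} but content looks like {actual}")
    # Slack: bytes of the last cluster past the recorded size.  A disk editor can
    # park data there; a normal read stops at the size field and never sees it.
    allocated = -(-e["size"] // cluster_bytes) * cluster_bytes
    slack = data[e["size"]:allocated]
    nonzero = len(slack) - slack.count(0)
    if nonzero:
        findings.append(f"{nonzero} non-zero bytes in {len(slack)} bytes of slack")
    return e, findings

# Constructed sample: PHOTO.JPG marked hidden+system+archive, 1,500 bytes that
# really start with an MZ (executable) header, and a note written into the slack.
CONTENT = b"MZ" + bytes(1498)
CLUSTER_DATA = CONTENT + b"parked in slack".ljust(4096 - len(CONTENT), b"\x00")
ENTRY = make_entry("PHOTO", "JPG", 0x02 | 0x04 | 0x20, len(CONTENT))

if __name__ == "__main__":
    info, notes = audit_file(ENTRY, CLUSTER_DATA)
    print(info["name"] + "." + info["ext"], info["attrs"], info["size"])
    for n in notes:
        print(" -", n)
```

The check reads only what the directory entry and the cluster already contain, so it works equally on a cluster pulled from a binary backup rather than the live disk.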
Tweak UI is a wonderful application. It comes on your CDROM, in the reskit tools directory. You'll need to install it manually after you install the OS. For the screen shot shown, on the far right is the Paranoia mode. This makes bootup just a bit longer, since it erases audit traces from your last login. From the screen shot above, you can see that the various selections clear or erase the indicated histories that were left behind by the previous user. These histories or audit trails can be valuable in identifying and recreating suspected security violations. Tools like these help you understand why, if you ever seize a computer, you must make every effort to produce the best backup you can before you turn the system off. If the system is already off, the best thing to do is pull the disk drive and make a copy of it. If you can't do that, you need to boot the computer from your own bootable disk and make the backup.

Windows has its own cleanup utility in Start, Programs, Accessories, System Tools, Cleanup. This will remove a large number of the tracks a system leaves and will free up disk space.

Again, this part of the course has two messages. One is where to find data; I hope that you will take the time to dig around your filesystem and see what is there. The second message is for you to understand how much information about you is on your system in the event someone accesses your computer.
Now Select the Working Backup
I don't know if you have ever seen a forensic tool in action or know what is possible with one. The next four slides or so will give you an overview of some typical forensic capabilities. I will take you on a tour of an investigative tool used to search a suspect drive. It can't find things any better than debug, Norton Utilities or any disk editor, but it has some time saving features for the investigator.

Before we begin the overview, let's quickly review some forensic 'ground rules'. They are a lot like what you see on TV or in the movies, where the investigator puts up a tape to keep observers from damaging the scene. We need to analyze the data in such a way that we do not change it, and we need to be able to show that we have a process to protect the data - a chain of custody.

In this case, the evidence in question is a floppy disk that was found in the suspect's desk drawer. We should do a binary backup first, using a tool like Safeback or Ghost, and then work from the backup.
Remember Chain of Custody
We will use the exclusive lock, so that a process on our system doesn't muck with our data. This is where a tape recorder can be very useful in noting what you did, how and when you did it, and in what order. It provides great information to supplement the data you collect on magnetic media. Mention on the recorder that you are selecting exclusive lock.

[Editor's note: Chain of custody is a set of processes with a single goal: to ensure that any evidence used in a court or internal Human Resources hearing can be proven not to have been tampered with. In general, chain of custody involves describing the crime scene accurately and using approved steps to collect evidence. This slide shows such a step: by locking the volume, no other process should be able to write to it, preventing contamination of the evidence. Finally, the evidence must be stored in a tamper-proof manner.]