Secure System Administration - SANS GIAC © 2000, 2001
Information System Security
The Big Picture Approach to Computer Systems Security
Welcome to the second series of your KickStart courses. This course is part of a series of courses
intended for system administrators who are new to the world of information assurance and system
security. The next set of courses will be different from your first set. We will be focusing on
computer systems and operating system commands, so this will be more pragmatic.
The approach to the slides is also a bit different. We hope that you will try a number of these
commands yourself. Finally, there is information both in the slides and in the notes that is testable.
So, please pay close attention as we work through the material.
We are going to discuss Windows 98, Windows NT, Windows 2000, and UNIX/Linux. For each
operating system, you will learn how it works; terminology; some basic commands; the fundamental
security issues; and how to compensate for threats. This course is intended for an audience that
wants to build a solid foundation with basic concepts in information assurance, but needs to build
experience. If you are a new system administrator, or perhaps you have been recently dubbed the
security officer for your organization, this course is for you.
Let’s get started. We will first do a short section to cover general concepts. Please pay attention
though – there is a quiz at the end. You are encouraged to try every tool and command that you
learn – except the ones that are marked as dangerous!
Purpose and Goal
You are going to learn how to search for clues on computer
systems. We will cover the foundational principles,
terminology, threats and countermeasures for four widely
deployed computer systems: Windows 98, Windows NT,
Windows 2000 and Unix/Linux. The focus is to help you:
• Understand your system
• Perform basic forensics (find and preserve evidence)
Plan on getting access to a Windows and a Unix system and
following along with the exercises. You will need these
systems as you progress in your training anyway.
This course will be pragmatic. We will learn how to do things. You will learn over 75 operating
system commands and information gathering tools. We will also cover some essential theory and
terminology, the concepts behind information systems, so we will be able to know how to interpret
what the tool is telling us.
The course structure is designed to build on the sections that go before. For instance, when we cover
Windows 2000, we will not repeat information about the FAT file system or operating system
commands that are the same on Windows 98 or NT. You will have already learned those. When you
learn about a tool, it is strongly recommended that you try the exercises yourself.
To get the most out of this course, you need to have access to a Windows system and a Unix system.
We intend for you to try the examples. Make a good backup of your computer, get someone to help
you if need be, and go buy the latest Red Hat Linux and install it.
“Day 2” Agenda
• How Computers Work
• Backups, Hidden Data
• Windows 98
• Windows NT
• Windows 2000
• Unix/Linux
• Security Forensics and OS Commands
Well, let’s get to work. On this slide you see the areas we will cover: some general information, and
then into the operating system specifics. This is a great moment to let you know just how similar the
Windows operating systems are. There are differences, but if you scan one of these systems with the
famous network scanner nmap, it has a really hard time telling them apart; the network stacks are
just about the same, though it can distinguish Windows 2000. Most of the commands we use for
Windows 98 will work fine on Windows 2000. Win2K is an advanced operating system and so there
are differences, primarily the Active Directory. Even so, it is important to remember that Windows
2000 is a marketing term; it really was NT 5.0 and followed NT 4.0.
One of the goals of this course is to help you to be familiar with both Windows and Unix. These are
common operating systems and there is a really good chance you will need to have a basic
understanding of both.
How Computers Work
• Dr Watson
• hdparm
• fdisk
In this first section of the course, we are going to get our feet wet and understand how computer
systems work. Again, don’t expect much theory; we will mention a concept and then try to equip
you to see how the concept works on Windows and Unix systems. We can’t cover everything of
course; the boot sequence for Windows NT would take 10 – 12 slides alone.
The important thing though, is for you to actually try these exercises. Don’t just be passive, get in
the game; if the course talks about ls –l /dev or running Dr Watson, get to it. Learn how your
system works.
My friend Mary Walker from Motorola was giving a presentation at a DARPA-funded meeting on
intrusion detection once and someone asked a really hard question. She shrugged her shoulders and
held out her hands palm up and said, “That one deserves the Motorola salute!” Bad things happen to
perfectly nice operating systems. If you work to master these concepts and tools, perhaps you can be
part of the solution instead of just giving the shrug salute!
The Beginning
• When you power a computer on:
– The disk spins up
– The system begins a boot sequence taking its directions from a read only memory chip with a
simple basic input output system called a ROM BIOS
– Most modern operating systems allow the ROM BIOS to be password protected
– The system begins to read specific tailored operating system information from the disk
The more you understand the boot sequence of a system, the more of a miracle it is that it is possible
to boot at all. First, at power up, the computer uses an onboard ROM BIOS to find its disk drives,
count and test memory, and search for hardware such as a mouse and keyboard. Then it will search
for further boot instructions on a disk. The computer doesn’t have much software loaded, so the
expectation is to find a specially formatted disk area just for bootup support.
On Windows systems, the first three bytes of the bootup part of the file system contain the address to
jump to that contains the actual bootstrap code. We still jump to something simple, called a
bootstrap loader, which teaches the system just enough to be ready for the secondary bootstrap
loader. The secondary bootstrap loader is actually what does the heavy lifting. Windows 9x
systems call this file IO.SYS, whereas NT and 2000 call it NTLDR. This is such a touchy operation
that attack code which harms the boot area can cause a great deal of damage.
Bootstrap Illustrated
Graphic Courtesy National White Collar Crime Center.
When you turn on the computer, the power supply “awakens”, the CPU registers are cleared, and a
special register called the program counter is set (on PCs) to F000 – the address of the system's
BIOS (Basic Input Output System).
Next, BIOS runs a system check called POST or Power On Self Test.
Bootstrap Illustrated(2)
Graphic Courtesy National White Collar Crime Center.
As part of POST's system checks, it probes for devices – network cards, parallel port devices
including printers, etc. – by sending signals over the system bus to ensure it can communicate with
the devices that are present.
Then tests are done on the system timer and video devices. Next, RAM (Random Access Memory)
and the keyboard are checked for and tested.
Graphic Courtesy National White Collar Crime Center Used by permission.
Bootstrap Illustrated(3)
Graphic Courtesy National White Collar Crime Center.
Finally, disk drives are checked. The findings of the POST program are compared to settings saved
in a special chip called the CMOS (Complementary Metal Oxide Semiconductor). Any changes to
system configuration must be updated on the CMOS chip. Information stored by the CMOS chip
includes the hard disk type, time and date, memory/cache preferences, power-on password and
disk/CDROM boot-time search sequence. Although this is the process for a PC, the boot up
sequence is similar for most computers.
At this point we are finally ready to load information from the disk to boot the operating system.
Booting the OS
Graphic Courtesy National White Collar Crime Center.
When booting the operating system, the CPU reads information in the Master Boot Record – this is
always located at Cylinder 0 Head 0 Sector 0, AKA the first sector. The Master Boot Record (or
Master Boot Block, as it is sometimes referred to) contains the location of the boot record. The boot
program, in turn, loads IO.SYS, CONFIG.SYS, MSDOS.SYS, COMMAND.COM, and
AUTOEXEC.BAT. If you are able to pause your audio, please take a second and run your Windows
Explorer and look at your C:\ drive; you should see many of these files there if your system boots
from C. On UNIX platforms it would proceed with loading the kernel.
Graphic Courtesy National White Collar Crime Center Used by permission.
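As an added example (not part of the course material), the following Python reads a master boot record the way a forensic triage script would: it reports the first three bytes the notes describe, checks the 0x55AA boot signature, decodes the four 16-byte partition entries that start at offset 446, cross-checks each entry's packed CHS start against its LBA start, and hashes the boot-code region so a later read of the same sector can be compared with a saved baseline. The 512-byte sector here is constructed for illustration, and the 255-head, 63-sectors-per-track geometry used for the CHS-to-LBA conversion is an assumption; on a real machine the sector would be read from the raw device, which needs administrator or root rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): a jump-style stub padded
    with NOPs, one bootable FAT16 entry, three empty entries, and the signature."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * 443
    # status 0x80 = bootable; CHS start head 1, sector 1, cylinder 0; type 0x06 = FAT16;
    # CHS end head 254, sector 63, cylinder 1023; LBA start 63; 2,097,152 sectors (1 GiB)
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2097152)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def decode_chs(raw: bytes) -> tuple:
    """Unpack the 3-byte packed CHS field: head, 6-bit sector plus 2 high cylinder bits, low cylinder byte."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def chs_to_lba(cylinder: int, head: int, sector: int, heads: int = 255, sectors_per_track: int = 63) -> int:
    """Assumed legacy geometry (255 heads, 63 sectors per track); CHS sectors are numbered from 1."""
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * index
        entry = mbr[start:start + 16]
        if entry[4] == 0:
            continue                                  # type 0 marks an unused slot
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        c, h, s = decode_chs(entry[1:4])
        partitions.append({
            "index": index,
            "bootable": entry[0] == 0x80,
            "type": entry[4],
            "chs_start": (c, h, s),
            "lba_start": lba_start,
            "sectors": sector_count,
            "chs_matches_lba": chs_to_lba(c, h, s) == lba_start,
        })
    return {
        "first_bytes": mbr[:3].hex(),                 # the jump the notes describe
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "bootable_count": sum(p["bootable"] for p in partitions),
    }


def mbr_changed(baseline_sha256: str, mbr: bytes) -> bool:
    """Compare the boot-code region of a freshly read sector against a saved baseline digest."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest() != baseline_sha256


if __name__ == "__main__":
    report = parse_mbr(build_sample_mbr())
    print("first bytes:", report["first_bytes"], "signature ok:", report["signature_ok"])
    for p in report["partitions"]:
        print(p)
```

Keeping the boot-code digest from a known-good snapshot is the practical use: the notes above point out that code which damages the boot area does a great deal of harm, and a digest comparison is the cheapest way to notice that the area has been touched before the system fails to boot. A mismatch between an entry's CHS and LBA start fields, or more than one entry flagged bootable, is worth a second look for the same reason.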
Kernel
• All operating systems (OS) in this course support multiple privilege hardware levels
– Privilege restricts the instruction set that can be run by a running program, called a process
– User’s programs should not be able to modify page tables used to support virtual memory
management
The higher the privilege level a program runs at, the more harm it can potentially cause. In practice,
programs have been able to up their priority level with alarming ease. Privilege in this case is
hardware privilege, the ability to interface with processes at layer 2 of the OSI protocol stack or the
kernel of a program. This is much different from the operating system privileges that allow one to
perform tasks as Administrator or root. That said, attackers that succeed in getting access to
system privileges also succeed in obtaining access to the hardware privilege levels through programs
like device drivers.
In Unix, many networking applications, called daemons, run at the highest application privilege. If
they are compromised by a buffer overflow, then the attacker is able to run her own software at this
privilege level. What is a buffer overflow? It is when the program expects to read in a fixed amount
of data, but doesn’t do checking to make sure that is all that is read in. The data is crafted by the
attacker to be in two parts. Part one is the maximum length the program expected to read in; this is
usually just throwaway data. Part two is the section that is longer than the maximum expected and
is executable code, a program. This program will then run at the privilege level of the service that
read in the data. If you are old enough to remember drive-in movies, this is a little like sneaking your
friends in using the trunk of your car. The attendant doesn’t usually check for extra passengers.
Operating System
• Sits between the hardware and the applications that people interface with
• Has a privileged central program called a kernel
• Is (hopefully) the primary security layer for the computer system
• Well known examples include Windows 98, NT and 2000 as well as Unix and Linux
The original computers ran a single program that did everything. The development of an operating
system was one of the first steps in the evolution of computing.
When you use a computer, you generally want to run a program to accomplish a task. The
programmer should not have to be bothered with calls to manipulate hardware. This would slow
down application development and make all programs huge. These functions are then handled by
the operating system of the computer.
In our time together we are going to get a crash course in operating systems, especially the file
system component, and then tie that information to information system security. The goal is to help
you understand why attacks succeed and how they can be thwarted. We will also be true to the spirit
of this series and work to establish a solid foundation for the material you will learn in the future.
Operating System (2)
• Multi-user – more than one user can access
the computer at the same time
• Multitasking – each user can run multiple
applications
• Virtual Memory – disk space can be used to
effectively extend RAM memory, since it is
usually larger
• Pages are the fixed sized chunks read in and
out of virtual memory to RAM.
All of the systems we will discuss today are multi-user and multi-tasking, except Windows 98,
which is single user. All can use virtual memory. When you say it like that, it doesn’t sound all
that impressive. In the next slide, I want to introduce you to a tool that works on Windows 9x
systems called Dr Watson. There is a whole lot of tasking going on with even a Windows 98
system. On Unix systems you can type ps –ef (some Unix versions prefer ps –ax or that you do not
use a “-”, so you may have to experiment just a bit) or perhaps lsof to get the same type of
information as Dr Watson gives.
If you are streaming your audio, do not hit pause and try Dr Watson right now. You will get very
angry, but if you have downloaded your audio file by right clicking from the web page, you may
want to sing along with Stephen and run Dr Watson. If you don’t know how to find it, using your
Windows Explorer, click on your primary hard drive (usually c:\) and press CTRL-F and a Find
window will come up; enter drwatson.
WIN 98 Example
Slide callouts: “What tasks are running”; “Lists what runs at startup”.
Editor's note: On Windows NT 4.0 and Windows 2000, Dr Watson is a totally different program and
will report no errors found if there are no errors; select right mouse button to exit. On a Windows
95/98 box it is a powerful tool to understand your system.
Quick as a wink on a Win 9x, you should find Dr Watson. Before you click on the icon, take a look
at the icons on the bottom right of your screen (if this is where you keep your tool tray). Note the
icon on the far right. Go ahead and click on the Dr Watson icon in your find window; this program
is pretty safe. Hey, nothing happened! Not to worry, Dr Watson likes to start out on your tool tray;
look at the bottom right again. Click on it and hit open. The view that produced this slide is
Advanced. It would be a good idea to familiarize yourself with each of the tabs on the advanced
view. Three of them to note are system (basic general information about your operating system),
task, and startup.
In the system view, note that you have a swap file. This is an example of virtual memory. Please
note that you can save this system snapshot as either a Dr Watson log or a text file so you can
compare this snapshot with what you have later. Since we are going to run a number of utilities, this
is recommended. The system you troubleshoot may be your own. We could devote a significant
amount of time to discussing each of the tabs (under View -> Advanced View) as presented by Dr
Watson but really, this is something you should try on your own.
Slide: ps ax output, columns PID TTY STAT TIME COMMAND
This slide shows part of the report from running ps ax (ps for list processes, the “a” is for all and the
“x” is for executable) on a Linux system. The interesting thing about both of these traces, Dr
Watson and ps ax, is that as complex as they appear to be, both of these are off of systems that I am
the only user of. This is as simple as it gets.
The number on the left hand side is called the Process ID (PID) and in some sense is the address of
a running program. Also note in both of these traces, the Unix view of active processes on this slide
and the Windows view on the previous slide, we find the location of the program on the disk as
well. For instance, in the second from the bottom line, we see /usr/local/apache/bin/httpd, the
location for the Apache web server on this computer. This can come in very handy when
troubleshooting or auditing. There is something else that is important to note. In the second column
from the left, most of the processes have an “S.” This means they are swapped out or sleeping. They
are not running in RAM memory; they are in virtual memory on the disk in case they are needed.
Top (Unix Command)
6:59pm up 2 days, 10:52, 1 user, load average: 1.09, 1.31, 1.17
65 processes: 60 sleeping, 2 running, 1 zombie, 2 stopped
CPU states: 94.7% user, 5.2% system, 0.0% nice,
The Unix top command in this slide tells us even more about the Linux laptop. It has been running
for two days and the load average of 1.09 means it isn’t working very hard. Of 65 processes that
have been loaded (on the previous slide), most of them are sleeping. At this second, only two are
actually running and one of those is top.
You can tell we invested in this laptop. It has 128 Megabytes of Random Access Memory; 124316K
is used and 3572K is free. “free” is another command that you can use to give you this same
information, and the numbers don’t jump around every few seconds like they do with top.
Finally we see the swap information. On Unix, there is a special swap area of the disk called a
partition and it is designed to hold these sleeping processes. To go into any greater depth, we need
to take some time to discuss how a file system works.
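The notes recommend saving a snapshot so it can be compared with a later one. As an added example (not the course's own code), here is Python that does the comparison for the Unix side of the last two slides: it parses a listing laid out like the ps ax report (PID TTY STAT TIME COMMAND), classifies each process by the first letter of STAT (S sleeping, R running, Z zombie, T stopped, as ps(1) documents them), records the on-disk path of any program started by absolute path, reads the process-count and load-average lines from the top header, and reconciles the two views so that a count which disagrees between the two tools, or between two snapshots taken at different times, stands out. Both listings are constructed for illustration and follow the column layout of the Linux ps and top of that era.

```python
import re

# Constructed sample listings (not the course slides), laid out like Linux `ps ax` and `top`.
PS_AX_SAMPLE = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [3]
    2 ?        SW     0:00 [kflushd]
  314 ?        S      0:00 /usr/sbin/sshd
  402 ?        Z      0:00 [httpd] <defunct>
  415 ?        S      0:01 /usr/local/apache/bin/httpd
  416 ?        S      0:01 /usr/local/apache/bin/httpd
  501 tty1     T      0:00 vi notes.txt
  777 pts/0    R      0:00 ps ax
"""

TOP_HEADER_SAMPLE = """\
 6:59pm up 2 days, 10:52, 1 user, load average: 1.09, 1.31, 1.17
8 processes: 5 sleeping, 1 running, 1 zombie, 1 stopped
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
TOP_COUNTS = re.compile(r"(\d+) processes: (\d+) sleeping, (\d+) running, (\d+) zombie, (\d+) stopped")
TOP_LOAD = re.compile(r"load average: ([\d.]+), ([\d.]+), ([\d.]+)")

# First letter of STAT, per ps(1); D (uninterruptible sleep) is grouped with sleeping here.
STATE_NAMES = {"S": "sleeping", "D": "sleeping", "R": "running", "Z": "zombie", "T": "stopped"}


def parse_ps_ax(text: str) -> list:
    """One dict per process line; the header line does not start with a number and is skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, tty, stat, cpu_time, command = m.groups()
        procs.append({
            "pid": int(pid),
            "tty": tty,
            "stat": stat,
            "state": STATE_NAMES.get(stat[0], "other"),
            "command": command,
            # absolute path on disk, when the command line starts with one
            "path": command.split()[0] if command.startswith("/") else None,
        })
    return procs


def count_states(procs: list) -> dict:
    counts = {"sleeping": 0, "running": 0, "zombie": 0, "stopped": 0}
    for p in procs:
        if p["state"] in counts:
            counts[p["state"]] += 1
    return counts


def parse_top_header(text: str) -> dict:
    counts = TOP_COUNTS.search(text)
    load = TOP_LOAD.search(text)
    if not counts or not load:
        raise ValueError("unrecognised top header")
    total, sleeping, running, zombie, stopped = map(int, counts.groups())
    return {"total": total, "sleeping": sleeping, "running": running, "zombie": zombie,
            "stopped": stopped, "load": tuple(float(x) for x in load.groups())}


def reconcile(ps_text: str, top_text: str) -> dict:
    """Disagreements between the two views as {field: (ps_value, top_value)}; empty means they agree."""
    procs = parse_ps_ax(ps_text)
    top = parse_top_header(top_text)
    seen = {"total": len(procs), **count_states(procs)}
    return {k: (seen[k], top[k]) for k in seen if seen[k] != top[k]}


def programs_under(procs: list, prefix: str) -> list:
    """Processes whose on-disk program path starts with prefix, e.g. the Apache tree."""
    return [p for p in procs if p["path"] and p["path"].startswith(prefix)]


if __name__ == "__main__":
    procs = parse_ps_ax(PS_AX_SAMPLE)
    print(count_states(procs))
    print("apache:", [p["pid"] for p in programs_under(procs, "/usr/local/apache")])
    print("differences:", reconcile(PS_AX_SAMPLE, TOP_HEADER_SAMPLE))
```

The on-disk path is kept separately from the command line because, as the notes say, it is the path that matters when auditing: the same name can be started from two different directories, and a listing saved at install time makes that easy to spot later.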
File System Driver
• File System Driver provides the framework for
storing information on the disk and other
nonvolatile media (writable CDs and tapes)
• Driver must allow ability to create, modify,
and delete files
• Ability to reference both the physical name
and view as well as a logical name and view
The purpose of a file system (which includes the file system driver, hardware interface, logical
tables, and the disk itself) is to manage files.
The most well known file system is the DOS File Allocation Table or the FAT file system. FAT
shows which clusters have been allocated already and the ones that are available for use. Other well
known file systems include FAT32 and NTFS.
The FAT16 file system has a HUGE vulnerability and should never be used unless necessary (DOS
or Windows 95 first edition). Disk sectors occasionally fail. The location of the FAT is hardcoded
and cannot be changed. If that sector should fail, it is “game over” for the disk, and data recovery is
fairly difficult.
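To make concrete what "FAT shows which clusters have been allocated" means, and why a damaged table is so hard to recover from, the following Python (an added example, not from the course) builds a small constructed FAT16 table, walks a file's cluster chain by following the 16-bit entries, summarises free, bad and in-use clusters, and shows that a single overwritten entry leaves the chain unwalkable. The entry values (0x0000 free, 0xFFF7 bad, 0xFFF8 to 0xFFFF end of chain) are the FAT16 conventions; the table contents themselves are constructed.

```python
import struct

# FAT16 entry conventions: 16-bit little-endian values, one per cluster.
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8           # 0xFFF8..0xFFFF mark the last cluster of a file


def build_sample_fat16() -> bytes:
    """Constructed 16-entry table (illustration only, not read from a real volume).
    Clusters 0 and 1 are reserved. File A: 2 -> 3 -> 5 -> end. Cluster 4 is marked bad.
    File B: 6 -> 7 -> end. Clusters 8..15 are free."""
    entries = [0xFFF8, 0xFFFF,
               0x0003, 0x0005, FAT16_BAD, 0xFFFF,
               0x0007, 0xFFFF] + [FAT16_FREE] * 8
    return struct.pack("<16H", *entries)


def read_entry(fat: bytes, cluster: int) -> int:
    return struct.unpack_from("<H", fat, cluster * 2)[0]


def with_entry(fat: bytes, cluster: int, value: int) -> bytes:
    """Copy of the table with one entry overwritten (used to simulate a damaged sector)."""
    damaged = bytearray(fat)
    struct.pack_into("<H", damaged, cluster * 2, value)
    return bytes(damaged)


def walk_chain(fat: bytes, start: int) -> list:
    """Follow a file's cluster chain; refuses loops and chains that run into free or bad clusters."""
    total = len(fat) // 2
    chain, seen, current = [], set(), start
    while True:
        if current < 2 or current >= total:
            raise ValueError(f"cluster {current} is outside the table")
        if current in seen:
            raise ValueError(f"cluster chain loops back to {current}")
        seen.add(current)
        chain.append(current)
        nxt = read_entry(fat, current)
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == FAT16_FREE:
            raise ValueError(f"chain from {start} points at a free cluster after {current}")
        if nxt == FAT16_BAD:
            raise ValueError(f"chain from {start} points at a bad cluster after {current}")
        current = nxt


def allocation_summary(fat: bytes) -> dict:
    """What the table tells an administrator at a glance: free, bad, in-use clusters and chain ends."""
    counts = {"free": 0, "bad": 0, "in_use": 0, "chain_ends": 0}
    for cluster in range(2, len(fat) // 2):
        value = read_entry(fat, cluster)
        if value == FAT16_FREE:
            counts["free"] += 1
        elif value == FAT16_BAD:
            counts["bad"] += 1
        else:
            counts["in_use"] += 1
            if value >= FAT16_EOC_MIN:
                counts["chain_ends"] += 1
    return counts


if __name__ == "__main__":
    fat = build_sample_fat16()
    print(allocation_summary(fat))
    print("file A clusters:", walk_chain(fat, 2))
    try:
        walk_chain(with_entry(fat, 3, FAT16_FREE), 2)
    except ValueError as err:
        print("damaged table:", err)
```

The damaged-table case is the point of the passage above: the file's data clusters are still on the disk, but once the entry that links cluster 3 to cluster 5 is gone, nothing in the table says where the file continues, which is why recovery after a failed FAT sector comes down to guesswork over the raw clusters.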
There are techniques for disk mirroring; they are usually implemented on file systems more
advanced than FAT, such as NTFS. In the case of disk mirroring there are two approaches: one is to
always mirror, the other involves having spare drives, and then at the first sign of trouble the spare
drives are called into action. The second approach has been applied to RAID technology, which is
both discussed and defined in a coming slide.
Disk Drive Basics
Graphic Courtesy National White Collar Crime Center.
Let's take a few minutes to look "under the hood" of a disk drive as we define some of its physical
characteristics and the basic terminology we will use throughout the course.
Graphic Courtesy National White Collar Crime Center Used by permission.
Disk Drive Terminology
• Tracks
Graphic Courtesy National White Collar Crime Center.
Tracks are concentric rings that span the surface of each platter. Numbering starts with 0 at the
outermost point of the platter. Note that with the exception of single sided disks, each platter will
have 2 of each track, one per side. Sides are numbered 0 and 1.