Secure System Administration - SANS GIAC
© 2000, 2001
Windows 9x Security
For our third session of the second part of the course, we will focus on the Windows 95 and
Windows 98 operating systems. The examples are tested on Windows 98 since 95 systems are
starting to be retired. The most important thing to know about this flavor of Windows is there is no
file security. If you configure the system for multiple users and have a password screen at bootup,
anyone can hit cancel and still get in. If you use passwords and have two users, each can see all of
the other user’s files. There are exactly two ways to enforce security for Windows 9x, physical
security and encryption.
My laptop is protected by physical security. I travel a lot. I try to keep my laptop bag with me at all
times. Still there are times when I leave it in the hotel room and just hope. Security for most
Windows 9x users amounts to hope and nothing more. We will learn how to add a layer of security
in this section with better living through encryption. The focus of most of this course will be to show
you some of the clue-gathering tools you can use to see and understand what is going on with your
Windows 9x system. We will cover several new tools, discuss the file system a bit, and close with
encryption.
Windows 9x Tools
• System Configuration Editor
• Startup
• System File Checker
• File Compare
• File Attributes
The first section of this course will be to learn some new tools that give us information about our
system. Since everything we see will be inherited from startup, let's cover it at least from a high
level. After the Power On Self Test (POST) by the ROM BIOS, we go to the disk and the
secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database
called the registry is consulted for system information. Virtual Device Drivers (VxDs) come next,
followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your
system is configured for multiple users, this is the point where you log in and your personal password
file (\Windows\yourusername.pwl) is examined; if you have a user profile, it is loaded from the user
portion of the registry database (\Windows\Profiles\yourusername\user.dat). If you have never
looked at your profile, I highly recommend a tour. Finally, if your system.ini has the line
shell=Explorer.exe and you shut down cleanly, Windows Explorer will come up when you
reboot.
Before mucking with your startup, it is always a really good idea to back up your registry! On a
Windows 98 computer, I start SCANREGW with the RUN command: Start, Run, Scanregw. It will
then scan your registry and give you an opportunity to make a backup. Backups are stored in
\Windows\Sysbckup; the file names start with rb and they are .cab (compressed) files. The .cab
file contains a copy of user.dat, system.dat, win.ini, and system.ini from the
Windows\System directory. Note that scanregw will NOT back up the user.dat files for each
of the individual users. You will need to do this manually. If you goof up, SCANREGW can use these
files to restore the Registry should it become corrupted.
Now we are equipped to look at our startup. Start, Run, SYSEDIT will produce what you see on the
slide. This is just a notepad editor, but it makes it really easy to view or edit these startup files. You
should see the system.ini explorer entry we just mentioned. Your system may have
nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 like it
was for DOS, but you can use it to override the default behavior of IO.SYS. The reason you care is
that if you use a boot disk to analyze a machine, you would want to alter the PATH variable so
that the applications on your floppy or CD-ROM are executed before the ones on the suspect system's
hard drive. We see in the screen shot above that the operating system looks first in the DOS directory
of the C drive, then in the PGP directory under Program Files\Network Associates.
If you are prone to typos, then you might be better served by MSCONFIG, the System Configuration
Editor (available with Windows 98) as shown on this screen. You know the drill by now: Start, Run,
Msconfig. This is a GUI tool that does everything you can do with SYSEDIT and more.
It really is worth your time to become familiar with your startup for a number of reasons. Note on
the slide where it says Reminder and it is unchecked. A partially functional version of MS Money
was installed on this laptop. I never used it, nor will I; all accountants expect Quicken. Every time
this laptop booted, time was lost while a reminder file was loaded, and it cost memory as well. With
the Reminder box unchecked, the reminder file will not load. Microsoft products are fairly benign,
but malicious software will use either the Run or RunOnce registry entries to install themselves. If
you are familiar with what you expect to run, then you may be able to identify and eliminate
potentially destructive or abusive software. This is what the ILOVEYOU virus did: it set Internet
Explorer to run in order to go get the password sniffer.
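As an added illustration (not part of the course material), here is a small Python audit of the Run and RunOnce entries just described. It parses a REGEDIT4 export, the text format that regedit /e writes on Windows 9x, and compares each autostart entry against an allowlist of what the administrator expects to see, reporting names the baseline does not know and known names whose command line has changed. The export text and the baseline are constructed sample values, not taken from any real machine; the RunServices suffix is included because Windows 9x also starts programs from that key.

```python
import re

# Constructed REGEDIT4 export (the text format regedit /e writes on Windows 9x)
# standing in for the Run and RunOnce keys of a system under review.  The
# entries are sample values made up for this example, not from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"Reminder"="C:\\Program Files\\Microsoft Money\\reminder.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"wininit"="C:\\WINDOWS\\TEMP\\update.exe"
'''

# Assumed baseline: the autostart entries this administrator expects.  Anything
# absent from it, or whose command line has changed, is reported for review.
EXPECTED = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "TaskMonitor": r"C:\WINDOWS\taskmon.exe",
    "LoadPowerProfile": "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
}

AUTOSTART_SUFFIXES = ("\\RUN", "\\RUNONCE", "\\RUNSERVICES")   # Windows 9x autostart keys
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_regedit4(text: str) -> dict:
    """Parse a REGEDIT4 export into {key_path: {value_name: string_data}}.

    Only string values of the form "name"="data" are decoded, which is all
    the Run keys normally hold; the export doubles backslashes and escapes
    quotes, and both are undone here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_autostart(keys: dict, expected: dict):
    """Return (unexpected, changed) over every autostart key in the export.

    unexpected: (key, name, command) for names the baseline does not know.
    changed:    (key, name, command) for known names whose command differs."""
    unexpected, changed = [], []
    for path, values in keys.items():
        if not path.upper().endswith(AUTOSTART_SUFFIXES):
            continue
        key = path.rsplit("\\", 1)[-1]
        for name, cmd in values.items():
            if name not in expected:
                unexpected.append((key, name, cmd))
            elif expected[name] != cmd:
                changed.append((key, name, cmd))
    return unexpected, changed


if __name__ == "__main__":
    unexpected, changed = audit_autostart(parse_regedit4(SAMPLE_EXPORT), EXPECTED)
    for key, name, cmd in unexpected:
        print(f"UNEXPECTED  {key}\\{name} = {cmd}")
    for key, name, cmd in changed:
        print(f"CHANGED     {key}\\{name} = {cmd}")
```

On the constructed export, the audit flags the Reminder entry under Run and the wininit entry under RunOnce as unexpected; the baseline is the part that takes work, since it has to be recorded while the machine is known to be clean.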
As you install and uninstall software, there are times when the application software will come with
its own "enhanced" driver or operating system application. You may recall seeing a message from
your operating system warning that a system file was about to be overwritten by an older file than the
one you have. The logic is that the newer file must be better, and this makes a certain degree of sense.
In general, the worst offenders seem to be networking cards. If you plan to network your Windows
system, it can be worth your time to do a bit of Internet research first. This is especially true if you
are considering running multiple operating systems such as Linux and Windows.
The System File Checker will make an effort at checking all of your system files against a known
database (\Windows\Default.sfc). If it finds a file that it feels is the wrong one, you have the option
to reinstall from your factory CD. It takes anywhere from a couple of minutes to several minutes to
scan your system and can be a very prudent thing to do after installing software. The file we need to
run is msinfo32.exe. Get to it by clicking on Start, Programs, Accessories, System Tools,
System Information. The System File Checker is accessed from the Tools menu. Note that
msinfo32.exe is also available on Windows 95, but it doesn't have the System File Checker.
FC
MARKET~1 ZIP 593,208 03-04-00 9:19p marketing .zip
MARKET~2 ZIP 593,208 03-04-00 9:23p Marketing.zip
27 file(s) 4,401,366 bytes
12 dir(s) 2,005.71 MB free
C:\My Documents>fc /b market~1.zip market~2.zip
Comparing files marketing .zip and market~2.zip
FC: no differences encountered
This slide shows a tool called FC, for File Compare. When you get a complaint from your operating
system that you are about to overwrite a file, or if System File Checker is upset about a file, you might
want to check it out before making a decision.
Sometimes the file is actually the same, but the dates are different and this confuses Windows. FC
also has a binary compare mode, FC /B file1 file2, that can be useful when trying to really
dig into a file. If you have a suspected virus and a clean file from a backup, this can be a great way
to see a virus or other malicious code.
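An added example, not from the course, of what FC /B does under the hood: a byte-by-byte comparison that reports each differing offset in hexadecimal, the way FC /B prints it, and notes when one file is longer than the other. The two byte strings are constructed stand-ins for a clean backup and a suspect copy; real files would be compared by passing open(path, "rb").read() for each. A SHA-256 digest is included as a quick way to record exactly what was compared.

```python
import hashlib

# Constructed sample data: a "clean" copy from backup and a "suspect" copy
# with three bytes patched.  Real files would be read with open(path, "rb").
CLEAN = bytes(range(64)) * 2          # 128 bytes, values 0x00..0x3F twice
_patched = bytearray(CLEAN)
_patched[0x10], _patched[0x11], _patched[0x7F] = 0xEB, 0xFE, 0x90
SUSPECT = bytes(_patched)


def binary_compare(a: bytes, b: bytes, max_diffs: int = 1000):
    """Byte-by-byte compare in the spirit of FC /B.

    Returns (diffs, length_delta): diffs is a list of
    (offset, byte_in_a, byte_in_b) over the common length, capped at
    max_diffs; length_delta is len(a) - len(b), nonzero when one input
    has trailing data the other lacks."""
    diffs = []
    for off in range(min(len(a), len(b))):
        if a[off] != b[off]:
            diffs.append((off, a[off], b[off]))
            if len(diffs) >= max_diffs:
                break
    return diffs, len(a) - len(b)


def format_report(name_a: str, name_b: str, diffs, length_delta: int) -> str:
    """Render the result in FC /B's style: hex offset, then the byte from each file."""
    lines = [f"Comparing files {name_a} and {name_b}"]
    if not diffs and length_delta == 0:
        lines.append("FC: no differences encountered")
        return "\n".join(lines)
    lines += [f"{off:08X}: {x:02X} {y:02X}" for off, x, y in diffs]
    if length_delta > 0:
        lines.append(f"FC: {name_a} longer than {name_b}")
    elif length_delta < 0:
        lines.append(f"FC: {name_b} longer than {name_a}")
    return "\n".join(lines)


def digest(data: bytes) -> str:
    """SHA-256 of the data, a quick way to record exactly what was compared."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    diffs, delta = binary_compare(CLEAN, SUSPECT)
    print(format_report("clean.bin", "suspect.bin", diffs, delta))
    print(format_report("a.zip", "b.zip", *binary_compare(CLEAN, CLEAN)))
    print("clean  ", digest(CLEAN))
    print("suspect", digest(SUSPECT))
```

The offsets it reports are where to point a hex editor when, as the text suggests, you want to see exactly what changed between the backup and the suspect file.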
Next we will spend a bit of time learning about our file system and where things tend to be stored.
Windows tucks things everywhere, in temp and cache directories, and we have already mentioned
your profile. In this next section of the course I want to sensitize you to two things: ways you can
audit Windows 9x systems, but also to the kinds of information others can get from your system,
should the physical security ever be breached.
The screenshot on this page was created by selecting a file with Windows Explorer, clicking with
the right mouse button, and then selecting Properties. In a FAT and FAT32 directory listing the DOS
attributes are shown; the four FAT attributes are:
- Read-only
- Hidden
- System
- Archive
Since most of your interaction with your file system in Windows will be through Windows Explorer,
we want to make sure we configure Explorer so that it gives us the information we need to
understand and audit our systems effectively. On the next slide you see that there are options in
Explorer that allow us to see system files that are not normally shown, as well as the file attributes.
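Added example (not part of the course): a Python decoder for the 32-byte FAT short-name directory record, which is where the four attributes above live, together with the 8.3 name, first cluster, size and timestamp; it also covers the "directory records" bullet on the FAT slide later in this section. The sample directory is constructed in the block with a small encoder; it includes a file with all four attributes set, a directory, and a deleted entry (first name byte 0xE5), the kind of record an audit would want to notice because the file's data is still on disk.

```python
import struct
from datetime import datetime

# Attribute bits of a FAT directory record.  The first four are the ones
# Explorer shows (R, H, S, A); the other two mark volume labels and directories.
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x08, 0x10, 0x20
ATTR_LFN = 0x0F                  # long-file-name fragment, carries no attributes
ENTRY_FMT = "<11sBBBHHHHHHHI"    # 32-byte short-name record


def attr_string(attr: int) -> str:
    """Render the attribute byte the way Explorer's detail column does, e.g. 'RHSA'."""
    letters = [(ATTR_READ_ONLY, "R"), (ATTR_HIDDEN, "H"), (ATTR_SYSTEM, "S"), (ATTR_ARCHIVE, "A")]
    return "".join(ch for bit, ch in letters if attr & bit)


def fat_datetime(date: int, time: int):
    """Unpack the packed FAT date (years since 1980) and time (2-second resolution)."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None              # zero or corrupt timestamp


def parse_dir_entry(entry: bytes):
    """Decode one 32-byte record; None marks the end of the directory."""
    (raw, attr, _nt, _ct_tenth, _ctime, _cdate, _adate,
     hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, entry)
    if raw[0] == 0x00:
        return None
    if attr & ATTR_LFN == ATTR_LFN:
        return {"kind": "lfn"}
    deleted = raw[0] == 0xE5     # first name byte overwritten on delete; data is still on disk
    base = raw[:8].decode("latin-1").rstrip()
    ext = raw[8:].decode("latin-1").rstrip()
    if deleted:
        base = "?" + base[1:]
    return {"kind": "dir" if attr & ATTR_DIRECTORY else "file",
            "name": f"{base}.{ext}" if ext else base,
            "attrs": attr_string(attr), "deleted": deleted,
            "first_cluster": (hi << 16) | lo, "size": size,
            "modified": fat_datetime(wdate, wtime)}


def list_directory(data: bytes):
    """Walk a raw directory cluster and return the decoded short-name records."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        e = parse_dir_entry(data[off:off + 32])
        if e is None:
            break
        if e["kind"] != "lfn":
            entries.append(e)
    return entries


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int, when: datetime) -> bytes:
    """Encoder used only to build the constructed sample directory below."""
    raw = (name.ljust(8) + ext.ljust(3)).encode("latin-1")
    d = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    t = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    return struct.pack(ENTRY_FMT, raw, attr, 0, 0, t, d, d, cluster >> 16, t, d, cluster & 0xFFFF, size)


# Constructed sample directory (not a dump of any real disk).
SAMPLE_DIR = b"".join([
    make_entry("IO", "SYS", ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM, 2, 222390, datetime(1999, 4, 23, 22, 22, 0)),
    make_entry("MSDOS", "SYS", ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_ARCHIVE, 120, 1676, datetime(2000, 3, 4, 21, 19, 0)),
    make_entry("WINDOWS", "", ATTR_DIRECTORY, 3, 0, datetime(2000, 3, 4, 9, 0, 0)),
    make_entry("\xe5ECRET", "TXT", ATTR_ARCHIVE, 500, 4096, datetime(2000, 3, 4, 21, 23, 0)),
    b"\x00" * 32,
])

if __name__ == "__main__":
    for e in list_directory(SAMPLE_DIR):
        flag = " (deleted)" if e["deleted"] else ""
        print(f"{e['name']:<14}{e['attrs']:<5}{e['size']:>8}  {e['modified']}{flag}")
```

Explorer and DIR both skip deleted records and, by default, hidden and system ones; reading the directory cluster directly, as this decoder does, shows everything the record still holds.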
Windows Explorer
View
Customize This
Folder
From the screen shot above, select the boxes "Show all files" and "Show file attributes in detail view".
Then, when you have the view in Windows Explorer set to "Details", the file attributes will display in
the rightmost column (to the right of each file listing). This means that you will not normally notice
these, but you can drag and drop (or resize) the columns in Explorer to enable you to see the
attributes. Any time you are in the root of your disk C:\ or in your Windows directory
C:\Windows you should probably be aware of attributes and hidden files.
Note that not ALL versions of Explorer shipped with Windows 98 appear to have the capability to
display file attributes as shown adjacent to the lower arrow above.
CREDIT: SSA3_1. If you are taking this course for academic credit, email your instructor (or point
of contact) a screen shot from Windows Explorer of a file with all four attributes set. If you have
done backups recently and the archive bit is not set, that is fine as well. You can send a screen shot
with RSH (Read-only, System, Hidden) showing.
See the note above. If you can't get the attributes to show in a column in Windows Explorer, select a
file, right-click, choose Properties, and take a screen shot of the result.
FAT and FAT32 File System
• FAT is a 16-bit address table for 2^16 (65,535) maximum clusters. This was the DOS and Windows 95 file system
• FAT32 was introduced in Windows 95 OSR2 and used in Windows 98
• Directory records are used to store names of files and directories contained in a directory
One tool to help us understand how the hard disk is organized is FDISK. This is run from the
Windows Command Prompt. Type FDISK with no options and we see:
Your computer has a disk larger than 512 MB. This version of
Windows includes improved support for large disks, resulting in
more efficient use of disk space on large drives, and allowing
disks over 2 GB to be formatted as a single drive.
IMPORTANT: If you enable large disk support and create any new
drives on this disk, you will not be able to access the new
drive(s) using other operating systems, including some versions of
Windows 95 and Windows NT, as well as earlier versions of Windows
and MS-DOS. In addition, disk utilities that were not designed
explicitly for the FAT32 file system will not be able to work with
this disk. If you need to access this disk with other operating
systems or older disk utilities, do not enable large drive support.
Since FAT16 uses clusters to allocate files, with a 2^16 address size, it uses fairly large clusters.
With FAT32’s larger address space, clusters can be smaller and therefore the disk is better utilized.
FDISK
Microsoft Windows 98
Fixed Disk Setup Program
(C)Copyright Microsoft Corp. 1983 - 1998
FDISK Options
Current fixed disk drive: 1
Choose one of the following:
1. Create DOS partition or Logical DOS Drive
2. Set active partition
3. Delete partition or Logical DOS Drive
4. Display partition information
Enter choice: [4]
WARNING: You can really mess up your system messing with your partitions. At a minimum, have a
bootable floppy with fdisk on it in case you make a mistake.
The FDISK slide shows the menu, and the results of running FDISK on my laptop are shown below.
You see I only have one partition, so of course it is active. Creating a second partition can be one
way of hiding data on a computer. You can do this trivially, so that the data will not show up unless you run a
tool like FDISK. If you like living dangerously, you can create the partition, write the data, and then
delete the partition. According to security researcher Bill Cheswick, he ran into this and so
developed a tool for UNIX that did a raw disk read regardless of partition information.
Display Partition Information
Current fixed disk drive: 1
Partition Status Type Volume Label Mbytes System Usage
C: 1 A PRI DOS 4126 FAT32 100%
Total disk space is 4126 Mbytes (1 Mbyte = 1048576 bytes)
This slide shows further information about the hard drive on my laptop. You can see it is a FAT32
system and the cluster size is 8 sectors. This is a common value for Windows 98 systems.
Notice that it says there are two FATs. These are mirrored, and this is true for both FAT and FAT32
file systems. If there is a problem with the primary, the file system driver will complain and the
system attempts to read from the secondary. If this happens, immediately begin to recover your most
important data, and then reformat the drive when the backup is complete.
Also, notice the "hidden sectors." This is commonly 32 sectors on disks with a single partition
and refers to the space between the physical beginning of the disk and the beginning of the first partition.
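As an added example that is not from the course, here is a Python parser for the boot sector that records the values this slide discusses: bytes per sector, sectors per cluster, number of FAT copies and hidden sectors. It derives the FAT type by the cluster-count rule from Microsoft's FAT specification rather than trusting the label field, and it checks that the mirrored FAT copies agree, which is the condition the file system driver relies on when it falls back to the secondary. The boot sector and FAT region are constructed in the block from the slide's values (4126 MB, 8 sectors per cluster, 2 FATs, 32 hidden sectors); the image holds no file data.

```python
import struct

BPB_FMT = "<3s8sHBHBHHBHHHII"     # common BIOS Parameter Block, bytes 0..35
FAT32_EXT_FMT = "<IHHIHH"         # FAT32 extension, bytes 36..51


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB and derive the on-disk layout.

    The FAT type follows the rule in Microsoft's FAT specification: it is
    decided by the count of data clusters, not by the FilSysType label."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector (missing 55AA signature)")
    (_jmp, oem, bps, spc, rsvd, nfats, root_ent, tot16, _media,
     fatsz16, _spt, _heads, hidden, tot32) = struct.unpack_from(BPB_FMT, sector, 0)
    fatsz = fatsz16 or struct.unpack_from(FAT32_EXT_FMT, sector, 36)[0]
    total = tot16 or tot32
    root_dir_sectors = (root_ent * 32 + bps - 1) // bps      # 0 on FAT32
    first_data = rsvd + nfats * fatsz + root_dir_sectors
    clusters = (total - first_data) // spc
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {
        "oem": oem.decode("ascii", "replace").strip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_bytes": bps * spc,
        "reserved_sectors": rsvd, "fat_copies": nfats, "fat_sectors": fatsz,
        "hidden_sectors": hidden, "total_sectors": total, "clusters": clusters,
        "type": fat_type, "fat_starts": [rsvd + i * fatsz for i in range(nfats)],
        "first_data_sector": first_data,
    }


def compare_fat_copies(image: bytes, layout: dict) -> list:
    """Check every FAT copy against the primary.

    Returns [(copy_index, first_mismatch_offset), ...]; an empty list means
    the mirrors agree, which is what the driver assumes when it falls back."""
    bps = layout["bytes_per_sector"]
    size = layout["fat_sectors"] * bps
    starts = [s * bps for s in layout["fat_starts"]]
    primary = image[starts[0]:starts[0] + size]
    bad = []
    for idx, start in enumerate(starts[1:], start=1):
        copy = image[start:start + size]
        if copy != primary:
            n = min(len(primary), len(copy))
            off = next((i for i in range(n) if primary[i] != copy[i]), n)
            bad.append((idx, off))
    return bad


def build_sample_image() -> bytes:
    """Constructed FAT32 boot sector plus FAT region using the slide's values:
    4126 MB, 512-byte sectors, 8 sectors per cluster, 2 FATs, 32 hidden
    sectors.  No data clusters are included."""
    bps, spc, rsvd, nfats, hidden = 512, 8, 32, 2, 32
    total = 4126 * 2048                      # 4126 MiB expressed in 512-byte sectors
    fatsz = 8256                             # sectors per FAT copy (4-byte entries)
    sector = bytearray(512)
    struct.pack_into(BPB_FMT, sector, 0, b"\xeb\x58\x90", b"MSWIN4.1", bps, spc,
                     rsvd, nfats, 0, 0, 0xF8, 0, 63, 255, hidden, total)
    struct.pack_into(FAT32_EXT_FMT, sector, 36, fatsz, 0, 0, 2, 1, 6)
    sector[82:90] = b"FAT32   "
    sector[510:512] = b"\x55\xaa"
    fat = bytearray(fatsz * bps)
    fat[0:12] = b"\xf8\xff\xff\x0f\xff\xff\xff\xff\xff\xff\xff\x0f"  # media byte, EOC, root EOC
    image = bytearray(rsvd * bps) + fat + fat          # reserved area, FAT1, FAT2
    image[0:512] = sector
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    layout = parse_boot_sector(img[:512])
    for k, v in layout.items():
        print(f"{k:<20}{v}")
    print("FAT mirror mismatches:", compare_fat_copies(img, layout))
```

On a real drive the same parser would be fed the first 512 bytes of the partition, and compare_fat_copies the reserved-plus-FAT region that follows; a mismatch between the copies is the early warning the text describes, and the cue to start copying important data off before anything else.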
Next we will look at the attributes of a given Windows 9x file. Recall that in the last section we learned
about one file attribute, the hidden attribute, using the ATTRIB command.
C:\Temp
Let's take a minute and review everything we have learned about hiding data. Someone can mark a
file as hidden. Or give it a reasonable-sounding name in a crowded directory. Or give it a misleading
extension, calling a .jpg an .exe or whatever. With a disk editor, they can add data after the end of
the file in its last cluster. Malicious code can intercept reads to the disk and redirect the read to a new
location. With a partition editor, one can create a partition in which to place data that is not
accessible by typical commands and operating system utilities. While the partition may display using
fdisk, the data is not readily accessible. With steganographic tools, you can hide a file inside of
another file. Whew! That is a lot! And then we need to realize that Windows is a bit complex and
files don't even have to be hidden if we don't know what to look for. This screen shot shows the
C:\Temp directory, and Windows crams a lot of stuff there. Another location is C:\Windows. There
are a number of directories here: your profile, another temp, temporary internet files, html, and of
course there is the recycle bin on the desktop. If you ever have to audit a Windows 9x system to
determine what someone has been doing, odds are there is data to find.