
1
Secure System Administration - SANS GIAC
© 2000, 2001
Information System Security
The Big Picture Approach to
Computer Systems Security
Welcome to the second series of your KickStart courses. This course is part of a series of courses
intended for system administrators who are new to the world of information assurance and system
security. The next set of courses will be different from your first set. We will be focusing on
computer systems and operating system commands, so this will be more pragmatic.
The approach to the slides is also a bit different. We hope that you will try a number of these
commands yourself. Finally, there is information both in the slides and in the notes that is testable.
So, please pay close attention as we work through the material.
We are going to discuss Windows 98, Windows NT, Windows 2000, and UNIX/Linux. For each
operating system, you will learn how it works; terminology; some basic commands; the fundamental
security issues; and how to compensate for threats. This course is intended for an audience that
wants to build a solid foundation with basic concepts in information assurance, but needs to build
experience. If you are a new system administrator, or perhaps you have been recently dubbed the
security officer for your organization, this course is for you.
Let’s get started. We will first do a short section to cover general concepts. Please pay attention
though – there is a quiz at the end. You are encouraged to try every tool and command that you
learn – except the ones that are marked as dangerous!
2
Purpose and Goal
You are going to learn how to search for clues on computer
systems. We will cover the foundational principles,
terminology, threats and countermeasures for four widely
deployed computer systems: Windows 98, Windows NT,
Windows 2000 and Unix/Linux. The focus is to help you:
• Understand your system
• Perform basic forensics (find and preserve evidence)
Plan on getting access to a Windows and a Unix system and
following along with the exercises. You will need these
systems as you progress in your training anyway.
This course will be pragmatic. We will learn how to do things. You will learn over 75 operating
system commands and information gathering tools. We will also cover some essential theory and
terminology, the concepts behind information systems, so that we will know how to interpret what
a tool is telling us.
The course structure is designed to build on the sections that go before. For instance, when we cover
Windows 2000, we will not repeat information about the FAT file system or operating system
commands that are the same on Windows 98 or NT. You will have already learned those. When you
learn about a tool, it is strongly recommended that you try the exercises yourself.
To get the most out of this course, you need to have access to a Windows system and a Unix system.
We intend for you to try the examples. Make a good backup of your computer, get someone to help
you if need be, and go buy the latest Red Hat Linux and install it.
3
“Day 2” Agenda
• How Computers Work
• Backups, Hidden Data
• Windows 98
• Windows NT
• Windows 2000
• Unix/Linux
• Security Forensics and OS Commands

Well, let’s get to work. On this slide you see the areas we will cover: some general information, and
then the specifics of each operating system. This is a good moment to point out just how similar the
Windows operating systems are. There are differences, but if you scan one of these systems with the
famous network scanner nmap, it has a really hard time telling them apart, because the network stacks
are just about the same (it can distinguish Windows 2000, though). Most of the commands we use for
Windows 98 will work fine on Windows 2000. Win2K is an advanced operating system and so there
are differences, primarily the Active Directory. Even so, it is important to remember that Windows
2000 is a marketing term; it really was NT 5.0 and followed NT 4.0.
One of the goals of this course is to help you to be familiar with both Windows and Unix. These are
common operating systems and there is a really good chance you will need to have a basic
understanding of both.
4
How Computers Work
• Boot Sequence
  – Operating System
• File System Device Driver
• Disk Partitions
• ScanDisk
• Sectors, Clusters, Cylinders, and Disk Geometry
• Dr Watson
• hdparm
• fdisk
In this first section of the course, we are going to get our feet wet and understand how computer
systems work. Again, don’t expect much theory; we will mention a concept and then try to equip
you to see how the concept works on Windows and Unix systems. We can’t cover everything, of
course; the boot sequence for Windows NT alone would take 10 – 12 slides.
The important thing, though, is for you to actually try these exercises. Don’t just be passive; get in
the game. If the course talks about ls –l /dev or running Dr. Watson, get to it. Learn how your
system works.
My friend Mary Walker from Motorola was giving a presentation at a DARPA-funded meeting on
intrusion detection once and someone asked a really hard question. She shrugged her shoulders,
held out her hands palm up and said, “That one deserves the Motorola salute!” Bad things happen to
perfectly nice operating systems. If you work to master these concepts and tools, perhaps you can be
part of the solution instead of just giving the shrug salute!
5
The Beginning
• When you power a computer on:
– The disk spins up
– The system begins a boot sequence taking its
directions from a read only memory chip with a
simple basic input output system called a ROM
BIOS
– Most modern operating systems allow the ROM
BIOS to be password protected
– The system begins to read specific tailored
operating system information from the disk
The more you understand the boot sequence of a system, the more of a miracle it seems that it boots
at all. First, at power up, the computer uses an onboard ROM BIOS to find its disk drives, count
and test memory, and search for hardware such as a mouse and keyboard. Then it will search for
further boot instructions on a disk. The computer doesn’t have much software loaded yet, so the
expectation is to find a specially formatted disk area just for bootup support.
On Windows systems, the first three bytes of the bootup part of the file system contain the address to
jump to, which holds the actual bootstrap code. We still jump to something simple, called a
bootstrap loader, which teaches the system just enough to be ready for the secondary bootstrap
loader. The secondary bootstrap loader is what actually does the heavy lifting. Windows 9x
systems call this file IO.SYS, whereas NT and 2000 call it NTLDR. This is such a touchy operation
that attack code which damages the boot area can cause a great deal of harm.
6
Bootstrap Illustrated
Graphic Courtesy National White Collar Crime Center. Used by permission.
When you turn on the computer, the power supply “awakens”, the CPU registers are cleared, and a
special register called the program counter is set (on PCs) to F000, the address of the system’s
BIOS (Basic Input Output System).
Next, the BIOS runs a system check called POST, or Power On Self Test.
7
Bootstrap Illustrated (2)
Graphic Courtesy National White Collar Crime Center. Used by permission.
As part of its system checks, POST probes for devices (network cards, parallel port devices
including printers, etc.) by sending signals over the system bus to ensure it can communicate with the
devices that are present.
Then tests are done on the system timer and video devices. Next, RAM (Random Access Memory)
and the keyboard are checked for and tested.
8
Bootstrap Illustrated (3)
Graphic Courtesy National White Collar Crime Center. Used by permission.
Finally, disk drives are checked. The findings of the POST program are compared to settings saved
in a special chip called the CMOS (Complementary Metal Oxide Semiconductor). Any changes to
the system configuration must be updated on the CMOS chip. Information stored by the CMOS chip
includes the hard disk type, time and date, memory/cache preferences, power-on password and
disk/CDROM boot-time search sequence. Although this is the process for a PC, the boot up
sequence is similar for most computers.
At this point we are finally ready to load information from the disk to boot the operating system.
9
Booting the OS
Graphic Courtesy National White Collar Crime Center. Used by permission.
When booting the operating system, the CPU reads information in the Master Boot Record. This is
always located at Cylinder 0 Head 0 Sector 0, AKA the first sector. The Master Boot Record (or
Master Boot Block, as it is sometimes referred to) contains the location of the boot record. The boot
program, in turn, loads IO.SYS, CONFIG.SYS, MSDOS.SYS, COMMAND.COM, and
AUTOEXEC.BAT. If you are able to pause your audio, please take a second and run your Windows
Explorer and look at your C:\ drive; you should see many of these files there if your system boots
from C. On UNIX platforms it would proceed with loading the kernel.
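As an added example (not part of the course material, and not any vendor's code), here is a C parser for the 512-byte master boot record described on this slide, which also covers the jump-to-bootstrap note from "The Beginning" slide. The sector bytes are constructed inline so it runs offline; the offsets are the standard PC layout (bootstrap code, then four 16-byte partition entries at 0x1BE, then the 0x55 0xAA signature at 0x1FE). The function names and the sample partition values are my own assumptions for illustration.

```c
/* Added example, not from the SANS course: a parser for the 512-byte
 * master boot record. The sector is constructed below so the code runs
 * offline; offsets follow the standard PC layout. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE     512
#define BOOT_CODE_LEN   446      /* bytes before the partition table */
#define PART_TABLE_OFF  0x1BE    /* four 16-byte entries start here */
#define PART_ENTRY_LEN  16
#define SIG_OFF         0x1FE    /* 0x55 0xAA boot signature */

struct partition {
    uint8_t  active;     /* 0x80 marks the bootable entry */
    uint8_t  type;       /* partition type id, e.g. 0x07 for NTFS */
    uint32_t lba_start;  /* first sector, little-endian on disk */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed sample (assumed values): a short x86 jump over a data area,
 * one active NTFS-type partition starting at sector 63, 2048 sectors long. */
void build_sample_mbr(uint8_t sector[SECTOR_SIZE])
{
    uint8_t *e = sector + PART_TABLE_OFF;                 /* first table entry */
    memset(sector, 0, SECTOR_SIZE);
    sector[0] = 0xEB; sector[1] = 0x3C; sector[2] = 0x90; /* jmp short +0x3C ; nop */
    e[0] = 0x80;                                          /* active flag */
    e[4] = 0x07;                                          /* type: NTFS/HPFS */
    e[8]  = 63;   e[9]  = 0;    e[10] = 0; e[11] = 0;     /* LBA start = 63 */
    e[12] = 0x00; e[13] = 0x08; e[14] = 0; e[15] = 0;     /* 0x0800 = 2048 sectors */
    sector[SIG_OFF] = 0x55; sector[SIG_OFF + 1] = 0xAA;
}

/* The BIOS will not hand control to a sector without this signature. */
bool mbr_signature_ok(const uint8_t *s)
{
    return s[SIG_OFF] == 0x55 && s[SIG_OFF + 1] == 0xAA;
}

/* Decode a jump at offset 0: returns the offset the bootstrap code starts
 * at, or -1 when the sector does not begin with a jump (many MBRs start
 * straight with code; FAT and NTFS volume boot sectors do start with one). */
int mbr_jump_target(const uint8_t *s)
{
    if (s[0] == 0xEB)                      /* short jump, 8-bit signed displacement */
        return 2 + (int8_t)s[1];
    if (s[0] == 0xE9)                      /* near jump, 16-bit signed displacement */
        return 3 + (int16_t)(s[1] | (s[2] << 8));
    return -1;
}

/* Fill out[] with the non-empty partition entries; returns how many. */
int mbr_parse_partitions(const uint8_t *s, struct partition out[4])
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = s + PART_TABLE_OFF + i * PART_ENTRY_LEN;
        if (e[4] == 0)                     /* type 0 = unused slot */
            continue;
        out[n].active    = e[0];
        out[n].type      = e[4];
        out[n].lba_start = le32(e + 8);
        out[n].sectors   = le32(e + 12);
        n++;
    }
    return n;
}

/* Baseline check: has the bootstrap code changed since a saved copy? */
bool boot_code_changed(const uint8_t *baseline, const uint8_t *current)
{
    return memcmp(baseline, current, BOOT_CODE_LEN) != 0;
}
```

The defensive use is the last function: read the first sector once while the system is known good (on Linux, `dd if=/dev/sda bs=512 count=1` as root is a read-only way to capture it), keep that copy offline, and compare the boot code area periodically; a change there is exactly the boot-area tampering the notes warn about, and the signature and partition checks tell you whether what is left would still boot.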
10
Kernel
• All operating systems (OS) in this
course support multiple privilege
hardware levels
– Privilege restricts the instruction set that
can be run by a running program, called a
process
– User’s programs should not be able to
modify page tables used to support virtual
memory management
The higher the privilege level a program runs at, the more harm it can potentially cause. In practice,
programs have been able to raise their privilege level with alarming ease. Privilege in this case is
hardware privilege, the ability to interface with processes at layer 2 of the OSI protocol stack or the
kernel of a program. This is much different than the operating system privileges that allow one to
perform tasks as Administrator or root. That said, attackers that succeed in getting access to
system privileges also succeed in obtaining access to the hardware privilege levels through programs
like device drivers.
In Unix, many networking applications, called daemons, run at the highest application privilege. If
they are compromised by a buffer overflow, then the attacker is able to run her own software at this
privilege level. What is a buffer overflow? It is when the program expects to read in a fixed amount
of data, but doesn’t check to make sure that is all that is read in. The data is crafted by the
attacker in two parts. Part one is the maximum length the program expected to read in; this is
usually just throwaway data. Part two is the section that is longer than the maximum expected and
is executable code, a program. This program will then run at the privilege level of the service that
read in the data. If you are old enough to remember drive-in movies, this is a little like sneaking your
friends in using the trunk of your car. The attendant doesn’t usually check for extra passengers.
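To make the “doesn’t check how much it reads” defect concrete, here is an added C example (mine, not the course’s and not any real daemon’s code): a reader that trusts the sender’s length next to the bounded version a code review would ask for, plus a driver that feeds the two-part input shape described above to the bounded reader. The record size and the function names are assumptions for illustration; the filler bytes are constructed.

```c
/* Added example, not from the SANS course: the missing length check the
 * notes describe, beside the bounded reader that fixes it. The "service"
 * expects a record of at most RECORD_MAX bytes (an assumed size). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define RECORD_MAX 16            /* the fixed amount the program expects to read */

struct record {
    char   data[RECORD_MAX];
    size_t len;                  /* sits right after data[] in memory */
};

/* Defective reader: it trusts the sender's length and copies everything.
 * Bytes past RECORD_MAX land on whatever follows data[] in memory (here
 * r->len, then the rest of the caller's stack frame). Never call this
 * with untrusted input; it is here only to show the defect. */
void unsafe_read_record(struct record *r, const char *in, size_t in_len)
{
    memcpy(r->data, in, in_len);
    r->len = in_len;
}

/* Hardened reader: the length is validated before a single byte is copied,
 * and oversize input is rejected rather than silently truncated, so the
 * caller can log and drop the request. */
bool safe_read_record(struct record *r, const char *in, size_t in_len)
{
    if (in == NULL || in_len > RECORD_MAX)
        return false;
    memcpy(r->data, in, in_len);
    r->len = in_len;
    return true;
}

/* Feeds the two input shapes from the notes to the hardened reader: first
 * exactly the expected RECORD_MAX bytes, then the same filler with extra
 * bytes appended. Returns how many inputs were accepted. */
int demo_accepted_count(void)
{
    char part_one[RECORD_MAX];
    char two_part[RECORD_MAX + 8];
    struct record r;
    int accepted = 0;

    memset(part_one, 'A', sizeof part_one);        /* constructed throwaway filler */
    memset(two_part, 'A', RECORD_MAX);             /* constructed: the expected part ... */
    memset(two_part + RECORD_MAX, 'B', 8);         /* ... plus bytes nobody asked for */

    if (safe_read_record(&r, part_one, sizeof part_one))
        accepted++;
    if (safe_read_record(&r, two_part, sizeof two_part))
        accepted++;
    return accepted;                               /* 1: only the in-bounds record */
}
```

The design point is that the check happens on the length the caller supplies, before the copy, and that a rejected read leaves the record untouched; truncating silently would hide the fact that someone sent more than the protocol allows, which is exactly the event a defender wants logged.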
11
Operating System
• Sits between the hardware and the applications that people interface with. This is done with device drivers
• Has a privileged central program called a kernel
• Is (hopefully) the primary security layer for the computer system
• Well known examples include Windows 98, NT and 2000 as well as Unix and Linux
The original computers ran a single program that did everything. The development of an operating
system was one of the first steps in the evolution of computing.
When you use a computer, you generally want to run a program to accomplish a task. The
programmer should not have to be bothered with calls to manipulate hardware. This would slow
down application development and make all programs huge. These functions are then handled by
the operating system of the computer.
In our time together we are going to get a crash course in operating systems, especially the file
system component, and then tie that information to information system security. The goal is to help
you understand why attacks succeed and how they can be thwarted. We will also be true to the spirit
of this series and work to establish a solid foundation for the material you will learn in the future.
12
Operating System (2)
• Multi-user – more than one user can access the computer at the same time
• Multitasking – each user can run multiple applications
• Virtual Memory – disk space can be used to effectively extend RAM memory, since it is usually larger.
• Pages are the fixed-size chunks read in and out of virtual memory to RAM.
All of the systems we will discuss today are multi-user and multi-tasking, except Windows 98,
which is single user. All can use virtual memory. When you say it like that, it doesn’t sound all
that impressive. In the next slide, I want to introduce you to a tool that works on Windows 9x
systems called Dr Watson. There is a whole lot of tasking going on with even a Windows 98
system. On Unix systems you can type ps –ef (some Unix versions prefer ps –ax or that you do not
use a “-” so you may have to experiment just a bit) or perhaps lsof to get the same type of
information as Dr. Watson gives.
If you are streaming your audio, do not hit pause and try Dr Watson right now. You will get very
angry, but if you have downloaded your audio file by right clicking from the web page, you may
want to sing along with Stephen and run Dr Watson. If you don’t know how to find it, using your
Windows explorer, click on your primary hard drive (usually c:\) and press CTRL-F and a Find
window will come up, enter drwatson.
13
WIN 98 Example
(Screenshot callouts: what tasks are running; lists what runs at startup)
Editor’s note: On Windows NT 4.0 and Windows 2000, Dr. Watson is a totally different program and
will report no errors found if there are no errors; right-click to exit. On a Windows
95/98 box it is a powerful tool for understanding your system.
Quick as a wink on a Win 9x system, you should find Dr. Watson. Before you click on the icon, take a look
at the icons on the bottom right of your screen (if this is where you keep your tool tray). Note the
icon on the far right. Go ahead and click on the Dr. Watson icon in your find window; this program
is pretty safe. Hey, nothing happened! Not to worry, Dr. Watson likes to start out on your tool tray;
look at the bottom right again. Click on it and hit Open. The view that produced this slide is
Advanced. It would be a good idea to familiarize yourself with each of the tabs on the advanced
view. Three of them to note are System (basic general information about your operating system), Task,
and Startup.
In the System view, note that you have a swap file. This is an example of virtual memory. Please
note that you can save this system snapshot as either a Dr. Watson log or a text file so you can
compare this snapshot with what you have later. Since we are going to run a number of utilities, this
is recommended. The system you troubleshoot may be your own. We could devote a significant
amount of time to discussing each of the tabs (under View -> Advanced View) as presented by Dr.
Watson, but really, this is something you should try on your own.
14
Ps (Unix Command)
PID TTY STAT TIME COMMAND
1   ?   S    0:04 init [5]
2   ?   SW   0:00 [kflushd]
3   ?   SW   0:00 [kupdate]
4   ?   SW   0:00 [kpiod]
5   ?   SW   0:00 [kswapd]
6   ?   SW<  0:00 [mdrecoveryd]
247 ?   S    0:00 portmap
263 ?   S    0:00 /usr/sbin/apmd -p 10 -w 5 -W
316 ?   S    0:16 syslogd -m 0
327 ?   S    0:25 klogd
343 ?   S    0:00 /usr/sbin/atd
359 ?   S    0:00 crond
374 ?   S    0:00 /sbin/cardmgr
406 ?   S    0:00 inetd
428 ?   S    0:00 lpd
466 ?   S    0:00 sendmail: accepting connections on port 25
483 ?   S    0:00 gpm -t ps/2
500 ?   S    0:00 xfs -droppriv -daemon -port -1
536 ?   S    0:00 /usr/local/apache/bin/httpd
537 ?   S    0:00 sh /usr/local/bin/safe_mysqld
This slide shows part of the report from running ps ax (ps for list processes, the “a” is for all and the
“x” is for executable) on a Linux system. The interesting thing about both of these traces, Dr.
Watson and ps ax, is that as complex as they appear to be, both are from systems of which I am
the only user. This is as simple as it gets.
The number on the left hand side is called the Process ID (PID) and in some sense is the address of
a running program. Also note that in both of these traces, the Unix view of active processes on this slide
and the Windows view on the previous slide, we also find the location of the program on the disk.
For instance, in the second line from the bottom, we see /usr/local/apache/bin/httpd, the
location of the Apache web server on this computer. This can come in very handy when
troubleshooting or auditing. There is something else that is important to note. In the second column
from the left, most of the processes have an “S.” This means they are swapped out or sleeping. They
are not running in RAM memory; they are in virtual memory on the disk in case they are needed.
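An added example, not from the course: a C parser for the ps listing on this slide, with a subset of the slide’s own lines embedded as sample input. The function names are mine. It counts processes by STAT flag and returns the command column for a given PID. Two caveats a practitioner would want alongside it: per the Linux ps man page, the first STAT letter is the process state (S is an interruptible sleep, R is running) and the W flag on the kernel threads above marked a process with no pages resident in memory; and the command column shows a disk path only when the program was started with one (it is the process’s argv), so on Linux `/proc/<pid>/exe` is the authoritative place to find where a running binary actually lives.

```c
/* Added example, not part of the course: a parser for "ps ax" output.
 * The sample lines are copied from the slide so the code runs offline. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 32

struct proc {
    int  pid;
    char tty[8];
    char stat[8];        /* e.g. "S", "SW<" */
    char time[16];
    char command[128];   /* rest of the line; may contain spaces */
};

/* Sample input: a subset of the lines from the slide's ps ax listing. */
static const char *const SAMPLE_PS[] = {
    "1 ? S 0:04 init [5]",
    "2 ? SW 0:00 [kflushd]",
    "5 ? SW 0:00 [kswapd]",
    "6 ? SW< 0:00 [mdrecoveryd]",
    "316 ? S 0:16 syslogd -m 0",
    "406 ? S 0:00 inetd",
    "466 ? S 0:00 sendmail: accepting connections on port 25",
    "500 ? S 0:00 xfs -droppriv -daemon -port -1",
    "536 ? S 0:00 /usr/local/apache/bin/httpd",
    "537 ? S 0:00 sh /usr/local/bin/safe_mysqld",
};
#define SAMPLE_PS_COUNT (int)(sizeof SAMPLE_PS / sizeof SAMPLE_PS[0])

/* Parse one "PID TTY STAT TIME COMMAND" line. COMMAND is everything after
 * the TIME field, so %n records where the remainder begins. */
bool parse_ps_line(const char *line, struct proc *out)
{
    int consumed = 0;
    if (sscanf(line, "%d %7s %7s %15s %n",
               &out->pid, out->tty, out->stat, out->time, &consumed) < 4)
        return false;
    if (consumed == 0 || line[consumed] == '\0')
        return false;                          /* no command field */
    strncpy(out->command, line + consumed, sizeof out->command - 1);
    out->command[sizeof out->command - 1] = '\0';
    return true;
}

/* Load the sample lines into procs[]; returns how many parsed. */
int load_sample(struct proc *procs, int max)
{
    int n = 0;
    for (int i = 0; i < SAMPLE_PS_COUNT && n < max; i++)
        if (parse_ps_line(SAMPLE_PS[i], &procs[n]))
            n++;
    return n;
}

/* Count processes whose STAT field contains the given flag letter. */
int count_with_flag(const struct proc *procs, int n, char flag)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        if (strchr(procs[i].stat, flag))
            c++;
    return c;
}

/* The command column reveals a disk location only when the program was
 * started by absolute path; a bare name like "inetd" tells you nothing
 * about where the binary lives. */
bool shows_disk_path(const struct proc *p)
{
    return p->command[0] == '/';
}

/* Return the command for a PID, or NULL when it is not in the table. */
const char *command_for_pid(const struct proc *procs, int n, int pid)
{
    for (int i = 0; i < n; i++)
        if (procs[i].pid == pid)
            return procs[i].command;
    return NULL;
}
```

In practice you would capture `ps ax` to a file on the system under review and feed its lines to parse_ps_line in place of SAMPLE_PS; comparing the result against a snapshot taken when the system was known good is the same idea the notes recommend for the Dr. Watson log.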
