Secure System Administration - SANS GIAC
© 2000, 2001
Windows NT 4.0 Security
In our next sections together we will consider the Windows NT and Windows 2000 operating
systems. Windows NT was Microsoft’s first effort in building a production server operating system,
and they made a number of changes and improvements in Windows 2000. We are going to take a
quick look at the architecture and file system and then move into the tools that you can use to gather
clues from your operating system. I am going to approach the tools in the following way: since NT
has tools to implement security, we are going to learn to configure our system security policy and at
the same time how to check it. As always, we will focus on learning to use the tools that are
available with the operating system and possibly the Resource Kit, but we are also going to look at
something new, your operating system’s interface to the network. In order to run a number of the
exercises, you will need to be logged in as Administrator. As always, unless this is a scratch
operating system that you loaded only for testing, make sure you have a good backup before trying
privileged system commands.
HARDWARE
Hardware Abstraction Layer
(Responsible for CPU and bus)
Windows NT Kernel
NT Executive
(Object Manager, Virtual Memory Manager, I/O Manager)
Subsystems: Security, Win32, POSIX ….
User Processes: Outlook, Explorer ….
[Slide figure: the layers from Hardware up through the NT Executive are labelled KERNEL MODE; the Subsystems and User Processes layers are labelled USER MODE.]
Windows NT is a synthesis of operating systems that came before it, including MACH, UNIX, and
VMS. The hardware privilege model is straightforward: kernel mode can run anything and user
mode is tightly constrained. Two things to note:
• Though there are multiple subsystems, including POSIX, OS/2, and the Virtual DOS
Machine (VDM), they are rarely used. The Win32 subsystem is the animal that is more
equal than other animals and it operates with more privileges.
• Application programmers are supposed to write to the subsystems via Application
Programming Interfaces (APIs), not write direct calls into the kernel. The subsystems use
system service calls to communicate with the kernel mode portion of the operating system.
If programmers stick to APIs, their software is more portable and safer in some sense. The
APIs communicate with device drivers and these manage the hardware. These layers of
abstraction increase the size of the operating system, but make it easier to write software.
What is Running?
Start -> Settings -> Control Panel -> Devices.
Attackers may target device drivers because they run in the kernel space with access to most of the
system functions. For this reason, we need to know what drivers are installed on our system. To see
which drivers are installed and their current status use:
Start → Settings → Control Panel → Devices
The above screen appears, showing the device name, its current status, and the configured startup
behavior. Highlight a device name to start or stop the device or to change its startup behavior.
Available options for startup behavior include Automatic, Manual, and Disabled. Other options may
be available depending on the Service Pack applied and your current system configuration.
New and reassigned systems often arrive with optional hardware that is not required. These can
complicate configuring the server and may give attackers another door into the system. Experts do
not recommend modems and removable media devices for critical systems. Physically remove these
and their associated drivers and software.
Protecting the devices involved in the boot process is critical. If at all possible, place servers in a
locked room with limited access to maintain physical security. When this is not possible, secure the
server with a power-on password and consider disabling the option to boot from the floppy drive. If
the system doesn't need the floppy drive, remove it.
Kernel Mode
• Hardware Abstraction Layer (HAL) – directly interfaces with the hardware and allows NT to run on completely different hardware such as Intel and also Alpha chips
• Windows NT Kernel – provides process and thread scheduling, multiprocessor support and interrupt handling
• Windows NT Executive – uses the services of HAL and the kernel, handles file systems, device drivers and I/O
This slide gives an overview of the kernel mode processes for NT. The NT kernel is fairly small in
terms of size or lines of code compared to the NT Executive. It is responsible for core OS
functionality such as hardware exceptions, interrupts and traps. This is supposed to be the most
privileged process in the operating system.
The kernel gets its configuration from the registry database. The startup information is kept in
HKEY_LOCAL_MACHINE, which has the following registry keys: HARDWARE, SAM,
SECURITY, SOFTWARE, and SYSTEM. In troubleshooting, HARDWARE and SYSTEM are the
most important and SYSTEM is used heavily in bootup.
If the registry gets corrupted, bootup and operation of the system is nearly impossible. You can back
up the registry on the local system using the NTBACKUP program, but you must select it
specifically. Another thought is to create an Emergency Repair Disk (ERD). The Emergency Repair
Disk can be used to repair a corrupt Partition Boot Sector. The ERD is unique for each system. An
ERD created on one workstation or server will probably not work with a different workstation or
server. The ERD should be kept in a secure location since the disk contains security information
from the machine on which it was created.
To create an emergency repair disk, type RDISK /S at the command prompt. Please do this NOW.
We will remind you several times in the course, but if you make a mistake, you will need an ERD.
You MUST protect this disk! The /S switch copies the SAM database onto the floppy. Password
crackers can crack the passwords from this disk. Also note, the Repair Disk is not a boot disk. Setup
disks – bootable disks used in installing Windows NT – are created by running winnt32.exe with
the /ox switch.
Core NT File Systems
• FAT 16
• FAT 32
• NTFS4 and NTFS5
Any discussion of NT or Windows 2000 should be based on the NTFS file system. The differences between NT 4.0 and NT 5.0 (Win 2K) are very small in regards to the file system.
Core NT File Systems
The three file systems listed on your slide account for most Windows files. If you read system
documentation you will see references that claim NT systems can support a number of file systems.
This is not true in practice except for special purposes:
• CDFS ISO 9660 disks
• UDFS DVDs
These are examples of Installable File Systems.
Both Windows NT and Windows 2000 were designed around the NTFS file system and are happiest
in an NTFS environment.
Instead of FDISK, on NT you should use Disk Administrator. As the user Administrator, use Start
→ Programs → Administrative Tools → Disk Administrator to do partition and other FDISK work.
[Editor’s note: vol will display the serial number and label for a disk with any of the Windows file systems. This can be used as a step in evidence collection, for instance vol c:\ > disklabel.txt. It will not, however, display the file system, whereas chkdsk will. - SRN]
NTFS
• 64 bit address scheme, 2**64 bytes
• Hierarchical database (Master File Table) MFT
– Files are a record in this database
• Provides for file and folder level security:
– Full Control (all of the rest)
– Modify
– Write
– Read & Execute
– List Folder Contents
NTFS is a major improvement over the FAT file systems. This applies to a number of dimensions:
more files, bigger files, more naming flexibility, resistance to becoming fragmented, and so on.
NTFS also makes more efficient use of the disk, limiting the available hiding places for malware.
Like the FAT file system, the NTFS file system uses clusters as the fundamental unit of disk
allocation. In NTFS, the default cluster size depends on the volume size. For volumes of 512MB or
less, the default cluster size equals the sector size of 512 bytes. For volume sizes of 513MB or
greater, the cluster size increases but the sector size remains constant. Very large drives may be
formatted to make use of larger clusters to improve operating system performance at the cost of a bit
of wasted disk space.
All of these are certainly important, but the most important thing is that NTFS file security is more
granular than FAT, allowing fine tuning of permissions at the file level through Access Control Lists
(ACLs). FAT/FAT32 allows limited use of passwords to protect shared folders (no file-level
security is available) and provides absolutely no protection when a user logs on locally.
You can convert from FAT to NTFS with the convert utility. From the command line, first run
vol to get your volume name. Then type:
CONVERT <volume_name> /fs:ntfs
You can also use the drive letter with the CONVERT command, e.g., CONVERT C: /fs:ntfs.
Checking File Stamps
• The DIR command can be used to check size and date/time
• A good attacker can change this information to hide their files!
• To check creation date/time and size of all EXE files:
dir c:\winnt\*.exe /s/t:c > exefiles.txt
Checking File Stamps
One sign of system compromise is unauthorized modification of files. This slide shows an example
of using options to the dir command to query one or more files as to their creation or last access
time. Be aware that an attacker can change the file attributes, so this technique is not perfect. But,
dir is still a useful tool for exploring what an attacker has done to a system during a given session.
The example at the bottom of the screen is using the /t:c switch which will report the date and
time stamp of when the file was created. You can substitute a “w” for the “c” to see the last time the
file was written to, or an “a” to see the last access time. This implies that NTFS has more attributes
than the four kept by the FAT file system. For more information on the dir switches available, type
dir /? at the command prompt.
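The notes above point out that an attacker can reset the stamps dir reports. As an added example that is not part of the course material, the following Python script records what dir /s /t:c, /t:w and /t:a would show for every EXE under a tree, adds a SHA-256 digest, and diffs two snapshots; the sample tree, file names and contents are constructed here and stand in for c:\winnt.

```python
import hashlib
import os
import tempfile

def snapshot(root, suffix=".exe"):
    """Walk root like dir /s; keep the stamps dir can show (/t:c, /t:w, /t:a), size and a digest."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffix):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[os.path.relpath(path, root).replace(os.sep, "/")] = {
                    "size": st.st_size, "created": st.st_ctime, "accessed": st.st_atime,
                    "written_ns": st.st_mtime_ns, "sha256": digest}
    return snap

def compare(baseline, current):
    """Diff two snapshots; the digest catches an edit even when write stamp and size were put back."""
    findings = []
    for rel, old in sorted(baseline.items()):
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            restored = new["written_ns"] == old["written_ns"] and new["size"] == old["size"]
            findings.append((rel, "content changed, stamps restored" if restored else "content changed"))
        elif new["written_ns"] != old["written_ns"]:
            findings.append((rel, "write stamp changed, content same"))
    findings += [(rel, "new file") for rel in sorted(current) if rel not in baseline]
    return findings

def put(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    root = tempfile.mkdtemp()  # constructed sample tree standing in for c:\winnt
    os.makedirs(os.path.join(root, "system32"))
    good = os.path.join(root, "system32", "good.exe")
    put(good, b"MZ-version-1")
    put(os.path.join(root, "notepad.exe"), b"MZ-notepad")  # will stay untouched
    baseline = snapshot(root)
    st = os.stat(good)  # original stamps, kept for the simulated tampering below
    put(good, b"MZ-version-2")  # same-length rewrite, so size does not change
    os.utime(good, ns=(st.st_atime_ns, st.st_mtime_ns))  # write/access stamps put back
    put(os.path.join(root, "evil.exe"), b"MZ-dropped")  # a newly dropped executable
    return compare(baseline, snapshot(root))
```

Keep the baseline snapshot off the system being checked (the same reasoning the notes apply to the ERD), otherwise whoever changed the files can change the record too.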
Next let’s see how to configure our browser to see more file types.
Viewing all files
As you probably discovered in the previous section on Windows 9x, while dir has a large number
of options, it really has some limitations. The default viewing options in NT hide the following files:
.dll, .sys, .vxd, .386, .drv, and .pnf files. These initial options also hide extensions for known file
types, such as .bat, .txt, .htm, .rtf, .doc, .exe, etc. This represents a security risk since an attacker can
hide rogue code under a known file extension or disguise the file type by using multiple extensions
such as YourReport.rpt.exe.
Viewing all files (2)
You will note, we have an option to view hidden files and while we are learning the operating
system we should see all files. Windows 2000 users will have a new attribute called superhidden
files. These are system files with the hidden attribute set. Tools → Folder Options → View Tab →
Show Hidden Files and Folders and the Hide Protected Operating System Files is where the
superhidden attribute is maintained.
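The two "Viewing all files" slides describe hidden extensions, double extensions such as YourReport.rpt.exe, and the hidden and system attributes. As an added example (not from the course notes), this Python script applies those checks to a directory listing; the entries are constructed here in the form a parsed attrib listing would give (letters A, H, S, R), and the extension sets are assumptions drawn from the file types the slides mention.

```python
import os

# Extensions Explorer hides as "known file types" that also run code when opened
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}
# Document-looking extensions an attacker may place in front of the real one
DOCUMENT = {".txt", ".doc", ".rtf", ".htm", ".html", ".rpt", ".pdf", ".jpg"}
# File types the default view hides; system+hidden is normal for these
EXPECTED_SYSTEM = {".dll", ".sys", ".vxd", ".386", ".drv", ".pnf"}

def classify(name, attribs=""):
    """Return the reasons a listing entry deserves a look. attribs holds the letters the
    attrib command prints: A archive, H hidden, S system, R read-only."""
    base, last = os.path.splitext(name.lower())
    _, inner = os.path.splitext(base)  # "" when there is only one extension
    reasons = []
    if last in EXECUTABLE and inner in DOCUMENT:
        reasons.append("executable disguised as a document (double extension)")
    elif last in EXECUTABLE and inner:
        reasons.append("executable with multiple extensions")
    if "H" in attribs and last in EXECUTABLE:
        reasons.append("hidden executable")
    if "H" in attribs and "S" in attribs and last not in EXPECTED_SYSTEM:
        reasons.append("superhidden (system+hidden) file of an unexpected type")
    return reasons

def scan(entries):
    """entries: (name, attribs) pairs; returns only the entries with findings."""
    hits = []
    for name, attribs in entries:
        reasons = classify(name, attribs)
        if reasons:
            hits.append((name, reasons))
    return hits

# Constructed sample listing, not output captured from a real system
SAMPLE = [
    ("YourReport.rpt.exe", "A"),
    ("pagefile.sys", "ASH"),
    ("notepad.exe", "A"),
    ("readme.txt", "A"),
    ("helper.exe", "AH"),
    ("update.doc.scr", "ASH"),
]
```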
Setting the Account Policy
To begin our discussion of checking and setting system policies, our first stop is Account Policy.
Hitting “Cancel” to bypass a password will not work on an NT machine. The first thing to notice at
the top of the screen is the word “Domain.” For NT and Windows 2000, domains are security
entities. If your workstation or server is a member of a domain, you obtain your authentication from
a special server. These are called Primary Domain Controllers (PDCs) and Backup Domain
Controllers (BDCs). If you are installing a machine that does not need to share credentials with
other machines, you can make it a member of a workgroup and it can still do file and print sharing
with other systems on its network.
The “Account Policy” under User Manager for Domains sets the general domain-wide password
policy for all network accounts. However, for each user account, “User Properties” also affects
passwords for a specific account. It is important to note that settings in User Properties override the
settings in the Account Policy. For example, an Account Policy requiring a password change every
“X” days can be overridden for a particular user by selecting “Password never expires” in the User
Properties for that particular user.