
1 - 1
Windows 98/ME Security - SANS
©2001
1
Windows Security
Day 5
Security Essentials
The SANS Institute
Agenda
• Windows Legacy Desktops
  – Overview
  – Security Issues
• Windows NT
  – Overview
  – Security Issues
• Windows 2000
  – Overview
  – Security Issues
• Windows 2000/XP Desktops
Agenda (cont.)
• Windows Backups
• Windows Auditing
• IIS
  – Overview
  – Security
Windows Legacy Desktops
Security
In this module we are going to look at legacy Windows desktops: Windows 98 and Windows Me, which are similar. The most important thing to know about Windows 98 and Me is that there is no file security and no authentication is required. Even if you configure the system for multiple users and see a password screen at bootup, anyone can press “Cancel” and still get in. Access to files depends only on access to the machine: if you use passwords and have two users, each can see and open all of the other’s files on the hard drive. There are three security techniques you can use. Two of them, physical security and encryption, enforce security on Windows 98/Me; the third is reactive.
Let’s look at an example. Joe travels around the world on business. His laptop is protected by
physical security. Since he travels a lot, he tries to keep his laptop bag with him at all times. Still,
there are times when Joe leaves it in the hotel room, or accesses the Internet and just hopes. Security
for most Windows 98/ME users amounts to hope and nothing more.
This section will suggest adding a layer of security, encryption, and will introduce tools that can help you determine what is happening on your Windows 98/ME system.
Windows Tools

• System Configuration Editor
• Startup
• System File Checker
• File Compare
• File Attributes
The first section of this course covers some tools that give us information about our system. Since everything we see is inherited from the system’s startup process, let’s cover the elevator version of how the system boots. From the Power On Self Test (POST) by the ROM BIOS, we go to the disk and the secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database called the registry is consulted for system information. Virtual Device Drivers (VxDs) come next, followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your system is configured for multiple users, this is the point at which you log in and your personal password file, located at \Windows\<yourusername>.pwl, is examined; if you have a user profile, it is loaded from the user portion of the registry database, \Windows\Profiles\<yourusername>\user.dat. If you have never looked at your profile, I highly recommend a tour. Finally, if your system.ini has the line shell=Explorer.exe, and you shut down cleanly the last time you used Windows, Windows Explorer will come up after you boot.
Understanding your system and knowing how it operates are critical in order to properly secure that system.
Startup files are critical to the operation of your system. If they are modified, the system may be unbootable, or you may run a virus or Trojan horse program without your knowledge every time you boot. You should learn the normal contents of your startup files so that you will recognize possible problems and intrusions.
Before modifying your startup, it is always a really good idea to back up your registry! I start the scanregw program with the Run command: Start → Run → scanregw. It will then scan your registry and give you an opportunity to make a backup. Backups are stored in \Windows\Sysbckup. They are .cab (compressed) files. If you goof up, scanregw can use them to recover. Now we are equipped to look at our startup. Start → Run → sysedit will launch the System Configuration Editor and produce what you see on the slide. This is just a Notepad-style editor, but it makes it really easy to view or edit these startup files. You should see the system.ini Explorer entry we just mentioned. Your system may have nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 and ME like it was for MS-DOS, but you can use it to override the default behavior of IO.SYS. The reason you care about this is that if you use a boot disk to analyze a machine, you would want to alter the path variable so that the applications on your floppy or CD-ROM are executed before the ones on the suspect system’s hard drive.
Remember, it could also be used by an attacker to run other programs on your system.
If you are prone to typos, then you might be better served by msconfig, the System Configuration Utility, as shown on this screen. You know the drill by now: Start → Programs → msconfig. This is a GUI tool that does everything you can do with sysedit and more.
It also has the advantage of identifying the programs that run at startup for you and allowing you to disable them. It really is worth your time to become familiar with your startup for a number of reasons.
Note on the slide where it says “Reminder” and the option is unchecked. A partially functional
version of MS Money was installed on this laptop. It was never used. Every time this laptop booted,
time was lost while a Reminder file was loaded and it cost memory as well. Microsoft products are
fairly benign, but malicious software will use either the Run or RunOnce Registry entries to install
themselves. If you are familiar with what you expect to run, then you may be able to identify and
eliminate potentially destructive or abusive software.
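The startup locations covered so far (the shell= line in system.ini, the load= and run= lines in win.ini, and the Run/RunOnce registry keys) can be checked against a known-good baseline instead of being eyeballed each time. The script below is an added example written for this edit; it is not a tool from the SANS course or from Microsoft. The INI contents, the regedit-style export and the baseline are all constructed here, and Windows 9x has no Python, so in practice you would copy the files and a registry export to the analysis machine first.

```python
"""Audit Windows 9x startup entries against a known-good baseline (added example)."""
import re

# Constructed sample system.ini and win.ini fragments (not from any real machine).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
mouse.drv=mouse.drv
[386Enh]
device=vmm32.vxd
"""

SAMPLE_WIN_INI = """[windows]
load=C:\\TEMP\\unknown.exe
run=
[Desktop]
Wallpaper=(None)
"""

# Constructed regedit-style export of the Run and RunOnce keys.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Reminder"="C:\\Program Files\\Money\\reminder.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\WINDOWS\\TEMP\\upd.exe"
"""

# Hypothetical baseline recorded by the owner on a clean day; anything else is reported.
BASELINE = {
    "system.ini:boot:shell": "Explorer.exe",
    "win.ini:windows:load": "",
    "win.ini:windows:run": "",
    "Run:ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
}


def parse_ini(text):
    """Return {(section, key): value} for a simple INI file; sections and keys lowercased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            entries[(section, key.strip().lower())] = value.strip()
    return entries


def parse_reg_export(text):
    """Return {(key_leaf, value_name): data} for "name"="data" lines under each [key]."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rsplit("\\", 1)[-1]      # keep just Run / RunOnce
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key is not None:
            # regedit escapes backslashes in .reg files; undo that for comparison
            entries[(key, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def audit_startup(system_ini, win_ini, reg_export, baseline):
    """Return [(entry, observed_value, reason)] for every startup entry not in the baseline."""
    observed = {}
    sysini, winini = parse_ini(system_ini), parse_ini(win_ini)
    observed["system.ini:boot:shell"] = sysini.get(("boot", "shell"), "")
    for k in ("load", "run"):
        observed["win.ini:windows:" + k] = winini.get(("windows", k), "")
    for (key, name), data in parse_reg_export(reg_export).items():
        observed[f"{key}:{name}"] = data
    findings = []
    for entry, value in sorted(observed.items()):
        if entry not in baseline:
            findings.append((entry, value, "not in baseline"))
        elif baseline[entry] != value:
            findings.append((entry, value, f"changed from {baseline[entry]!r}"))
    return findings


if __name__ == "__main__":
    for entry, value, reason in audit_startup(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI,
                                              SAMPLE_REG_EXPORT, BASELINE):
        print(f"{entry:28} {value!r:40} {reason}")
```

The baseline is the important part: record it while the machine is known clean (right after the scanregw backup described above) and re-run the audit whenever a new program is installed or the machine has been out of your hands.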
As you install and uninstall software, there are times when the application software will come with its own “enhanced” driver or dynamic link library (DLL). You may recall seeing a message from your operating system warning that a system file was about to be overwritten with an older file than the one you have. Generally you do not want to overwrite newer files with older ones. The logic is that the newer file must be better, and this makes a certain degree of sense. In general the worst offenders seem to be networking cards. If you are responsible for configuring networking services for a Windows system, it can be worth your time to do a bit of Internet research first. This is especially true if you are considering running multiple operating systems such as Linux and Windows.
The System File Checker will make an effort to check all of your system files against a known database (\Windows\Default.sfc). If it finds a file that it feels is the wrong one, you have the option to reinstall from your factory CD. It only takes a couple of minutes to scan your system and can be a very prudent thing to do after installing software.
Startup Cop Main Console
Startup Cop is a free download from the publishers of PC Magazine () that supplements the functionality found in the System Configuration Utility. In addition, it allows for permanent deletion of startup items and provides the ability to use startup profiles.
When Startup Cop is initially run, it displays all the items that will run at startup. Another nice feature of Startup Cop is that it shows the user to whom the entry applies and when the startup item will be executed. Startup programs can be disabled and enabled through Startup Cop.
Clicking the ‘detail’ button provides information in a popup window that can be very helpful when dealing with Trojans, because it tells where the program is located and where in the file system the startup entry was found. It also allows for the permanent deletion of the entry. This makes it easier to clean up after the Trojan.
Saving A Startup Profile
If a Trojan’s name is sufficiently obfuscated, it may look like a critical system routine. Under these
circumstances, you may be reluctant to disable the item. Through the use of startup profiles, you can
safely try various startup combinations.
If your aim is to suppress certain startup programs, you should mark only those programs as disabled
and then save a profile of disabled items. When you restore this profile, the specified programs will
be disabled and all other programs will be enabled. If your aim is to load a minimal set of startup
programs, you should mark only those programs as enabled, and then save a profile of enabled items.
Restoring A Startup Profile
The Restore profile dialog provides two interesting options. In addition to restoring the profile, it allows you to choose to restart the system or to log off. If a startup item was located in the HKEY_LOCAL_MACHINE section of the registry, you should choose the restart option, because it will not be launched simply by logging back in.
The Shortcut option places a Startup Cop profile restore on the desktop with the same options as are available with the Restore option.
FC
MARKET~1 ZIP 593,208 03-04-00 9:19p marketing .zip
MARKET~2 ZIP 593,208 03-04-00 9:23p Marketing.zip
27 file(s) 4,401,366 bytes
12 dir(s) 2,005.71 MB free
C:\My Documents>fc /b market~1.zip market~2.zip
Comparing files marketing .zip and market~2.zip
FC: no differences encountered
This slide shows a tool called FC, for File Compare. When you get a complaint from your operating system that you are about to overwrite a file, or if System File Checker is upset about a file, you might want to check it out before making a decision. Sometimes the file is actually the same, but the dates are different and this confuses Windows. FC also has a binary compare mode:
FC /B file1 file2
that can be useful when you are trying to really dig into a file. If you have a suspected virus and a clean file from a backup, this can be a great way to see where a virus or other malicious code has changed the file.
Next we will spend a bit of time learning about our file system and where things tend to be stored. Windows tucks things everywhere: in temp and cache directories, and we have already mentioned your profile. In this next section of the course, I want to sensitize you to two things: the ways you can audit Windows systems, but also the kinds of information others can get from your system should the physical security ever be breached.
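The two FC uses above (a file that is byte-identical despite a different date, and a suspect file checked against a clean backup) come down to one operation: walk both files and report every offset at which they differ. The Python below is an added example written for this edit, not the FC utility itself; it mimics FC /B’s offset-and-two-bytes report format, adds a SHA-256 digest so a “same content, different date” file can be recognised at a glance, and works on constructed byte strings so it runs without any files on disk (compare_files reads real files when you have them).

```python
"""Byte-for-byte comparison of two files in the style of FC /B, plus a hash (added example)."""
import hashlib


def fc_binary(a, b, max_report=10):
    """Compare two byte strings. Returns (identical, diffs); diffs holds up to
    max_report tuples (offset, byte_in_a, byte_in_b). None marks a byte that is
    missing because one input is shorter than the other."""
    diffs = []
    for off in range(max(len(a), len(b))):
        ba = a[off] if off < len(a) else None
        bb = b[off] if off < len(b) else None
        if ba != bb:
            diffs.append((off, ba, bb))
            if len(diffs) >= max_report:
                break
    return not diffs, diffs


def format_report(name_a, name_b, diffs):
    """Render the differences the way FC does: hex offset, then the byte from each file."""
    lines = [f"Comparing files {name_a} and {name_b}"]
    if not diffs:
        lines.append("FC: no differences encountered")
    for off, ba, bb in diffs:
        fa = "--" if ba is None else f"{ba:02X}"
        fb = "--" if bb is None else f"{bb:02X}"
        lines.append(f"{off:08X}: {fa} {fb}")
    return "\n".join(lines)


def sha256_hex(data):
    """Digest of the content only; timestamps and names play no part."""
    return hashlib.sha256(data).hexdigest()


def compare_files(path_a, path_b):
    """Disk version: read both files and return the FC-style report text."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        _, diffs = fc_binary(fa.read(), fb.read())
    return format_report(path_a, path_b, diffs)


# Constructed sample data: a backup copy, an identical copy that merely carries a
# newer timestamp, and a copy with one byte changed and two bytes appended.
ORIGINAL = b"MZ\x90\x00hello from the backup copy\n"
SAME_CONTENT = bytes(ORIGINAL)
TAMPERED = ORIGINAL[:10] + b"X" + ORIGINAL[11:] + b"\x00\x00"

if __name__ == "__main__":
    print(format_report("backup.bin", "copy.bin", fc_binary(ORIGINAL, SAME_CONTENT)[1]))
    print(format_report("backup.bin", "tampered.bin", fc_binary(ORIGINAL, TAMPERED)[1]))
    print("same digest:", sha256_hex(ORIGINAL) == sha256_hex(SAME_CONTENT))
```

A matching digest settles the “is it really the same file?” question immediately; the offset list is what you reach for when the digests differ and you want to see how much of the file was touched and where.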
The screenshot on this page was created by selecting a file in Windows Explorer, clicking with the right mouse button, and then selecting Properties. In a FAT or FAT32 directory listing the DOS attributes are shown. The four FAT attributes are:
- Read-only
- Hidden
- System
- Archive
Since most of your interaction with the file system in Windows will be through Windows Explorer, we want to make sure we configure Explorer so that it gives us the information we need to understand and audit our systems effectively. On the next slide, you see that there are options in Explorer that allow us to see system files that are not normally shown, and attributes as well.
Windows Explorer: View → Customize This Folder
The attributes will show up on the right-hand side, so you will not normally notice them, but you can drag and drop to change the column order. Any time you are in the root of your disk (C:\) or in your Windows directory (C:\windows), you should probably be aware of attributes and hidden files.
I recommend always selecting “show all files.” You never want the operating system to hide files, because they could be critical to investigating a security incident.
FAT and FAT32 File System
• FAT is a 16-bit address table for 2^16 (65,535) maximum clusters. This was the DOS and Windows 95 file system
• FAT32 was introduced in Windows 95 OSR2 and used in Windows 98
• Directory records are used to store the names of files and directories contained in a directory
One of the most important tools to explore the hard drive is FDISK. This is run from the Windows command prompt. Type fdisk with no options and we see:
Your computer has a disk larger than 512 MB. This version of
Windows includes improved support for large disks, resulting in
more efficient use of disk space on large drives, and allowing
disks over 2 GB to be formatted as a single drive.
IMPORTANT: If you enable large disk support and create any new
drives on this disk, you will not be able to access the new
drive(s) using other operating systems, including some versions of
Windows 95 and Windows NT, as well as earlier versions of Windows
and MS-DOS. In addition, disk utilities that were not designed
explicitly for the FAT32 file system will not be able to work with
this disk. If you need to access this disk with other operating
systems or older disk utilities, do not enable large drive support.
Since FAT16 allocates files in clusters and has only a 2^16 address space, it must use fairly large clusters. With FAT32’s larger address space, clusters can be smaller and therefore the disk is better utilized.
FAT16 and FAT32 offer no security features. You cannot protect local files and folders with access permissions.
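The cluster-size argument above can be carried through numerically: the table can only address so many clusters, so each cluster must be large enough that the partition fits, and every file then wastes on average half a cluster of slack. The script below is an added example for this edit, not part of the course; it uses the slide’s 65,535-cluster figure for FAT16 and the 28-bit cluster numbers of FAT32, and it deliberately ignores the boot sector, FAT copies and root directory, so it yields the smallest cluster the address space permits rather than the size a particular formatter chooses (Windows 98 defaults FAT32 to 4 KiB clusters on drives of this size, not the 512-byte minimum the arithmetic allows).

```python
"""Cluster size forced by the FAT address space, and the slack big clusters waste (added example)."""

SECTOR = 512
FAT16_MAX_CLUSTERS = 65_535      # figure quoted on the slide for a 16-bit table
FAT32_MAX_CLUSTERS = 2 ** 28     # FAT32 cluster numbers are 28 bits wide


def min_cluster_size(partition_bytes, max_clusters):
    """Smallest power-of-two cluster (in whole 512-byte sectors) that covers the
    partition with at most max_clusters clusters. Simplified model: metadata areas
    are ignored, so near a size boundary a real formatter may pick the next size up."""
    size = SECTOR
    while -(-partition_bytes // size) > max_clusters:   # ceiling division
        size *= 2
    return size


def slack_bytes(file_sizes, cluster):
    """Space lost in each file's final cluster: a file always occupies whole clusters."""
    return sum(-size % cluster for size in file_sizes)


def compare(partition_bytes, file_sizes):
    """Cluster size and total slack under FAT16 versus FAT32 for the same partition and files."""
    result = {}
    for label, limit in (("FAT16", FAT16_MAX_CLUSTERS), ("FAT32", FAT32_MAX_CLUSTERS)):
        cluster = min_cluster_size(partition_bytes, limit)
        result[label] = {"cluster": cluster, "slack": slack_bytes(file_sizes, cluster)}
    return result


# Constructed workload: a 2000 MiB partition holding 3000 small documents.
PARTITION = 2000 * 2 ** 20
FILES = [100, 4_096, 10_000] * 1000

if __name__ == "__main__":
    for fs, r in compare(PARTITION, FILES).items():
        print(f"{fs}: {r['cluster'] // 1024 or 1:>3} KiB clusters, "
              f"{r['slack'] / 2 ** 20:8.1f} MiB lost to slack")
```

For the constructed workload FAT16 is forced to 32 KiB clusters and throws away roughly 80 MiB on 3000 small files; the same files on FAT32 lose well under 1 MiB. That waste is the “better utilized” point the text makes, and nothing in either layout stores an owner or a permission bit.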
Tweak UI is a wonderful application. It comes on your Windows 98 CD-ROM, in the \tools\reskit\powertoy directory. The screenshot shown is the “Paranoia” mode. This makes bootup just a bit longer, since it audits traces from your last login. Tools like these help you understand why, if you ever seize a computer, you must make every effort to produce the best backup you can before you turn the system off. If the system is already off, the best thing to do is pull the disk drive and make a copy of it. If you can’t do that, you need to boot the computer from your own bootable disk and make the backup.
Windows has its own cleanup utility in Start → Programs → Accessories → System Tools → Cleanup. This will remove a large number of the tracks a system leaves and will free up disk space.
Again, this part of the course has two messages. One is where to find data; I hope that you will take the time to dig around your filesystem and see what is there. The second message is for you to understand how much information about you is on your system in the event someone accesses your computer.
Another important note is to be careful with CDs that automatically run via the autorun file. This will work even if you use password-protected screen savers and they are enabled. If an attacker inserts a CD, the program will run in the background. This can be used to install Trojan horses and other programs.
When files are deleted, the data is not erased; instead the area is marked as ready for use. Data is also never automatically moved around and consolidated. A disk defragmenter can help by rearranging data on a disk: instead of files of many parts spread all over the disk, a defragmenter consolidates file fragments and empty space. Legacy Windows systems have a defragmenter. FAT and FAT32 file systems in particular can get fragmented, but fragmentation also occurs with the NTFS file system used in Windows NT and 2000. When you run the disk defragmenter, all of the unallocated clusters will be moved to the back of the drive. This makes it much harder for anyone to do forensic analysis, but not impossible.
After defragmentation, deleted files are no longer in the directory. Many times their data still exists in the “back of the disk”. So I begin at the last file and, as you can see on the slide, I can recover a lot of the data. The defragmenter moves the clusters in order, so the first 20 or so clusters are all deleted email.
If you use Windows and you do not want your data recovered easily, it is necessary to remove the data with something more destructive than delete. Deleting data files on most operating systems does not clear the data from the physical drive, but simply removes an entry from the file system’s database. This is true for the FAT/FAT32 file system (used in DOS and Windows 3.11/95/98), NTFS/NTFS2 (used in Windows NT and 2000 respectively) and also for Macintosh, OS/2, and most Unix flavors.
But things get worse. Even if new information is written over the physical location of the data file, it is still possible to extract the old information, due to the magnetic properties of physical disks. Products like BCWipe, available from Jetico (), will overwrite deleted data with 1s, 0s, and random data.
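What “simply removes an entry from the file system’s database” means on FAT is concrete: the 32-byte directory record is kept, its first name byte is overwritten with 0xE5, and the starting cluster and size fields stay intact, which is exactly why the deleted mail on the slide can still be found. The parser below is an added example for this edit (not course material and not a recovery tool); it builds a few constructed FAT16 directory entries, decodes the attribute byte from the earlier File Attributes slide, lists which deleted entries still point at their data, and reports which live files carry the hidden attribute.

```python
"""Parse 32-byte FAT16 directory entries and show what a deleted entry still reveals (added example)."""
import struct

ENTRY_SIZE = 32
ATTR_FLAGS = [
    (0x01, "read-only"), (0x02, "hidden"), (0x04, "system"),
    (0x08, "volume-label"), (0x10, "directory"), (0x20, "archive"),
]


def build_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Construct a FAT16 short-name directory entry (test data only)."""
    raw_name = name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    if deleted:
        raw_name = b"\xE5" + raw_name[1:]    # deletion overwrites only the first byte
    # layout: name(11) attr(1) reserved(1) create-tenth(1) create-time(2) create-date(2)
    #         last-access(2) high-cluster(2, FAT32 only) write-time(2) write-date(2)
    #         first-cluster-low(2) size(4); timestamps are zeroed here for brevity
    return raw_name + struct.pack("<BBBHHHHHHHI", attr, 0, 0, 0, 0, 0, 0, 0, 0,
                                  first_cluster, size)


def decode_attrs(attr):
    """Names of the attribute bits set in the directory entry's attribute byte."""
    return [name for bit, name in ATTR_FLAGS if attr & bit]


def parse_directory(blob):
    """Return a list of dicts, one per entry, stopping at the first free (0x00) slot."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:
            break                        # free slot: nothing was ever allocated past here
        attr = raw[11]
        if attr == 0x0F:
            continue                     # VFAT long-name fragment, not a file entry
        deleted = raw[0] == 0xE5
        base = raw[0:8].decode("latin-1")
        if deleted:
            base = "?" + base[1:]        # only the first character of the name is lost
        ext = raw[8:11].decode("latin-1").rstrip()
        name = base.rstrip() + ("." + ext if ext else "")
        first_cluster = struct.unpack_from("<H", raw, 26)[0]
        size = struct.unpack_from("<I", raw, 28)[0]
        entries.append({"name": name, "attrs": decode_attrs(attr), "deleted": deleted,
                        "first_cluster": first_cluster, "size": size})
    return entries


def recoverable(entries, cluster_size=4096):
    """Deleted entries whose start cluster and size survive: (name, first cluster,
    clusters to read). The data stays on disk until those clusters are reused or a
    defragmenter shuffles them, which is why a plain delete is not enough."""
    return [(e["name"], e["first_cluster"], -(-e["size"] // cluster_size))
            for e in entries if e["deleted"] and e["size"] > 0]


def hidden_entries(entries):
    """Live files carrying the hidden attribute; Explorer hides these unless told otherwise."""
    return [e["name"] for e in entries if "hidden" in e["attrs"] and not e["deleted"]]


# Constructed sample directory: a hidden file, a deleted mail store, a normal file, free slot.
SAMPLE_DIR = (
    build_entry("PAYROLL", "TXT", 0x02 | 0x20, first_cluster=5, size=1200)
    + build_entry("MAIL", "DBX", 0x20, first_cluster=9, size=48_000, deleted=True)
    + build_entry("NOTES", "TXT", 0x20, first_cluster=3, size=300)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(e)
    print("recoverable:", recoverable(SAMPLE_DIR and parse_directory(SAMPLE_DIR)))
    print("hidden:", hidden_entries(parse_directory(SAMPLE_DIR)))
```

Note what the deleted record does and does not give you: the start cluster and length are intact, but the chain of clusters beyond the first lived in the FAT itself and has been zeroed, so on a fragmented disk only the first run is certain. That is also the reason the defragmenter’s tidy end-of-disk layout makes the slide’s email recovery easier, not harder.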
Hiding Data
• Obscuring
• Password Protection
• Encryption
Security through obscurity is often derided as being of no use at all. However, you can make data harder to find by hiding it in unexpected places. Virus and Trojan writers use this technique and you can too. Because there are so many files on Windows systems, these file additions often go unnoticed. Files can be placed in folders within folders and then marked with the hidden attribute. This will stop a determined intruder for about 5 seconds. However, the ordinary person, who is merely viewing your file system out of curiosity, will be more interested in files that are clearly visible and have titles such as ‘financial.dat’ or ‘payroll.txt’.
Some software programs allow you to store data files with password protection. You create a password and use it when storing and retrieving files. While this will stop the casual malingerer, it will not prevent anyone who wishes to spend a few minutes on the Internet, where she can find programs which crack these passwords.
Encryption, properly done and religiously applied, can keep unwanted people out. A typical algorithm uses a special number, or key, and a complicated mathematical algorithm to scramble data. Without the key, the data cannot be recovered. Windows legacy systems do not have a built-in file encryption tool. You will have to purchase a tool and use it wisely. Encryption is not a panacea: if a weak algorithm is used, if it depends on the Windows legacy system password, if the password is easy to guess, or if it is written down and easily viewable, then encryption offers no security either.
Let’s take a minute and think about hiding data. Someone can mark a file as hidden, or give it a reasonable-sounding name in a crowded directory, or give it a misleading extension, calling a .jpg an .exe or whatever. With a disk editor, they can add data after the end of a file in a cluster. Malicious code can intercept reads to the disk and redirect the read to a new location. With a partition editor, like fdisk, one can create a partition to hide data and not mark it as active. Utilities are available, such as S-Tools, that allow you to hide a file inside of another file. Whew! Then we need to realize that Windows is a bit complex and files don’t even have to be hidden if we don’t know what to look for. If you ever have to audit a Windows 9x system to determine what someone has been doing, odds are there is so much data it will take a long time to find.
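Of the hiding tricks just listed, the misleading extension is the one an auditor can catch mechanically: a file’s first bytes identify the format regardless of what it is called. The checker below is an added example written for this edit, not a tool from the course; the magic numbers are the well-known ones for executables, JPEG, PNG, GIF and ZIP, the alias table maps extensions that legitimately share a signature, and the sample files are constructed byte strings rather than anything read from a disk.

```python
"""Flag files whose extension disagrees with their content (added example)."""

# Well-known header signatures, longest first so the most specific match wins.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xFF\xD8\xFF", "jpg"),
    (b"PK\x03\x04", "zip"),
    (b"GIF8", "gif"),
    (b"MZ", "exe"),              # DOS/Windows executable header
]

# Extensions that legitimately carry one of the signatures above.
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe"}


def sniff(data):
    """Kind of file the leading bytes indicate, or None if no known signature matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def declared_kind(filename):
    """Kind the extension claims, normalised through the alias table."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_ALIASES.get(ext, ext)


def extension_mismatch(filename, data):
    """Return (filename, declared, actual) when content and extension disagree, else None.
    Unknown content is not reported: plain text and most data files have no signature."""
    actual = sniff(data)
    declared = declared_kind(filename)
    if actual is None or actual == declared:
        return None
    return (filename, declared, actual)


def audit(files):
    """Run the check over (name, leading_bytes) pairs and keep only the mismatches."""
    return [m for m in (extension_mismatch(n, d) for n, d in files) if m]


# Constructed samples: only the first few bytes of each file matter to the check.
SAMPLE_FILES = [
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24),   # executable named as a picture
    ("report.txt", b"Quarterly numbers, nothing to see here\r\n"),
    ("backup.zip", b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 24),
    ("setup.exe", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),            # picture named as a program
    ("logo.jpeg", b"\xFF\xD8\xFF\xE1\x00\x10Exif\x00"),
]

if __name__ == "__main__":
    for name, declared, actual in audit(SAMPLE_FILES):
        print(f"{name}: extension says {declared!r}, header says {actual!r}")
```

Reading only the first 32 bytes of each file keeps a sweep of a whole drive cheap, and because the check is about signatures rather than names it also catches the reverse case, a program renamed to look like a picture, which is the more dangerous of the two on a system where anything in the startup locations will happily run.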
Review of Concepts
• Tools to help you understand and repair Windows 9x
• Windows Startup process
• Introduction to the Registry
• FAT file system does not delete files
• Windows leaves a tremendous amount of user data scattered about
• Defragmentation moves de-allocated clusters to back of the hard drive
This is the end of our tour of Windows. If you work with the tools and investigate the places I have shown you, you will be amazed how much better you understand your system. Don’t get too brave: make backups before going too wild, or simply load an operating system on a non-production machine and play.
You now have a solid foundation. If you need to audit or inspect a system, you know where to look and what to look for. You should also better understand the vulnerabilities this operating system has and how to protect your valuable information.

Course History
v1.1 – edited by E. Cole – June 2001
v1.1a – edited and audio – June 2001
v1.2 – edited/formatted – June 2001
v1.3 – edited by E. Cole – Aug 10 2001
v1.3a – edited – December 2001
v1.4 – edited by Roberta Bragg – December 2001
v1.4a – edited and audio recorded by Carla Wendt – Jan 10 2002
