Windows 9x Security

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 30


1. Windows 9x Security
Secure System Administration - SANS GIAC © 2000, 2001

For our third session of the second part of the course, we will focus on the Windows 95 and Windows 98 operating systems. The examples are tested on Windows 98 since 95 systems are starting to be retired. The most important thing to know about this flavor of Windows is that there is no file security. If you configure the system for multiple users and have a password screen at bootup, anyone can hit Cancel and still get in. If you use passwords and have two users, each can see all of the other user's files. There are exactly two ways to enforce security for Windows 9x: physical security and encryption. My laptop is protected by physical security. I travel a lot. I try to keep my laptop bag with me at all times. Still, there are times when I leave it in the hotel room and just hope. Security for most Windows 9x users amounts to hope and nothing more. We will learn how to add a layer of security in this section with better living through encryption. The focus of most of this course will be to show you some of the clue-gathering tools you can use to see and understand what is going on with your Windows 9x system. We will cover several new tools, discuss the file system a bit, and close with encryption.
2. Windows 9x Tools
• System Configuration Editor
• Startup
• System File Checker
• File Compare
• File Attributes

The first section of this course will be to learn some new tools that give us information about our system. Since everything we see will be inherited from startup, let's cover it at least from a high level. From the Power On Self Test (POST) by the ROM BIOS, we go to the disk and the secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database called the registry is consulted for system information. Virtual Device Drivers (VxDs) come next, followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your system is configured for multiple users, this is the point at which you log in: your personal password file is examined (\Windows\yourusername.pwl) and, if you have a user profile, it is loaded from the user portion of the registry database (\Windows\Profiles\yourusername\user.dat). If you have never looked at your profile, I highly recommend a tour. Finally, if your system.ini has the line shell=Explorer.exe and you shut down cleanly, Windows Explorer will come up when you reboot.
3. (slide image only: SYSEDIT)

Before mucking with your startup, it is always a really good idea to back up your registry! On a Windows 98 computer, I start SCANREGW with the Run command: Start, Run, Scanregw. It will then scan your registry and give you an opportunity to make a backup. Backups are stored in \Windows\Sysbckup; the file names start with rb and they are .cab (compressed) files. The .cab file contains a copy of user.dat, system.dat, win.ini, and system.ini from the Windows\System directory. Note that scanregw will NOT back up the user.dat files for each of the individual users. You will need to do this manually. If you goof up, SCANREGW can use these files to restore the Registry should it become corrupted.

Now we are equipped to look at our startup. Start, Run, SYSEDIT will produce what you see on the slide. This is just a notepad editor, but it makes it really easy to view or edit these startup files. You should see the system.ini explorer entry we just mentioned. Your system may have nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 like it was for DOS, but you can use it to override the default behavior of IO.SYS. The reason you care is that if you use a boot disk to analyze a machine, you would want to alter the PATH variable so that the applications on your floppy or CD-ROM are executed before the ones on the suspect system's hard drive. We see in the screen shot above that the operating system looks first in the DOS directory of the C drive, then in the PGP directory under Program Files\Network Associates.
4. (slide image only: MSCONFIG)

If you are prone to typos, then you might be better served by MSCONFIG, the System Configuration Editor (available with Windows 98), as shown on this screen. You know the drill by now: Start, Run, Msconfig. This is a GUI tool that does everything you can do with SYSEDIT and more. It really is worth your time to become familiar with your startup for a number of reasons. Note on the slide where it says Reminder and it is unchecked. A partially functional version of MS Money was installed on this laptop. I never used it, nor will I; all accountants expect Quicken. Every time this laptop booted, time was lost while a reminder file was loaded, and it cost memory as well. With the Reminder box unchecked, the reminder file will not load. Microsoft products are fairly benign, but malicious software will use either the Run or RunOnce registry entries to install itself. If you are familiar with what you expect to run, then you may be able to identify and eliminate potentially destructive or abusive software. This is what the ILOVEYOU virus did: it set Internet Explorer to run and go get the password sniffer.
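The "know what you expect to run" advice above can be turned into a repeatable check. The following is an added example, not code from the SANS course or from Microsoft: it assumes the registry has been exported to a REGEDIT4-format text file (the format REGEDIT /E writes on Windows 9x), parses the Run, RunOnce and RunServices keys, and reports every value whose name is not in a baseline you maintain. The export embedded below is constructed for the demonstration; "UnknownEntry" stands in for a program you never installed.

```python
"""Audit Windows 9x autostart entries from a registry export.

Added example, not from the SANS course. It assumes the registry was
exported to a REGEDIT4-format text file (what REGEDIT /E writes on
Windows 9x) and compares the Run, RunOnce and RunServices values against a
baseline of value names you expect to see. The export below is constructed
for the demonstration; 'UnknownEntry' stands in for a program you did not
install.
"""
import re

# Keys under which programs are started at boot or logon (lower-cased,
# because registry key names are case-insensitive).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

_SECTION = re.compile(r"^\[(.+)\]$")
# "Name"="value"  (string values only; hex: and dword: values are ignored)
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping (backslash-backslash and backslash-quote) in one pass."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: string_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_autostart(text, baseline):
    """Return sorted (key, value_name, command) tuples for every autostart
    value whose name is not in the baseline of expected names."""
    expected = {name.lower() for name in baseline}
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in AUTOSTART_KEYS:
            continue
        for name, command in values.items():
            if name.lower() not in expected:
                findings.append((key, name, command))
    return sorted(findings)


# Constructed export. ScanRegistry and SystemTray are typical Windows 98
# entries; Reminder is the MS Money loader from the course notes;
# UnknownEntry is a made-up program running from the temp directory.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Reminder"="C:\\Program Files\\Microsoft Money\\reminder.exe"
"UnknownEntry"="C:\\WINDOWS\\TEMP\\example.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"NotAutostart"="ignored.exe"
"""

BASELINE = {"ScanRegistry", "SystemTray"}

if __name__ == "__main__":
    for key, name, command in audit_autostart(SAMPLE_EXPORT, BASELINE):
        print(f"unexpected: {key}\\{name} = {command}")
```

The baseline is the list of value names you have verified once on a clean machine; anything else in the autostart keys is something to explain before the next reboot. Values under keys other than the autostart ones (the Explorer key in the sample) are parsed but not reported.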
5. (slide image only: System File Checker)

As you install and uninstall software, there are times when the application software will come with its own "enhanced" driver or operating system application. You may recall seeing a message from your operating system warning that a system file was about to be overwritten by an older file than the one you have. The logic is that the newer file must be better, and this makes a certain degree of sense. In general, the worst offenders seem to be networking cards. If you plan to network your Windows system, it can be worth your time to do a bit of Internet research first. This is especially true if you are considering running multiple operating systems such as Linux and Windows.

The System File Checker will make an effort at checking all of your system files against a known database (\Windows\Default.sfc). If it finds a file that it feels is the wrong one, you have the option to reinstall from your factory CD. It takes anywhere from a couple of minutes to several minutes to scan your system and can be a very prudent thing to do after installing software. The file we need to run is msinfo32.exe. Get to it by clicking on Start, Programs, Accessories, System Tools, System Information. The System File Checker is accessed from the Tools menu. Note that msinfo32.exe is also available on Windows 95, but it doesn't have the System File Checker.
6. FC

   MARKET~1 ZIP       593,208  03-04-00  9:19p marketing .zip
   MARKET~2 ZIP       593,208  03-04-00  9:23p
          27 file(s)      4,401,366 bytes
          12 dir(s)     2,005.71 MB free

   C:\My Documents>fc /b
   Comparing files marketing .zip and
   FC: no differences encountered

This slide shows a tool called FC, for File Compare. When you get a complaint from your operating system that you are about to overwrite a file, or if System File Checker is upset about a file, you might want to check it out before making a decision. Sometimes the file is actually the same, but the dates are different and this confuses Windows. FC also has a binary compare mode, FC /B file1 file2, that can be useful when trying to really dig into a file. If you have a suspected virus and a clean file from a backup, this can be a great way to see a virus or other malicious code.

Next we will spend a bit of time learning about our file system and where things tend to be stored. Windows tucks things everywhere, in temp and cache directories, and we have already mentioned your profile. In this next section of the course I want to sensitize you to two things: ways you can audit Windows 9x systems, but also the kinds of information others can get from your system, should the physical security ever be breached.
7. (slide image only: file Properties dialog)

The screenshot on this page was created by selecting a file with Windows Explorer, clicking with the right mouse button, and then selecting Properties. In a FAT and FAT32 directory listing the DOS attributes are listed; the four FAT attributes are:
- Read-only
- Hidden
- System
- Archive

Since most of your interaction with your file system in Windows will be with the Windows Explorer, we want to make sure we configure our Explorer so that it gives us the information we need to understand and audit our systems effectively. On your next slide you see that there are options to the Explorer that allow us to see system files that are not normally shown, as well as the file attributes.
8. Windows Explorer: View, Customize This Folder

From the screen shot above, select the boxes "Show all files" and "Show file attributes in detail view". Then, when you have the view in Windows Explorer set to "Details", the file attributes will display in the rightmost column (to the right of each file listing). This means that you will not normally notice these, but you can drag and drop (or resize) the columns in Explorer to enable you to see the attributes. Any time you are in the root drive of your disk, C:\, or in your Windows directory, C:\Windows, you should probably be aware of attributes and hidden files. Note that not ALL versions of Explorer shipped with Windows 98 appear to have the capability to display file attributes as shown adjacent to the lower arrow above.

CREDIT: SSA3_1. If you are taking this course for academic credit, email your instructor (or point of contact) a screen shot from Windows Explorer of a file with all four attributes set. If you have done backups recently and the archive bit is not set, that is fine as well. You can send a screen shot with RSH (Read-only, System, Hidden) showing. See note above. If you can't get the attributes to show in a column in Windows Explorer, select a file, right click on Properties, and take a screen shot of the result.
9. FAT and FAT32 File System
• FAT is a 16-bit address table for 2^16 (65,535) maximum clusters. This was the DOS and Windows 95 filesystem
• FAT32 was introduced in Windows 95 OSR2 and used in Windows 98
• Directory records are used to store names of files and directories contained in a directory

One tool to help us understand how the hard disk is organized is FDISK. This is run from the Windows Command Prompt. Type FDISK with no options and we see:

   Your computer has a disk larger than 512 MB. This version of Windows includes improved support for large disks, resulting in more efficient use of disk space on large drives, and allowing disks over 2 GB to be formatted as a single drive.

   IMPORTANT: If you enable large disk support and create any new drives on this disk, you will not be able to access the new drive(s) using other operating systems, including some versions of Windows 95 and Windows NT, as well as earlier versions of Windows and MS-DOS. In addition, disk utilities that were not designed explicitly for the FAT32 file system will not be able to work with this disk. If you need to access this disk with other operating systems or older disk utilities, do not enable large drive support.

Since FAT16 uses clusters to allocate files, with a 2^16 address size, it uses fairly large clusters. With FAT32's larger address space, clusters can be smaller and therefore the disk is better utilized.
10. FDISK

   Microsoft Windows 98 Fixed Disk Setup Program
   (C)Copyright Microsoft Corp. 1983 - 1998

   FDISK Options

   Current fixed disk drive: 1

   Choose one of the following:

   1. Create DOS partition or Logical DOS Drive
   2. Set active partition
   3. Delete partition or Logical DOS Drive
   4. Display partition information

   Enter choice: [4]

WARNING: You can really mess up your system messing with your partitions. At a minimum, have a bootable floppy with fdisk on it in case you make a mistake.

The FDISK slide shows the menu, and the results of running FDISK on my laptop are shown below. You see I only have one partition, and so of course it is active. Creating a second partition can be one way of hiding data on a computer. You can do this trivially so that it will not show up unless you run a tool like FDISK. If you like living dangerously, you can create the partition, write the data and then delete the partition. According to security researcher Bill Cheswick, he ran into this and so developed a tool for UNIX that did a raw disk read regardless of partition information.

   Display Partition Information

   Current fixed disk drive: 1

   Partition  Status  Type     Volume Label  Mbytes  System  Usage
   C: 1       A       PRI DOS                4126    FAT32   100%

   Total disk space is 4126 Mbytes (1 Mbyte = 1048576 bytes)
11. (slide image only: drive information)

This slide shows further information about the hard drive on my laptop. You can see it is a FAT32 system and the cluster size is 8 sectors. This is a common value for Windows 98 systems. Notice that it says there are two FATs. These are mirrored, and this is true for both FAT and FAT32 file systems. If there is a problem with the primary, the file system driver will complain and the system attempts to read from the secondary. If this happens, immediately begin to recover your most important data, and then reformat the drive when the backup is complete. Also, notice the "hidden sectors." This is commonly 32 sectors large on disks with a single partition and refers to the space between the physical beginning of the disk and the beginning of the first partition. Next we will look at the attributes of a given Windows 9x file. Recall that in the last section we learned about one file attribute, the hidden file attribute, using the ATTRIB command.
12. C:\Temp

Let's take a minute and review everything we have learned about hiding data. Someone can mark a file as hidden. Or give it a reasonable-sounding name in a crowded directory. Or give it a misleading extension, calling a .jpg an .exe or whatever. With a disk editor, they can add data after the end of file in a cluster. Malicious code can intercept reads to the disk and redirect the read to a new location. With a partition editor, one can create a partition in which to place data that is not accessible by typical commands and operating system utilities. While the partition may display using fdisk, the data is not readily accessible. With steganographic tools, you can hide a file inside of another file. Whew! That is a lot! And then we need to realize that Windows is a bit complex and files don't even have to be hidden if we don't know what to look for. This screen shot shows the C:\Temp directory, and Windows crams a lot of stuff there. Another location is C:\Windows. There are a number of directories here: your profile, another temp, temporary internet files, html, and of course there is the recycle bin on the desktop. If you ever have to audit a Windows 9x system to determine what someone has been doing, odds are there is data to find.
13. (slide image only: Tweak UI)

Tweak UI is a wonderful application. It comes on your CD-ROM, in the reskit tools directory. You'll need to install it manually after you install the OS. For the screen shot shown, on the far right is the paranoia mode. This makes bootup just a bit longer since it erases audit traces from your last login. From the screen shot above, you can see that the various selections clear or erase the indicated histories that were left behind by the previous user. These histories or audit trails can be valuable in identifying and recreating suspected security violations. Tools like these help you understand why, if you ever seize a computer, you must make every effort to produce the best backup you can before you turn the system off. If the system is already off, the best thing to do is pull the disk drive and make a copy of it. If you can't do that, you need to boot the computer from your own bootable disk and make the backup. Windows has its own cleanup utility in Start, Programs, Accessories, System Tools, Cleanup. This will remove a large number of the tracks a system leaves and will free up disk space. Again, this part of the course has two messages. One is where to find data; I hope that you will take the time to dig around your filesystem and see what is there. The second message is for you to understand how much information about you is on your system in the event someone accesses your computer.
14. Now Select the Working Backup

I don't know if you have ever seen a forensic tool in action or know what is possible with one. The next four slides or so will give you an overview of some typical forensic capabilities. I will take you on a tour of an investigative tool used to search a suspect drive. It can't find things any better than debug, Norton Utilities or any disk editor, but it has some time-saving features for the investigator. Before we begin the overview, let's quickly review some forensic "ground rules". They are a lot like what you see on TV or in the movies, where the investigator puts up a tape to keep observers from damaging the scene. We need to analyze the data in such a way that we do not change it, and we need to be able to show that we have a process to protect the data: a chain of custody. In this case, the evidence in question is a floppy disk that was found in the suspect's desk drawer. We should do a binary backup first using a tool like Safeback or Ghost and then work from the backup.
15. Remember Chain of Custody

We will use the exclusive lock, so that a process on our system doesn't muck with our data. This is where a tape recorder can be very useful in noting what you did, how and when you did it, and in what order. It provides great information to supplement the data you collect on magnetic media. Mention on the recorder that you are selecting exclusive lock.

[Editor's note: Chain of custody is a set of processes with a single goal: to ensure that any evidence used in a court or internal Human Resources hearing can be proven not to have been tampered with. In general, chain of custody involves describing the crime scene accurately and using approved steps to collect evidence. This slide shows such a step: by locking the volume, no other process should be able to write to it, preventing contamination of the evidence. Finally, the evidence must be stored in a tamper-proof manner.]
16. Save the Evidence File

Here we are choosing the disk location to store the evidence. When possible, I like to use a brand new Zip or Superdrive so all the evidence can be stored in a pristine location. Sometimes the easiest thing to do is to use the network. Norton Ghost and other disk imaging tools can be run in a mode to copy the disk bit by bit.
17. Label the Evidence File

This is one of the time-saving features of a tool like this over a simple disk editor. You can create a case file and, when you find things, simply mark them and they are saved in the case file. For years I had to use a notebook and write down the file name and disk location of any potential evidence; with a tool like this, you hit a checkbox and it is saved to your case file.
18. (slide image only: deleted files in the evidence viewer)

Here we see a large number of deleted files. This is an important concept. The FAT file system does not delete anything; it simply no longer allocates those clusters and makes them available for use. Even the filename is still there, though the first letter of the filename is marked with a question mark so the file system knows it is OK to reallocate the data. Note that the data is NOT erased when the file is deleted. The information remains on the media until such time that it is overwritten. The new information can be the result of one of several actions (disk defragmentation that moves information from one sector to another, creation of a new file, etc.). This means if you have a system that gets hit by one of these new nasty macro virus variants that delete files … STOP everything. The data is probably recoverable if you do not muck with the disk.

Now that we have the notion of such a tool in our minds, let's do a bit more exploring of some of the kinds of things we are likely to see on a drive. By now, if you have been doing your assignments of looking around, you know these are some sort of system files. This is the result of using the cleanup tool; I told it to get rid of unused applications as well as temporary internet files. There is one more tool we can run: Start, Programs, Accessories, System Tools, Disk Defragmenter.
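Three points from slides 7, 12 and 18 (the four DOS attributes in a directory entry, data surviving after end-of-file in a cluster, and deleted files whose data and name are still on the media) can all be seen in one small model. The following is an added example, not the course's code and not a real driver: it builds a tiny FAT16-style volume in memory following the 32-byte directory-entry layout (attributes at offset 11, first cluster at offset 26, size at offset 28), writes and deletes a few constructed files, lists entries including deleted ones, recovers a deleted file by assuming its clusters were contiguous, and reads the slack space after a small file that reused a cluster. Cluster size is 8 sectors of 512 bytes, the value shown on the course's laptop; everything else (volume size, names, contents) is made up for the demonstration.

```python
"""Tiny in-memory FAT16 volume: DOS attributes, the 0xE5 deleted marker,
data that survives deletion, and slack space past end-of-file.

Added example, not the course's code and not a real driver. It follows the
32-byte FAT directory-entry layout; volume size, cluster size (8 sectors of
512 bytes, as on the course's laptop) and all file contents are constructed.
"""
import struct

SECTOR = 512
CLUSTER_SIZE = 8 * SECTOR
DELETED = 0xE5                  # first name byte of a deleted directory entry
EOC = 0xFFFF                    # end-of-chain marker in the FAT
ATTR_BITS = [("R", 0x01), ("H", 0x02), ("S", 0x04), ("V", 0x08), ("D", 0x10), ("A", 0x20)]
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")   # name, ext, attr, reserved..., first cluster, size


class Fat16Volume:
    def __init__(self, clusters=16, root_entries=16):
        self.fat = [0] * (clusters + 2)              # data clusters are numbered from 2
        self.data = bytearray(clusters * CLUSTER_SIZE)
        self.root = bytearray(root_entries * ENTRY.size)

    def _span(self, cluster):
        start = (cluster - 2) * CLUSTER_SIZE
        return start, start + CLUSTER_SIZE

    def _chain(self, first):
        cluster = first
        while 2 <= cluster < len(self.fat):          # stops on EOC or a freed (0) entry
            yield cluster
            cluster = self.fat[cluster]

    def _entries(self):
        for off in range(0, len(self.root), ENTRY.size):
            raw = bytes(self.root[off:off + ENTRY.size])
            if raw[0] == 0x00:                       # 0x00: no entries past this point
                return
            yield off, raw

    def write_file(self, name, ext, data, attrs="A"):
        need = max(1, -(-len(data) // CLUSTER_SIZE))  # ceil(len / cluster size)
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == 0][:need]
        if len(free) < need:
            raise OSError("disk full")
        for i, cluster in enumerate(free):
            self.fat[cluster] = free[i + 1] if i + 1 < need else EOC
            start, _ = self._span(cluster)
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[start:start + len(chunk)] = chunk   # bytes past EOF are not touched
        attr = sum(bit for flag, bit in ATTR_BITS if flag in attrs)
        entry = ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr,
                           0, 0, 0, 0, 0, 0, 0, 0, free[0], len(data))
        for off in range(0, len(self.root), ENTRY.size):
            if self.root[off] in (0x00, DELETED):     # DOS reuses deleted slots
                self.root[off:off + ENTRY.size] = entry
                return free[0]
        raise OSError("root directory full")

    def delete_file(self, name):
        for off, raw in self._entries():
            if raw[0] != DELETED and raw[:8].decode().strip() == name:
                first = ENTRY.unpack(raw)[11]
                for cluster in list(self._chain(first)):
                    self.fat[cluster] = 0             # chain released; data NOT wiped
                self.root[off] = DELETED              # only the first name byte changes
                return
        raise FileNotFoundError(name)

    def list_entries(self, include_deleted=False):
        out = []
        for _, raw in self._entries():
            fields = ENTRY.unpack(raw)
            deleted = raw[0] == DELETED
            if deleted and not include_deleted:
                continue
            name = ("?" if deleted else chr(raw[0])) + fields[0][1:].decode().strip()
            out.append({"name": name, "ext": fields[1].decode().strip(),
                        "attrs": "".join(f for f, bit in ATTR_BITS if fields[2] & bit),
                        "deleted": deleted, "first_cluster": fields[11], "size": fields[12]})
        return out

    def read_file(self, entry):
        """Read a live file by following its FAT chain."""
        buf = bytearray()
        for cluster in self._chain(entry["first_cluster"]):
            start, end = self._span(cluster)
            buf += self.data[start:end]
        return bytes(buf[:entry["size"]])

    def recover_deleted(self, entry):
        """Undelete: the chain is gone, so assume the file was contiguous and
        read ceil(size / cluster) clusters starting at the first one."""
        need = max(1, -(-entry["size"] // CLUSTER_SIZE))
        start, _ = self._span(entry["first_cluster"])
        return bytes(self.data[start:start + need * CLUSTER_SIZE][:entry["size"]])

    def slack(self, entry):
        """Bytes between EOF and the end of the last cluster: whatever an
        earlier file left there is still readable."""
        chain = list(self._chain(entry["first_cluster"]))
        start, end = self._span(chain[-1])
        used = entry["size"] - (len(chain) - 1) * CLUSTER_SIZE
        return bytes(self.data[start + used:end])


def demo():
    """Constructed scenario: create, delete and overwrite a few files; return
    the volume, its entries (deleted included) and the original SECRET.TXT."""
    vol = Fat16Volume()
    vol.write_file("README", "TXT", b"hello", "A")
    vol.write_file("BIG", "BIN", b"X" * CLUSTER_SIZE, "A")    # fills cluster 3 exactly
    vol.delete_file("BIG")
    vol.write_file("SMALL", "TXT", b"ten bytes!", "A")         # first fit: lands in cluster 3
    secret = b"second quarter numbers\n" * 200                 # 4,600 bytes -> two clusters
    vol.write_file("SECRET", "TXT", secret, "A")
    vol.write_file("CONFIG", "SYS", b"files=30", "RHS")
    vol.delete_file("SECRET")
    entries = {e["name"]: e for e in vol.list_entries(include_deleted=True)}
    return vol, entries, secret


if __name__ == "__main__":
    vol, entries, secret = demo()
    for e in entries.values():
        print(f"{e['name']:8} {e['ext']:3} {e['attrs']:4} cluster={e['first_cluster']} size={e['size']}")
    print("SECRET recovered intact:", vol.recover_deleted(entries["?ECRET"]) == secret)
```

The recovery step only works because nothing has been written over clusters 4 and 5 since the deletion, which is exactly why the notes say to stop everything after a destructive virus: one new file or a defragmenter pass and the contiguous-clusters assumption no longer holds. The slack read shows the other side of the same coin, data from a file that was deleted and partly overwritten is still sitting after the new file's end-of-file.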
19. (slide image only: Disk Defragmenter)

This screen shot is the disk defragmenter we just described. It comes with Windows. FAT file systems in particular can get fragmented, but this can happen to the NT and Win 2K file system as well. When it is necessary to save data to the disk, the OS reads the FAT to find the first available free space on the disk to write the data. If the space available is insufficient to write all the data, the OS goes back to the FAT to find the next available space. The OS then goes to the new space and continues the write function. This back and forth continues until all data is written. The file gets scattered (fragmented) in pieces across the disk. This is one way in which disk fragmentation occurs. The defragmentation process reads the data and re-writes it to contiguous spaces on the disk, bringing each of the file's fragments together in one continuous chunk. However, these file movements and re-writes may overwrite valuable forensic evidence. During the defragmentation, all the unallocated clusters will be moved to the back of the drive. This makes it much harder (but not impossible) for anyone doing forensic analysis.
20. Win 98 After Defragment: Effect of Countermeasures

This screen shot shows the effect after the defragmenter has been run. The deleted files are gone. It might still be possible to recover some of the data from the unallocated and moved clusters by reading whatever data they may still hold. This is a time-consuming task; however, with good tools you can recover a lot of text information quickly. Reconstructing graphics and sound files takes a bit more work.