Windows Security Day 5

  1. Windows Security Day 5
     Security Essentials
     The SANS Institute
     Windows 98/ME Security - SANS ©2001

     This page intentionally left blank.
  2. Agenda
     • Windows Legacy Desktops
       – Overview
       – Security Issues
     • Windows NT
       – Overview
       – Security Issues
     • Windows 2000
       – Overview
       – Security Issues
     • Windows 2000/XP Desktops
     Windows Legacy Desktop Security - SANS ©2001
  3. Agenda (cont.)
     • Windows Backups
     • Windows Auditing
     • IIS
       – Overview
       – Security
  4. Windows Legacy Desktops Security

     In this module we are going to look at legacy Windows desktops. This includes Windows 98 and Me, which are similar. The most important thing to know about Windows 98 and ME is that there is no file security and no authentication is necessary. Even if you configure the system for multiple users and have a password screen at bootup, anyone can hit “Cancel” and still get in. Access to files depends on access to the machine. If you use passwords and have two users, each can see all of the other’s files on the hard drive and open any of them. There are three security techniques you can use: two of them, physical security and encryption, enforce security on Windows 98/Me; the third is reactive. Let’s look at an example. Joe travels around the world on business. His laptop is protected by physical security. Since he travels a lot, he tries to keep his laptop bag with him at all times. Still, there are times when Joe leaves it in the hotel room, or accesses the Internet and just hopes. Security for most Windows 98/ME users amounts to hope and nothing more. This section will suggest adding a layer of security, encryption, and introduce tools which can help you determine what is happening with your Windows 98/ME system.
  5. Windows Tools
     • System Configuration Editor
     • Startup
     • System File Checker
     • File Compare
     • File Attributes

     The first section of this course will be to learn some new tools that give us information about our system. Since everything we see will be inherited from the system’s startup processes, let’s cover the elevator version of the boot sequence. From the Power On Self Test (POST) by the ROM BIOS, we go to the disk and the secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database called the registry is consulted for system information. Virtual Device Drivers (VxDs) come next, followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your system is configured for multiple users, this is the point at which you log in and your personal password file, located at \Windows\.pwl, is examined; if you have a user profile, it is loaded from the user portion of the registry database, which is \Windows\Profiles\\user.dat. If you have never looked at your profile, I highly recommend a tour. Finally, if your system.ini has the line shell=Explorer.exe and you shut down cleanly the last time you used Windows, Windows Explorer will come up after you boot. Understanding your system and knowing how it operates are critical in order to properly secure that system.
  6. Startup files are critical to the operation of your system. If they are modified, the system may be unbootable, or you may run a virus or Trojan horse program without your knowledge every time you boot. You should learn the normal contents of your startup files so that you will recognize possible problems and intrusions. Before modifying your startup, it is always a really good idea to back up your registry! I start the scanregw program with the Run command: Start → Run → scanregw. It will then scan your registry and give you an opportunity to make a backup. Backups are stored in \Windows\Sysbckup. They are .cab (compressed) files. If you goof up, scanregw can use them to recover. Now we are equipped to look at our startup. Start → Run → sysedit will launch the System Configuration Editor and produce what you see on the slide. This is just a Notepad-style editor, but it makes it really easy to view or edit these startup files. You should see the system.ini Explorer entry we just mentioned. Your system may have nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 and ME like it was for MS-DOS, but you can use it to override the default behavior of IO.SYS. The reason you care about this is that if you use a boot disk to analyze a machine, you would want to alter the path variable so that the applications on your floppy or CD-ROM are executed before the ones on the suspect system’s hard drive. Remember, it could also be used by an attacker to run other programs on your system.
  7. If you are prone to typos, then you might be better served by msconfig, the System Configuration Utility, as shown on this screen. You know the drill by now: Start → Programs → msconfig. This is a GUI tool that does everything you can do with sysedit and more. It also identifies the programs that run at startup and lets you disable them. It really is worth your time to become familiar with your startup for a number of reasons. Note on the slide where it says “Reminder” and the option is unchecked. A partially functional version of MS Money was installed on this laptop. It was never used. Every time this laptop booted, time was lost while a Reminder file was loaded, and it cost memory as well. Microsoft products are fairly benign, but malicious software will use either the Run or RunOnce registry entries to install itself. If you are familiar with what you expect to run, then you may be able to identify and eliminate potentially destructive or abusive software.
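The notes above say to learn the normal contents of your startup files so that changes stand out. The Python script below, an added example that is not part of the SANS course material, turns that into a repeatable check: it parses the shell=, load= and run= lines of system.ini and win.ini, the program lines of autoexec.bat and an exported list of Run/RunOnce values, then diffs a current snapshot against a saved baseline. Every file content and registry value in it is a constructed sample, not taken from a real machine.

```python
# Startup keys the notes single out; a Trojan dropper or an "enhanced" installer
# usually shows up as a new or changed value in one of these.
WATCHED_INI_KEYS = {
    "system.ini": [("boot", "shell")],
    "win.ini": [("windows", "load"), ("windows", "run")],
}

def parse_ini(text: str) -> dict:
    """Minimal .ini parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def startup_entries(files: dict, run_keys: dict) -> dict:
    """Flatten every startup source into one {"source:item": command} map."""
    entries = {}
    for fname, keys in WATCHED_INI_KEYS.items():
        ini = parse_ini(files.get(fname, ""))
        for section, key in keys:
            value = ini.get(section, {}).get(key, "")
            if value:  # an empty load= or run= is the normal state
                entries[f"{fname}:{section}/{key}"] = value
    for line in files.get("autoexec.bat", "").splitlines():
        cmd = line.strip()  # any line that is not REM/ECHO/SET/PATH runs a program
        if cmd and not cmd.upper().startswith(("REM ", "@ECHO", "ECHO", "SET ", "PATH")):
            entries[f"autoexec.bat:{cmd.split()[0].lower()}"] = cmd
    for name, command in run_keys.items():  # values exported from the Run/RunOnce keys
        entries[f"registry:{name}"] = command
    return entries

def diff_startup(baseline: dict, current: dict) -> dict:
    """What was added, removed or changed since the baseline snapshot was taken."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }

# Constructed snapshots (not from a real machine): the baseline was taken right
# after a clean install; the current one has picked up three new launch points,
# one of them the benign MS Money "Reminder" entry mentioned in the notes.
BASELINE_FILES = {
    "system.ini": "[boot]\nshell=Explorer.exe\n[386Enh]\n",
    "win.ini": "[windows]\nload=\nrun=\n",
    "autoexec.bat": "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n",
}
BASELINE_RUN = {"ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun", "SystemTray": "SysTray.Exe"}
CURRENT_FILES = dict(BASELINE_FILES, **{
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\TEMP\\REM1NDER.EXE\n",
    "autoexec.bat": BASELINE_FILES["autoexec.bat"] + "C:\\WINDOWS\\TEMP\\UPDATE.COM\n",
})
CURRENT_RUN = dict(BASELINE_RUN, Reminder="C:\\PROGRA~1\\MSMONEY\\REMINDER.EXE")
REPORT = diff_startup(startup_entries(BASELINE_FILES, BASELINE_RUN),
                      startup_entries(CURRENT_FILES, CURRENT_RUN))
```

On a real Windows 9x machine the three .ini files live in C:\Windows and the Run/RunOnce values can be exported with regedit before being fed in as the run_keys dictionary.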
  8. As you install and uninstall software, there are times when the application software will come with its own “enhanced” driver or dynamic link library (DLL). You may recall seeing a message from your operating system warning that a system file was about to be overwritten with an older file than the one you have. Generally you do not want to overwrite newer files with older ones. The logic is that the newer file must be better, and this makes a certain degree of sense. In general the worst offenders seem to be networking cards. If you are responsible for configuring networking services for a Windows system, it can be worth your time to do a bit of Internet research first. This is especially true if you are considering running multiple operating systems such as Linux and Windows. The System File Checker will make an effort to check all of your system files against a known database (\Windows\Default.sfc). If it finds a file that it feels is the wrong one, you have the option to reinstall from your factory CD. It only takes a couple of minutes to scan your system and can be a very prudent thing to do after installing software.
  9. Startup Cop Main Console

     Startup Cop is a free download from the publishers of PC Magazine that supplements the functionality found in the System Configuration Utility. In addition, it allows for permanent deletion of startup items and provides the ability to use startup profiles. When Startup Cop is initially run, it displays all the items that will run at startup. Another nice feature of Startup Cop is that it shows which user the entry applies to and when the startup item will be executed. Startup programs can be disabled and enabled through Startup Cop. Clicking the ‘Detail’ button provides information in a popup window that can be very helpful when dealing with Trojans, because it tells where the program is located and where in the file system the startup entry was found. It also allows for the permanent deletion of the entry. This makes it easier to clean up after the Trojan.
  10. Saving A Startup Profile

     If a Trojan’s name is sufficiently obfuscated, it may look like a critical system routine. Under these circumstances, you may be reluctant to disable the item. Through the use of startup profiles, you can safely try various startup combinations. If your aim is to suppress certain startup programs, you should mark only those programs as disabled and then save a profile of disabled items. When you restore this profile, the specified programs will be disabled and all other programs will be enabled. If your aim is to load a minimal set of startup programs, you should mark only those programs as enabled, and then save a profile of enabled items.
  11. Restoring A Startup Profile

     The Restore Profile dialog provides two interesting options. In addition to restoring the profile, it allows you to choose to restart the system or to log off. If a startup item was located in the HKEY_LOCAL_MACHINE section of the registry, you should choose the restart option, because it will not be launched simply by logging back in. The Shortcut option places a Startup Cop profile restore on the desktop with the same options as are available with the Restore option.
  12. FC

        MARKET~1 ZIP       593,208  03-04-00  9:19p marketing .zip
        MARKET~2 ZIP       593,208  03-04-00  9:23p
              27 file(s)      4,401,366 bytes
              12 dir(s)      2,005.71 MB free

        C:\My Documents>fc /b
        Comparing files marketing .zip and
        FC: no differences encountered

     This slide shows a tool called FC, for File Compare. When you get a complaint from your operating system that you are about to overwrite a file, or if System File Checker is upset about a file, you might want to check it out before making a decision. Sometimes the file is actually the same, but the dates are different and this confuses Windows. FC also has a binary compare mode, FC /B file1 file2, that can be useful when you are trying to really dig into a file. If you have a suspected virus and a clean file from a backup, this can be a great way to see a virus or other malicious code. Next we will spend a bit of time learning about our file system and where things tend to be stored. Windows tucks things everywhere: in temp and cache directories, and we have already mentioned your profile. In this next section of the course, I want to sensitize you to two things: ways you can audit Windows systems, but also the kinds of information others can get from your system, should the physical security ever be breached.
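As an added example (not from the course), the Python below combines the two checks described on this slide and on the System File Checker slide: a hash baseline that plays the role of \Windows\Default.sfc, and a byte-by-byte compare of the suspect copy of a file against the clean copy from backup, rendered in the style of FC /B output. The output layout is an assumption modelled on FC, and the file contents are constructed.

```python
import hashlib

def build_baseline(files: dict) -> dict:
    """One digest per known-good file: the job \\Windows\\Default.sfc does for System File Checker."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def verify_files(files: dict, baseline: dict) -> dict:
    """Classify each file as ok, modified, missing or unexpected against the baseline."""
    status = {}
    for name, digest in baseline.items():
        if name not in files:
            status[name] = "missing"
        else:
            status[name] = "ok" if hashlib.sha256(files[name]).hexdigest() == digest else "modified"
    for name in files:
        status.setdefault(name, "unexpected")  # present on disk but never baselined
    return status

def fc_binary(a: bytes, b: bytes) -> list:
    """Byte-by-byte compare over the common length: (offset, byte_in_a, byte_in_b)."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]

def format_fc(name_a: str, a: bytes, name_b: str, b: bytes) -> str:
    """Render the compare the way FC /B reports it (layout is an assumption modelled on FC)."""
    lines = [f"Comparing files {name_a} and {name_b}"]
    diffs = fc_binary(a, b)
    lines.extend(f"{off:08X}: {x:02X} {y:02X}" for off, x, y in diffs)
    if len(a) != len(b):
        longer, shorter = (name_a, name_b) if len(a) > len(b) else (name_b, name_a)
        lines.append(f"FC: {longer} longer than {shorter}")
    elif not diffs:
        lines.append("FC: no differences encountered")
    return "\n".join(lines)

# Constructed sample (no real files): a clean copy restored from backup and the
# suspect copy on disk, which has two patched bytes and an appended block.
CLEAN = bytes(range(64))
SUSPECT = bytearray(CLEAN)
SUSPECT[0x10:0x12] = b"\xFF\xFE"
SUSPECT += b"\x00" * 8
SUSPECT = bytes(SUSPECT)

BACKUP_BASELINE = build_baseline({"MARKETING.ZIP": CLEAN, "SYSTEM.DAT": b"constructed hive sample"})
CURRENT_FILES = {"MARKETING.ZIP": SUSPECT, "EXTRA.DLL": b"never baselined"}
STATUS = verify_files(CURRENT_FILES, BACKUP_BASELINE)
FC_REPORT = format_fc("marketing.zip (backup)", CLEAN, "marketing.zip (disk)", SUSPECT)
```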
  13. The screenshot on this page was created by selecting a file with Windows Explorer, clicking with the right mouse button, and then selecting Properties. In a FAT and FAT32 directory listing the DOS attributes are listed. The four FAT attributes are:
     - Read-only
     - Hidden
     - System
     - Archive
     Since most of your interaction with your file system in Windows will be with Windows Explorer, we want to make sure we configure Explorer so that it gives us the information we need to understand and audit our systems effectively. On the next slide, you see that there are options in Explorer that allow us to see system files that are not normally shown, and attributes as well.
  14. Windows Explorer: View → Customize This Folder

     The attributes will show up on the right hand side. This means that you will not normally notice these, but you can drag and drop to change the order. Any time you are in the root drive of your disk (C:\) or in your Windows directory (C:\windows), you should probably be aware of attributes and hidden files. I recommend always selecting “show all files.” You never want the operating system to hide files, because they could be critical to investigating a security incident.
  15. FAT and FAT32 File System
     • FAT is a 16-bit address table for 2^16 (65,535) maximum clusters. This was the DOS and Windows 95 file system
     • FAT32 introduced in Windows 95 OSR2 and used in Windows 98
     • Directory records are used to store names of files and directories contained in directory

     One of the most important tools to explore the hard drive is FDISK. This is run from the Windows command prompt. Type fdisk with no options and we see:

        Your computer has a disk larger than 512 MB. This version of Windows includes improved support for large disks, resulting in more efficient use of disk space on large drives, and allowing disks over 2 GB to be formatted as a single drive.

        IMPORTANT: If you enable large disk support and create any new drives on this disk, you will not be able to access the new drive(s) using other operating systems, including some versions of Windows 95 and Windows NT, as well as earlier versions of Windows and MS-DOS. In addition, disk utilities that were not designed explicitly for the FAT32 file system will not be able to work with this disk. If you need to access this disk with other operating systems or older disk utilities, do not enable large drive support.

     Since FAT16 uses clusters to allocate files, with a 2^16 address space it uses fairly large clusters. With FAT32’s larger address space, clusters can be smaller and therefore the disk is better utilized. FAT16 and FAT32 offer no security features. You cannot protect local files and folders with access permissions.
  16. Tweak UI is a wonderful application. It comes on your Windows 98 CD-ROM, in the \tools\reskit\powertoy directory. The screenshot shown is the “Paranoia” mode. This makes bootup just a bit longer, since it audits traces from your last login. Tools like these help you understand why, if you ever seize a computer, you must make every effort to produce the best backup you can before you turn the system off. If the system is already off, the best thing to do is pull the disk drive and make a copy of it. If you can’t do that, you need to boot the computer from your own bootable disk and make the backup. Windows has its own cleanup utility in Start → Programs → Accessories → System Tools → Cleanup. This will remove a large number of the tracks a system leaves and will free up disk space. Again, this part of the course has two messages; one is where to find data. I hope that you will take the time to dig around your filesystem and see what is there. The second message is for you to understand how much information about you is on your system in the event someone accesses your computer. Another important note is to be careful with CDs that automatically run via the autorun file. This will work even if you use password-protected screen savers and they are enabled. If an attacker inserts a CD, the program will run in the background. This can be used to install Trojan horses and other programs.
  17. When files are deleted, the data is not erased; instead the area is marked as ready for use. Data is also never automatically moved around and consolidated. A disk defragmenter can help by rearranging data on a disk. Instead of files of many parts spread all over the disk, a defragmenter consolidates file fragments and empty space. Legacy Windows systems have a defragmenter. FAT and FAT32 file systems in particular can get fragmented, but fragmentation also occurs with the NTFS file system used in Windows NT and 2000. When you run the disk defragmenter, all of the unallocated clusters will be moved to the back of the drive. This makes it much harder for anyone to do forensic analysis, but not impossible. After defragmentation, deleted files are no longer in the directory. Many times their data still exists in the “back of the disk”. So I begin at the last file and, as you can see, I can recover a lot of the data. The defragmenter moves the clusters in order, so the first 20 or so clusters are all deleted email. If you use Windows and you do not want your data recovered easily, it is necessary to remove the data with something more destructive than delete. Deleting data files on most operating systems does not clear the data from the physical drive, but simply removes an entry from the file system’s database. This is true for the FAT/FAT32 file system (used in DOS and Windows 3.11/95/98), NTFS/NTFS2 (used in Windows NT and 2000 respectively) and also for Macintosh, OS/2, and most Unix flavors. But things get worse. Even if new information is written over the physical location of the data file, it is still possible to extract the old information, due to the magnetic properties of physical disks. Products like BCWipe, available from Jetico, will overwrite deleted data with 1’s, 0’s, and random data.
  18. Hiding Data
     • Obscuring
     • Password Protection
     • Encryption

     Security through obscurity is often derided as being of no use at all. However, you can make data harder to find by hiding it in unexpected places. Virus and Trojan writers use this technique and you can too. Because there are so many files on Windows systems, these file additions often go unnoticed. Files can be placed in folders within folders and then marked with the hidden attribute. This will stop a determined intruder for about 5 seconds. However, the ordinary person, who is merely viewing your file system out of curiosity, will be more interested in files that are clearly visible and have titles such as ‘financial.dat’ or ‘payroll.txt’. Some software programs allow you to store data files with password protection. You create a password and use it when storing and retrieving files. While this will stop the casual malingerer, it will not prevent anyone who wishes to spend a few minutes on the Internet, where she can find programs which crack these passwords. Encryption, properly done and religiously applied, can keep unwanted people out. A typical scheme uses a special number, or key, and a complicated mathematical algorithm to scramble data. Without the key, the data cannot be recovered. Windows legacy systems do not have a built-in file encryption tool. You will have to purchase a tool and use it wisely. Encryption is not a panacea: if a weak algorithm is used, if it is dependent on the Windows legacy system password, if the password is easy to guess, or if it is written down and easily viewable, then encryption offers no security either. Let’s take a minute and think about hiding data. Someone can mark a file as hidden, or give it a reasonable sounding name in a crowded directory, or give it a misleading extension, calling a .jpg an .exe or whatever. With a disk editor, they can add data after the end of a file in a cluster. Malicious code can intercept reads to the disk and redirect the read to a new location. With a partition editor, like fdisk, one can create a partition to hide data and not mark it as active. Utilities are available, such as S-Tools, that allow you to hide a file inside of another file. Whew! Then we need to realize that Windows is a bit complex and files don’t even have to be hidden if we don’t know what to look for. If you ever have to audit a Windows 9x system to determine what someone has been doing, odds are there is so much data it will take a long time to find.
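The following Python, an added example rather than course material, makes three points from the file attributes, deletion and hiding-data slides concrete: it parses a constructed FAT16 directory sector, decodes the four DOS attribute bits (plus volume and directory), flags entries whose first name byte was replaced by 0xE5 on deletion while their start cluster and size survived, and computes the slack space in each file's last cluster, which is where a disk editor can tuck bytes after the end of a file. The 4096-byte cluster size and every entry in the sample are assumptions; nothing is read from a real disk.

```python
import struct

CLUSTER_SIZE = 4096  # assumed; a large FAT16 volume would use bigger clusters still
ATTR_BITS = [(0x01, "R"), (0x02, "H"), (0x04, "S"), (0x08, "V"), (0x10, "D"), (0x20, "A")]

def make_entry(name: str, ext: str, attrs: int, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build one 32-byte FAT16 directory entry (timestamps zeroed) for the constructed sample."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = b"\xE5" + raw[1:]  # delete only overwrites the first character of the name
    # attrs, NT reserved, ctime tenths, ctime, cdate, adate, high cluster, wtime, wdate, low cluster, size
    return raw + struct.pack("<BBBHHHHHHHI", attrs, 0, 0, 0, 0, 0, 0, 0, 0, cluster, size)

def parse_directory(sector: bytes) -> list:
    """Decode every 8.3 entry in a directory sector, deleted ones included."""
    entries = []
    for off in range(0, len(sector) - 31, 32):
        raw = sector[off:off + 32]
        if raw[0] == 0x00:
            break  # 0x00 marks the end of the used entries
        if raw[11] & 0x0F == 0x0F:
            continue  # VFAT long-name fragment, not a file record
        deleted = raw[0] == 0xE5
        base = ("?" + raw[1:8].decode("ascii", "replace") if deleted else raw[0:8].decode("ascii", "replace")).rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", raw, 26)
        allocated = -(-size // CLUSTER_SIZE) * CLUSTER_SIZE  # whole clusters; EOF rarely lands on a boundary
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "attrs": "".join(flag for bit, flag in ATTR_BITS if raw[11] & bit),
            "cluster": cluster,
            "size": size,
            "slack": allocated - size,  # bytes past EOF in the last cluster, where a disk editor can stash data
            "deleted": deleted,
        })
    return entries

def recoverable(sector: bytes) -> list:
    """Deleted entries whose start cluster and size survived: their clusters still hold the data until reused."""
    return [e for e in parse_directory(sector) if e["deleted"] and e["cluster"] and e["size"]]

# Constructed root-directory sector, not from any real disk: three live files,
# one deleted mailbox, then the 0x00 terminator.
SAMPLE_DIR = b"".join([
    make_entry("PAYROLL", "TXT", 0x20, 3, 2048),
    make_entry("SECRET", "DAT", 0x02 | 0x04 | 0x20, 5, 5000),  # hidden + system: the "obscuring" trick
    make_entry("INBOX", "DBX", 0x20, 9, 40960, deleted=True),  # first name byte is now 0xE5
    make_entry("README", "TXT", 0x01 | 0x20, 20, 100),
]) + bytes(32)
```

Running parse_directory over a real root directory (512 bytes per sector, read with a raw-disk tool from your own boot media) lists the hidden and system entries that Explorer's default view suppresses.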
  19. Review of Concepts
     • Tools to help you understand and repair Windows 9x
     • Windows Startup process
     • Introduction to the Registry
     • FAT file system does not delete files
     • Windows leaves a tremendous amount of user data scattered about
     • Defragmentation moves de-allocated clusters to back of the hard drive

     This is the end of our tour of Windows. If you work with the tools and investigate the places I have shown you, you will be amazed how much better you understand your system. Don’t get too brave; make backups before going too wild, or simply load an operating system on a non-production machine and play. You now have a solid foundation. If you need to audit or inspect a system, you know where to look and what to look for. You should also better understand the vulnerabilities this operating system has and how to protect your valuable information.
  20. Course History
     v1.1 – edited E. Cole – June 2001
     v1.1a – edited and audio – June 2001
     v1.2 – edited/formatted – June 2001
     v1.3 – edited by E. Cole – Aug 10 2001
     v1.3a – edited December 2001
     v1.4 – edited by Roberta Bragg – December 2001
     v1.4a – edited and audio recorded by Carla Wendt – Jan 10 2002