Windows Security Day 5 (doc)


Windows Security Day 5
Security Essentials, The SANS Institute
Windows 98/ME Security - SANS ©2001

Agenda
• Windows Legacy Desktops: Overview, Security Issues
• Windows NT: Overview, Security Issues
• Windows 2000: Overview, Security Issues
• Windows 2000/XP Desktops

Agenda (cont.)
• Windows Backups
• Windows Auditing
• IIS: Overview, Security

Windows Legacy Desktops Security

In this module we look at legacy Windows desktops, meaning Windows 98 and Windows Me, which are similar. The most important thing to know about Windows 98 and Me is that there is no file security and no authentication is required. Even if you configure the system for multiple users and get a password prompt at boot, anyone can click "Cancel" and still get in. Access to files depends only on access to the machine: if you set up passwords for two users, each can see and open every file the other has on the hard drive.

There are three security techniques you can use. Two of them, physical security and encryption, actually enforce security on Windows 98/Me; the third, auditing with the tools introduced in this section, is reactive. Consider an example. Joe travels around the world on business. His laptop is protected by physical security: because he travels so much, he tries to keep his laptop bag with him at all times. Still, there are times when Joe leaves it in the hotel room, or connects to the Internet and simply hopes. Security for most Windows 98/Me users amounts to hope and nothing more. This section suggests adding a layer of encryption and introduces tools that help you determine what is happening on your Windows 98/Me system.
Windows Tools
• System Configuration Editor
• Startup
• System File Checker
• File Compare
• File Attributes

The first part of this course introduces some tools that give us information about our system. Since everything we see is inherited from the system's startup process, here is the elevator version of the boot sequence. After the Power On Self Test (POST) by the ROM BIOS, control goes to the disk and the secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database called the registry is consulted for system information. Virtual Device Drivers (VxDs) come next, followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your system is configured for multiple users, this is the point at which you log in and your personal password file, \Windows\<yourusername>.pwl, is examined; if you have a user profile, it is loaded from the user portion of the registry database, \Windows\Profiles\<yourusername>\user.dat. If you have never looked at your profile, I highly recommend a tour. Finally, if your system.ini contains the line shell=Explorer.exe and you shut down cleanly the last time you used Windows, Windows Explorer comes up after you boot. Understanding your system and knowing how it operates are critical to securing it properly.

Startup files are critical to the operation of your system. If they are modified, the system may become unbootable, or you may run a virus or Trojan horse program without your knowledge every time you boot. Learn the normal contents of your startup files so that you will recognize possible problems and intrusions. Before modifying your startup, it is always a good idea to back up your registry. I start the scanregw program from the Run command: Start → Run → scanregw.
It then scans your registry and gives you an opportunity to make a backup. Backups are stored in \Windows\Sysbckup as .cab (compressed) files; if you goof up, scanregw can use them to recover. Now we are equipped to look at our startup. Start → Run → sysedit launches the System Configuration Editor, shown on the slide. This is just a Notepad-style editor, but it makes it easy to view or edit the startup files. You should see the system.ini Explorer entry we just mentioned. Your system may have nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 and Me as it was for MS-DOS, but you can use it to override the default behavior of IO.SYS. The reason you care is that if you use a boot disk to analyze a machine, you will want to alter the PATH variable so that the applications on your floppy or CD-ROM are executed before the ones on the suspect system's hard drive. Remember that an attacker can use the same mechanism to run other programs on your system.

If you are prone to typos, you may be better served by msconfig, the System Configuration Utility, shown on this screen. You know the drill by now: Start → Run → msconfig. This GUI tool does everything you can do with sysedit and more; it also identifies the programs that run at startup and lets you disable them. It really is worth your time to become familiar with your startup, for a number of reasons. Note on the slide where it says "Reminder" and the option is unchecked. A partially functional version of MS Money was installed on this laptop and never used, yet every time the laptop booted, time was lost while a Reminder file loaded, and it cost memory as well. Microsoft products are fairly benign, but malicious software will use the Run or RunOnce registry entries to install itself.
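One way to turn "learn the normal contents of your startup files" into a repeatable check, as an added example that is not part of the SANS course material: the script below parses the win.ini load= and run= directives and the system.ini shell= directive that sysedit and msconfig show you, and reports every program that differs from a baseline recorded while the machine was known to be clean. The .ini contents, the baseline dictionary and the program names on the "suspect" machine (winup.exe, msvcrt.com) are constructed for the example. The Run and RunOnce registry keys are deliberately not covered: the Windows 9x registry is a binary file that this script does not parse.

```python
"""Audit Windows 9x .ini startup directives against a known-good baseline.

Added example, not part of the SANS course. sysedit and msconfig let you read
win.ini and system.ini by hand; this script does the same comparison
mechanically. The .ini texts, the baseline and the program names on the
"suspect" machine (winup.exe, msvcrt.com) are constructed for the example.
"""
import re

# Directives that start programs. win.ini [windows] load= and run= may list
# several programs separated by spaces or commas; system.ini [boot] shell=
# names the shell, normally just Explorer.exe. An extra token on shell= is a
# classic way to launch something alongside the shell at every boot.
WATCHED = {
    "win.ini": {"windows": ("load", "run")},
    "system.ini": {"boot": ("shell",)},
}


def parse_ini(text):
    """Return {section: {key: value}} for .ini text; section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_programs(value):
    """Split a load=/run=/shell= value into individual program tokens."""
    return [p.lower() for p in re.split(r"[,\s]+", value) if p]


def startup_entries(files):
    """files maps file name -> text. Returns {(file, section, key): [programs]}."""
    found = {}
    for name, spec in WATCHED.items():
        ini = parse_ini(files.get(name, ""))
        for section, keys in spec.items():
            for key in keys:
                found[(name, section, key)] = split_programs(ini.get(section, {}).get(key, ""))
    return found


def audit(files, baseline):
    """Return sorted (file, section, key, program, status) tuples, where status is
    'added' (runs now, not in the baseline) or 'removed' (in the baseline, gone now)."""
    findings = []
    for loc, programs in startup_entries(files).items():
        expected = set(baseline.get(loc, []))
        findings += [loc + (p, "added") for p in programs if p not in expected]
        findings += [loc + (p, "removed") for p in expected if p not in programs]
    return sorted(findings)


# Constructed sample: the machine while it was known to be clean ...
CLEAN = {
    "win.ini": "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n",
    "system.ini": "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vshare\n",
}
BASELINE = startup_entries(CLEAN)

# ... and later, after something appended a program to run= and to shell=.
SUSPECT = {
    "win.ini": "[windows]\nload=\nrun=c:\\windows\\system\\winup.exe\n[Desktop]\nWallpaper=(None)\n",
    "system.ini": "[boot]\nshell=Explorer.exe c:\\windows\\msvcrt.com\n[386Enh]\ndevice=*vshare\n",
}

if __name__ == "__main__":
    for f, sec, key, prog, status in audit(SUSPECT, BASELINE):
        print(f"{status:7} {f} [{sec}] {key}= {prog}")
```

To use it on a real machine, read \Windows\win.ini and \Windows\system.ini into the dictionary in place of the constructed text, and store the baseline somewhere the machine cannot modify, for instance on the boot floppy you analyze it from; a baseline kept on the suspect disk can be edited by the same software that edited the startup files.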
If you are familiar with what you expect to run, you may be able to identify and eliminate potentially destructive or abusive software.

As you install and uninstall software, there are times when the application comes with its own "enhanced" driver or dynamic link library (DLL). You may recall seeing a message from your operating system warning that a system file was about to be overwritten with a file older than the one you have. Generally you do not want to overwrite newer files with older ones; the logic is that the newer file should be better, and this makes a certain degree of sense. In general the worst offenders seem to be networking cards. If you are responsible for configuring networking services for Windows systems, it can be worth your time to do a bit of Internet research first, especially if you are considering running multiple operating systems such as Linux and Windows. The System File Checker checks your system files against a known database (\Windows\Default.sfc). If it finds a file it considers wrong, you have the option to reinstall it from your factory CD. A scan takes only a couple of minutes and is a very prudent thing to do after installing software.

Startup Cop Main Console

Startup Cop is a free download from the publishers of PC Magazine (http://www.pcmag.com) that supplements the functionality of the System Configuration Utility. In addition, it allows permanent deletion of startup items and provides startup profiles. When Startup Cop is first run, it displays all the items that will run at startup. Another nice feature is that it shows which user each entry applies to and when the startup item will be executed. Startup programs can be disabled and enabled through Startup Cop.
Clicking the "Detail" button opens a popup window with information that can be very helpful when dealing with Trojans: it tells you where the program is located and where in the file system the startup entry was found. It also allows permanent deletion of the entry, which makes it easier to clean up after the Trojan.

Saving a Startup Profile

If a Trojan's name is sufficiently obfuscated, it may look like a critical system routine, and you may be reluctant to disable the item. Startup profiles let you safely try various startup combinations. If your aim is to suppress certain startup programs, mark only those programs as disabled and then save a profile of disabled items; when you restore this profile, the specified programs are disabled and all others are enabled. If your aim is to load a minimal set of startup programs, mark only those programs as enabled and then save a profile of enabled items.

[...] critical to investigating a security incident.

FAT and FAT32 File System
• FAT is a 16-bit address table, so it can number at most 2^16 (65,536) clusters. This was the DOS and Windows 95 file system.
• FAT32 was introduced in Windows 95 OSR2 and is used in Windows 98.
• Directory records store the names of the files and directories contained in a directory.

One of the most important [...]

[...] available with the Restore option.

FC

    MARKET~1 ZIP       593,208  03-04-00  9:19p marketing zip
    MARKET~2 ZIP       593,208  03-04-00  9:23p Marketing.zip
          27 file(s)      4,401,366 bytes
          12 dir(s)     2,005.71 MB free

    C:\My Documents>fc /b market~1.zip market~2.zip
    Comparing files marketing zip and market~2.zip
    FC: no differences encountered

This slide shows a tool called [...]
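The two comparisons above, the System File Checker's check of every system file against a stored database and the byte-for-byte fc /b on the slide, as an added example rather than the course's own code: build_database() records the size and SHA-256 digest of every file below a directory (it does not read SFC's Default.sfc format; the database is the script's own dictionary), verify() reports files that were changed, added or removed since the snapshot, and first_difference() does what fc /b does, returning the offset of the first mismatching byte. The "system" tree it works on is constructed in a temporary directory; the DLL names and contents are made up.

```python
"""File integrity in the spirit of the System File Checker and "fc /b".

Added example, not the course's own code and not SFC's Default.sfc format:
build_database() records size and SHA-256 for every file under a directory,
verify() reports files that were changed, added or removed since, and
first_difference() does what "fc /b" does, a byte-for-byte comparison that
returns the offset of the first mismatch. demo() builds a small tree of
constructed files in a temporary directory, tampers with it and checks it.
"""
import hashlib
import os
import tempfile

CHUNK = 65536


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_database(root):
    """Return {relative_path: (size, sha256)} for every file below root."""
    db = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            db[rel] = (os.path.getsize(full), sha256_file(full))
    return db


def verify(root, db):
    """Compare the tree under root with a database from build_database()."""
    now = build_database(root)
    return {
        "changed": sorted(p for p in db if p in now and now[p] != db[p]),
        "added": sorted(p for p in now if p not in db),
        "missing": sorted(p for p in db if p not in now),
    }


def first_difference(path_a, path_b):
    """Byte compare like 'fc /b'. None when identical; otherwise
    (offset, byte_a, byte_b), with None for the byte the shorter file lacks."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a == b:
                if not a:
                    return None          # both at EOF with no mismatch
                offset += len(a)
                continue
            for i in range(max(len(a), len(b))):
                ba = a[i] if i < len(a) else None
                bb = b[i] if i < len(b) else None
                if ba != bb:
                    return (offset + i, ba, bb)


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Snapshot a constructed 'system' tree, tamper with it, verify, then run an fc-style compare."""
    root = tempfile.mkdtemp(prefix="sfcdemo-")
    _write(root, "system/kernel32.dll", b"KERNEL32 build 4.10.1998 " * 100)
    _write(root, "system/wsock32.dll", b"WSOCK32 Microsoft build " * 50)
    _write(root, "win.ini", b"[windows]\r\nload=\r\nrun=\r\n")
    db = build_database(root)

    # An installer "downgrades" wsock32.dll and drops a DLL of its own.
    _write(root, "system/wsock32.dll", b"WSOCK32 vendor build 1.0 " * 50)
    _write(root, "system/tcpsvc.dll", b"not in the baseline")
    report = verify(root, db)

    # fc /b on two files that differ in one byte, and on a file against itself.
    _write(root, "a.zip", b"marketing data")
    _write(root, "b.zip", b"markEting data")
    mismatch = first_difference(os.path.join(root, "a.zip"), os.path.join(root, "b.zip"))
    same = first_difference(os.path.join(root, "a.zip"), os.path.join(root, "a.zip"))
    return report, mismatch, same


if __name__ == "__main__":
    report, mismatch, same = demo()
    for status, paths in report.items():
        for p in paths:
            print(f"{status:8} {p}")
    print("fc /b first difference:", mismatch, "identical:", same)
```

Like the startup baseline, the digest database is only as trustworthy as where you keep it: an attacker who can replace a DLL can also rewrite a database stored on the same disk, so keep it on read-only media or on another machine.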
[...] section of the course, I want to sensitize you to two things: ways you can audit Windows systems, and the kinds of information others can get from your system should physical security ever be breached.

The screenshot on this page was created by selecting a file in Windows Explorer, clicking it with the right mouse button, and then selecting [...]

[...] address space, clusters can be smaller and therefore the disk is better utilized. FAT16 and FAT32 offer no security features: you cannot protect local files and folders with access permissions.

Tweak UI is a wonderful application. It comes on your Windows 98 CD-ROM, in the \tools\reskit\powertoy directory. The screenshot shown is the "Paranoia" mode. This [...]

[...] enable large disk support and create any new drives on this disk, you will not be able to access the new drive(s) using other operating systems, including some versions of Windows 95 and Windows NT, as well as earlier versions of Windows and MS-DOS. In addition, disk utilities that were not designed explicitly for the FAT32 file system will not be able to work with this disk. If you need to access this [...]

[...] file system in Windows will be with Windows Explorer, we want to make sure we configure Explorer so that it gives us the information we need to understand and audit our systems effectively. On the next slide you see that Explorer has options that let us see system files that are not normally shown, and file attributes as well.

Windows Explorer View, Customize This Folder [...]
[...] you use Windows and you do not want your data recovered easily, it is necessary to remove the data with something more destructive than delete. Deleting a data file on most operating systems does not clear the data from the physical drive; it simply marks the file's entry in the file system's database as free, and the data stays on disk until something overwrites it. This is true for the FAT/FAT32 file system (used in DOS and Windows 3.11/95/98), NTFS/NTFS2 (used in Windows [...]

Hiding Data
• Obscuring
• Password Protection
• Encryption

Security through obscurity is often derided as being of no use at all. However, you can make data harder to find by hiding it in unexpected places. Virus and Trojan writers use this technique, and you can too. Because there are so many files on Windows systems, these file additions often go unnoticed [...]

[...] Whew! Then we need to realize that Windows is a bit complex, and files don't even have to be hidden if we don't know what to look for. If you ever have to audit a Windows 9x system to determine what someone has been doing, odds are there is so much data that it will take a long time to find.

Review of Concepts
• Tools to help you understand and repair Windows 9x
• Windows startup process
• Introduction to the Registry
• FAT file system does not delete files
• Windows leaves a tremendous amount of user data scattered about
• Defragmentation moves de-allocated clusters to the back of the hard drive

This is the end of our tour of Windows. If you work with the tools and investigate the places I have shown you, you will be amazed [...]
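What "FAT file system does not delete files" looks like at the byte level, as an added example that is not part of the course: on FAT12/16/32 a delete overwrites only the first byte of the file's 32-byte directory entry with 0xE5 and frees its cluster chain in the FAT. The other seven name characters, the extension, the size and the first cluster number remain in the entry, and the data remains in the clusters until something reuses them. The script builds a small root directory with struct.pack (the names, cluster numbers and sizes are made up), parses it back out including the deleted entry, estimates which clusters the deleted file occupied, and computes the per-file slack that the "clusters can be smaller" point about FAT32 refers to.

```python
"""Raw FAT directory entries: "deleted" files are still on the disk.

Added example, not part of the SANS course. On FAT12/16/32 a delete only
overwrites the first byte of the file's 32-byte directory entry with 0xE5 and
frees its cluster chain in the FAT; the other seven name characters, the size
and the first cluster stay in the entry, and the data stays in the clusters
until something reuses them. The directory below is constructed with
struct.pack; names, cluster numbers and sizes are made up.
"""
import struct

# The 32-byte short-name entry (FAT specification layout, little-endian):
# name[8] ext[3] attr ntres crt_tenth crt_time crt_date acc_date clus_hi
# wrt_time wrt_date clus_lo size
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_LONG_NAME = 0x08, 0x10, 0x0F
DELETED, END_OF_DIR = 0xE5, 0x00


def make_entry(name, ext, attr, first_cluster, size):
    """Build one entry; timestamps are zeroed to keep the example short."""
    return ENTRY.pack(name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                      attr, 0, 0, 0, 0, 0, first_cluster >> 16, 0, 0,
                      first_cluster & 0xFFFF, size)


def delete_entry(entry):
    """What DEL does to the directory entry: first byte becomes 0xE5, nothing else."""
    return bytes([DELETED]) + entry[1:]


def parse_directory(data):
    """Yield one dict per live or deleted short-name entry, in directory order."""
    for off in range(0, len(data) - len(data) % ENTRY.size, ENTRY.size):
        (name, ext, attr, _nt, _tenth, _ctime, _cdate, _adate, hi,
         _wtime, _wdate, lo, size) = ENTRY.unpack(data[off:off + ENTRY.size])
        if name[0] == END_OF_DIR:
            break                      # nothing allocated past this point
        if attr == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
            continue                   # VFAT long-name pieces, volume label
        deleted = name[0] == DELETED
        # The first character is lost; an undelete tool shows it as '?'.
        base = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
        ext_s = ext.decode("ascii", "replace").rstrip()
        yield {
            "name": f"{base}.{ext_s}" if ext_s else base,
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo,
            "size": size,
        }


def recover_clusters(entry, cluster_size):
    """Clusters a deleted file occupied IF it was stored contiguously. The FAT
    chain is gone, so this is the assumption every undelete tool has to make."""
    count = -(-entry["size"] // cluster_size)   # ceiling division
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))


def slack_bytes(size, cluster_size):
    """Unused bytes in the file's last cluster: FAT32's smaller clusters waste
    less per file than FAT16's, which is why the disk is 'better utilized'."""
    return (-size) % cluster_size


# Constructed root directory: volume label, a live file, a deleted file,
# a subdirectory, then the end-of-directory marker and some unused slots.
SAMPLE_DIR = b"".join([
    make_entry("LAPTOP", "", ATTR_VOLUME_ID, 0, 0),
    make_entry("MARKET~1", "ZIP", 0x20, 1500, 593208),
    delete_entry(make_entry("SECRET", "DOC", 0x20, 2200, 40960)),
    make_entry("MYDOCS", "", ATTR_DIRECTORY, 3, 0),
    bytes(ENTRY.size * 2),
])

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        tag = "DELETED" if e["deleted"] else ("<DIR>" if e["directory"] else "")
        print(f"{e['name']:14} {tag:8} cluster {e['first_cluster']:6} {e['size']:8} bytes")
    secret = [e for e in parse_directory(SAMPLE_DIR) if e["deleted"]][0]
    print("likely clusters of", secret["name"], recover_clusters(secret, 4096))
    print("slack for 593,208 bytes: FAT16 32 KB clusters", slack_bytes(593208, 32768),
          "vs FAT32 4 KB clusters", slack_bytes(593208, 4096))
```

The same parser works on a directory read straight from a disk image (each cluster of a directory is just a run of these entries), which is how an auditor sees what a user deleted; the contiguity assumption in recover_clusters() is also why defragmenting, which moves clusters around, makes old deleted data harder rather than easier to reconstruct.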

Posted: 24/01/2014, 09:20
