Windows 9x Security document (PDF)



Document information

Secure System Administration - SANS GIAC © 2000, 2001

Slide 1: Windows 9x Security

For our third session of the second part of the course, we will focus on the Windows 95 and Windows 98 operating systems. The examples are tested on Windows 98 since 95 systems are starting to be retired. The most important thing to know about this flavor of Windows is that there is no file security. If you configure the system for multiple users and have a password screen at bootup, anyone can hit Cancel and still get in. If you use passwords and have two users, each can see all of the other user's files. There are exactly two ways to enforce security for Windows 9x: physical security and encryption.

My laptop is protected by physical security. I travel a lot. I try to keep my laptop bag with me at all times. Still there are times when I leave it in the hotel room and just hope. Security for most Windows 9x users amounts to hope and nothing more. We will learn how to add a layer of security in this section with better living through encryption.

The focus of most of this course will be to show you some of the clue-gathering tools you can use to see and understand what is going on with your Windows 9x system. We will cover several new tools, discuss the file system a bit, and close with encryption.

Slide 2: Windows 9x Tools

• System Configuration Editor
• Startup
• System File Checker
• File Compare
• File Attributes

The first section of this course will be to learn some new tools that give us information about our system. Since everything we see will be inherited from startup, let's cover it at least from a high level. From the Power On Self Test (POST) by the ROM BIOS, we go to the disk and the secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database called the registry is consulted for system information.
Virtual Device Drivers (VxDs) come next, followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your system is configured for multiple users, this is the point at which you log in and your personal password file is examined (\Windows\yourusername.pwl), and if you have a user profile it is loaded from the user portion of the registry database (\Windows\Profiles\yourusername\user.dat). If you have never looked at your profile, I highly recommend a tour. Finally, if your system.ini has this line:

    shell=Explorer.exe

and you shut down cleanly, your Windows Explorer will come up when you reboot.

Slide 3

Before mucking with your startup, it is always a really good idea to back up your registry! On a Windows 98 computer, I start SCANREGW with the Run command: Start, Run, Scanregw. It will then scan your registry and give you an opportunity to make a backup. Backups are stored in \Windows\Sysbckup; the file names start with rb and they are .cab (compressed) files. The .cab file contains a copy of user.dat, system.dat, win.ini, and system.ini from the Windows\System directory. Note that scanregw will NOT back up the user.dat files for each of the individual users. You will need to do this manually. If you goof up, SCANREGW can use these files to restore the Registry should it become corrupted.

Now we are equipped to look at our startup. Start, Run, SYSEDIT will produce what you see on the slide. This is just a notepad editor, but it makes it really easy to view or edit these startup files. You should see the system.ini explorer entry we just mentioned. Your system may have nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 like it was for DOS, but you can use it to override the default behavior of IO.SYS.
The reason you care is that if you use a boot disk to analyze a machine, you would want to alter the PATH variable so that the applications on your floppy or CD-ROM are executed before the ones on the suspect system's hard drive. We see in the screen shot above that the operating system looks first in the DOS directory of the C drive, then in the PGP directory under Program Files\Network Associates.

Slide 4

If you are prone to typos, then you might be better served by MSCONFIG, the System Configuration Editor (available with Windows 98), as shown on this screen. You know the drill by now: Start, Run, Msconfig. This is a GUI tool that does everything you can do with SYSEDIT and more. It really is worth your time to become familiar with your startup for a number of reasons. Note on the slide where it says Reminder and it is unchecked. A partially functional version of MS Money was installed on this laptop. I never used it, nor will I; all accountants expect Quicken. Every time this laptop booted, time was lost while a reminder file was loaded, and it cost memory as well. With the Reminder box unchecked, the reminder file will not load.

Microsoft products are fairly benign, but malicious software will use either the Run or RunOnce registry entries to install themselves. If you are familiar with what you expect to run, then you may be able to identify and eliminate potentially destructive or abusive software. This is what the ILOVEYOU virus did: it set Internet Explorer to run in order to go get the password sniffer.

Slide 5

As you install and uninstall software, there are times when the application software will come with its own "enhanced" driver or operating system application. You may recall seeing a message from your operating system warning that a system file was about to be overwritten by an older file than the one you have.
The logic is that the newer file must be better, and this makes a certain degree of sense. In general, the worst offenders seem to be networking cards. If you plan to network your Windows system, it can be worth your time to do a bit of Internet research first. This is especially true if you are considering running multiple operating systems such as Linux and Windows.

The System File Checker will make an effort at checking all of your system files against a known database (\Windows\Default.sfc). If it finds a file that it feels is the wrong one, you have the option to reinstall from your factory CD. It takes anywhere from a couple of minutes to several minutes to scan your system and can be a very prudent thing to do after installing software. The file we need to run is msinfo32.exe. Get to it by clicking on Start, Programs, Accessories, System Tools, System Information. The System File Checker is accessed from the Tools menu. Note that msinfo32.exe is also available on Windows 95, but it doesn't have the System File Checker.

Slide 6: FC

    MARKET~1 ZIP       593,208  03-04-00  9:19p marketing .zip
    MARKET~2 ZIP       593,208  03-04-00  9:23p Marketing.zip
            27 file(s)      4,401,366 bytes
            12 dir(s)        2,005.71 MB free

    C:\My Documents>fc /b market~1.zip market~2.zip
    Comparing files marketing .zip and market~2.zip
    FC: no differences encountered

This slide shows a tool called FC, for File Compare. When you get a complaint from your operating system that you are about to overwrite a file, or if System File Checker is upset about a file, you might want to check it out before making a decision. Sometimes the file is actually the same, but the dates are different and this confuses Windows. FC also has a binary compare mode, FC /B file1 file2, that can be useful when trying to really dig into a file. If you have a suspected virus and a clean file from a backup, this can be a great way to see a virus or other malicious code.
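To make the FC /B output above concrete, here is an added example (not from the SANS notes) that reimplements the binary compare in Python: it reports differing offsets in FC's own "OOOOOOOO: XX YY" style, reports a length mismatch the way FC does, and adds a timestamp-independent identity check so a "same bytes, different date" pair like the two marketing.zip copies is recognised as identical. The sample bytes, the CLEAN/PATCHED names and the compare_files helper are constructed for this example.

```python
"""Byte-for-byte file comparison in the style of FC /B.

Added example, not from the SANS notes. Constructed sample data stands in for
the two files; the CLEAN/PATCHED names and the compare_files helper are mine.
"""
import hashlib


def binary_compare(a, b):
    """Return [(offset, byte_a, byte_b), ...] for every position where a and b differ.
    Bytes beyond the end of the shorter input are not listed; like FC, the length
    mismatch is reported separately."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def fc_report(name_a, a, name_b, b):
    """Format the result the way FC /B prints it: a header, one 'OOOOOOOO: XX YY'
    line per differing offset, then either a length warning or the no-differences line."""
    lines = ["Comparing files %s and %s" % (name_a, name_b)]
    diffs = binary_compare(a, b)
    lines.extend("%08X: %02X %02X" % (off, x, y) for off, x, y in diffs)
    if len(a) != len(b):
        longer, shorter = (name_a, name_b) if len(a) > len(b) else (name_b, name_a)
        lines.append("FC: %s longer than %s" % (longer, shorter))
    elif not diffs:
        lines.append("FC: no differences encountered")
    return "\n".join(lines)


def same_content(a, b):
    """Identity check that ignores timestamps entirely: equal length and equal SHA-256."""
    return len(a) == len(b) and hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def compare_files(path_a, path_b):
    """Read two files and return the FC-style report for them."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return fc_report(path_a, fa.read(), path_b, fb.read())


# Constructed sample: the start of a DOS executable header, and a copy with two
# bytes patched at offsets 0x10 and 0x15 (stands in for a file a backup shows as changed).
CLEAN = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode."
PATCHED = bytearray(CLEAN)
PATCHED[0x10] = ord("t")   # 'T' -> 't'
PATCHED[0x15] = 0x00       # 'p' -> NUL
PATCHED = bytes(PATCHED)
SAME_DATE_DIFFERENT = CLEAN[:]   # identical bytes: a copy whose only difference is its date stamp

if __name__ == "__main__":
    print(fc_report("market~1.zip", CLEAN, "market~2.zip", SAME_DATE_DIFFERENT))
    print(fc_report("clean.exe", CLEAN, "suspect.exe", PATCHED))
    print(fc_report("clean.exe", CLEAN, "short.exe", CLEAN[:20]))
```

Running it prints "FC: no differences encountered" for the first pair, two offset lines (00000010: 54 74 and 00000015: 70 00) for the patched copy, and a "longer than" line for the truncated one; same_content is the check to use when all you want to know is whether a file the date made Windows suspicious about is really the same.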
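The Run and RunOnce point made on slide 4 can also be checked without clicking through MSCONFIG. As an added example (not from the course), this Python script parses a REGEDIT4-format export of the CurrentVersion key, lists every value under the four Run/RunOnce keys, and flags any program that is not on an allowlist the administrator keeps. It assumes the export was written in REGEDIT4 format (what regedit /e produces on Windows 9x); the sample export, the allowlist and the "Updater" entry pointing into C:\WINDOWS\TEMP are constructed to show the kind of entry you would want to notice.

```python
"""Audit Run/RunOnce startup values from a Windows 9x registry export.

Added example, not from the SANS course notes. Assumes the export is in
REGEDIT4 format (what regedit /e writes on Windows 9x); the sample export,
the allowlist and the file names are constructed for illustration.
"""
import re
import sys

# The persistence keys named on slide 4 (compared case-insensitively).
STARTUP_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Constructed sample export. REGEDIT4 escapes backslashes as \\ and quotes as \".
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Reminder"="\"C:\\Program Files\\Microsoft Money\\reminder.exe\" /quiet"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\TEMP\\updater.exe"
'''

# Programs the administrator expects at startup; anything else deserves a look.
ALLOWLIST = {"scanregw.exe", "systray.exe", "reminder.exe"}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo regedit's backslash escaping (double backslash, backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_regedit4(text):
    """Return {key_path: {value_name: string_value}} for the string values in an export.
    Binary, dword and default (@=) values are skipped; they are not needed here."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            tree[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return tree


def executable_name(command):
    """Lower-cased basename of the program a Run value launches, without arguments.
    A quoted path is taken up to the closing quote; an unquoted one is cut at the
    first whitespace-preceded / or - switch, so paths containing spaces still work."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = re.split(r'\s+(?=[/-])', command, maxsplit=1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def startup_entries(text):
    """Return (key, value_name, command) for every value under a Run/RunOnce key."""
    tree = parse_regedit4(text)
    return [(key, name, cmd)
            for key, values in tree.items() if key.lower() in STARTUP_KEYS
            for name, cmd in values.items()]


def audit(text, allowlist=ALLOWLIST):
    """Return the startup entries whose program is not on the allowlist."""
    return [(key, name, cmd) for key, name, cmd in startup_entries(text)
            if executable_name(cmd) not in allowlist]


if __name__ == "__main__":
    # Usage: python runkeys.py startup.reg   (no argument: audit the built-in sample)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, cmd in audit(text):
        print("UNEXPECTED  %s\\%s = %s" % (key, name, cmd))
```

On the sample the only line printed is the HKEY_CURRENT_USER Updater value; keeping the allowlist per machine, and re-running the audit after every install, is the scripted form of "being familiar with what you expect to run" that the notes recommend.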
Next we will spend a bit of time learning about our file system and where things tend to be stored. Windows tucks things everywhere, in temp and cache directories, and we have already mentioned your profile. In this next section of the course I want to sensitize you to two things: ways you can audit Windows 9x systems, but also the kinds of information others can get from your system, should the physical security ever be breached.

Slide 7

The screenshot on this page was created by selecting a file with Windows Explorer, clicking with the right mouse button, and then selecting Properties. In a FAT and FAT32 directory listing the DOS attributes are listed; the four FAT attributes are:

- Read-only
- Hidden
- System
- Archive

Since most of your interaction with your file system in Windows will be with the Windows Explorer, we want to make sure we configure our Explorer so that it gives us the information we need to understand and audit our systems effectively. On your next slide you see that there are options to the Explorer that allow us to see system files that are not normally shown, as well as the file attributes.

Slide 8: Windows Explorer, View, Customize This Folder

From the screen shot above, select the boxes "Show all files" and "Show file attributes in Detail view". Then, when you have the view in Windows Explorer set to "Details", the file attributes will display in the rightmost column (to the right of each file listing). This means that you will not normally notice these, but you can drag and drop (or resize) the columns in Explorer to enable you to see the attributes. Any time you are in the root drive of your disk, C:\, or in your Windows directory, C:\Windows, you should probably be aware of attributes and hidden files.
Note that not ALL versions of Explorer shipped with Windows 98 appear to have the capability to display file attributes as shown adjacent to the lower arrow above.

CREDIT: SSA3_1. If you are taking this course for academic credit, email your instructor (or point of contact) a screen shot from Windows Explorer of a file with all four attributes set. If you have done backups recently and the archive bit is not set, that is fine as well. You can send a screen shot with RSH (Read-only, System, Hidden) showing. See note above. If you can't get the attributes to show in a column in Windows Explorer, select a file, right click on Properties, and take a screen shot of the result.

Slide 9: FAT and FAT32 File System

• FAT is a 16-bit address table for 2^16 (65,535) maximum clusters. This was the DOS and Windows 95 filesystem
• FAT32 was introduced in Windows 95 OSR2 and used in Windows 98
• Directory records are used to store names of files and directories contained in a directory

One tool to help us understand how the hard disk is organized is FDISK. This is run from the Windows Command Prompt. Type FDISK with no options and we see:

    Your computer has a disk larger than 512 MB. This version of Windows
    includes improved support for large disks, resulting in more efficient
    use of disk space on large drives, and allowing disks over 2 GB to be
    formatted as a single drive.

    IMPORTANT: If you enable large disk support and create any new drives on
    this disk, you will not be able to access the new drive(s) using other
    operating systems, including some versions of Windows 95 and Windows NT,
    as well as earlier versions of Windows and MS-DOS. In addition, disk
    utilities that were not designed explicitly for the FAT32 file system
    will not be able to work with this disk. If you need to access this disk
    with other operating systems or older disk utilities, do not enable
    large drive support.
Since FAT16 uses clusters to allocate files, with a 2^16 address size, it uses fairly large clusters. With FAT32's larger address space, clusters can be smaller and therefore the disk is better utilized.

Slide 10: FDISK

    Microsoft Windows 98
    Fixed Disk Setup Program
    (C)Copyright Microsoft Corp. 1983 - 1998

    FDISK Options

    Current fixed disk drive: 1

    Choose one of the following:

    1. Create DOS partition or Logical DOS Drive
    2. Set active partition
    3. Delete partition or Logical DOS Drive
    4. Display partition information

    Enter choice: [4]

WARNING: You can really mess up your system messing with your partitions. At a minimum, have a bootable floppy with fdisk on it in case you make a mistake.

The FDISK slide shows the menu, and the results of running FDISK on my laptop are shown below. You see I only have one partition and so of course it is active. Creating a second partition can be one way of hiding data on a computer. You can do this trivially so that it will not show up unless you run a tool like FDISK. If you like living dangerously you can create the partition, write the data and then delete the partition. According to security researcher Bill Cheswick, he ran into this and so developed a tool for UNIX that did a raw disk read regardless of partition information.

    Display Partition Information

    Current fixed disk drive: 1

    Partition  Status  Type     Volume Label  Mbytes  System  Usage
    C: 1       A       PRI DOS                4126    FAT32   100%

    Total disk space is 4126 Mbytes (1 Mbyte = 1048576 bytes)

[...]

The rest of the document is available in this preview only as excerpts. They follow in slide order; "..." marks where the preview cuts off.

... sectors large on disks with a single partition and refers to space between the physical beginning of the disk and the beginning of the first partition. Next we will look at the attributes of a given Windows 9x file. Recall in the last section we learned about one file attribute, the hidden file attribute, using the ATTRIB command.

Slide 11

This slide shows further information about the hard drive on my laptop. You can see it is a FAT32 system and the cluster size is 8 sectors. This is a common value for Windows 98 systems. Notice that it says there are two FATs. These are mirrored, and this is true for both FAT and FAT32 file systems. If there is a problem with the primary, the file system driver will complain ...

Slide 12: C:\Temp

Let's ... that Windows is a bit complex and files don't even have to be hidden if we don't know what to look for. This screen shot shows the C:\Temp directory, and Windows crams a lot of stuff there. Another location is C:\Windows. There are a number of directories here: your profile, another temp, temporary internet files, html, and of course there is the recycle bin on the desktop. If you ever have to audit a Windows ...

... you use Windows and you do not want your data recovered easily, it is necessary to remove the data with something more destructive than delete. Deleting data files on most operating systems does not clear the data from the physical drive, but simply removes an entry from the file system's database. This is true for the FAT/FAT32 file system (used in DOS and Windows 3.11/95/98), NTFS/NTFS2 (used in Windows ...

... suspected security violations. Tools like these help you understand why, if you ever seize a computer, you must make every effort to produce the best backup you can before you turn the system off. If the system is already off, the best thing to do is pull the disk drive and make a copy of it. If you can't do that, you need to boot the computer from your own bootable disk and make the backup. Windows has ...

... course with a quick discussion on using PGP.

Slide 22: We Select a File

Slide 23

This is just a graphics image that we wish to destroy. I will select it using the Windows Explorer. After BC Wipe is available, it can be accessed with a right mouse click anytime. It will not just delete the file, it will overwrite it according to the configurations we selected on the ...

... of the system's user. We have discussed a number of tools that can be used to find or hide information as appropriate for implementing our security policy. Now we have one last topic. This is a systems security course so we are not going into the theory of cryptography, but we certainly should understand the practice of it. The tool most used is PGP. It is available for personal use from www.pgp.com and ...

... like "XyZZy." Remember, since there are no file permissions, encryption is the best way to keep a file private on Windows 9x.

... protection with Windows 9x

Slide 28: Review of Concepts

• Tools to help you understand and repair Windows 9x
• Windows startup process
• Backing up the Registry
• FAT file system does not delete files
• Windows leaves a tremendous amount of user data scattered about
• Defragmentation moves de-allocated clusters to back of the hard drive
• Encryption protects files

Let's take a second to summarize this section. We have shown that if you know where to look on a Windows system, you can find a lot of information created by the actions of the system's user. We have discussed a number of tools that can be used to find or hide information as appropriate for implementing our security policy ...

Slide 29

This is the end of our tour of Windows 9x. If you work with the tools and investigate the places I have shown you, you will be amazed how much better you understand your system. Don't get too brave. Make backups before going too wild, or simply ...
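The attribute bits from slides 7 and 8, the 2^16 cluster limit from slide 9 and the "FAT file system does not delete files" point from the review all come down to the 32-byte FAT directory entry. As an added example (not from the SANS notes), this Python decoder reads such entries, renders the attribute byte as letters the way an Attributes column does, shows that a deleted file keeps everything but the first character of its name (and its cluster pointer) until the slot is reused, and computes the cluster size FAT16 is forced into for a given partition. The sample directory bytes, the make_entry builder and the file names in it are constructed; the on-disk layout itself is the standard short-name entry format.

```python
"""Decode FAT/FAT32 short-name directory entries and size FAT16 clusters.

Added example, not from the SANS notes. The sample directory bytes are constructed
with make_entry; the 32-byte layout is the standard on-disk short-name record.
"""
import struct

# Attribute bits in byte 11 of a directory entry.
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x08, 0x10, 0x20
ATTR_LETTERS = ((ATTR_READ_ONLY, "R"), (ATTR_HIDDEN, "H"), (ATTR_SYSTEM, "S"),
                (ATTR_VOLUME_ID, "V"), (ATTR_DIRECTORY, "D"), (ATTR_ARCHIVE, "A"))

DELETED_MARKER = 0xE5   # written over the first name byte when a file is deleted
END_OF_DIR = 0x00       # an entry that has never been used ends the listing

# 32-byte layout: name(8) ext(3) attr(1) reserved(1) ctime_tenths(1) ctime(2) cdate(2)
# adate(2) first_cluster_high(2, FAT32 only) wtime(2) wdate(2) first_cluster_low(2) size(4)
ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"


def attr_string(attr):
    """One letter per set attribute bit, e.g. 'RHSA' for a read-only hidden system file."""
    return "".join(letter for bit, letter in ATTR_LETTERS if attr & bit)


def parse_dir_entry(raw):
    """Decode one 32-byte entry into a dict. Deleted entries are decoded too: only the
    first name byte is overwritten, and the data clusters stay until they are reused."""
    if len(raw) != 32:
        raise ValueError("a directory entry is exactly 32 bytes")
    if raw[0] == END_OF_DIR:
        return {"unused": True}
    (name, ext, attr, _res, _tenths, _ctime, _cdate, _adate,
     cluster_hi, _wtime, _wdate, cluster_lo, size) = struct.unpack(ENTRY_FORMAT, raw)
    deleted = raw[0] == DELETED_MARKER
    stem = name.decode("ascii", "replace").rstrip()
    if deleted:
        stem = "?" + stem[1:]      # the first character is gone; the rest survives
    extension = ext.decode("ascii", "replace").rstrip()
    return {"unused": False, "deleted": deleted,
            "name": stem + ("." + extension if extension else ""),
            "attributes": attr_string(attr),
            "first_cluster": (cluster_hi << 16) | cluster_lo,
            "size": size}


def list_directory(data):
    """Decode consecutive entries until the end-of-directory marker."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        entry = parse_dir_entry(data[off:off + 32])
        if entry["unused"]:
            break
        entries.append(entry)
    return entries


def fat16_cluster_bytes(partition_bytes, sector_bytes=512):
    """Smallest power-of-two cluster size that lets 2^16 clusters cover the partition.
    This is why FAT16 volumes use big clusters and waste the tail of every file."""
    cluster = sector_bytes
    while cluster * (1 << 16) < partition_bytes:
        cluster *= 2
    return cluster


def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build a sample entry (constructed test data, not read from a disk)."""
    raw_name = name.upper().ljust(8).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    return struct.pack(ENTRY_FORMAT, raw_name, ext.upper().ljust(3).encode("ascii"),
                       attr, 0, 0, 0, 0, 0, first_cluster >> 16, 0, 0,
                       first_cluster & 0xFFFF, size)


# Constructed sample directory: IO.SYS with R, H, S and A set, a deleted SECRET.TXT, end marker.
SAMPLE_DIRECTORY = (
    make_entry("IO", "SYS", ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_ARCHIVE, 2, 222390)
    + make_entry("SECRET", "TXT", ATTR_ARCHIVE, 0x1234, 1024, deleted=True)
    + bytes(32)
)

if __name__ == "__main__":
    for e in list_directory(SAMPLE_DIRECTORY):
        note = "(deleted; data clusters still on disk)" if e["deleted"] else ""
        print("%-12s %-4s cluster %6d %8d bytes %s" % (e["name"], e["attributes"],
                                                       e["first_cluster"], e["size"], note))
    for mb in (512, 2048, 4126):
        print("FAT16 on a %4d MB partition needs %6d-byte clusters" % (mb, fat16_cluster_bytes(mb << 20)))
```

The deleted SECRET.TXT entry still reports its first cluster and size, which is all an undelete tool needs to pull the data back, and why the notes say that destroying data takes an overwrite rather than a delete. The cluster calculation also explains the FDISK message: the 4126 MB laptop partition would need 128 KB FAT16 clusters, beyond the 32 KB maximum Windows 9x supports for FAT16 (the 2 GB ceiling), while FAT32 covers it with the 8-sector (4 KB) clusters slide 11 reports.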

Posted: 10/12/2013, 14:16
