Windows 9x Security

Secure System Administration - SANS GIAC © 2000, 2001

For our third session of the second part of the course, we will focus on the Windows 95 and Windows 98 operating systems. The examples are tested on Windows 98 since 95 systems are starting to be retired. The most important thing to know about this flavor of Windows is that there is no file security. If you configure the system for multiple users and have a password screen at bootup, anyone can hit cancel and still get in. If you use passwords and have two users, each can see all of the other user's files. There are exactly two ways to enforce security for Windows 9x: physical security and encryption.

My laptop is protected by physical security. I travel a lot. I try to keep my laptop bag with me at all times. Still, there are times when I leave it in the hotel room and just hope. Security for most Windows 9x users amounts to hope and nothing more. We will learn how to add a layer of security in this section with better living through encryption. The focus of most of this course will be to show you some of the clue-gathering tools you can use to see and understand what is going on with your Windows 9x system. We will cover several new tools, discuss the file system a bit, and close with encryption.

Windows 9x Tools
• System Configuration Editor
• Startup
• System File Checker
• File Compare
• File Attributes

In the first section of this course we will learn some new tools that give us information about our system. Since everything we see will be inherited from startup, let's cover it at least from a high level. From the Power On Self Test (POST) by the ROM BIOS, we go to the disk and the secondary loader (IO.SYS), which loads logo.sys (the logo screen). At this point a database called the registry is consulted for system information. Virtual Device Drivers (VxDs) come next, followed by an army of DLLs (Dynamic Link Libraries), which are actually programs. If your system is configured for multiple users, this is the point where you log in and your personal password file is examined (Windows\yourusername.pwl), and if you have a user profile it is loaded from the user portion of the registry database (Windows\Profiles\yourusername\user.dat). If you have never looked at your profile, I highly recommend a tour. Finally, if your system.ini has this line: shell=Explorer.exe and you shut down cleanly, your Windows Explorer will come up when you reboot.

Before mucking with your startup, it is always a really good idea to back up your registry! On a Windows 98 computer, I start SCANREGW with the RUN command: Start, Run, Scanregw. It will then scan your registry and give you an opportunity to make a backup. Backups are stored in Windows\Sysbckup; the file names start with rb and they are .cab (compressed) files. The .cab file contains a copy of user.dat, system.dat, win.ini, and system.ini from the Windows\System directory. Note that scanregw will NOT back up the user.dat files for each of the individual users. You will need to do this manually. If you goof up, SCANREGW can use these files to restore the Registry should it become corrupted.

Now we are equipped to look at our startup. Start, Run, SYSEDIT will produce what you see on the slide. This is just a notepad editor, but it makes it really easy to view or edit these startup files. You should see the system.ini explorer entry we just mentioned. Your system may have nsmail.ini in addition to the files you see. Autoexec.bat is not critical to Windows 98 like it was for DOS, but you can use it to override the default behavior of IO.SYS. The reason you care is that if you use a boot disk to analyze a machine, then you would want to alter the PATH variable so that the applications on your floppy or CDROM are executed before the ones on the suspect system's hard drive. We see in the screen shot above that the operating system looks first in the DOS directory of the C drive, then in the PGP directory under Program Files\Network Associates.

If you are prone to typos, then you might be better served by MSCONFIG, the Syst ...
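The following is an added example, not part of the course material: it reads the text of an AUTOEXEC.BAT and a SYSTEM.INI, works out the PATH search order left in effect, lists any hard-drive directories searched before the analyst's own media, and reports the shell= entry from the [boot] section. The file contents are constructed samples, and the A:\TOOLS directory and all function names are assumptions.

```python
import re

# Constructed sample files for illustration (not taken from the course slides).
SAMPLE_AUTOEXEC = r"""@ECHO OFF
REM constructed boot-disk AUTOEXEC.BAT
PATH C:\DOS;C:\PROGRA~1\NETWOR~1\PGP
SET PATH=A:\TOOLS;%PATH%
"""
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vshare\ndevice=*vcd\n"

def path_order(autoexec_text):
    """Return the directory search order left in effect by AUTOEXEC.BAT."""
    current = []
    for raw in autoexec_text.splitlines():
        line = raw.strip().lstrip("@")
        m = re.match(r"(?i)^(?:set\s+)?path(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue  # REM lines and other commands do not change PATH
        new = []
        for part in m.group(1).split(";"):
            part = part.strip()
            if part.upper() == "%PATH%":
                new.extend(current)  # expand the earlier value in place
            elif part:
                new.append(part.upper())
        current = new
    return current

def untrusted_before_trusted(order, trusted_drives=("A:",)):
    """List directories searched before the first trusted-media directory."""
    ahead = []
    for directory in order:
        if directory.startswith(tuple(trusted_drives)):
            return ahead
        ahead.append(directory)
    return ahead  # no trusted directory on PATH at all

def boot_shell(system_ini_text):
    """Return shell= from [boot]; parsed by hand because SYSTEM.INI repeats keys."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None

if __name__ == "__main__":
    order = path_order(SAMPLE_AUTOEXEC)
    print(order, untrusted_before_trusted(order), boot_shell(SAMPLE_SYSTEM_INI))
```

An empty list from `untrusted_before_trusted` means the tools on the analyst's media are found first; any entries it returns are suspect-disk directories that would be searched ahead of them.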
