Secure System Administration - SANS GIAC
© 2000, 2001
Windows 9x Security
For our third session of the second part of the course, we will focus on the Windows 95 and
Windows 98 operating systems. The examples are tested on Windows 98 since 95 systems are
starting to be retired. The most important thing to know about this flavor of Windows is there is no
file security. If you configure the system for multiple users and have a password screen at bootup,
anyone can hit cancel and still get in. If you use passwords and have two users, each can see all of
the other user’s files. There are exactly two ways to enforce security for Windows 9x, physical
security and encryption.
My laptop is protected by physical security. I travel a lot. I try to keep my laptop bag with me at all
times. Still there are times when I leave it in the hotel room and just hope. Security for most
Windows 9x users amounts to hope and nothing more. We will learn how to add a layer of security
in this section with better living through encryption. The focus of most of this course will be to show
you some of the clue-gathering tools you can use to see and understand what is going on with your
Windows 9x system. We will cover several new tools, discuss the file system a bit, and close with
encryption.
Windows 9x Tools
• System Configuration Editor
• Startup
• System File Checker
• File Compare
• File Attributes
The first section of this course will be to learn some new tools that give us information about our
system. Since everything we see will be inherited from startup, let’s cover it at least from a high

of the C drive, then in the PGP directory under Program Files\Network Associates.
If you are prone to typos, then you might be better served by MSCONFIG, the System Configuration
Editor (available with Windows 98) as shown on this screen. You know the drill by now: Start, Run,
Msconfig. This is a GUI tool that does everything you can do with SYSEDIT and more.
It really is worth your time to become familiar with your startup for a number of reasons. Note on
the slide where it says reminder and it is unchecked. A partially functional version of MS Money
was installed on this laptop. I never used it, nor will I; all accountants expect Quicken. Every time
this laptop booted, time was lost while a reminder file was loaded and it cost memory as well. With
the Reminder box unchecked, the reminder file will not load. Microsoft products are fairly benign,
but malicious software will use either the Run or RunOnce registry entries to install itself. If
you are familiar with what you expect to run, then you may be able to identify and eliminate
potentially destructive or abusive software. This is what the ILOVEYOU virus did: it set Internet
Explorer to run in order to go and get the password sniffer.
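One practical way to "know what you expect to run" is to export the autostart keys with regedit and diff the export against a reviewed baseline. The script below is an added example, not part of the course material: it parses the REGEDIT4 text format that Windows 9x regedit writes, keeps only the Run, RunOnce, RunServices and RunServicesOnce keys, and reports entries that are absent from, or differ from, the baseline. The export text, the entry names and the baseline contents are constructed for the example; only the key paths are the real autostart locations.

```python
import re

# Constructed sample of a REGEDIT4 export (the text format regedit writes on
# Windows 9x). The key paths are real autostart locations; the entry names and
# command lines are made up for this example.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Reminder"="C:\\Program Files\\Microsoft Money\\reminder.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"update"="C:\\WINDOWS\\TEMP\\winupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
'''

# Keys whose string values are launched at startup or logon.
AUTOSTART_SUFFIXES = ("\\Run", "\\RunOnce", "\\RunServices", "\\RunServicesOnce")

# Baseline of autostart entries that were reviewed earlier (constructed).
BASELINE = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
        "SystemTray": "SysTray.Exe",
    },
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines only; hex:/dword: values are not autostart commands.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """REGEDIT4 escapes backslash and double quote with a leading backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for a REGEDIT4 export."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries[key][unescape(m.group(1))] = unescape(m.group(2))
    return entries


def autostart_entries(entries):
    """Keep only the keys Windows consults at startup."""
    return {k: v for k, v in entries.items() if k.endswith(AUTOSTART_SUFFIXES)}


def find_unexpected(entries, baseline):
    """List (key, name, command, reason) for anything not matching the baseline."""
    findings = []
    for key, values in autostart_entries(entries).items():
        expected = baseline.get(key, {})
        for name, cmd in values.items():
            if name not in expected:
                findings.append((key, name, cmd, "not in baseline"))
            elif expected[name] != cmd:
                findings.append((key, name, cmd, "command changed"))
        for name in expected:
            if name not in values:
                findings.append((key, name, expected[name], "missing"))
    return findings


if __name__ == "__main__":
    for key, name, cmd, reason in find_unexpected(parse_reg(SAMPLE_REG), BASELINE):
        print(f"{reason:16} {key.rsplit(chr(92), 1)[1]:16} {name} = {cmd}")
```

Run against the constructed export, the script flags the MS Money reminder in Run and the `winupd.exe` entry in RunOnce, which is exactly the kind of entry the slide says to look at before deciding whether it belongs. Re-export and re-run after every install to keep the baseline honest.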
As you install and uninstall software, there are times when the application software will come with
its own “enhanced” driver or operating system application. You may recall seeing a message from
your operating system warning that a system file was about to be overwritten by an older file than the
one you have. The logic is that the newer file must be better, and this makes a certain degree of sense.
In general, the worst offenders seem to be networking cards. If you plan to network your Windows
system, it can be worth your time to do a bit of Internet research first. This is especially true if you
are considering running multiple operating systems such as Linux and Windows.
The System File Checker will make an effort at checking all of your system files against a known
database (\Windows\Default.sfc). If it finds a file that it feels is the wrong one, you have the option

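The idea behind the System File Checker, a stored database of what the system files are supposed to look like, can be reproduced for any directory tree. The script below is an added example and not the SFC tool or its Default.sfc format: it records a SHA-256 digest of every file under a root, saves that as a JSON baseline, and later reports files that changed, disappeared or appeared. The file names and contents in `demo()` are constructed stand-ins for the installer behaviour described above.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def save_baseline(path, baseline):
    """Persist the baseline; keep it off the audited volume (or on a floppy)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Compare the current tree against a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: a careless installer downgrades, deletes and adds files."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        sysdir = os.path.join(root, "SYSTEM")
        os.makedirs(sysdir)
        originals = {  # constructed stand-ins for protected system files
            "COMMAND.COM": b"original command interpreter",
            "SYSTEM/NETDRV.VXD": b"vendor network driver v2.0",
            "SYSTEM/DISPLAY.DRV": b"display driver",
        }
        for rel, data in originals.items():
            with open(os.path.join(root, rel.replace("/", os.sep)), "wb") as f:
                f.write(data)
        db = os.path.join(store, "baseline.json")
        save_baseline(db, build_baseline(root))

        # The "enhanced" driver replaces a newer file with an older one,
        # removes a file, and drops an unreviewed one.
        with open(os.path.join(sysdir, "NETDRV.VXD"), "wb") as f:
            f.write(b"vendor network driver v1.0")
        os.remove(os.path.join(root, "COMMAND.COM"))
        with open(os.path.join(sysdir, "EXTRA.VXD"), "wb") as f:
            f.write(b"unreviewed driver")

        return verify(root, load_baseline(db))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Digests, rather than version strings or dates, are what make this useful: an installer can stamp any date it likes on a file, but it cannot make a downgraded driver hash to the baseline value. The baseline itself has to be written somewhere the installer cannot touch, which on a Windows 9x box with no file security means removable media.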
The screenshot on this page was created by selecting a file with Windows Explorer, clicking with
the right mouse button, and then selecting Properties. In a FAT or FAT32 directory listing the DOS
attributes are shown; the four FAT attributes are:
- Read-only
- Hidden
- System
- Archive
Since most of your interaction with your file system in Windows will be with Windows Explorer,
we want to make sure we configure Explorer so that it gives us the information we need to
understand and audit our systems effectively. On the next slide you see that there are options in
Explorer that allow us to see system files that are not normally shown, as well as the file attributes.
[Screenshot: Windows Explorer, View menu, Customize This Folder]
From the screenshot above, select the boxes “Show all files” and “Show file attributes in detail view”.
Then when you have the view in Windows Explorer set to “Details”, the file attributes will display in
the rightmost column (to the right of each file listing). This means that you will not normally notice
these, but you can drag and drop (or resize) the columns in Explorer to enable you to see the
attributes. Anytime you are in the root drive of your disk C:\ or in your windows directory
C:\Windows you should probably be aware of attributes and hidden files.
Note that not ALL versions of explorer shipped with Windows 98 appear to have the capability to
display file attributes as shown adjacent to the lower arrow above.

and MS-DOS. In addition, disk utilities that were not designed
explicitly for the FAT32 file system will not be able to work with
this disk. If you need to access this disk with other operating
systems or older disk utilities, do not enable large drive support.
Since FAT16 uses clusters to allocate files, with a 2^16 address size, it uses fairly large clusters.
With FAT32’s larger address space, clusters can be smaller and therefore the disk is better utilized.
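The four attributes from the Explorer slide and the cluster arithmetic above both live in the on-disk FAT structures. The script below is an added example, not from the course: it decodes 32-byte FAT short-name directory entries (attribute byte at offset 11, start cluster split across offsets 20 and 26, file size at offset 28), flags hidden and system files, and computes how much of each file's last cluster is unused under the 2^16-cluster FAT16 model described on the slide versus a smaller FAT32 cluster. The directory contents, file names and sizes are constructed test data.

```python
import struct

# FAT directory-entry attribute bits. R/H/S/A are the four Explorer shows;
# V (volume label) and D (directory) only appear on disk.
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_VOLUME = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LETTERS = [(ATTR_READ_ONLY, "R"), (ATTR_HIDDEN, "H"), (ATTR_SYSTEM, "S"),
                (ATTR_VOLUME, "V"), (ATTR_DIRECTORY, "D"), (ATTR_ARCHIVE, "A")]

# One 32-byte short-name entry, little-endian:
# name(11) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2) acc_date(2)
# clus_hi(2) wrt_time(2) wrt_date(2) clus_lo(2) size(4)
ENTRY_FMT = "<11sBBBHHHHHHHI"


def make_entry(base, ext, attr, cluster, size):
    """Build a directory entry with zeroed timestamps (constructed test data)."""
    name11 = base.ljust(8).encode("latin-1") + ext.ljust(3).encode("latin-1")
    return struct.pack(ENTRY_FMT, name11, attr, 0, 0, 0, 0, 0,
                       (cluster >> 16) & 0xFFFF, 0, 0, cluster & 0xFFFF, size)


def parse_entry(raw):
    """Decode one entry; None means the end-of-directory marker."""
    (name11, attr, _nt, _tenth, _ct, _cd, _ad,
     hi, _wt, _wd, lo, size) = struct.unpack(ENTRY_FMT, raw)
    if name11[0] == 0x00:
        return None
    base = name11[:8].decode("latin-1").rstrip()
    ext = name11[8:].decode("latin-1").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": name11[0] == 0xE5,   # 0xE5 in the first byte marks an erased entry
        "attrs": "".join(ch for bit, ch in ATTR_LETTERS if attr & bit),
        "hidden": bool(attr & ATTR_HIDDEN),
        "system": bool(attr & ATTR_SYSTEM),
        "cluster": (hi << 16) | lo,     # FAT16 leaves the high word at zero
        "size": size,
    }


def parse_directory(blob):
    """Walk a directory region entry by entry until the end marker."""
    entries = []
    for off in range(0, len(blob) - len(blob) % 32, 32):
        e = parse_entry(blob[off:off + 32])
        if e is None:
            break
        entries.append(e)
    return entries


def slack_bytes(size, cluster_size):
    """Bytes between end-of-file and the end of the file's last cluster."""
    return (-size) % cluster_size


def min_cluster_size(partition_bytes, max_clusters, sector=512):
    """Smallest power-of-two cluster that fits the partition into max_clusters."""
    cluster = sector
    while partition_bytes // cluster > max_clusters:
        cluster *= 2
    return cluster


def audit(blob, cluster_size):
    """(name, attrs, size, slack) for each live file, so H/S files stand out."""
    report = []
    for e in parse_directory(blob):
        if e["deleted"] or "D" in e["attrs"] or "V" in e["attrs"]:
            continue
        report.append((e["name"], e["attrs"], e["size"], slack_bytes(e["size"], cluster_size)))
    return report


# Constructed directory: a normal file, a hidden+system file, an erased entry, end marker.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", ATTR_ARCHIVE, 0x0003, 93_000),
    make_entry("SECRET", "TXT", ATTR_HIDDEN | ATTR_SYSTEM, 0x0001_2345, 10_000),
    make_entry("\xe5LDFILE", "TMP", ATTR_ARCHIVE, 0x0010, 512),
    b"\x00" * 32,
])

if __name__ == "__main__":
    fat16 = min_cluster_size(2 ** 31, 2 ** 16)   # 2 GiB partition, 2^16 clusters
    for cs in (fat16, 4096):
        print(f"cluster size {cs}:", audit(SAMPLE_DIR, cs))
```

Two things fall out of running it. A 2 GiB FAT16 partition forces 32 KiB clusters, so a 10,000-byte file leaves 22,768 bytes of slack in its last cluster, while 4 KiB clusters leave 2,288; that slack is the space the "data after end of file" trick on a later slide uses, and it only shrinks, never disappears, when you move to FAT32. The attribute letters make a hidden+system file obvious in a listing even when Explorer would not show it.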
FDISK
Microsoft Windows 98
Fixed Disk Setup Program
(C)Copyright Microsoft Corp. 1983 - 1998
FDISK Options
Current fixed disk drive: 1
Choose one of the following:
1. Create DOS partition or Logical DOS Drive
2. Set active partition
3. Delete partition or Logical DOS Drive
4. Display partition information
Enter choice: [4]
WARNING: You can really mess up your system messing with your partitions. At a minimum, have a bootable floppy with fdisk on it in

C:\Temp
Let’s take a minute and review everything we have learned about hiding data. Someone can mark a
file as hidden, or give it a reasonable-sounding name in a crowded directory, or give it a misleading
extension, calling a .jpg an .exe or whatever. With a disk editor, they can add data after the end of
file in a cluster. Malicious code can intercept reads to the disk and redirect the read to a new
location. With a partition editor, one can create a partition in which to place data that is not
accessible by typical commands and operating system utilities. While the partition may display using
fdisk, the data is not readily accessible. With steganographic tools, you can hide a file inside of
another file. Whew! That is a lot! And then we need to realize that Windows is a bit complex and
files don’t even have to be hidden if we don’t know what to look for. This screenshot shows the
C:\Temp directory, and Windows crams a lot of stuff there. Another location is C:\Windows. There
are a number of directories here: your profile, another temp, temporary internet files, html, and of
course there is the recycle bin on the desktop. If you ever have to audit a Windows 9x system to
determine what someone has been doing, odds are there is data to find.
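Of the hiding techniques listed above, the misleading extension is the one an auditor can catch mechanically, because file formats announce themselves in their first bytes regardless of the name. The script below is an added example, not part of the course: it compares the extension a file claims against a small table of well-known signatures (JPEG, PNG, GIF, DOS/Windows `MZ` executables, ZIP, PDF) and reports the mismatches. The file names and contents are constructed; a real run would read the first bytes of each file under a directory such as C:\Temp.

```python
# Leading-byte signatures -> the type a file of that content really is.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "exe"),            # DOS/Windows executable header
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]

# Extensions that legitimately carry another entry's signature.
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe", "drv": "exe"}


def detect_type(data):
    """Type implied by the leading bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def claimed_type(filename):
    """Type implied by the extension, normalised through EXT_ALIASES."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_ALIASES.get(ext, ext)


def check_file(filename, data):
    """Compare claimed and actual type; unknown content is never a mismatch."""
    claimed = claimed_type(filename)
    actual = detect_type(data)
    return {
        "name": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and actual != claimed,
    }


def scan(files):
    """files: {name: leading bytes}. Returns the mismatching reports."""
    return [r for r in (check_file(n, d) for n, d in files.items()) if r["mismatch"]]


# Constructed sample contents; only the first bytes matter for the check.
SAMPLE_FILES = {
    "vacation.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
    "readme.txt": b"plain text, no known signature",
    "photo2.jpg": b"MZ\x90\x00" + b"\x00" * 16,   # an executable renamed to .jpg
    "notes.doc": b"PK\x03\x04" + b"\x00" * 16,    # a zip archive renamed to .doc
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "vga.drv": b"MZ\x90\x00" + b"\x00" * 16,      # driver, legitimately an MZ file
}

if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(f"{r['name']}: claims .{r['claimed']}, content looks like {r['actual']}")
```

The check is deliberately one-directional: a file with an unknown signature is not reported, because plain text and most data files have none. It also does nothing about hidden attributes, slack space or steganography, which is the point of the slide: the signature check closes one door out of several, and the rest still have to be looked at by hand.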