Secure System Administration - SANS GIAC
© 2000, 2001
Windows NT 4.0 Security
In our next sections together we will consider the Windows NT and Windows 2000 operating
systems. Windows NT was Microsoft’s first effort in building a production server operating system,
and they made a number of changes and improvements in Windows 2000. We are going to take a
quick look at the architecture and file system and then move into the tools that you can use to gather
clues from your operating system. I am going to approach the tools in the following way: since NT
has tools to implement security, we are going to learn to configure our system security policy and at
the same time how to check it. As always, we will focus on learning to use the tools that are
available with the operating system and possibly the Resource Kit, but we are also going to look at
something new, your operating system’s interface to the network. In order to run a number of the
exercises, you will need to be logged in as Administrator. As always, unless this is a scratch
operating system that you loaded only for testing, make sure you have a good backup before trying
privileged system commands.
Windows NT architecture (slide), from the hardware up:
  Hardware
  Hardware Abstraction Layer (responsible for CPU and bus)
  Windows NT Kernel
  NT Executive (Object Manager, Virtual Memory Manager, I/O Manager)
  Subsystems: Security, Win32, POSIX ...
  User Processes: Outlook, Explorer ...

What is Running?
Start → Settings → Control Panel → Devices
Attackers may target device drivers because they run in kernel mode, with access to most system functions and to all of memory; a malicious driver is not constrained by the security subsystem at all. For this reason, we need to know what drivers are installed on our system. To see which drivers are installed and their current status use:
Start → Settings → Control Panel → Devices
The Devices dialog appears, showing each device name, its current status, and its configured startup behavior. Highlight a device name to start or stop the device or to change its startup behavior. Available options for startup behavior include Automatic, Manual, and Disabled. Other options may be available depending on the Service Pack applied and your current system configuration. Record this list for a known-good system; a driver you cannot account for is worth investigating before it is allowed to start again.
New and reassigned systems often arrive with optional hardware that is not required. These can
complicate configuring the server and may give attackers another door into the system. Experts do
not recommend modems and removable media devices for critical systems. Physically remove these
and their associated drivers and software.
Protecting the devices involved in the boot process is critical. If at all possible, place servers in a
locked room with limited access to maintain physical security. When this is not possible, secure the
server with a power-on password and consider disabling the option to boot from the floppy drive. If
the system doesn't need the floppy drive, remove it.
Kernel Mode
• Hardware Abstraction Layer (HAL): directly interfaces with the hardware and allows NT to run on completely different hardware such as Intel x86 and DEC Alpha chips
• Windows NT Kernel
Core NT File Systems
• FAT 16
• FAT 32 (Windows 2000 only; Windows NT 4.0 has no native FAT32 support)
• NTFS4 and NTFS5
Any discussion of NT or Windows 2000 should be based on the NTFS file system: it is the only one of the three with per-file permissions and auditing, so a FAT partition on a server has no file-level protection at all. The differences between NT 4.0 and NT 5.0 (Win 2K) are small in regard to the file system, although NTFS5 adds features such as the Encrypting File System and disk quotas.
Core NT File Systems
The three file systems listed on the slide account for most Windows files. System documentation claims that NT supports a number of file systems. In practice this is true only for special purposes, through Installable File Systems such as:
• CDFS for ISO 9660 CD-ROMs
• UDFS for DVDs
Both Windows NT and Windows 2000 were designed around the NTFS file system and are happiest in an NTFS environment.
Instead of FDISK, on NT you should use Disk Administrator. As the user Administrator, use Start → Programs → Administrative Tools → Disk Administrator to do partitioning and other FDISK work.
[Editor's note: vol will display the serial number and label for a disk with any of the Windows file systems. This can be used as a step in evidence collection, for instance vol c:\ > disklabel.txt. It will not, however, display the file system, whereas chkdsk will. - SRN]
NTFS
• 64-bit address scheme (2**64 bytes)
• Hierarchical database, the Master File Table (MFT)
  – Every file is a record in this database
• A good attacker can change this information to hide their files!
• To check the creation date/time and size of all EXE files:
  dir c:\winnt\*.exe /s/t:c > exefiles.txt
Checking File Stamps
One sign of system compromise is unauthorized modification of files. This slide shows an example of using options to the dir command to query one or more files for their creation, last-write or last-access time. Be aware that an attacker with write access to a file can reset these times (the Win32 SetFileTime API does exactly that), so this technique is not perfect. But dir is still a useful tool for exploring what an attacker has done to a system during a given session, and a listing captured while the system is known to be clean gives you a baseline to compare later listings against.
The example at the bottom of the screen uses the /t:c switch, which reports the date and time stamp of when the file was created. Substitute a "w" for the "c" to see the last time the file was written to, or an "a" to see the last access time. NTFS keeps these three times separately; the original FAT file system recorded only a last-write date and time. Two caveats: the last-access time is updated by ordinary reads, so opening a file yourself while investigating alters the very stamp you wanted to examine, and dir reports only the stamps, not who changed the file, so it is no substitute for enabling file auditing on NTFS. For more information on the dir switches available, type dir /? at the command prompt.
Next let's see how to configure Windows Explorer to show more file types.
Viewing all files
As you probably discovered in the previous section on Windows 9x, while dir has a large number of options, it has limitations, and the default view options of Windows Explorer in NT hide even more. By default Explorer hides .dll, .sys, .vxd, .386, .drv, and .pnf files, and it also hides the extensions of known file types such as .bat, .txt, .htm, .rtf, .doc, .exe, etc. This represents a security risk: an attacker can hide rogue code under a known file extension, or disguise the file type by using multiple extensions, so that YourReport.rpt.exe is displayed as YourReport.rpt. At the command prompt, dir /a lists files regardless of their hidden and system attributes and always shows the full name.
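The following Python script is an added example, not code from the SANS course or from Microsoft. It serves both the Checking File Stamps notes above and the disguised-extension point of this section: it parses captured listings of the kind the slide's dir c:\winnt\*.exe /s/t:c > exefiles.txt command produces (the NT 4.0 "10/17/96  12:00a" date format and the four-digit-year format are both accepted), diffs a current listing against a baseline taken when the system was known-good, and flags names like YourReport.rpt.exe where an executable extension hides behind another one. The two embedded listings, their file sizes and dates are constructed for the example; the set of extensions treated as executable is the script's own assumption.

```python
r"""Added example: triage of captured dir listings (not from the SANS course).

Parses the output of a command like the slide's
    dir c:\winnt\*.exe /s/t:c > exefiles.txt
diffs it against an earlier baseline listing of the same tree, and flags
names that disguise an executable behind a second extension.
"""
import re

# One entry line of NT 4.0 / Windows 2000 `dir` output, e.g.
#   10/17/96  12:00a            45,328 NOTEPAD.EXE
#   10/17/1996  12:00 AM        45,328 NOTEPAD.EXE   (later Windows versions)
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2,4})\s+"
    r"(?P<time>\d{1,2}:\d{2}(?:[ap]|\s?[AP]M))\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<name>.+?)\s*$"
)
# The header line that precedes each directory's entries.
DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")

# Extensions cmd.exe or the shell executes directly (assumed set for the example).
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_dir_listing(text):
    """Map full path -> (date, time, size) for every file in a dir listing."""
    entries = {}
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None or m.group("size") == "<DIR>":
            continue
        size = int(m.group("size").replace(",", ""))
        path = current_dir.rstrip("\\") + "\\" + m.group("name")
        entries[path] = (m.group("date"), m.group("time"), size)
    return entries


def diff_listings(baseline, current):
    """Files added, removed, or whose stamp/size differs since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def suspicious_names(paths):
    """Flag names like YourReport.rpt.exe: an executable extension hidden
    behind another one (Explorer shows only 'YourReport.rpt' by default)."""
    flagged = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        parts = name.split(".")
        if len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS:
            flagged.append(path)
    return flagged


def triage(baseline_text, current_text):
    """Run all three checks and return one report dict."""
    baseline = parse_dir_listing(baseline_text)
    current = parse_dir_listing(current_text)
    report = diff_listings(baseline, current)
    report["disguised"] = suspicious_names(sorted(current))
    return report


# Constructed sample listings (sizes and dates invented for the example).
BASELINE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1C2D-3E4F

 Directory of C:\WINNT

10/17/96  12:00a            45,328 NOTEPAD.EXE
10/17/96  12:00a           114,448 EXPLORER.EXE
               2 File(s)        159,776 bytes

 Directory of C:\WINNT\system32

10/17/96  12:00a           208,144 CMD.EXE
10/17/96  12:00a            71,024 NET.EXE
               2 File(s)        279,168 bytes
"""

CURRENT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1C2D-3E4F

 Directory of C:\WINNT

10/17/96  12:00a            45,328 NOTEPAD.EXE
10/17/96  12:00a           114,448 EXPLORER.EXE
               2 File(s)        159,776 bytes

 Directory of C:\WINNT\system32

10/17/96  12:00a           208,144 CMD.EXE
10/17/96  12:00a            71,536 NET.EXE
03/14/01  02:47a            18,944 YourReport.rpt.exe
               3 File(s)        298,624 bytes
"""

if __name__ == "__main__":
    for kind, paths in triage(BASELINE, CURRENT).items():
        for path in paths:
            print(f"{kind:9} {path}")
```

In use, replace the two embedded constants with the contents of a listing captured at build time and one captured now (dir c:\winnt\*.exe /s/t:c > baseline.txt, then the same command into exefiles.txt later). Because an attacker can reset the creation, write and access times, the report treats any difference in the recorded size as a change and lists newly appeared files separately; a file that keeps its original stamps but changes size is exactly the case timestamps alone would miss.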