Re: Strange security question.
Bill Moseley (moseley@netcom.com) Sat, 18 May 1996 05:25:16 -0700
- Next message: Children's Services, Sunnyvale Library: "Re: Strange security question."
- Previous message: Cary Gordon: "Re: Strange security question."
- Maybe in reply to: Children's Services, Sunnyvale Library: "Strange security question."
- Next in thread: Children's Services, Sunnyvale Library: "Re: Strange security question."
At 05:33 PM 5/16/96 -0700, you wrote:
>Hi JoAnn-
>I think if you use a non-standard name for windows directory, hiding the
>directory name is good enough. No need to hide the files. Besides we all know
>that there is a win.ini file for instance.
>
>Just a little suggestion: be careful when you use hide/readonly attrib,
>especially with /s. Also be specific, eg. attrib \trumpet\*.cmd +r.
These are good points.
The hidden attribute is designed to hide files from directory listings - not
from access by a program. The fact that Windows and security programs get
confused if some files are hidden (or readonly) screams bad
programming. But, that's one programmer's opinion.
>So last night I tried the hidden thing again. The same thing happened-but
>this time as I was tearing my hair out, I noticed that when I went into DOS
>and used the attrib -h /s command to make the files unhidden, I got a
>message saying that there were three files that the -h did not work with-
>they were IO.SYS, MSDOS.SYS, and 386SPART.PAR. After a little trial and
>error, I found that if I used the attrib command for each to take off the
>system, hidden and read only attributes, then put the system attribute back
>on, the computer worked fine. And only 15 minutes instead of 3 hours!
It is the attrib command that won't let you change attributes on a file if
the "SYSTEM" attribute is set. Other programs that will change attributes
(Norton's FA, for example) are less restrictive.
Normally, IO.SYS and MSDOS.SYS are set System, Hidden, and Readonly.
386SPART.PAR is typically set System and Hidden. (I wouldn't think it would
matter if 386SPART.PAR was readonly since the entire reason for this file is
to bypass the DOS file system.)
As Riki said, if you use non-standard directory names and make them hidden
it will be harder to find your windows files that can't be protected by
readonly.
(You think Win 3.1 is odd, in Windows 95 you can set up different "users".
If you make a user's password file readonly, then Windows 95 will allow
*any* password to work!).
In addition to making the directories non-standard and hidden, I make all
.ini files readonly. This keeps parameters from changing and prevents
hackers from modifying these files. I also make .exe files readonly. This
prevents hackers from overwriting a "good" program with a "bad" program.
For example, say you allow downloading. A patron, no, a hacker brings in a
disk with command.com on it. They first download netscape.exe to their
floppy or the hard disk to make a "backup". Then they download command.com
from their floppy to the C: drive overwriting netscape.exe. Click on the
Netscape icon which now runs command.com and they have full control of the
computer. When done adding their "back door" to your system they put
everything back.
Not all programs use .ini files. Some programs (like Ewan) use additional
files for their configuration information. Here is a simple trick. The
archive attribute on a file will tell you if a file was modified. So,
remove the archive attribute from all files: attrib -a *.* /s (as you found
this won't remove the archive attribute from SYSTEM files). Enter this
command from the root directory. It may take a few seconds to modify all
the directory entries.
Use the computer and change settings and windows sizes, for example. Then
back at the root directory type: dir /aa /s (show all attributes=archive,
and search subdirs too). You will see every file that was modified by your
changes on the entire computer.
You can also use this method to look for files that patrons have saved to
the hard disk. Just clear all the archive attributes - wait a week and then
use the DIR command to find all the new files.
Protecting config.sys and autoexec.bat:
---------------------------------------
You also want to protect config.sys and autoexec.bat since it is simple to
look at those files to find out the name of the Windows directory, which
defeats renaming the Windows directory. Of course, these files need to be
set readonly.
Preventing access to these files depends on how they can get to them. Most
likely is accessing them using Netscape.
If you are using Netscape you can set up a "dummy" helper application that
prevents displaying .sys, .ini, .bat, and .cmd files. This is done by
telling Netscape to run a fake program (X:\dummy.exe) when a user clicks on
a given file type. When a patron clicks on config.sys, for example,
Netscape tries and fails to run X:\dummy.exe and the file won't be displayed.
Before Netscape version 2.0, using the URL file:///c|/ would NOT display
hidden files. Making config.sys and autoexec.bat hidden in addition to
readonly prevents them from showing in a file:///c|/ listing. They would
have to enter the URL file:///c|/config.sys to TRY to display the file. But
the dummy.exe setup above would still prevent viewing.
Now, version 2.0 displays hidden files so it is a simple matter to
shift-click to download (save) hidden files, such as config.sys. If the
patron was smart, they could download config.sys to the C: drive with a
different extension and then view the file. I would hope that Netscape
would fix this, but we all know how likely that is.
So, one option is to edit Netscape to make the "file:///C|/" syntax not work
- this takes a binary editor and finding the right "file:" text and changing
it. Email me if you want more information on this.
Ok, let's get technical:
Yet, another (extreme) option is to modify IO.SYS so that DOS uses a
different file than config.sys. This requires a "sector" editor like
Norton's NU (or the debug program included with DOS) that can modify sectors
directly on the hard disk. A sector editor is required because io.sys MUST
be located at an expected physical place on the hard disk and io.sys can't
be edited as a DOS file.
For example, you could edit io.sys and change it to use "hidden.sys" instead
of config.sys. Place your normal parameters in hidden.sys (leave config.sys
as a decoy) and mark hidden.sys +r +s +h with attrib.
Of course, there are a number of issues to keep in mind if you decide to be
this tricky. Many programs (typically during installation) edit the
config.sys and autoexec.bat files - so you would have to watch for problems
when installing new software. Also, if you ever have to "sys c:" your hard
disk, you will need to edit io.sys again (or have an emergency recovery
diskette that has the modified io.sys on it).
For most though, it is enough to hide directories, protect configuration
files and use a good backup system.
Bill Moseley
mailto:moseley@netcom.com
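The two detection ideas in the post above, spotting a "good" program that has been overwritten and finding every file that changed or appeared since a baseline was taken, are both forms of comparing the disk against a known-good snapshot. The following is an added example, not code from the post or from any of the programs it mentions; it generalizes the archive-attribute trick by recording a content hash for every file instead of relying on the archive bit, so it works on any filesystem and also catches a file replaced with one of the same size. The sample "disk" it builds (a NETSCAPE directory, netscape.exe, netscape.ini, CONFIG.SYS, PATRON.TXT) and the demo() function are constructed for the example.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_of(path):
    """Content hash of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file below root (relative POSIX path) to its hash.

    This plays the role of 'attrib -a *.* /s' in the post: it records a
    known-good state that a later pass can be compared against.
    """
    table = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            table[p.relative_to(root).as_posix()] = sha256_of(p)
    return table


def compare(before, after):
    """Report what changed between two snapshots, like 'dir /aa /s' would."""
    new = sorted(set(after) - set(before))
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    deleted = sorted(set(before) - set(after))
    return {"new": new, "modified": modified, "deleted": deleted}


def demo():
    """Build a constructed sample disk, take a baseline, simulate the
    scenario from the post (netscape.exe overwritten, a patron file saved)
    and return the comparison report."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "NETSCAPE").mkdir()
        # constructed contents; only their hashes matter
        (root / "NETSCAPE" / "netscape.exe").write_bytes(b"MZ good program")
        (root / "NETSCAPE" / "netscape.ini").write_bytes(b"[Main]\nHome=about:blank\n")
        (root / "CONFIG.SYS").write_bytes(b"DEVICE=C:\\WINDOWS\\HIMEM.SYS\n")
        baseline = snapshot(root)

        # What the post describes: the program replaced by a different
        # executable of the same name, plus a new file left on the disk.
        # CONFIG.SYS is left alone and must not be reported.
        (root / "NETSCAPE" / "netscape.exe").write_bytes(b"MZ command.com")
        (root / "PATRON.TXT").write_bytes(b"saved by a patron\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline dictionary would be written to a floppy or other media the public machine cannot alter, and compare() run against a fresh snapshot after a week of use; a readonly attribute stops casual edits but, as the post notes, only a comparison against a trusted record tells you what actually changed.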