HIR Issue 9: Hackers Information Report 9
Windows 2000: What is it and why does it matter?
Written by Axon
...Guess I'd better give Shouts to MSDN (or else?)
I recently got ahold of a Windows 2000 (Advanced Server) Beta 3 CD (Microsoft Developer Network stuff for beta testers; my boss just happens to be one of them...). I looked at the system requirements and gasped for air. This thing was gonna be a BIG HOG!!! If I had to describe it in a single sentence, this would be the one: "Windows 2000 is almost nothing more than Windows 98 sitting on top of an NT kernel, but it requires almost enough hard drive to install NT4 AND 98."
Now, let it be known by all, this is the Advanced Server version of Windows 2K... From my understanding this is the equivalent of NT Server, Enterprise Edition. If I'm not mistaken, there will be a Windows 2000 end-user version (Windows 2000 Professional), Windows 2000 Server, and Windows 2000 Advanced Server. I am playing with Advanced Server, so don't expect all this stuff to be in all versions of Win2K.
... I had enough RAM in my Bitch Box (tm), you know, the one that I used to rank server OS's earlier this issue? The total hardware price tag on the big W2K is a PII 300 or better with at least 64 megs of RAM, and the OS takes up a whopping 250 megs (or so) of disk, making it, I believe, the largest hog of all OS's currently known to mankind. This should not bring one glimmer of surprise to any of us, because "hey, it's Microsoft we're dealing with here." It DID run on the P120 though, if what it was doing can be qualified as "running".
Not all is lost, though. Of all the Microsoft OS's (and I've tried them all, even the original OS/2 released by MS), this one FINALLY gives some built-in features I like (as well as quite a few that I loathe, but I'll get over it). Let's take a look at some new and cool things that W2K has to offer first... (Some things might show up in both the good and the bad categories.)
- NTFS Filesystem adds per-user, per-file access control
- Uses the NT Kernel, making it easier to manage threads
- MS Actually lets administrators telnet in, and they added some new command-line programs that let the admins do some cool stuff remotely or from a command prompt (I'll cover the new commands later)
- Almost none of the current Windows DoS attacks work on it
- Network status (connect/disconnect) and things like changing IP Addresses, adding protocols, etc. no longer require a reboot
And, of course, there is some stuff I just don't like (and neither of these lists is complete):
- The NTFS filesystem is slow, and can still be read by anyone with physical access and a Linux boot floppy with NTFS support in the kernel, or NTFSDOS on a Win95/DOS boot floppy
- It likes to use 131 megs of my 64 megs of ram (it likes to swap)
- You can no longer create bootable floppies with it
- The NT kernel doesn't play games for crap!
- It STILL lies about having to reboot (as in, it says reboot and this will work, you say "no", and it works anyhow, without the reboot)
- 2 Words: Active Desktop. It looks cool, but MAN it's a HOG!
- IE is built RIGHT in, no getting around it...sigh
- MS actually lets administrators telnet in, so now they can send their usernames and passwords in the clear across TCP/IP links that are easy to sniff. Telnet does no password hashing whatsoever on the wire (as if that would make much of a difference, since the entire session, commands and all, is plaintext anyway)
So, as you can see, you don't want to be switching back to MS operating systems from your cool Linux/*BSD/Solaris-Intel boxes just yet. If you have a spare machine that's capable of running this, and you can afford it, I would advise playing with it. It offers quite a few cool little features that I wish MS had thought about long ago.
Commands, commands, commands...(It's still not all point-and-click, guys!)
Yah, they added some stuff... some cool stuff, actually. Take, for instance, the command interpreter (cmd.exe, the NT-family replacement for command.com): it has built-in features that make it "kind of" act a little more Unix-y. It accepts a double pipe ("||") to run the second command only if the first command fails, and a double ampersand ("&&") to run the second command only if the first one succeeds, just like a Unix shell. All of the commands below can be run from a command prompt (and a telnet session!). Several of them were already in NT4 but never made it to 95/98. Check this out:
- findstr: it's grep! It uses regular expressions and works through pipes. This is amazing... kind of.
- assoc: lets the administrator view or change which file type a given extension maps to (for example, .txt maps to the "txtfile" type)
- ftype: views or changes which program is bound to a given file type (for example, which editor opens "txtfile", and therefore .txt)
- cacls: views, modifies, or adds user access permissions (ACLs) on individual files or directories from the command line. Schweet!
- at: a command-line interface to the Windows 2000 Schedule service, so jobs can be queued to run at a given time without touching the GUI. This is VERY cool stuff!
- tlntadmn: "telnet admin"; lets admins change which port the telnet service listens on and how many users can be on at a time, list current telnet connections, and drop specific connections. Kinda nice...
- start: opens a new window on the box itself and runs a program in it... kinda fun, fairly useless so far as I've seen.
- compact: file-by-file compression, decompression, or compression status queries on NTFS volumes.
- Over a telnet session, "Alt" key combos can be generated by pressing <Ctrl>-A followed by the key you were going to use (e.g. <Alt>-F for the File menu in the DOS text editor becomes <Ctrl>-A followed by the F key).
Stability:
I must say, for being as much of a hog on resources as it is, I haven't really been able to crash it. Windows 2000 (just the beta pre-release) seems DARN stable, which actually took me by surprise. I think MS finally got their act together when it came to the NT kernel. I could always bomb out NT4's kernel, dropping it to its knees and making it go BSOD (Blue Screen of Death). Things I've found that BSOD NT4's kernel: trying to spawn processes while the machine is locked (as in, waiting for a login or at a password-protected screen saver), running certain Windows 3.x programs, and a handful of other "normal" things that just kill NT. W2K isn't like that. Some of the old DoS attacks make it use a little more CPU (up to 60%, but not 100% like the old ones). This tells me that MS fixed up the TCP stack quite a bit (but not enough, yet). The kernel is larger than the NT4 kernel, but seems to be a lot more stable and feature-rich from what I've seen.
If you have a spare machine with the power to run this thing decently, I would consider it. No word on how much cash one will shell out for it, though.
Why the heck is Windows 2000 a reality? Didn't 98 just come out, and isn't there already a "second edition" in the works?
Actually, yes, 98 just came out recently, and they really shafted you guys. Windows 98 is NOT Y2K compliant as originally proclaimed by the MS Empire. Once upon a time, there was also a whole load of patches and stuff for Win98 available from MS's web site mirrors, too. Those went Bye-Bye... MS is going to apply all those patches plus some, and release a "Win98 Second edition" thing, that will run you poor guys a pretty chunk of change... I mean really...
So, with all this happening, why is Windows 2000 already in the works? It all has to do with MS wanting everyone to run Windows NT. Back in the day, before Windows NT 3.51, Bill Gates said that this "New Technology" operating system that was under construction would be the way of the future. Everyone would use it. It would be the end of the days of MS-DOS (which is still the primary underlying OS kernel for 95 and 98; if you want to be honest, not much has changed from the days of MS-DOS 5.x with "C:\windows\win" in the autoexec.bat file). Why get rid of DOS, you ask? Sometimes I wonder the same thing, but I guess MS thinks that NTFS is "more secure", which it kind of is, mostly against remote users.
But Windows NT was "much too difficult for the end users" at first, and it didn't (and still doesn't) play the cool games very well. It was ugly, and had tons of bizarre menus and options that would only make sense to a system administrator. The latter part hasn't changed a whole lot either; there are literally TONS upon tons of options, menus and trees to explore, but Windows 2000 looks and feels a lot like a stabilized Windows 98 box. Windows 2000 makes an attempt to nice up the menus (that is, give really verbose menu options so that it's fairly clear what's gonna happen when you click on stuff, and believe me, it helps when there are so many things to choose from). If you're used to NT 4.x, you're gonna be lost for a day or so on your Windows 2000 server box. Things are in different places, there are fewer administration programs, and the ones that are there do a lot more than their older NT4 cousins. If you're using (or have seen) Windows 98, it'll be comfortable, but there's a lot of admin stuff you're not really used to seeing. Windows 95 users will be lost even longer than the NT4 users, but they'll manage.
This is truly the attempt to "make" everyone use NT. Windows 2000 is totally based on a revised NT kernel, and is even installed from an "i386" directory off the CD, much akin to the Intel NT4 installation. Setup will install onto a FAT16/FAT32 partition and leave it that way if the user wishes (it can also format the partition as NTFS up front). A FAT partition can be converted to NTFS later by the admin with "convert C: /FS:NTFS", but converting the system partition requires a reboot, because the conversion runs at the next boot, before the volume is in use.
NTFS WHAT?!
Once changed to NTFS, there is no going back. It's NTFS for good: there is no convert-back tool, so undoing it means backing up, reformatting as FAT, and restoring.
I would recommend using NTFS only if you want to have multiple users (local and remote) that you don't completely trust with the files. Security-wise, what NTFS adds is per-user and per-group file permissions, which are accessible through the "Properties" dialog for each file and directory. Converting to NTFS adds a "Security" tab to that dialog, allowing the administrator to edit the ACLs (Access Control Lists) for the object. Any user who can read a file's permissions can see its ACL, and any user who owns the object, or has been granted Full Control (which includes the "Change Permissions" right), can EDIT the ACL... so be careful who gets Full Control.
ACLs have a kind-of pyramid structure. The basic permissions in the Security tab are:
- Full Control
- Modify
- Read & Execute
- List Folder Contents (folders/directories only)
- Read
- Write
Each higher one implies the ones under it (Modify includes Read & Execute, Read and Write; Read & Execute includes Read and List Folder Contents). Each of these can be in one of three states for a given user or group: Allow, Deny, or neither ("not set"). Deny takes precedence over Allow: if any Deny entry matches a user, directly or through one of their groups, it cancels the matching Allow. So if you give the user "me" Read access and deny the group "Everyone" Read access, "me" ends up with no Read access, because every account is a member of "Everyone" (and that can't be changed). However, if "Everyone" is simply not granted or denied Read while "me" IS granted Read, "me" keeps it: a permission that is neither allowed nor denied is not a Deny, it just grants nothing. Since "Everyone" doesn't have Read granted, nobody else can read the file either, and everyone is happy. If a user is given Full Control over a file or directory, all the other permissions come with it, unless one of them is cancelled by a Deny on a group the user is in. One subtlety: Windows evaluates the entries set directly on an object before the entries it inherited from its parent folder, so an explicit Allow on a file beats a Deny that was inherited from the folder above it; among entries at the same level, Deny wins. Remember this when troubleshooting file access problems.
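To make the Allow/Deny/not-set rules above concrete, here is a small Python model of them. This is an added example, not part of the original article and not anything Microsoft ships: it takes an ACL as a list of entries like the ones in the Security tab and computes what a user actually ends up with. Permission names follow the Windows 2000 Security tab; the account names ("me", "bob", "Staff") and the ACLs are constructed for illustration. Only entries set directly on the object are modelled; real Windows evaluates explicit entries before inherited ones, so an explicit Allow on a file beats a Deny inherited from its folder, which this model does not capture, and it treats the six basic permissions as independent rights, whereas NTFS builds them from finer "special permissions" that overlap.

```python
# Added example (not from the original article): a model of the NTFS permission
# rules described above. ACLs and account names here are constructed, and only
# entries set directly on the object are modelled (no inheritance ordering).

ALLOW, DENY = "allow", "deny"

# The "pyramid": each basic permission and the basic permissions it implies.
IMPLIES = {
    "Full Control":         {"Modify", "Read & Execute", "List Folder Contents", "Read", "Write"},
    "Modify":               {"Read & Execute", "List Folder Contents", "Read", "Write"},
    "Read & Execute":       {"List Folder Contents", "Read"},
    "List Folder Contents": set(),
    "Read":                 set(),
    "Write":                set(),
}


def expand(permission):
    """A permission plus everything it implies (Full Control -> all six)."""
    return {permission} | IMPLIES[permission]


def effective_access(acl, user, groups=()):
    """Return the set of basic permissions `user` ends up with on the object.

    acl    - list of (trustee, ALLOW or DENY, permission) entries, as in the
             Security tab; entry order does not matter in this model.
    groups - groups the user belongs to. "Everyone" is always added, since
             every account is a member of it and that cannot be changed.

    Rules: a Deny on any matching entry cancels the matching Allow; a
    permission that is neither allowed nor denied grants nothing; Full
    Control brings everything with it unless a Deny removes part of it.
    """
    trustees = {user, "Everyone", *groups}
    allowed, denied = set(), set()
    for trustee, kind, permission in acl:
        if trustee not in trustees:
            continue  # entry is for someone else: neither allow nor deny
        if kind == ALLOW:
            allowed.update(expand(permission))
        elif kind == DENY:
            denied.update(expand(permission))
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    remaining = allowed - denied
    # A composite permission survives only if everything it implies survived;
    # e.g. Deny Write strips Write, Modify and Full Control, but leaves Read.
    return {p for p in remaining if IMPLIES[p] <= remaining}


def explain(acl, user, groups=()):
    """Troubleshooting view: the entries that applied to `user`, and the result."""
    trustees = {user, "Everyone", *groups}
    applied = [entry for entry in acl if entry[0] in trustees]
    return applied, sorted(effective_access(acl, user, groups))


if __name__ == "__main__":
    # Case 1 from the text: Allow "me" Read, Deny Everyone Read -> no access.
    acl1 = [("me", ALLOW, "Read"), ("Everyone", DENY, "Read")]
    print("case 1:", explain(acl1, "me"))
    # Case 2: Allow "me" Read, Everyone not set -> "me" reads, nobody else does.
    acl2 = [("me", ALLOW, "Read")]
    print("case 2:", explain(acl2, "me"), explain(acl2, "bob"))
    # Case 3: Full Control for "me", but a Deny Write on a group "me" belongs
    # to strips Write and every composite permission that implies it.
    acl3 = [("me", ALLOW, "Full Control"), ("Staff", DENY, "Write")]
    print("case 3:", explain(acl3, "me", groups=("Staff",)))
```

Run it and the three cases print the entries that applied and the resulting permission set. The third case is the one that bites people in practice: a user with Full Control suddenly loses Modify because a Deny Write on one of their groups cancels Write, and every composite permission that implies Write falls with it.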
NTFS can be easily overcome at any time by anyone with physical access, using NTFSDOS (a DOS tool run from a bootable floppy that reads any file on the NTFS drive; the freely available version is read-only, the commercial Professional version writes too) or a Linux boot floppy with NTFS support in the kernel (Linux's NTFS write support is still marked experimental and can corrupt the volume, so treat it as read-only unless you have a backup). This works against every version of NT, since all of them, from NT 3.1 on, use NTFS. (NT 3.x could also use HPFS, the OS/2 filesystem, which NT4 dropped.) Of course, this relies on a few factors, including physical access and a BIOS that is set to allow booting from floppy or CD-ROM.
I would recommend password-protecting the BIOS settings and turning off floppy/CD-ROM boot, which is a good idea anyways. This will help prevent a malicious user with physical access from compromising your system (although physical access usually means easy admin access anyways: a BIOS password goes away with the CMOS reset jumper or by pulling the battery, and the drive itself can be pulled and read in another machine; but it never hurts to make it harder, and it does stop the casual boot-floppy attack). I would also recommend you get a copy of NTFSDOS or a crafted Linux boot disk kit that offers NTFS access (available on the web). Try it out and get comfortable using it, because one day you might need to recover something. If you ever need to recover it, go into the BIOS settings, enter your password, enable floppy/CD-ROM booting, and proceed, disabling floppy booting when done. This practice ensures that you have access to recover files in case of an emergency, and keeps most anyone else from doing it the same way you did.
Hacking Windows 2000
Remember all those fun hacks for Windows NT? You know, like the ones where if you had an account and physical access to the box, you could add yourself to the Administrators group, and all those? Well, so far as I can tell, not a single one of them works against Windows 2000. I may be wrong, but I've tried all the toys I found for NT4, and nothing works. About the only things Windows 2000 seems to be vulnerable to are the boot floppy with an NTFS tool (covered in the previous section), and sniffing password hashes and raw telnet/FTP sessions. I would say your best bet is the sniffing route. I have not tried L0phtCrack against Windows 2000, but results from our readers are welcome (and I'll post your findings with appropriate credit on the News page and in the next issue of HiR).
The Windows 2000 Registry
I'm not even going to TRY to get too specific here, as the Windows 2000 registry isn't much different from the Windows NT Registry. I'll give ya some pointers on system policies, though...
First things first... In Windows 95/98, it's easy for the end user to change his/her own registry permissions, because there is no real "superuser" account; you know as well as I do that anyone with a few extra minutes on their hands will eventually be able to gain full access on your Win95/98 box, no matter how hard the policies are locked down (see "Windows 95: User Friendly means Hacker Friendly", HiR issue 6 Article 7). Under NT there REALLY is an Administrator account that has access to everything, so there is no need for a normal user to be able to change policies around (and allowing it is just plain bad). Normal users cannot run registry patches or edit the registry in any way that would give them more access, because the registry keys themselves carry ACLs just like NTFS files, and the defaults keep the policy keys read-only for them. Period.
Policies are in a similar location to Windows 95. Follow the registry tree!
Your per-user policies would be under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
(note that it is \Windows\, NOT \Windows NT\; machine-wide policies live under the same path beneath HKEY_LOCAL_MACHINE)
Windows 2000 policies are pretty much identical to Windows 95 policies (in fact, they are identical to the Windows 98 ones, to the best of my knowledge). The new ones add a couple of entries for things such as disabling "Windows Update" (which goes out and tries to grab updates from MS, also telling MS what you have on your machine, uploading your Windows 2000 serial number, and other evil things).
Operating-System wise, How does W2K score?
It's maybe a 6. It's possibly the best MS operating system I've seen. If it's not the best, I would have to say it's the most intuitive. Will I switch to it from Linux, FreeBSD or some other UNIX-derived OS? Not on your life. It's very cool, but there is still something to be said about using too many resources just to make sure the user has an interface to run programs. Windows 2000 doesn't have what it takes just yet; I can do cool raw-socket operations on UNIX OS's, and that means I can have a lot more network fun. I can also do more work in less time, because my OS isn't wasting gerbil-wheel rotations on drawing cool pictures on the screen, and if it IS drawing, it's doing it through X11 or SVGAlib, both of which use fewer resources than whatever MS is doing with their API to get pictures onto the screen. The only real way I can describe what is happening is to relate the operating system to the body of a car, and the hardware of the computer to the engine of the car. Here goes:
If the car's body (the OS) is huge, and bulky, not very streamlined, and weighs a lot, the engine (processor, memory, etc) will have to work harder, and it will never run as fast as it could with a lightweight, sleek, and small body.
Windows 2000 takes up 250 megs of hard drive for an install.
I've seen a linux system use 3 megs of ramdisk space to run just fine.
Which do you think is going to let the end-user use the processor (or hard drive for that matter) more efficiently?
--Axon