Text File | 1998-07-09 | 34KB | 689 lines
HiR 6
Windows 95: User Friendly means Hacker Friendly
by Axon
Everyone knows that Windows 95 is extremely insecure. I would argue that if
you're going to plop Windows 95 on a machine in a public place, you might as
well put a sticky note on the monitor that proclaims "Hack Me!". From the
very genesis of Windows, it's been a huge hacker target. Microsoft has tried
their damnedest to make it more secure, but even with the way Windows can use
the "magic" registry mechanism for "security", there are still many holes
that need help. Even the registry has its holes. In this article, I'll
discuss several of the little inner workings that lie under the "gee whiz"
graphical loser interface that Bill stole from other companies anyway.
In short: Many things that add power or ease of use to Windows will also
decrease privacy and security:
I. The registry
a. Why the registry is so good for security
b. Registry keys that are used for security
c. Why the registry's "security" features mean absolutely nothing
II. OLE (Object Linking and Embedding)
a. OLE features that make the user cheer "OLE!"
b. Why OLE opens up some major security holes
III. Windows 95 Login Screen (Secure? I'd doubt it.)
IV. Windows 95 AutoRun
a. Advantages
b. Problems
c. Disabling AutoRun
V. Help
a. Useful applications for Windows Help
b. Windows help needs to practice what it preaches
VI. Find (A great utility, but...)
VII. Boot Menu
a. Explanation of the Boot Menu
b. Dangers of the Boot Menu
c. Customizing MSDOS.SYS (Contains Boot Menu Information)
Appendix A: Advanced Registry Fun
Appendix B: Some final stuff
Closing Remarks on Windows 95 Security
------------------------------------------------------------------------------
In long: I'll expand on that outline, but keep its structure.
I. The registry
The registry is a good idea. It does everything from getting rid of the
need for .INI files for Windows programs, to keeping track of what
applications should be used for each file extension type (which was its
only function in Windows 3.x). In Windows 95 and NT, it's even an okay
security mechanism. If you find this section interesting, then I'd
suggest checking out Appendix A of this article, "Advanced Registry Fun"
which covers more complex registry toys. Note: Due to the power that is
held within the registry, I am telling you now: "Back up your registry
before you play with it, EACH AND EVERY TIME YOU PLAY WITH IT!!!" This
is easily accomplished by running Regedit.exe, and selecting the file
menu, and exporting your registry file. I usually save it with the
date, such as 6-3-98.reg. If your registry gets messed up, it is easy
to blow away and restore it with this backup. Also, looking at this
backup with a text editor will show you a great example of a huge
registry patch file (see below).
a. Why the registry is good for security
It would seem like the ideal way to enforce security permissions: Alter
the registry so that it no longer allows certain things to be done
anymore, and then, throw in a registry value that keeps the user from
running the registry editor.
b. A registry patch file is one of several ways to make "cookie-cutter"
changes to the registry (I will cover a more advanced method of creating
registry-editing files, .INF files, in Appendix A, Advanced Registry
Fun). The first line of any registry patch file is "REGEDIT4". The
keys are stored in registry patch files in the following format:
--
REGEDIT4
[HKEY_...\PATH\WITHIN\REGISTRY\TREE\TO\KEY1]
"NameOfKey1Value1"=dword:xxxxxxxx (Hexadecimal)
[HKEY_...\PATH\WITHIN\REGISTRY\TREE\TO\KEY2]
"NameOfKey2Value1"="blahblah" (String value, text)
"NameOfKey2Value2"=dword:xxxxxxxx (Hexadecimal)
"NameOfKey2Value3"=hex:ff,00,20,1c...(Hexadecimal Bytes)
"NameOfKey2Value4"=dword:xxxxxxxx (Hexadecimal)
"NameOfKey2Value5"=dword:xxxxxxxx (Hexadecimal)
--
You get the picture...
Here are some of the registry keys and values used for security. These
values are mostly policy values. I will explain a LOT more on policies
at the end of this article. (values are all DWord.) 00000000 is
basically a "No" and 00000001 is basically a "Yes" for these values.
This is not true with ALL the values in the registry! This is true with
the values listed here, though. All of the following values are DWORDs,
not Hex or String.
You can probably figure out what most (or some) of these values do:
I'll explain some archaic values in ()'s next to the value.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
* NoAddPrinter
* NoDeletePrinter
* NoSaveSettings
* NoRun ("Run" item doesn't show up in Start Menu if 00000001)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
* NoNetSetup (Won't let ya use "Network" from control panel)
* NoFileSharingControl
* NoPrintSharingControl
* NoEntireNetwork (Can't see entire network on Net 'hood)
* DisablePwdCaching (stuff you type in Run doesn't stay in the
list box below.)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
(Stuff under the System and Display Properties control panels)
* NoDispCPL
* NoDispScrSavPage
* NoDispSettingsPage
* NoSecCPL
* NoDevMgrPage
* NoConfigPage
* NoFileSysPage
* NoVirtMemPage
* DisableRegistryTools (Keeps regedit from being run...kinda)
c. Why the registry's security features mean nothing.
The registry editor might not allow you to open it and screw with the
underlying registry (thanks to the DisableRegistryTools value) but the
funny thing is that you can create registry patches (using the format I
described above) and name them with a .REG extension. If you double
click on a .REG file, the registry editor reads the registry patch file
and does a "merge", or in other words, changes the values contained in
the registry to match the ones in the patch file. This means fun for
the little guys! Here's a snippet from my favorite registry patch file
that I keep on my Windows 95 disk o' death (anything in parenthesis
isn't part of the registry patch. Square brackets ARE a part of the
patch!!!). Here we go:
----------------------< Cut Edit-reg.REG >-----------------------
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000 (Lets us use the regedit now)
----------------------< Cut >------------------------------------
If you double click on Edit-Reg.REG (Or double click a link to it via
OLE), you will be able to launch registry editor without the "Registry
Editing has been disabled..." message. The rest of the system is yours
once you "adjust" the setting for those other values I listed in section
Ib.
By the same token, replacing the 00000000 with 00000001 in the
"DisableRegistryTools" value in the registry itself, or in the patch
file (of course you need to run the patch file first) will disallow
access to registry-altering tools such as regedit. This is why the
registry needs some work. How do you fix it?
I would advise giving technicians a copy of regedit.exe (and other stuff
like a registry patch file like this one) on a floppy disk, and erase
regedit.exe from the machines. Regedit accepts command line arguments,
running "A:\regedit.exe a:\Edit-Reg.REG" will then allow the technician
to run "A:\regedit.exe", then edit the registry for that system. (Then,
before quitting the registry editor, modify the DisableRegistryTools value
again, or run another patch to lock the registry down again.) Secure? If
someone has a copy of regedit.exe on a floppy and can fabricate a patch
(not hard to do, as shown above) then you're not much better off.
II. OLE (Object Linking and Embedding)
a. OLE features that make the user cheer "OLE!"
OLE isn't necessarily a bad thing. It allows tons of funky things to be
done, such as throwing a digital image into a plain-old text document.
Introduced full-force in win3.x, it was very similar to what the people
at APPLE had been toying with for a while. Add sounds to your documents
or plop part of your spreadsheet into a fiscal report for your boss, and
even attach a whole file to the essay you e-mailed to your English
teacher! OLE handles 2 types of connection methods, Linking and
Embedding (imagine that...). Linking will not place a copy of the
linked document into the work in progress. It merely points to it on
the current computer. Any changes you make to the linked file will be
reflected equally in any document that it is linked to. Embedding a file
places a copy of the embedded file INTO the work in progress. Any
changes made to the embedded part do not have any effect on the original
file, nor do changes to the original have an effect on the embedded one.
You use OLE often when doing clipboard operations such as cut, copy and
paste. OLE is not a bad thing...at first glance...
b. Why OLE opens some major security holes
OLE allows you to attach or link to almost any file that Windows knows
how to handle. One can link to a bitmap file and Windows will access
Paintbrush, and use it to show the bitmap as if it were PART of the
document. If an executable file is embedded, it will be handled like
Windows normally handles an executable (runs it). Granted, sometimes
command.com still won't work (this is a registry thing again; see
"Advanced Registry Fun", Appendix A of this article), but there are still
a lot of things you can pull off. I know of no workaround for problems
with OLE, because it's impossible (I think) to disable it. Frogman is
experimenting with the idea of removing OLE from Windows. So far, he's
seeing that apps which do not require OLE to function work fine, but
many programs use OLE to communicate between modules, as well. These
programs do not run properly, and sometimes not at all. It is a
hypothesis that if a secure system is needed, anti-OLE mods can be made, and
specially chosen software programs (which don't require OLE). Perhaps
an article on anti-OLE techniques later, if we find a decent way to pull
it off...
III. Windows 95 Login Screen
I really don't have a lot to say about the login screen. It is an
extremely pathetic (almost worthless) security mechanism.
It's basically good for each user having a customized desktop. By
hitting the Windows key (CTRL-ESC), you can launch the task manager, and
go to the file menu, select "RUN", and browse through anything you'd
want to run. A fun thing is to run "explorer.exe", as this is what
creates the desktop environment. Granted, you still have a login
dialog box on-screen, but you have a desktop and start menu. Often
enough, if the system is REALLY insecure, you do not even need to go
through that mess. Just hit the escape key at the login and it'll give
you a desktop. Fun stuff. To fix this, there are 2 paths to be taken.
If your system does not give a desktop when escape is hit at the login,
all you must do is delete taskman.exe out of the C:\Windows folder. As
long as A:\ isn't in your path (so that someone with taskman.exe on a
floppy could still use this bug), you should be secure in this aspect.
If your login screen gives up the desktop when escape is pressed, then
you need to not only erase taskman.exe, but you must either modify the
registry to disallow this behavior, or modify the desktop settings so
that it is locked down in the registry and nothing can be run from
within the default desktop.
IV. Windows AutoRun
AutoRun is a feature that was introduced in Windows 95. It senses when
a CD is inserted into the CD-ROM drive, then scans the root directory
of the CD for a file called AUTORUN.INF. This file contains only a
file name and an extension. No path, just a file name. This is usually
(but not limited to being) an executable that is found in the root of
the CD-ROM. If AutoRun is enabled, Windows opens (or runs) the file.
a. AutoRun is obviously a very handy thing. Programs that use AutoRun
will seem to launch themselves when you insert the CD-ROM. Some
programs will launch a menu that allows you to install the software (in
case it isn't installed yet), change installation options, launch the
program, or quit. The original idea behind this feature was to add yet
another level of convenience and ease-of-use.
b. AutoRun can spell disaster for your dreams of a secure computer. Not
only does it allow people to walk up to your system and install a game
they bought down the street somewhere with ease, even if they can't SEE
the CD-ROM drive, or run an install program; there are several other
problems that AutoRun introduces. One that is less obvious than most is
that AutoRun is willing and able to bypass the screensaver password (if
one exists), bomb out of the screensaver, and run whatever it was that
the AUTORUN.INF file points to. This is an easy way around a screen
saver password. Also, with the advent of CD-ROM Writers (Burners),
and the falling prices of the same, more and more people (hackers,
crackers, little kids with rich parents, etc) are getting ahold of 'em.
Those who can program worth a darn could easily make their custom
program run as soon as they inserted the CD-ROM they just burned, just
by making AUTORUN.INF point to it. Do you REALLY want anyone to be
able to run whatever they can program/copy on your computer?
c. Disabling AutoRun
On my desktop, I leave AutoRun enabled. It's convenient. But when I
am trying to secure a system, this is not a hole I wish to leave
unscathed. It takes me all of 30 seconds (or less) to disable AutoRun,
and it'll probably be one of the quickest security modifications you
will make. The first step is to get to System Properties. This is
done by right clicking on the "My Computer" icon, and selecting the
"Properties" item on the pop-up menu, or by selecting "System" from
the Control Panel. Next, choose the "Device Manager" tab. Find
"CDROM" on the Device Manager tree, and expand it (by clicking the +
sign to the left of it). This shows a list of all CD-ROM devices
attached to your system. Select the CD-ROM that you want to disable
AutoRun on, and click the "Properties" button. Then, click on the
"Settings" tab. The check box labeled "Auto Insert Notification"
is the key here. If it is checked (which it probably is), then
AutoRun is enabled. Uncheck it to disable AutoRun. This is one
of those settings that don't get read in again until the system is
restarted. If you have other modifications to make, make them
before restarting (or else you'll probably reboot 4 or 5 times).
If you want to (re) enable AutoRun, it should be fairly obvious how
to do it.
V. Help
a. Help is a very useful aspect of Windows programs. It's like having a
personal online quick reference for many of the programs. When you
select a help screen (or when you press F1 while on the desktop), one of
two programs is usually executed: WINHELP.EXE or WINHLP32.EXE in the
Windows folder. Pressing F1 at the desktop will give you a very large
and possibly exhaustive database of answers about various user-level
Windows stuff. It has a very powerful find utility that allows the user
to quickly seek answers, and to do so with quite a bit of speed. Very
handy, indeed.
b. Sometimes, however, Windows' help facility can "help" a little too much,
for instance it can "help" people circumvent those restrictions that
you've worked so hard to fortify. By searching for the right help
topics, such as help topics on installing software, one might be able to
navigate the hard drive, delete files, and even execute any file on the
system, including things on floppy disk. This is very bad. The only way
to get around this is by deleting the Windows help executables:
WINHELP.EXE and WINHLP32.EXE in the C:\Windows folder. Not always the
best way, as this will disable Windows' help, and most likely help will
not work in many other applications, either.
VI. Find
Find is a great utility for locating those files that get lost in the
maze of your hard drive's directory structure. It can be accessed by
pressing the F3 key when you're at the desktop. Find, similar to help,
can also sometimes allow people to run illicit programs, delete files,
or copy stuff from your system to a floppy disk. The only workaround I
know of is to remove the find option from the start menu (Another
registry toy I'll discuss in Appendix A), and then rip the F3 key off
of your keyboard. This can be circumvented by a psycho who brings in
a keyboard when trying to take over your machine.
VII. Boot Menu
a. Explanation of the Boot Menu.
The Boot Menu is a menu that is accessed a few different ways. It is
most commonly accessed when Windows does not start all the way up, and
the boot menu prompts for a safe-mode boot, but the user can choose what
boot option to proceed with. This menu is also accessible by pressing
the F8 key right when the computer starts to load Windows 95 (if you see
the splash screen, it's too late). This allows access to a normal DOS
mode session, which is typically option #6 on the menu. Sometimes this
is a good option if some of your DOS apps just don't like Windows.
b. Dangers of the Boot Menu
Hackers will often try to reboot the computer and use F8 to get into
a DOS session (where Windows' petty security settings haven't even been
enforced). This is an extremely dangerous hole, in that any monkey with
half a brain could look through anyone else's stuff, and Crackers could
format your hard drive or plant viruses with ease. When Windows 95 is
booted into safe mode, ALL policy settings are TOTALLY IGNORED. This is
a Bad Thing, as almost all of your security settings have temporarily
(or permanently, assuming the user knows his stuff) bitten the dust.
c. Modifying MSDOS.SYS (Which contains Boot Menu options)
MSDOS.SYS is a hidden system file, usually found in the root directory
of the Booting Hard Drive. You will need to change its attributes in
order to edit it. This is done with the "attrib" command. If you don't
know how to use it, read a DOS manual, and it'll help you out. This is
what a typical MSDOS.SYS file looks like:
[Paths]
UninstallDir=C:\
WinDir=C:\WINDOWS
WinBootDir=C:\WINDOWS
HostWinBootDrv=C
[Options]
BootGUI=1
DoubleBuffer=1
Network=1
;
;The following lines are required for compatibility with other programs.
;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
...(File continues with xxxxxxxxxx...ending in letters a-s)...
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
It is not hard to disable the F8 (and other) keys while booting. All you
need to do is to add a line under [Options] saying "BootKeys=0". It is
still possible to induce a Boot Menu by restarting the computer, then
pressing the RESET button or turning it off and back on again while the
Splash screen is still up (Windows 95 still loading). You can also add
another line saying "BootMenuDelay=1" so that the menu will only appear
for 1 second. If you set this to 0, the boot menu will display for an
indefinite period of time. Below is a full table of all (that I know of)
options that can be placed under the [Options] section of MSDOS.SYS.
BootMulti=        If set to 1, allows booting into the previous operating
                  system with the F4 key. Default is 0.
BootDelay=n       Initial delay before boot (the number of seconds the user
                  is given to hit a startup key such as F4 or F8 before the
                  system boots). Default is 2.
BootMenu=         If set to 1, the boot menu will appear whenever the
                  machine is booted up. Default is 0.
BootMenuDefault=  Sets the default menu item on the boot menu. Look at the
                  boot menu if you want to know what all the options are on
                  your machine.
BootMenuDelay=n   Sets the number of seconds that the boot menu will wait
                  for a user to enter an option before using the default
                  option as set with BootMenuDefault. Default is 30 seconds.
BootKeys=         When set to 1, boot keys are enabled. When set to 0, the
                  user cannot use boot keys to access the boot menu.
                  Default is 1.
BootGUI=          When set to 1, the machine boots into Windows. If set to
                  0, the machine will always boot into DOS mode. Default is 1.
Logo=             If set to 1, the splash screen logo will appear while the
                  machine starts up. If set to 0, no logo will be displayed
                  on startup. Default is 1.
BootWarn=         Enables starting in Safe Mode without warning. Default
                  is 1.
DoubleBuffer=     Enables the double-buffering driver for SCSI controllers.
                  Default is 0.
Network=          Enables "Safe Mode with Networking" as a boot menu
                  option. Default is 0.
------------------------------------------------------------------------------
Appendix A: Advanced Registry Fun
The registry contains more power than the human mind can comprehend. Through
it, a lot of very scary things may be accomplished, as well as quite a few
useful things. At any rate, This section is not for people who just started
learning about the registry as they read the first part of this article. I
strongly urge you to back up your registry before you do anything here.
The first thing I really must explain is the idea of policies. Microsoft
has a "policy editor" called "poledit.exe" which is basically a cheap-ass
cheesy, user-friendly registry editor that edits a very small and specific
portion of the registry that contains policy information. It also creates
".POL" files, where a handful of other elusive policies are stored. I don't
intend on covering the Policy Editor, though. In my eyes, the policies are
easier to edit with the registry editor (or through patches) than through the
policy editor. If you know the locations of each policy key and can remember
what subkeys and values are under the policies, then you'll be in good shape.
More likely than not, you'll have to create the policy keys and values in the
registry editor. They won't already be in place. If they are, someone knew
what they were doing.
The policy key is actually located in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
There are 4 Subkeys under policies: Explorer, Network (If the computer is
networked), System, and WinOldApp. For those of you who still aren't
getting this, I'll do a little tree thing:
HKEY_CURRENT_USER
|
Software
|
Microsoft
|
Windows
|
CurrentVersion
|
Policies
|
Explorer
Network
System
WinOldApp
In this segment, We'll only be dealing with stuff under policies, as this
alone is a very powerful part of the registry. There are other parts as
well, but I would need to write a novel if I were to cover it all. I
won't talk about an HKEY path anymore. I'll just talk about "This and
that value under the Explorer subkey". Remember, if the policies key and
the 4 subkeys under it don't exist, then CREATE THEM in the place I said
they should be.
Locking Down the default user (When ESCAPE is pressed at login screen).
HKEY_USERS contains a list of all users with accounts on the machine.
when expanded, there is a list of subkeys that, when the user logs on,
will become the structure of the HKEY_CURRENT_USER key. By editing the
.default user under HKEY_USERS, you can lock down the default desktop
to allow next to nothing to occur.
Restricting Programs From Being Executed.
Restricting the command prompt is somewhat easy, but I'll tell you that
restricting executables is extremely messy. This does not work the
way you think it should, though. You can specify what executables
you want to be able to run, and all others will be locked out. There
is no way to lock out a handful of specific applications. The value
that locks down executables is the "RestrictRun" Value under the
Explorer subkey.
When RestrictRun is set to 0, no execute restrictions are placed into
effect. If RestrictRun is set to 1, restrictions are placed into
effect. Before you take off and enable this, please be sure to set
the names of programs you wish to allow run access. These are values
labeled 1, 2, 3, 4, etc. These are string values under the RestrictRun
SUBKEY of the Explorer Subkey. Do not confuse this with the value by
the same name. I'll do a Mini-Tree (this one just goes back to the
policies key, not all the way back to the HKEY)
...
Policies
|
Explorer ------------> RestrictRun=0x00000001 (1)
|
RestrictRun ------> 1="Niceprog.exe"
| 2="Regedit.exe"
| 3="cdplayer.exe"
------> 4="telnet.exe"
A registry patch that would lock out all software except for regedit,
poledit (Policy editor), netscape, wordpad, and explorer would look
like this:
(This is a file snippet. Text may run off the right margin. Please look
carefully at this segment)
----------------------------<Software-lock.reg>-------------------------------
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="REGEDIT.EXE"
"2"="POLEDIT.EXE"
"3"="NETSCAPE.EXE"
"4"="WORDPAD.EXE"
"5"="EXPLORER.EXE"
----------------------------<END>---------------------------------------------
If this has been inserted into the registry, nothing will run except the
applications you listed. I believe this modification kicks in after reboot.
This is really not an efficient method to go about locking out programs, and
I would advise using EXTREME caution when playing with this aspect.
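Both patch files shown so far (Edit-reg.REG in section I and Software-lock.reg above) are worth reading before they are merged. The following is an added example, not from this article: a small Python parser for the REGEDIT4 format from section I.b that lists the policy values a patch would merge, pulls out the RestrictRun allowlist, flags a patch that clears DisableRegistryTools, and flags one that turns RestrictRun on without allowing REGEDIT.EXE (which would leave no listed way back in). The function names and the sample patch text are my own.

```python
import re

# Added example (not from the HiR article): parse a REGEDIT4 patch file and
# report the Windows 95 policy values it would merge, including a RestrictRun
# allowlist. The sample patch text below is constructed for the demonstration.

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# "Name"=dword:xxxxxxxx | "Name"=hex:ff,00,... | "Name"="text"
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{1,8}|hex:[0-9a-fA-F,]*|"[^"]*")\s*$')

def parse_reg(text):
    """Return {key_path: {value_name: (kind, data)}} for a REGEDIT4 patch.

    Parenthesised notes like the article's "(Lets us use the regedit now)"
    are not patch syntax, so such a line raises ValueError instead of being
    silently merged as something else.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\")  # tolerate a trailing backslash
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unparseable line: %r" % line)
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex:"):
            keys[current][name] = ("hex", bytes(int(b, 16) for b in data[4:].split(",") if b))
        else:
            keys[current][name] = ("string", data[1:-1])
    return keys

def audit_policies(keys):
    """Return (findings, allowlist): findings are (subkey, name, state) for
    every DWORD policy the patch sets (0 = "off", 1 = "on"); allowlist holds
    the string values under Explorer\\RestrictRun, i.e. the programs allowed."""
    findings, allowlist = [], []
    for path, values in keys.items():
        if not path.lower().startswith(POLICIES.lower()):
            continue
        sub = path[len(POLICIES):].lstrip("\\")  # "System", "Explorer\RestrictRun", ...
        for name, (kind, data) in values.items():
            if sub.lower() == "explorer\\restrictrun" and kind == "string":
                allowlist.append(data)
            elif kind == "dword":
                findings.append((sub, name, {0: "off", 1: "on"}.get(data, "value %d" % data)))
    return findings, allowlist

def unlocks_registry_tools(keys):
    """True if the patch clears DisableRegistryTools (the Edit-reg.REG trick)."""
    return ("System", "DisableRegistryTools", "off") in audit_policies(keys)[0]

def locks_out_regedit(keys):
    """True if the patch turns RestrictRun on without allowing REGEDIT.EXE,
    leaving no listed way to undo the policy from the desktop afterwards."""
    findings, allowlist = audit_policies(keys)
    return (("Explorer", "RestrictRun", "on") in findings
            and "regedit.exe" not in [a.lower() for a in allowlist])

# Constructed sample: an unlock line plus a Software-lock style allowlist.
SAMPLE_PATCH = """REGEDIT4
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\]
"RestrictRun"=dword:00000001
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\RestrictRun]
"1"="REGEDIT.EXE"
"2"="WORDPAD.EXE"
"""

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_PATCH)
    for finding in audit_policies(parsed)[0]:
        print("%-20s %-22s %s" % finding)
    print("allowlist:", audit_policies(parsed)[1])
    print("unlocks regedit:", unlocks_registry_tools(parsed))
    print("locks out regedit:", locks_out_regedit(parsed))
```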
To disable a command prompt while in windows, you just need to set the value
called "Disabled" (under WinOldApp subkey) to dword 1. The drawback to this
is that no DOS-based programs or executables will run (due to the
possibility that they might induce a shell). This is good for security unless
old DOS-based apps are still being used.
Desktop Effects:
Sometimes, a good way to hinder a user's ability to do harm is to make it
harder to navigate through the hard drive. One common trick is to remove
all of the desktop icons. This makes it harder for them to execute
anything that is not in the start menu, and makes it difficult to browse
through the hard drive. If that's too drastic for you, you may just want
to hide all the drives under My Computer, and disallow "Entire Network"
browsing under Network Neighborhood. There are many options. All of
the below values are under Explorer unless noted by another subkey (i.e.
Network\NoNetHood)
To do this:                               Set this value to a dword 1:
Remove all desktop icons                  NoDesktop
Hide all drives in My Computer            NoDrives
Hide Network Neighborhood                 Network\NoNetHood
Disable "Entire Network" in NetHood       Network\NoEntireNetwork
Start Menu stuff:
It's always nice to remove as many intrusive things from the Start Menu as
possible. This is also achieved with policies. Since the "Start Menu" and
taskbar are all handled by EXPLORER.EXE, these values will need to be under
the explorer subkey of policies.
To do this:                               Set this value to a dword 1:
Remove Run option from Start Menu         NoRun
Remove all folders from "Settings"*       NoSetFolders
Remove Taskbar Properties from "Settings"* NoSetTaskbar
Remove Find option from Start Menu        NoFind
Disable Shutdown command%                 NoClose
* If both values are set to 1, Settings will not show up on the Start Menu.
% This is not advisable, as it is no longer possible to "correctly"
shut down the machine.
Another way to edit the registry is through an ".INF" file. These files
are similar to patch files, except for a few slight differences.
.REG (Patch) files and .INF files compared:
Similarities:
Both can seriously mess up a registry file
Both can add values or edit existing values
Neither are restricted via the "DisableRegistryTools" stuff
Differences:
.INF files are MUCH more difficult to create.
.INF files can delete registry values and keys.
.INF files need to be Right-Clicked and the "Install" option selected in
order to affect the registry, therefore they are a little safer.
Using .INF files for registry editing:
All .inf files start with:
--------<CUT>---------
[Version]
Signature="$Chicago$"
----------------------
After that, you need to make a section called "DefaultInstall", and
include the names of the sections that will hold registry editing
Data. Then you need to create the proper sections (Called Add.Entries
and Del.Entries in this example). If you place a semicolon (;) at the
beginning of a line, it will be ignored, for commenting purposes. Look
at the following example:
------------------------------------------------------------------------
[DefaultInstall]
AddReg=Add.Entries
DelReg=Del.Entries
[Add.Entries]
HKCU,Software\Microsoft\,BillShallDie,,"Down With Bill!!!"
;Registry Entries are stored in the following format:
;Branch (Abbreviated), Key (Path), ValueName, ValueDataType, ValueData
;
;There are a few things that need explaining here. The first is
;"Branch Abbreviations", the next is "DataTypes". Here we go...
;
;Abbreviations:
;HKEY_CURRENT_USER = HKCU
;HKEY_LOCAL_MACHINE = HKLM
;HKEY_CURRENT_CONFIG = HKCC
;HKEY_USERS = HKU
;HKEY_CLASSES_ROOT = HKCR
;HKEY_DYN_DATA = HKDD
;
;datatypes:
;0=string
;1=hex:01,ff,...
;2=string (but don't replace value if it already exists)
;3=hex (but don't replace value if it already exists)
; Note: As shown in the example, if the DataType value is left blank,
; A DataType value of "0" is assumed.
[Del.Entries]
HKCU,Software\Microsoft\,BillShallDie
;The format for Delete Entries is similar:
;Branch (Abbreviated), Key (Path), ValueName
------------------------------------------------------------------------
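To show how the .INF pieces above fit together, here is an added Python example (not from this article) that reads the [Version] signature, follows the AddReg= and DelReg= lists in [DefaultInstall], expands the branch abbreviations and data types from the table, and refuses an .INF whose AddReg= line names a section that does not exist. The function names and the sample .INF are my own.

```python
# Added example (not from the HiR article): parse the registry-editing parts of
# a Windows 95 .INF file ([Version] signature, [DefaultInstall] AddReg=/DelReg=
# lists, Branch,Key,ValueName,Type,Data entries) into a list of registry
# operations. The sample .INF below is constructed.

BRANCHES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
            "HKCC": "HKEY_CURRENT_CONFIG", "HKU": "HKEY_USERS",
            "HKCR": "HKEY_CLASSES_ROOT", "HKDD": "HKEY_DYN_DATA"}
# Data types from the article; a blank type field means 0 (string).
TYPES = {"0": "string", "1": "hex", "2": "string-if-absent", "3": "hex-if-absent"}

def split_sections(text):
    """Return {section_name: [non-comment lines]} for an INI-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def split_fields(line):
    """Split an entry on commas outside double quotes, dropping the quotes."""
    fields, buf, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return fields + [buf.strip()]

def parse_entry(kind, entry):
    """Turn one AddReg/DelReg line into (kind, full_key, value_name, type, data)."""
    f = split_fields(entry)
    if len(f) < 2 or f[0] not in BRANCHES:
        raise ValueError("bad branch abbreviation in %r" % entry)
    full_key = BRANCHES[f[0]] + "\\" + f[1].strip("\\")
    value_name = f[2] if len(f) > 2 else ""
    if kind == "del":
        return ("del", full_key, value_name, None, None)
    code = f[3] if len(f) > 3 and f[3] else "0"
    if code not in TYPES:
        raise ValueError("unknown data type %r in %r" % (code, entry))
    if TYPES[code].startswith("hex"):
        data = bytes(int(b, 16) for b in f[4:] if b)  # hex: 01,ff,... byte list
    else:
        data = f[4] if len(f) > 4 else ""
    return ("add", full_key, value_name, TYPES[code], data)

def parse_inf(text):
    """Return the registry operations an .INF performs when "Install" is chosen.

    Raises ValueError for a non-$Chicago$ signature, an unknown branch, or an
    AddReg/DelReg target section that is referenced but never defined (what a
    misspelt AddReg=... line produces)."""
    sections = split_sections(text)
    version = dict(ln.split("=", 1) for ln in sections.get("Version", []) if "=" in ln)
    if version.get("Signature", "").strip().strip('"') != "$Chicago$":
        raise ValueError("not a Windows 95 ($Chicago$) INF file")
    ops = []
    for directive, kind in (("AddReg", "add"), ("DelReg", "del")):
        for line in sections.get("DefaultInstall", []):
            name, _, targets = line.partition("=")
            if name.strip() != directive:
                continue
            for target in (t.strip() for t in targets.split(",")):
                if target not in sections:
                    raise ValueError("%s refers to missing section [%s]" % (directive, target))
                ops.extend(parse_entry(kind, entry) for entry in sections[target])
    return ops

# Constructed sample: a quoted string with an embedded comma, a hex value,
# and a deletion, all under a made-up key.
SAMPLE_INF = """[Version]
Signature="$Chicago$"
[DefaultInstall]
AddReg=Add.Entries
DelReg=Del.Entries
[Add.Entries]
HKCU,Software\\Constructed\\Example,Note,,"Hello, world"
HKCU,Software\\Constructed\\Example,Flags,1,01,ff,20
[Del.Entries]
HKCU,Software\\Constructed\\Example,OldValue
"""
```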
Appendix B: Some final stuff
Although you might be able to restrict executables from being run with
policies, in some cases, the shortcuts in help files will still allow
an application to be run.
The registry is almost impossible to secure. As noted in section I,
it's fairly easy to mess around with the registry restrictions by using
simple little patch files. There are also rumors that Norton's Registry
editor is fully capable and willing to mess with the registry,
regardless of the setting contained within the registry that supposedly will
protect the registry from "Tools" that access the registry.
About policies, if the .POL files are stored on the local computer, and
not on a network, then it's potentially easy for someone to locate and
delete these files. This would ultimately result in a loss of certain
policy restrictions. If your Windows 95 machines are on a network, you
would be wise to keep the policy files stored on the server, rather than
on each machine. Be sure to restrict user access to these files via
your network's access restrictions. This will make it more difficult to
mess with the policies.
Closing Remarks on Windows 95 Security
The point of this article was to bring to light some of the major security
flaws that are associated with Windows 95. There are some really good
3rd party programs that will totally patch some of these holes and many
others, but the programs themselves might have a few little flaws of their
own. Please do not rip any keys off of your keyboard, though. Most of
these little modifications do nothing more than keep the newbies and
wanna-be's from being little destructive punks. Some examples in here
were simply to show you that no matter how hard you try, someone will
almost inevitably find a way in if it means enough to them.