standsec.html

黑客培训教程

  Disk containing the DiskEdit program and some time near the server.</p>
<ol>
  <li>Boot the server and go to the DOS prompt. To do this, just let the network 
    boot normally and then use the DOWN and EXIT commands. This procedure does 
    not work on old Netware 2.x servers and in some installations where DOS has 
    been removed from memory. In those cases, you'll have to use a DOS bootable 
    disk.</li>
  <li>Run Norton's DiskEdit utility from drive A:</li>
  <li>Select &quot;Tools&quot; in the main menu and then select &quot;Configuration&quot;. 
    At the configuration window, uncheck the &quot;Read-Only&quot; checkbox. And 
    be very careful with everything you type after this point.</li>
  <li>Select &quot;Object&quot; and then &quot;Drive&quot;. At the window, select 
    the C: drive and make sure you check the button &quot;physical drive&quot;. 
    After that, you'll be looking at your physical disk and you be able to see 
    <br>
    (and change) everything on it.</li>
  <li> Select &quot;Tools&quot; and then &quot;Find&quot;. Here, you'll enter 
    the name of the file you are trying to find. Use &quot;NET$BIND&quot; for 
    Netware 2, &quot;NET$PROP.SYS&quot; for Netware 3 and &quot;PARTITIO.NDS&quot; 
    for Netware 4. It is possible that you find these strings in a place that 
    is not the Netware directory. If the file names are not all near each other 
    and proportionaly separated by some unreadable codes (at least 32 bytes between 
    them), then you it's not the place we are looking for. In that case, you'll 
    have to keep searching by selecting &quot;Tools&quot; and then &quot;Find 
    again&quot;. [In Netware 3.x, you can change all occurences of the bindery 
    files and it should still work okay])</li>
  <li>You found the directory and you are ready to change it. Instead of deleting 
    the files, you'll be renaming them. This will avoid problems with the directory 
    structure (like lost FAT chains). Just type &quot;OLD&quot; over the existing 
    &quot;SYS&quot; or &quot;NDS&quot; extension. Be extremely careful and don't 
    change anything else.</li>
  <li>Select &quot;Tools&quot; and then &quot;Find again&quot;. Since Netware 
    store the directory information in two different places, you have to find 
    the other copy and change it the same way. This will again prevent directory 
    structure problems.</li>
  <li>Exit Norton Disk Edit and boot the server again. If you're running Netware 
    2 or 3, your server would be already accessible. Just go to any station and 
    log in as user Supervisor. No password will be asked. If you're running Netware 
    4, there is one last step.</li>
  <li>Load Netware 4 install utility (just type LOAD INSTALL at the console prompt) 
    and select the options to install the Directory Services. You be prompted 
    for the Admin password while doing this. After that, you may go to any station 
    and log in as user Admin, using the password that you have selected.</li>
</ol>
<p>**NOTE: If Disk Edit is unavailable, any Disk Editing utility with searching 
  capabilities will suffice.</p>
<hr>
<p><br>
  <b><font size="4"><a name="31"></a>3. Building a SECURE System</font></b></p>
<p><font size="4"><b><a name="32"></a>3a. Understanding the Issues</b></font></p>
<p><font size="3"><b><a name="33"></a>Potential &quot;Hackers&quot;</b></font><br>
  <br>
  After reading this FAQ, you've probably revised your idea of a secure PC quite 
  a bit. Truth be told, IBM didn't design the Personal Computer with security 
  in mind. Back in 1980, their main objective was to get _something_ to market 
  before Apple gobbled up all the market share.</p>
<p>After awhile, security programs started to emerge that attempted to bridge 
  this gap. These were quite popular, and were put into use by many companies 
  to prevent 'curious' employees from messing with<br>
  the computers.</p>
<p>However, ways to bypass these security programs were quickly found. As long 
  as computers are designed for convenience, and with humans in mind, this will 
  almost always happen.</p>
<p>So, who are potential &quot;Hackers&quot;? The answer is: Anyone. Experienced 
  users especially, but even newbies sometimes find weak spots. This is not to 
  say that everyone *is* a &quot;hacker&quot;. (Note that I use quotes because 
  I don't believe in the popular usage of the term &quot;Hacker&quot;. The media 
  is out of control: their usage of the word has conflated Computer Gurus with 
  Criminals in the minds of the people.)</p>
<p>As always, prevention is the best medicine. The following sections deal with 
  how to secure your system, both through physical and software-based means.</p>
<p></p>
<p><b><font size="3"><a name="34"></a>Physical Security</font></b><br>
  <br>
  In the old days, back when computers filled multiple rooms, the security of 
  a system was basically all physical: Locks, security guards, etc. Now the emphasis 
  has shifted away from physical security, and is leaning more towards software-based 
  methods. However, in some cases, a certain degree of physical security is in 
  order.</p>
<p>***If you want to prevent people from resetting your CMOS and accessing the 
  floppy drives, etc. you have to secure the system itself. This can be done by 
  having the computer in a locked room, leaving only the screen and keyboard accessible. 
  There are many products which let you extend the reach of screen and keyboard 
  cables. Even some that let you control many different computers using one screen. 
</p>
<p>***There are also security devices available made by companies such as Anchor 
  Pad, Lucasey, and others that completely enclose the PC. These are devices such 
  as lockdown pads, cables for monitors, and metal boxes. There are also devices 
  that cover and lock the floppy and CD-ROM slots. </p>
<p>***Computer locks which bind your computer to a desk are good for discouraging 
  theft.</p>
<p>***To protect your hard disk data, I would suggest investing in a removable 
  media system that lets you &quot;hot-swap&quot; and lock hard disks. The hard 
  disk could then be easily removed (with the *unique* key) and stored in a safe 
  to prevent theft of data. Drives such as the Zip (100MB), Ditto (800MB), and 
  Jaz (1GB) are removable as well, but do not lock. </p>
<p>Make sure that you test the computer immediately after these lockdown devices 
  are installed. In some instances the stress induced on the casing by the devices 
  can cause certain parts to malfunction.</p>
<p>***You can buy devices that prevent the PC electrical cord from being unplugged 
  or turned on without a key.</p>
<p>***Investing in a UPS (Uninterruptable Power Supply) System is worth the cost. 
  These protect against power fluxes which can damage your system. In the case 
  of a power out (or if someone trips over the cord), UPS systems give you 5 minutes 
  of rechargeable battery power to save work and perform an emergency shutdown.</p>
<p>***As one last measure of security, it's always nice to invest in some insurance 
  for your computer. It won't get your data back, but it *will* give you some 
  peace of mind.</p>
<p></p>
<p><font size="3"><b><a name="35"></a>Software-Based Security</b></font><br>
  <br>
  Below is a list of measures you can take to secure your system using software/firmware 
  based methods. They are listed in order of increasing security, so minimum security 
  would be only implementing option #1, maximum security would be implementing 
  #1-8. Keep in mind that implementing any of these without implementing every 
  item below it leaves possible entry points open.</p>
<ol>
  <li>Set up a BIOS password for both the Setup screen *and* access to the system.</li>
  <li>Make sure the password is not easily guessable (i.e., birthdate, name backwards, 
    etc. are<br>
    easily guessed) See next section.</li>
  <li>Make sure that the password is the maximum possible number of characters 
    supported by the BIOS.</li>
  <li>Disable floppy booting from within the BIOS</li>
  <li>Disable Bypass of startup files</li>
  <li>This is done by adding the line:<br>
    SWITCHES=/F /N<br>
    to the CONFIG.SYS file.</li>
  <li>Additionally, you might want to precede all statements in the Autoexec.bat 
    with CTTY NUL, and then have CTTY CON as the last line. This prevents breaking 
    out of autoexec.bat</li>
  <li>If you use DriveSpace compression, add the following line to your DRVSPACE.INI 
    file:<br>
    SWITCHES=/F /N</li>
  <li>Add the line:<br>
    BREAK OFF<br>
    This reduces the number of chances you have to break out of AUTOEXEC.BAT, 
    all though it doesn't switch it off entirely</li>
  <li>Set up a DOS-based Security TSR</li>
  <li>Make sure you cannot access the floppy drive without a password, and that 
    it allows for write-protection.</li>
  <li>Make sure it allows for password protection.</li>
  <li>Set up a Windows-Based Security program</li>
  <li>Make sure you can control which features of Windows you can limit or disable.</li>
  <li>Make sure it allows for password protection.</li>
  <li>Install Windows Security Policies using Policy Editor (see Appendix)</li>
  <li> Install an encrypted filesystem program. (i.e., CryptDisk)</li>
  <li>This will prevent access to the computer and files on the hard disk unless 
    the password is entered. It will render your data unaccessible even if the 
    hard disk is extracted from the system.</li>
  <li>Delete the following DOS programs (or move them to a floppy):<br>
    FORMAT<br>
    DELTREE<br>
    SUBST<br>
    JOIN<br>
    BACKUP<br>
    RESTORE<br>
    ATTRIB<br>
    MODE</li>
</ol>
<p><br>
  <b><font size="3"><a name="36"></a>Passwords</font></b><br>
  <br>
  Passwords are generally the weakest link in the security chain. When choosing 
  a password, remember these tips:</p>
<p>Do NOT choose something obvious: Swear words, your birthdate, topics pertaining 
  to what you do and/or your interests are are examples of BAD passwords.</p>
<p>A Good Password is one that is totally random. To pick a password, try this: 
  Grab a dictionary. Close your eyes, and flip to a random page. With your eyes 
  still closed, put your finger on a random spot on this page. Remember the word, 
  and do this again. Combine the two words, and append a three-digit number to 
  the end. You also might want to intersperse non-alphanumeric characters into 
  the password in random ways, such as an odd dash or apostrophe here and there.</p>
<p>Also, NEVER write your password down. Always keep it in your head. A simple 
  Post-It note on your monitor can bring down all the security that you so meticulously 
  set up!</p>
<p>A good password system hides the passwords from everyone, including the system 
  administrators. This means that the sys admins cannot tell if the users are 
  putting in weak passwords.</p>
<p>One final note: When designing a security system, be sure to take the user 
  into account. If a system is of such high-grade security that it is a nuisance 
  to use, people will always find the lazy way to do it. (Post-it Notes...)<br>
  <br>
</p>
<hr>
<p><font size="4"><b><a name="37"></a>Appendix ( (c) Njan 1999 ) </b></font></p>
<ol>
  <li>First, logon on as the default user (push the ESC key)</li>
  <li>Click Start/Run type REGEDIT and push ENTER</li>
  <li>Go to the directory: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 
    (If the key Explorer doesn't exist, you'll have to make it)</li>
  <li>Create new binary values for:<br>
    NoClose If set to &quot;01 00 00 00&quot; then you can't Shut Down windows 
    (you can logoff)<br>
    NoDesktop If set to &quot;01 00 00 00&quot; then there's no icons on the desktop 
    at all)<br>
    NoDrives If set to &quot;ff ff ff ff&quot; then you can't access any drive 
    from windows explorer<br>
    NoFavoritesMenu If set to &quot;01 00 00 00&quot; then there's no Favorites 
    menu on the Start Bar<br>
    NoFind If set to &quot;01 00 00 00&quot; then there's no Find menu on the 
    Start <br>
    NoFolderOptions If set to &quot;01 00 00 00&quot; then you can't change folder 
    options<br>
    NoLogoff If set to &quot;01 00 00 00&quot; then you can't log off<br>
    NoRecentDocsMenu If set to &quot;01 00 00 00&quot; then there's no Recent 
    Documents Menu on the Start Bar<br>
    NoRun If set to &quot;01 00 00 00&quot; then there's no Run command on the 
    Start Bar<br>
    NoSaveSettings If set to &quot;01 00 00 00&quot; then and window positions 
    will not be saved<br>
    NoSetActiveDesktop If set to &quot;01 00 00 00&quot; then you can't configure 
    Active Desktop<br>
    NoSetFolders If set to &quot;01 00 00 00&quot; then you can't edit the ShortCuts 
    which are on the Start Bar<br>
    NoSetTaskbar If set to &quot;01 00 00 00&quot; then you get into Control Panel<br>
    NoViewContextMenu If set to &quot;01 00 00 00&quot; then you can't right-click 
    on the desktop<br>
    NoFile If set to &quot;01 00 00 00&quot; then removes the &quot;File&quot; 
    menu option on explorer<br>
    EditLevel If set to &quot;0x00000004 (4)&quot; then disables the ability to 
    create/delete shortcuts<br>
    AddPrinter If set to &quot;01 00 00 00&quot; then you can't add a printer<br>
    DeletePrinter If set to &quot;01 00 00 00&quot; then you can't delete a printer<br>
    NoDriveTypeAutoRun If set to &quot;01 00 00 00&quot; stops windows from automaticly 
    playing/loading CDs<br>
    NoNetHood If set to &quot;01 00 00 00&quot; disables the network neighbourhood<br>
    NoStartBanner If set to &quot;01 00 00 00&quot; removes that annoying &quot;Click 
    here to begin&quot; banner</li>
  <li>Go to the directory: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network 
    (If the key Explorer doesn't exist, you'll have to make it)<br>
    NoEntireNetwork If set to &quot;01 00 00 00&quot; then disables all access 
    to the network<br>
    NoFileSharingControl If set to &quot;01 00 00 00&quot; stops you changing 
    the sharing controls on your computer<br>
    NoNetSetup If set to &quot;01 00 00 00&quot; disables you changing the network 
    settings<br>
    NoNetSetupIDPage If set to &quot;01 00 00 00&quot; then you can't edit the 
    computers ID<br>
    NoNetSetupSecurityPage If set to &quot;01 00 00 00&quot; then you can't setup 
    security on the network</li>
  <li>Go to the directory: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 
    (If the key Explorer doesn't exist, you'll have to make it)<br>
    NoConfigPage 'My computer right clicking<br>
    NoDevMgrPage<br>
    NoDispAppearancePage<br>
    NoDispBackgroundPage<br>
    NoDispCPL<br>
    NoDispScrSavPage<br>
    NoDispSettingPage<br>
    NoFileSysPage<br>
    NoProfilePage<br>
    NoSecCPL<br>
    NoVirtMemPage</li>
  <li>Then using these you can log on as each user and change their settings.</li>
  <li>Other places in the registry:<br>
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 
    (Restrictions in here affect all users)</li>
</ol>
<p>If you have Windows 3.0, 3.1 or 3.11</p>
<ol>
  <li> Load up NotePad</li>
  <li> Open PROGMAN.INI</li>
  <li> At the bottom of the file, add these lines:<br>
    [Restrictions]<br>
    EditLevel=4 Chose an edit level restrict 1 - 4, 1 being least restriction, 
    4 being most.<br>
    NoRun=1 Get rid of the &quot;Run&quot; option<br>
    NoClose=1 Means you can't exit Windows<br>
    NoSaveSettings=1 Means you can't save Window positions<br>
    NoFile=1</li>
  <li>To stop access to the Control Panel, then just delete the icons</li>
</ol>
<p>To partialy protect DOS access while booting, you can disable/reenable the 
  key board. Put the command: CTTY &gt; NUL at the top of your AUTOEXEC.BAT and 
  then CTTY &gt; CON at the end of your AUTOEXEC.BAT</p>
<p>Then to stop access to DOS by crashing Windows, add these commands to the bottom 
  of your AUTOEXEC.BAT<br>
  :WINLOOP<br>
  C:\WIN\WIN.COM<br>
  GOTO WINLOOP</p>
<p>Note: These registry keys took months of work to find out. Do NOT redistribute 
  under or your own name, or die a horrible death. Appendix may be distributed 
  with Njan's permission. Main Tutorial? I don't know. Ask the bloke that made 
  it.</p>
</body>
</html>