Hardening Operating Systems
4.1 Windows Services Configuration
1. BIOS security.
2. Windows Registry.
3. Rootkit detection using Rootkit Revealer.
4. Disable all unneeded services.
Windows services configuration.
Rootkit
A rootkit is a collection of tools (programs) that
enable administrator-level access to a computer
or computer network.
Rootkits are a particularly insidious form of
malware because they load before an operating
system boots and can hide from ordinary
antimalware scans and protection.
A rootkit hides running processes, files, or system data, enabling an attacker to access a system without the users' knowledge.
Their ability to avoid detection also makes them
Two levels of rootkit:
Kernel-level rootkit: appends additional code and/or replaces a portion of the kernel code with modified code to hide a backdoor on the computer.
Application-level rootkit: modifies the behaviour of existing applications using hooks, patches and injected code.
Typically, a cracker installs a rootkit on a
computer after first obtaining user-level access,
either by exploiting a known vulnerability or
cracking a password.
Once the rootkit is installed, it allows the
A rootkit may consist of spyware and other programs that:
monitor traffic and keystrokes;
create a "backdoor" into the system for the hacker's use;
alter log files;
attack other machines on the network; and
alter existing system tools to escape detection.
Because a rootkit runs at such a high level of privilege, often hides itself from notice, and can even actively subvert (disrupt) antimalware tools, detecting rootkits can be tricky.
Rootkit detection usually requires special tools or specific add-ons to antimalware packages.
Rootkit detection methods are often based on detection by inference as well as on direct detection of specific files or signatures.
Rootkit Revealer for rootkit detection
Bryce Cogswell and Mark Russinovich, founders
of the freeware site Sysinternals, released the
first version of their rootkit detection
tool, Rootkit Revealer.
Rootkit Revealer is an advanced rootkit detection utility.
The program looked for discrepancies in the
system registry and file system to indicate the
presence of a rootkit.
By comparing high-level and low-level scans of
several object types, the tool could identify a
How it detects software that tries to hide itself: it compares the results of scanning the registry and file system at the highest level and at the lowest level.
The high-level scan uses the APIs included with Windows; a stealthy rootkit can filter what this view returns.
The low-level scan examines raw data directly from each storage volume and registry hive.
The latest version creates a randomly named copy of itself that runs as a Windows service.
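The cross-view comparison described above, as an added illustration that is not Rootkit Revealer's own code: two listings of the same objects (one obtained through the Windows API, one read from the raw volume or hive) are compared, and anything the raw view shows but the API view does not is reported as hidden. All file paths, registry keys and the randomly named service below are constructed sample data, not real indicators.

```python
# Simplified cross-view discrepancy check (added example, not RootkitRevealer code).
# A real scan would enumerate files via the Win32 API and parse the NTFS volume
# and registry hives directly; here both listings are constructed inline.

def _index(entries):
    # Windows paths and registry key names compare case-insensitively,
    # so normalise before diffing but keep the original spelling for reports.
    return {e.lower(): e for e in entries}

def cross_view_diff(api_view, raw_view):
    """Return (hidden, api_only).

    hidden   - present in the raw (low-level) scan but missing from the API
               (high-level) scan: the classic sign of a rootkit filtering results.
    api_only - present in the API scan but missing from the raw scan: usually an
               object created or deleted between the two scans, not a rootkit.
    """
    api, raw = _index(api_view), _index(raw_view)
    hidden = sorted(raw[k] for k in raw.keys() - api.keys())
    api_only = sorted(api[k] for k in api.keys() - raw.keys())
    return hidden, api_only

def report(kind, api_view, raw_view):
    """Render the discrepancies for one object type as report lines."""
    hidden, api_only = cross_view_diff(api_view, raw_view)
    lines = [f"{kind}: {p}: hidden from Windows API (possible rootkit)" for p in hidden]
    lines += [f"{kind}: {p}: visible to API only (likely changed between scans)" for p in api_only]
    return lines

# Constructed sample listings (hypothetical names).
FILES_API = [r"C:\Windows\System32\drivers\ntfs.sys",
             r"C:\Windows\System32\drivers\tcpip.sys",
             r"C:\Windows\Temp\scan_tmp.log"]          # created after the raw scan
FILES_RAW = [r"C:\Windows\System32\drivers\NTFS.SYS",  # same file, different case
             r"C:\Windows\System32\drivers\tcpip.sys",
             r"C:\Windows\System32\drivers\example_hidden.sys"]  # filtered from the API view
# rkr_a1b2c3 stands in for the scanner's own randomly named service copy; it is
# visible in both views, so it produces no discrepancy.
REG_API = [r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
           r"HKLM\SYSTEM\CurrentControlSet\Services\rkr_a1b2c3"]
REG_RAW = REG_API + [r"HKLM\SYSTEM\CurrentControlSet\Services\example_hidden"]

def run_demo():
    return report("file", FILES_API, FILES_RAW) + report("registry", REG_API, REG_RAW)

if __name__ == "__main__":
    print("\n".join(run_demo()))
```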