
Chapter 4

Hardening Operating Systems

4.1 Windows Services Configuration
1. BIOS Security.
2. Windows Registry.
3. Rootkit detection using Rootkit Revealer.
4. Disable all unneeded services.
Windows services configuration.
Rootkit
• A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network.
• Rootkits are a particularly insidious form of malware because they load before an operating system boots and can hide from ordinary antimalware scans and protection.
• A rootkit hides running processes, files, or system data, enabling an attacker to access a system without the knowledge of its users.
• Their ability to avoid detection also makes them
• Two levels of rootkit:
  • Kernel-level rootkit: appends additional code to, and/or replaces a portion of, the kernel code with modified code in order to hide a backdoor on the computer.
  • Application-level rootkit: modifies the behaviour of existing applications using hooks, patches and injected code.
• Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password.
• Once the rootkit is installed, it allows the
• A rootkit may consist of spyware and other programs that:
  • monitor traffic and keystrokes;
  • create a "backdoor" into the system for the hacker's use;
  • alter log files;
  • attack other machines on the network; and
  • alter existing system tools to escape detection.
• Because a rootkit runs at such a high level of privilege, often hides itself from notice, and can even actively subvert (disrupt) antimalware tools, detecting rootkits can be tricky.
• Rootkit detection usually requires special tools or specific add-ons to antimalware packages.
• Rootkit detection methods are often based on detection by inference as well as on detection of specific files or signatures.
Rootkit Revealer for rootkit detection
• Bryce Cogswell and Mark Russinovich, founders of the freeware site Sysinternals, released the first version of their rootkit detection tool, Rootkit Revealer.
• Rootkit Revealer is an advanced rootkit detection utility.
• The program looked for discrepancies in the system registry and file system that would indicate the presence of a rootkit.
• By comparing high-level and low-level scans of several object types, the tool could identify a
• How it detects software that tries to hide itself: it compares the results of scanning the registry and file system at the highest level and at the lowest level.
  • The high-level scan uses the APIs included with Windows; a stealthy rootkit can filter what those APIs return.
  • The low-level scan examines raw data directly from each storage volume and registry hive.
• The latest version creates a randomly named copy of itself that runs as a Windows service.
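The cross-view comparison described above, as an added example that is not part of the original slides or of Rootkit Revealer's own code: it runs over constructed file and registry views in Python and flags objects present in the raw (low-level) view but missing from the API (high-level) view, as well as objects whose details differ between the two.

```python
"""Cross-view detection as the slides describe it for Rootkit Revealer:
scan the same objects once through the Windows API (high level) and once
from raw volume/hive data (low level), then report every discrepancy.
Both views below are constructed sample data, not output of a real scan."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    kind: str    # "file" or "registry"
    path: str
    detail: str  # file size or registry value, as reported by that view

# High-level view: what the Windows file and registry APIs return (constructed).
API_VIEW = {
    Obj("file", r"C:\Windows\System32\drivers\disk.sys", "size=80000"),
    Obj("file", r"C:\Users\alice\notes.txt", "size=1024"),
    Obj("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk", "Start=0"),
}

# Low-level view: what parsing the raw volume and hive files returns (constructed).
# A driver and its service key are filtered from the API view; notes.txt differs in size.
RAW_VIEW = {
    Obj("file", r"C:\Windows\System32\drivers\disk.sys", "size=80000"),
    Obj("file", r"C:\Users\alice\notes.txt", "size=2048"),
    Obj("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk", "Start=0"),
    Obj("file", r"C:\Windows\System32\drivers\hidden.sys", "size=45056"),
    Obj("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\hidden", "Start=1"),
}

def cross_view_diff(api_view, raw_view):
    """Return sorted (kind, path, finding) tuples, one per discrepancy.
    Findings are candidates for inspection, not proof of a rootkit: an
    object that changed between the two scans shows up here as well."""
    api = {(o.kind, o.path): o.detail for o in api_view}
    raw = {(o.kind, o.path): o.detail for o in raw_view}
    findings = []
    for key, raw_detail in raw.items():
        if key not in api:
            findings.append((*key, "hidden from Windows API"))
        elif api[key] != raw_detail:
            findings.append((*key, f"API reports {api[key]}, raw scan {raw_detail}"))
    for key in api.keys() - raw.keys():
        findings.append((*key, "visible to API but absent from raw data"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, path, finding in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{kind:8} {path}: {finding}")
```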
[Figure: Rootkit Revealer output]
Other rootkit detection tools
• TDSSKiller utility: https://www.kaspersky.com
• GMER: an application that detects and removes rootkits. http://www.gmer.net