-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-
			Hackers Information Report 9

		Windows 2000: What is it and why does it matter?

			      Written by Axon
	       ...Guess I'd better give Shouts to MSDN (or else?)
-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-

	I recently got ahold of a Windows 2000 (Advanced Server) Beta 3 CD
(Microsoft Developer Network stuff, for beta testers.  My boss just
happens to be one of them...)  I looked at the system requirements, and
gasped for air.  This thing was gonna be a BIG HOG!!!  If I had to
describe it in a single sentence, this would be the one: "Windows 2000 is
almost nothing more than Windows 98 sitting on top of an NT Kernel, but
it requires almost enough hard drive to install NT4 AND 98."

	Now, let it be known by all, this is the Advanced Server Version
of Windows 2K...  From my understanding this is the equivalent of the
Enterprise NT Server.  If I'm not mistaken, there will be a Windows 2000
End-user version (Windows 2000 Professional), Windows 2000 Server, and
Windows 2000 Advanced Server. I am playing with Advanced Server, so don't
expect all this stuff to be in all versions of Win2K.  

	... I had enough ram in my Bitch Box (tm), you know, the one that
I used to rank Server-OS's earlier this issue?  The total hardware
price tag on the big W2K is a PII 300 or better, with at least 64 megs of
RAM, and the OS takes up a whopping 250 megs (or so), making it, I
believe, the largest hog of all OS's currently known to mankind.  This
should not bring one glimmer of surprise to any of us, because "hey, it's
Microsoft we're dealing with here."  It DID run on the P120 though, if
what it was doing can be qualified as "running".

	Not all is lost, though.  Of all the Microsoft OS's (and I've
tried them all, even the original OS/2 released by MS), this one FINALLY
gives some built-in features I like (as well as quite a few that I loathe,
but I'll get over it).  Let's take a look at some new and cool things that
W2K has to offer, first... (Some things might show up in both good and bad
categories)

	* NTFS Filesystem adds per-user, per-file access control
	* Uses the NT Kernel, making it easier to manage threads
	* MS Actually lets administrators telnet in, and they added
	  some new command-line programs that let the admins do some
	  cool stuff remotely or from a command prompt (I'll cover the
	  new commands later)
	* Almost all of the current DoS Windows attacks don't work on it
	* Network status (connect/disconnect) and things like changing
	  IP Addresses, adding protocols, etc. no longer require a reboot

And, of course there is some stuff I just don't like (and neither of these
lists is complete):

	* NTFS Filesystem is slow and can still be read by anyone who
	  has a linux floppy with NTFS in the kernel, or has NTFSDOS
	  on a Win95/Dos boot floppy
	* It likes to use 131 megs of my 64 megs of ram (it likes to swap)
	* You can no longer create bootable floppies with it
	* The NT kernel doesn't play games for crap!
	* It STILL lies about having to reboot (as in, it says reboot and
	  this will work, you say "no", and it works anyhow, without the
	  reboot)
	* 2 Words: Active Desktop.  It looks cool, but MAN it's a HOG!
	* IE is built RIGHT in, no getting around it...sigh
	* MS Actually lets Administrators telnet in, so now they can send
	  their usernames and passwords in the clear across TCP/IP lines
	  that are easy to sniff, and have NO password hashing whatsoever
	  (as if that makes much of a difference)

	So, as you can see, you don't want to be switching back to MS 
Operating systems from your cool Linux/*BSD/Solaris-Intel Boxes just yet.
If you have a spare machine that's capable of running this, and you can
afford it, I would advise playing with it.  It offers quite a few cool
little features that I'd wish MS would have thought about long ago.  

-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-

Commands, commands, commands...(It's still not all point-and-click, guys!)

	Yah, they added some stuff... some cool stuff, actually.
Take, for instance, the new command interpreter (now shortened to
"cmd.exe"): it has built-in functions that make it "kind of" act a little
more unixy... for instance, it now accepts dual-pipes (||) to run the second
command only if the first command fails, or a double-ampersand (&&) to only
run the second command if the first one's successful.  All these commands
can be run within a command prompt (and a telnet session!)  Check this out:

findstr		It's GREP!  it uses regular expressions and works through
		pipes!  This is amazing...kind of.

assoc		allows administrator to change what file types are
		associated with what applications

ftype		modifies file type bindings to file extensions (.txt)

cacls		modifies, adds, or views user access permissions for
		individual files or directories.  Schweet!

at		a command-line interface to the Windows 2000 internal
		event scheduler.  This is VERY cool stuff!

tlntadmn	"telnet admin", allows admins to change what port telnet
		service runs on, how many users can be on at a time, 
		lists current telnet connections, and allows admins to 
		drop specific connections.  Kinda nice...

start		Start can open up a window on the box itself and run
		something in it... kinda fun, fairly useless so far as 
		I've seen.

compact		allows file-by-file compression, decompression, or
		compression status queries.

* Over a telnet session, "Alt" key combos can be generated by pressing
  "<CTL>-A" followed by the key you were going to use (i.e. <Alt>-F for
  the File menu in the text DOS editor would be <Ctl>-A followed by the
  "F" key).

-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-

Stability:

	I must say, for being as much of a hog on resources as it is, I 
haven't really been able to crash it.  Windows 2000 (just the beta
pre-release) seems DARN stable, which actually took me by surprise.  I
think MS finally got their act together when it came to the NT kernel.  I
could always bomb out NT4's kernel, dropping it to its knees, and making
it go BSOD (Blue Screen of Death).  Things I've found that BSOD NT4's
kernel: Trying to spawn processes while the machine is locked (as in,
waiting for a login or at a password-protected screen-saver), running
certain Windows 3.x programs, and a handful of other "normal" things that
just kill NT.  W2K isn't like that.  Some of the old DoS attacks make it
use a little more CPU (up to 60%, but not 100% like the old ones).  This
tells me that MS fixed up the TCP stack quite a bit (but not enough, yet).
The kernel is larger than the NT kernel, but seems to be a lot more stable
and feature-rich from what I've seen.  

	If you have a spare machine with the power to run this thing
decently, I would consider it.  No word on how much cash one will shell
out for it, though.

-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-

Why the heck is Windows 2000 a reality?  Didn't 98 just come out, and
isn't there already a "second edition" in the works?

	Actually, yes, 98 just came out recently, and they really shafted 
you guys.  Windows 98 is NOT Y2K compliant as originally proclaimed by the
MS Empire.  Once upon a time, there was also a whole load of patches and
stuff for Win98 available from MS's web site mirrors, too.  Those went
Bye-Bye... MS is going to apply all those patches plus some, and release a
"Win98 Second edition" thing, that will run you poor guys a pretty chunk
of change... I mean really...

	So, with all this happening, why is Windows 2000 already in the 
works?  It all has to do with MS wanting everyone to run Windows NT.  Back
in the day, before Windows NT 3.51, Bill Gates said that this "New
Technology" operating system that was under construction would be the way
of the future.  Everyone would use it.  It would be the end of the days of
MS-DOS (which is still the primary underlying OS Kernel for 95 and 98.  If
you want to be honest, not much has changed from the days of MS-DOS 5.x
with "C:\windows\win" in the autoexec.bat file.)  Why get rid of DOS, you
ask. Sometimes I wonder the same thing, but I guess MS thinks that NTFS is
"more secure", which it kind of is, mostly to remote users.

	But Windows NT was "much too difficult for the end users" at first; 
and it didn't (and still doesn't) play the cool games very well.  It was
ugly, and had tons of bizarre menus and options that only would make sense
to a system administrator.  The latter part hasn't changed a whole lot
either, there are literally TONS upon tons of options, menus and trees to
explore, but Windows 2000 looks and feels a lot like a stabilized Windows
98 box. Windows 2000 makes an attempt to nice up the menus (that is,
give really verbose menu options so that it's fairly clear what's gonna
happen when you click on stuff, and believe me, it helps when there are so
many things to choose from). If you're used to NT 4.X, you're gonna be
lost for a day or so on your Windows 2000 server box.  Things are in
different places, and there are fewer administration programs, and the ones
that are there do a lot more than their older, NT4 cousins.  If you're
using (or have seen) Windows 98, it'll be comfortable, but a lot of admin
stuff you're not really used to seeing.  Windows 95 users will be lost
even longer than the NT4 users, but they'll manage.

	This is truly the attempt to "make" everyone use NT.  Windows 2000
is totally based on a revised NT kernel, and is even installed from an
"i386" directory off the CD, much akin to the Intel NT4 installation.  It
is installed on a fat16/fat32 drive, and can remain that way if the user
wishes.  The partition may be changed over to NTFS at any time by the
admin, but it requires a reboot.  

-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-

NTFS WHAT?!

	Once changed to NTFS, there is no going back.  It's NTFS for good.  

	I would recommend using NTFS only if you want to have multiple users
(local and remote) that you don't completely trust with the files.  NTFS
basically only adds user-by-user and group file permissions, which are
accessible through the "properties" dialog for each file and directory.
Converting to NTFS adds another folder tab to the dialog, allowing the
administrator to edit the ACLs (Access Control Lists) for the object.  If
the permissions are set to allow it, certain users might be able to read
the ACLs as well, and if misconfigured, users will be able to EDIT the
ACLs...so be careful.

ACLs have a kind-of pyramid structure.  Possible permissions:  

Full Control
Modify
Read/Execute
List Contents (folders/directories only)
Read
Write

Each of these can have three states: Granted, Denied, or Neutral.
If Denied, all "grants" are nulled, and Deny takes precedence.  This means
that if you give the user "me" read access and deny the group "Everyone"
read access, then because "me" is in the "Everyone" group (all local users
are in Everyone, and this can't be changed), the read access you granted
"me" becomes denied because of the deny rule that also exists.  However,
if "Everyone" just isn't granted or denied read access, while "me" *IS*
granted read access, "me" will retain the read access, and the neutral
read bit for the "Everyone" group won't overcome "me"'s access
rights.  Since "Everyone" doesn't have read-access granted, they can't
read it anyways, and everyone is happy.  If a user is given "Full control"
over a file or directory, all other access permissions are immediately
granted unless overcome by a "Deny" due to a group they are residing in.
Remember this when troubleshooting file access problems.
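Here is a small model of the grant/deny rules just described, added to this article as an illustration (it is not code from the original article, and it is not how Windows itself stores or evaluates ACLs; the user, group and ACE values are constructed). It walks through the two "me"/"Everyone" cases above plus a Full Control case, and it treats a Deny on Full Control as denying everything, which is an assumption beyond what the text states.

```python
"""Toy model of the NTFS ACL rules described above: an explicit Deny beats a
Grant, a Neutral (absent) entry says nothing, every local user is implicitly
in "Everyone", and a granted Full Control implies every other permission
unless a Deny from some group the user sits in takes it away.
This is a constructed illustration, not the Windows ACL implementation."""

from dataclasses import dataclass

# Permission names exactly as the article lists them.
FULL_CONTROL = "Full Control"
MODIFY = "Modify"
READ_EXECUTE = "Read/Execute"
LIST_CONTENTS = "List Contents"
READ = "Read"
WRITE = "Write"
PERMISSIONS = (FULL_CONTROL, MODIFY, READ_EXECUTE, LIST_CONTENTS, READ, WRITE)

GRANT = "Granted"
DENY = "Denied"
# "Neutral" is simply the absence of an entry for that principal/permission.


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which permission, granted or denied."""
    principal: str    # a user name or a group name
    permission: str   # one of PERMISSIONS
    state: str        # GRANT or DENY


def principals_for(user, groups):
    """Every name an ACE can match for this user: the user itself, each group
    that lists it, and the implicit "Everyone" group nobody can leave."""
    names = {user, "Everyone"}
    for group, members in groups.items():
        if user in members:
            names.add(group)
    return names


def effective_access(user, acl, groups):
    """Return the set of permissions `user` actually ends up with."""
    names = principals_for(user, groups)
    relevant = [ace for ace in acl if ace.principal in names]
    granted = {ace.permission for ace in relevant if ace.state == GRANT}
    denied = {ace.permission for ace in relevant if ace.state == DENY}

    # A granted Full Control immediately grants everything else...
    if FULL_CONTROL in granted:
        granted = set(PERMISSIONS)
    # ...and (assumption, not stated in the article) a denied Full Control
    # is treated as denying everything.
    if FULL_CONTROL in denied:
        denied = set(PERMISSIONS)

    # Deny takes precedence: any Deny from any group the user is in wins.
    return granted - denied


def can_read(user, acl, groups=None):
    return READ in effective_access(user, acl, groups or {})


def walkthrough():
    """The article's two "me"/"Everyone" cases plus a Full Control case,
    with constructed names.  Returns {case: permissions-or-bool}."""
    groups = {"staff": {"me", "bob"}}   # constructed group membership
    results = {}

    # Case 1: "me" granted Read, but "Everyone" denied Read -> Deny wins.
    acl = [Ace("me", READ, GRANT), Ace("Everyone", READ, DENY)]
    results["deny on Everyone beats grant on me"] = can_read("me", acl, groups)

    # Case 2: "Everyone" neutral on Read, "me" granted -> "me" keeps Read,
    # and anyone without a grant (bob) still can't read.
    acl = [Ace("me", READ, GRANT)]
    results["neutral Everyone, me reads"] = can_read("me", acl, groups)
    results["neutral Everyone, bob reads"] = can_read("bob", acl, groups)

    # Case 3: Full Control for "me", but the "staff" group is denied Write.
    acl = [Ace("me", FULL_CONTROL, GRANT), Ace("staff", WRITE, DENY)]
    results["full control minus group deny"] = effective_access("me", acl, groups)
    return results


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case}: {outcome}")
```

When troubleshooting, the useful habit this model encodes is to list every group the user belongs to (Everyone included) and look for a Deny on any of them before wondering why a Grant on the user "isn't working".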

NTFS can be easily overcome at any time with NTFSDOS (a DOS tool that can  
be used by a user with a bootable floppy.  It allows reading and writing
to any file on the NTFS drive) or a linux boot floppy with NTFS in the
kernel.  This works with all versions of NT that implement NTFS.  (NT 3.51
used HPFS)  Of course, you realize this relies on a few factors, including
Physical access, and the BIOS set to be able to boot from floppy or CDROM.

I would recommend password-protecting the BIOS settings area, and turning
off floppy/cdrom boot, which is a good idea anyways.  This will help
prevent a malicious user with physical access from compromising your
system (although physical access usually means easy admin access anyways,
but it never hurts to make it harder).  I would also recommend you get a
copy of NTFSDOS or a crafted linux bootdisk kit that offers NTFS access
(available on the web).  Try it out, and get comfortable using it, because
one day, you might need to recover something.  If you ever need to recover
it, go into the bios settings, enter your password, enable floppy/cdrom 
booting, and proceed, disabling floppy booting when done.  This practice
will ensure that you have access to recover files in case of an emergency,
and will keep most anyone else from doing it the same way you did.

-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-
 
			   Hacking Windows 2000

	Remember all those fun hacks for Windows NT?  You know, like the
ones where if you had an account and physical access to the box, you could
add yourself to the administrators group, and all those?  Well, so far as
I can tell, not a single one of them works against Windows 2000.  I may be
wrong, but I've tried all the toys I found for NT4, and nothing works.
About the only thing Windows 2000 seems to be vulnerable to is the boot
floppy with an NTFS tool (covered in the previous section), and sniffing
password hashes/raw telnet/ftp sessions.  I would say your best bet is the
sniffing route.  I have not tried l0phtcrack against Windows 2000, but
results are welcome by our readers (and I'll post your findings and
appropriate credits on the News page and in the next issue of HiR).

-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-

			The Windows 2000 Registry

	I'm not even going to TRY to get too specific here, as the Windows
2000 registry isn't much different from the Windows NT Registry.  I'll
give ya some pointers on system policies, though...

	First things first... In windows 95/98, it's easy for the end-user
to change his/her own registry permissions, because there is no defined
"Superuser" level account... you know as well as I do that anyone with a
few extra minutes on their hands will eventually be able to gain full
access on your Win95/98 box, no matter how hard the policies are locked
down (see "Windows 95: User Friendly means Hacker Friendly", HiR issue 6
Article 7).  Under the NT environment, there is REALLY an administrator
account, and that has access to everything, therefore, the need for any
user to be able to change policies around is deprecated (and just plain
bad).  Normal users cannot run registry patches or edit the registry in
any way that would allow them more access.  Period.

Policies are in a similar location to Windows 95.  Follow the registry
tree! 

Your policies would be under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
                                     ^^^^^^^
                                        |--> "Windows", NOT "Windows NT"

	Windows 2000 Policies are pretty much identical to Windows 95 
Policies (in fact, the policies are identical to Windows 98, to the best
of my knowledge). The new policies add a couple of policies to do things
such as Disabling "Windows Update" (which goes out and tries to grab
updates from MS, also telling MS what you have on your machine, uploads
your Windows 2000 serial number, and other evil things).

-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-

Operating-System wise, How does W2K score?

	It's maybe a 6.  It's possibly the best MS Operating system I've
seen.  If it's not the best, I would have to say it's the most intuitive.
Will I switch to it from Linux, FreeBSD or some other UNIX-derived OS?
Not on your life.  It's very cool, but there is still something to be said
about using too many resources just to make sure the user has an interface
to run programs.  Windows 2000 doesn't have what it takes just yet; I can
do cool raw-socket operations on UNIX OS's, and that means I can have a
lot more network fun.  I can also do more work in less time, because my OS
isn't wasting gerbil-wheel rotations on drawing cool pictures on the
screen, and if it IS drawing, it's doing it through X11 or SVGAlib, both
of which use fewer resources than whatever MS is doing with their API to
let pictures onto the screen.  The only real way I can describe what is
happening is if I relate the operating system to the body of a car, and
the hardware of the computer to the engine of the car.  Here goes:

If the car's body (the OS) is huge, and bulky, not very streamlined, and
weighs a lot, the engine (processor, memory, etc) will have to work
harder, and it will never run as fast as it could with a lightweight,
sleek, and small body.  

Windows 2000 takes up 250 megs of hard drive space for an install.
I've seen a linux system use 3 megs of ramdisk space to run just fine.

Which do you think is going to let the end-user use the processor (or hard
drive for that matter) more efficiently?

--Axon

