This excerpt is from Chapter 4, Hacking Windows 95/98 and Me, from Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition, written by Stuart McClure, Joel Scambray and George Kurtz, and published by McGraw-Hill/Osborne Media.
The most important thing for a network administrator or end user to realize about Windows 95/95B/98/98SE and their updated counterpart Windows Millennium Edition (hereafter Win9x/Me, or the "DOS Family") is that their architecture was not designed to incorporate security from the ground up like Microsoft's other Windows lineage, the Windows NT Family.
In fact, it seems that Microsoft went out of its way in many instances to sacrifice security for ease of use when planning the architecture of Win9x/Me. This becomes double jeopardy for administrators and security-unaware end users. Not only is Win9x/Me easy to configure, but the people most likely to be configuring it are also unlikely to take proper precautions (such as good password selection).
Even worse, unwary users of Win9x/Me could be providing a back door into your corporate LAN, or they could be storing sensitive information on a home PC connected to the Internet. The growing prevalence of viruses and other Web- or e-mail-borne malicious software that "phone home" from compromised systems complicates this issue. A single unsuspecting Windows 9x user who launches a malicious e-mail attachment can create a tunnel back out of the firewall to a malicious
With the increasing adoption of cable and DSL high-speed, always-on Internet connectivity, this problem will only get worse. Whether you are an administrator who manages Windows 9x or a user who relies on Windows 9x to navigate the Net and access your company's network from home, you need to understand the tools and techniques that will likely be deployed against you.
Fortunately, Win9x/Me's simplicity also works to its advantage security-wise. Because it was not designed to be a true multiuser operating system, it has extremely limited remote administration features. It is impossible to execute commands remotely on Win9x/Me systems using built-in tools, and remote access to the Windows 9x Registry is only possible if access requests are first passed through a security provider such as a Windows NT Family server or Novell NetWare server. The NT Family and Novell NetWare provide user-level security, versus the locally stored, username/password-based share-level security that is the default behavior of Win9x/Me. (Win9x/Me cannot act as a user-level authentication server.)
Therefore, Win9x/Me security is typically compromised via the classic routes: misconfiguration, tricking the user into executing code and gaining physical access to the console. We have therefore divided our discussions in this chapter along these lines: remote and local attacks. We also cover Windows 9x separately from Windows Me because the two OSes were released over three years apart. However, in most instances, attacks against Windows 9x should also work against Windows Me, unless otherwise specified.
If you are a Win9x/Me user wondering whether you should upgrade to Microsoft's newest desktop operating system, Windows XP, we'll say, in a word, YES! XP has all the Plug-and-Play warmth that novice users covet with ten times the stability and an actual security subsystem, because it is based on the NT Family code lineage, as opposed to the DOS Family. Either the Home Edition or Professional is appropriate, depending on whether you want a more simplified default user interface with plenty of helpful wizards or need more business-oriented features, such as Remote Desktop, System Restore and advanced networking features. We discuss Windows XP and its business-oriented cousins, Windows NT, Windows 2000 and .NET Server 2003 in Chapter 5.
This was first published in June 2003