Alternative NTFS data streams, or why the PowerShell script did not start. Alternative data streams in NTFS or how to hide a notepad

Alternate data streams were introduced in Windows NT 4.0 and exist in all of its descendants (excluding the Windows 95 line: 98, Me). They still exist in XP, Vista and Windows 7. As long as versions of Windows support NTFS, they will support file streams, and NTFS will be supported for a long time.

The error you quoted is described on the page you refer to in your question. The type command does not understand streams. Use instead:

More< 1013.pdf:Zone.Identifier

Working with streams

Microsoft has only a few commands that work with streams; in fact only the redirection operators < and > understand them, so only commands that can be used with these redirection operators can work with streams. I wrote about how you can still control streams with just these commands.

Streams only work with programs that are designed to work with them, simply because they need to be handled specially (compare junction points, which are also an NTFS feature, but there the driver hides the details and programs don't need to do anything special: they just treat the junction point as a real file).

When you try to open a file stream using start filename:streamname and the program says something like "illegal file name" or "file not found" although you are sure the stream name is correct, then most likely the program does not support streams. I noticed that Notepad, WordPad and Word/Excel work correctly with streams, although Word and Excel consider such files to be dangerous. Below are some experiments.

NOTE: Alternate data streams may seem odd to you. They seem weird because they are so hidden, but many major file systems (HFS, NSS) have them, and the concept dates back to the early 80s. In fact, streams were originally added to NTFS to interoperate with other file systems.

Most users of modern operating systems of the Windows family have encountered a situation where a help file in CHM (Compiled Help Module) format opens only partially: you can only view the table of contents, without the contents of its items:

Additionally, if you try to open a CHM file contained on a network share using a UNC (Universal Naming Convention) path such as \\server\h\help.chm, its sections are not displayed. In other words, you can normally view .chm files only if they were not received over the network.

A similar picture occurs when you try to open an executable file that was downloaded from the network. You will see a security warning:

Moreover, the same file, extracted from an archive that was also downloaded from the Internet, can be opened on this computer without any problems. In fact, the only difference is that the file being opened was created locally, during the unzipping process, and not downloaded over the network. In other words, Windows has the ability to determine the network origin of a file, and respond to it using certain security settings.

A mechanism for determining the network origin of files.

In the NTFS file system, each file (or directory) is represented as a collection of individual elements called attributes. Elements such as the file name, the security settings and even the data are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name. So, for example, the file name is contained in the Filename attribute, the content in the DATA attribute, information about the owner and access rights in the Security Descriptor attribute, and so on. The contents of each file (the $DATA attribute) is a set of streams in which the data is stored. For each file or directory in NTFS there is at least one main stream, in which the data is actually stored. However, in addition to the main stream, a file or directory can also have alternate data streams (ADS) associated with it, which may contain data that is in no way related to the data of the main stream. The main stream of the file has no name and is designated as $DATA:"". Alternative streams must have a name, for example $DATA:"StreamData" is an alternative stream with the name StreamData.

When data is written to a file by the usual functions, it is placed in the main data stream. When we open, for example, a text file with Notepad, we get access to the data of the main stream. The data of alternative streams is not displayed by standard means of access; indeed, there is not even any sign of their presence. However, the data of alternate streams associated with a specific file or directory can be accessed using special programs or by using a special syntax on the Windows command line.

For example, writing text to the file test.txt with the command echo:

echo Main stream Data > test.txt - writes the text "Main stream Data" to the file test.txt, which means writing to the main, unnamed stream.

But you can change the command:

echo Alternate stream Data > test.txt:stream1 - writes the text "Alternate stream Data" to the alternative stream named stream1 of the file test.txt.

Now you can open, for example, each of the streams with Notepad:

notepad test.txt - opens the contents of the main stream, with the text "Main stream Data".

notepad test.txt:stream1 - opens the contents of the alternative stream, with the text "Alternate stream Data".

Alternative streams, being invisible to the standard tools for working with file system objects, are nevertheless very often used to store additional information about files and other service information. So, for example, when downloading files from the Internet, browsers add an alternative stream called Zone.Identifier, which can be opened with Notepad as in the example above:

notepad %USERPROFILE%\Downloads\ChromeSetup.exe:Zone.Identifier - opens in Notepad the alternative stream named Zone.Identifier of the file ChromeSetup.exe. You don't have to specify the full path to the file if you first change to the current user's downloads directory (with the standard location of user folders):

cd %USERPROFILE%\Downloads - change to the downloads directory.

notepad ChromeSetup.exe:Zone.Identifier - opens the alternative stream named Zone.Identifier of the Google Chrome installer ChromeSetup.exe in the current directory.

As you can see, the contents of the alternative stream consist of the lines:

[ZoneTransfer] - section header describing the zone transfer data
ZoneId=3 - zone identifier.

This information makes it possible to determine the origin of the file by identifier number ZoneId:

0 - local computer (Local)
1 - local network (Intranet)
2 - trusted sites (Trusted Sites)
3 - Internet
4 - dangerous sites (Restricted Sites)

This definition of zones corresponds, for example, to the security zone settings of Internet Explorer:

In this case you can determine that the file ChromeSetup.exe was obtained from the Internet (zone ID = 3). When such a file is run, a security warning about an untrusted source is issued. The security features of Microsoft Office applications work in a similar way when they warn about the danger of opening files that were downloaded from the Internet. For the same reason the contents of CHM help files do not open: the contents of the alternative stream cause them to be classified as dangerous, regardless of whether any actual danger exists.
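As an added example (not code from the original article), the following PowerShell script does what the article describes by hand with Notepad, but for a whole folder: it reads the Zone.Identifier stream of every file, parses the ZoneId and maps it to the zone names listed above. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter) on an NTFS volume; the folder defaults to the current user's Downloads directory. The HostUrl and ReferrerUrl keys are not mentioned in the article; some browsers write them into the same stream, and they are treated here as optional.

```powershell
# Added example, not part of the original article.
# Assumes Windows PowerShell 3.0+ on NTFS; the audited folder is the user's Downloads.

# Zone numbers exactly as listed in the article.
$ZoneNames = @{
    0 = 'Local computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function ConvertFrom-ZoneIdentifier {
    # Parses the text of a Zone.Identifier stream: a [ZoneTransfer] section with
    # key=value lines. ZoneId is always present; HostUrl/ReferrerUrl are optional
    # keys that some browsers add (assumption: not every file will have them).
    param([string[]]$Lines)

    $result = @{ ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    foreach ($line in $Lines) {
        if ($line -match '^\s*(ZoneId|HostUrl|ReferrerUrl)\s*=\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    if ($result.ZoneId -ne $null) { $result.ZoneId = [int]$result.ZoneId }
    return [pscustomobject]$result
}

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)

    # A file without a Zone.Identifier stream carries no mark, so Windows treats
    # it as local. -ErrorAction SilentlyContinue turns a missing stream into $null.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) {
        return [pscustomobject]@{ File = $Path; ZoneId = $null; Zone = 'No mark (treated as local)'; HostUrl = $null }
    }

    $info = ConvertFrom-ZoneIdentifier -Lines $lines
    $zone = 'Unknown zone'
    if ($info.ZoneId -ne $null -and $ZoneNames.ContainsKey($info.ZoneId)) {
        $zone = $ZoneNames[$info.ZoneId]
    }
    [pscustomobject]@{ File = $Path; ZoneId = $info.ZoneId; Zone = $zone; HostUrl = $info.HostUrl }
}

# Audit the Downloads folder. Files from zone 3 (Internet) or 4 (Restricted)
# are the ones for which Windows shows the security warning or blocks opening.
$folder = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $folder -File |
    ForEach-Object { Get-FileZone -Path $_.FullName } |
    Sort-Object ZoneId -Descending |
    Format-Table File, ZoneId, Zone, HostUrl -AutoSize
```

Running the script on a typical Downloads folder shows, side by side, which files still carry the mark of the web and which (for example files unpacked locally from an archive, as the article notes) carry none and would therefore open without any warning.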

Try using the same Notepad to change the ZoneId value to 0, which corresponds to the local origin of the file: the security warning will disappear, as will the problems with opening office documents or help topics in .chm files.

The security mechanisms behave the same way when the contents of the alternative stream are deleted (the stream is made empty) or the alternative stream itself is deleted altogether.

Starting with Windows 7, you can get a list of a file's alternative streams with the DIR command and the /R parameter:

dir /r %UserProfile%\Downloads - displays the list of files and their alternative streams in the Downloads directory of the current user.

To work with alternative streams in any version of Windows OS, you can use the utility streams.exe from the Microsoft Sysinternals Suite software package. The package contains many small programs for diagnostics, optimization and administration, including a utility that allows you to compensate for shortcomings in working with alternative streams.

Command line format:

streams.exe [-s] [-d] <file or directory>

Command line options:

-s - process subdirectories.
-d - delete alternative streams.
-nobanner - do not display the start banner and copyright information.

Examples of using:

streams.exe /? - display help on using the program.

streams myfile.txt - display information about the streams of the file myfile.txt.

streams -d myfile.txt - remove the alternative streams of the file myfile.txt.

streams -d -s D:\Downloads\*.* - delete the alternative streams of all files and subdirectories in the directory D:\Downloads\.

On Windows 8 and later operating systems, PowerShell also allows you to work with alternative streams:

Get-Item -Path C:\FirefoxSetup.exe -Stream * - display information about the streams of the file C:\FirefoxSetup.exe.

Get-Content -Path C:\FirefoxSetup.exe -Stream Zone.Identifier - display the contents of the alternative stream Zone.Identifier of the file C:\FirefoxSetup.exe.

Remove-Item -Path C:\FirefoxSetup.exe -Stream * - remove all alternative streams associated with the file C:\FirefoxSetup.exe.

Remove-Item -Path C:\FirefoxSetup.exe -Stream Zone.Identifier - delete the alternative stream Zone.Identifier associated with the file C:\FirefoxSetup.exe.
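The cmdlets above are shown one at a time; the following added example (my code, not from the article or from Microsoft) combines them into an inventory of every alternate stream under a folder, flags streams that are not on an allow-list, and demonstrates the point the article makes later about "invisible changes": writing an ADS does not change the length or content of the main stream. It assumes Windows PowerShell 3.0 or later on NTFS; the demo folder name under $env:TEMP and the stream name stream1 are my own choices.

```powershell
# Added example, not part of the original article.
# Assumes Windows PowerShell 3.0+ on an NTFS volume.

function Get-AlternateStreamReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Streams considered normal; anything else is reported as unexpected.
        [string[]]$Expected = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream; ':$DATA' is the
        # main, unnamed stream and is skipped here.
        Get-Item -LiteralPath $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Length     = $_.Length
                    Unexpected = ($Expected -notcontains $_.Stream)
                }
            }
    }
}

# Demonstration on a throw-away folder (constructed for this example).
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$demo = Join-Path $dir 'test.txt'

Set-Content -LiteralPath $demo -Value 'Main stream Data'
$before = (Get-Item -LiteralPath $demo).Length

# Write a named stream. Explorer, 'type' and a plain Get-Content still show
# only the main text, and the reported file size does not move.
Set-Content -LiteralPath $demo -Stream stream1 -Value 'Alternate stream Data'
$after = (Get-Item -LiteralPath $demo).Length
"Main stream length before/after adding the ADS: $before / $after (unchanged)"

Get-Content -LiteralPath $demo                   # Main stream Data
Get-Content -LiteralPath $demo -Stream stream1   # Alternate stream Data

# The report is where the hidden stream becomes visible: stream1 is not on the
# allow-list, so it is flagged as Unexpected.
Get-AlternateStreamReport -Path $dir | Format-Table -AutoSize

# Remove only the named stream; the file and its main content remain.
Remove-Item -LiteralPath $demo -Stream stream1
```

Pointing Get-AlternateStreamReport at a user profile or a share is a quick way to check whether anything other than the expected Zone.Identifier streams is being stored alongside files, which is the practical reason an administrator would want to enumerate ADS at all.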

Security zone information is widely used in group policies, and in particular, by the Windows Attachment Manager, which performs protection functions against malware that may be contained in email attachments or files downloaded from the Internet. The Microsoft website contains a detailed article on how to configure the Attachment Manager and resolve problems associated with it:
Description of the operation of the attachment manager, which is included in the Microsoft Windows system.

In conclusion, I will add that alternative streams are a property of the NTFS file system, and, for example, are not supported in FAT32. Accordingly, when copying files from NTFS to any other file system, alternative streams are discarded.

Visibly-invisibly

Blog reader Victor was unable to run a PowerShell script he had downloaded from the Internet. Reading my instructions carefully would have avoided the problem, but its root cause was not PowerShell's strict security policies.

Victor downloaded from the TechNet gallery the PSWindowsUpdate.zip archive with the script for managing Windows Update that I had written about. However, the unpacked script refused to work. When I pointed out to the reader that the first step of my instructions mentioned the need to unblock the archive, everything went like clockwork.

Victor asked to explain why the system blocked the script, and how it knew that the archive was downloaded from another computer.

To be honest, today's topic is not new, but I decided to cover it on my blog for several reasons:

  • Many articles were written back in the days of Windows XP or Windows 7 and do not take into account the built-in capabilities of newer Microsoft operating systems.
  • One of the articles planned for the near future touches on this topic, and it is easier for me to refer to material for the relevance and correctness of which I myself am responsible.
  • The blog has a large audience, and for many readers this topic will still be new :)

Today on the program

NTFS data streams

Windows gets information about a file's origin from an alternate data stream (ADS) of the NTFS file system. In the file properties it modestly says that the file came from another computer, but in reality it knows a little more, as you will see later.

From an NTFS point of view, a file is a collection of attributes. The contents of the file is a data attribute named $DATA. For example, a text file containing the line "Hello, World!" has a $DATA attribute with the value "Hello, World!".

In NTFS, the $DATA attribute is a data stream and is called the primary or unnamed stream, because it has no name. Formally it looks like this:

$DATA:""

  • $DATA - attribute name
  • : - delimiter
  • "" - stream name (in this case there is no name: there is nothing between the quotes)

Interesting Features of Alternative Data Streams

In the context of the examples above, I want to make a few interesting points.

Invisible changes

Having created a text file with the first command, you can open it in a text editor and confirm that none of the further manipulations affect the contents of the file in any way.

It gets interesting when the file is opened, say, in Notepad++. This editor can warn you about file changes. And it will do this when you write an alternative stream to the file, but the content will remain the same!

Record and view ADS from CMD

ADS can be created and displayed from the command line. The following commands write hidden text to a second ADS named MyStream2 and then display it.

Echo Hidden Text > C:\temp\test.txt:MyStream2
more < C:\temp\test.txt:MyStream2

Viewing ADS in text editors

The same Notepad++ will show you the contents of an ADS if you specify the stream name on the command line:

"C:\Program Files (x86)\Notepad++\notepad++.exe" C:\temp\test.txt:MyStream1

Result:

With Notepad this trick only works if the stream name has a .txt extension. The commands below add a third ADS and open it in Notepad.

Echo Hidden Text > C:\temp\test.txt:MyStream3.txt
notepad C:\temp\test.txt:MyStream3.txt

Result:

Blocking downloaded files

Let's get back to the reader's question. Whether a file will be blocked depends primarily on the program that downloaded it, and secondly on the OS settings. All modern browsers support blocking, and it is enabled in Windows.

Remember that when an archive is blocked, all files unpacked from it are blocked "by inheritance". Also remember that ADS is a feature of NTFS, so when an archive is saved or unpacked on FAT32, no blocking occurs.

View information about the source of a blocked file

In PowerShell, go to the folder with the downloaded file and look at the information about all of its streams.

Get-Item .\PSWindowsUpdate.zip -Stream *

   FileName: C:\Users\Vadim\Downloads\PSWindowsUpdate.zip

Stream                   Length
------                   ------
:$DATA                    45730
Zone.Identifier              26

As you already know, $DATA is the contents of the file, but the list also shows an ADS named Zone.Identifier. This is a clear hint that the file was received from some zone. Do you know where this picture is from?

To find out the zone, you need to read the contents of the ADS.

Get-Content .\PSWindowsUpdate.zip -Stream Zone.Identifier

[ZoneTransfer]
ZoneId=3

The Unblock-File cmdlet is obviously aimed at batch unblocking (for example, when the archive has already been unpacked). The command below unblocks all files in the Downloads folder whose name contains PS:

Dir C:\Downloads\*PS* | Unblock-File

Of course, there are all sorts of utilities with a graphical interface, even ones that integrate into the context menu. But in my opinion PowerShell or, at worst, the streams utility is quite enough.

How to prevent files from being blocked

Blocking is controlled by the group policy "Do not preserve zone information in file attachments". As the name suggests, blocking is the standard Windows behavior, and the policy lets you change it.

However, it is not obvious from the name that the policy applies not only to email attachments, but also to files downloaded from the Internet. Read more about the attachment manager in KB883260.

Home editions have no Group Policy Editor, but nobody has cancelled the registry: SaveZoneInformation.zip.
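Disabling this policy is exactly the kind of weakening a defender wants to notice, so here is an added example (my code, not the article's) that reports the current setting for the user. The registry location HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments and the meaning of the SaveZoneInformation values (1 = do not preserve zone information, 2 = preserve it) come from Microsoft's KB883260 article referenced above, not from this post; the corroborating count over the Downloads folder is my own addition. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of the original article.
# Registry value semantics per KB883260: 1 = do not preserve zone information,
# 2 = preserve zone information, absent = Windows default (preserved).

function Get-SaveZoneInformationPolicy {
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
    $value = $null
    if (Test-Path -Path $key) {
        $value = (Get-ItemProperty -Path $key -Name SaveZoneInformation -ErrorAction SilentlyContinue).SaveZoneInformation
    }

    if ($value -eq 1) {
        $effect = 'Zone information is NOT written: downloads get no Zone.Identifier stream and are never blocked'
        $risk   = 'High'
    } elseif ($value -eq 2) {
        $effect = 'Zone information is written (policy explicitly enforces the default)'
        $risk   = 'Low'
    } else {
        $effect = 'Not configured: Windows default, zone information is written'
        $risk   = 'Low'
    }

    [pscustomobject]@{
        Key                 = $key
        SaveZoneInformation = $value
        Effect              = $effect
        Risk                = $risk
    }
}

function Get-MarkedDownloadCount {
    # Corroborates the policy reading empirically: how many files in Downloads
    # still carry a Zone.Identifier stream. A folder full of fresh downloads with
    # zero marked files is a strong sign the policy (or a tool) strips the mark.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))

    $files  = @(Get-ChildItem -LiteralPath $Folder -File)
    $marked = @($files | Where-Object {
        Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    })
    [pscustomobject]@{ Folder = $Folder; Files = $files.Count; Marked = $marked.Count }
}

Get-SaveZoneInformationPolicy | Format-List
Get-MarkedDownloadCount       | Format-List
```

The policy check alone tells you what is configured; the second function tells you what is actually happening on disk, which is the pair of facts you want before deciding whether a machine's downloads are still subject to the blocking described in this section.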

Other examples of practical application of ADS

The scope of ADS is not limited to adding a downloaded file zone, nor is it necessary to store only text in ADS. Any program can use this NTFS feature to store any kind of data, so I'll just give a couple of examples from different areas.

File Classification Infrastructure


Interesting material, thank you. I learned something new about PowerShell, which is still a little familiar to me :)

I often use WhatsApp to communicate with my family - so far there have been the fewest problems with this service, even my parents have gotten used to it. Kontaktik is also mainly for family, although the exchange of messages there is mainly around published albums with photos and videos. Some relatives remain faithful to Viber - it didn’t work out for me, I just keep it for them, without giving up trying to drag them to WhatsApp.

For work, mainly Slack, when something is urgent - WhatsApp, very urgent - SMS. VKontakte for communication about working with the outside world.

I use Skype only for video calls, mainly with my family. I would gladly replace it with WhatsApp if there were video calls.

urix

Viber now has video calls, and even video calls for the desktop version. So maybe Viber will be the next Skype... in a good way

Andrey Kuznetsov

Interesting material, thank you. I knew about the existence of streams, but I didn't know that it was so easy to work with them through PowerShell.
As for IM: The only complaints I have about Skype are the startup time on Windows Phone. There is no such problem on iPad and Windows. I use it for voice communication when for some reason it is inconvenient to use GSM.
And correspondence via Whatsapp. Having it only on your phone is more of a plus from a privacy standpoint.

  • Andrey Kuznetsov: And correspondence via Whatsapp. Having it only on your phone is more of a plus from a privacy standpoint.

    Andrey, explain what is the plus here?

Pavlovsky Roman

1. I use most often: Skype and Hangouts - for work on a PC, for other correspondence on VKontakte from any device, since work clients usually use Skype, and friends and acquaintances on Social Networks.

2. I would ideally like to use: Jabber - for correspondence and calls from any device. As for me, the client can be installed on any device and correspond with each other wherever the user is, even on a weak Internet connection + in addition, you can deploy your own jabber server and store all correspondence on the server, so that later you can quickly find the necessary correspondence, if the client does not know how to store history, and plugins for calls via Jabber can be found (for example, through the same SIP Asterisk 1.8+)

Andrey Bayatakov

Most often I use WhatsApp (mainly for work), for calls (audio/video/international calls) Skype. Although desktop Skype is terribly infuriating (I have a transformer and at home I use it mainly as a tablet)… Viber has not caught on. To make calls via WhatsApp you just need to have nerves of steel. You say something to your interlocutor and wait a minute or two for him to hear you (50Mbit connection)…
If there was an opportunity, I would completely switch to Skype. On Windows 10 Mobile, after a recent update, messages from Skype come directly to the built-in Messages application (like SMS), which is very convenient.

Maxim

1. Reluctantly, I use ICQ (for retrograde customers) and Slack (for more modern ones).
2. I would like to use Jabber - for the same reasons as Roman Pavlovsky above.

Vladimir Kiryushin

Hello Vadim!
Before this article, I read your article about how to read the report of scanning the entire system disk using the chkdsk command. Great article! Thanks to her, today after checking the system disk with the chkdsk command, I received a text file of the report. And this article also clarifies a lot of things about the PowerShell program. Some things are incomprehensible to me as a pensioner, but I try not to panic and read diligently to the end. Thank you for the study you are doing with us! All the best to you!

Lecron

What browsers and downloaders create this stream?

What other options are there for the user to use streams? And in particular, a user who writes scripts? Because, although I have known about them for a long time, I never used them. When actually working with a computer, you simply don't remember about them, and because of this you may end up using crutches instead of a convenient tool, and without this work, from memory, you can't come up with anything.
I only thought of one option. A comment to the file, if there is no possibility or desire to write long text in the file name. But this requires support from the file manager, who previously, and even now, writes them to descript.ion or files.bbs.

Speed Guru

Another garbage technology, like the USN journal. How much use will you get from ZoneIdentifier, or from a virus attached to a file or folder? None, of course. Moreover, this clutters the system with unnecessary "sub-files" that a normal user does not need in any way. Every extra read in the MFT directory and every other operation associated with the maintenance and servicing of alternative streams means extra wasted processor cycles, RAM and, most importantly, extra load on the hard drive.
You can tell me that this technology is very necessary for the system. But this is nonsense: the system would work perfectly without streams. But no one asks the user; they sold it (like the USN journal) and did not give the opportunity to completely disable the maintenance of these streams. But as a user I don't need them at all, and I think you don't either...
All we can do is "streams -s -d %systemdrive%". But this also does not make it possible to delete streams on the system partition.

Alexiz Kadev

Named streams are a great thing, and they existed, as far as I remember, from the first release of NTFS. It’s quite convenient to store, for example, document versions in named streams, which, if I’m not mistaken, a number of applications have done. But there remains an ambush with copying to another file system - named streams are simply cut off.

It’s a pity that it was impossible to select several messengers in the poll: I use several, since some of my contacts prefer certain ones. So, I use WhatsUp, ICQ (though, of course, not a native client), Skype, SkypeforBusiness (quiet horror, not a client, however, when it was called Lync it was even worse) and Viber (here there is more spam than in others at least once at 5).
And ideally, use just one, like Miranda with plugins, since finding, if necessary, who said/wrote something when in this whole bunch is simply unrealistic. But alas, a number of manufacturers close their protocols and protect them like Kashchei protects his needle.

  • VSh

    Vadim Sterkin: Roman, I did not include Jabber in the survey. I decided that few people use it and there are no prospects.

    In vain
    For example, I use OpenFire (freeware xmpp) as an office communicator on several domains.

    Therefore, my main one is XMPP (Pidgin.exe, Spark.exe), but 99.8% of these messages are intradomain.
    Skype - for external IM
    WhatsApp and Viber are for “random connections”, the last n months have been nothing but SPAM, I’m thinking – should I delete it?

  • Artem

    For some reason everything is on Viber. And the quality of communication is quite satisfactory. Otherwise there would be a telegram. It's empty there.

    hazet

    1. Skype (on PC) and Viber (on Mobile). The reasons are basically the same as for most - the number of available contacts and, naturally, the reluctance of these same contacts to switch to another messenger.
    2.uTox. Miniature, nothing superfluous, client for Win, Linux, Mac and Android. Positioned as protected.
    P.S. I'll start dragging my contacts onto it more tightly :-)

    Evgeniy Karelov

    Thank you for your work!

    Regarding the survey, I use QIP 2012 on my PC for correspondence, to which ICQ, VKontakte and other contacts are connected. Personally, it’s convenient for me to use one program to communicate over several protocols. And the ability to view social media feeds from one place is very pleasing. Ideally, the only thing missing is support for Skype, which I use for voice communication, but it obviously won't appear.
    Although this program looks “abandoned”, because there have been no updates for a long time, it performs its assigned functions perfectly.

    strafer

    An interesting mixture of the topic of the post about data flows and the IM survey.

    According to the survey: Jabber/Jabber, which you shouldn’t have included in the list, although there is WhatsApp based on XMPP, and even Asechka, which is heading towards success.

    Jabber, in general, solves all these problems due to the openness of the protocol, the availability of clients for many platforms, and the availability of servers that can be set up independently. But chewing cacti is more traditional, yes.

    • The list includes clients, not protocols.
      ICQ... well, I didn’t put emoticons there, because it should be clear.
      Jabber definitely doesn't solve one problem - no one is there.

      • strafer

        Vadim Sterkin: Clients are listed, not protocols.

        Due to the fact that the protocol and source codes of the official client are closed, a natural identity is established between the only client and the protocol.

        Vadim Sterkin: ICQ... well, I didn’t put emoticons there, because it should be clear.

        It is not enough for the rotten mail girl that the asechka dies a natural death - they also make additional efforts to make it die faster.

        Vadim Sterkin: Jabber definitely doesn't solve one problem - there's no one there.

        Nevertheless, you yourself wrote for Telegram

        looks great, but it's empty (which can be fixed)

        Jabber had every chance of becoming what the e-mail ecosystem is today (complete openness of the protocol, the ability to set up your servers for anyone and ensure interaction between servers, etc.), but corporations do not need this, which is clearly seen in the example of the departure from him Google or proprietary WhatsApp.

        • For Telegram - fixable, for Jabber - very unlikely. Therefore, the first one is on the list, but the second one is not.

          • strafer

            Of course, Telegram is stylish, fashionable, youthful, but Jabber is not used by anyone cool like Pasha Durov. What are the prospects here?

            Hm... come out of your tank of “the whole world is against free software” conspiracy theories. All much easier

            If it’s not clear, this is what a person’s first experience of interacting with the officially recommended Jabber client on the most common mobile platform looks like.

            strafer

          • I didn’t understand a little where in my comment about the conspiracy.

            Yes, everywhere :) You are trying to attribute the failures of jabber to unfashionability and lack of youth, while its clients from the first screen are not adapted to modern reality.

            What should I see in the screenshot?

            Prompt to enter a phone number ~~~O~

          • strafer

            strafer: You are trying to attribute the failures of jabber to being unfashionable and not youthful

            Well, if that's the case.

            strafer: while its clients from the first screen are not adapted to modern reality.

            Those. to the current fashion, such as disclosing your phone number to everyone. Because I don’t understand why it should be introduced if it is not needed for the operation of the system, as for me it is absolutely wonderful that it is not asked here.

            Actually, I abandoned the account, despite the few remaining contacts there, precisely for this reason - Meirushechka, in an ultimatum form, demanded to link the phone number to the account, as a result of which she was sent to known coordinates.

            Yes, you don’t understand, even after explanations with pictures... This is not fashion, this is the only way to simplify registration from mobile devices, which form the basis of the audience of modern messengers and the only source for its growth.

            strafer

            The screenshot shows a request for a name, password and optional nickname. Where should we simplify more? Or, apart from the students of special schools, there are no more reserves left for audience growth, and there needs to be one button “do it for the sake of it”?
            Why is there a phone number at all and what should the messenger do with the phone number?

  • DIR /B C:\WINDOWS\System32\*.SCR

    DIR /B C:\WINDOWS\System32\*.* |FIND /i ".SCR"

    Describe in detail the purpose of the parameters of each command (remember that for each command you can call help with the /? key). Please note that the same keys may have different effects for different commands.

    4.1.8. NTFS* file streams

    The NTFS file system supports file streams - alternative data streams. In fact, file streams are a combination of several files into one group with one common file name (each stream has its own additional name). Within a group there is a main data stream, which most programs work with as a file, and additional named streams that are not displayed by normal means. During file operations of copying, moving, deleting, etc., in NTFS the operation is performed on the entire group. When using some archivers and copying files containing alternative streams to a FAT partition, these streams may be lost. Technically, alternate streams are used to supplement a file with information without changing the contents of the main stream and without creating additional files that may be lost.

    Alternative streams are used by antiviruses to save information about a file (“fingerprint”, checksum) to detect changes in the file over time. Direct Connect (DC++) file sharing clients can store hash results (checksum calculations) for large files that are used when a file is moved and re-hashed, greatly speeding up list updating.

    In the future, library programs, film libraries and audio libraries can use alternative streams to store, together with documents, streams of covers, audio tracks, descriptions, and in different languages. Alternate streams allow “secret” data to be attached, which is a potential danger.

You can view information about streams using the STREAMS command [25], the NTFS Stream Explorer [26] program, or file manager extension modules [27]; in Windows 7, the dir /r command displays a list of all streams for the specified objects (you can also use additional keys with the dir command).

When saving files from the Internet, by default a Zone.Identifier [28] stream is added to the file on NTFS; it has the INI file format and usually contains the text:

The ZoneId parameter with a number means the zone from which the file arrived on the computer; the zone number is taken from the security zone settings (Control Panel / Internet Options (Network and Internet / Browser Properties) / Security tab). The following values are allowed [29]:

0 – local computer
1 – intranet (local network, domain)
2 – trusted source
3 – Internet
4 – untrusted source

If the value is 3, the system issues the warning "Cannot verify the publisher. Do you really want to run this program?" At the bottom of the message there is a checkbox "Always ask when opening this file"; clearing it removes the Zone.Identifier stream. If ZoneId contains the value 4, the warning "These files cannot be opened. Internet security settings prevented you from opening one or more files" appears and opening the files is blocked. When you open the Properties window in Explorer for a file received from the Internet, the Unblock button appears at the bottom of the General tab together with the text "Caution: This file came from another computer and may have been blocked to protect your computer"; pressing Unblock removes the Zone.Identifier stream.

25 Streams (http://technet.microsoft.com/ru-ru/sysinternals/bb897440)
26 NTFS Stream Explorer, a program for working with NTFS streams (http://hex.pp.ua/ntfs-stream-explorer.php)
27 NTFS File Information (http://forum.farmanager.com/viewtopic.php?t=2050)
28 You can disable the creation of the blocking stream for files in the Local Group Policy Editor (gpedit.msc): User Configuration / Administrative Templates / Windows Components / Attachment Manager / Do not preserve zone information in file attachments.
29 Zone.Identifier stream (http://hex.pp.ua/Zone.Identifier.php)

    Using an Internet browser, download the STREAMS.zip file (any small file will do; substitute its name in the command below), save it to the root folder of the F: drive, and view the contents of its Zone.Identifier stream with the command:

    MORE< F:\Streams.zip:Zone.Identifier

    Open the Properties window in Explorer (Alt+Enter or the Properties context menu command) for the downloaded file, on the General tab, click the Unblock button, and repeat the previous command in the console.

    Create a test file by redirecting the output of the ECHO command, add an alternate stream to it the same way, and view the result:

    ECHO Main text > F:\M.TXT

    ECHO Hidden text > F:\M.TXT:Secret.TXT

    TYPE F:\M.TXT

    MORE< F:\M.TXT:Secret.TXT

    An alternative text stream can be loaded into notepad:

    NOTEPAD F:\M.TXT:Secret.TXT
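    Both procedures above (reading the Zone.Identifier stream and unblocking the file, and creating and reading a hidden text stream) in PowerShell, as an added example that is not part of the original article; it assumes PowerShell 3.0 or later and an NTFS volume, and constructs its own test file and Zone.Identifier content instead of downloading anything.

```powershell
# Added example, not from the original article. Assumes PowerShell 3.0+ and an NTFS volume;
# the demo file and its Zone.Identifier content are constructed below.
$ZoneNames = @{ 0 = 'local computer'; 1 = 'intranet'; 2 = 'trusted source'; 3 = 'Internet'; 4 = 'untrusted source' }

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item -Stream addresses file:stream the way MORE< file:stream does in cmd
    $zone = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'not marked'; Warns = $false; Blocked = $false }
    }
    # The stream body is INI text: a [ZoneTransfer] section containing a ZoneId=<n> line
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $id = if ($text -match '(?m)^\s*ZoneId\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Path    = $Path
        ZoneId  = $id
        Zone    = if ($null -ne $id -and $ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { 'unknown' }
        Warns   = ($id -eq 3)   # publisher warning; a .ps1 marked 3 is also refused under RemoteSigned
        Blocked = ($id -eq 4)   # opening is refused outright
    }
}

# Constructed demo: main stream, a hidden text stream, and an Internet-zone mark
$demo = Join-Path $env:TEMP 'M.TXT'
Set-Content -LiteralPath $demo -Value 'Main text'
Set-Content -LiteralPath $demo -Stream Secret.TXT -Value 'Hidden text'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Every stream of the file, the ordinary content appearing as ':$DATA'
Get-Item -LiteralPath $demo -Stream * | Select-Object Stream, Length
# Same as MORE< M.TXT:Secret.TXT
Get-Content -LiteralPath $demo -Stream Secret.TXT
Get-FileZone -Path $demo

# Same effect as the Unblock button: Zone.Identifier is removed, the other streams stay
Unblock-File -LiteralPath $demo
Get-FileZone -Path $demo
Get-Item -LiteralPath $demo -Stream * | Select-Object Stream, Length
```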

    Alternative streams can also be created for folders and system files [30].

    Streams are also used to store extended attributes [31].

    30 Hidden storage of data in the streams of the $Repair file in the $RmMetadata system directory (http://hex.pp.ua/RmMetadata.php)

    31 Extended NTFS and FAT16 attributes (http://hex.pp.ua/extended-attributes.php)

    Windows operating systems come with two little-known data hiding features: NTFS data streams (also known as alternate data streams) and Access-based Enumeration (ABE). Alternate data streams make it possible to attach hidden information, such as metadata about the file, to a file. You will probably never need hidden data streams yourself, but attackers can use this technology against you, so you should know that it exists and how it works.

    ABE, on the other hand, is a tool worth adding to your arsenal: it lets you make shared folders and files invisible to users who lack permission to access them.

    Here is what you need to know about these two features.

    Rivers feeding the sea of data

    Alternate data streams are a feature of the NTFS file system. They were first included in Windows NT 3.1 to allow NT and Macintosh users to share files.

    An NTFS file consists of data streams: the standard $DATA stream and possibly one or more alternate data streams. Any user with the necessary permissions on the file can see the $DATA stream, open it, and read and write data to it.

    An alternate data stream is additional information, or even whole files, that a user or application attaches to an NTFS file. In practice only the user who created an alternate data stream knows that it exists. Other users typically cannot tell whether an alternate data stream is attached to a file: neither the content of the stream nor its name is visible, and the file size shown does not change.

    There are many ways to use alternative data streams. On Windows, these streams are used to store summary data for documents created by applications that are not included with Microsoft Office, such as plain text (.txt) files. You can enter summary information, such as title, subject, and author information, on the Summary tab of the file's Properties dialog box. This summary data is stored in an alternate data stream, SummaryInformation.

    Windows components such as Encrypting File System (EFS) and Windows Explorer use alternate data streams to attach file-specific data to files stored on NTFS-formatted drives. EFS attaches its encryption and decryption information to encrypted files in alternate data streams, allowing for decentralized encryption and decryption by EFS.

    In Windows XP Service Pack 2 (SP2), Microsoft Internet Explorer (IE) uses the Security.Zone alternate data stream to record the security zone classification of files stored on an NTFS volume. This lets IE block escalation attacks in which a user downloads malicious code from a non-secure area of the Internet and stores the code on the local hard drive. IE classifies locally stored content into the Local Machine security zone, which grants more rights than the Internet security zone. XP SP2 always checks the Security.Zone data stream before allowing downloaded code to take any action on the local system.

    Channel for introducing malicious code

    What makes alternate data streams noteworthy and dangerous is that their names and contents are not displayed in Windows Explorer. Attackers therefore consider such streams a convenient place to hide data or malicious code that has entered the system. An example of the use of these streams is the VBS.Potok@mm worm, which used an alternate data stream to attach several Visual Basic (VB) scripts to an existing ODBC .ini file.

    When activated, the worm creates an account with administrative rights and sends itself to the addresses it finds in the Microsoft Outlook address book.

    Another danger is that the disk space occupied by alternate data streams is reflected neither in the file size shown by Windows Explorer nor in its free disk space figures. An attacker can use alternate data streams to fill up a file server's disk, leaving the administrator scratching his head trying to find where the space went. Note also that the Dir command line utility does not take alternate data streams into account when calculating the size of files and folders. Currently, only one Microsoft tool takes alternate data streams into account when calculating sizes: the Chkdsk utility.

    Adding a new stream

    Anyone with write access to an NTFS file can use ordinary operating system commands to attach an alternate data stream to the file. For example, the following command creates an alternate data stream named mystream, attaches it to a file named file.txt, and stores the phrase "top secret" in it:

    echo top secret > file.txt:mystream

    You can view the contents of mystream with the command

    more < file.txt:mystream

    As noted above, executable files can also be placed in alternate data streams. Thus it is possible to add a hidden copy of the Windows calculator (calc.exe) to file.txt. To do this, you only need to enter the command

    type calc.exe > file.txt:calc.exe

    To launch the hidden calculator, enter the command

    start .\file.txt:calc.exe

    You can verify for yourself that alternate data streams and their contents are not displayed by Microsoft tools. Open Windows Explorer and view the properties of file.txt. The actual file size is 112 KB (that is how much space the embedded calc.exe takes up), but the program shows the file size as 0 KB: there is nothing about the embedded file in the $DATA stream, and Windows Explorer does not read size information from alternate data streams.

    It is clear that there are many threats associated with alternative data streams, especially in networks where the work of issuing permissions to access NTFS resources is not given due attention and strict access control to Windows servers is not established. There is a simple security mechanism that can prevent hackers from trying to take advantage of alternative data streams - the NTFS access control system. If attackers do not have permission to write data to a file, they will not be able to create alternate data streams and append them to the file.

    Detecting Changes

    If you feel that hackers have bypassed your permissions, use one of the alternate data stream content discovery tools that have been developed to date. System integrity checkers, such as Tripwire Enterprise and Tripwire for Servers, can detect all changes to the NTFS file system that have occurred on a Windows system, including additions or changes to the contents of the data stream.

    Sysinternals' Streams program is a free command-line utility that lists the names of the alternate data streams attached to files. Figure 1 shows how to use the Streams utility to view the name of the calc.exe data stream that we previously added to file.txt. The utility can be downloaded from http://www.sysinternals.com/utilities/streams.html.

    Another easy way to detect an alternate data stream is to use Windows Explorer to copy the suspicious file to a drive with a file system other than NTFS (say, a FAT drive). Other file systems cannot hold alternate data streams, so if you try to copy an NTFS file with attached alternate data streams to a different file system, NTFS issues a warning similar to the one shown in Figure 2. Be aware, however, that if you copy the file in the Command Prompt window with the Copy command, Windows copies it to the non-NTFS file system and drops the data stream without any warning.
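    A way to inventory the streams that Explorer and DIR leave out of their size figures, added here as an example (not the article's code and not the Streams utility); it assumes PowerShell 3.0 or later on an NTFS volume, and the scan path 'D:\Shares\Docs' is a placeholder for the reader's own folder.

```powershell
# Added example (not the article's code): report the alternate streams that Explorer and DIR
# do not count. Assumes PowerShell 3.0+ on an NTFS volume.
function Find-HiddenStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Streams that are expected and skipped by default; pass @() to see everything
        [string[]]$Ignore = @('Zone.Identifier')
    )
    # Folders can carry streams too, so the walk is not restricted to files
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        # -Stream * returns every stream; ':$DATA' is the ordinary file content
        $ads = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream }
        if ($ads) {
            [pscustomobject]@{
                Item        = $item.FullName
                ShownSize   = if ($item.PSIsContainer) { 0 } else { $item.Length }   # what Explorer shows
                HiddenBytes = ($ads | Measure-Object -Property Length -Sum).Sum
                Streams     = ($ads | ForEach-Object { '{0} ({1} B)' -f $_.Stream, $_.Length }) -join ', '
            }
        }
    }
}

# Largest hidden payloads first: a 0 KB file carrying 112 KB of stream data stands out at once
Find-HiddenStreams -Path 'D:\Shares\Docs' | Sort-Object HiddenBytes -Descending | Format-Table -AutoSize
```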

    Hiding shared resources using ABE

    ABE is an optional file sharing layer feature that Microsoft first implemented in Windows Server 2003 SP1. It can be used in any Windows shared directory, regardless of the file system on which the shared data is stored. ABE allows administrators to hide folders and files stored on shared resources from users who do not have appropriate permissions to access them at the NTFS level. In other words, we are talking about providing security at the folder level.

    Where ABE is not used, users connecting to a shared directory see all files and folders on the share, including those they have no permission to read and those they are explicitly denied access to. When a user tries to open a file or folder they are not allowed to access, the system displays an error message saying that access is denied. Such messages confuse users, so enabling ABE can help reduce the support workload.

    However, using ABE also has its disadvantages. Before returning a list of objects in a folder to a client connected to a share, the server must check all ACLs on those objects so that it can determine what data to return. As a result, you may experience a significant decrease in system performance, especially when accessing shared resources that contain many objects.

    It is advisable to use ABE tools, for example, to configure public resources in user home directories. Instead of creating a hidden share for each user's home directory, you can create one share that contains the home directories of all users under the root home directory folder. Users will connect to this root directory, and you can use ABE as well as NTFS permissions to control the visibility of all users' home directories.

    Activating the ABE function

    This feature relies on the new share-level flag SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS; at the time of writing it is implemented only in Windows 2003 SP1 and Release 2 (R2). Setting this flag applies ABE to a given shared folder.

    You can set the flag either through the Windows Explorer folder properties extension or with the abecmd.exe command line tool. Microsoft distributes the ABE Explorer extension and abecmd.exe in the ABE installation package, an add-on for the Windows Server 2003 SP1 platform. The package can be downloaded from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084. Because ABE is a server-side extension, it works regardless of which version of Windows is installed on the client.

    After installing the ABE tools on the server, you can set the flag for a particular folder. Right-click the folder, select Properties, go to the Access-based Enumeration tab, and select Enable access-based enumeration on this shared folder, as Figure 3 shows. To apply ABE to all shared resources on the system, select Apply this folder's setting to all existing shared folders on this computer.

    The second method is to use the abecmd.exe command line tool. To apply the ABE function to the shareddocs public resource, enter the following command:

    abecmd /enable shareddocs

    You can use the /all option to enable ABE on all available resources, or use the /disable option to disable ABE.
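    The same share-level setting on Windows Server 2012 and later, where the SmbShare module supersedes abecmd.exe; this is an added example, not from the article, and assumes an elevated PowerShell session on the file server itself.

```powershell
# Added example (not from the article): ABE through the SmbShare module, Windows Server 2012+.
# Run elevated on the file server. Mirrors abecmd /enable <share> and abecmd /all.
function Enable-AbeOnShares {
    param(
        # Share names to change; by default every non-special share (admin shares such as C$ and IPC$ are skipped)
        [string[]]$Name
    )
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    if ($Name) { $shares = $shares | Where-Object { $Name -contains $_.Name } }
    foreach ($s in $shares) {
        if ($s.FolderEnumerationMode -eq 'AccessBased') { continue }   # already enforced
        # 'Unrestricted' is the weak default: every user sees every name on the share
        Set-SmbShare -Name $s.Name -FolderEnumerationMode AccessBased -Force
    }
    # Report the resulting state so the change can be verified
    Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path, FolderEnumerationMode
}

# abecmd /enable shareddocs  -> Enable-AbeOnShares -Name shareddocs
# abecmd /all                -> Enable-AbeOnShares
Enable-AbeOnShares -Name shareddocs
```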

    Access Control

    ABE is a simple tool that allows you to limit user permissions to only those files that they need to do their work. Users can easily find the files they need because they don't have to wade through unrelated folders, and they don't have to bother the support team with questions about why files they don't have permission to open won't open.

    To protect against attackers who exploit alternate data streams, administrators should keep an eye on the access control settings of their shares and use one of the utilities described above to find hidden alternate data streams and other changes to the NTFS file system.

    Jan De Clercq (declercq@hp.com) works in the Security Office of Hewlett-Packard, where he is responsible for identity and security management of Microsoft products. He is the author of Windows Server 2003 Security Infrastructures (Digital Press).