Analysis of the Security of Windows NT, 1 March 1999, p. 91

Command   Description
XCOPY     Copies files and directory trees.
VER       Displays ERD Commander version number

TABLE 9. Commands in ERD Commander as described on the Web site.

Both a read-only and a read/write version of the program exist. If the read-only version is used, the following commands are disabled: ACCESS, COPY, DEL, MOVE, RENAME and XCOPY.

D.3.4 NTRecover

NTRecover is an NT utility that can be used to recover a dead system. It can only be used on x86-based NT installations. Using NTRecover, it is possible to access file systems even when the computer fails to boot NT. The following equipment is necessary:

• the non-booting system (client)
• a working NT system with NT version 3.51 or 4.0 (host)
• a standard null-modem serial cable, used to connect the client with the host.

The utility consists of both client and host software, where the client program is executed on the failed system and the host program runs on the working system. The failed system is booted off a floppy directly into the NTRecover program. Once the client and host programs are started and configured on their respective computers, native NT file systems such as NTFS and FAT on the client machine are visible on the host computer. There are two versions of the utility: a free trial version that permits only read-only access to the damaged system, and a retail version that offers both read and write access.

D.3.5 Ghost

Ghost is a utility that can be used to install completely new copies of operating systems, such as Windows 95, NT and OS/2, on a local partition. The source files can reside on either local or remote computers. The program runs under MS-DOS. However, it can be used to reinstall operating systems on FAT partitions as well as on NTFS partitions. Ghost can also be used for backup purposes. An evaluation copy of the product can be retrieved from the Internet, see appendix E.

D.4 Keyboard Filtering (ctrl2cap)

Ctrl2Cap is a program written by Mark Russinovich that demonstrates how to write kernel mode drivers for NT. Its main purpose is to convert the control (ctrl) key to the shift key, so the program itself is not harmful, but its implications are. We believe that by extending this driver or writing a similar program it is possible to catch and manipulate any key pressed on the keyboard before NT sees it, which means that it is feasible to snoop and save passwords as they are entered. It is also possible to filter out the ctrl-alt-delete key combination, which would totally lock the workstation, since no user would be able to log on to that station. This in turn would cause trouble on workstations shared among several users, or could be used by a mali-