Chapter 5: Protecting High-Risk Files


Overview

A default installation of Microsoft Windows XP Professional or Windows Server 2003 copies more than 8,000 files to the local hard disk. Dozens of them are more likely to be used maliciously by an attacker than legitimately by end users or administrators, and by default regular end users hold Read and Execute NTFS permissions on most of these files and folders (see Chapter 3 for details).

For example, Debug.exe is a legacy debugger and assembler. In the early days of the IBM PC and PC-DOS, programmers commonly used it to create, view, and disassemble 8- and 16-bit executables (program files with .Com and .Exe extensions). Today no legitimate programmer uses it. First, it is a very old program: it can only produce legacy programs that Microsoft no longer wants to support. Second, its feature set and usability are so poor that any programmer who might actually have cause to use it reaches for something else. Attackers, however, can use it to assemble malware and to overwrite legitimate files; for the last decade it is probably fair to say that malware authors are the only people still using it. Yet even today it is nearly impossible to remove from Windows: Windows File Protection prevents you from deleting, renaming, or modifying it. This chapter covers high-risk files such as Debug.exe and details how to minimize the risk they pose.
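The following script is an added example and is not code from the book. It shows one practical way to act on the point above: Windows File Protection stops you from deleting or renaming Debug.exe, but it does not stop you from changing the file's DACL, so you can audit which high-risk binaries ordinary users can execute and, if you choose, add an explicit Deny ACE on ExecuteFile for BUILTIN\Users while the file stays in place. The file list, the principal, and the output labels are assumptions made for illustration; the list contains only Debug.exe because that is the one file this overview names, and you would extend it from your own inventory.

```powershell
# Added example (not from the book): audit, and optionally restrict, the execute
# rights that ordinary users hold on high-risk system binaries such as Debug.exe.
# Run from an elevated PowerShell prompt. Without -Restrict the script only reports.
param(
    [string[]]$HighRiskFiles = @("$env:SystemRoot\System32\debug.exe"),  # assumed list
    # Caveat: BUILTIN\Users contains NT AUTHORITY\Authenticated Users, so a Deny for
    # this group also blocks administrators from running the file. Never point this
    # at Administrators or SYSTEM directly.
    [string]$Principal = 'BUILTIN\Users',
    [switch]$Restrict
)

$execRight = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-ExecuteAces {
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string]$Identity
    )
    # Return every ACE (explicit or inherited) for $Identity that carries ExecuteFile
    $Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        (([int]$_.FileSystemRights) -band ([int]$execRight)) -ne 0
    }
}

foreach ($path in $HighRiskFiles) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Output ("MISSING    {0}" -f $path)
        continue
    }

    $acl   = Get-Acl -LiteralPath $path
    $aces  = @(Get-ExecuteAces -Acl $acl -Identity $Principal)
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

    if ($deny.Count -gt 0) {
        Write-Output ("DENIED     {0}  ({1} already has a Deny on execute)" -f $path, $Principal)
        continue
    }
    if ($allow.Count -eq 0) {
        Write-Output ("NO-EXEC    {0}  ({1} holds no execute right)" -f $path, $Principal)
        continue
    }

    # The usual default is a Read & Execute ACE inherited from %SystemRoot%\System32
    $inherited = @($allow | Where-Object { $_.IsInherited }).Count -gt 0
    Write-Output ("EXECUTABLE {0}  ({1} can execute; inherited={2})" -f $path, $Principal, $inherited)

    if (-not $Restrict) { continue }

    # A Deny ACE is evaluated before Allow ACEs, so it overrides the inherited
    # Read & Execute grant without breaking inheritance for the whole folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $execRight, [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    try {
        Set-Acl -LiteralPath $path -AclObject $acl
    } catch {
        # On Windows Vista and later, system binaries are owned by TrustedInstaller and
        # even Administrators cannot rewrite the DACL until they take ownership (for
        # example with takeown.exe). On XP/2003, Administrators have Full Control.
        Write-Warning ("Could not set DACL on {0}: {1}" -f $path, $_.Exception.Message)
        continue
    }

    # Verify by re-reading the DACL rather than trusting the write
    $check = @(Get-ExecuteAces -Acl (Get-Acl -LiteralPath $path) -Identity $Principal |
               Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
    if ($check.Count -gt 0) {
        Write-Output ("RESTRICTED {0}" -f $path)
    } else {
        Write-Warning ("Deny ACE not present after write on {0}" -f $path)
    }
}
```

Run it once without -Restrict to see which files in the list regular users can actually execute, then with -Restrict to apply the Deny. Because the Deny is an explicit ACE on the file, it survives the inherited permissions of the parent folder, and because the file itself is untouched, Windows File Protection has nothing to object to. Keep the caveat in mind that a Deny for BUILTIN\Users reaches administrators as well; if an administrator genuinely needs the tool, deny a narrower group instead.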



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122
