Q: What are NTFS file streams? Do they have any security risks associated with them? How can I detect them?
A: NTFS file streams are also referred to as alternate data streams. An NTFS file always includes a default data stream, the $DATA stream, which includes the file's content. NTFS files can also have alternate data streams that Windows Explorer can't see and that attackers can therefore use to hide malicious information or code on your system. The main reason why Microsoft included the alternate data stream capabilities in NTFS was to enable an NT system to act as a file server for Macintosh clients. The Mac OS uses a similar feature, resource forks, to store file metadata (e.g., date and time information).
To set up an alternate data stream, open a command line and type
echo top secret > file.txt:stream1
This command adds an alternate data stream called stream1 to the file.txt file. To display stream1's contents, type the following command:
NTFS alternate data streams are dangerous. You don't want a malicious user to hide anything on any of your organization's core systems (e.g., file servers, Web servers, domain controllers—DCs). The first level of protection you should use is the NTFS access control settings. If attackers can't access a file, they can't create alternate data streams. If a malicious user manages to bypass the permissions you've set, you'll need special tools to detect the existence of alternate data streams. System-integrity-checking software, such as Tripwire's line of integrity-checker solutions, can detect any system changes, as well as changes to alternate data streams. You can find more information about Tripwire at http://www.tripwiresecurity.com. To find out whether files have alternate data streams, you can use Sysinternals' Streams command-prompt utility, which is freely available at its Web site.