Renaming or uninstalling unsafe components

Unsafe components are no surprise

I added an unsafe-component detection function to the 7I24 probe 1.9. (In fact, it was written with reference to another author's code; I only made the interface a bit friendlier, and the detection method is basically the same as his.) This feature gave many webmasters no small shock, because they discovered that their servers support a lot of unsafe components.

In fact, as long as the permissions described above are set, FSO, XML and Stream are no longer unsafe components, because they have no permission to reach outside their own folder or site. That "Happy Time" is nothing to fear either: with anti-virus software in place, what is there to be afraid of?

The most dangerous components are WSH and Shell, because they can run programs such as EXE files on your hard disk. For example, they can run a privilege-escalation program to elevate Serv-U permissions, and even use Serv-U to run system programs with higher privileges.

Carefully decide whether to uninstall a component

Components exist to be used, not to be unsafe, and every component has its uses. So before uninstalling a component, you must confirm that your website's programs do not need it, or that removing it makes little difference. Otherwise you can only keep the component and put the effort into your ASP programs themselves, to keep others from getting in, rather than guarding against a shell after they are already in.

For example, FSO and XML are among the most commonly used components, and many programs use them. The WSH component is used by some host management programs, as well as by some packaging programs.

Uninstalling the least secure components

The simplest way is to unregister the component directly and then delete the corresponding program file. Save the following code as a .BAT file (Windows 2000 is the example here; on 2003 the system folder should be C:\WINDOWS\):

rem wshom.ocx provides Wscript.Shell and Wscript.Network
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
rem shell32.dll provides Shell.Application
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll

Then run it, and Wscript.Shell, Shell.Application and Wscript.Network will be unregistered. You may be told that a file cannot be deleted; do not worry about it. Restart the server and you will find that all three now show "x security".

Renaming unsafe components

Note that both the name of the component and its CLSID must be changed, and changed completely. The method is introduced below using Shell.Application as the example.

Open Registry Editor (Start → Run → regedit, Enter), then choose Edit → Find, enter Shell.Application and click Find Next. This finds two registry keys: "{13709620-c279-11ce-a49e-444553540000}" and "Shell.Application". To be on the safe side, export these two registry keys and save them as .reg files.

Suppose we want to make the following changes:

13709620-c279-11ce-a49e-444553540000 is renamed to 13709620-c279-11ce-a49e-444553540001
Shell.Application is renamed to Shell.application_ajiang

Then replace the contents of the .reg files you just exported according to the mapping above, and import the modified .reg file into the registry (double-click it). After importing the renamed registry keys, don't forget to delete the two original keys. Note that a CLSID may contain only the ten digits and the six letters a, b, c, d, e and f.

Here is my modified code (I have merged the two files into one):

Windows Registry Editor Version 5.00

; Renamed CLSID key
[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\InProcServer32]
@="C:\\winnt\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\ProgID]
@="Shell.application_ajiang.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\Version]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\VersionIndependentProgID]
@="Shell.application_ajiang"

; Renamed ProgID key
[HKEY_CLASSES_ROOT\Shell.application_ajiang]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.application_ajiang\CLSID]
@="{13709620-c279-11ce-a49e-444553540001}"

[HKEY_CLASSES_ROOT\Shell.application_ajiang\CurVer]
@="Shell.application_ajiang.1"

You can save this as a .reg file and try it, but don't just use it as it stands, because a hacker who has read my article would try the name I changed it to.

Prevent listing of user groups and system processes

In arjunolic ASP probe 1.9 I used GetObject("WINNT") to obtain the list of system users and system processes. This list could be exploited by hackers and should be hidden as follows: go to Start → Programs → Administrative Tools → Services, find Workstation, stop it and disable it.
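
The .reg rewrite described under "Renaming unsafe components" can be scripted so that no occurrence of the old name is missed. The following is an added example, not code from the original article: the function name, the constructed sample export and the choice to emit the two deletions as a separate .reg text (using the "[-key]" delete syntax) are assumptions of this example.

```python
import re

# A CLSID uses only the digits 0-9 and the letters a-f, in 8-4-4-4-12 layout.
CLSID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
ROOT = "HKEY_CLASSES_ROOT\\"

def rename_component(reg_text, old_clsid, new_clsid, old_progid, new_progid):
    """Return (renamed_reg, delete_reg) for an exported COM registration."""
    for clsid in (old_clsid, new_clsid):
        if not CLSID_RE.fullmatch(clsid):
            raise ValueError("invalid CLSID: " + clsid)
    if old_clsid.lower() == new_clsid.lower() or old_progid.lower() == new_progid.lower():
        raise ValueError("both the CLSID and the ProgID must change")
    # Replace every occurrence of the CLSID, in key paths and in values.
    out = re.sub(re.escape(old_clsid), lambda m: new_clsid, reg_text, flags=re.I)
    # Replace the ProgID as a whole name; a ".1" version suffix is kept.
    whole = r"(?<![\w.])" + re.escape(old_progid) + r"(?!\w)"
    out = re.sub(whole, lambda m: new_progid, out, flags=re.I)
    # Both keys must be in the export, otherwise the rename is only partial.
    headers = {ln.strip().lower() for ln in out.splitlines() if ln.startswith("[")}
    for key in ("[" + ROOT + "CLSID\\{" + new_clsid + "}]", "[" + ROOT + new_progid + "]"):
        if key.lower() not in headers:
            raise ValueError("export is missing " + key)
    # A "[-key]" entry deletes a key on import: the two originals to remove.
    delete_reg = "\n".join([
        "Windows Registry Editor Version 5.00", "",
        "[-" + ROOT + "CLSID\\{" + old_clsid + "}]",
        "[-" + ROOT + old_progid + "]", ""])
    return out, delete_reg

# Constructed sample: shortened export of the two keys, with the article's values.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}\ProgID]
@="Shell.Application.1"

[HKEY_CLASSES_ROOT\Shell.Application]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application\CLSID]
@="{13709620-C279-11CE-A49E-444553540000}"
"""
```

Call rename_component(SAMPLE, old CLSID, new CLSID, "Shell.Application", your own new name), import the first returned text, then the second once the renamed component has been confirmed to work.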