Windows Server Component security setting policy

Source: Internet
Author: User

A. Uninstall the WScript.Shell and Shell.Application components. Save the following commands as a .bat file and run it (Windows 2000 and 2003):
Windows2000.bat
    regsvr32 /u C:\WINNT\System32\wshom.ocx
    del C:\WINNT\System32\wshom.ocx
    regsvr32 /u C:\WINNT\system32\shell32.dll
    del C:\WINNT\system32\shell32.dll

Windows2003.bat
    regsvr32 /u C:\WINDOWS\System32\wshom.ocx
    del C:\WINDOWS\System32\wshom.ocx
    regsvr32 /u C:\WINDOWS\system32\shell32.dll
    del C:\WINDOWS\system32\shell32.dll

Be aware that shell32.dll is the core Windows shell library on which Explorer and most applications depend: deleting it, or unregistering all of its classes, affects far more than Shell.Application, and Windows File Protection on 2000/2003 restores protected system files from the dllcache anyway. The rename in section B and the cacls settings below are the more targeted options.
B. Rename the insecure component. Note that both the ProgID and the CLSID must be changed completely.
[Start → Run → regedit → Enter] opens the Registry Editor.
Then [Edit → Find → enter Shell.Application → Find Next].
Two registry keys are found this way:
{13709620-C279-11CE-A49E-444553540000} and Shell.Application.
Step 1: export both keys to a file such as xxxx.reg as a backup.
Step 2: decide on the rename, for example:
{13709620-C279-11CE-A49E-444553540000} becomes {13709620-C279-11CE-A49E-444553540001}
Shell.Application becomes Shell.Application_nohack.
Step 3: in the exported .reg file, replace the old CLSID and ProgID with the new ones as above, save it, and import it into the registry (double-click the file). After importing the renamed keys, do not forget to delete the original two keys. Note that a CLSID may contain only the hexadecimal digits 0-9 and A-F.
In fact, it is enough to export the key as a backup and then rename the key directly in the Registry Editor.
Example (you are encouraged to choose your own names rather than reuse these):
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\ProgID]
@="Shell.Application_nohack.1"

; the TypeLib GUID was not legible in the source text; take it from your own export
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\TypeLib]
@="{TYPELIB-GUID-FROM-YOUR-EXPORT}"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\Version]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\VersionIndependentProgID]
@="Shell.Application_nohack"

[HKEY_CLASSES_ROOT\Shell.Application_nohack]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application_nohack\CLSID]
@="{13709620-C279-11CE-A49E-444553540001}"

[HKEY_CLASSES_ROOT\Shell.Application_nohack\CurVer]
@="Shell.Application_nohack.1"
Old Du's comment: WScript.Shell and Shell.Application are important components for elevating privileges during a script intrusion. Uninstalling or modifying these two components greatly improves the script security of a virtual host; in general, ASP and PHP scripts can then no longer elevate privileges. Combined with settings for some system services, hard-disk access permissions, port filtering and Local Security Policy, the security of the virtual host can be improved greatly and the chance of hacker intrusion becomes very low. After the Shell component is deregistered, the chance of an attacker running a privilege-escalation tool is very small, but other script languages such as Perl also have shell capabilities, so it is better to configure those as well to prevent attacks. The following is another, similar set of settings.
1. Disable the FileSystemObject component
FileSystemObject can perform routine file operations. Renaming this component in the registry prevents the harm done by Trojans that rely on it.
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\
Change the name to another name, for example FileSystemObject_ChangeName.
Your own scripts can still call the component afterwards, under the new name.
Also change the CLSID value:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\ (the default value of this key)
You can also remove the component outright to prevent such harm.
Windows 2000, unregister the component: regsvr32 /u C:\WINNT\system32\scrrun.dll
Windows 2003, unregister the component: regsvr32 /u C:\WINDOWS\system32\scrrun.dll
How do you prevent Guest users from using scrrun.dll, and so from calling this component?
Use this command: cacls C:\WINNT\system32\scrrun.dll /e /d guests (C:\WINDOWS on 2003)
2. Disable the WScript.Shell component
WScript.Shell can call the system kernel to run basic DOS commands.
Renaming this component in the registry prevents the harm done by Trojans that rely on it.
HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\
Change the names to other names, for example WScript.Shell_ChangeName and WScript.Shell.1_ChangeName.
Your own scripts can still call the component afterwards, under the new name.
Also change the CLSID values:
HKEY_CLASSES_ROOT\WScript.Shell\CLSID\ (the default value of this key)
HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\ (the default value of this key)
You can also remove the component outright to prevent such harm.
3. Disable the Shell.Application component
Shell.Application can call the system kernel to run basic DOS commands.
Renaming this component in the registry prevents the harm done by Trojans that rely on it.
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
Change the names to other names, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.
Your own scripts can still call the component afterwards, under the new name.
Also change the CLSID values:
HKEY_CLASSES_ROOT\Shell.Application\CLSID\ (the default value of this key)
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\ (the default value of this key)
You can also remove the component outright to prevent such harm.
Prevent Guest users from using shell32.dll, and so from calling this component:
Windows 2000, run: cacls C:\WINNT\system32\shell32.dll /e /d guests
Windows 2003, run: cacls C:\WINDOWS\system32\shell32.dll /e /d guests
Note: all of these changes take effect only after the web service is restarted.
4. Disable cmd.exe for Guests
Windows 2000, run: cacls C:\WINNT\system32\cmd.exe /e /d guests
Windows 2003, run: cacls C:\WINDOWS\system32\cmd.exe /e /d guests
The four steps above stop several popular Trojans, but the most effective approach is a comprehensive security configuration that brings both the server and the applications up to standard, so that a wider range of intrusions is prevented.
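The steps above are easy to apply and just as easy to leave half-done (a ProgID renamed but its CLSID still registered, or a cacls deny applied on one of the two binaries only). The following read-only audit script is an added example, not part of the original article: it resolves each ProgID named above through HKEY_CLASSES_ROOT to its in-process server and checks the backing binaries for the Guests deny ACE. It assumes current PowerShell and uses $env:SystemRoot in place of the hard-coded C:\WINNT or C:\WINDOWS.

```powershell
# Added audit example (not from the original article). Read-only: reports whether
# each automation ProgID still resolves to a registered in-process server, and
# whether the binaries carry the Guests deny ACE that "cacls ... /e /d guests" adds.
# Paths use $env:SystemRoot rather than C:\WINNT / C:\WINDOWS. Run elevated.
$progIds  = 'WScript.Shell', 'WScript.Shell.1', 'Shell.Application',
            'Shell.Application.1', 'Scripting.FileSystemObject'
$binaries = "$env:SystemRoot\System32\wshom.ocx", "$env:SystemRoot\System32\scrrun.dll",
            "$env:SystemRoot\System32\shell32.dll", "$env:SystemRoot\System32\cmd.exe"

function Get-ComRegistration {
    param([string]$ProgId)
    # HKCR\<ProgId>\CLSID default value -> CLSID; HKCR\CLSID\<clsid>\InProcServer32 -> DLL path
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" `
                -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) {
        return [pscustomobject]@{ ProgId = $ProgId; Clsid = $null; Server = $null
                                  Status = 'ProgID absent: renamed or removed' }
    }
    $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" `
                -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        ProgId = $ProgId; Clsid = $clsid; Server = $server
        Status = $(if ($server) { 'REGISTERED: callable from ASP/VBS/PHP' } else { 'CLSID present but no InProcServer32: unregistered' })
    }
}

function Test-GuestsDenied {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; GuestsDenied = $null; Note = 'file not present' }
    }
    # cacls /e /d guests adds a Deny ACE for BUILTIN\Guests; look for exactly that
    $deny = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -match '\\Guests$'
    }
    [pscustomobject]@{
        Path = $Path; GuestsDenied = [bool]$deny
        Note = $(if ($deny) { 'Deny ACE for Guests present' } else { 'no Guests deny ACE' })
    }
}

$progIds  | ForEach-Object { Get-ComRegistration -ProgId $_ } | Format-Table -AutoSize
$binaries | ForEach-Object { Test-GuestsDenied -Path $_ }     | Format-Table -AutoSize
```

A ProgID reported as REGISTERED means a web script can still instantiate it by its original name, regardless of any file ACL, so the rename or unregistration above has not taken hold on that host.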
C. Prevent Serv-U privilege escalation (applies to Serv-U versions before 6.0; from 6.0 on, a password can be set directly)
Stop the Serv-U service first.
Open ServUDaemon.exe in UltraEdit.
Search for the ASCII strings LocalAdministrator and #l@$ak#.lk;0@P.
Overwrite both values with new strings of exactly the same length, and repeat the procedure for ServUAdmin.exe.

In addition, pay attention to the ACL on the folder where Serv-U is installed: do not grant the anonymous IIS user read access to these files. Otherwise the modified binaries can be read back and your administrator name and password recovered from them.
