Solution to Server Overflow Elevation of Privilege

Source: Internet
Author: User

Today, user and system vulnerabilities are attacked frequently. Network and system administrators may put great effort into server security, such as applying security patches promptly and making the usual security configurations, yet the server is sometimes still insecure. Therefore, before a malicious user breaks in, a series of security settings must be put in place to keep intruders outside the "security door". Below, the simplest and most effective protections against overflow attacks, and against local access after a successful overflow, are offered to you.

I. How to prevent overflow attacks

1. Install patches for system vulnerabilities as promptly as possible. For example, a Microsoft Windows Server system can enable the Automatic Updates service; the server then connects to the Microsoft Update website at the specified time and applies patch updates automatically. If your server is forbidden to connect to the Internet for security reasons, you can use the Microsoft WSUS service to update your servers over the intranet.

2. Stop all unneeded system services and applications to minimize the server's attack surface. For example, the MSDTC overflow a few days ago caused many servers to fall. In fact, if a web server does not use the MSDTC service at all, you can stop the MSDTC service, and then the MSDTC overflow poses no threat to your server at all.

3. Enable TCP/IP port filtering. Open only the commonly used TCP ports such as 21, 80, 25, 110, and 3389. If the security requirement is higher, you can also block the UDP ports; the drawback is that outbound connections from the server become inconvenient, so we recommend using IPSec to block UDP instead. In protocol filtering, "permit only" the TCP protocol (protocol number 6), the UDP protocol (protocol number 17) and the RDP protocol (protocol number 27); leave the other, unneeded items closed.
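The port allowlist from item 3, expressed with the Windows Firewall cmdlets (NetSecurity module, Windows Server 2012 and later). This is an added example and not part of the original article; the article's own "TCP/IP Filtering" dialog is the older equivalent. The port list mirrors the article, the rule group name is an assumption, and the script expects an elevated PowerShell session.

```powershell
# Added example (not from the original article): inbound default-deny plus one
# explicit allow rule per port from item 3. Assumes Windows Server 2012+ and an
# elevated session. Adjust $AllowedTcpPorts before running on a real host.

$AllowedTcpPorts = @(21, 25, 80, 110, 3389)        # ports named in the article
$RuleGroup       = 'Hardening-Inbound-Allowlist'   # assumed group name

# 1. Default-deny inbound on every profile; outbound stays open because the
#    article recommends blocking outbound UDP with IPSec rather than here.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove earlier rules from this group so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. One allow rule per port; anything not listed is dropped by the default action.
foreach ($port in $AllowedTcpPorts) {
    New-NetFirewallRule -DisplayName "Allow TCP $port" -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow | Out-Null
}

# 4. Verify: list every enabled inbound allow rule with its port filter, so that
#    built-in rules (file sharing, remote management, ...) that are still enabled
#    become visible alongside the allowlist and can be disabled if unwanted.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Group     = $_.Group
            Protocol  = $filter.Protocol
            LocalPort = $filter.LocalPort
        }
    } | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

The verification step matters more than the rules themselves: a default-deny inbound action is only as strict as the set of allow rules that remain enabled, and Windows ships with several. Review that table before trusting the host to expose only the five listed ports, and keep 3389 in the list if the session you run this from is itself an RDP session.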

4. Enable an IPSec policy: perform security authentication on connections to the server and add a second layer of insurance. As mentioned in item 3, some dangerous ports can be blocked here, such as 135, 145, 139 and 445, as well as outbound UDP connections; you can also encrypt the traffic and communicate only with trusted IP addresses or networks. (Note: in fact, the defense against reverse-connection trojans is simply to use IPSec to prohibit outbound access over UDP or over uncommonly used TCP ports. IPSec applications are not covered further here; search for "IPSec" in the server security section and you will find plenty of material on them.)

5. Delete, move, rename, or use access control lists (ACLs) to control critical system files, commands, and folders:

(1) After a successful overflow, intruders use programs such as net1.exe, ipconfig.exe, user.exe, query.exe, regedit.exe and regsvr32.exe to control the server further, for example to add an account or clone the Administrator account. You can delete or rename these command programs here. (Note: when deleting or renaming a file, stop the File Replication Service first, or also delete or rename the corresponding copy under %windir%\system32\dllcache.)

(2) Alternatively, move these .exe files to a folder of your choosing, which keeps them convenient for the administrator to use later.

(3) ACL control: find the files commonly used by hackers under %windir%\System32, such as net.exe, net1.exe, ipconfig.exe, tftp.exe, ftp.exe, user.exe, reg.exe, regedit.exe, regedt32.exe and regsvr32.exe, and define in Properties → Security which users may access them; for example, only the administrator has access. If you want to prevent overflow attacks and the illegal use of these files after a successful overflow, you only need to deny the system user access in the ACLs.

(4) You can also use the system command cacls.exe to edit and modify the ACLs of these .exe files, or write the commands into a .bat batch file and execute it. (For details, see cacls /?; there are too many commands to list, so no batch code is written out here.)

(5) For overall security it is also necessary to set security ACLs on the disks, such as C/D/E/F, and, on Windows 2000, on folders such as Winnt, Winnt\System, and Documents and Settings.
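Items (3) and (4) scripted, as an added example that is not from the original article. It uses Get-Acl/Set-Acl in place of cacls.exe, saves each file's DACL with icacls /save before touching it so the change can be reverted, and then adds a Deny entry for the chosen principal. The principal, file list and backup folder are parameters and the defaults are constructed for illustration; the article's own recommendation is to deny the account the exposed service runs as.

```powershell
# Added example (not from the original article): deny Read & Execute on the
# System32 tools listed in item 5 for one principal, with a DACL backup first.
# Assumptions: elevated session; $Principal/$Files/$BackupDir are placeholders.
# Windows File Protection may restore a replaced file (see the dllcache note in
# item 5 (1)); an ACL change does not trigger that, but test on a lab host first.

param(
    # Constructed default; the article suggests the account the service runs as.
    [string]$Principal = 'BUILTIN\Users',
    [string[]]$Files = @('net.exe', 'net1.exe', 'ipconfig.exe', 'tftp.exe', 'ftp.exe',
                         'reg.exe', 'regedit.exe', 'regedt32.exe', 'regsvr32.exe'),
    [string]$BackupDir = "$env:SystemDrive\AclBackup"   # assumed location
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$System32 = Join-Path $env:windir 'System32'

foreach ($name in $Files) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path $path)) { Write-Warning "$path not present, skipping"; continue }

    # Backup. Revert later with:  icacls $System32 /restore <BackupDir>\<name>.acl
    & icacls.exe $path /save (Join-Path $BackupDir "$name.acl") /Q | Out-Null

    # Deny ACEs are evaluated before Allow ACEs, so this wins over inherited
    # Allow entries for the same principal.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Denied ReadAndExecute on $name for $Principal"
}

# Verify: show only the Deny entries now present on each file.
foreach ($name in $Files) {
    $path = Join-Path $System32 $name
    if (Test-Path $path) {
        (Get-Acl -Path $path).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            Select-Object @{ n = 'File'; e = { $name } }, IdentityReference, FileSystemRights
    }
}
```

Keep the .acl backups somewhere the denied principal cannot write to, and remember that a Deny entry for a broad group also binds any administrator who is a member of it; that is why the principal is a parameter rather than hard-coded.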

6. Modify the registry to disable the command interpreter (CMD) and the running of batch files (.bat). Method: under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, create a new DWORD (REG_DWORD) value named DisableCMD and set it to 1; the command interpreter and batch files can then no longer be run. If the value is changed to 2, the command interpreter is disabled. If the value is changed to 0, the CMD command interpreter is enabled. If you would rather not do this by hand, save the following as a .reg file and import it:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

7. Lower the privileges of services that run with System permissions. (For example, run services or applications that otherwise run as System, such as Serv-U, IMail, IIS, PHP, MSSQL and MySQL, under another administrator account or even an ordinary user account instead; this is much safer. The premise, however, is that you understand the basic running state of these programs and the APIs they call.)

In fact, besides the methods above for preventing overflow attacks, there are many other methods: for example, restrictions via Group Policy, or a write-protection filter program that uses a DLL loaded into Windows to hook the relevant shell and dynamic-link programs. Of course, writing code for verification and encryption requires a deep Win32 programming foundation and much research into shellcode. This article only discusses simple solutions, so other methods are not described here.
