Analysis of the "blocking" and "dredging" security techniques for the IPC$ share

Source: Internet
Author: User

IPC$ is the hidden share (the trailing $ keeps it out of browse lists) through which named pipes are exposed. Microsoft operating systems open named pipes to allow inter-process communication, including between machines: by presenting a trusted account name and password, the two parties establish an authenticated channel and exchange data over it to access the remote computer.

The design intent behind the IPC$ named-pipe share is therefore sound, and it genuinely makes the administrator's life easier. But because of weaknesses in how it is exposed, attackers can take advantage of it as well, and there are many published attack recipes against IPC$. Someone with no grounding in computer networking at all can, just by following such a recipe step by step, log on to a Microsoft server illegitimately and carry out destructive operations. Improving the security of the IPC$ share is therefore urgent.

To see the share on the server: right-click "My Computer", choose "Manage", and open "Shared Folders" > "Shares" in Computer Management. The right-hand pane lists the system's current shares, and IPC$ is among them.

Is there a way to improve the security of this IPC$ share? Two approaches can be chosen: "blocking" (removing the share) and "dredging" (keeping it but restricting who may use it).

Method 1: blocking, removing the IPC$ share

Removing the share is clearly the most fundamental way to eliminate the IPC$ risk. Unlike an ordinary shared folder, however, it is not easy to remove. If you right-click the "IPC$" entry in the share management window above and choose "Stop Sharing", the system answers with an error along the lines of "This share is required by the Server service and cannot be deleted". So the conventional method cannot be used to remove the IPC$ share.

Instead, the share can be removed through registry settings:

1. Run "regedit" from the Start menu (Start > Run) to open the Registry Editor.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.

3. On a server operating system such as Windows Server 2003, create a DWORD (32-bit) value named "AutoShareServer" under this key and set it to 0. On an ordinary workstation system, create a DWORD value named "AutoShareWks" instead, likewise set to 0.

4. Restart the system (or the Server service). After the restart the automatic default shares are no longer created.
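The same change as an added PowerShell example, not code from the original article, so that the effect can be observed rather than assumed. It chooses AutoShareWks or AutoShareServer from the Windows edition, restarts the Server service instead of rebooting, and lists the special (administrative) shares before and after. Get-SmbShare requires Windows 8 / Server 2012 or later; the elevated session and the decision to restart the service rather than reboot are this example's assumptions.

```powershell
# Added example (not from the original article): disable the automatic
# administrative shares through the registry and show what actually changes.
# Assumptions: run in an elevated PowerShell on Windows 8 / Server 2012 or
# later (for Get-SmbShare); restarting LanmanServer drops every SMB session.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = server. Workstation editions read AutoShareWks, the others AutoShareServer.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$valueName = if ($os.ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

Write-Host "Special shares before (value: $valueName):"
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path

# REG_DWORD 0 = do not create C$, D$, ADMIN$ when the Server service starts.
New-ItemProperty -Path $params -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# Apply without a reboot. This disconnects all current SMB clients.
Restart-Service -Name LanmanServer -Force

Write-Host "Special shares after:"
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path
# Expect the drive roots and ADMIN$ to be gone while IPC$ is still listed:
# the Server service creates IPC$ unconditionally, so this value does not
# remove it. Confirm on your own build before relying on it.

# To undo: set the value back to 1 (or delete it) and restart LanmanServer.
# Set-ItemProperty -Path $params -Name $valueName -Value 1
```

Compare the two listings: the drive shares disappear, IPC$ does not, which is the point the "blocking" method quietly misses and the reason the caveats that follow matter.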

Two points need attention, though, when the default shares are forcibly removed through the registry.

First, the setting does not single out IPC$: it removes every automatic administrative share. On Windows 2000, for example, not only IPC$ but also C$ and the other drive roots (and ADMIN$) are shared by default, and this method disables the drive shares too. Worse for the stated goal, IPC$ is the one share the Server service creates unconditionally: on the Windows versions in common use, AutoShareServer and AutoShareWks suppress C$ and ADMIN$ but leave IPC$ in place, so the only way to truly be rid of it is to stop the Server service, which ends all file and print sharing on the host.

Second, as the error message above already said, the Server service and some other system services depend on the IPC$ share. Removing it can interfere with those services or even prevent them from starting.

In practice, therefore, I do not recommend this "blocking" method of forcibly disabling the default IPC$ share. I suggest the "dredging" method below instead: keep the default share, but restrict its use.

Method 2: dredging, restricting use

Some services, Microsoft's own applications in particular, require the IPC$ named-pipe share. Microsoft SQL Server, for example, needs the IPC$ share when clients connect over the Named Pipes protocol; without it those connections fail. The IPC$ named pipe is also the channel through which SQL Server integrates seamlessly with the Windows Server operating system. So although disabling the IPC$ share does improve the security of the server operating system, it also renders some application services unusable. Destroying the good along with the bad in this way is not the best strategy.

We therefore recommend the "restricted use" method for improving the security of the IPC$ named-pipe share. It is fairly simple and, again, is done through the registry.

Open the Registry Editor as above and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. This key holds a value named RestrictAnonymous with three possible settings. 0, the system default, imposes no restriction: any user, anonymous users included, can use the named-pipe share. 1 prevents anonymous users from enumerating the accounts on the machine. 2 denies anonymous users any access that has not been explicitly granted, so they cannot connect to the host's IPC$ share at all. Setting 2 is generally not recommended, because application services that depend on the named-pipe share may then fail to start; on Windows 2000, trusts with older domains and the Computer Browser service are known casualties.

The three-level setting above applies to the earlier Microsoft operating systems. Starting with Windows XP and Windows Server 2003, a separate value in the same key, RestrictAnonymousSAM, takes over the account-enumeration part, and RestrictAnonymous itself becomes a 0/1 switch that additionally governs anonymous share enumeration. RestrictAnonymousSAM has two settings: 1, the system default, means anonymous users cannot enumerate the host's accounts; 0 allows them to. In general, then, the default of 1 should simply be kept, or restored if an administrator or tool has cleared it.
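As an added example covering both the RestrictAnonymous value above and RestrictAnonymousSAM, and not code from the original article: a PowerShell script that records the current LSA anonymous-access values, sets them to the "dredging" levels (enumeration blocked, authenticated use still allowed), and then checks the result with a null session and an anonymous share listing. The target name localhost, the elevated session, and the inclusion of the related EveryoneIncludesAnonymous value are this example's assumptions.

```powershell
# Added example (not from the original article): audit and tighten the LSA
# values that decide what an anonymous (null-session) IPC$ connection may do,
# then verify. Assumptions: elevated PowerShell; 'localhost' is the host under
# test; XP/2003 or later semantics for RestrictAnonymous (0/1 switch).

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousPolicy {
    # A value that does not exist comes back as $null, distinguishing "unset" from 0.
    $p = Get-ItemProperty -Path $lsa
    [pscustomobject]@{
        RestrictAnonymous         = $p.RestrictAnonymous
        RestrictAnonymousSAM      = $p.RestrictAnonymousSAM
        EveryoneIncludesAnonymous = $p.EveryoneIncludesAnonymous
    }
}

"Before:"; Get-AnonymousPolicy | Format-List

# RestrictAnonymousSAM      = 1  anonymous callers may not enumerate SAM accounts
# RestrictAnonymous         = 1  anonymous callers may not enumerate shares either
#                                (on Windows 2000 the stronger level is 2; test first)
# EveryoneIncludesAnonymous = 0  anonymous logons are not members of Everyone, so
#                                ACLs that grant Everyone do not apply to them
$desired = @{ RestrictAnonymousSAM = 1; RestrictAnonymous = 1; EveryoneIncludesAnonymous = 0 }
foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $lsa -Name $name -Value $desired[$name] -Type DWord
}

"After:"; Get-AnonymousPolicy | Format-List

# Verification: open a null session to IPC$, then try an anonymous share listing.
# With the values above the listing should fail with "Access is denied".
# Authenticated named-pipe clients such as SQL Server are unaffected, because
# they never log on anonymously.
$target = 'localhost'   # assumption: replace with the server being checked
cmd.exe /c "net use \\${target}\ipc`$ `"`" /user:`"`" 2>&1"
cmd.exe /c "net view \\${target} 2>&1"
cmd.exe /c "net use \\${target}\ipc`$ /delete 2>&1" | Out-Null
```

The registry values take effect for new sessions immediately; existing SMB sessions keep the access they negotiated, so re-run the verification from a machine that was not already connected. Keep the "Before" output: it is what you restore if a dependent service turns out to need anonymous enumeration.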

I also have the following suggestions for this "dredging" method:

First, decide the settings according to the application services the server runs. If SQL Server is running on the server (on Windows Server 2003, say), set RestrictAnonymousSAM to 1: anonymous users may not enumerate the server's accounts, but authenticated users can still use the share. SQL Server and the other database systems then start normally, and the server's exposure is reduced at the same time.

Second, be careful when setting up applications that do not need the IPC$ named pipe. Some cross-platform applications, such as Oracle databases, do not use it. In theory the IPC$ named pipe can then be removed, eliminating attacks over it altogether and improving the server's security. It is best to test rigorously before removing it, though: a server usually runs more than one application service, and while Oracle may not need the IPC$ share, another service on the same machine may. Whether to disable the IPC$ named pipe is something the enterprise server administrator must test before deciding.

In short, on the security of the default IPC$ share, my position is that dredging beats blocking: restricting use is better than disabling. As the saying goes, do not give up eating for fear of choking. As long as anonymous use of the default IPC$ share is reasonably restricted, its security can be assured without adversely affecting the other application services.

Original article of IT Expert Network; reproduction without permission is prohibited.
