Anti-Overflow Privilege Escalation Solution

This article will introduce you to the Microsoft series (Win2k Win2k3) SERVER, how to easily and quickly solve security threats such as bounce Trojan, Overflow, elevation of permissions, and bounce Shell attacks. After reading this article, you can protect your server from security threats such as overflow and elevation of permissions.

Preface:
Today, as hackers frequently attack and system vulnerabilities emerge in an endless stream, as network administrators and system administrators, we have made a lot of effort in server security: for example, install system security patches and perform some regular security configurations in a timely manner. However, it is unlikely that each server will immediately patch the system. Therefore, we need to block intruders from the "security door" through a series of security settings before they are intruded; next, let's talk about the simplest and most effective solution to Overflow and local permission attack that I have been using: (because N has no time to write articles, I have promised you to write this article for you before, but you have never had time to write it. You may not be able to write this article ...)

Server Security Settings-anti-Overflow Privilege Escalation solution body:

1. How can we prevent overflow hacker attacks?

① Install patches for system vulnerabilities as much as possible. For example, the system of the Microsoft Windows Server series can enable the automatic update service, then, the server is automatically connected to the Microsoft Update Website for patch updates within a specified period of time. If your server prohibits Internet connections for security reasons, you can use the Microsoft WSUS service to upgrade your server over the Intranet. (For installation and configuration of Microsoft WSUS 2.0, refer to this article: http://www.31896.net/html/2006-1-5/14001689122.shtml)

② Stop all unwanted system services and applications, and minimize the attack coefficient of servers. For example, MSDTC overflows a few days ago, causing many servers to crash. In fact, if a WEB server does not use the MSDTC service at all, you can stop the MSDTC Service so that MSDTC Overflow does not pose any threat to your server.

③ Enable TCP/IP port filtering: only common TCP ports such as 21, 80, 25, 110, and 3389 are opened. If the security requirement is higher, you can disable the UDP port, of course, if this problem occurs, it is inconvenient to connect to the external server. We recommend that you use IPSec to block UDP. In protocol filtering, "only allow" TCP protocol (Protocol Number: 6), UDP protocol (Protocol Number: 17), and RDP protocol (Protocol Number: 27; other useless items are not open.

④ Enable the IPSec Policy: Perform Security Authentication for the server connection and add double insurance to the server. As mentioned in ③, some dangerous end products can be banned here, such: 135 145 139 445 as well as UDP external connections, as well as the encryption of passthrough and communication with only trusted IP addresses or networks. (Note: in fact, the anti-bounce trojan uses IPSec to simply prohibit external access from UDP or non-commonly used TCP ports. The application of IPSec will not be continued here, you can go to server security to discuss Search "IPSec" and there will be N more information about IPSec applications ..) (the game blade is on the edge of the Technical Ghost God to create a server security myth! Pioneer in the Internet revolution! Server Security discussion area [S.S. D. A] http://www.31896.net)

⑤ Delete, move, rename, or use the Access Control table column Access Control Lists (ACLs) to Control key system files, commands, and folders:

The hacker often comes to the shellside, and uses all the features such as net.exe net1.exe ipconfig.exe user.exe query.exe regedit.exe regsvr32.exe to further control the server, such as adding an account, cloning an administrator, etc. Here we can delete or rename these command programs. (Note: When deleting or renaming a file, stop the File Replication Service (FR) or delete or rename the corresponding file under % windir % system32dllcache .)

2.alternatively, you can move these. EXE files to the specified folder, which makes it easier for the Administrator to use ^ 0 ^

3. Access control table column ACLS control:

Find win.exe00000000000032.exe net.exe net1.exe ipconfig.exe tftp.exe ftp.exe user.exe regedit.exe regedt32.exe regsvr32.exe under %windir0000system32.
These files commonly used by hackers are defined in "properties" → "security" for the ACLs users they access. For example, they are only authorized to access the administrator, if you need to prevent overflow attacks and illegal exploitation of these files after the overflow is successful, you only need to deny access to the system users in ACLs. (What if you are a BT character? ^_^ then let's drop all users !, Here we will ask all types of visitors to handle the issue based on their own facts ).

4.if you think guiis too annoying, you can also use the system command cacls.exeto edit and modify the Acls of the. exe file, or write it as a. bat batch file to execute and modify the commands. (For details, see cacls /? I will not list and write batch processing code for you because there are too many commands here !!)

5. it is also necessary to set the Security ACLS for disks such as C, D, E, and F. In addition, especially for win2k, for folders such as Winnt, WinntSystem, Document and Setting.

6. Modify the registry and disable the command interpreter: (if you think the method ⑤ is too cumbersome, try the following permanent method to disable CMD running)

By modifying the registration table, you can disable the use of the command interpreter (cmd.exe) and run the batch processing file (. bat file ). Specific Method: Create a New Dual-byte (REG_DWORD) and execute HKEY_CURRENT_USERSoftwarePolicies MicrosoftWindowsSystemDisableCMD. Change the value to 1. Neither the command interpreter nor the batch file can be run. If the value is changed to 2, the command interpreter is disabled. If the value is changed to 0, the CMS command interpreter is enabled. If you are making too much effort, save the following code as the *. reg file and import it.

 

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem]

"DisableCMD" = dword: 00000001

7. Downgrade some System services that run with the System permission. (For example, replace a series of services or applications running with System permissions, such as Serv-U, Imail, IIS, Php, Mssql, and Mysql, with the permissions of other administrators or even users, this will be much safer... however, the premise is that you need to know more about these basic running statuses and calling APIs .)

In fact, in addition to using the preceding methods to prevent Overflow attacks such as Overflow, there are also N methods: for example, using group policies for restrictions, the write protection filtering program uses DLL to load windows to related SHell and dynamic link programs. Of course, writing code to verify encryption requires a deep Win32 programming Foundation and a lot of research on Shellcode. This article only discusses simple solutions, so other methods are not described here...

2. How can we further intrude into the system after preventing hacker overflow and obtaining Shell?

① After completing the above work in step 1, it basically prevents the hacker from getting shell after Overflow; because even if Overflow overflows successfully, however, it gets stuck when calling mongoshell and external connections. (Why, because: 1.once the program is out of control, it can be called again. We have banned system1_cmd.exe. 2. The external IP address cannot be connected to the reverse IP address after the overflow. Therefore, it is difficult to rebound the shell through the system permission ...)

② Of course, there is no absolute security in the world. Suppose that the intruders have obtained our shell, what should they do? Generally, after obtaining the shell, intruders can further control the server by transmitting files through tftp, ftp, and vbs using system commands and accounts. Here we use the above method to limit the command. Intruders cannot transmit files through tftp or ftp, but they can still write the batch through echo, use batchcompute scripts such as BAT, VBS, and VBA to download files from the WEB and modify files of other disks. Therefore, we need to restrict the echo command and the permission to write and modify files on other disks. Disable or restrict the running right of the system by using VBS/VBA scripts and XMLhttp components. In this way, the Shell cannot be used to delete files on the server and control the process. In addition, the Local Elevation of Privilege rebounded and Shell won't be used.

Note: the security of other servers and systems is a general concept. It is possible that your website or even the server may be compromised by a small amount of negligence. Therefore, security policies must take the road to preventing problems before they happen. You cannot be careless in any small part of the world. Today's security tips on preventing Overflow are introduced here... for other server security configuration experiences, see the next article :-) (Note: Due to my lack of learning skills, it is inevitable to make mistakes in this article. Please forgive me! It is intended to inspire others. If you have a better solution, please do not forget to post ^ 0 ^ on the Forum. Thank you !)

Copyright of this article: The copyright of this article is shared by the [server security discussion board] and [Love Story online]. You can reprint it at will, but be sure to keep the integrity and author information of this article; please cherish others' knowledge and copyrights!

Author: Li Bolin/LeeBolin senior system engineer, professional network security consultant. ISP service providers have successfully provided complete network security solutions for many large and medium-sized enterprises in China. He is particularly good at the design of the overall network security solution, the planning of large-scale network engineering, and the provision of a complete series of server security solutions. [S.S. d. server A security discussion area] Http: // www.31896.net [F. n. s.T online] Http: // www.fineacer.org E-mail: leebolin # 31896.net QQ: 24460394 if you have any suggestions or questions about this article, you can send a letter or QQ online to communicate with the author; or go to the server security forum to discuss with the author!