Objective
In fact, in the server security settings, although I have some experience, but there is no research, so I write this article when the heart is very not practical, always afraid to say wrong will be mistaken for others.
This article is more focused on the prevention of ASP vulnerabilities, so the server black and other aspects of the explanation may be slightly too little.
Basic server security Settings
Install Patches
After installing the operating system, it is best to install the patch before hosting, configure the network, if it is 2000 to determine the installation of the SP4, if it is 2003, it is best to install the SP1, then click Start →windows Update, install all the key updates.
Install antivirus Software
Although anti-virus software sometimes does not solve the problem, but anti-virus software to avoid a lot of problems. I've been using Norton 2004, and it's said that 2005 can kill a Trojan, but I haven't tried it. There are people with rising, rising is determined to kill the Trojan horse. More people say that Kabbah driver is good, but I did not use.
Do not expect anti-virus software to kill all Trojans, because the characteristics of the ASP Trojan Horse can be through a certain means to avoid the killing of anti-virus software.
Set port protection and firewalls, delete default shares
It's all about server protection, and even if you don't have IIS on your server, these security measures are best done. This is the blind area of the arjunolic, probably know the shielding port with local security strategy, but this aspect of things online introduction a lot, we can impressive out to see, later I may copy some to my website.
Permission settings
Arjunolic feel this is the key to preventing an ASP vulnerability attack, and good permissions settings can reduce the damage to an IIS site or even a virtual directory. I am here to talk about the principle and set up ideas, smart friends should read this will be able to solve the problem.
The principle of permission setting
Windows users, most of the time in the Winnt system, divide permissions by User (group). Manage system users and user groups at the start → programs → administration tools → Computer Management → local users and groups.
NTFS permission settings, remember to partition all the hard drives into an NTFS partition, and then we can determine the permissions that each partition opens for each user. The file (folder) right → properties → security "here to manage NTFS file (folder) permissions."
IIS anonymous users, each IIS site or virtual directory, can set an anonymous access user (now call it "IIS anonymous user") when the user visits your site. ASP file, this. The permissions that an ASP file has, that is, the permissions that this "IIS anonymous user" has.
The idea of permission setting
To create a system user for each independent individual to protect (such as a Web site or a virtual directory), the site has the unique ability to set permissions on the system.
In IIS, "Site properties or virtual directory properties → directory security → Anonymous access and authentication control → edit → anonymous access → edit" fill in the user name you just created.
All partitions are set to prohibit this user from accessing, and the folder setting that corresponds to the home directory of the site just now allows this user access (to remove inherited parent permissions and to add the hyper-control and system groups).
This set up after the ASP program in this site only the current folder permissions, from the probe, all the hard drives are red fork.
My Setup method
I created a user group first, and then all of the site's users were built in this group, and then set up the groups in each partition without permissions or outright rejection. Then set the permissions for each IIS user in each folder.
Because more, so I do not want to write, actually know the above principle, most people should understand, unless you do not know how to add system users and groups, do not know how to set folder permissions, do not know the IIS site properties there. Really have that kind of person, you also don't worry, want to slow down slowly, the concrete method actually oneself also can grope out, I am this. Of course, if I am free, I will write my specific settings, I am proud to be able to match the picture.
Renaming or uninstalling unsafe components
Unsafe components not surprising
I've added an unsafe component detection function to the 7I24 probe 1.9 (In fact, this is written in reference to the code of the just to change the interface a bit friendlier, the detection method and he is basically the same), this feature so many webmasters surprised not small, because he found that his server support a lot of unsafe components.
In fact, as long as the above permissions set, then FSO, XML, Strem are no longer unsafe components, because they do not have to cross their own folder or site permissions. That happy time not to fear, there are anti-virus software in the fear of what time ah.
The most dangerous component is WSH and shell, because it can run programs such as the EXE on your hard drive, such as it can run a lifting program to elevate Serv-u permissions and even use SERVU to run higher-privileged system programs.
Carefully decide whether to uninstall a component
Components are intended to be applied, not to be unsafe, and all components are useful, so before uninstalling a component, you must verify that the component is not required by your Web site program, or that it is not roughly the same if removed. Otherwise, you can only keep this component and do the same in your ASP program itself, to prevent others from coming in, rather than preventing others from coming in after the shell.
For example, FSO and XML are one of the most common components, and many programs use them. The WSH component will be used by some host management programs, as well as some packaging programs.
Uninstall the least secure component
The easiest way to do this is to remove the appropriate program files after you uninstall them directly. Save the following code as one. BAT file, (WIN2000 for example, if 2003 is used, the system folder should be C:\WINDOWS\)
Regsvr32/u C:\WINNT\System32\wshom.ocx
Del C:\WINNT\System32\wshom.ocx
Regsvr32/u C:\WINNT\system32\shell32.dll
Del C:\WINNT\system32\shell32.dll
Then run it, Wscript.Shell, Shell.Application, and Wscript.Network will be unloaded. You may be prompted not to delete the file, do not worry about it, restart the server, you will find that all three prompts "x security".
Renaming unsafe components
Notice that the name of the component and the CLSID are changed, and that they are completely changed. The following is an example of shell.application to introduce the method.
Open Registry Editor start → Run →regedit carriage return, and then "edit → find → fill shell.application→ Find Next", this method can find two registry entries: "{13709620- c279-11ce-a49e-444553540000} "and" Shell.Application ". To ensure that it is foolproof, export the two registry keys and save them as a. reg file.
Like we want to make changes like this.
13709620-c279-11ce-a49e-444553540000 renamed as 13709620-c279-11ce-a49e-444553540001
Shell.Application renamed as Shell.application_ajiang
Then, replace the contents of the. reg file that you just exported with the corresponding relationship above, and then import the modified. reg file into the registry (double click), and after you import the renamed registry key, don't forget to delete the original two items. It should be noted here that the CLSID can only be 10 digits and abcdef six letters.
Here is my revised code (two files I come together):
Windows Registry Editor Version 5.00
[hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}]
@= "Shell Automation Service"
[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\inprocserver32]
@= "C:\\winnt\\system32\\shell32.dll"
"ThreadingModel" = "Apartment"
[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\progid]
@= "Shell.application_ajiang.1"
[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\typelib]
@= "{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"
[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\version]
@= "1.1"
[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\versionindependentprogid]
@= "Shell.application_ajiang"
[Hkey_classes_root\shell.application_ajiang]
@= "Shell Automation Service"
[Hkey_classes_root\shell.application_ajiang\clsid]
@= "{13709620-c279-11ce-a49e-444553540001}"
[Hkey_classes_root\shell.application_ajiang\curver]
@= "Shell.application_ajiang.1"
You can save this as a. reg file. Try it, but don't do it, because if the hacker had read my article, he would have tried the name I had changed.
Prevent listing of user groups and system processes
I used GetObject ("WINNT") in arjunolic ASP probe 1.9 to get a list of system users and system processes, which could be exploited by hackers and should be hidden by:
"Start → program → admin tools → services", find workstation, stop it, disable it.
Prevent serv-u privilege elevation
In fact, after the shell component is logged off, the intruder is less likely to run the lifting tool, but Prel and other scripting languages also have shell capabilities, in case, or set it up for good.
With UltraEdit open ServUDaemon.exe find Ascii:localadministrator, and #l@ $ak #.lk;0@p, modified to equal length of other characters on it, ServUAdmin.exe the same treatment.
Also note that you set the permissions of the folder in which Serv-u is located, and do not let IIS anonymous users have read permissions, or else you may be able to analyze your administrator name and password as you modify the file.
Common methods and precautions of exploiting ASP vulnerabilities
In general, hackers always aim at forums and other programs, because these programs have upload function, they can easily upload ASP trojan, even if set permissions, Trojan can also control the current site of all files. In addition, there is a Trojan horse and then upload the lifting tool to obtain higher privileges, we shut down the shell component is to a large extent to prevent the attacker to run the lifting tool.
If the Forum administrator turned off the upload function, the hacker will find a way to get the super tube password, for example, if you use the Dynamic Network forum and the database forgot to rename, people can directly download your database, and then distance to find the forum administrator password is not far away.
As an administrator, we first need to check our ASP program, do the necessary settings to prevent the site from being hacked into. The other is to prevent attackers from using a hacked web site to control the entire server, because if your server has a site for friends, you may not be sure that your friends will be able to put the forums he uploaded into the security settings. This is used to say that a lot of things, do those permissions settings and prevent the promotion, the hacker even entered a site, can not destroy the site outside of things.
Postscript
Perhaps a security master or a master of destruction to read my article will laugh or secretly happy, but I think in my experience, after all, there are many right places, there are tens of thousands of people than I know the same as I did not understand the beginning of the time in the desire for such an article, so I have to write, I do not care what others say I, I am not afraid of future generations will have tens of thousands of people to me, I am a person to bear down, I have no wife to explain ...
Because this is actually a way of doing something, from the laughter of others, I and my readers can learn more useful things.