Windows Server 2003 + IIS 6.0 + ASP server security settings: component security settings
A. Uninstall the Wscript.Shell and Shell.Application components. Save the following commands as a .BAT file and run it (separate files for Windows 2000 and Windows 2003).
Windows2000.bat
regsvr32 /u C:\winnt\system32\wshom.ocx
del C:\winnt\system32\wshom.ocx
rem shell32.dll is also the Explorer shell library and is covered by Windows File Protection;
rem unregistering or deleting it affects the whole system, not only scripts
regsvr32 /u C:\winnt\system32\shell32.dll
del C:\winnt\system32\shell32.dll
Windows2003.bat
regsvr32 /u C:\windows\system32\wshom.ocx
del C:\windows\system32\wshom.ocx
rem shell32.dll is also the Explorer shell library and is covered by Windows File Protection;
rem unregistering or deleting it affects the whole system, not only scripts
regsvr32 /u C:\windows\system32\shell32.dll
del C:\windows\system32\shell32.dll
B. Rename unsafe components. Note that both the component's ProgID name and its CLSID must be changed, and changed thoroughly: do not copy the values used here, choose your own.
Start → Run → regedit → Enter opens the Registry Editor.
Then Edit → Find → enter shell.application → Find Next.
This finds two registry keys:
{13709620-c279-11ce-a49e-444553540000} and shell.application.
Step one: to be on the safe side, export both registry keys and save them as xxxx.reg files.
Step two: for example, we want to make this change:
13709620-c279-11ce-a49e-444553540000 renamed to 13709620-c279-11ce-a49e-444553540001
Shell.Application renamed to Shell.application_nohack
Step three: replace the contents of the exported .reg file according to the mapping above, import the modified .reg file into the registry (double-click it), and after importing the renamed keys do not forget to delete the original two keys. Note that a CLSID may contain only the digits 0-9 and the letters a-f (hexadecimal).
In practice it is enough to export the relevant registry keys as a backup and then rename the keys directly.
An example that should work:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\InProcServer32]
@="C:\\winnt\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\ProgID]
@="Shell.application_nohack.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\Version]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\VersionIndependentProgID]
@="Shell.application_nohack"

[HKEY_CLASSES_ROOT\Shell.application_nohack]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.application_nohack\CLSID]
@="{13709620-c279-11ce-a49e-444553540001}"

[HKEY_CLASSES_ROOT\Shell.application_nohack\CurVer]
@="Shell.application_nohack.1"
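The renaming in section B is a mechanical rewrite of the exported .reg text: every occurrence of the old CLSID becomes the new one, and every occurrence of the old ProgID (including its versioned form ending in .1) becomes the new ProgID. The script below, added here as an example and not part of the original article, performs that rewrite and enforces the article's rule that a CLSID may only contain hexadecimal characters. The input is a constructed export of the original Shell.Application keys with the article's values; the output is text to be imported with regedit, after which the original keys still have to be deleted by hand as the article says.

```python
"""Rewrite a .reg export so a COM component is registered under a new ProgID and
a new CLSID (section B of the article).  Added example, not the article's code.
It only transforms text; importing the result is still done with regedit."""
import re

# A CLSID is five hex groups (8-4-4-4-12), optionally wrapped in braces.
CLSID_RE = re.compile(
    r"^\{?([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\}?$"
)


def is_valid_clsid(clsid: str) -> bool:
    """The article's rule: only the digits 0-9 and the letters a-f are allowed."""
    return CLSID_RE.match(clsid.strip()) is not None


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID lowercased and without braces, or raise ValueError."""
    m = CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a well-formed CLSID: {clsid!r}")
    return m.group(1).lower()


def rename_component(reg_text: str, old_clsid: str, new_clsid: str,
                     old_progid: str, new_progid: str) -> str:
    """Replace the CLSID and the ProgID throughout an exported .reg file."""
    old, new = normalize_clsid(old_clsid), normalize_clsid(new_clsid)
    if old == new:
        raise ValueError("the new CLSID must differ from the old one")
    # CLSIDs appear in key paths and as the value under <ProgID>\CLSID; exports
    # may use either case, so match case-insensitively.
    out = re.sub(re.escape(old), new, reg_text, flags=re.IGNORECASE)
    # ProgIDs appear bare (Shell.Application) and versioned (Shell.Application.1);
    # keep the version suffix and do not touch longer identifiers that merely
    # start with the old name.
    progid_re = re.compile(re.escape(old_progid) + r"(\.\d+)?(?![A-Za-z0-9_])",
                           re.IGNORECASE)
    return progid_re.sub(lambda m: new_progid + (m.group(1) or ""), out)


def leftover_references(reg_text: str, old_clsid: str, old_progid: str) -> list:
    """Lines that still reference the old CLSID or the old ProgID (should be empty)."""
    old = normalize_clsid(old_clsid)
    progid_re = re.compile(re.escape(old_progid) + r"(?![A-Za-z0-9_])", re.IGNORECASE)
    return [line for line in reg_text.splitlines()
            if old in line.lower() or progid_re.search(line)]


# Constructed sample: an export of the original Shell.Application keys using the
# CLSID the article names.  Not captured from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}\ProgID]
@="Shell.Application.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}\VersionIndependentProgID]
@="Shell.Application"

[HKEY_CLASSES_ROOT\Shell.Application]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application\CLSID]
@="{13709620-C279-11CE-A49E-444553540000}"

[HKEY_CLASSES_ROOT\Shell.Application\CurVer]
@="Shell.Application.1"
"""

OLD_CLSID = "13709620-c279-11ce-a49e-444553540000"
NEW_CLSID = "13709620-c279-11ce-a49e-444553540001"   # choose your own in practice

if __name__ == "__main__":
    renamed = rename_component(SAMPLE_EXPORT, OLD_CLSID, NEW_CLSID,
                               "Shell.Application", "Shell.application_nohack")
    print(renamed)
    print("leftovers:", leftover_references(renamed, OLD_CLSID, "Shell.Application"))
```

Run it and redirect the output to a new .reg file; leftover_references() is the check that nothing still points at the old names before you import.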
Comments: the Wscript.Shell and Shell.Application components are an important link in the script-intrusion and privilege-escalation process. Uninstalling these two components, or changing their registry keys, greatly improves script security on a virtual host; in general, elevation through ASP and PHP scripts then becomes impossible. Combined with settings for system services, disk access, port filtering and local security policy, a virtual host's security can be raised considerably and the chance of a break-in becomes very low. Once the shell components are unregistered, an intruder has far less chance of running an elevation tool, although Perl and other scripting languages also have shell capabilities, so protecting those as well is better. Below is another, very similar, set of settings.
I. Prohibit use of the FileSystemObject component. FileSystemObject can operate on files freely; renaming the component in the registry prevents this kind of Trojan from doing harm.
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\
Rename it to another name, for example Filesystemobject_changename.
Your own code can still call the component normally by using the new name.
Also change the CLSID value:
the value under HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\
It can also simply be deleted to prevent such Trojans from doing harm.
Windows 2000, unregister the component: regsvr32 /u c:\winnt\system32\scrrun.dll
Windows 2003, unregister the component: regsvr32 /u c:\windows\system32\scrrun.dll
How to prevent the Guests group from using scrrun.dll, so that the component cannot be called?
Use this command: cacls c:\winnt\system32\scrrun.dll /e /d Guests
II. Prohibit use of the Wscript.Shell component
Wscript.Shell can call into the system to run basic DOS commands.
This can be prevented by renaming the component in the registry.
HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\
Change them to different names, for example Wscript.shell_changename and Wscript.shell.1_changename.
Your own code can still call the component normally by using the new name.
Also change the CLSID value:
the value under HKEY_CLASSES_ROOT\WScript.Shell\CLSID\
the value under HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\
It can also simply be deleted to prevent such Trojans from doing harm.
III. Prohibit use of the Shell.Application component
Shell.Application can call into the system to run basic DOS commands.
This can be prevented by renaming the component in the registry.
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
Change them to different names, for example Shell.application_changename and Shell.application.1_changename.
Your own code can still call the component normally by using the new name.
Also change the CLSID value:
the value under HKEY_CLASSES_ROOT\Shell.Application\CLSID\
the value under HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\
It can also simply be deleted to prevent such Trojans from doing harm.
Prevent the Guests group from using shell32.dll, so that the component cannot be called:
Windows 2000: cacls c:\winnt\system32\shell32.dll /e /d Guests
Windows 2003: cacls c:\windows\system32\shell32.dll /e /d Guests
Note: the change does not take effect until the Web service is restarted.
IV. Calling cmd.exe
Prevent users in the Guests group from calling cmd.exe:
Windows 2000: cacls c:\winnt\system32\cmd.exe /e /d Guests
Windows 2003: cacls c:\windows\system32\cmd.exe /e /d Guests
The four steps above are enough to stop the Trojans that are currently most common, but the most effective approach is still comprehensive security configuration of the server and of the applications up to a defined standard; the security level can then be raised further to prevent more intrusions.
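Sections I to IV all rely on the same control: a deny ACE for the Guests group (which on IIS 5/6 contains the anonymous IUSR_ account by default) on scrrun.dll, shell32.dll and cmd.exe. The script below, added here as an example and not part of the original article, audits that control by parsing `cacls` output and reporting which files still lack the deny entry. It also lists wshom.ocx, the file behind Wscript.Shell, alongside the article's three files; that addition is the author's assumption. The sample output is constructed, not captured from a real host, and mirrors what `cacls` prints on Windows 2000/2003, where a rights letter of N means no access; run_cacls() shells out to cacls.exe and is only meaningful on a Windows host.

```python
"""Audit cacls output for the deny-Guests entries added in sections I-IV.
Added example, not the article's code.  parse_cacls()/audit_acls() work on
captured text anywhere; run_cacls() needs cacls.exe, i.e. Windows."""
import re
import subprocess
from typing import Dict

# Files the article restricts under %SystemRoot%\system32; wshom.ocx is added
# here as an assumption because it implements Wscript.Shell.
RESTRICTED_FILES = ("scrrun.dll", "wshom.ocx", "shell32.dll", "cmd.exe")

# One ACE per line: "<account>:<inheritance flags><rights>".  Flags such as
# (OI)(CI) appear on directories or inherited entries; rights are a single
# letter (N none, R read, W write, C change, F full) or "(special access:)".
ACE_RE = re.compile(r"^(.*?):((?:\([A-Z]+\))*)([NRWCF]|\(special access:\))$")


def parse_cacls(output: str, path: str) -> Dict[str, str]:
    """Return {account: rights} from the output of `cacls <path>`."""
    aces: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        # The first line carries the path, a space, and the first ACE.
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if m:  # continuation lines of a "(special access:)" block have no ':' and are skipped
            account, _flags, rights = m.groups()
            aces[account.strip()] = rights
    return aces


def guests_denied(aces: Dict[str, str]) -> bool:
    """True when the Guests group has an all-deny (N) entry."""
    return any(account.split("\\")[-1].lower() == "guests" and rights == "N"
               for account, rights in aces.items())


def audit_acls(cacls_outputs: Dict[str, str]) -> Dict[str, bool]:
    """Map each audited path to whether Guests are denied. Input: {path: cacls output}."""
    return {path: guests_denied(parse_cacls(out, path))
            for path, out in cacls_outputs.items()}


def run_cacls(system_root: str = r"C:\WINDOWS") -> Dict[str, str]:
    """Collect live cacls output for the restricted files (Windows only)."""
    outputs = {}
    for name in RESTRICTED_FILES:
        path = "\\".join([system_root, "system32", name])
        proc = subprocess.run(["cacls", path], capture_output=True, text=True)
        outputs[path] = proc.stdout
    return outputs


# Constructed sample output: cmd.exe after the article's `cacls ... /e /d Guests`,
# shell32.dll still with its default ACL.
SAMPLE_OUTPUTS = {
    r"C:\WINDOWS\system32\cmd.exe": (
        r"C:\WINDOWS\system32\cmd.exe BUILTIN\Guests:N" "\n"
        r"                            BUILTIN\Users:R" "\n"
        r"                            BUILTIN\Power Users:R" "\n"
        r"                            BUILTIN\Administrators:F" "\n"
        r"                            NT AUTHORITY\SYSTEM:F" "\n"
    ),
    r"C:\WINDOWS\system32\shell32.dll": (
        r"C:\WINDOWS\system32\shell32.dll BUILTIN\Users:R" "\n"
        r"                                BUILTIN\Power Users:R" "\n"
        r"                                BUILTIN\Administrators:F" "\n"
        r"                                NT AUTHORITY\SYSTEM:F" "\n"
    ),
}

if __name__ == "__main__":
    for path, ok in audit_acls(SAMPLE_OUTPUTS).items():
        print(f"{'OK     ' if ok else 'MISSING'} deny-Guests on {path}")
```

On a live host replace SAMPLE_OUTPUTS with run_cacls() (passing C:\WINNT as system_root on Windows 2000); any path reported MISSING has not had the article's cacls command applied.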
C. Prevent Serv-U privilege elevation (applies to versions before Serv-U 6.0; from 6.0 on the password can be set directly)
Stop the Serv-U service first.
Open ServUDaemon.exe with UltraEdit.
Find the ASCII strings LocalAdministrator and #l@$ak#.lk;0@P
and change them to other characters of the same length; treat ServUAdmin.exe the same way.
Also make sure the permissions on the folder containing Serv-U do not give the IIS anonymous user read access, otherwise the modified file can be read and the administrator name and password recovered from it. The Ajiang ASP probe can be used to check the system's security status.