Enhanced protection against overflow and Privilege Escalation

Source: Internet
Author: User
Tags: echo command

Today, with hackers attacking constantly and new system vulnerabilities emerging in an endless stream, we as network and system administrators have put a lot of effort into server security: for example, installing system security patches promptly and doing some routine security configuration. However, it is unlikely that every server gets patched the moment a fix is released. Therefore, we need to shut the "security door" on intruders with a series of security settings before an intrusion happens. The following describes the simplest and most effective defenses against overflow attacks and local privilege escalation.

1. How can we prevent overflow attacks by hackers?

① Install patches for system vulnerabilities as far as possible. For example, Microsoft Windows Server systems can enable the Automatic Updates service, so that the server connects to the Microsoft Update website for patches at a scheduled time. If your server is not allowed to connect to the Internet for security reasons, you can use Microsoft WSUS to distribute updates over the intranet.

② Stop all unneeded system services and applications to minimize the server's attack surface. For example, the MSDTC overflow a few days ago brought down many servers. In fact, if a web server does not use the MSDTC service at all, you can simply stop it, and the MSDTC overflow then poses no threat to your server.

③ Enable TCP/IP port filtering: open only the commonly used TCP ports such as 21, 80, 25, 110 and 3389. If the security requirement is higher, you can also block UDP; of course, this makes it inconvenient for the server to connect to external hosts, so we recommend using IPSec to block UDP instead. In protocol filtering, "only allow" the TCP protocol (protocol number 6), the UDP protocol (protocol number 17), the RDP protocol (protocol number 27) and so on.

④ Enable an IPSec policy: perform security authentication on connections to the server and give it a second layer of insurance. As mentioned in ③, dangerous ports can be blocked here, such as 135, 145, 139 and 445, as well as outbound UDP connections; you can also encrypt traffic and communicate only with trusted IP addresses or networks. (Note: in fact, the defense against reverse-connecting trojans is simply to use IPSec to prohibit outbound connections over UDP and over uncommon TCP ports. IPSec applications are not discussed further here; search the server security forum for "IPSec" and you will find plenty of material on them.)

⑤ Delete, move, rename, or use access control lists (ACLs) to control key system files, commands and folders:

1. Hackers often use the following programs to gain further control of a server: net.exe, net1.exe, ipconfig.exe, user.exe, query.exe, regedit.exe, regsvr32.exe. We can delete or rename these command programs. (Note: when deleting or renaming a file, stop the File Replication Service (FRS), or also delete or rename the corresponding copy under %windir%\system32\dllcache.)

2. Alternatively, you can move these .exe files to a designated folder, so that administrators can still use them later.

3. ACL control: find the files hackers commonly use under %windir%\system32, such as net.exe, net1.exe, ipconfig.exe, tftp.exe, ftp.exe, user.exe, reg.exe, regedit.exe, regedt32.exe and regsvr32.exe, and define in "Properties" → "Security" which users may access them; for example, allow only Administrators. If you want to prevent these files from being abused after a successful overflow, you only need to deny access to the SYSTEM account in the ACLs.

4. If you find the GUI too tedious, you can also use the system command cacls.exe to edit and modify the ACLs of the .exe files, or write the commands into a .bat batch file and execute it. (For details see cacls /?; I will not list the commands or write the batch code for you, because there are too many of them!)

5. It is also necessary to set security ACLs on the disks such as C:, D:, E: and F:, and especially, on Win2k, on folders such as Winnt, Winnt\System and Documents and Settings.

6. Modify the registry and disable the command interpreter: (if you find method ⑤ too cumbersome, try the following to disable CMD once and for all)

By modifying the registry you can disable the command interpreter (cmd.exe) and the running of batch files (.bat files). Specifically: create a new DWORD (REG_DWORD) value named DisableCMD under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System. With the value set to 1, neither the command interpreter nor batch files can be run; set to 2, the command interpreter is disabled; set to 0, the command interpreter is enabled. To save effort, save the following as a .reg file and import it.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

7. Downgrade some services that run with SYSTEM privileges. (For example, run services and applications that normally execute as SYSTEM, such as Serv-U, Imail, IIS, PHP, MSSQL and MySQL, under another administrator account or even an ordinary user account; this is much safer. The premise, however, is that you understand how these programs run and which APIs they call.)
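As an added example (not from the original article) of items 3 to 5 of ⑤, the batch file below applies the cacls restriction to the listed executables, covering both %windir%\system32 and the dllcache copy mentioned in item 1 that Windows File Protection would otherwise restore from. It assumes an English-locale Windows 2000/2003 host (the group is named Administrators) and the cacls.exe of that era; the /denysystem switch is a name chosen here, not a cacls option.

```batch
@echo off
rem Added example, not part of the original article.
rem Restrict the executables the article lists to Administrators only, in
rem %windir%\system32, in %windir% (where regedit.exe lives) and in the
rem %windir%\system32\dllcache copy from item 1.
rem Assumes an English-locale Windows 2000/2003 host (group "Administrators").
rem Run as an administrator and try it on a test host before production servers.
setlocal

set TARGETS=net.exe net1.exe ipconfig.exe tftp.exe ftp.exe reg.exe regedit.exe regedt32.exe regsvr32.exe

for %%F in (%TARGETS%) do (
    for %%D in ("%windir%\system32" "%windir%" "%windir%\system32\dllcache") do (
        if exist "%%~D\%%F" (
            echo Restricting %%~D\%%F
            rem Without /E cacls REPLACES the ACL: Administrators get full control,
            rem every other account (Users, SYSTEM, ...) loses access.
            rem "echo y|" answers the "Are you sure (Y/N)?" prompt.
            echo y| cacls "%%~D\%%F" /G Administrators:F
        )
    )
)

rem Optional: add an explicit deny for SYSTEM, as item 3 suggests for the
rem post-overflow case. Caution: scheduled tasks and services that run as
rem SYSTEM and call these tools will break, so enable this deliberately.
if /i "%1"=="/denysystem" (
    for %%F in (%TARGETS%) do (
        if exist "%windir%\system32\%%F" cacls "%windir%\system32\%%F" /E /D SYSTEM
    )
)

rem Show the resulting ACLs for review.
for %%F in (%TARGETS%) do (
    if exist "%windir%\system32\%%F" cacls "%windir%\system32\%%F"
)
endlocal
```

Keep a note of the original ACLs before running it; an administrator who later needs one of these tools can re-grant access with cacls /E /G.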

In fact, besides the methods above for preventing overflow attacks, there are many more: for example, using group policies to impose restrictions, or writing a write-protection filtering program that loads a DLL into the Windows shell and related dynamic-link programs. Of course, writing such verification and encryption code requires a solid Win32 programming foundation and a great deal of research into shellcode. This article only discusses simple solutions, so the other methods are not described here.

2. How can we prevent the hacker from intruding further after an overflow has given them a shell?

① After completing the work in step 1, the hacker is basically prevented from getting a shell after an overflow, because even if the overflow itself succeeds, it gets stuck when calling the cmd shell or connecting outward. (Why? Because: 1. once the program is taken over, it has to call the shell, and we have blocked system32\cmd.exe; 2. after the overflow, the outbound connection to the attacker's IP address cannot be made when it tries to bounce. So it is much harder to obtain a reverse shell with SYSTEM privileges.)

② Of course, there is no absolute security in the world. Suppose the intruder has obtained our shell; what then? Generally, after obtaining a shell, intruders transfer files via tftp, ftp or VBS, using system commands and accounts, to gain further control of the server. With the methods above we have restricted those commands, so intruders cannot transfer files through tftp or ftp, but they can still write batch scripts with echo, and use BAT, VBS and VBA scripts to download files from the web and modify files on other disks. Therefore we also need to restrict the echo command and the right to write and modify files on other disks, and disable or restrict the execution of VBS/VBA scripts and the XMLHTTP component. In this way other users cannot delete files on the server or take control of the system step by step, and local privilege escalation and reverse shells are blocked.

Note: server and system security is a broad topic. A small oversight may lead to your website or even the server being compromised, so security policies must be put in place to prevent problems before they occur.
