We will harden the Windows system step by step against each stage of an intrusion. The measures fall into the following categories:
1. Port restrictions
2. Setting ACL permissions
3. Disabling services or components
4. Packet filtering
5. Auditing
Starting from the intruder's first step, we now apply the corresponding hardening to an existing Windows system:
1. Scan
This is the intruder's first step: searching for vulnerable services.
Corresponding measures: Port restrictions
All of the rules below must be created as mirrored filters (so that the reply traffic matches), otherwise you will not be able to connect at all. What we need to do is open only the ports the services actually require and block all other ports.
2. Download information
The intruder tries to download sensitive files from the web server. The countermeasure is mainly URLScan, which filters illegal requests.
Corresponding measures: Filter the corresponding requests
We install URLScan and use the [DenyExtensions] section of Urlscan.ini to block requests for files with particular extensions.
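The following is an added example, not configuration from the original article: it writes a minimal Urlscan.ini whose [DenyExtensions] section blocks the file types an intruder would try to download, and then models how URLScan's extension check applies to a few constructed request paths. The extension list, the sample requests and the install path are assumptions; adjust them to the site.

```powershell
# Added example (not from the original article). The ini text below is a
# deliberately small Urlscan.ini; the checker after it is a simplified model
# of URLScan's [DenyExtensions] matching, not URLScan's own code.

$UrlscanIni = @'
[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
; database, include and backup files an intruder would try to download
.mdb
.inc
.bak
.old
.log
; executables and ISAPI extensions that should never be served here
.exe
.bat
.cmd
.com
.ida
.idq
.htr
.printer
'@

function Get-DeniedExtensions {
    param([string]$IniText)
    $inSection = $false
    $denied = @()
    foreach ($line in $IniText -split "`r?`n") {
        $trim = $line.Trim()
        if ($trim -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'DenyExtensions'); continue }
        if ($inSection -and $trim -and -not $trim.StartsWith(';')) { $denied += $trim.ToLowerInvariant() }
    }
    return $denied
}

function Test-UrlscanDenied {
    # Models the extension check: the extension of the request path (query
    # string stripped, case-insensitive) is compared with [DenyExtensions].
    param([string]$RequestPath, [string[]]$DeniedExtensions)
    $path = ($RequestPath -split '\?')[0]
    $ext  = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
    return ($ext -ne '' -and $DeniedExtensions -contains $ext)
}

$denied = Get-DeniedExtensions -IniText $UrlscanIni
# Constructed sample requests: the first two should be denied, the last allowed.
foreach ($req in '/data/site.MDB', '/inc/conn.inc?x=1', '/default.asp') {
    "{0,-22} denied={1}" -f $req, (Test-UrlscanDenied -RequestPath $req -DeniedExtensions $denied)
}

# Write the configuration next to urlscan.dll (path is an assumption; adjust to your install).
# Set-Content -Path 'C:\WINDOWS\system32\inetsrv\urlscan\urlscan.ini' -Value $UrlscanIni -Encoding ASCII
```

Keep UseAllowExtensions=0 only while the deny list is complete; switching to UseAllowExtensions=1 with an [AllowExtensions] list of exactly the types the site serves is the stricter setting and is what a new site should start with.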
3. Upload file
At this step the intruder uploads a webshell, privilege-escalation tools, a program to run cmd commands, and so on.
Corresponding measures: Disable the corresponding services and functions, set ACL permissions
If circumstances allow, do not use FSO (FileSystemObject) at all: unregister the associated DLL with regsvr32 /u C:\windows\system32\scrrun.dll. If it is needed, create a separate user for each site, give that user read, write and execute permissions only on its own site directory, and give administrators full control. Install anti-virus software with real-time scanning to remove uploaded malicious code; personally I recommend McAfee or Kaspersky. If you use McAfee, block all additions and modifications to files in the Windows directory.
4. Webshell
After uploading the file, the intruder uses the webshell to execute programs, or simply for more convenient file operations.
Corresponding measures: Disable the corresponding services and functions
Webshells generally use the following components:
Wscript.Network
Wscript.network.1
Wscript.Shell
Wscript.shell.1
Shell.Application
Shell.application.1
We rename or delete the above keys in the registry. Note that each of these keys has a CLSID subkey whose value names the class; the corresponding key under HKEY_CLASSES_ROOT\CLSID must be deleted or renamed as well, otherwise the object can still be created by CLSID.
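The following is an added example, not a script from the original article: it reads the CLSID of each listed ProgID from the registry, exports both keys to backup .reg files and then renames both, so the change can be rolled back. The backup directory and the _disabled suffix are assumptions. Run it as Administrator.

```powershell
# Added example (not from the original article): disables the COM components
# webshells rely on by renaming their ProgID keys and the matching CLSID keys.

New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null

$ProgIds = 'Wscript.Network', 'Wscript.Network.1',
           'Wscript.Shell',   'Wscript.Shell.1',
           'Shell.Application', 'Shell.Application.1'
$Suffix    = '_disabled'      # assumption: any suffix that no ProgID uses
$BackupDir = 'C:\regbackup'   # assumption: any writable directory
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Disable-ComProgId {
    param([string]$ProgId)
    $progPath = "HKCR:\$ProgId"
    if (-not (Test-Path $progPath)) { Write-Host "$ProgId already absent"; return }

    # The ProgID key's CLSID subkey carries the class id as its default value;
    # that key under HKEY_CLASSES_ROOT\CLSID has to be disabled too.
    $clsid = (Get-ItemProperty -Path "$progPath\CLSID" -ErrorAction SilentlyContinue).'(default)'

    & reg.exe export "HKCR\$ProgId" (Join-Path $BackupDir "$ProgId.reg") /y | Out-Null
    Rename-Item -Path $progPath -NewName "$ProgId$Suffix"
    Write-Host "renamed $ProgId -> $ProgId$Suffix"

    # Wscript.Shell and Wscript.Shell.1 share one CLSID, so the second call finds it already renamed.
    if ($clsid -and (Test-Path "HKCR:\CLSID\$clsid")) {
        & reg.exe export "HKCR\CLSID\$clsid" (Join-Path $BackupDir "$clsid.reg") /y | Out-Null
        Rename-Item -Path "HKCR:\CLSID\$clsid" -NewName "$clsid$Suffix"
        Write-Host "renamed CLSID $clsid -> $clsid$Suffix"
    }
}

foreach ($p in $ProgIds) { Disable-ComProgId -ProgId $p }

# Check: creating the object from script must now fail.
try {
    New-Object -ComObject 'Wscript.Shell' -ErrorAction Stop | Out-Null
    Write-Host 'Wscript.Shell is still creatable'
} catch {
    Write-Host 'Wscript.Shell is no longer creatable (expected)'
}
```

Two caveats: on 64-bit Windows the 32-bit view lives under HKEY_CLASSES_ROOT\Wow6432Node\CLSID and needs the same treatment, and any administrative script of your own that uses these objects will break as well; if you still need them for administration, an ACL on the CLSID key that denies only the IIS anonymous user is the less disruptive alternative.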
5. Execute shell
The intruder obtains a shell in order to execute further commands.
Corresponding measures: Set ACL permissions
The Windows command-line console is \windows\system32\cmd.exe.
We modify the ACL of this file so that only one particular administrator account, such as Administrator, has full control.
All other users, including SYSTEM and the Administrators group, have no access to this file. This only stops the intruder from using the system's own cmd.exe; an uploaded copy is not affected, so the upload restrictions of step 3 must stay in place alongside it.
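The following is an added example, not a script from the original article, and it serves both step 3 (the per-site directory) and step 5 (cmd.exe): one helper replaces the ACL of a path with an explicit, non-inherited set of grants. The site user, the site directory and the administrator account name are assumptions. Run it as Administrator.

```powershell
# Added example (not from the original article): explicit ACLs for the
# per-site directory (step 3) and for cmd.exe (step 5).

function Set-ExplicitAcl {
    param(
        [string]$Path,
        [hashtable]$Grants   # identity -> FileSystemRights, e.g. 'site1' = 'ReadAndExecute, Write'
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting and drop the existing entries so only our grants remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    $isDir   = (Get-Item $Path) -is [System.IO.DirectoryInfo]
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    foreach ($identity in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $Grants[$identity], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Step 3: each site gets its own low-privilege user that may read, write and
# execute only inside its own directory; administrators keep full control.
$SiteUser = 'IUSR_site1'          # assumption: the site's anonymous/application user
$SiteDir  = 'D:\wwwroot\site1'    # assumption
Set-ExplicitAcl -Path $SiteDir -Grants @{
    $SiteUser                = 'ReadAndExecute, Write'
    'BUILTIN\Administrators' = 'FullControl'
}

# Step 5: only one named administrator may touch cmd.exe; SYSTEM and the
# Administrators group get nothing. Services and scheduled tasks that shell
# out will break, so test this on a non-production copy first.
$CmdExe = Join-Path $env:SystemRoot 'System32\cmd.exe'
Set-ExplicitAcl -Path $CmdExe -Grants @{ 'Administrator' = 'FullControl' }

# Verify the resulting entries.
(Get-Acl $CmdExe).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

On Windows Vista and later, files under System32 are owned by TrustedInstaller and Set-Acl on cmd.exe is denied until you take ownership (takeown /f on the file) first; on the Windows 2000/2003 systems the article targets, Administrators own the file and the call succeeds directly.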
6. Use existing users or add users
The intruder moves on to gaining administrator privileges by modifying existing users or by adding new Windows users.
Corresponding measures: Set ACL permissions, modify users
Remove terminal-access rights from all users except administrators, restrict access to CMD.EXE, and restrict xp_cmdshell in SQL Server.
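The following is an added example, not a script from the original article: it empties the Remote Desktop Users group so that only administrators keep terminal access, lists enabled accounts outside the Administrators group for review, and turns off xp_cmdshell. It assumes a stand-alone (non-domain) server, the LocalAccounts cmdlets of Windows 10 / Server 2016 or later, and SQL Server 2005 or later with sqlcmd.exe on the PATH.

```powershell
# Added example (not from the original article). Run as Administrator.

# 1. Remote Desktop Users is the group that gives non-administrators the
#    "Allow log on through Remote Desktop Services" right; empty it.
$rdpMembers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
foreach ($m in $rdpMembers) {
    Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $m.Name
    Write-Host "removed $($m.Name) from Remote Desktop Users"
}

# 2. Enabled accounts that are not administrators: review these for the
#    "modified existing user" and "added user" cases.
$adminNames = (Get-LocalGroupMember -Group Administrators).Name | ForEach-Object { ($_ -split '\\')[-1] }
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.Name -notin $adminNames } |
    Select-Object Name, LastLogon, PasswordLastSet

# 3. Disable xp_cmdshell (SQL Server 2005+). On SQL Server 2000 the equivalent
#    is to revoke EXECUTE on xp_cmdshell from public or drop the procedure.
$tsql = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
"@
$tsqlFile = Join-Path $env:TEMP 'disable_xp_cmdshell.sql'
Set-Content -Path $tsqlFile -Value $tsql
& sqlcmd.exe -S . -E -i $tsqlFile      # assumption: default instance, Windows authentication
```

Disabling xp_cmdshell only helps if the web application does not connect as sysadmin; a sysadmin login can re-enable it with the same sp_configure call, so the application's SQL login should be a low-privilege one.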
7. Log in to the graphical terminal
The intruder logs in to a graphical terminal such as Terminal Server or Radmin and gains the ability to run GUI programs. Since most Windows applications are GUI-based, this is the step every intruder on Windows wants to reach.
Corresponding measures: Port restrictions
The intruder may use port 3389 or a trojan to reach the graphical interface. The port restrictions of step 1 also block all outbound access from the host; this is what defeats reverse-connect (bounce) trojans, so the fewer outbound ports the host may reach, the better. If the machine is not a mail server, you can block every reverse-connect trojan by allowing no outbound ports at all.
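The following is an added example, not a script from the original article, and it covers the port policy of both step 1 and step 7: default-deny in both directions, inbound only for the service ports, RDP only from an administration subnet, and outbound only for DNS (plus SMTP on a mail server). It uses the Windows Firewall cmdlets of Windows 8 / Server 2012 and later as the modern equivalent of the IPSec filters the article used; the port list and the 192.0.2.0/24 administration subnet (an RFC 5737 documentation range) are assumptions. Run it as Administrator from the console, not over RDP, because the default block takes effect immediately.

```powershell
# Added example (not from the original article): steps 1 and 7 as firewall rules.

$IsMailServer = $false           # assumption: $true only on a real mail server
$AdminSubnet  = '192.0.2.0/24'   # assumption: the only network allowed to reach RDP

# Default-deny in both directions. A stateful firewall passes the reply packets
# of an allowed connection, which is what a "mirrored" IPSec filter did.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

function Add-AllowRule {
    param([string]$Name, [string]$Direction, [string]$Protocol, [string]$Port,
          [string]$RemoteAddress = 'Any')
    # Remove an existing rule of the same name so the script can be re-run.
    Remove-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    $params = @{ DisplayName = $Name; Direction = $Direction; Action = 'Allow'
                 Protocol = $Protocol; RemoteAddress = $RemoteAddress; Profile = 'Any' }
    if ($Direction -eq 'Inbound') { $params.LocalPort = $Port } else { $params.RemotePort = $Port }
    New-NetFirewallRule @params | Out-Null
}

# Inbound: only the ports the services actually need.
Add-AllowRule -Name 'Harden: HTTP in'  -Direction Inbound -Protocol TCP -Port 80
Add-AllowRule -Name 'Harden: HTTPS in' -Direction Inbound -Protocol TCP -Port 443
Add-AllowRule -Name 'Harden: RDP in (admin net)' -Direction Inbound -Protocol TCP -Port 3389 -RemoteAddress $AdminSubnet

# Outbound: as little as possible, so a reverse-connect trojan has nowhere to go.
Add-AllowRule -Name 'Harden: DNS out' -Direction Outbound -Protocol UDP -Port 53
if ($IsMailServer) {
    Add-AllowRule -Name 'Harden: SMTP out' -Direction Outbound -Protocol TCP -Port 25
}

# Verify what is now permitted.
Get-NetFirewallRule -DisplayName 'Harden:*' -Enabled True |
    Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

With outbound blocked by default, Windows Update, time synchronisation and anti-virus signature downloads stop working too; add narrow outbound rules for exactly those destinations rather than reopening outbound traffic in general.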
8. Erase footprints
After gaining full administrator privileges on a machine, the intruder erases their footprints to hide themselves.
Corresponding measures: Auditing
First, we must make sure that the Windows audit policy produces enough log entries; if the audit policy is too thin, the intruder does not even need to delete any Windows events. Second, we can replace the system's Cmd.exe and Net.exe with our own versions that record the commands being run, so that we can follow the intruder's actions. Third, we can guarantee the integrity of the Windows logs by sending them to a remote log server. The Evtsys tool (Https://engineering.purdue.edu/ECN/Resources/Documents) converts Windows event log entries into syslog format and sends them to a remote server; with it, run syslogd on the remote server, and if that server is Windows, Kiwi Syslog Daemon is recommended.

The goal we want to reach is this: the intruder cannot scan the host for weaknesses; even if they can scan, they cannot upload files; even if they can upload files, they cannot operate on files in other directories; even if they can operate on other directories, they cannot execute a shell; even if they get a shell, they cannot add users; even if they add users, they cannot log in to the graphical terminal; and even if they reach the graphical terminal and control the system, their actions are still recorded.
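The following is an added example, not a script from the original article: it makes the audit trail rich enough and ships it off-host. In place of a replacement Cmd.exe it enables the built-in process-creation audit with command lines (Windows 8.1 / Server 2012 R2 and later), then reads those events and forwards them as RFC 3164 syslog over UDP, which is the role Evtsys played. The collector address (192.0.2.10, an RFC 5737 documentation address), the log size and the choice of UDP are assumptions.

```powershell
# Added example (not from the original article). Run as Administrator.

$SyslogHost = '192.0.2.10'     # assumption: remote syslog collector
$SyslogPort = 514

# 1. Audit policy: logons, account and group changes, process creation and
#    audit-policy changes, success and failure alike.
foreach ($sub in 'Logon', 'Logoff', 'User Account Management', 'Security Group Management',
                 'Process Creation', 'Audit Policy Change') {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# Include the full command line in event 4688.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Enlarge the Security log (256 MB) so entries are not overwritten before they ship.
& wevtutil.exe sl Security /ms:268435456 /rt:false

# 3. Forward process-creation events as syslog.
#    PRI = facility 13 (log audit) * 8 + severity 6 (informational).
function Send-Syslog {
    param([string]$Message, [string]$Server = $SyslogHost, [int]$Port = $SyslogPort)
    $pri   = 13 * 8 + 6
    $stamp = (Get-Date).ToString('MMM dd HH:mm:ss')
    $line  = "<$pri>$stamp $env:COMPUTERNAME $Message"
    $udp   = New-Object System.Net.Sockets.UdpClient
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
        $udp.Send($bytes, $bytes.Length, $Server, $Port) | Out-Null
    } finally { $udp.Close() }
}

function Export-ProcessCreationEvents {
    param([datetime]$Since = (Get-Date).AddMinutes(-5))
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The EventData fields are easiest to read from the event's XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $msg = "EventID=4688 User=$($d.SubjectDomainName)\$($d.SubjectUserName) " +
               "Process=$($d.NewProcessName) Parent=$($d.ParentProcessName) CommandLine=$($d.CommandLine)"
        Send-Syslog -Message $msg
    }
    return @($events).Count
}

"forwarded $(Export-ProcessCreationEvents) process-creation events"
```

Run Export-ProcessCreationEvents from a scheduled task every few minutes, or more simply use Windows Event Forwarding to a collector. Plain UDP syslog is neither authenticated nor reliable, so an intruder who controls the host can suppress or forge it; TLS syslog (RFC 5425) or Event Forwarding over HTTPS is the production choice, and the point that matters here is that the copy leaves the machine before the intruder can clear the local log.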
Additional measures: we can further improve the security of the system by adding some equipment and measures.
1. Proxy firewall, such as ISA 2004
A proxy firewall can filter incoming and outgoing packets, and filter the request string or form content of HTTP requests, dropping requests containing Select, DROP, DELETE, insert and so on, because these keywords are unlikely to occur in forms or content that a legitimate user submits. After such filtering, most SQL injection attempts are stopped at the perimeter. Keyword filtering is not a complete cure, however: it can be evaded with case changes, encoding or comments, and it also blocks legitimate input that happens to contain those words, so parameterized queries in the application remain the real fix.
2. Set up an IDS with Snort
Use a separate server running Snort to analyze and record all incoming and outgoing packets; FTP upload commands and HTTP requests for ASP files deserve special attention. Some of the software mentioned in this article is included in the RAR archive provided for download:
COM command-line execution recorder
URLSCAN 2.5 with the configured configuration files
Exported IPSec port rules
Evtsys
Registry files for some registry hardening