Principles
We take countermeasures at every stage of an intrusion and reinforce the Windows system step by step.
Hardening the Windows system consists of:
1. Port restrictions
2. Setting ACL permissions
3. Disabling services or components
4. Packet filtering
5. Auditing
Now we follow the intruder from the first step onward; each step has a corresponding reinforcement of the existing Windows system.
1. Scan
This is the intruder's first step: searching for vulnerable services.
Countermeasure: port restrictions
Select "Mirrored" for all of the following rules (the IPSec filter option that also matches the reply direction); otherwise the connection fails.
What we need to do is open only the ports the services require and block all other ports.
2. Download information
Here we mainly use URLScan to filter illegal requests.
Countermeasure: filter the corresponding packets
We use URLScan and set the DenyExtensions field in URLScan.ini
to block requests for files with specific extensions.
3. Upload files
Intruders upload webshells, escalate privileges, run cmd commands, and so on.
Countermeasure: remove services and functions, and set ACL permissions.
If possible, do not use FSO (FileSystemObject):
use regsvr32 /u c:\Windows\system32\scrrun.dll to unregister the related DLL.
If FSO must be used:
create a separate user for each site, and
give that user only read, write, and execute permissions on that site's own directory, with all permissions for administrators.
Install anti-virus software to remove uploaded malicious code in real time.
We personally recommend McAfee or Kaspersky.
With McAfee, all file creation and modification in the WINDOWS directory can be blocked.
4. WebShell
After uploading a file, the attacker uses the WebShell to execute programs or to perform file operations more conveniently.
Countermeasure: remove the corresponding services and functions
WebShells generally use the following components:
WScript.Network
WScript.Network.1
WScript.Shell
WScript.Shell.1
Shell.Application
Shell.Application.1
Rename or delete the above keys in the registry.
Note the contents of the CLSID key under each of them,
and delete those CLSID keys from HKEY_CLASSES_ROOT\CLSID as well.
5. Execute a shell
Intruders obtain a shell to execute further commands.
Countermeasure: set ACL permissions.
The Windows command-line console is \WINDOWS\SYSTEM32\cmd.exe.
Modify the ACL of this file so that
a specific administrator account (such as administrator) has all permissions, and
no other user, including the SYSTEM account and the Administrators group, has any permission to access this file.
6. Use existing users or add users
By modifying existing users or adding regular Windows users, intruders move a step closer to administrator privileges.
Countermeasure: set ACL permissions and modify users.
Remove terminal access permissions from all users except the administrator.
Restrict access to cmd.exe.
Restrict xp_cmdshell in SQL Server.
7. Log on to a graphical terminal
Intruders log on to Terminal Server, Radmin, or other graphical terminals
and thereby gain the ability to run the many graphical programs, since most Windows applications are GUI.
So this step is what every hacker who breaks into Windows wants.
Countermeasure: port restrictions
Intruders may use 3389 or Trojans to gain access to the graphical interface.
The port restrictions in step 1 block all inbound and outbound access by default, which prevents reverse-connecting Trojans.
Therefore, in the port restrictions, the fewer ports the local machine may use to reach the external network, the better.
If the server is not used as a mail server, no outbound ports need to be added at all,
and all reverse-connecting Trojans are blocked.
8. Erase footprints
After obtaining full administrator permissions on a machine,
the intruder erases footprints to hide.
Countermeasure: audit
First, make sure that enough audit items are enabled in the Windows logs.
If the audit items are insufficient, intruders do not even need to delete Windows events.
In addition, we can replace the built-in cmd.exe and net.exe with versions that record the commands they run (see the comlog tool in the Practice section),
so that we can learn what the intruder did.
For the Windows logs,
we can ensure the integrity of the records by sending the logs to a remote log server.
The Evtsys tool (https://engineering.purdue.edu/ECN/Resources/Documents)
converts Windows event logs to syslog format and sends them to a remote server.
Use this tool together with a syslogd on the remote server; if the remote server runs Windows,
we recommend Kiwi Syslog Daemon.
What we want to achieve is:
intruders cannot scan the host for vulnerabilities;
even if they scan, they cannot upload files;
even if they upload files, they cannot operate on files in other directories;
even if they operate on files in other directories, they cannot execute a shell;
even if they execute a shell, they cannot add users;
even if they add a user, they cannot log on to the graphical terminal;
even if they log on to the graphical terminal and control the system, everything they do is still recorded.
Additional measures:
We can add devices and measures to further enhance system security.
1. Proxy firewall, for example ISA 2004
The proxy firewall can filter incoming and outgoing packets.
Set it to filter the request string or form content of HTTP requests,
filtering out select, drop, delete, insert and so on;
these keywords may not appear in the form or content submitted by the client.
After filtering, SQL injection is eliminated.
2. Use Snort to build an IDS
Build a Snort sensor on another server
to analyze and record all incoming and outgoing packets.
In particular, pay special attention to FTP upload commands and HTTP requests for ASP files.
The software mentioned in this article includes:
comlog, for recording command-line execution
URLScan 2.5 with a configured configuration file
port rules exported from IPSec
Evtsys
registry keys for some registry hardening
Practice
The following is an example of a standard VM.
System: Windows 2003
Services: [IIS] [SERV-U] [IMAIL] [SQL SERVER 2000] [PHP] [MYSQL]
Description: as many services as possible are bound for demonstration; filter and subtract according to your actual situation.
1. Windows local security policy port restrictions
A. For our example, we need to activate the following ports:
External -> Local 80
External -> Local 20
External -> Local 21
External -> Local: the ports used by the local PASV range
External -> Local 25
External -> Local 110
External -> Local 3389
Then open the SQL Server and MySQL ports according to the actual situation:
External -> Local 1433
External -> Local 3306
B. Then open the ports required from the inside out.
Depending on the actual situation, do not open the following two rules if no email service is required:
Local -> External 53 TCP, UDP
Local -> External 25
Depending on the situation, if web pages do not need to be browsed from the server, try not to open the following port:
Local -> External 80
C. In addition, the explicit block rule, which is the key to the security rules:
All protocols -> Local: Block
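The same rule set as an added example script for netsh ipsec static on Windows Server 2003 (not part of the original article); the policy and filter-list names and the PASV port range are assumptions, so substitute the range configured in your FTP server.

```batch
@echo off
rem Added example: port restrictions from section 1 as an IPSec policy.
set POLICY=Server Hardening
netsh ipsec static add policy name="%POLICY%" description="Hardening example" activatedefaultrule=no
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem A. Inbound service ports, external to local. mirrored=yes adds the reply
rem direction automatically; without it the TCP handshake cannot complete.
rem Drop 1433 and 3306 if SQL Server / MySQL need not be reachable from outside.
netsh ipsec static add filterlist name="Inbound services"
for %%p in (80 20 21 25 110 3389 1433 3306) do (
    netsh ipsec static add filter filterlist="Inbound services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=%%p mirrored=yes
)
rem Assumed PASV range for SERV-U; replace with the range set in the FTP server.
for /L %%p in (60000,1,60010) do (
    netsh ipsec static add filter filterlist="Inbound services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=%%p mirrored=yes
)
netsh ipsec static add rule name="Allow inbound services" policy="%POLICY%" filterlist="Inbound services" filteraction="Permit"

rem B. Outbound ports, local to external: only needed for a mail server.
rem Delete these lines on a box that sends no mail.
netsh ipsec static add filterlist name="Outbound"
netsh ipsec static add filter filterlist="Outbound" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="Outbound" srcaddr=me dstaddr=any protocol=udp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="Outbound" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=25 mirrored=yes
netsh ipsec static add rule name="Allow outbound" policy="%POLICY%" filterlist="Outbound" filteraction="Permit"

rem C. Block everything else. IPSec applies the most specific matching filter,
rem so the port-specific permits above still take precedence over this catch-all.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name="Block all" policy="%POLICY%" filterlist="All traffic" filteraction="Block"

rem Assign the policy and display it for review. Requires the IPSEC Services service.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%"
```

Assign the policy from the local console rather than over 3389, since a missing rule locks out every remote session at once; netsh ipsec static set policy name="Server Hardening" assign=n removes it again.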
2. User accounts
A. Rename the administrator; in this example, to root.
B. For all users except the administrator root, clear the account properties
Remote Control -> Enable remote control, and
Terminal Services Profile -> Allow logon to terminal server.
C. Rename guest to administrator and change its password.
D. Apart from the administrator root, IUSR, IWAM and ASPNET, disable all other users, including SQL DEBUG and TERMINAL USER.
3. Directory permissions
Change the permissions of all drive letters to only:
Administrators group: all permissions
SYSTEM: all permissions
Let all subdirectories and files of drive C inherit the Administrators (group or user) and SYSTEM permissions from drive C.
Then make the following changes:
C:\Program Files\Common Files: open the default Everyone permissions Read & Execute and List Folder Contents.
C:\WINDOWS\: open the default three Everyone permissions Read & Execute, List Folder Contents, and Read.
C:\WINDOWS\Temp: open Everyone Modify, Read & Execute, List Folder Contents, Read, and Write.
Now a WebShell cannot write files into the system directory.
You can also use stricter permissions
and set permissions on individual directories under WINDOWS,
but that is complicated and the effect is not obvious.
4. IIS
Under IIS 6, the ISAPI mappings in Application Extensions have already removed dangerous script types such as IDQ and PRINTER;
under IIS 5 we need to delete all mappings except ASP and ASA.
Install URLScan.
In [DenyExtensions]
add the following entries:
.cer
.cdx
.mdb
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
In this way intruders cannot download the .mdb database. This method is more thorough than methods that add special characters to the file header,
because even with special characters in the file header, a request can still be constructed by encoding.
5. Web directory permissions
As a virtual host, there will be many independent customers;
it is safer to create a Windows user for each customer.
Then, in the corresponding IIS site,
bind the anonymous user that IIS runs as to this user,
point it to the site directory,
and change the permissions to:
Administrators: all permissions
SYSTEM: all permissions
The user created for the site (or IUSR): in Advanced, open all permissions except Full Control, Traverse Folder / Execute File, and Take Ownership.
If there are not many sites on the server and there are forums,
we can also, for each forum's upload directory,
remove this user's execute permission,
leaving only read and write.
In this way, even if intruders bypass the forum's file-type check and upload a webshell,
it cannot run.
6. MS SQL Server 2000
Log on to Query Analyzer with a system administrator account
and run the following script:
use master
-- command execution and file-system enumeration
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_dropextendedproc 'xp_dirtree'
exec sp_dropextendedproc 'xp_enumgroups'
exec sp_dropextendedproc 'xp_fixeddrives'
exec sp_dropextendedproc 'xp_loginconfig'
exec sp_dropextendedproc 'xp_enumerrorlogs'
exec sp_dropextendedproc 'xp_getfiledetails'
-- OLE automation (lets T-SQL create COM objects such as WScript.Shell)
exec sp_dropextendedproc 'sp_OACreate'
exec sp_dropextendedproc 'sp_OADestroy'
exec sp_dropextendedproc 'sp_OAGetErrorInfo'
exec sp_dropextendedproc 'sp_OAGetProperty'
exec sp_dropextendedproc 'sp_OAMethod'
exec sp_dropextendedproc 'sp_OASetProperty'
exec sp_dropextendedproc 'sp_OAStop'
-- registry access
exec sp_dropextendedproc 'xp_regaddmultistring'
exec sp_dropextendedproc 'xp_regdeletekey'
exec sp_dropextendedproc 'xp_regdeletevalue'
exec sp_dropextendedproc 'xp_regenumvalues'
exec sp_dropextendedproc 'xp_regread'
exec sp_dropextendedproc 'xp_regremovemultistring'
exec sp_dropextendedproc 'xp_regwrite'
drop procedure sp_makewebtask
go
This removes all of these dangerous extended stored procedures.
7. Modify cmd.exe and net.exe permissions
Change the permissions on the two files so that only a specific administrator has access; in this example:
cmd.exe: root user, all permissions
net.exe: root user, all permissions
This prevents unauthorized access.
You can also use the comlog program provided with the examples:
rename the original cmd.exe to _cmd.exe and put the comlog version in its place; every command line executed is then recorded.
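The ACL change above as an added example script using cacls.exe (not the article's own code); "root" is the renamed administrator from section 2 and the backup directory is an assumption. It goes one step beyond the text by also covering net1.exe, since net.exe merely passes its arguments to net1.exe.

```batch
@echo off
rem Added example: restrict cmd.exe, net.exe and net1.exe to one administrator.
setlocal
set ADMIN=root
set BACKUPDIR=e:\backup\acl
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

rem net.exe only hands its arguments to net1.exe, so net1.exe must be locked
rem down as well or the restriction on net.exe achieves nothing.
for %%f in (cmd.exe net.exe net1.exe) do (
    rem Record the current ACL so the change can be reverted later.
    cacls "%SystemRoot%\system32\%%f" > "%BACKUPDIR%\%%f.txt"
    rem /P without /E replaces the entire ACL, leaving only the listed user with
    rem F = Full Control. SYSTEM and Administrators lose access too, as intended.
    rem cacls asks for confirmation, hence the piped y.
    echo y| cacls "%SystemRoot%\system32\%%f" /P %ADMIN%:F
)

rem Verify: each file should now list a single entry, root with F.
for %%f in (cmd.exe net.exe net1.exe) do cacls "%SystemRoot%\system32\%%f"
```

Scheduled tasks and services that spawn cmd.exe under SYSTEM stop working after this, so test on the VM before applying it to production.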
8. Backup
Use ntbackup to back up the system state.
Use reg.exe to back up key system data,
for example reg export HKLM\SOFTWARE\ODBC e:\backup\system\odbc.reg /y
to back up the system's ODBC configuration.
9. Anti-virus
Here we introduce the Chinese enterprise edition of McAfee 8i.
This version is updated promptly for much of the malicious code and many of the Trojans circulating in China;
for example, the Haiyang Top 2006 webshell is detected.
It can also remove MIME-encoded virus files from the queues used by SMTP software such as IMail.
Many people prefer to install Norton Enterprise Edition, but Norton Enterprise Edition does not react to webshells
and cannot scan MIME-encoded files.
In McAfee
we can also add rules that prevent the creation and modification of .exe and .dll files in the Windows directory.
We add a scheduled scan of the web directory to the software,
run once a day,
and enable real-time monitoring.
10. Disable unnecessary services
We usually disable the following services:
Computer Browser
Help and Support
Messenger
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper
If the server does not need domain control, we can also disable
Workstation
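An added example script (not from the article) that disables the services listed above with sc.exe; the mapping from display names to the internal service names sc.exe expects is the standard one for Windows Server 2003.

```batch
@echo off
rem Added example: stop and disable the services from section 10.
rem Display name to service name:
rem   Computer Browser = Browser, Help and Support = helpsvc, Messenger = Messenger,
rem   Print Spooler = Spooler, Remote Registry = RemoteRegistry,
rem   TCP/IP NetBIOS Helper = lmhosts, Workstation = lanmanworkstation
set SERVICES=Browser helpsvc Messenger Spooler RemoteRegistry lmhosts

for %%s in (%SERVICES%) do (
    sc stop %%s >nul 2>&1
    rem sc.exe requires the space after "start="
    sc config %%s start= disabled
)

rem Only when the server needs no domain controller and no file shares:
rem sc stop lanmanworkstation
rem sc config lanmanworkstation start= disabled

rem Verify: every service should report "START_TYPE : 4 DISABLED".
for %%s in (%SERVICES%) do sc qc %%s | find "START_TYPE"
```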
11. Remove dangerous components
If the server does not need FSO:
regsvr32 /u c:\windows\system32\scrrun.dll
unregisters the component.
Then use regedit:
under HKEY_CLASSES_ROOT, rename or delete the keys
WScript.Network
WScript.Network.1
WScript.Shell
WScript.Shell.1
Shell.Application
Shell.Application.1
Take the string contained in the CLSID value of each of these keys,
for example {72c24dd5-d70a-438b-8a42-98108b88afb8},
find the keys named after these strings under HKEY_CLASSES_ROOT\CLSID,
and delete them all.
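The same component removal as an added example script (not the article's own code): it exports each key to a .reg file before deleting it, and reads the CLSID from the registry instead of hard-coding it. The backup directory is an assumption.

```batch
@echo off
rem Added example: unregister FSO and remove the WScript/Shell ProgIDs and their CLSIDs.
setlocal enabledelayedexpansion
set BACKUPDIR=e:\backup\registry
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

rem Unregister scrrun.dll, the FileSystemObject, silently. Skip if sites need FSO.
regsvr32 /u /s "%SystemRoot%\system32\scrrun.dll"

for %%k in (WScript.Network WScript.Network.1 WScript.Shell WScript.Shell.1 Shell.Application Shell.Application.1) do (
    set CLSID=
    rem The default value of the CLSID subkey holds the GUID, e.g. {72C24DD5-D70A-438B-8A42-98108B88AFB8}
    rem for WScript.Shell. Splitting on the braces makes the reg query output layout irrelevant.
    for /f "tokens=2 delims={}" %%g in ('reg query "HKCR\%%k\CLSID" /ve 2^>nul ^| find "REG_SZ"') do set CLSID={%%g}
    reg export "HKCR\%%k" "%BACKUPDIR%\%%k.reg" /y >nul 2>&1
    reg delete "HKCR\%%k" /f >nul 2>&1 && echo removed HKCR\%%k
    if defined CLSID (
        reg export "HKCR\CLSID\!CLSID!" "%BACKUPDIR%\!CLSID!.reg" /y >nul 2>&1
        rem ProgID and ProgID.1 share one CLSID, so the second attempt simply finds nothing.
        reg delete "HKCR\CLSID\!CLSID!" /f >nul 2>&1 && echo removed HKCR\CLSID\!CLSID!
    )
)

rem Verify: none of the ProgIDs should resolve any more.
for %%k in (WScript.Network WScript.Shell Shell.Application) do reg query "HKCR\%%k" >nul 2>&1 && echo STILL PRESENT: %%k
```

To undo, run regsvr32 scrrun.dll and reg import each saved .reg file.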
12. Audit
Local Security Policy -> Local Policies -> Audit Policy
Enable the following:
Audit policy change: Success, Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure