How to prevent attacks by exploiting vulnerabilities

Source: Internet
Author: User

Attacks that exploit vulnerabilities are a type of attack that gives network administrators headaches. How can we prevent such attacks?
Improve Defense Awareness
Administrators usually pay attention to the Windows vulnerabilities released by Microsoft and install system patches promptly. However, third-party service programs running on the system are often ignored. For example, a remote overflow vulnerability in the Serv-U service turned many servers into hackers' "bots" some time ago.
Remote access and database services running on the system all have vulnerabilities to varying degrees. Administrators should also watch these third-party service programs, follow the vulnerability notices released by their vendors, and install patches or upgrade the service programs promptly. In addition, a class of vulnerabilities exists in file-processing applications, such as those that open Microsoft Word documents, graphic files, Adobe PDF files, and RealPlayer video files. When the administrator opens such a file carrying malicious overflow code, the system opens the door to hackers.
To deal with such vulnerabilities, administrators must first improve their own awareness of them. Ordinary users should also be told not to open e-mail of unknown origin casually, and to install patches promptly.
A simple and effective method is to strictly control the programs installed on the server, keep the server lean, and disable unnecessary system services.
Watch for abnormal connections and check system logs
A common misunderstanding is that installing a firewall and anti-virus software effectively defends the system against vulnerability attacks. However, viewed from the TCP/IP layered model, firewalls work at the transport layer, whereas overflow exploit code usually targets application-layer programs. Therefore the firewall alone cannot detect such attacks.

The firewall can control all inbound and outbound connections. Relying only on the firewall's default configuration rules is not safe: the administrator needs to set strict access rules and open only the ports that must provide external services. In this way, even if a hacker can open a system port through the vulnerability, no connection can be established because the firewall blocks the port.
In addition, some attack programs use port bounce: after the overflow, the program actively connects to a port on the hacker's computer so that the hacker controls the compromised computer through a reverse connection. Firewalls generally control inbound connections strictly but manage outbound connections loosely, which is why such attacks often succeed. Therefore, when an abnormal outbound connection is found, the administrator needs to analyze it carefully: find the process that initiated the connection, check the user name of the process and the target port of the connection (for example with the Process Explorer program), and then judge from experience whether it is a normal connection or an illegal reverse connection.
When an overflow attack occurs, the service program may encounter unexpected errors. The administrator can also check the application log to learn the source, frequency, time, type, and other details of the errors and determine whether the website is under attack.
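The outbound-connection check described above, as an added example that is not part of the original article: it lists established connections that this host initiated, resolves the owning process and the account it runs as, and flags service-account processes talking to ports outside a small allow-list. The allow-list and the account names are assumptions; it relies on Get-NetTCPConnection (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
# Added example (not from the original article): triage outbound connections the way the
# article suggests (owning process, its user name, target port) in one table.
$serviceAccounts = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
$expectedPorts   = 80, 443, 53          # constructed allow-list; adjust to the server's role

function Get-OutboundConnectionReport {
    # Connections whose local port is a listening port were accepted, not initiated; skip them.
    $listening = (Get-NetTCPConnection -State Listen).LocalPort
    Get-NetTCPConnection -State Established |
        Where-Object { $_.LocalPort -notin $listening } |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $conn  = $_
            $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
            $owner = '<exited>'
            if ($proc) {
                $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
                $owner = if ($o.User) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
            }
            # A service account reaching out to a port that is not part of its normal job
            # matches the "service overflowed, then called home" pattern the article describes.
            $flag = ($owner -in $serviceAccounts) -and ($conn.RemotePort -notin $expectedPorts)
            [pscustomobject]@{
                Process    = if ($proc) { $proc.Name } else { '<exited>' }
                PID        = $conn.OwningProcess
                RunsAs     = $owner
                LocalPort  = $conn.LocalPort
                Remote     = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                Suspicious = $flag
            }
        } | Sort-Object Suspicious -Descending
}

Get-OutboundConnectionReport | Format-Table -AutoSize
```

A "Suspicious" row is a starting point for the manual judgement the article calls for, not a verdict; compare the process path and command line against what the service normally does before acting.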
Restrict service program permissions reasonably
After a hacker successfully exploits the vulnerability, he obtains a remotely connected shell. The permissions of this shell usually inherit the permissions the overflowed service program started with. Most services run with the System account's permissions, which in the system even exceed those of the Administrator account. In other words, if the overflow succeeds, the hacker becomes the administrator of the system.
Although many of the system's built-in service programs must start with System account permissions, many service programs let you choose the user account at startup. For such a service program, we can create an account with lower permissions in the system and start the service program with it. In this way, even if the vulnerability is exploited, the hacker can only obtain a low-privilege shell.
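One way to do this for a third-party service, as an added example that is not the article's own: create a plain local account and point the service at it with sc.exe. "ExampleSvc" and "svc_example" are placeholder names; it assumes Windows 10 / Server 2016 or later (New-LocalUser) and an elevated prompt.

```powershell
# Added example (not from the original article): run a service under a dedicated
# low-privilege local account instead of LocalSystem.
$serviceName = 'ExampleSvc'      # placeholder: the third-party service to reconfigure
$account     = 'svc_example'     # placeholder: dedicated account, member of Users only
$password    = Read-Host -Prompt "Password for $account" -AsSecureString

# 1) Create the account. Password never expires so the service does not silently stop
#    starting later; the account gets no group beyond what the service really needs.
New-LocalUser -Name $account -Password $password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Least-privilege service account' | Out-Null

# 2) Point the service at the account. sc.exe wants the plaintext password; the ".\"
#    prefix denotes a local account. Note the space after each "=" is required.
$plain = [System.Net.NetworkCredential]::new('', $password).Password
sc.exe config $serviceName obj= ".\$account" password= $plain
$plain = $null

# 3) Restart and verify. If the service fails to start, the account lacks the
#    "Log on as a service" right (secpol.msc > User Rights Assignment) or lacks
#    read/write access to the service's own files, registry keys or listening ports.
Restart-Service -Name $serviceName
Get-CimInstance Win32_Service -Filter "Name = '$serviceName'" |
    Select-Object Name, StartName, State, ProcessId
```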
Modify the security attributes of applications
Even with a low-privilege shell, the hacker often does not give up and may upload a local overflow (privilege escalation) program to expand his permissions further. So a low-privilege shell is still dangerous. How, then, can we prevent hackers from getting a shell at all?
We can start by modifying the security attributes of cmd.exe so that the hacker cannot access the cmd.exe file from the shell environment.
In the NTFS file system, permissions on an application can be set separately for each account. Here we add an account with minimal permissions and restrict the use of cmd commands.
(1) Add an account
Run the "net user hidden$ /add" command to add a "hidden" account that belongs to the "users" group, and set a strong password for it.
Tip: appending the "$" symbol to the account name creates a hidden account that is not shown by the "net user" command.
(2) Modify the security attributes of cmd.exe
Find cmd.exe in the Windows system32 directory, right-click it, open "Properties" and the "Security" tab, remove the permissions of all the users shown there (figure 1), then add the "hidden" user and assign it permissions.
In this way the hacker cannot do damage through the shell, but this does not stop him completely.
A clever hacker can add commands such as "net user hack 123 /add" and "net localgroup administrators hack /add" to the code of the overflow program; when the overflow succeeds, a "hack" account with the password "123" is added to the Administrators group. Likewise, the hacker can run commands to start the Telnet service, terminate anti-virus software processes, or download trojan files. For this reason, we also need to modify the permissions of the net.exe and net1.exe files in the system32 directory, and likewise those of ftp.exe and tftp.exe.
Note: why use this complicated method instead of simply renaming or deleting these programs? Because these files are protected by Windows and cannot be deleted directly; even if they are deleted, the system regenerates them.
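The account creation and ACL steps above, carried out with icacls instead of the Properties dialog, as an added example that is not part of the original article. It saves each file's original ACL first so the change can be reverted, uses well-known SIDs so it works regardless of display language, and assumes an elevated prompt on Windows 10 / Server 2016 or later (New-LocalUser); "C:\aclbackup" is an assumed backup location.

```powershell
# Added example (not from the original article): restrict cmd.exe, net.exe, net1.exe,
# ftp.exe and tftp.exe so that only SYSTEM, Administrators and the hidden account can run them.
$sys32  = Join-Path $env:SystemRoot 'System32'
$tools  = 'cmd.exe', 'net.exe', 'net1.exe', 'ftp.exe', 'tftp.exe'
$backup = 'C:\aclbackup'                                    # constructed backup location
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# (1) Hidden low-privilege account: the trailing "$" hides it from "net user";
#     it is a member of Users only, exactly as the article describes.
$pw = Read-Host -Prompt 'Password for hidden$' -AsSecureString
New-LocalUser -Name 'hidden$' -Password $pw -PasswordNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Users' -Member 'hidden$'

# (2) Per file: back up the DACL, take ownership (System32 files belong to TrustedInstaller,
#     so Administrators cannot edit the ACL until they own the file), drop inherited and
#     broad-group entries, then grant read/execute only to the three allowed principals.
foreach ($tool in $tools) {
    $file = Join-Path $sys32 $tool
    if (-not (Test-Path $file)) { continue }                # tftp.exe is not always installed
    icacls $file /save (Join-Path $backup "$tool.acl") | Out-Null   # undo: icacls $sys32 /restore <acl file>
    takeown /f $file /a | Out-Null                          # /a = give ownership to Administrators
    icacls $file /inheritance:r | Out-Null
    #              Users          Authenticated Users  Everyone   ALL APPLICATION PACKAGES
    icacls $file /remove:g '*S-1-5-32-545' '*S-1-5-11' '*S-1-1-0' '*S-1-15-2-1' | Out-Null
    #              SYSTEM            Administrators          hidden account
    icacls $file /grant:r '*S-1-5-18:(RX)' '*S-1-5-32-544:(RX)' 'hidden$:(RX)' | Out-Null
    icacls $file                                            # show the resulting ACL for review
}
```

Removing the Users group's execute right on cmd.exe also affects legitimate scheduled tasks, installers and scripts that spawn a command prompt, so run this on a test host first and keep the saved ACL files until the server has been observed behaving normally.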
