Learn how to handle overflow Elevation of Privilege attacks

Despite the frequent attacks by malicious users and the emergence of system vulnerabilities, network administrators and system administrators have made great efforts in server security, such as timely patching of system security and some conventional security configurations, but sometimes still insecure. Therefore, before malicious user intrusion, some series of Security Settings must be used to block intruders out of the "security door". below, the simplest and most effective protection (Overflow) will be implemented) overflow and local access attack solutions are provided to you.

I. How to prevent overflow attacks

1. Install patches for system vulnerabilities as much as possible. For example, the system of Microsoft Windows Server can enable the automatic update service, then, the server is automatically connected to the Microsoft Update Website for patch updates within a specified period of time. If your server prohibits Internet connections for security reasons, you can use the Microsoft WSUS service to upgrade your server over the Intranet.

2. Stop all unwanted system services and applications, and minimize the number of attacks on servers. For example, MSDTC overflows a few days ago, causing many servers to crash. In fact, if a WEB server does not use the MSDTC service at all, you can stop the MSDTC Service so that MSDTC Overflow does not pose any threat to your server.

3. Enable TCP/IP port filtering. Only common TCP ports such as 21, 80, 25, 110, and 3389 are opened. If the security requirement is higher, you can disable the UDP port, of course, if this problem occurs, it is inconvenient to connect to the external server. We recommend that you use IPSec to block UDP. In protocol filtering, "only allow" TCP protocol (Protocol Number: 6), UDP protocol (Protocol Number: 17), and RDP protocol (Protocol Number: 27; other useless items are not open.

4. Enable the IPSec Policy: Perform Security Authentication for the server connection and add double insurance to the server. As mentioned in ③, some dangerous end products can be banned here, such: 135 145 139 445 as well as UDP external connections, as well as the encryption of passthrough and communication with only trusted IP addresses or networks. (Note: in fact, the anti-bounce trojan uses IPSec to simply prohibit external access from UDP or non-commonly used TCP ports. The application of IPSec will not be continued here, you can go to server security to discuss Search "IPSec" and there will be N more information about IPSec applications ..)

5. Delete, move, rename, or use the Access Control table column Access Control Lists (ACLs) to Control key system files, commands, and folders:

(12.16.black often comes to shellwith the help of net.exe net1.exe ipconfig.exe user.exe query.exe regedit.exe regsvr32.exe to further control the server, for example, adding an account, cloning an administrator, etc. Here you can delete or rename these command programs. (Note: When deleting or renaming a file, stop the File Replication Service (FR) or delete or rename the corresponding file under % windir % system32dllcache .)

(22.16.txt) also moves these. EXE files to the specified folder, which is convenient for later use by the Administrator.

(3 ). access control table column ACLS control: Find the files commonly used by hackers, such as. exe00000000000032.exe net.exe net1.exe ipconfig.exe tftp.exe ftp.exe user.exe reg.exe regedit.exe regedt32.exe regsvr32.exe, under %windir1_system32, define the ACLs users they access in "properties" → "security", for example, only the administrator has the right to access, to prevent overflow attacks and illegal exploitation of these files after the overflow is successful, you only need to deny access to the system user in ACLs.

(42.16.if you think it is too annoying to use the system command cacls.exeto edit and modify the Acls of the. exe file, or write it as a. bat batch file to execute and modify the commands. (For details, see cacls /? Help, because there are too many commands here, I will not list and write batch processing code for you !!)

(5 ). it is also necessary to set the Security ACLS for disks such as C, D, E, and F. In addition, especially for win2k, for folders such as Winnt, WinntSystem, Document and Setting.