Preface
As a matter of fact, although I have some experience in server security settings, I still cannot talk about research, so I am not very steadfast in my mind when I write this article, I am always afraid that mistakes will lead to mistakes of others.
This article focuses more on the prevention of ASP Vulnerability attacks, so the server black protection and other aspects may be slightly less explained.
Basic Server Security Settings
Install patches
After the operating system is installed, it is best to install the patch before hosting. After the network is configured, if it is 2000, it is determined that SP4 is installed, if it is 2003, then it is best to install SP1, and then click Start → Windows Update to install all the key updates.
Install anti-virus software
Although anti-virus software sometimes cannot solve the problem, anti-virus software can avoid many problems. I have been using Norton 2004. It is said that 2005 can kill Trojans, but I have never tried it. Another person uses rising, which is determined to be able to kill Trojans. More people say that the Kaspersky driver is good, but I have never used it.
Do not expect anti-virus software to kill all Trojans, because ASP Trojans can be prevented by some means.
Set Port Protection and firewall, delete default share
These are all server anti-Black measures. Even if your server does not have IIS, these security measures are best performed. This is the blind zone of a river. We probably know that local security policies are used to block ports. However, there are many online strategies for this. You can refer to them for details, later, I may copy some files to my website.
Permission settings
Jiang feels that this is the key to preventing ASP Vulnerability attacks. Excellent permission settings can reduce the damage to an IIS Site or even a virtual directory. Here I will talk about the principles and setup ideas. After reading this, smart friends can solve the problem.
How permissions are set
Windows users generally divide permissions by users in the WINNT system. Choose Start> program> Administrative Tools> Computer Management> local users and groups to manage system users and user groups.
Set NTFS permissions. Remember to divide all hard disks into NTFS partitions when partitioning. Then we can determine the permissions that each partition has for each user. Right-click a file (folder) and choose Properties> Security> here to manage the NTFS file (folder) permission.
For IIS Anonymous Users, you can set an anonymous access user for each IIS Site or virtual directory (now it is called "IIS Anonymous user") when the user accesses your website. ASP file, this. the permissions of ASP files are the permissions of this "IIS Anonymous user.
How to Set permissions
Create a system user for each independent individual (such as a website or a virtual directory) so that the website has a unique identity that can be set in the system.
In IIS, enter the created user name in site or virtual directory properties → Directory Security → anonymous access and authentication control → edit → Anonymous Access → edit.
All partitions are set to prohibit access by this user, and the folder setting corresponding to the Home Directory of the site just now allows access by this user (to remove the parent permission, and add the hypervisor group and system group ).
After this setting, the ASP program in this site only has the permissions of the current folder. From the probe, all hard disks are Red Cross forks.
My settings
I create a user group first, and all the users of the site will be created in this group, and then set this group to have no permissions or reject it completely in each partition. Then, set the permissions of each IIS user in each folder.
I don't want to write because there are many, so most people should understand the above principles unless they don't know how to add system users and groups, I don't know how to set folder permissions, but I don't know where the IIS Site property is. If there are such people, don't worry too much. Take it easy and take a long time. You can find out the specific methods yourself. That's what I do. Of course, if I have time, I will write down my specific setting method, and I am proud to be able to play more.
Rename or uninstall insecure Components
Insecure components are not amazing
I added the unsafe component detection function in the ah Jiang probe 1.9 (in fact, this was written in reference to the 7i24 code, but the interface was changed a little more friendly, the detection method is basically the same as him). This function surprised many webmasters because he found that his server supports many insecure components.
In fact, as long as the above permission settings are completed, FSO, XML, and strem are no longer insecure components, because they do not have the permission to cross-folder or site. You don't have to worry about that happy time, but what time is there for anti-virus software.
The most dangerous components are wsh and shell, because it can run EXE and other programs on your hard disk, for example, it can run the elevation program to raise SERV-U permissions or even use ServU to run a higher-privilege system program.
Exercise caution when deciding whether to uninstall a component
Components appear for the purpose of application, not for the sake of insecurity. All components are useful, so before you detach a component, you must confirm that this component is not required by your website program, or even if it is removed, it is not general. Otherwise, you can only keep this component and work on your ASP program to prevent others from coming in, rather than preventing others from coming in to shell.
For example, FSO and XML are one of the most commonly used components and many programs use them. Wsh components will be used by some host management programs, and some packaging programs will also be used.
Unmount the most insecure Components
The simplest way is to directly Unmount and delete the corresponding program file. Save the following code as a. BAT file (the following uses Win2000 as an example. If 2003 is used, the system folder should be C:/Windows /)
Regsvr32/u c:/winnt/system32/wshom. ocx
Del C:/winnt/system32/wshom. ocx
Regsvr32/u c:/winnt/system32/shell32.dll
Del C:/winnt/system32/shell32.dll
Run wscript. Shell, Shell. Application, and wscript. Network. You may be prompted that the file cannot be deleted, so you don't have to worry about it. Restart the server and you will find that all three prompts "X Security.
Renamed insecure component
It should be noted that both the component name and CLSID must be modified and completely changed. The following describes how to use Shell. Application.
Open the Registry Editor [start → run → Regedit press enter], and then [edit → search → fill in shell. application → find next]. Two registry keys can be found using this method: "{13709620-c279-11ce-a49e-444553540000}" and "shell. application ". To ensure that the two registry keys are safe, export them and save them as the. reg file.
For example, we want to make such a change.
13709620-c279-11ce-a49e-444553540000 renamed 13709620-c279-11ce-a49e-444553540001
Shell. Application is renamed as shell. application_ajiang
Then, just export. the contents in the reg file are replaced by the above correspondence, and modified. import the reg file to the Registry (double-click it). After importing the renamed registry key, do not forget to delete the original two items. Note that the CLSID can only contain ten numbers and six abcdef letters.
The following is my modified code (two files are merged together ):
Windows Registry Editor Version 5.00
[Hkey_classes_root/CLSID/{13709620-c279-11ce-a49e-444553540001}]
@ = "Shell Automation Service"
[Hkey_classes_root/CLSID/{13709620-c279-11ce-a49e-444553540001}/inprocserver32]
@ = "C: // winnt // system32 // shell32.dll"
"Threadingmodel" = "apartment"
[Hkey_classes_root/CLSID/{13709620-c279-11ce-a49e-444553540001}/progid]
@ = "Shell. application_ajiang.1"
[Hkey_classes_root/CLSID/{13709620-c279-11ce-a49e-444553540001}/typelib]
@ = "{50a7e9b0-70ef-11d1-b75a-00a0c90564fe }"
[Hkey_classes_root/CLSID/{13709620-c279-11ce-a49e-444553540001}/version]
@ = "1.1"
[Hkey_classes_root/CLSID/{13709620-c279-11ce-a49e-444553540001}/versionindependentprogid]
@ = "Shell. application_ajiang"
[Hkey_classes_root/shell. application_ajiang]
@ = "Shell Automation Service"
[Hkey_classes_root/shell. application_ajiang/CLSID]
@ = "{13709620-c279-11ce-a49e-444553540001 }"
[Hkey_classes_root/shell. application_ajiang/curver]
@ = "Shell. application_ajiang.1"
You can save this as. run the reg file, but don't worry about it, because if a hacker reads this article, he will test the name I changed.
Prevent listing user groups and System Processes
I used the 7i24 method in ASP probe 1.9 to use GetObject ("winnt") to obtain a list of system users and system processes. This list may be exploited by hackers, we should hide it:
Choose Start> program> Administrative Tools> service. Find workstation, stop it, and disable it.
Prevents Serv-U permission escalation
In fact, after the shell component is deregistered, the possibility of the attacker to run the lifting tool is very small, but other script languages such as prel also have shell capabilities. It is better to set it to prevent such attacks.
Use ultraeditto open servudaemon.exe to search for ASCII: localadministrator, and modify it to the desired value of the same length. The process is the same as that of servuadmin.exe.
In addition, pay attention to setting the ACL for the folder where Serv-U is located. do not grant anonymous IIS users the permission to read the files. Otherwise, the files you modified will be stored, you can also analyze your Administrator name and password.
Common methods and prevention of ASP Vulnerability attacks
Generally, hackers always aim at forums and other programs. Because these programs have the upload function, they can easily upload ASP Trojans, even if they have set permissions, the Trojan can also control all files on the current site. In addition, with the trojan, we can use the trojan upload elevation tool to obtain higher permissions. The purpose of disabling the shell component is to prevent attackers from running the elevation tool.
If the forum administrator disables the upload function, the hacker will find a way to obtain the super-administrator password. For example, if you use the online forum and forget to change the name of the database, you can directly download your database, then it is not far from finding the password of the forum administrator.
As an administrator, we must first check our ASP program and make necessary settings to prevent the website from being hacked. The other is to prevent attackers from using a hacked website to control the entire server, because if your server also opens a site for friends, you may not be sure that your friend will set security settings for the Forum he uploaded. This uses the many things mentioned above. After the permission settings and anti-improvement measures are made, hackers can't destroy anything other than this website even if they enter a website.
Postscript
Maybe some security experts or corrupt experts may laugh at or steal joy when reading my articles, but I think there are still many correct points in my experience, there are thousands of people who know less than me who are eager for such an article as I did not understand at first, so I have to write, No matter what others say to me, I am not afraid that there will be more than a thousand people who will scold me. I am alone, and I don't have anything to say to my mother ......
In fact, this is just an example. From the laughter of others, I and my readers can learn more useful things.