Principles of Windows Internet Server Security Configuration Guide page 1/2

Source: Internet
Author: User
Tags syslog kiwi syslog

We follow an intrusion step by step, starting from the intruder's first action, and pair each step with the corresponding hardening measure for an existing Windows system.

1. Scan
This is the intruder's first step: probing the host for listening services that may be vulnerable.
Corresponding measure: port restrictions
Use a packet filter (on Windows, an IPSec policy or the host firewall) so that only the ports the service needs are open and every other port is blocked.
If you use an IPSec policy, every rule must be set as "mirrored" so that the reply traffic is matched as well; otherwise connections fail.

2. Download information
Here the main tool is UrlScan, an IIS filter that rejects illegal requests before they reach the application.
Measure: filter the corresponding requests
Install UrlScan and set the DenyExtensions section in urlscan.ini so that requests for files with specific extensions are refused.
This prevents files of those types from being executed or downloaded. Note that the check is applied to the extension of the requested URL, so it does not stop the upload itself, only later requests that would run the uploaded file.
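As an added example, not from the original article, here is a urlscan.ini fragment in the tool's own format. It shows the article's DenyExtensions approach next to the stricter allow-list mode that UrlScan also supports; the extensions listed are an assumption for a site that serves only .asp pages and static files.

```ini
; Added example (not from the original article). Extensions are assumptions.
[Options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=0
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

; With UseAllowExtensions=1 only these extensions are served; anything else,
; including an uploaded .asa, .cer or .exe, is rejected with 404.
; The lone "." permits extensionless requests (directory requests).
[AllowExtensions]
.
.asp
.htm
.html
.jpg
.gif
.css
.js

; With UseAllowExtensions=0 UrlScan uses this list instead (the article's
; approach). A deny list fails open for any extension you forgot to add.
[DenyExtensions]
.exe
.bat
.cmd
.com
.asa
.cer
.cdx
.ida
.idq
.htr
.printer

; Reject traversal and encoding tricks before the extension check runs.
[DenyUrlSequences]
..
./
\
:
%
&
```

Prefer the allow list on a server whose content types are known: a deny list has to anticipate every dangerous extension, while the allow list only has to name the handful you actually serve.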

3. Upload files
Intruders upload a webshell, escalate privileges, run cmd commands, and so on.
Measure: disable unneeded services and components, and set ACL permissions.
If the application can live without it, do not use FSO (FileSystemObject).
Run regsvr32 /u c:\windows\system32\scrrun.dll to unregister the DLL that provides it.
If FSO must remain enabled:
Create a dedicated user for each site.
Give that user only read, write, and execute permission on its own site directory (and nothing on other sites' directories), and grant full control to Administrators.
Where possible, keep the upload directory separate from the script directory and give the site user write but not execute permission there, so an uploaded .asp cannot run.
Install anti-virus software so that uploaded malicious code is removed in real time.
Personal recommendation: McAfee or Kaspersky.
If McAfee is used, configure it to block the creation and modification of files in the WINDOWS directory.
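The per-site account and ACL described above, as an added example that is not part of the original article. It assumes Windows Server 2016 or later (for New-LocalUser), a site named site1 under D:\wwwroot, and an upload directory that must never execute scripts; run it as an administrator.

```powershell
# Added example (not from the original article): one low-privilege account per
# site, confined by ACL to that site's directory. Paths and names are assumptions.
param(
    [string]$SiteName  = "site1",
    [string]$SiteRoot  = "D:\wwwroot\site1",
    [string]$UploadDir = "D:\wwwroot\site1\upload"
)
$SiteUser = "web_$SiteName"

# 1. A dedicated local account that exists only for IIS to run this site under.
#    Deny it "Log on locally" / "Allow log on through Remote Desktop" in the
#    Local Security Policy afterwards (no built-in cmdlet for user rights).
$password = Read-Host -AsSecureString "Password for $SiteUser"
New-LocalUser -Name $SiteUser -Password $password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description "IIS identity for $SiteName" | Out-Null

# 2. Site root: drop inherited ACEs, then grant explicitly. (OI)(CI) = applies to
#    files and subfolders. The site user gets read+execute over the script tree
#    and has no ACE at all on any other site's directory.
icacls $SiteRoot /inheritance:r
icacls $SiteRoot /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
icacls $SiteRoot /grant   "$($SiteUser):(OI)(CI)RX"

# 3. Upload directory: write and delete, but NO execute. An uploaded .asp
#    dropped here cannot be run by the site's own identity. Also set the
#    directory's execute permission to "None" in IIS so the server will not
#    run scripts from it even for other identities.
New-Item -ItemType Directory -Force -Path $UploadDir | Out-Null
icacls $UploadDir /inheritance:r
icacls $UploadDir /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
icacls $UploadDir /grant   "$($SiteUser):(OI)(CI)(R,W,D)"

# 4. Optional: unregister FileSystemObject if the application does not need it.
#    regsvr32 /u "$env:SystemRoot\System32\scrrun.dll"

# 5. Verify the effective ACLs; the site user must not appear on any other site.
icacls $SiteRoot
icacls $UploadDir
```

Point the IIS application pool (or, on old IIS, the site's anonymous user) at web_site1 afterwards; the ACL only means something once the site actually runs under that account.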

4. WebShell
After uploading a file, the attacker uses the webshell to run executable programs or to perform file operations more conveniently.
Corresponding measure: remove the corresponding services and components
A webshell generally relies on the following COM components:
WScript.Network
WScript.Network.1
WScript.Shell
WScript.Shell.1
Shell.Application
Shell.Application.1
Rename or delete these ProgID keys in the registry under HKEY_CLASSES_ROOT.
Note the CLSID value stored under each of those keys, and delete the matching key under HKEY_CLASSES_ROOT\CLSID as well; otherwise the object can still be created by CLSID.
Back the keys up first: legitimate scripts (installers, logon scripts) also use WScript.Shell and Shell.Application, and an intruder who already has administrator rights can simply re-register them, so this measure only stops a low-privileged webshell.
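The ProgID and CLSID removal above, as an added example that is not from the original article. The backup directory is an assumption; run it as an administrator, and note the caveat in the comments about 64-bit hosts.

```powershell
# Added example (not from the original article): export, then remove, the COM
# ProgIDs a webshell relies on together with their CLSIDs. Backup path is an assumption.
$ProgIds = "WScript.Network", "WScript.Network.1",
           "WScript.Shell",   "WScript.Shell.1",
           "Shell.Application", "Shell.Application.1"
$BackupDir = "C:\admin\reg-backup"
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

foreach ($progId in $ProgIds) {
    $progKey = "Registry::HKEY_CLASSES_ROOT\$progId"
    if (-not (Test-Path $progKey)) { Write-Host "$progId not present, skipping"; continue }

    # The ProgID key stores its CLSID as the default value of its CLSID subkey.
    $clsid = (Get-ItemProperty -Path "$progKey\CLSID" -ErrorAction SilentlyContinue).'(default)'
    $safe  = $progId -replace '[^\w\.]', '_'

    # Export before deleting so the change can be reverted with "reg import".
    reg export "HKCR\$progId" "$BackupDir\$safe.reg" /y | Out-Null

    if ($clsid) {
        # The versioned ProgID (e.g. WScript.Shell.1) shares the CLSID with the
        # unversioned one, so the CLSID key is only removed once.
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path $clsidKey) {
            reg export "HKCR\CLSID\$clsid" "$BackupDir\$safe-clsid.reg" /y | Out-Null
            Remove-Item -Path $clsidKey -Recurse -Force   # take ownership first if denied
        }
    }
    Remove-Item -Path $progKey -Recurse -Force
    Write-Host "Removed $progId (CLSID $clsid); backup in $BackupDir"
}
# On 64-bit Windows the 32-bit view lives under HKCR\WOW6432Node\CLSID as well;
# repeat the CLSID removal there if 32-bit script hosts are present (not handled here).

# Verify: creating the object must now fail.
try {
    New-Object -ComObject WScript.Shell | Out-Null
    Write-Warning "WScript.Shell is still creatable"
} catch {
    Write-Host "WScript.Shell no longer creatable: $($_.Exception.Message)"
}
```

Re-run the verification after Windows updates and application installs, since either may silently re-register the components.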

5. Execute a shell
The intruder obtains a shell to run further commands.
Measure: set ACL permissions.
The Windows command-line console is \WINDOWS\SYSTEM32\CMD.EXE.
Modify the ACL of this file so that
one specific administrator account (for example, Administrator) has full control, and
all other users, including the SYSTEM account and the Administrators group, have no access to this file.
Test this before relying on it: services, scheduled tasks and installers that spawn cmd.exe under SYSTEM will break, and an intruder who can upload files can bring a copy of cmd.exe, so the ACL only stops a webshell that depends on the system copy.

6. Use existing users or add users
By modifying existing users or adding normal Windows accounts, the intruder moves a step closer to administrator permissions.
Measure: set ACL permissions and restrict users.
Remove the Terminal Services logon right from every user except the administrator.
Restrict access to CMD.EXE as in step 5.
Disable xp_cmdshell in SQL Server, and make sure the web application's SQL login is not a sysadmin, since a sysadmin can simply turn it back on.
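The cmd.exe ACL from step 5 and the xp_cmdshell restriction from step 6, as one added example that is not from the original article. The account name and the local default SQL Server instance are assumptions; run as an administrator with sqlcmd installed.

```powershell
# Added example (not from the original article): restrict cmd.exe to one named
# administrator and disable xp_cmdshell. Account and instance are assumptions.
$Keeper   = "$env:COMPUTERNAME\Administrator"   # the one account allowed to use cmd.exe
$Instance = "."                                  # local default SQL Server instance

# Both copies of cmd.exe on a 64-bit host; the file is owned by TrustedInstaller
# on current Windows, so ownership must be taken before the ACL can be replaced.
$CmdCopies = @("$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\SysWOW64\cmd.exe") |
    Where-Object { Test-Path $_ }

foreach ($cmd in $CmdCopies) {
    takeown /f $cmd /a | Out-Null            # owner -> Administrators group
    icacls $cmd /inheritance:r               # drop inherited ACEs
    icacls $cmd /grant:r "$($Keeper):F"      # only ACE left: the keeper, full control
    icacls $cmd                              # verify: SYSTEM and Administrators absent
}
# Caveat: anything that spawns cmd.exe as SYSTEM (services, scheduled tasks,
# installers) will now fail. Test, and keep the step-3 no-execute ACL on upload
# directories so an intruder cannot simply bring a private copy of cmd.exe.

# Disable xp_cmdshell. The switch is only visible behind 'show advanced options',
# which is turned back off afterwards.
$disable = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " +
           "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE; " +
           "EXEC sp_configure 'show advanced options', 0; RECONFIGURE;"
sqlcmd -S $Instance -E -Q $disable

# Verify (expect value_in_use = 0).
sqlcmd -S $Instance -E -Q "SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';"

# Verify the web application's login is not sysadmin; if this returns 1 the
# xp_cmdshell setting is cosmetic, because that login can re-enable it.
sqlcmd -S $Instance -E -Q "SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_login') AS is_sysadmin;"
```

The last query uses the login name webapp_login as a placeholder; substitute the login your application actually connects with.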

7. Log on to the graphical terminal
Intruders log on through Terminal Services, Radmin, and other graphical remote-control tools
to gain the ability to run graphical programs, since most Windows applications are GUI-based.
This step is therefore what every intruder into Windows wants.
Corresponding measure: port restrictions
Intruders may use port 3389 or a Trojan to obtain access to the graphical interface.
The port restrictions from step 1 block all inbound and outbound traffic that is not explicitly allowed, which also stops reverse-connecting ("rebound") Trojans from calling out.
The fewer ports the host is allowed to reach on the external network, the better.
Unless the host is a mail server, it needs no additional inbound or outbound ports.
Block all rebound Trojans this way.
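The port restrictions of steps 1 and 7, as one added example that is not from the original article. It uses the built-in host firewall (NetSecurity cmdlets, Windows Server 2012 and later) instead of the IPSec policy the article describes; the firewall is stateful, so replies are matched automatically and no "mirrored" rules are needed. The addresses, the admin network and the allowed ports are assumptions; run as an administrator.

```powershell
# Added example (not from the original article): default-deny in both directions,
# web ports inbound only, minimal outbound. Addresses and ports are assumptions.
$DnsServers = "10.0.0.2"
$SyslogHost = "10.0.0.50"
$AdminNet   = "10.0.1.0/24"      # only this network may reach RDP (3389)

# 1. Default deny, inbound and outbound, on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Inbound: the service ports only (step 1).
New-NetFirewallRule -DisplayName "Allow HTTP/HTTPS in" -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow

# RDP only from the admin network (step 7): the graphical terminal is never public.
New-NetFirewallRule -DisplayName "Allow RDP from admin net" -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminNet -Action Allow

# 3. Outbound: the minimum the host needs. Everything else is blocked, so a
#    reverse-connecting ("rebound") Trojan has nowhere to call home.
New-NetFirewallRule -DisplayName "Allow DNS out" -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers -Action Allow
New-NetFirewallRule -DisplayName "Allow syslog out" -Direction Outbound `
    -Protocol UDP -RemotePort 514 -RemoteAddress $SyslogHost -Action Allow
New-NetFirewallRule -DisplayName "Allow NTP out" -Direction Outbound `
    -Protocol UDP -RemotePort 123 -Action Allow
# Windows Update / anti-virus signature downloads are also blocked now; allow
# them to your update server (WSUS, proxy) explicitly rather than opening 80/443 out.

# 4. Verify: list what is allowed, then port-scan the host from outside
#    (e.g. nmap -p- <server>) and confirm only 80 and 443 answer.
Get-NetFirewallRule -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

Run the verification scan from a host on the external side, not from the admin network, or the RDP rule will make 3389 look open to the world.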

8. Erase footprints
Once the intruder has full administrator permissions on a machine,
the next step is to erase footprints to hide the intrusion.
Corresponding measure: audit
First, make sure enough audit categories are enabled in the Windows event logs.
If auditing is insufficient, the intruder does not even need to delete Windows events.
We can also replace built-in command-line tools such as net.exe with wrapped versions
that save every command run, so the intruder's actions can be reconstructed.
For the Windows logs themselves,
we can protect the integrity of the records by sending them to a remote log server.
The Evtsys tool (https://engineering.purdue.edu/ECN/Resources/Documents)
converts Windows event logs to syslog format and sends them to a remote server.
Use this tool together with a syslog daemon on the remote server; if the remote server is Windows,
we recommend the Kiwi Syslog Daemon.
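The audit configuration and log forwarding above, as an added example that is not from the original article. It enables the audit subcategories an intrusion leaves traces in, records command lines with process-creation events (a Windows 8.1/2012 R2 feature that replaces the wrapped net.exe idea), enlarges the local log, and installs Evtsys. The syslog host is an assumption; the Evtsys flags (-i to install as a service, -h for the syslog host) and the service name EvtSys are taken from the tool's own documentation and should be checked against the version you deploy. Run as an administrator.

```powershell
# Added example (not from the original article). Syslog host is an assumption;
# evtsys flags and service name are as documented by the tool (verify for your version).
$SyslogHost = "10.0.0.50"

# 1. Audit policy: the subcategories that record logons, account changes,
#    new processes, scheduled tasks and tampering with the policy itself.
$Subcategories = @(
    "Logon", "Logoff", "Account Lockout", "Special Logon",
    "User Account Management", "Security Group Management",
    "Process Creation",
    "Audit Policy Change", "Authentication Policy Change",
    "Other Object Access Events"        # scheduled task creation (4698)
)
foreach ($sc in $Subcategories) {
    auditpol /set /subcategory:"$sc" /success:enable /failure:enable | Out-Null
}

# 2. Put the full command line into event 4688 so "net user x y /add" is visible.
$auditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 3. Make the local Security log large enough that events are not overwritten
#    before they have been shipped off-host.
wevtutil sl Security /ms:268435456    # 256 MB
wevtutil sl Security /rt:false         # overwrite as needed, never stop logging

# 4. Ship events to the remote syslog server. Evtsys sends UDP 514 in the
#    clear: keep the syslog host on a management network, and allow 514/udp
#    outbound to it in the host firewall.
evtsys -i -h $SyslogHost
Start-Service -Name EvtSys

# 5. Verify: the effective policy, and a test logon visible on the syslog host.
auditpol /get /category:*
# An intruder clearing the Security log produces event 1102; because it is
# forwarded as it is written, the clearing itself is recorded remotely.
```

The remote copy is only as trustworthy as the path to it: an intruder with administrator rights can stop the EvtSys service, so alert on the syslog host when a source goes quiet.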

What we want to achieve is:
The intruder cannot scan the host for vulnerabilities.
Even after scanning, files cannot be uploaded.
Even after uploading files, files in other directories cannot be touched.
Even after touching files in other directories, a shell cannot be executed.
Even after executing a shell, users cannot be added.
Even after adding a user, the graphical terminal cannot be logged on to.
Even after logging on to the graphical terminal with full control of the system, everything done is still recorded.

Additional measures:
We can add some devices and measures to further enhance system security.
1. Proxy firewall, for example ISA 2004
The proxy firewall can filter incoming and outgoing packets.
Set it to filter the request string or form content of HTTP requests.
Filter out SELECT, DROP, DELETE, INSERT, and so on.
These keywords are then not allowed to appear in the form or content submitted by the client.
This filtering reduces exposure to SQL injection but does not eliminate it: a keyword blacklist is bypassed by case changes, inline comments and encoding, and it also rejects legitimate input that happens to contain those words. The real fix is parameterized queries in the application; treat the proxy filter as defense in depth.
2. Use Snort to build an IDS
Run Snort on a separate server.
Analyze and record all incoming and outgoing packets,
in particular FTP upload commands and HTTP requests for ASP files.
Please pay special attention to it.
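Snort rules for the two events singled out above, as an added example that is not from the original article. They use Snort 2 rule syntax; the $HOME_NET/$EXTERNAL_NET variables, the upload directory name and the sid range are assumptions.

```snort
# Added example (not from the original article). Snort 2 syntax; variables,
# the "/upload/" path and the sid range are assumptions.

# FTP: STOR of a server-side script into the web server. Matches the command
# line "STOR <name>.asp" and the other extensions IIS will execute.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP upload of server-side script"; flow:to_server,established; content:"STOR"; nocase; pcre:"/^STOR\s+.*\.(asp|asa|cer|cdx|aspx)\s*$/im"; classtype:web-application-attack; sid:1000001; rev:1;)

# HTTP: a request for an .asp under the directory that should only hold
# uploads; an uploaded webshell being invoked looks exactly like this.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ASP requested from upload directory"; flow:to_server,established; content:"/upload/"; http_uri; nocase; pcre:"/\/upload\/[^\s?]*\.asp/Ui"; classtype:web-application-attack; sid:1000002; rev:1;)

# HTTP: a POST whose body names cmd.exe, the usual shape of a webshell
# submitting a command to run.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Possible webshell command execution"; flow:to_server,established; content:"POST"; http_method; content:"cmd.exe"; http_client_body; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
```

Run the sensor on a span port or tap so it sees both directions, and tune the upload-directory rule to the real paths of each site; the .asp-in-upload-directory rule is the one that should fire rarely enough to page on.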
