Reinforcing IIS makes Webshell useless

Source: Internet
Author: User
Tags: microsoft, iis

Creating a web server with Microsoft IIS is very simple, but its security record is not flattering. Attackers obtain a webshell on a website through injection, upload, and bypass techniques, then penetrate further and escalate privileges until they control the entire server. Preventing attackers from obtaining a webshell in the first place is a matter for the application code; but as administrators, how should we harden the web server so that an attacker who does obtain a webshell gets nothing further from it?

I. Set Command Permissions

By default, a webshell can call system commands that put the server at risk, so the permissions on these commands must be restricted.

Commands that require permission restriction include:

cmd.exe, net.exe, net1.exe, ping.exe, netstat.exe, ftp.exe, tftp.exe, telnet.exe

Set the permissions on each of these programs so that only the Administrators group can access them. This prevents an attacker from creating new users or modifying the system through a webshell, and also prevents these key programs from being run through the Serv-U local privilege escalation vulnerability. Note in particular that cacls.exe should be deleted, so that users cannot modify permissions from the command line. (Figure 1)

Figure 1
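The command restriction above, done from PowerShell as an added example that is not part of the original article. It uses icacls.exe and takeown.exe, which exist on Windows Vista / Server 2008 and later (the article's Windows 2003 has only cacls.exe, whose syntax differs), and it locks cacls.exe down to administrators rather than deleting it; the function names and the verification pass are this example's own.

```powershell
# Added example (not from the original article): restrict the command-line tools
# the article lists so that only SYSTEM and the local Administrators group can
# read or run them, then verify the result. Assumes a Windows host with
# icacls.exe and takeown.exe (Vista / Server 2008 and later). Run elevated.

$system32 = Join-Path $env:SystemRoot 'System32'

# The tools named in the article, plus cacls.exe, which the article says to
# delete; here it is locked down instead so administrators can still use it.
$tools = 'cmd.exe', 'net.exe', 'net1.exe', 'ping.exe', 'netstat.exe',
         'ftp.exe', 'tftp.exe', 'telnet.exe', 'cacls.exe'

function Set-AdminOnlyAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not present, skipping: $Path"
        return
    }
    # System binaries are owned by TrustedInstaller; give ownership to the
    # Administrators group first, otherwise icacls is denied WRITE_DAC.
    & takeown.exe /F $Path /A | Out-Null
    # /inheritance:r drops inherited ACEs (Users, Everyone, ...);
    # /grant:r replaces any explicit ACEs with exactly these two.
    & icacls.exe $Path /inheritance:r `
        /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Test-AdminOnlyAcl {
    # $true when every Allow ACE in the DACL belongs to SYSTEM or Administrators.
    param([Parameter(Mandatory)][string]$Path)
    $allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $ace.IdentityReference.Value) {
            return $false
        }
    }
    return $true
}

foreach ($name in $tools) {
    Set-AdminOnlyAcl -Path (Join-Path $system32 $name)
}

# Verification pass: any tool reported as False still grants access elsewhere.
$tools | ForEach-Object { Join-Path $system32 $_ } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object {
        [pscustomobject]@{ Tool = $_; AdminOnly = (Test-AdminOnlyAcl -Path $_) }
    } | Format-Table -AutoSize
```

On IIS 7 and later the web request runs as the application pool identity (IIS APPPOOL\<pool name>) or NT AUTHORITY\IUSR rather than IUSR_machinename; both are excluded by this ACL just the same. Any scheduled task or service that runs under a non-administrative account and calls one of these tools will stop working, so run the verification pass and your application tests before rolling the change out.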

Personal tip: put a monitoring program with the same name as cmd.exe in the system directory and grant it the Everyone permission. When the attacker runs cmd.exe from the webshell, the monitoring program is triggered instead; it records and traces the attacker's activity and stops him from doing further damage. This helps us discover an intrusion before the attacker gets any further.

II. Set directory permissions (Windows 2003 as an example)

The principle is to run IIS with the minimum permissions it needs, without getting in its own way.

1. Select the entire hard disk:

System: Full Control

Administrators: Full Control

(Allow inheritable permissions from the parent to propagate to this object) (Figure 2)

Figure 2

2. C:\Program Files\Common Files:

Everyone: Read & Execute

List Folder Contents

Read

(Allow inheritable permissions from the parent to propagate to this object)

3. C:\Inetpub\wwwroot:

IUSR_machinename: Read & Execute

List Folder Contents

Read

(Allow inheritable permissions from the parent to propagate to this object)

4. C:\Windows\System32:

For all directories except inetsrv and certsrv, clear the "Allow inheritable permissions from the parent to propagate to this object" check box and choose Copy.

5. C:\Windows:

For all directories except Downloaded Program Files, Help, IIS Temporary Compressed Files, Offline Web Pages, System32, Tasks, Temp, and Web, clear the "Allow inheritable permissions from the parent to propagate to this object" check box and choose Copy.

6. C:\Windows:

Everyone: Read & Execute

List Folder Contents

Read

(Allow inheritable permissions from the parent to propagate to this object)

7. C:\Windows\Temp (allows the database to be accessed and displayed on ASP pages):

Everyone: Modify

(Allow inheritable permissions from the parent to propagate to this object)

III. Settings related to components

1. Delete the Shell.Application component

Remove the components that ASP webshells require but that ordinary virtual host users never use.

Many articles on preventing ASP Trojans say the FileSystemObject component should be deleted. However, once it is deleted, many ASP programs fail to run. In fact, as long as the directory permissions above are in place, FileSystemObject can only operate on files in its own directory, so it poses no threat.

The more threatening components are Shell.Application and WScript.Shell. Shell.Application can operate on files and run programs, but cannot pass parameters to them, while WScript.Shell can operate on the registry and execute DOS commands.

2. How to prevent the WScript.Shell component:

You can change the component name by modifying the registry.

HKEY_CLASSES_ROOT\WScript.Shell and HKEY_CLASSES_ROOT\WScript.Shell.1

Rename them, for example to WScript.Shell_ChangeName and WScript.Shell.1_ChangeName, and use the new name when you need to call the component later. (Figure 3)

Figure 3

Also change the CLSID value:

the value of HKEY_CLASSES_ROOT\WScript.Shell\CLSID

the value of HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID

You can also delete the component outright to prevent this kind of Trojan from doing harm.

3. How to prevent the Shell.Application component:

You can change the component name by modifying the registry.

HKEY_CLASSES_ROOT\Shell.Application and

HKEY_CLASSES_ROOT\Shell.Application.1

Rename them, for example to Shell.Application_ChangeName and Shell.Application.1_ChangeName.

You can still call the component normally under the new name later.

Also change the CLSID value:

the value of HKEY_CLASSES_ROOT\Shell.Application\CLSID (Figure 4)

Figure 4
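The ProgID renaming from points 2 and 3, scripted as an added example that is not part of the original article. It exports each key with reg.exe before renaming it so the change can be reversed, records the CLSID that the article changes as its second step, and then checks that the old names no longer create the object while the new ones still do. The "_ChangeName" suffix is the article's example; the function names and backup folder are this example's own.

```powershell
# Added example (not from the original article): rename the ProgID keys for
# WScript.Shell and Shell.Application, as the article describes, so that
# Server.CreateObject("WScript.Shell") in an ASP page fails while an
# administrator who knows the new name can still create the object. Each key
# is exported first so the change can be reversed. Run elevated. On 64-bit
# Windows the 32-bit view (HKCR\Wow6432Node\...) has its own copies.

$suffix = '_ChangeName'                       # the article's example suffix
$backup = Join-Path $env:TEMP 'com-progid-backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null

$progIds = 'WScript.Shell', 'WScript.Shell.1', 'Shell.Application', 'Shell.Application.1'

function Rename-ComProgId {
    param(
        [Parameter(Mandatory)][string]$ProgId,
        [Parameter(Mandatory)][string]$Suffix
    )
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "ProgID not registered: $ProgId"
        return
    }
    # Back up before touching anything; the .reg file re-imports with reg.exe.
    $file = Join-Path $backup "$ProgId.reg"
    & reg.exe export "HKCR\$ProgId" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $ProgId" }

    # Record the CLSID this ProgID resolves to; the article changes that value
    # as a separate step, and the operator needs to know which key it is.
    $clsid = (Get-ItemProperty -LiteralPath "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'

    Rename-Item -LiteralPath $key -NewName "$ProgId$Suffix"
    [pscustomobject]@{
        OldProgId = $ProgId
        NewProgId = "$ProgId$Suffix"
        Clsid     = $clsid
        Backup    = $file
    }
}

function Test-ComCreatable {
    # $true if New-Object can still instantiate the component by this ProgID.
    param([Parameter(Mandatory)][string]$ProgId)
    try { $null = New-Object -ComObject $ProgId -ErrorAction Stop; return $true }
    catch { return $false }
}

$progIds | ForEach-Object { Rename-ComProgId -ProgId $_ -Suffix $suffix } | Format-Table -AutoSize

# Verify: old names must fail, new names must still work for the administrator.
foreach ($p in $progIds) {
    '{0,-30} creatable={1}' -f $p, (Test-ComCreatable -ProgId $p)
    '{0,-30} creatable={1}' -f "$p$suffix", (Test-ComCreatable -ProgId "$p$suffix")
}
```

Renaming the ProgID only removes the name lookup; the component's class registration under HKCR\CLSID is untouched, which is why the article follows up by changing the CLSID value as well. To undo the rename, import the .reg file from the backup folder and delete the renamed key.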

You can also delete the component outright to prevent this kind of Trojan from doing harm.

IV. Comprehensive settings (for virtual hosts)

Note: the FileSystemObject (FSO) component gives ASP powerful file system access: it can read, write, copy, delete, and rename any file on the server's hard disk. However, if this component is disabled, every ASP page that uses it stops working, which does not meet our needs. How can we keep the FileSystemObject component enabled without compromising the server's security?

1. Directory permission settings.

On the server, open Windows Explorer, right-click the drive letter of each hard disk partition or volume, choose "Properties" from the pop-up menu, and select the "Security" tab. You can now see which accounts can access this partition (volume) and with what permissions. After a default installation, "Everyone" has Full Control. Click "Add" to add the "Administrators", "Backup Operators", "Power Users", and "Users" groups and grant them "Full Control" or the appropriate permissions. Note: do not grant the "Guests" group or the "IUSR_machinename" account any permissions. Then remove the "Everyone" group from the list. This way only authorized groups and users can access the hard disk partition. When ASP executes, it accesses the hard disk as "IUSR_machinename", and because that account has not been authorized, ASP cannot read or write files on the hard disk. (Figure 5)

Figure 5
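An audit script, added here as an example that is not part of the original article, covering both the directory permission steps of section II and step 1 above: it walks the directories the article configures and reports every ACE that gives Everyone, Users, or the IIS anonymous identity write, modify, or full control, which is exactly the access a webshell needs to drop or alter files. It assumes the IIS 6 account name IUSR_<machine> from the article and also checks the IIS 7+ identities (NT AUTHORITY\IUSR and IIS APPPOOL\<pool>); the function names and the target list are this example's own.

```powershell
# Added example (not from the original article): report write access held by
# web-facing principals on the directories the article's permission steps cover.

# Principals that web requests run as, or groups that contain them.
$webPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",   # IIS 6 anonymous account (article)
    'NT AUTHORITY\IUSR'                            # IIS 7+ anonymous account
)

# Any of these rights lets a file be created or changed.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WebPrincipal {
    param([Parameter(Mandatory)][string]$Identity)
    return ($webPrincipals -contains $Identity) -or $Identity.StartsWith('IIS APPPOOL\')
}

function Get-WebWritableAce {
    # Emits one record per offending ACE; emits nothing when the directories are clean.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ((Test-WebPrincipal -Identity $who) -and
                ([int]($ace.FileSystemRights -band $writeRights)) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# The locations from the article's directory permission steps.
$targets = @(
    "$env:SystemDrive\",
    "$env:SystemDrive\Program Files\Common Files",
    "$env:SystemDrive\Inetpub\wwwroot",
    "$env:SystemRoot\System32",
    $env:SystemRoot,
    "$env:SystemRoot\Temp"
)

$findings = Get-WebWritableAce -Path $targets
if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No write access for web principals on the audited directories.' }
```

Expect C:\Windows\Temp to appear in the output: step 7 of section II deliberately grants Everyone Modify there, so that line is a reminder of an accepted exception rather than a finding. Anything else listed is a directory where a webshell running as the anonymous account could write, and the Inherited column shows whether the ACE came from the drive root (the situation step 1 above removes) or was set explicitly.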

2. Create a customer account

Set up a separate user account for each virtual host user, and assign each account a directory over which it has full control.

Step 1: Open "Computer Management" > "Local Users and Groups" > "Users", right-click in the right-hand pane, and choose "New User" from the pop-up menu. In the "New User" dialog box, enter "User name", "Full name", "Description", "Password", and "Confirm password" as needed, clear the "User must change password at next logon" check box, and select "User cannot change password" and "Password never expires". In this example, the account "lw1" is created for the first virtual host's user as the built-in account for anonymous access to Internet Information Services, that is, all clients use htt
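The per-site account of step 2 above, created from PowerShell as an added example that is not part of the original article. It sets the same options the article selects in the "New User" dialog (user cannot change password, password never expires), then gives the account full control of its own site directory and nothing else. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 / PowerShell 5.1 and later) and icacls.exe; the account name lw1 is the article's, while the directory path, description and function name are constructed for this example. Pointing the IIS site's anonymous authentication at this account is done in the IIS configuration and is not shown.

```powershell
# Added example (not from the original article): create one local account per
# virtual-host site with the options the article selects, then grant it full
# control of its own site directory only. Run elevated.

function New-SiteAccount {
    param(
        [Parameter(Mandatory)][string]$Name,       # e.g. 'lw1' in the article
        [Parameter(Mandatory)][string]$SiteRoot,   # directory this account fully controls
        [string]$Description = 'Virtual host account'
    )
    # Generate a random password; store it in whatever secret store the site uses.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        # "User cannot change password" and "Password never expires", as in the dialog.
        New-LocalUser -Name $Name -Password $secure -Description $Description `
            -UserMayNotChangePassword -PasswordNeverExpires -AccountNeverExpires | Out-Null
    }

    New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null

    # Break inheritance so the drive-level ACL does not leak in, then grant the
    # site account full control of its own tree while keeping SYSTEM/Administrators.
    & icacls.exe $SiteRoot /inheritance:r /grant:r `
        "$env:COMPUTERNAME\${Name}:(OI)(CI)F" `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $SiteRoot" }

    [pscustomobject]@{ Account = $Name; SiteRoot = $SiteRoot; Password = $plain }
}

# Constructed example values: the article's account name, a made-up site path.
$result = New-SiteAccount -Name 'lw1' -SiteRoot 'D:\Sites\lw1' -Description 'Virtual host 1'
$result | Format-List

# Show the resulting DACL: only lw1, SYSTEM and Administrators should be listed.
& icacls.exe $result.SiteRoot
```

Because inheritance is removed on the site root, a second site's account (say lw2, created the same way) receives no ACE here and cannot read or write this site's files even though both accounts are members of Users. The generated password is returned once so it can be recorded; it is never needed interactively if the account is only used as the site's anonymous identity.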
