WindowsServer2003 + IIS6.0 + ASP Server security Settings--component security Settings Chapter A, uninstall the Wscript.Shell and Shell.Application components, save the following code as one. BAT file Execution (minutes 2000 and 2003 systems) Windows2000.bat
Copy Code code as follows:
Regsvr32/u C:/winnt/system32/wshom.ocx
Del C:/winnt/system32/wshom.ocx
Regsvr32/u C:/winnt/system32/shell32.dll
Del C:/winnt/system32/shell32.dll
Windows2003.bat
Regsvr32/u C:/windows/system32/wshom.ocx
Del C:/windows/system32/wshom.ocx
Regsvr32/u C:/windows/system32/shell32.dll
Del C:/windows/system32/shell32.dll
B, renamed unsafe Components, it is necessary to note that the name of the component and CLSID must be changed, and to change thoroughly, do not copy, to change their own
Start → Run →regedit→ return "open Registry Editor
Then "edit → find → fill shell.application→ Find Next"
You can find two registry entries in this way:
{13709620-c279-11ce-a49e-444553540000} and shell.application.
First step:
To ensure that it is foolproof, export the two registry keys and save them as xxxx.reg files.
Step two: For example, we want to make this change
13709620-c279-11ce-a49e-444553540000 renamed as 13709620-c279-11ce-a49e-444553540001
Shell.Application renamed as Shell.application_nohack
Step three: So, replace the contents of the. reg file that you just exported with the corresponding relationship above, and then import the modified. reg file into the registry (double-click), and after you import the renamed registry key, don't forget to delete the original two items. It should be noted here that the CLSID can only be 10 digits and abcdef six letters.
In fact, just export the corresponding registry keys to back up, and then directly change the key name on it,
A good example suggests that one should be successful:
Windows Registry Editor Version 5.00
[hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}]
@= "Shell Automation Service"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/inprocserver32]
@= "C://winnt//system32//shell32.dll"
"ThreadingModel" = "Apartment"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/progid]
@= "Shell.application_nohack.1"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/typelib]
@= "{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/version]
@= "1.1"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/versionindependentprogid]
@= "Shell.application_nohack"
[Hkey_classes_root/shell.application_nohack]
@= "Shell Automation Service"
[Hkey_classes_root/shell.application_nohack/clsid]
@= "{13709620-c279-11ce-a49e-444553540001}"
[Hkey_classes_root/shell.application_nohack/curver]
@= "Shell.application_nohack.1"
Comments: Wscript.Shell and Shell.Application Components is a script intrusion process, the promotion of the important link, the two components of the uninstall and modify the corresponding registry key, can greatly improve the virtual host script security performance, in general, ASP and PHP class script elevation of the function is not possible, coupled with some system services, hard disk access, port filtering, local Security policy settings, the virtual host should say, security can have a very big increase, the possibility of hacking is very low. After the shell component is logged off, the intruder is less likely to run the promotion tool, but Prel and other scripting languages also have shell capabilities, which is better for protection. Here is another setting, which is very similar.
First, prohibit the use of FileSystemObject components FileSystemObject can be normal operation of the file, you can modify the registry, the component renamed to prevent the harm of such Trojans.
hkey_classes_root/scripting.filesystemobject/
Renamed to other names, such as: Change to Filesystemobject_changename
You can call this component normally using this when you call it later.
Also change the CLSID value
Hkey_classes_root/scripting.filesystemobject/clsid/the value of the project
It can also be deleted to prevent the harm of such Trojans.
2000 Unregister this component command: regsrv32/u c:/winnt/system/scrrun.dll
2003 Unregister this component command: regsrv32/u c:/windows/system/scrrun.dll
How do I prevent the guest user from using Scrrun.dll to avoid calling this component?
Use this command: cacls c:/winnt/system32/scrrun.dll/e/d Guests
Ii. prohibit the use of Wscript.Shell components
Wscript.Shell can invoke the system kernel to run DOS basic commands
This can be prevented by modifying the registry to rename this component.
Hkey_classes_root/wscript.shell/and HKEY_CLASSES_ROOT/WSCRIPT.SHELL.1/
Change to a different name, such as: Wscript.shell_changename or Wscript.shell.1_changename
You can call this component normally using this when you call it later.
Also change the CLSID value
Hkey_classes_root/wscript.shell/clsid/the value of the project
Hkey_classes_root/wscript.shell.1/clsid/the value of the project
It can also be deleted to prevent the harm of such Trojans.
Third, prohibit the use of shell.application components
Shell.Application can invoke the system kernel to run DOS basic commands
This can be prevented by modifying the registry to rename this component.
hkey_classes_root/shell.application/
And
Hkey_classes_root/shell.application.1/
Change to a different name, such as: Shell.application_changename or Shell.application.1_changename
You can call this component normally using this when you call it later.
Also change the CLSID value
Hkey_classes_root/shell.application/clsid/the value of the project
Hkey_classes_root/shell.application/clsid/the value of the project
It can also be deleted to prevent the harm of such Trojans.
Prevents the guest user from using Shell32.dll to prevent calls to this component.
2000 use command: cacls c:/winnt/system32/shell32.dll/e/d Guests
2003 use command: cacls c:/windows/system32/shell32.dll/e/d Guests
Note: The operation will not take effect until the Web service is restarted.
Iv. Call Cmd.exe
Disable Guests group user call Cmd.exe
2000 use command: cacls c:/winnt/system32/cmd.exe/e/d Guests
2003 use command: cacls c:/windows/system32/cmd.exe/e/d Guests
Through the above four steps to set the basic can prevent the current more popular Trojans, but the most effective way or through comprehensive security settings, the server, the security of the program to achieve a certain standard, the security level may be set higher to prevent more illegal intrusion.
C, prevent serv-u privilege elevation (applicable to previous version of serv-u6.0, then you can set the password directly)
Stop the Serv-u service first.
Open ServUDaemon.exe with UltraEdit
Find Ascii:localadministrator and #l @ $ak #.lk;0@p
Change to equal length of other characters on it, ServUAdmin.exe also deal with the same.
Also note that you set the permissions of the folder in which Serv-u is located, and do not let IIS anonymous users have read permissions, or else you may be able to analyze your administrator name and password as you modify the file. The Arjunolic ASP probe can be used to detect the security status of the system.
WindowsServer2003 + IIS6.0 + ASP Server security Settings--component security Settings Chapter A, uninstall the Wscript.Shell and Shell.Application components, save the following code as one. BAT file Execution (minutes 2000 and 2003 systems) Windows2000.bat
Regsvr32/u C:/winnt/system32/wshom.ocx
Del C:/winnt/system32/wshom.ocx
Regsvr32/u C:/winnt/system32/shell32.dll
Del C:/winnt/system32/shell32.dll
Windows2003.bat
Regsvr32/u C:/windows/system32/wshom.ocx
Del C:/windows/system32/wshom.ocx
Regsvr32/u C:/windows/system32/shell32.dll
Del C:/windows/system32/shell32.dll
B, renamed unsafe Components, it is necessary to note that the name of the component and CLSID must be changed, and to change thoroughly, do not copy, to change their own
Start → Run →regedit→ return "open Registry Editor
Then "edit → find → fill shell.application→ Find Next"
You can find two registry entries in this way:
{13709620-c279-11ce-a49e-444553540000} and shell.application.
First step:
To ensure that it is foolproof, export the two registry keys and save them as xxxx.reg files.
Step two: For example, we want to make this change
13709620-c279-11ce-a49e-444553540000 renamed as 13709620-c279-11ce-a49e-444553540001
Shell.Application renamed as Shell.application_nohack
Step three: So, replace the contents of the. reg file that you just exported with the corresponding relationship above, and then import the modified. reg file into the registry (double-click), and after you import the renamed registry key, don't forget to delete the original two items. It should be noted here that the CLSID can only be 10 digits and abcdef six letters.
In fact, just export the corresponding registry keys to back up, and then directly change the key name on it,
A good example suggests that one should be successful:
Windows Registry Editor Version 5.00
[hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}]
@= "Shell Automation Service"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/inprocserver32]
@= "C://winnt//system32//shell32.dll"
"ThreadingModel" = "Apartment"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/progid]
@= "Shell.application_nohack.1"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/typelib]
@= "{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/version]
@= "1.1"
[Hkey_classes_root/clsid/{13709620-c279-11ce-a49e-444553540001}/versionindependentprogid]
@= "Shell.application_nohack"
[Hkey_classes_root/shell.application_nohack]
@= "Shell Automation Service"
[Hkey_classes_root/shell.application_nohack/clsid]
@= "{13709620-c279-11ce-a49e-444553540001}"
[Hkey_classes_root/shell.application_nohack/curver]
@= "Shell.application_nohack.1"
Comments: Wscript.Shell and Shell.Application Components is a script intrusion process, the promotion of the important link, the two components of the uninstall and modify the corresponding registry key, can greatly improve the virtual host script security performance, in general, ASP and PHP class script elevation of the function is not possible, coupled with some system services, hard disk access, port filtering, local Security policy settings, the virtual host should say, security can have a very big increase, the possibility of hacking is very low. After the shell component is logged off, the intruder is less likely to run the promotion tool, but Prel and other scripting languages also have shell capabilities, which is better for protection. Here is another setting, which is very similar.
First, prohibit the use of FileSystemObject components FileSystemObject can be normal operation of the file, you can modify the registry, the component renamed to prevent the harm of such Trojans.
hkey_classes_root/scripting.filesystemobject/
Renamed to other names, such as: Change to Filesystemobject_changename
You can call this component normally using this when you call it later.
Also change the CLSID value
Hkey_classes_root/scripting.filesystemobject/clsid/the value of the project
It can also be deleted to prevent the harm of such Trojans.
2000 Unregister this component command: regsrv32/u c:/winnt/system/scrrun.dll
2003 Unregister this component command: regsrv32/u c:/windows/system/scrrun.dll
How do I prevent the guest user from using Scrrun.dll to avoid calling this component?
Use this command: cacls c:/winnt/system32/scrrun.dll/e/d Guests
Ii. prohibit the use of Wscript.Shell components
Wscript.Shell can invoke the system kernel to run DOS basic commands
This can be prevented by modifying the registry to rename this component.
Hkey_classes_root/wscript.shell/and HKEY_CLASSES_ROOT/WSCRIPT.SHELL.1/
Change to a different name, such as: Wscript.shell_changename or Wscript.shell.1_changename
You can call this component normally using this when you call it later.
Also change the CLSID value
Hkey_classes_root/wscript.shell/clsid/the value of the project
Hkey_classes_root/wscript.shell.1/clsid/the value of the project
It can also be deleted to prevent the harm of such Trojans.
Third, prohibit the use of shell.application components
Shell.Application can invoke the system kernel to run DOS basic commands
This can be prevented by modifying the registry to rename this component.
hkey_classes_root/shell.application/
And
Hkey_classes_root/shell.application.1/
Change to a different name, such as: Shell.application_changename or Shell.application.1_changename
You can call this component normally using this when you call it later.
Also change the CLSID value
Hkey_classes_root/shell.application/clsid/the value of the project
Hkey_classes_root/shell.application/clsid/the value of the project
It can also be deleted to prevent the harm of such Trojans.
Prevents the guest user from using Shell32.dll to prevent calls to this component.
2000 use command: cacls c:/winnt/system32/shell32.dll/e/d Guests
2003 use command: cacls c:/windows/system32/shell32.dll/e/d Guests
Note: The operation will not take effect until the Web service is restarted.
Iv. Call Cmd.exe
Disable Guests group user call Cmd.exe
2000 use command: cacls c:/winnt/system32/cmd.exe/e/d Guests
2003 use command: cacls c:/windows/system32/cmd.exe/e/d Guests
Through the above four steps to set the basic can prevent the current more popular Trojans, but the most effective way or through comprehensive security settings, the server, the security of the program to achieve a certain standard, the security level may be set higher to prevent more illegal intrusion.
C, prevent serv-u privilege elevation (applicable to previous version of serv-u6.0, then you can set the password directly)
Stop the Serv-u service first.
Open ServUDaemon.exe with UltraEdit
Find Ascii:localadministrator and #l @ $ak #.lk;0@p
Change to equal length of other characters on it, ServUAdmin.exe also deal with the same.
Also note that you set the permissions of the folder in which Serv-u is located, and do not let IIS anonymous users have read permissions, or else you may be able to analyze your administrator name and password as you modify the file. The Arjunolic ASP probe can be used to detect the security status of the system.
One Key Shutdown service batch
Copy Code code as follows:
Cls
MODE con:cols=80 lines=18
COLOR 70
Echo.
Echo is doing system service optimization, please wait a moment ...
@:: Alerter
@:: Notifies selected users and computers to manage alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that directly depend on it will not start.
sc config Alerter start= DISABLED
sc stop Alerter
@:: Application Experience Lookup Service
@:: Handles application compatibility lookup requests for applications at application startup.
@:: Recommended: Disable
sc config aelookupsvc start= DISABLED
sc stop Aelookupsvc
@:: Background Intelligent Transfer Service
@:: The data between the client and server is transferred in the background. If BITS is disabled, some features, such as Windows Update, do not work correctly.
@:: Recommended: Disable
@:: sc config BITS start= DEMAND
@:: sc stop BITS
@:: DHCP Client
@:: Registers and updates the IP address for this computer. If this service is stopped, the computer will not be able to receive dynamic IP addresses and DNS updates. If this service is disabled, all services that explicitly depend on it will not start.
@:: Recommended: Disable
@:: sc config Dhcp start= DISABLED
@:: sc stop DHCP
@:: Network Location Awareness (NLA)
@:: Collects and saves network configuration and location information and notifies the application when information changes.
@:: Recommended: Disable
sc config Nla start= DISABLED
sc stop Nla
@:: Secondary Logon
@:: Enables the enabling process under alternate credentials. If this service is terminated, this type of logon access will not be available. If this service is disabled, any services that depend on it will fail to start.
@:: Recommended: Disable
sc config Seclogon start= DISABLED
sc stop Seclogon
@:: TCP/IP NetBIOS Helper
@:: Provides NetBIOS on TCP/IP (NetBT) services and NetBIOS name resolution support for clients on the network, enabling users to share files, print, and log on to the network. If this service is deactivated, these features may not be available. If this service is banned
, any service that relies on it will fail to start.
@:: Recommended: Disable
sc config LmHosts start= DISABLED
sc stop LmHosts
@:: Wireless Configuration
@:: Automatic configuration of IEEE 802.11 adapters is enabled. If this service is stopped, automatic configuration will not be available. If this service is disabled, all services that explicitly depend on it will not start.
@:: Recommended: Disable
sc config wzcsvc start= DISABLED
sc stop WZCSVC
@:: Smart card (smart cards)
@:: Microsoft: Manages access to smart cards that are read by this computer. If this service is stopped, the computer will not be able to read the smart card. If this service is deactivated, any services that explicitly depend on it will fail to start.
@:: Add: If you don't use Smart card, you can turn it off.
@:: Dependencies: Plug and Play
@:: Recommended: Disable
sc config scardsvr start= DISABLED
sc stop SCardSvr
@:: Windows firewall/internet Connection Sharing (ICS)
@:: Microsoft: Provides network address translation, addressing, and name resolution and/or intrusion prevention services for home or small office networks.
@:: Add: If you do not use Internet online sharing (ICS) or XP-included Internet firewall (ICF) you can turn off
@:: Dependencies: Application Layer Gateway Service, network Connections, network Location (awareness), remote Access NLA Ma Nager
@:: Suggestion: Manual, some users in the local test intranet drop line is because this service stopped, just need to start this service!
@:: sc config sharedaccess start= DEMAND
@:: sc stop sharedaccess
@:: Windows Image Acquisition (WIA) (Windows Image Acquisition program)
@:: Microsoft: Provides image capture services for scanners and digital cameras.
@:: Add: If the scanner and digital camera has the ability to support WIA, then you can directly see the image file, no other drivers, so no scanners and digital camera users can be turned off
@:: Dependencies: Remote Procedure call (RPC)
@:: Recommended: Disable
sc config stisvc start= DISABLED
sc stop stisvc
@:: MS Software Shadow Copy provider[for XP]
@:: Microsoft: Manages the disk area Shadow Copy service to obtain software-focused shadow copy. If you stop this service, you cannot manage a software-focused shadow copy of the disk area.
@:: Add: As mentioned above, the things that are used for backup, such as MS Backup, require this service
@:: Dependencies: Remote Procedure call (RPC)
@:: Recommended: Disable
sc config SWPRV start= DISABLED
sc stop SWPRV
@:: Performance Logs and Alerts (performance record files and alerts)
@:: Microsoft: Collects performance data for local or remote computers based on preconfigured schedule parameters, and then writes this data to the log or triggers an alert. If this service is terminated, performance information will not be collected. If this service is disabled, any services that depend on it will not be able to be restarted
Move.
@:: Added: No value for service
@:: Recommended: Disable
sc config SysmonLog start= DISABLED
sc stop SysmonLog
@:: Telephony (telephone voice)
@: Microsoft: provides telephony API (TAPI) support for programs that control the telephony device and IP primary voice online for local computers and via a local area network to a server that is performing this service.
@:: Add: A general dial-up modem or some dsl/cable may use
@:: Dependencies: Plug and play, remote Procedure call (RPC), remote access Connection Manager, remote access Auto Connection Manager
@:: Suggestion: Manual
@:: sc config tapisrv start= DISABLED
@:: sc stop tapisrv
@:: Distributed Link Tracking Client (distributed Link Tracking clients)
@:: Microsoft: maintains links between NTFS files in computers or on different computers in the network domain.
@:: Supplement: Maintain the file links between different computers in the area network
@:: Dependencies: Remote Procedure call (RPC)
@:: Recommended: Disable
sc config Trkwks start= DISABLED
sc stop Trkwks
@:: Portable Media serial Number
@:: Microsoft: Retrieves the serial number of any portable music player connected to your computer
@:: Add: Re-obtain any music dialing serial number through the online computer? A service of little value
@:: Recommended: Disable
sc config wmdmpmsn start= DISABLED
sc stop Wmdmpmsn
@:: WMI performance Adapter
@:: Microsoft: Provides performance link library information from wmihiperf providers.
@:: Add: As mentioned above
@:: Dependencies: Remote Procedure call (RPC)
@:: Recommended: Disable
sc config wmiapsrv start= DISABLED
sc stop Wmiapsrv
@:: Automatic Updates
@:: Microsoft: Enable download and installation of critical Windows updates. If you deactivate this service, you can manually update the operating system from the Windows Update Web site.
@:: Add: Allow Windows to automatically check and download update patches to Microsoft Servers under Background Auto Online
@:: Recommended: Disable
@:: sc config wuauserv start= DISABLED
@:: sc stop wuauserv
@:: Fast User switching compatibility[for XP]
@:: Provides management for applications that require assistance under multiple users. relies on RPC.
sc config fastuserswitchingcompatibility start= DEMAND
sc stop fastuserswitchingcompatibility
@:: System Restore service[for XP]
@:: Perform System Restore function. To stop the service, turn off System Restore from the System Restore tab in the properties of my computer.
sc config Srservice start= DISABLED
sc stop Srservice
@:: SSDP Discovery service[for XP]
@:: Start the discovery of UPnP devices on your home network.
sc config ssdpsrv start= DISABLED
sc stop SSDPSRV
@:: Telnet
@: Allow remote users to log on to this computer and run programs, and support multiple TCP/IP Telnet clients, including unix-based and Windows based computers. If this service is stopped, remote users cannot access the program, and any services that depend directly on it will start
Failed.
sc config tlntsvr start= DISABLED
sc stop Tlntsvr
@:: Universal Plug and play Device host[for XP]
@:: Provides support for hosting Universal Plug and Play devices.
sc config Upnphost start= DEMAND
sc stop Upnphost
@:: Security center[for XP]
@:: Monitor system security settings and configuration.
sc config wscsvc start= DISABLED
sc stop Wscsvc
@:: System Event Notification
@:: Monitor system events and notify COM + Event System subscribers (subscriber). If this service is deactivated, the COM + Event System subscriber will not receive system event notifications. If this service is disabled, any services that depend on it will not be enabled.
@:: Recommended: Disable
@:: sc config SENS start= DISABLED
@:: sc stop SENS
@:: COM + Event System
@:: Support for System event Notification Service (SENS), which provides automatic distribution of event functionality for subscribed Component Object Model (COM) components. If this service is stopped, SENS will close and cannot provide logon and logoff notifications. If this service is disabled, explicitly relies on this
All other services for the service will not start.
@:: Recommended: Disable
@:: sc config eventsystem start= DISABLED
@:: sc stop EventSystem
@:: Windows Audio
@:: Manages audio devices for windows-based programs. If this service is terminated, the audio device and its sound effects will not work properly. If this service is disabled, any services that depend on it will fail to start.
@:: Add: On the server with what sound card ah, removed!
@:: Recommended: Disable
@:: sc config audiosrv start= DISABLED
@:: sc stop audiosrv
@:: Computer Browser
@:: Maintains an updated list of computers on the network and provides the list to the computer to specify browsing. If the service is stopped, the list is not updated or maintained. If the service is disabled, any services that are directly dependent on this service will not start.
@:: Recommended: Disable
sc config Browser start= DISABLED
sc stop Browser
@:: Task Scheduler
@:: Enables users to configure and schedule automatic tasks on this computer. If this service is terminated, these tasks will not run during the scheduled time. If this service is disabled, any services that depend on it will fail to start.
@:: Recommended: Disable
@:: sc config Schedule start= DISABLED
@:: sc stop Schedule
@:: Routing and Remote Access
@:: Provides routing services to enterprises in LAN and WAN environments.
@:: Recommended: Disable
sc config remoteaccess start= DISABLED
sc stop RemoteAccess
@:: Removable Storage
@:: Manage and catalog removable media and operate automated removable media devices. If this service is stopped, programs that rely on removable storage, such as backup and Remote Storage, will slow down. If this service is disabled, all services that are dependent on this service will not start.
@:: Recommended: Disable
sc config ntmssvc start= DISABLED
sc stop ntmssvc
@:: Remote Registry
@:: Enables remote users to modify registry settings on this computer. If this service is terminated, only users on this computer can modify the registry. If this service is disabled, any services that depend on it will fail to start.
@:: Recommended: Disable
sc config remoteregistry start= DISABLED
sc stop RemoteRegistry
@:: Print Spooler
@:: Manage local and network print queues and control all print jobs. If this service is disabled, printing on the local computer will not be available. If this service is disabled, any services that depend on it will not be enabled.
@:: Recommended: Disable
sc config Spooler start= DISABLED
sc stop Spooler
@:: Error Reporting Service
@:: Collect, store, and report exception application crashes to Microsoft. If this service is deactivated, error reporting occurs only when kernel errors and certain types of user-mode errors occur. If this service is disabled, any services that depend on it will not be enabled.
@:: Recommended: Disable
sc config ersvc start= DISABLED
sc stop Ersvc
@:: Workstation
@:: Create and maintain a client network connection to a remote service. If the service is stopped, these connections will not be available. If the service is disabled, any services that are directly dependent on this service will not start. Hackers can use this service to see all computer users.
@:: Recommended: Disable
sc config lanmanworkstation start= DISABLED
sc stop LanmanWorkstation
@:: Help and Support
@:: Enable Help and Support Center to run on this computer. If you stop the service, Help and Support Center will not be available. If you disable a service, any services that are directly dependent on this service will not start.
@:: Recommended: Disable
sc config helpsvc start= DISABLED
sc stop helpsvc
Echo System service Optimization setup is complete! Please press any key to return and select 4 to continue ...
Pause >nul
Goto start
