I. FileSystemObject component
FileSystemObject (FSO, ProgID Scripting.FileSystemObject, hosted by scrrun.dll) gives ASP scripts full read, write, copy, move and delete access to files and directories, which is why it is the first thing an ASP Trojan reaches for.
You can rename this component in the registry so that such Trojans can no longer create it under its well-known name:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
Rename the key to something else, for example Scripting.FileSystemObject_ChangeName.
Your own scripts can still call the component by the new name afterwards.
Also change the CLSID value, so that the object cannot be created from its class ID either:
the default value of HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID
Or remove the component altogether so that a Trojan has nothing to call:
run regsvr32 /u C:\WINNT\system32\scrrun.dll to unregister it.
Alternatively, deny the Guests group (which the IIS anonymous account IUSR_machinename belongs to by default) access to scrrun.dll so that anonymous scripts cannot load the component:
run cacls C:\WINNT\system32\scrrun.dll /E /D Guests
Three methods to disable the FileSystemObject (FSO) component
As everyone knows, FSO is powerful and destructive, which is why free web-hosting providers (the ones that support ASP) usually disable it. I collected the methods these providers use and found only two; a third came to mind afterwards.
First: run regsvr32 /u C:\WINDOWS\SYSTEM\scrrun.dll to unregister the component. This method is drastic and everyone knows it, so there is nothing to explain.
Second: modify the ProgID. Components are normally created in ASP with Set objectname = Server.CreateObject("ProgID"), so changing the ProgID in the registry disables this call. In Start > Run, enter regedit and find HKEY_CLASSES_ROOT\Scripting.FileSystemObject. Rename this key, for example to Scripting.FileSystemObject8. The component can then only be created under the new name, as in the following ASP page:
The following is a code snippet:
<%@ Language=VBScript %>
<%
Set Fs = Server.CreateObject("Scripting.FileSystemObject8")
%>
(If the component has not been called on this server before, the effect is visible without a restart; otherwise restart the web service and check again.)
Third: careful readers will ask, since the component can be disabled by changing the ProgID, can the CLSID be changed as well? (Yes, the same thought I had.) Besides the CreateObject method, a component can also be created with an HTML <object> tag placed in the ASP page. The first form is:
The following is a code snippet:
<object runat=server id=fs1 scope=page progid="Scripting.FileSystemObject"></object>
runat=server means the object is created on the server, and scope sets the component's lifetime: Session, Application or Page (the current page, which is the default).
This form still goes through the ProgID, so the second method already covers it. The other form is:
The following is a code snippet:
<object runat=server id=fs1 scope=page classid="clsid:CLSID value"></object>
This form bypasses the ProgID entirely, so the CLSID has to be changed as well. For example, change the value under HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID from 0D43FE01-F093-11CF-8940-00A0C9054228 to 0D43FE01-F093-11CF-8940-00A0C9054229 (only the last digit changed), and rename the matching HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} key the same way: the classid form is resolved through that key and its InprocServer32 value, not through the ProgID, so changing the ProgID's CLSID value alone leaves it open.
Written as:
The following is a code snippet:
<object runat=server id=fs1 scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054229"></object>
Check the result: the page runs without error. Now use
The following is a code snippet:
<object runat=server id=fs1 scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>
and an error occurs, because the old class ID no longer resolves.
If FSO has to stay available to legitimate sites, isolate the sites instead of disabling it:
Create a user, for example IUSR_DOMAIN.
Set that account as the site's anonymous user in IIS.
Use CACLS to set directory permissions so that the account can only reach its own site directory.
In this way FSO stays available, but scripts on one site cannot affect the others.
II. WScript.Shell component (ProgIDs WScript.Shell, WScript.Shell.1, WScript.Network, WScript.Network.1)
WScript.Shell (hosted by wshom.ocx) can start arbitrary programs through its Run and Exec methods, which is how an ASP Trojan runs cmd.exe commands on the server.
You can rename this component in the registry so that such Trojans cannot create it:
HKEY_CLASSES_ROOT\WScript.Shell and HKEY_CLASSES_ROOT\WScript.Shell.1
Rename the keys to something else, for example WScript.Shell_ChangeName and WScript.Shell.1_ChangeName.
Your own scripts can still call the component by the new names afterwards.
Also change the CLSID values:
the default value of HKEY_CLASSES_ROOT\WScript.Shell\CLSID
the default value of HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID
Or remove the component altogether so that a Trojan has nothing to call.
Disable NET USER
Under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names, create a key whose name is a single space, then double-click the value on the right. (The SAM hive is only readable by SYSTEM by default, so regedit has to run as SYSTEM to see these keys; back up the SAM before editing it.)
Disable net user /ADD (for example, net user v /add)
Open the registry at HKEY_LOCAL_MACHINE\SAM\SAM and delete the C value on the right.
III. Shell.Application component (ProgIDs Shell.Application, Shell.Application.1)
Shell.Application (hosted by shell32.dll) can launch programs through its ShellExecute method, so it is another way for an ASP Trojan to run commands.
You can rename this component in the registry so that such Trojans cannot create it:
HKEY_CLASSES_ROOT\Shell.Application
and HKEY_CLASSES_ROOT\Shell.Application.1
Rename the keys to something else, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.
Your own scripts can still call the component by the new names afterwards.
Also change the CLSID values:
the default value of HKEY_CLASSES_ROOT\Shell.Application\CLSID
the default value of HKEY_CLASSES_ROOT\Shell.Application.1\CLSID
Or remove the component altogether so that a Trojan has nothing to call.
Deny the Guests group access to shell32.dll to prevent anonymous scripts from loading this component:
run cacls C:\WINNT\system32\shell32.dll /E /D Guests
Note: all of these operations take effect only after the web service is restarted.
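The following is an added example, not code from the original page. It carries out the rename procedure of sections I to III for all the listed ProgIDs at once, including the HKEY_CLASSES_ROOT\CLSID key that the classid form resolves through, applies the same Guests deny ACE that cacls /E /D Guests sets, and provides two checks: one for the Server.CreateObject("ProgID") path and one for the classid path. It assumes an elevated PowerShell on the IIS host and a registry backup made first (reg export HKCR\CLSID clsid-backup.reg); the "_ChangeName" suffix is the page's own convention, and the random replacement GUID is this example's choice rather than the page's "change the last digit". On Vista and later some of these keys and DLLs are owned by TrustedInstaller and need ownership taken before they can be changed.

```powershell
# Added example (not from the original page): rename the ProgID and CLSID keys of the
# script-reachable COM components from sections I to III, deny Guests access to the
# hosting DLLs, and verify both creation paths. Assumes elevated PowerShell, registry backed up.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$script:ClsidMap = @{}   # old CLSID -> new CLSID, shared by ProgIDs that point at one class

function Get-ComClsid([string]$ProgId) {
    # Same lookup COM performs for CLSIDFromProgID: default value of HKCR\<ProgID>\CLSID.
    $key = "HKCR:\$ProgId\CLSID"
    if (Test-Path -LiteralPath $key) { (Get-ItemProperty -LiteralPath $key).'(default)' } else { $null }
}

function Disable-ComProgId([string]$ProgId, [string]$Suffix = '_ChangeName') {
    $clsid = Get-ComClsid $ProgId
    if (-not $clsid) { Write-Warning "$ProgId is not registered, skipping"; return }

    if (-not $script:ClsidMap.ContainsKey($clsid)) {
        # Fresh random GUID: cannot collide with anything and cannot be guessed from the old value.
        $new = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
        # <object classid="clsid:..."> and CoCreateInstance resolve through HKCR\CLSID\{guid}
        # (InprocServer32), not through the ProgID, so this key must be renamed as well.
        if (Test-Path -LiteralPath "HKCR:\CLSID\$clsid") {
            Rename-Item -LiteralPath "HKCR:\CLSID\$clsid" -NewName $new
        }
        $script:ClsidMap[$clsid] = $new
    }

    # Rename the ProgID key (defeats Server.CreateObject("ProgID")) and point the renamed
    # ProgID at the new CLSID so your own scripts can still use the component.
    Rename-Item -LiteralPath "HKCR:\$ProgId" -NewName "$ProgId$Suffix"
    Set-ItemProperty -LiteralPath "HKCR:\$ProgId$Suffix\CLSID" -Name '(default)' -Value $script:ClsidMap[$clsid]

    [pscustomobject]@{ ProgId = $ProgId; NewProgId = "$ProgId$Suffix"
                       OldClsid = $clsid; NewClsid = $script:ClsidMap[$clsid] }
}

function Deny-GuestsAccess([string]$Path) {
    # Equivalent of "cacls <file> /E /D Guests"; the well-known SID S-1-5-32-546 is used
    # so it also works on localized systems where the group is not called "Guests".
    $guests = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-546')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($guests, 'FullControl', 'Deny')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-ProgIdCreatable([string]$ProgId) {
    # The Server.CreateObject("ProgID") path.
    try { $null = New-Object -ComObject $ProgId; $true } catch { $false }
}

function Test-ClsidCreatable([string]$Clsid) {
    # The classid path. GetTypeFromCLSID never fails; the registry lookup happens in
    # CreateInstance, which throws "Class not registered" (0x80040154) once the key is gone.
    try { $null = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([guid]$Clsid)); $true } catch { $false }
}

$targets = 'Scripting.FileSystemObject', 'WScript.Shell', 'WScript.Shell.1',
           'Shell.Application', 'Shell.Application.1'
$changes = foreach ($p in $targets) { Disable-ComProgId $p }
$changes | Format-Table -AutoSize

Deny-GuestsAccess "$env:SystemRoot\system32\scrrun.dll"
Deny-GuestsAccess "$env:SystemRoot\system32\cmd.exe"

iisreset   # as the page notes, ASP only sees the change after the web service restarts

# Expected after the rename (run from a fresh session if any of these objects were
# created earlier in this one): old ProgID and old CLSID False, renamed ProgID True.
foreach ($c in $changes) {
    "{0}: old ProgID {1}, old CLSID {2}, new ProgID {3}" -f $c.ProgId,
        (Test-ProgIdCreatable $c.ProgId), (Test-ClsidCreatable $c.OldClsid), (Test-ProgIdCreatable $c.NewProgId)
}
```

The CLSID key's own ProgID and VersionIndependentProgID subkeys still name the old ProgID after the rename; that is harmless for creation, which only goes ProgID to CLSID, never the other way. Keep the output of $changes somewhere safe, since it is the only record of the new names your own scripts now have to use.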
IV. cmd.exe, WScript.Shell, Shell.Application, WScript.Network
Deny Guests the use of cmd.exe:
cacls C:\WINNT\system32\cmd.exe /E /D Guests
To remove WScript.Shell and WScript.Network completely, unregister their server: regsvr32 /u wshom.ocx (and regsvr32 /u wshext.dll for the script host shell extension).
To unregister the Shell.Application object: regsvr32 /u shell32.dll. Be aware that shell32.dll also registers the Windows shell's own classes, so unregistering it can break Explorer and other shell functionality on the server; renaming the Shell.Application ProgID and CLSID keys as in section III is the safer choice.
V. ADODB.Stream
Disable ADODB.Stream
I have seen many web Trojans use this object to read and write files on the server. Some ASP Trojans create their script objects by CLASSID instead of ProgID,
so if you know how to block this object at the CLSID level you should be able to block such an ASP Trojan completely,
just as shell execution is blocked above.
-------------------------------------------------------
Take the CLASSID from the value of HKEY_CLASSES_ROOT\ADODB.Stream\CLSID.
This is on my XP server; it should be the same on every host.
Find the DLL that implements this ActiveX object from the value of HKEY_CLASSES_ROOT\CLSID\{that CLASSID}\InprocServer32.
On my XP it is C:\Program Files\Common Files\System\ado\msado15.dll
Then run regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll"
and ADODB.Stream is unregistered.
---------------------------------------------------------
But this unregisters the whole of ADO (probably).
If there are other ADO applications on the machine, they may break.
Would deleting HKEY_CLASSES_ROOT\ADODB.Stream\CLSID instead be OK????
Keeping the DLL is better.
---------------------------------------------------------
What is the relationship between ASP Trojans running on the server and the IE patch?
ASP Trojans use FSO, ADODB.Stream and the Dictionary script object. I think the first two are the important ones. If the first two objects are disabled, is there still any way for an ASP Trojan to run?
--------------------------------------------------------
Disabled??
On my 2000 SP4, XP SP1 and XP SP2, adodb.stream can still be used on all of them.
Maybe the patch only stops IE from calling it, even with the security level lowered.
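The following is an added example, not code from the thread above. It does by script what the first reply does by hand (ProgID to CLSID to the InprocServer32 DLL) and then answers the second reply's "probably": it enumerates every other COM class registered against the same DLL, which is exactly what regsvr32 /u on that DLL takes away. It assumes a Windows host with ADO installed; the ProgID ADODB.Stream is the one from the thread, and the DLL path is read from the registry rather than assumed.

```powershell
# Added example (not from the original thread): resolve a ProgID to its CLSID and server
# DLL, then list all classes that DLL serves, i.e. the blast radius of "regsvr32 /u <dll>".

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Resolve-ComServer([string]$ProgId) {
    # HKCR\<ProgID>\CLSID (default) -> HKCR\CLSID\{guid}\InprocServer32 (default)
    $clsidKey = "HKCR:\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) { throw "ProgID '$ProgId' is not registered" }
    $clsid = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
    $srvKey = "HKCR:\CLSID\$clsid\InprocServer32"
    $dll = if (Test-Path -LiteralPath $srvKey) { (Get-ItemProperty -LiteralPath $srvKey).'(default)' } else { $null }
    [pscustomobject]@{ ProgId = $ProgId; Clsid = $clsid; Dll = $dll }
}

function Get-ComClassesServedBy([string]$Dll) {
    # Every HKCR\CLSID\{...} whose InprocServer32 default value is this DLL. Paths are
    # compared after expanding %SystemRoot%-style variables and stripping quotes.
    # Enumerating HKCR\CLSID takes a little while on a full system.
    $want = [Environment]::ExpandEnvironmentVariables($Dll).Trim('"')
    foreach ($key in Get-ChildItem -LiteralPath 'HKCR:\CLSID' -ErrorAction SilentlyContinue) {
        $srv = $key.OpenSubKey('InprocServer32')
        if (-not $srv) { continue }
        $path = $srv.GetValue('')
        $srv.Close()
        if (-not $path) { continue }
        if ([Environment]::ExpandEnvironmentVariables([string]$path).Trim('"') -ieq $want) {
            $prog = $key.OpenSubKey('ProgID')
            [pscustomobject]@{
                Clsid  = $key.PSChildName
                ProgId = if ($prog) { $prog.GetValue('') } else { '' }
            }
            if ($prog) { $prog.Close() }
        }
    }
}

$stream = Resolve-ComServer 'ADODB.Stream'
$stream | Format-List

"Classes that regsvr32 /u on $($stream.Dll) would unregister together with ADODB.Stream:"
Get-ComClassesServedBy $stream.Dll | Sort-Object ProgId | Format-Table -AutoSize
```

If the list shows ADODB.Connection, ADODB.Recordset and the rest of ADO on the same DLL, then unregistering it really does take all of ADO with it, and the thread's alternative of removing only HKEY_CLASSES_ROOT\ADODB.Stream\CLSID (which breaks the ProgID path but, as section V warns, not creation by CLASSID) or renaming the Stream class's own HKEY_CLASSES_ROOT\CLSID key, as in the FSO section, is the narrower change.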
VI. Workstation service
To stop a webshell from listing system processes: right-click My Computer, choose Manage > Services and Applications > Services > Workstation, double-click it and choose Stop. This service (the second-to-last entry in the list, running inside svchost.exe) manages network connections and supports networking and print/file sharing. Stopping it defeats the process-listing feature of the Haiyang ("Ocean") ASP Trojan, but the server also loses its SMB client (net use, mapped drives), so confirm nothing on the machine depends on that first.
VII. Restricting Serv-U and SQL Server
Serv-U and SQL Server both run with SYSTEM privileges, that is, as the SYSTEM user. The goal is to run them as ordinary users so that they no longer have the permission to add an administrator account. Over FTP, "net user leilei3 leilei3 /add" successfully added the leilei3 account by way of the Serv-U local privilege escalation vulnerability. The fix: first add a user with ordinary user rights (I use leilei3 as the user), then right-click My Computer, choose Manage > Services and Applications > Services > Serv-U FTP Server > Log On > This account and change the default account to it,
or change the password of the Serv-U administrator account, and then change the directory permissions.
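The following is an added example, not code from the original page. It first lists every running service that logs on as LocalSystem, which is the situation the section describes for Serv-U and SQL Server, and then moves one service to a restricted local account through WMI, the same change the Log On tab makes. It assumes an elevated PowerShell on the host; the account name leilei3 is the page's example user, and the service name 'Serv-U' is a placeholder to be checked against Get-Service first.

```powershell
# Added example (not from the original page): audit services running as LocalSystem and
# re-point one of them at a low-privilege account. Assumes elevated PowerShell on the host.

function Get-LocalSystemServices {
    # StartName is the logon account. Anything a LocalSystem service lets a remote user
    # do (Serv-U's site commands, SQL Server's xp_cmdshell) runs with SYSTEM rights.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, StartName, PathName
}

function Set-ServiceLogon([string]$Name, [string]$Account, [string]$Password) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "service '$Name' not found" }
    # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    # DesktopInteract, StartName, StartPassword, ...): $null leaves a field unchanged.
    $r = $svc.Change($null, $null, $null, $null, $null, $null, $Account, $Password)
    if ($r.ReturnValue -ne 0) { throw "Change() failed with return code $($r.ReturnValue)" }
    # Unlike the Log On tab, WMI does not grant "Log on as a service" to the account;
    # grant it (Local Security Policy > User Rights Assignment) before restarting, and
    # give the account NTFS rights only on the service's own directories (the page's
    # CACLS step). The account must not be a member of Administrators.
    Restart-Service -Name $Name
}

Get-LocalSystemServices | Format-Table -AutoSize
# Example change, using the page's user; verify the real service name with Get-Service first:
# Set-ServiceLogon -Name 'Serv-U' -Account '.\leilei3' -Password 'leilei3'
```

After the change, repeat the FTP test from the section: "net user ... /add" issued through Serv-U now runs as leilei3 and is denied, because an ordinary user cannot create accounts.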