Special note: the permission settings written for Windows 2000 do not apply on Windows 2003. That is why so many articles describe the 2000 settings, and why I go through them again here for 2003.
Foreword: Our college runs a web server dedicated to the university's student societies. A few days ago the home pages of almost every site on it were defaced. Some classmates exclaimed "wow, whoever did that is really something"; I was just dismayed. In my view this was bound to happen sooner or later, and the intrusion itself was simple. Before looking at the server I could think of only two possibilities: either the server password had leaked, or the attacker came in through a vulnerability in one of the sites (hehe, I configured the server myself, but I never set IIS-specific permissions). Years ago I told the teacher that the societies' security awareness was very poor, that they only use ready-made packages and that this would go wrong sooner or later; the teacher did not listen, and I did not push it. After the incident I went carefully through the log files and the dates of the uploaded files and found that an Ocean Top 2006 ASP trojan had already been sent to the server back in March, but no changes were made at the time; presumably that "big brother" simply forgot about it. Some days ago he spent half a day hunting for a vulnerability in the site again. Looking at the logs, this fellow from Sichuan xx University loves working at night, all night in fact; he really has the hacker spirit. Enough chatter; let's start from his way in. He entered through one of the society websites hosted on the server. That site runs "Dynamic" 3.x, which as far as I know is unpatched and has uploads enabled. If I guess right, he simply uploaded a trojan through the upload function (the one he uploaded here was the Guilin Veterans Webmaster Assistant), then used the Webmaster Assistant to locate the directories of the other sites and modified the other websites on the server from there.
Afterwards the teacher said that simply disabling FSO would be enough. I disagree; many sites cannot run at all without FSO support.
So what can be done to stop an ASP trojan from doing malicious damage on your server? I consulted a lot of material and summarised a fairly complete solution. Here I take Ocean Top 2006 as the example and briefly describe how to configure the server against ASP trojans.
I installed Windows 2003 Enterprise Edition without the SP1 patch.
As shown in the following illustration:
With the default settings, put Ocean Top 2006 into the web directory and run it: under the system defaults every operation is available. In other words, once an intruder obtains a webshell by any means, he can use the Ocean Top trojan to modify and delete the great majority of files on the web server, and even elevate his privileges.
Look at what Ocean Top can do: menu items 6, 7, 8 and 9 let it run programs on the server and modify files. Leave FSO alone for now; first unregister the Wscript.Shell and Shell.Application components.
Select Start -> Run and enter:
regsvr32 /u wshom.ocx
regsvr32 /u shell32.dll
Alternatively, deny the Guests group access to the DLL, and make the default account that accesses the web directory a member of Guests:
cacls %systemroot%\system32\shell32.dll /e /d Guests
If you are told the file is in use and cannot be deleted, stop IIS and end the related processes before deleting it.
It is also possible to rename these components, but remember that two places need changing.
1. Wscript.Shell component modification method
Rename
HKEY_CLASSES_ROOT\Wscript.Shell
and
HKEY_CLASSES_ROOT\Wscript.Shell.1
to different names, for example Wscript.Shell_changename and Wscript.Shell.1_changename.
Afterwards you can still call the component normally, using the new name.
Also change the CLSID value, that is, the value of the keys
HKEY_CLASSES_ROOT\Wscript.Shell\CLSID
HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID
2. Shell.Application component modification method
Rename
HKEY_CLASSES_ROOT\Shell.Application
and
HKEY_CLASSES_ROOT\Shell.Application.1
to different names, for example Shell.Application_changename and Shell.Application.1_changename.
Afterwards you can still call the component normally, using the new name.
Also change the CLSID value, that is, the value of the keys
HKEY_CLASSES_ROOT\Shell.Application\CLSID
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID
This prevents the trojan file from invoking these components.
For further security, you can also set %systemroot%\system32\net.exe, cmd.exe, ftp.exe, tftp.exe and telnet.exe to allow access by Administrators only.
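The rename method above, scripted as an added example (this is not code from the original article). It renames both ProgIDs of a component, rotates the CLSID they share so that creating the object by ProgID or by the old GUID both fail, and then checks the result by trying to instantiate the old and new names. Run it in an elevated PowerShell on the web server; the '_changename' suffix comes from the article, while the function names, the backup directory and the GUID rotation are this example's own choices. Test on a non-production box first and keep the exported .reg files to undo the change.

```powershell
# Added example: rename the WScript.Shell / Shell.Application ProgIDs and their
# shared CLSID, as the article describes, then verify. Run as Administrator.
# Assumptions: suffix '_changename' (article); backup dir and helpers (this example).

$BackupDir = 'C:\regbackup'      # assumed location for the reg.exe exports
$Hkcr      = 'Registry::HKEY_CLASSES_ROOT'

function Backup-RegistryKey {
    # Export a key with reg.exe before touching it so the change can be reverted.
    param([string]$KeyPath)      # e.g. HKCR\WScript.Shell
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir (($KeyPath -replace '[\\{}]', '_') + '.reg')
    & reg.exe export $KeyPath $file /y | Out-Null
    return $file
}

function Rename-ComProgId {
    # $Base is the version-independent ProgID ('WScript.Shell'); the versioned
    # '<Base>.1' key shares the same CLSID and is renamed in the same pass.
    param([string]$Base, [string]$Suffix = '_changename')
    if (-not (Test-Path "$Hkcr\$Base")) { Write-Warning "$Base not registered"; return $null }

    $oldClsid = (Get-ItemProperty -Path "$Hkcr\$Base\CLSID").'(default)'
    $newClsid = [guid]::NewGuid().ToString('B').ToUpper()

    Backup-RegistryKey "HKCR\CLSID\$oldClsid" | Out-Null
    foreach ($p in @($Base, "$Base.1")) {
        if (Test-Path "$Hkcr\$p") { Backup-RegistryKey "HKCR\$p" | Out-Null }
    }

    # 1. Move the CLSID key: a trojan that asks for the old GUID directly fails too.
    Rename-Item -Path "$Hkcr\CLSID\$oldClsid" -NewName $newClsid
    Set-ItemProperty -Path "$Hkcr\CLSID\$newClsid" -Name 'ProgID' -Value "$Base.1$Suffix"
    Set-ItemProperty -Path "$Hkcr\CLSID\$newClsid" -Name 'VersionIndependentProgID' -Value "$Base$Suffix"

    # 2. Rename both ProgID keys and point their CLSID values at the new GUID
    #    (the article's "also change the CLSID value").
    foreach ($p in @($Base, "$Base.1")) {
        if (-not (Test-Path "$Hkcr\$p")) { continue }
        Rename-Item -Path "$Hkcr\$p" -NewName "$p$Suffix"
        Set-ItemProperty -Path "$Hkcr\$p$Suffix\CLSID" -Name '(default)' -Value $newClsid
    }
    return [pscustomobject]@{ Base = $Base; NewProgId = "$Base$Suffix"; NewClsid = $newClsid }
}

function Test-ComObjectBlocked {
    # $true when CreateObject-style instantiation of the ProgID fails.
    param([string]$ProgId)
    try { $null = New-Object -ComObject $ProgId -ErrorAction Stop; return $false }
    catch { return $true }
}

$results = foreach ($base in 'WScript.Shell', 'Shell.Application') { Rename-ComProgId -Base $base }
$results | Format-Table -AutoSize

# Old name must now fail; the renamed ProgID must still work for your own scripts.
foreach ($r in $results) {
    '{0,-18} old name blocked: {1}; new name usable: {2}' -f $r.Base,
        (Test-ComObjectBlocked $r.Base), (-not (Test-ComObjectBlocked $r.NewProgId))
}
```

Renaming the CLSID key goes one step further than the article's text (which only changes the CLSID value under the ProgID); without it the renamed ProgID would point at a GUID that no longer resolves, so the component could not be called under the new name. On a 64-bit host the WOW6432Node copies of these keys would need the same treatment.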
Disk Permissions
Tip: if you set permissions wrongly, you can use Microsoft's secedit tool to restore the defaults.
First, remove Everyone from all disks. On the system disk keep the defaults for the other users; on the other disks keep only SYSTEM and Administrators. Folders of installed service software need their own specific permissions set separately.
Then give each website its own default anonymous access account, and grant that account the appropriate permissions on the folder behind its virtual directory.
There is plenty online about this part, so for now I borrow someone else's write-up. His settings are for 2000; on 2003 the procedure is basically the same, but the folder permissions differ, so bear that in mind. The default permissions needed to run ASP are given in the appendix.
We create a local directory for the user, which will be the root of that user's website; here it is F:\8660.net.
Go to Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users -> New User, and create the user User_8660.net.
Select the User_8660.net user -> Properties -> Member Of, and change its group to Guests.
Assign permissions on the user's folder F:\8660.net. (User_8660.net is the guest account that controls this user's site. Because the server also supports ASP.NET, the ASPNET account must be given permissions here as well, otherwise ASP.NET execution will not have enough permissions.)
Set the User_8660.net and ASPNET account permissions as follows (remember: never assign Full Control to the user).
Then set up IIS to point at that user's directory.
Open IIS -> create a new website.
Select the web server (8660.NET) -> Properties -> Directory Security
-> Anonymous access and authentication control -> Edit
-> Anonymous access -> Edit
Select the User_8660.net user name as the user account used to access this site.
At this point, even if someone plants a webshell in a site, he can only modify that one site (which it deserves, since it had the hole) and cannot mount a cross-site attack on the others, hehe ~~~
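The per-site account and NTFS steps above, scripted as an added example (not code from the original article). It creates the Guests-only account, replaces the inherited ACL on the site root with Administrators/SYSTEM Full Control plus Modify (never Full Control) for the site user and ASPNET, and points the IIS 6 site's anonymous identity at that account through the IIS ADSI provider. The site root F:\8660.net and the user User_8660.net come from the article; the password, the site ID, the ADSI path and the function names are this example's assumptions. Run as Administrator on the IIS 6 host.

```powershell
# Added example: per-site anonymous account with least-privilege NTFS rights.
# Assumptions: placeholder password, W3SVC site ID 1, IIS 6 ADSI provider present.

$SiteRoot = 'F:\8660.net'
$SiteUser = 'User_8660.net'
$SitePass = 'REPLACE-WITH-A-STRONG-PASSWORD'   # placeholder, set before running
$SiteId   = 1                                  # assumed site number; check in IIS Manager

function New-SiteAccount {
    # Create the account and leave it in Guests only (net user adds to Users by default).
    param([string]$Name, [string]$Password)
    & net.exe user $Name $Password /add /passwordchg:no /expires:never | Out-Null
    & net.exe localgroup Users  $Name /delete | Out-Null
    & net.exe localgroup Guests $Name /add    | Out-Null
}

function Set-SiteRootAcl {
    # Stop inheritance, drop every existing ACE, then grant only what the site needs.
    param([string]$Path, [string[]]$ModifyIdentities)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $flags, $prop, $allow)))
    }
    foreach ($id in $ModifyIdentities) {
        # Modify lets the site write its own files; no Full Control, no Everyone.
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'Modify', $flags, $prop, $allow)))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Set-IisAnonymousUser {
    # IIS 6 metabase via ADSI: anonymous requests to this site run as $User only.
    param([int]$Id, [string]$User, [string]$Password)
    $site = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    $site.Put('AnonymousUserName', $User)
    $site.Put('AnonymousUserPass', $Password)
    $site.SetInfo()
}

function Get-AccessSummary {
    # Identity -> rights listing for review before and after the change.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
New-SiteAccount -Name $SiteUser -Password $SitePass
Set-SiteRootAcl -Path $SiteRoot -ModifyIdentities @("$env:COMPUTERNAME\$SiteUser", "$env:COMPUTERNAME\ASPNET")
Set-IisAnonymousUser -Id $SiteId -User $SiteUser -Password $SitePass
Get-AccessSummary -Path $SiteRoot | Format-Table -AutoSize
```

Repeat the three calls with a different root, user and site ID for every society site; because each account can only reach its own folder, a webshell dropped into one site is confined to that site, which is the cross-site isolation the article is after.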
Appendix I:
Our permission settings for the installed software:
C:\Program Files\liweiwensoft
    Everyone        Read & Execute, List Folder Contents, Read
    Administrators  Full Control
    IIS_WPG         Read & Execute, List Folder Contents, Read
C:\Program Files\dimac (if you have this directory)
    Everyone        Read & Execute, List Folder Contents, Read
    Administrators  Full Control
C:\Program Files\ComPlus Applications (if any)
    Administrators  Full Control
C:\Program Files\GFLSDK (if any)
    Administrators  Full Control
    CREATOR OWNER   Full Control (not inherited; subfolders and files only)
    Power Users     Modify, Read & Execute, List Folder Contents, Read, Write
    SYSTEM          Full Control
    TERMINAL SERVER USER  Modify, Read & Execute, List Folder Contents, Read, Write
    Users           Read & Execute, List Folder Contents, Read
    Everyone        Read & Execute, List Folder Contents, Read
C:\Program Files\InstallShield Installation Information (if any)
C:\Program Files\Internet Explorer (if available)
C:\Program Files\NetMeeting (if any)
    Administrators  Full Control
Appendix II:
Default permissions required by IIS 6.0
NTFS permissions
Directory                                         Users/Groups        Permissions
%windir%\help\iishelp\common                      Administrators      Full Control
%windir%\help\iishelp\common                      SYSTEM              Full Control
%windir%\help\iishelp\common                      IIS_WPG             Read
%windir%\help\iishelp\common                      Users (Note 1)      Read, Execute
%windir%\IIS Temporary Compressed Files           Administrators      Full Control
%windir%\IIS Temporary Compressed Files           SYSTEM              Full Control
%windir%\IIS Temporary Compressed Files           IIS_WPG             List, Read, Write
%windir%\IIS Temporary Compressed Files           CREATOR OWNER       Full Control
%windir%\system32\inetsrv                         Administrators      Full Control
%windir%\system32\inetsrv                         SYSTEM              Full Control
%windir%\system32\inetsrv                         Users               Read, Execute
%windir%\system32\inetsrv\*.vbs                   Administrators      Full Control
%windir%\system32\inetsrv\ASP Compiled Templates  Administrators      Full Control
%windir%\system32\inetsrv\ASP Compiled Templates  IIS_WPG             Read
%windir%\system32\inetsrv\History                 Administrators      Full Control
%windir%\system32\inetsrv\History                 SYSTEM              Full Control
%windir%\system32\LogFiles                        Administrators      Full Control
%windir%\system32\inetsrv\MetaBack                Administrators      Full Control
%windir%\system32\inetsrv\MetaBack                SYSTEM              Full Control
\Inetpub\AdminScripts                             Administrators      Full Control
\Inetpub\wwwroot (or content directories)         Administrators      Full Control
\Inetpub\wwwroot (or content directories)         SYSTEM              Full Control
\Inetpub\wwwroot (or content directories)         IIS_WPG             Read, Execute
\Inetpub\wwwroot (or content directories)         IUSR_machinename    Read, Execute
\Inetpub\wwwroot (or content directories)         ASPNET (Note 2)     Read, Execute
Note 1: The user must have permissions to this directory when you use Basic authentication or Integrated authentication and custom errors are configured. For example, when error 401.1 occurs, the logged-on user sees the expected detailed custom error only if permission to read the 4011.htm file has been granted to that user.
Note 2: By default, ASPNET is used as the ASP.NET process identity in IIS 5.0 isolation mode. If ASP.NET is switched to IIS 5.0 isolation mode, ASPNET must have access to the content areas. ASP.NET process isolation is described in IIS Help. For additional information, visit the following Microsoft Web site:
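An audit script for the Appendix II table, added here as an example (not code from the original article). It reads the live ACL of each listed directory and reports two kinds of deviation: identities the table does not mention at all, and write-capable rights held by identities the table limits to Read or Read, Execute (Everyone, Users, IUSR_*, ASPNET, IIS_WPG outside the temporary-files directory). The directory list and identities are transcribed from the appendix; the assumption that Inetpub sits on %SystemDrive% (the appendix gives no drive) and the finding rules are this example's own.

```powershell
# Added example: compare live NTFS ACLs with the IIS 6.0 defaults in Appendix II.
# Assumptions: Inetpub on %SystemDrive%; rule set below is this example's reading of the table.

$Fsr = [System.Security.AccessControl.FileSystemRights]

# Expected identities per directory, from Appendix II. 'IUSR_*' matches IUSR_<machinename>.
$Expected = @{
    "$env:windir\help\iishelp\common"                     = 'Administrators','SYSTEM','IIS_WPG','Users'
    "$env:windir\IIS Temporary Compressed Files"          = 'Administrators','SYSTEM','IIS_WPG','CREATOR OWNER'
    "$env:windir\system32\inetsrv"                        = 'Administrators','SYSTEM','Users'
    "$env:windir\system32\inetsrv\ASP Compiled Templates" = 'Administrators','IIS_WPG'
    "$env:windir\system32\inetsrv\History"                = 'Administrators','SYSTEM'
    "$env:windir\system32\LogFiles"                       = 'Administrators'
    "$env:windir\system32\inetsrv\MetaBack"               = 'Administrators','SYSTEM'
    "$env:SystemDrive\Inetpub\AdminScripts"               = 'Administrators'
    "$env:SystemDrive\Inetpub\wwwroot"                    = 'Administrators','SYSTEM','IIS_WPG','IUSR_*','ASPNET'
}

# Who the table allows write-capable rights; everyone else should be read-only.
$MayWrite       = 'Administrators', 'SYSTEM', 'CREATOR OWNER'
$MayWriteInTemp = 'IIS_WPG'   # List, Read, Write on IIS Temporary Compressed Files only

function Test-RightsInclude {
    # Bitwise test so composite (Modify, FullControl) and generic bits are handled alike.
    param($Rights, [System.Security.AccessControl.FileSystemRights]$Wanted)
    return (([int]$Rights) -band ([int]$Wanted)) -eq [int]$Wanted
}

function Get-IisAclFindings {
    param([hashtable]$Table)
    $findings = @()
    foreach ($dir in $Table.Keys) {
        if (-not (Test-Path -LiteralPath $dir)) {
            $findings += [pscustomobject]@{ Path = $dir; Identity = ''; Issue = 'directory missing' }
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $name  = ($ace.IdentityReference.Value -split '\\')[-1]   # strip BUILTIN\ or DOMAIN\
            $known = @($Table[$dir]) | Where-Object { $name -like $_ }
            if (-not $known) {
                $findings += [pscustomobject]@{ Path = $dir; Identity = $name; Issue = 'not in Appendix II' }
                continue
            }
            $writes = Test-RightsInclude $ace.FileSystemRights $Fsr::Write
            $tempOk = ($dir -like '*IIS Temporary Compressed Files') -and ($MayWriteInTemp -contains $name)
            if ($writes -and -not ($MayWrite -contains $name) -and -not $tempOk) {
                $findings += [pscustomobject]@{ Path = $dir; Identity = $name
                                                Issue = "write-capable: $($ace.FileSystemRights)" }
            }
        }
    }
    return $findings
}

Get-IisAclFindings -Table $Expected | Sort-Object Path, Identity | Format-Table -AutoSize
```

An empty result means the listed directories match the table; a "write-capable" line for Users or IUSR_* on wwwroot is exactly the condition that let the trojan in the foreword rewrite other sites, and a line for an identity "not in Appendix II" is worth explaining before the server goes back online.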