We will go through each step an intruder takes and respond to it with the corresponding hardening of the Windows system.
The Windows system is strengthened step by step with a few kinds of measures:
1. Port restrictions
2. Setting ACL permissions
3. Closing services or components
4. Packet filtering
5. Auditing
We now start with the intruder's first step and apply the corresponding hardening to the existing Windows system.
1. Scanning
This is the first step an intruder has to take: searching for vulnerable services, for example.
Countermeasure: port restrictions
All of the rules that follow must be mirrored (the IPSec "Mirrored" option); otherwise the reply traffic is dropped and you will not be able to connect.
We only need to open the ports the services actually use; all other ports are blocked.
2. Information gathering
This is handled mainly through URLScan, which filters out illegitimate requests.
Countermeasure: filter the corresponding packets
URLScan screens the requested URL; we set the DenyExtensions field in Urlscan.ini
to block requests for files with particular extensions.
3. File upload
In this step the intruder uploads a webshell and privilege-escalation tools, runs cmd commands, and so on.
Countermeasure: disable the corresponding services and functions, set ACL permissions
If conditions allow, do not use FSO (FileSystemObject):
unregister the associated DLL with regsvr32 /u C:\windows\system32\scrrun.dll.
If FSO is needed,
create a separate user for each site,
and on each site's directory grant that user only read, write and execute, while administrators keep full permissions.
Install antivirus software so that uploaded malicious code is killed in real time.
Personally I recommend McAfee or Kaspersky.
If you use McAfee, block all additions and modifications to files in the Windows directory.
4. Webshell
After uploading the file, the intruder needs the webshell to run executables, or uses the webshell for more convenient file operations.
Countermeasure: disable the corresponding services and functions
Webshells generally use the following components:
Wscript.Network
Wscript.network.1
Wscript.Shell
Wscript.shell.1
Shell.Application
Shell.application.1
We rename or delete the above keys in the registry.
Also pay attention to the contents of the CLSID subkey under each of these keys:
delete the corresponding keys under HKEY_CLASSES_ROOT\CLSID as well.
5. Executing a shell
The intruder obtains a shell in order to run further commands.
Countermeasure: set ACL permissions
The Windows command-line console is \windows\system32\cmd.exe.
We change this file's ACL so that
a specific administrator account, such as Administrator, has full permissions, and
all other users, including the SYSTEM account and the Administrators group, are not granted any access to this file.
6. Using existing users or adding users
The intruder modifies an existing user or adds a Windows user in order to obtain Administrator privileges.
Countermeasure: set ACL permissions, modify users
Remove terminal-services logon rights from all users except administrators.
Restrict access to CMD.EXE.
Restrict xp_cmdshell in SQL Server.
7. Logging on to a graphical terminal
The intruder logs on to Terminal Server, Radmin or a similar graphical terminal
in order to run the many graphical programs; because most applications on Windows have a GUI,
this step is what every intruder of a Windows system wants to reach.
Countermeasure: port restrictions
The intruder may use 3389 or other trojans to gain access to the graphical interface.
In the port restrictions of the first step we block all access from inside to outside, to prevent reverse-connecting ("bounce") trojans.
So in the port restrictions, the fewer external ports the local machine can reach, the better.
If it is not a mail server, you can leave no outbound port open at all
and block all bounce trojans.
8. Erasing footprints
Once the intruder has obtained full Administrator privileges on a machine,
the next step is to erase footprints to stay hidden.
Countermeasure: auditing
First, make sure enough audit items are enabled in the Windows event log.
If the audit items are insufficient, the intruder does not even need to delete Windows events.
Second, we can replace the system's Cmd.exe and Net.exe with our own versions
that save the commands run, so we can follow the intruder's actions.
For the Windows event log,
we can guarantee the integrity of the records by sending them to a remote log server.
The Evtsys tool (https://engineering.purdue.edu/ECN/Resources/Documents)
converts Windows event logs to syslog format and sends them to a remote server.
Use this tool and run syslogd on the remote server; if the remote server is a Windows system,
Kiwi Syslog Daemon is recommended.
The goal we want to achieve is:
the intruder cannot scan the host for vulnerabilities;
even if they scan, they cannot upload files;
even if they upload files, they cannot manipulate files in other directories;
even if they manipulate files in other directories, they cannot execute a shell;
even if they execute a shell, they cannot add a user;
even if they add a user, they cannot log on to the graphical terminal;
and even if they log on to the graphical terminal and control the system, their actions are still recorded.
Additional measures:
We can further enhance system security by adding some equipment and measures.
1. A proxy-type firewall, such as ISA 2004
Proxy-type firewalls can filter the contents of incoming and outgoing packets.
Set filters on the request string or form content within HTTP requests
to filter out SELECT, DROP, DELETE, INSERT and so on.
Because these keywords are unlikely to occur in the forms or content that customers submit,
filtering them out can be said to essentially eliminate SQL injection.
2. Set up an IDS with Snort
Set up Snort on another server
to analyze and record all packets entering and leaving the server;
FTP upload commands and HTTP requests for ASP files in particular
deserve special attention.
Some of the software mentioned in this article is included in the RAR download provided with it:
the COM command-line execution recorder (Comlog),
URLScan 2.5 with its configured configuration files,
exported IPSec port rules,
Evtsys,
and some registry keys that harden the registry.
Practical part
Here is the example I used; it is a standard virtual host.
System: Windows 2003
Services: [IIS] [Serv-U] [IMail] [SQL Server] [PHP] [MySQL]
Description: for the demonstration the largest set of services is bound; we can cut it down according to the actual situation.
1. Port restrictions with the Windows local security policy (IPSec)
A. For our example, the following inbound ports need to be opened:
External -> local 80
External -> local 20
External -> local 21
External -> local: the port range used by FTP PASV mode
External -> local 25
External -> local 110
External -> local 3389
Then, depending on the specifics, open the SQL Server and MySQL ports:
External -> local 1433
External -> local 3306
B. Then open the ports that need to be open from the inside out.
Depending on the actual situation, if you do not need mail services, do not open the following two rules:
Local -> outside TCP, UDP
Local -> outside 25
Depending on the specific situation, if you do not need to browse web pages from the server, try not to open the following port:
Local -> outside 80
C. This is the key to the whole rule set: apart from what is expressly permitted above,
External -> local: all protocols blocked
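As an added example (not from the article or its download), the rules above expressed as the netsh ipsec static commands that build and assign an equivalent Windows Server 2003 IPSec policy; the policy, filter-list and action names are my own, and the FTP PASV range has to be filled in from your Serv-U configuration:

```powershell
# Added example: the article's virtual-host port policy built with netsh ipsec static (Windows Server 2003).
# Policy, filter-list and filter-action names below are my own choices.
$Policy = 'VirtualHostHarden'

# A. Inbound: 80 web, 20/21 FTP, 25/110 mail, 3389 terminal services, 1433 SQL Server, 3306 MySQL.
#    The FTP PASV data range is not given in the article; add the range configured in Serv-U here.
$InboundTcp  = 80, 20, 21, 25, 110, 3389, 1433, 3306
# B. Outbound: only what the host must initiate itself (25 for mail delivery; add 80 only if the
#    server has to browse the web). Leave the list empty on a host that is not a mail server.
$OutboundTcp = @(25)

netsh ipsec static add policy name=$Policy

# Every filter is mirrored: without the mirror the reply half of each session is dropped and
# nothing connects, which is the warning in the article's Scanning section.
netsh ipsec static add filterlist name=AllowInbound
foreach ($port in $InboundTcp) {
    netsh ipsec static add filter filterlist=AllowInbound srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=$port mirrored=yes
}
netsh ipsec static add filterlist name=AllowOutbound
foreach ($port in $OutboundTcp) {
    netsh ipsec static add filter filterlist=AllowOutbound srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=$port mirrored=yes
}
# C. Catch-all for every protocol. IPSec evaluates the most specific matching filter first, so the
#    port-specific permits above win over this one regardless of the order the rules were added.
netsh ipsec static add filterlist name=BlockAll
netsh ipsec static add filter filterlist=BlockAll srcaddr=any dstaddr=me protocol=ANY mirrored=yes

netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block

netsh ipsec static add rule name=PermitInbound policy=$Policy filterlist=AllowInbound filteraction=Permit
netsh ipsec static add rule name=PermitOutbound policy=$Policy filterlist=AllowOutbound filteraction=Permit
netsh ipsec static add rule name=BlockEverything policy=$Policy filterlist=BlockAll filteraction=Block

# Assign from a console session, or only after confirming 3389 is in $InboundTcp: the block rule
# otherwise severs the remote session that is applying it. 'assign=n' backs the policy out again.
netsh ipsec static set policy name=$Policy assign=y
```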
2. User accounts
A. Rename the Administrator account; in the example it becomes root.
B. For all users except the administrator root, clear the user properties
Remote Control -> Enable remote control, and
Terminal Services Profile -> Allow logon to terminal server.
C. Rename Guest to Administrator and change its password.
D. Apart from the administrator root, the IUSR and IWAM accounts and the ASPNET user, disable all other users, including the SQL debugger account, the terminal services user, etc.
3. Directory permissions
Change the permissions on every drive letter to only:
Administrators group: full control
SYSTEM: full control
and let these two entries on the root of the C: drive (the Administrators group and SYSTEM, full control) be inherited by all subdirectories and files on C:.
Then make the following modifications:
C:\Program Files\Common Files: grant Everyone the three default permissions Read & Execute, List Folder Contents, Read
C:\WINDOWS\: grant Everyone the three default permissions Read & Execute, List Folder Contents, Read
C:\WINDOWS\Temp: grant Everyone Modify, Read & Execute, List Folder Contents, Read, Write
Now a webshell cannot write files into the system directory.
You can of course use more restrictive permissions
and set permissions on individual directories under Windows,
but that is more complicated and the effect is not obvious.
4. IIS
Under IIS 6, the ISAPI types in the application extension mappings already exclude dangerous script types such as .idq and .printer.
Under IIS 5 we need to remove all types except ASP and ASA.
Install URLScan and
in [DenyExtensions]
generally add the following content:
.cer
.cdx
.mdb
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
This way the intruder cannot download the .mdb database. This method is more thorough than the other approach of adding special characters to the file header,
because even if special characters are added to the file header, it can still be constructed by way of encoding.
5. Web directory permissions
On a virtual host there will be many independent customers.
A safer approach is to create a Windows user for each customer,
then in the corresponding site entry in IIS
bind the anonymous user that IIS runs as to this user,
and point it at the site directory.
Change the permissions to:
Administrators: full control
SYSTEM: full control
the individually created user (or IUSR): select Advanced and grant all permissions except the three Full Control, Traverse Folder / Execute File, and Take Ownership.
If there are not many sites on the server and they have forums,
we can take each forum's upload directory
and remove this user's execute permission on it,
leaving only Read and Write permissions.
So even if the intruder bypasses the forum's file-type check and uploads a webshell,
it cannot be run.
7. Modify CMD.EXE and NET.EXE permissions
Change the permissions on these two files so that only a specific administrator can access them; in this example we change them to:
Cmd.exe: root user, full control
Net.exe: root user, full control
This prevents illegitimate access.
You can also use the Comlog program provided with the example:
rename Cmd.exe to _cmd.exe, then put the Comlog file in its place. This records all command-line instructions that are executed.
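As an added example (not from the article or its download), a PowerShell function that rebuilds an object's ACL from scratch, applied the way sections 5 and 7 describe: the command-line tools restricted to the renamed administrator root, and a forum upload directory restricted to a per-site IIS account. The account name site01_user and the path D:\sites\site01\upload are hypothetical.

```powershell
# Added example: rebuild an object's ACL so that only the named identities keep access, as the
# article does for cmd.exe/net.exe (section 7) and for per-site web directories (section 5).
# 'root' is the article's renamed Administrator; 'site01_user' and D:\sites\site01 are hypothetical.
function Set-ExclusiveAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Grants   # identity -> FileSystemRights to allow
    )
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and discard (not copy) the inherited entries...
    $acl.SetAccessRuleProtection($true, $false)
    # ...then remove every explicit entry, so Users/Everyone grants from the old ACL do not survive.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Directories propagate the new entries to their contents; files take plain entries.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    foreach ($id in $Grants.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, $Grants[$id], $inherit, 'None', 'Allow'))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Section 7: only root may use the command-line tools. SYSTEM loses access too, so scheduled
# tasks or services that spawn cmd.exe will fail; check for those before applying on a production host.
foreach ($exe in 'cmd.exe', 'net.exe') {
    Set-ExclusiveAcl -Path "$env:SystemRoot\System32\$exe" -Grants @{ 'root' = 'FullControl' }
}

# Section 5: a forum upload directory for the site's dedicated IIS anonymous account: read and write,
# no execute. Pair this with "Execute permissions: None" on the same directory in IIS, because the
# NTFS execute right alone does not stop the ASP ISAPI from interpreting an uploaded script.
Set-ExclusiveAcl -Path 'D:\sites\site01\upload' -Grants @{
    'Administrators' = 'FullControl'
    'SYSTEM'         = 'FullControl'
    'site01_user'    = 'Read, Write'
}
```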
8. Backup
Use the Ntbackup program to back up the system state.
Use Reg.exe to back up critical system data,
for example reg export HKLM\SOFTWARE\ODBC e:\backup\system\odbc.reg /y
backs up the system's ODBC settings.
9. Antivirus
McAfee 8i Chinese Enterprise Edition is described here,
because this version is updated promptly for many domestic malicious codes and trojans;
for example, it already detects the Haiyang Top 2006 webshell,
and it can kill MIME-encoded virus files in the queues used by SMTP software such as IMail.
Many people like to install Norton Enterprise Edition, but Norton Enterprise Edition basically does not react to webshells
and cannot scan MIME-encoded files.
In McAfee
we can also add rules to prevent the creation and modification of EXE and DLL files in the Windows directories, etc.
We add a scan of the web directories in the software,
run it once a day,
and turn on real-time monitoring.
10. Turn off unnecessary services
We generally disable the following services:
Computer Browser
Help and Support
Messenger
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper
If the server does not need to join a domain, we can also disable
Workstation
11. Removing dangerous components
If the server does not require FSO,
regsvr32 /u C:\windows\system32\scrrun.dll
unregisters the component.
Using regedit,
under HKEY_CLASSES_ROOT rename or delete the keys
Wscript.Network
Wscript.network.1
Wscript.Shell
Wscript.shell.1
Shell.Application
Shell.application.1
The CLSID subkey under each of these keys contains a string
such as {72C24DD5-D70A-438B-8A42-98424B88AFB8};
find the keys with these names under HKEY_CLASSES_ROOT\CLSID
and delete them all.
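As an added example (not from the article or its download), the registry clean-up of this section and of the Webshell section above done in PowerShell, resolving each ProgID's CLSID from the registry instead of typing the GUIDs by hand; the function name is mine:

```powershell
# Added example: remove the automation classes listed in the Webshell section and section 11, resolving
# each ProgID's CLSID from the registry so the CLSID key the article warns about goes with the ProgID.
# Export HKEY_CLASSES_ROOT first (section 8) so the change can be reversed.
$ProgIds = 'Wscript.Network', 'Wscript.network.1', 'Wscript.Shell', 'Wscript.shell.1',
           'Shell.Application', 'Shell.application.1'

function Remove-ComProgId {
    param([Parameter(Mandatory)][string]$ProgId)
    $progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path -LiteralPath $progKey)) { return $null }
    # The ProgID's CLSID subkey holds the GUID, e.g. {72C24DD5-D70A-438B-8A42-98424B88AFB8} for Wscript.Shell.
    # Wscript.Shell and Wscript.shell.1 point at the same GUID, so the second call finds it already gone.
    $clsid = (Get-ItemProperty -LiteralPath "$progKey\CLSID" -ErrorAction SilentlyContinue).'(default)'
    foreach ($hive in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        # Wow6432Node only exists on 64-bit Windows, where 32-bit classes are registered separately.
        $clsidKey = "Registry::$hive\$clsid"
        if ($clsid -and (Test-Path -LiteralPath $clsidKey)) { Remove-Item -LiteralPath $clsidKey -Recurse -Force }
    }
    Remove-Item -LiteralPath $progKey -Recurse -Force
    return $clsid
}

# Shell.Application is also used by Explorer and some installers: test the effect on a non-production
# host before removing it from a server that administrators work on interactively.
foreach ($p in $ProgIds) {
    $clsid = Remove-ComProgId -ProgId $p
    if ($clsid) { "$p removed together with CLSID $clsid" } else { "$p not present" }
}

# FSO: only when no site needs FileSystemObject. regsvr32 /u drops every class scrrun.dll registers
# (Scripting.FileSystemObject, Scripting.Dictionary, ...), not just FSO.
# regsvr32 /u /s "$env:SystemRoot\System32\scrrun.dll"
```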
12. Auditing
Local Security Policy -> Local Policies -> Audit Policy
Enable the following:
Audit policy change: success, failure
Audit system events: success, failure
Audit account logon events: success, failure
Audit account management: success, failure
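As an added example (not from the article or its download), the four audit settings above applied as a security template with secedit, which is the scriptable form of the Local Security Policy dialog on Windows Server 2003; the file names under $env:TEMP are my own:

```powershell
# Added example: apply section 12's four audit settings on Windows Server 2003 with a security template
# and secedit, the scriptable form of Local Security Policy -> Local Policies -> Audit Policy.
# Value meaning in [Event Audit]: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditPolicyChange=3
AuditSystemEvents=3
AuditAccountLogon=3
AuditAccountManage=3
'@
# AuditLogonEvents=3 (logon/logoff on this machine, including terminal-services sessions) is the
# natural fifth line when the log volume is acceptable; the article's list stops at the four above.

$inf = Join-Path $env:TEMP 'audit-policy.inf'
$db  = Join-Path $env:TEMP 'audit-policy.sdb'
Set-Content -LiteralPath $inf -Value $template -Encoding Unicode

# Only the SECURITYPOLICY area is configured, so the account-policy and registry sections of the
# security database are left untouched.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Verify: export the effective policy and show the audit lines that are now in force.
$check = Join-Path $env:TEMP 'audit-effective.inf'
secedit /export /cfg $check /areas SECURITYPOLICY
Select-String -Path $check -Pattern '^Audit' | ForEach-Object { $_.Line }
```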