We are now starting with the first step of the intruder. The corresponding start to strengthen the existing Windows system.
1. Scan
This is the first step that intruders have to take at the beginning. Search for vulnerable services, for example.
Corresponding measures: Port restrictions
All of the following rules. You need to select a mirror or you will not be able to connect
All we need to do is open the port that the service needs. And all the other ports are blocked
2. Download Information
This is mainly through URL SCAN. To filter some illegal requests.
Corresponding measures: Filter the corresponding package
We scan through the secure URL and set the DenyExtensions field in Urlscan.ini
To block the execution of a file at a particular end
3. Upload file
Intruders through this step upload Webshell, power software, run cmd command and so on.
Corresponding measures: cancel the corresponding services and functions, set ACL permissions
If there is a condition can not use the FSO.
Log off the associated DLL by regsvr32/u C:\windows\system32\scrrun.dll.
If you need to use.
Then create a user for each site
The corresponding directory for each site. Only read, write, execute, and give administrators all permissions to the user
Install antivirus software. Kill the malicious code that is uploaded in real time.
Personally recommend McAfee or Kaspersky
If you are using McAfee. Block all additions and modifications to the files in the Windows directory.
4.WebShell
After the intruder uploads the file, you need to use Webshell to execute the executable program. or use Webshell for more convenient file operation.
Countermeasures: Canceling the corresponding services and functions
General Webshell Use the following components
Wscript.Network
Wscript.network.1
Wscript.Shell
Wscript.shell.1
Shell.Application
Shell.application.1
We rename or delete the above key values in the registry
Also pay attention to the contents of the CLSID keys under these key values
Delete the corresponding key values from the/hkey_classes_root/clsid below
5. Execute shell
Intruders get Shell to execute more instructions
Response: Set ACL permissions
The command line console for WINDOWS is located in \windows\system32\cmd. Exe
We'll change this file's ACL revision to
A specific administrator account, such as the administrator, has full permissions.
Other users. Includes system users, administrators groups, and so on. Access to this file is not granted.
6. Use existing users or add users
Intruders are using the modify existing user or adding Windows official users. To get Administrator privileges
Response: Set ACL permissions. Modify User
Remove terminal access rights for all users except administrators.
Restrict the access rights of CMD.EXE.
restricting xp_cmdshell in SQL Server
7. Landing Graphics Terminal
Intruders login to Terminal Server or Radmin and so on graphics terminals,
Get permission to run many graphics programs. Because most of the applications under Windows systems are GUI.
So this step is what every intruder who invades windows wants to get
Corresponding measures: Port restrictions
Intruders may use 3389 or other Trojans to gain access to the graphical interface.
We are in the first step of the port limit. All access from inside to outside is blocked to prevent the rebound Trojan.
So in the port limit. The less ports that are locally accessible to the external network, the better.
If it is not a mail SERVER. You can do without any port outside of the introversion.
Block all the bounce Trojans.
8. Erase Footprints
Once the intruder has obtained full Administrator privileges on a single machine
is to erase footprints to hide themselves.
Corresponding measures: Audit
First we want to make sure that we open enough audit entries in the Windows log.
If the audit project is insufficient. Intruders do not even have to delete Windows events.
Second, we can replace the system with our own Cmd.exe and Net.exe.
Save the running instructions. Understand the actions of the intruders.
For Windows log
We can guarantee the integrity of records by sending logs to a remote log server.
Evtsys Tool (Https://engineering.purdue.edu/ECN/Resources/Documents)
Provides the ability to convert Windows logs to syslog format and to send to a remote server.
Use this appliance. and open syslogd on the remote server if the remote server is a Windows system.
The use of Kiwi syslog Deamon is recommended.
The goal we're going to achieve is
Do not allow intruders to scan host vulnerabilities
You can't upload files even if you scan them.
You can't manipulate files in other directories even if you upload files
The shell cannot be executed even if a file is operating on another directory
Cannot add a user even if the shell is executed
Can not login to the graphics terminal even if the user is added
Even if the graphics terminal is logged. Have control of the system. His actions will still be recorded.
Additional measures:
We can further enhance the security of the system by adding some equipment and measures.
1. Proxy type firewall. such as ISA2004
Agent-type firewalls can filter the contents of incoming and outgoing packets.
Set filter request string or form content within HTTP request
Filter out the SELECT.DROP.DELETE.INSERT and so on.
Because these keywords are not likely to occur in the form or content that the customer submits.
Filtered out can be said to eliminate the SQL injection at all
2. Set up IDs with snort
Create a snort with another server.
Analyze and record all packets entering and leaving the server
In particular, FTP upload instructions and HTTP requests for ASP files
The command line console for WINDOWS is located in \windows\system32\cmd. Exe
We'll change this file's ACL revision to
A specific administrator account, such as the administrator, has full permissions.
Other users. Includes system users, administrators groups, and so on. Access to this file is not granted.
6. Use existing users or add users
Intruders are using the modify existing user or adding Windows official users. To get Administrator privileges
Response: Set ACL permissions. Modify User
Remove terminal access rights for all users except administrators.
Restrict the access rights of CMD.EXE.
restricting xp_cmdshell in SQL Server
7. Landing Graphics Terminal
Intruders login to Terminal Server or Radmin and so on graphics terminals,
Get permission to run many graphics programs. Because most of the applications under Windows systems are GUI.
So this step is what every intruder who invades windows wants to get
Corresponding measures: Port restrictions
Intruders may use 3389 or other Trojans to gain access to the graphical interface.
We are in the first step of the port limit. All access from inside to outside is blocked to prevent the rebound Trojan.
So in the port limit. The less ports that are locally accessible to the external network, the better.
If it is not a mail SERVER. You can do without any port outside of the introversion.
Block all the bounce Trojans.
8. Erase Footprints
Once the intruder has obtained full Administrator privileges on a single machine
is to erase footprints to hide themselves.
Corresponding measures: Audit
First we want to make sure that we open enough audit entries in the Windows log.
If the audit project is insufficient. Intruders do not even have to delete Windows events.
Second, we can replace the system with our own Cmd.exe and Net.exe.
Save the running instructions. Understand the actions of the intruders.
For Windows log
We can guarantee the integrity of records by sending logs to a remote log server.
Evtsys Tool (Https://engineering.purdue.edu/ECN/Resources/Documents)
Provides the ability to convert Windows logs to syslog format and to send to a remote server.
Use this appliance. and open syslogd on the remote server if the remote server is a Windows system.
The use of Kiwi syslog Deamon is recommended.
The goal we're going to achieve is
Do not allow intruders to scan host vulnerabilities
You can't upload files even if you scan them.
You can't manipulate files in other directories even if you upload files
The shell cannot be executed even if a file is operating on another directory
Cannot add a user even if the shell is executed
Can not login to the graphics terminal even if the user is added
Even if the graphics terminal is logged. Have control of the system. His actions will still be recorded.
Additional measures:
We can further enhance the security of the system by adding some equipment and measures.
1. Proxy type firewall. such as ISA2004
Agent-type firewalls can filter the contents of incoming and outgoing packets.
Set filter request string or form content within HTTP request
Filter out the SELECT.DROP.DELETE.INSERT and so on.
Because these keywords are not likely to occur in the form or content that the customer submits.
Filtered out can be said to eliminate the SQL injection at all
2. Set up IDs with snort
Create a snort with another server.
Analyze and record all packets entering and leaving the server
In particular, FTP upload instructions and HTTP requests for ASP files
Can pay special attention to.
Current 1/2 page
12 Next read the full text
