Windows security is easy to ignore

Source: Internet
Author: User

Nowadays users are increasingly security-aware and their skills keep improving. Yet many security details in Windows are still overlooked or simply unknown, and it may be precisely these details that undermine the line of defense we have built. So let us take a walk through these forgotten corners.

  1. Exposed privacy: index.dat

We know that IE's temporary files carry security risks and can leak personal privacy. Because of this, users clear temporary files, cookies, history, form records and so on from the IE browser's "Tools > Internet Options > General" window. Is that enough? You may not know that inside the IE temporary folder C:\Documents and Settings\<User Name>\Local Settings\Temporary Internet Files there is a Content.IE5 subfolder that holds an index.dat file. This file records your IE browsing history, and the operation above does not delete it.

Hackers can use third-party software such as Index.dat File Viewer to read the records left in index.dat, so your browsing history is exposed. To see this for yourself, first delete the history in IE, run Index.dat File Viewer and click "Execute": the URL addresses of the web pages you have visited are listed, with the browsing time shown to the right of each URL. Click "Auto locate" to the right of "View online page" and then click a URL to open the corresponding page in the simple browser embedded below. Click "Include images" and then a URL starting with "http", and all the images the page used are shown as well. (Figure 1)

Figure 1 Index.dat file record

The solution is to delete the index.dat file. It is a system file that cannot be deleted in the normal way, but a third-party tool such as Tracks Eraser Pro can do it. After running the program you will see many deletable items in the "Task" list on the left, and the index.dat file is among them. Just click the "Erase Now" button and the program clears it. After clearing, open Index.dat File Viewer again: the search result is blank, which shows that the clean-up succeeded. (Figure 2)

Figure 2 Clearing the file

  2. Leaked Thumbs.db

Thumbs.db is the thumbnail cache file of the Windows system. If you view the image files in a folder as thumbnails, a Thumbs.db file is generated in the same directory and stores thumbnails of all the images in that folder. When you delete the image files, Thumbs.db is not deleted, because it is a hidden system file that people never think about. Do not assume that the cached images cannot be viewed; you would be wrong. Attackers can use a third-party tool such as ThumbsDBViewer. As a test, first view the images under C:\WINDOWS\Web\Wallpaper as thumbnails, delete all the images, run the tool and open the Thumbs.db in that folder: the deleted image files reappear. (Figure 3)

Figure 3 Thumbnail viewer

Solution: open "My Computer", execute "Tools → Folder Options", and on the "View" tab tick the "Do not cache thumbnails" option as shown in Figure 4; the system will then no longer generate thumbnail files automatically. The Thumbs.db files already present on the system can be deleted in batch with the following batch file; save the code as lst.bat. (Figure 4)

Figure 4 Folder Options

@echo off
rem Delete every Thumbs.db on each partition.
rem /f forces deletion of read-only files, /s recurses into subfolders,
rem /q suppresses the confirmation prompt, and /a is needed because
rem Thumbs.db carries the hidden and system attributes, which del skips by default.
del /f /s /q /a c:\Thumbs.db
del /f /s /q /a d:\Thumbs.db
del /f /s /q /a e:\Thumbs.db
del /f /s /q /a f:\Thumbs.db
exit

You can modify or add lines according to your own disk partitions.

  3. "System Volume Information"

The "System Volume Information" folder, whose Chinese name translates as "system volume label information", stores the backup data that System Restore uses to restore the system. It was meant as a system backup, but viruses and Trojans have also targeted it and made it their habitat. Because only the SYSTEM account has permission on this folder and ordinary users have none, some anti-virus software cannot reach the viruses hidden inside it. How, then, can we clean out such viruses and Trojans?

(1) Manual clean-up. Because the folder is restricted to the SYSTEM account, you must first obtain permission to open it before you can remove the virus. The steps are: open "My Computer", execute "Tools → Folder Options → View", clear "Use simple file sharing" and "Hide protected operating system files", and click "OK". Then go to the root of the disk, for example drive C, right-click the "System Volume Information" folder and select "Properties". On the "Security" tab click "Add > Advanced > Find Now", select and add the current user, and grant it "Full Control". Finally enter C:\System Volume Information and delete the virus or Trojan horse. (Figure 5)

Figure 5 System Volume Information

(2) The system method. Since the folder is created by "System Restore", once the system backup is complete you can disable "System Restore" and the folder is deleted automatically. Group Policy can disable System Restore completely: enter "gpedit.msc" to open the Group Policy Editor, go to "Computer Configuration > Administrative Templates > System > System Restore", double-click "Turn off System Restore" on the right and select "Enabled". Then go to "Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Windows Installer", double-click "Turn off creation of System Restore checkpoints" on the right and select "Enabled". (Figure 6)
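The two checks a defender would want after following the steps above, as an added example that is not part of the original article: whether the "Turn off System Restore" policy is actually in force (it is stored under the SystemRestore policy key as the DisableSR value), and whether any executable-looking file has been planted inside a drive's System Volume Information folder. It is written for an elevated Windows PowerShell 3.0 or later session; the list of suspicious extensions is a constructed example, and reading the folder still needs the ACL grant from step (1) unless the account already has access.

```powershell
# Added example, not from the article. Run in an elevated Windows PowerShell.

# 1. Is System Restore turned off by policy? (DisableSR = 1 under the policy key)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$policy = Get-ItemProperty -Path $policyKey -Name DisableSR -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableSR -eq 1) {
    Write-Output 'System Restore is turned off by Group Policy (DisableSR = 1).'
} else {
    Write-Output 'No policy disables System Restore; restore points will keep being written.'
}

# 2. Look for files that have no business inside a restore-point store.
#    Constructed list of extensions; extend it to suit your environment.
$suspectExt = '.exe', '.dll', '.bat', '.cmd', '.vbs', '.scr', '.pif', '.com'

Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |     # fixed drive letters only
    ForEach-Object {
        $svi = Join-Path $_.Root 'System Volume Information'
        if (-not (Test-Path -LiteralPath $svi)) {
            Write-Output "$svi not present or not visible"
            return                                          # next drive
        }
        try {
            # -Force is required: the folder and its contents are hidden/system
            Get-ChildItem -LiteralPath $svi -Force -Recurse -File -ErrorAction Stop |
                Where-Object { $suspectExt -contains $_.Extension.ToLower() } |
                Select-Object FullName, Length, LastWriteTime
        } catch {
            # Access denied here means step (1) has not been applied for this account
            Write-Warning "Cannot read ${svi}: $($_.Exception.Message)"
        }
    }
```

An empty result from the second part is the expected state; any .exe, .dll or script file listed there deserves a closer look, because System Restore only stores its own copies of changed system files and the change log.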

Figure 6 Disabling System Restore

  4. The "backdoor" hidden in Group Policy

Adding the corresponding key values to the registry is the usual way a Trojan horse gets itself run at system startup. The same thing can, in fact, be done through Group Policy, which in addition can run operations when the system shuts down. This is done through the "Scripts (Startup/Shutdown)" item of Group Policy, located under "Computer Configuration > Windows Settings". Because it is so well concealed it is often overlooked, which makes it all the more dangerous.

For example, if a local user temporarily obtains operating rights on a machine, he can use this backdoor to keep long-term control of the host, running programs or scripts through it. The simplest case is creating an administrator user, which works as follows:

(1) Create a script

Create a batch file add.bat with the content: @echo off & net user gslw$ test168 /add & net localgroup administrators gslw$ /add & exit (this creates an administrator user named gslw$ with the password test168).

(2) Exploiting the backdoor

In the "Run" dialog box enter gpedit.msc, go to "Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)", double-click "Shutdown" in the right-hand window and add add.bat. From then on, a gslw$ user is created every time the system shuts down. An ordinary user does not know that a hidden user exists in the system, and even if he sees and deletes the user, it is created again at the next shutdown or restart. Without knowing about this location in Group Policy, he is left puzzled. (Figure 7)

Figure 7 Setting policy scripts
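The corresponding check from the defender's side, as an added example that is not part of the original article: the local Group Policy scripts configured through gpedit.msc are recorded in a hidden scripts.ini under %SystemRoot%\System32\GroupPolicy\Machine\Scripts (startup/shutdown) and ...\User\Scripts (logon/logoff), each section listing entries of the form 0CmdLine=... and 0Parameters=.... The script below reads both files, resolves each registered script to a path, hashes it, and also lists every file sitting in the script folders whether registered or not, so an add.bat such as the one described above stands out. It assumes an elevated Windows PowerShell 4.0 or later session (for Get-FileHash).

```powershell
# Added example, not from the article. Run in an elevated Windows PowerShell 4.0+.
$gpRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# scripts.ini is hidden; its layout is, for example:
#   [Shutdown]
#   0CmdLine=add.bat
#   0Parameters=
$iniFiles = @(
    (Join-Path $gpRoot 'Machine\Scripts\scripts.ini'),   # Startup / Shutdown
    (Join-Path $gpRoot 'User\Scripts\scripts.ini')       # Logon / Logoff
)

foreach ($ini in $iniFiles) {
    if (-not (Test-Path -LiteralPath $ini)) {
        Write-Output "No scripts registered in $ini"
        continue
    }
    Write-Output "== Registered scripts in $ini"
    $section = ''
    foreach ($line in Get-Content -LiteralPath $ini) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(\d+)CmdLine=(.*)$') {
            $index = $Matches[1]
            $cmd   = $Matches[2]
            # A bare file name refers to the folder named after the section
            # (e.g. ...\Machine\Scripts\Shutdown\add.bat); absolute paths are used as-is
            $scriptDir = Join-Path (Split-Path -Parent $ini) $section
            $full = if ([System.IO.Path]::IsPathRooted($cmd)) { $cmd } else { Join-Path $scriptDir $cmd }
            $hash = if (Test-Path -LiteralPath $full) {
                        (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
                    } else { 'MISSING' }
            [pscustomobject]@{
                Section = $section
                Index   = $index
                CmdLine = $cmd
                Path    = $full
                SHA256  = $hash
            }
        }
    }
}

# A script dropped into the folders but not (yet) listed in scripts.ini is
# still worth seeing, so enumerate the folders themselves. -Force is needed
# because the GroupPolicy tree is hidden.
Write-Output '== All files under the Group Policy script folders'
Get-ChildItem -LiteralPath (Join-Path $gpRoot 'Machine\Scripts'), (Join-Path $gpRoot 'User\Scripts') `
    -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

On a workstation that has never had scripts assigned, both scripts.ini files are usually absent and the folder listing is empty; any entry in the Shutdown or Logoff section in particular should be matched against a known change, since those run with SYSTEM rights and outside the window when a user is watching.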

In fact there are many more ways to exploit this "backdoor" in Group Policy. Some remote attackers use it to run scripts or programs, sniff the administrator password and so on; once they have the administrator password they no longer need to create an account in the system and simply log on remotely with the Administrator account. It is therefore a double-edged sword, and we hope you will pay attention to it: when you are attacked, this may be how the attacker gets in.

  5. Little-known folders

(1) The system folder

%Windir%\system was the core folder in the Windows 98 era; since Windows 2000 its place has been taken by system32. Most of today's viruses and Trojans aim to settle in system32, so everyone pays special attention to it, and after an infection the first thing people do is check it for suspicious files. Exploiting exactly this habit, some viruses and Trojans target the system folder instead. The system folder contains many driver files, and some very powerful driver-level viruses hide among them. This folder should therefore be treated as another corner of system security. (Figure 8)

Figure 8 Viruses in the system directory

(2) The dllcache folder

The dllcache folder is located in C:\WINDOWS\system32. It holds backup copies of the system files, so it takes up a relatively large amount of space, and for that reason it has become a favourite target of so-called system "slimming". What few people know is that dllcac
