Ajiang's WINDOWS server security settings

Basic server security settings

Install patches

After installing the operating system, it is best to complete the installation of the patch before hosting. After configuring the network, if it is 2000, it is sure that SP4 is installed. If it is 2003, it is best to install SP1, and then click Start → Windows Update to install all key updates.

Install antivirus software

Although antivirus software sometimes cannot solve the problem, antivirus software avoids many problems. I have been using Norton 2004, and it is said that 2005 can kill *s, but I haven't tried it. Some people use Rising, Rising is sure to kill *s. More people say that the Kaba driver is good, but I haven't used it.

Don't expect antivirus software to kill all *s, because the characteristic of ASP *s is that they can avoid the detection and killing of antivirus software through certain means.

Set port protection and firewall, delete default share

These are all server anti-black measures. Even if you don’t have IIS on your server, it’s best to do these security measures. This is Ajiang's blind spot. I probably know that blocking ports uses local security strategies, but there are many online strategies for this. You can come out and have a look. I may copy some to my website later.

Permission settings

Ajiang feels that this is the key to preventing ASP vulnerability attacks. Excellent permission settings can reduce the harm in an IIS site or even a virtual directory. I will talk about the principles and setting ideas here. Smart friends should be able to solve the problem after reading this.

Principle of permission setting

• WINDOWS users, most of the time in the WINNT system, permissions are divided according to users (groups). Manage system users and user groups in [Start → Programs → Administrative Tools → Computer Management → Local Users and Groups].
• NTFS permission settings, please remember to divide all hard disks into NTFS partitions when partitioning, and then we can determine the permissions that each partition has to each user. [Right-click on file (folder) → Properties → Security] Manage NTFS file (folder) permissions here.
• IIS anonymous user, each IIS site or virtual directory can set an anonymous access user (now called it "IIS anonymous user" for the time being). When a user accesses the .ASP file of your website, the permissions that this .ASP file has are the permissions that this "IIS anonymous user" has.

Ideas for permission setting

• Create a system user for each individual to be protected (such as a website or a virtual directory), so that the site has a unique identity in the system that can set permissions.
• Fill in the user name you just created in IIS [Site Properties or Virtual Directory Properties → Directory Security → Anonymous Access and Verification Control → Edit → Anonymous Access → Edit].
• Set all partitions to prohibit access by this user, and the folder corresponding to the home directory of this site just now allows access by this user (remove the inheritance parent permissions, and add a super-management group and a SYSTEM group).

After this setting, the ASP program in this site only has the permissions of the current folder. Judging from the probe, all hard disks are red crosses.

My setup method

I first create a user group, and then all users of the site will be built in this group, and then set this group to have no permissions or reject them in each partition. Then set the permissions of each IIS user in their folders.

Because there are a lot of them, I don’t want to write them. In fact, if I know the above principle, most people should understand it, unless I don’t know how to add system users and groups, how to set folder permissions, and where the IIS site attributes are. If there are really people like that, don’t worry, you should keep calm and take your time. You can actually figure out the specific methods yourself, and that’s what I am. Of course, if I have time, I will write my specific settings method, and I will also attach pictures.

Rename or uninstall unsafe components

Unsafe components are not amazing

I added an unsafe component detection function to Ajiang Probe 1.9 (actually, this was written in reference to the code of 7i24, but the interface was modified to be a little more friendly, and the detection method was basically the same as it). This function surprised many webmasters because he found that his server supports many unsafe components.

In fact, as long as the above permission settings are done, FSO, XML, and strem are no longer unsafe components, because they do not have permission to step out of their folders or sites. You don’t have to be afraid of that happy time. If you have antivirus software, why are you afraid of?

The most dangerous components are WSH and Shell, because it can run programs such as EXE on your hard drive. For example, it can run elevated programs to increase SERV-U permissions or even use SERVU to run higher privileged system programs.

Be cautious about uninstalling a component

Components appear for application, not for insecurity. All components have their uses, so before uninstalling a component, you must confirm that this component is not needed by your website program, or even if it is removed, it is not important. Otherwise, you can only keep this component and work on your ASP program itself to prevent others from coming in, rather than preventing others from coming in.

For example, FSO and XML are one of the most commonly used components, and many programs will use them. WSH components will be used by some host management programs, and some package programs will also be used.

Uninstall the most insecure components

The easiest way is to uninstall and delete the corresponding program file directly. Save the following code as a .BAT file (The following are all taken WIN2000 as an example. If you use 2003, the system folder should be C:\WINDOWS\ )

regsvr32/u C:\WINNT\System32\
del C:\WINNT\System32\
regsvr32/u C:\WINNT\system32\
del C:\WINNT\system32\

Then run it, and it will be uninstalled. It may prompt that the file cannot be deleted. Don’t worry about it. Restart the server and you will find that all three prompts "×Safe".

Rename unsafe component

It should be noted that the component name and Clsid must be changed, and it must be changed thoroughly. Let’s introduce the method as an example below.

Open the registry editor [Start → Run → Regedit Enter], and then [Edit → Find → Fill in → Find Next]. You can find two registry entries: "{13709620-C279-11CE-A49E-444553540000}" and "". To ensure foolproof, export these two registry entries and save them as .reg files.

For example, we want to make such changes

13709620-C279-11CE-A49E-444553540000 Renamed to 13709620-C279-11CE-A49E-444553540001
Renamed to Shell.application_ajiang

Then, replace the content in the .reg file you just exported according to the corresponding relationship above, and then import the modified .reg file into the registry (just double-click). After importing the renamed registry key, don’t forget to delete the original two items. One thing to note here is that there can only be ten numbers and six letters in Clsid.

Here is my modified code (I have combined the two files):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\InProcServer32]
@="C:\\WINNT\\system32\\"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\ProgID]
@="Shell.Application_ajiang.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\Version]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\VersionIndependentProgID]
@="Shell.Application_ajiang"

[HKEY_CLASSES_ROOT\Shell.Application_ajiang]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application_ajiang\CLSID]
@="{13709620-C279-11CE-A49E-444553540001}"

[HKEY_CLASSES_ROOT\Shell.Application_ajiang\CurVer]
@="Shell.Application_ajiang.1"

You can save this as a .reg file and try it, but don't let it go, because if a hacker reads my article, he will test the name I changed.

Prevent user groups and system processes from being listed

I used getobject("WINNT") to combine the 7i24 method in Ajiang ASP probe 1.9 to obtain a list of system users and system processes. This list may be exploited by hackers. We should hide it. The method is:

【Start → Programs → Administrative Tools → Services】, find Workstation, stop it, and disable it.

Prevent Serv-U permission escalation

In fact, after logging out the shell component, the possibility of intruders running the upgrade tool is very small, but other scripting languages ​​such as prel also have shell capabilities. To be careful, it is better to set it up.

Use Ultraedit to open and find Ascii: LocalAdministrator, and #l@$ak#.lk;0@P, and modify it to other characters of equal length, and the same processing is also done.

Also, be careful to set the permissions of the folder where Serv-U is located, and do not allow IIS anonymous users to read. Otherwise, if you go down the file you modified, you can still analyze your administrator name and password.

Common methods and prevention of exploiting ASP vulnerability attacks

Generally speaking, hackers always target programs such as forums, because these programs have upload functions, they can easily upload ASP *s. Even if permissions are set, the *s can control all files on the current site. In addition, with the * horse, then upload the upgrade tool to gain higher permissions. The purpose of our closing shell components is largely to prevent attackers from running the upgrade tool.

If the forum administrator turns off the upload function, the hacker will find a way to obtain a super-management password. For example, if you use the Dongwang forum and the database forgets to change its name, people can directly download your database, and then it is not far from finding the forum administrator password.

As administrators, we must first check our ASP programs and make necessary settings to prevent the website from being hacked. The other is to prevent attackers from using a hacked website to control the entire server, because if your server also opens a site for friends, you may not be sure that your friend will set up the security settings for the forums he uploaded. This uses the lot of things mentioned above. After doing the permission settings and prevention improvements, even if the hacker enters a site, he cannot destroy anything other than the site.

postscript

Maybe some security experts or sabotage experts will laugh at or be happy after reading my articles, but I think there are still many correct places in my experience. There are thousands of people who know less than me, who are eager for such an article like when I didn’t understand it at first, so I have to write it. No matter what others say to me, I am not afraid that thousands of people will curse me in the future. If I take it alone, I have no wife who needs to explain...

Because this is actually just a way to throw a brick and attract jade. From the laughter of others, my readers and I can learn more useful things.