3. Server security settings - Component security settings (very important!!!)
A. Uninstall the two components. Save the following commands as a .BAT file and run it (there are separate versions for Windows 2000 and Windows 2003):
Windows 2000:
regsvr32 /u C:\WINNT\System32\
C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\
C:\WINNT\system32\
Windows 2003:
regsvr32 /u C:\WINDOWS\System32\
C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\system32\
C:\WINDOWS\system32\
B. Rename the unsafe component. Note that both the component's name and its CLSID must be changed, and changed thoroughly. Do not copy the example below; change the values yourself.
[Start → Run → Regedit → Enter] opens the Registry Editor.
Then [Edit → Find], fill in the search term, and click [Find Next].
This method can be used to find two registry entries:
{13709620-C279-11CE-A49E-444553540000} and .
Step 1: To be safe, export these two registry entries and save them as .reg files.
Step 2: For example, we want to make the following changes:
13709620-C279-11CE-A49E-444553540000 renamed to 13709620-C279-11CE-A49E-444553540001
 renamed to Shell.application_nohack
Step 3: Replace the content of the .reg file you just exported according to the mapping above, then import the modified .reg file into the registry (just double-click it). After importing the renamed keys, do not forget to delete the original two items. Note that a CLSID can contain only hexadecimal characters (the ten digits 0-9 and the six letters A-F).
In fact, it is enough to export the corresponding registry key as a backup and then rename the key directly.
Improved example (you should still change the names yourself; it should work on the first try):
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\InProcServer32]
@="C:\\WINNT\\system32\\"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\ProgID]
@="Shell.Application_nohack.1"
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\Version]
@="1.1"
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\VersionIndependentProgID]
@="Shell.Application_nohack"
[HKEY_CLASSES_ROOT\Shell.Application_nohack]
@="Shell Automation Service"
[HKEY_CLASSES_ROOT\Shell.Application_nohack\CLSID]
@="{13709620-C279-11CE-A49E-444553540001}"
[HKEY_CLASSES_ROOT\Shell.Application_nohack\CurVer]
@="Shell.Application_nohack.1"
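As an added check for the rename procedure above (example code written for this page, not part of the original guide): it parses a .reg export, confirms the new CLSID is a well-formed GUID, that the ProgID key and the CLSID key point at each other, and that the old ProgID no longer appears anywhere. The sample export is constructed and abridged; the name Shell.Application_nohack and the CLSID come from the example above.

```python
import re
# Well-formed CLSID: {8-4-4-4-12} hexadecimal digits inside braces.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                keys[current][name.strip('"')] = data[1:-1]
    return keys

def check_rename(keys, old_progid, new_progid, new_clsid):
    """Return the problems found in a renamed COM registration ([] means OK)."""
    problems = []
    if not GUID_RE.match(new_clsid):
        problems.append("new CLSID is not a well-formed GUID")
    clsid_key = "HKEY_CLASSES_ROOT\\CLSID\\" + new_clsid
    progid_key = "HKEY_CLASSES_ROOT\\" + new_progid
    for k in (clsid_key, progid_key):
        if k not in keys:
            problems.append("missing key " + k)
    if keys.get(progid_key + "\\CLSID", {}).get("@") != new_clsid:
        problems.append("ProgID\\CLSID does not point at the new CLSID")
    if keys.get(clsid_key + "\\VersionIndependentProgID", {}).get("@") != new_progid:
        problems.append("CLSID\\VersionIndependentProgID does not name the new ProgID")
    # The old ProgID must not survive as a key or value (a longer name that starts with it is fine).
    leftover = re.compile(r"(?<![\w.])" + re.escape(old_progid) + r"(?!\w)", re.I)
    for path, values in keys.items():
        if any(leftover.search(s) for s in [path, *values.values()]):
            problems.append("old ProgID still referenced under " + path)
    return problems

# Constructed sample modelled on the renamed Shell.Application export above (abridged).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\VersionIndependentProgID]
@="Shell.Application_nohack"
[HKEY_CLASSES_ROOT\Shell.Application_nohack]
@="Shell Automation Service"
[HKEY_CLASSES_ROOT\Shell.Application_nohack\CLSID]
@="{13709620-C279-11CE-A49E-444553540001}"
"""
```

Run check_rename on the export you are about to import; an empty list means the rename is internally consistent and the old name is gone.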
Lao Du commented:
The and components are an important part of privilege escalation during script intrusions. Uninstalling or modifying these two components can greatly improve the script security of virtual hosts; generally speaking, ASP and PHP scripts will no longer be able to escalate privileges. In addition, some system services, hard disk access rights, port filtering and local security policies should also be configured. Because the security of virtual hosts has been greatly improved, the possibility of hackers getting in is very low. After unregistering the shell component, the possibility of an intruder running an escalation tool is very small, but other scripting languages such as Perl also have shell capabilities. To be careful, it is better to set it up. Below is another, similar set of settings.
1. Prohibit the use of the FileSystemObject component. FileSystemObject can perform routine operations on files. You can rename this component in the registry to prevent harm from such malicious scripts:
HKEY_CLASSES_ROOT\\
Change the name to something else, for example FileSystemObject_ChangeName.
You can still call the component normally under its new name.
Also change the CLSID value under:
HKEY_CLASSES_ROOT\\CLSID\
The component can also be deleted to prevent harm from such malicious scripts.
Windows 2000 unregister command: regsvr32 /u C:\WINNT\SYSTEM\
Windows 2003 unregister command: regsvr32 /u C:\WINDOWS\SYSTEM\
How do you prevent the Guest user from calling this component?
Use this command: cacls C:\WINNT\system32\ /e /d guests
2. Prohibit the use of the WScript.Shell component. It can call the system kernel to run basic DOS commands. You can prevent harm from such malicious scripts by renaming this component in the registry:
HKEY_CLASSES_ROOT\\ and HKEY_CLASSES_ROOT\.1\
Change the names to something else, for example WScript.Shell_ChangeName or .1_ChangeName.
You can still call the component normally under its new name.
Also change the CLSID values under:
HKEY_CLASSES_ROOT\\CLSID\
HKEY_CLASSES_ROOT\.1\CLSID\
The component can also be deleted to prevent harm from such malicious scripts.
3. Prohibit the use of the Shell.Application component. It can call the system kernel to run basic DOS commands. You can prevent harm from such malicious scripts by renaming this component in the registry:
HKEY_CLASSES_ROOT\\
and
HKEY_CLASSES_ROOT\.1\
Change the names to something else, for example Shell.Application_ChangeName or .1_ChangeName.
You can still call the component normally under its new name.
Also change the CLSID values under:
HKEY_CLASSES_ROOT\\CLSID\
HKEY_CLASSES_ROOT\.1\CLSID\
The component can also be deleted to prevent harm from such malicious scripts.
Deny Guest users access to the file so they cannot call this component:
Windows 2000: cacls C:\WINNT\system32\ /e /d guests
Windows 2003: cacls C:\WINDOWS\system32\ /e /d guests
Note: All of these operations take effect only after the web service is restarted.
4. Call
Deny Guests group users from calling it:
Windows 2000: cacls C:\WINNT\system32\ /e /d guests
Windows 2003: cacls C:\WINDOWS\system32\ /e /d guests
(The component file names are missing from the cacls paths in this section; each command must name the component's file, otherwise the deny entry is applied to the whole system32 directory.)
The above four steps can basically block several popular malicious scripts, but the most effective approach is to configure server and program security comprehensively to a defined standard, so that the overall security level is higher and more intrusions are prevented.
C. Prevent Serv-U privilege escalation (applies to versions before Serv-U 6.0; in later versions you can simply set the password directly)
Stop the Serv-U service first.
Open with UltraEdit.
Find the ASCII strings LocalAdministrator and #l@$ak#.lk;0@P.
Change each of them to other characters of the same length.
Also take care to set the permissions on the folder where Serv-U is installed so that the IIS anonymous user cannot read it. Otherwise, anyone who downloads the file you modified can still recover your administrator name and password from it.
Ajiang ASP probe
/products/aspcheck/ (can test component security)