Posted 2008-11-23 19:28 | Category: Technology
The example used here is a standard virtual (shared) hosting server.
System: Windows 2003
Services: IIS, Serv-U, IMail, SQL Server 2000, PHP, MySQL
Description: for demonstration purposes all of these services are bundled on one host; in practice, select them according to the actual situation and so reduce the risk.
1. Port restrictions in the Windows local security policy
A. For our example, the following inbound ports need to be opened:
outside -> local 80
outside -> local 20
outside -> local 21
outside -> local: the PASV port range used by the FTP server
outside -> local 25
outside -> local 110
outside -> local 3389
Then, depending on the actual situation, open the SQL Server and MySQL ports:
outside -> local 1433
outside -> local 3306
B. Next open the outbound ports needed from inside out, again according to the actual situation. If there is no mail service, do not open the following two rules:
local -> outside 53 TCP, UDP
local -> outside 25
Depending on the circumstances, if there is no need to browse web pages from the server, try not to open the following port either:
local -> outside 80
C. Apart from what is explicitly allowed, block everything. This rule is the key to the whole policy:
outside -> local, all protocols: block
2. User accounts
A. Rename the Administrator account, for example to root.
B. For every user except the administrator root, clear the following two attributes:
Remote Control -> Enable remote control
Terminal Services Profile -> Allow logon to terminal server
C. Rename the Guest account to "administrator" and change its password.
D. Apart from the administrator root, IUSR, IWAM and the ASPNET user, disable all other users, including SQLDebugger, the Terminal Services user and so on.
3. Directory permissions
All drive letters: read only.
Administrators group: Full Control.
SYSTEM: Full Control.
Then let all subdirectories and files on drive C: inherit the two permissions from C:, Administrators (or the user group) Full Control and SYSTEM Full Control.
Then make the following changes:
C:\Program Files\Common Files: give Everyone the default three permissions Read & Execute, List Folder Contents and Read.
C:\WINDOWS: give Everyone the default three permissions Read & Execute, List Folder Contents and Read.
C:\WINDOWS\Temp: give Everyone Modify, Read & Execute, List Folder Contents, Read and Write.
A webshell can now no longer write files into the system directory. Of course you could use a more restrictive permission set by setting permissions separately inside the WINDOWS directory, but that is more complicated and the gain is not obvious.
4. IIS
In IIS 6 the risky script types such as IDQ and PRINTER have already been removed from the ISAPI application extension mappings. Under IIS 5, all types other than ASP and ASA need to be deleted.
Install URLScan. In [DenyExtensions] generally add the following:
.cer
.cdx
.mdb
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
That way an intruder cannot download the .mdb database. This method is more thorough than adding special characters to the file header, because even if special characters are added to the file header, it can still be constructed through encoding.
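As an added example (not code from the original post), the DenyExtensions idea modelled in Python: the extension list is the one given above, and the check is made on the normalized request path, decoded, lower-cased and with the query string removed, which is what makes it more robust than tricks in the file itself. The request URLs are constructed samples.

```python
from urllib.parse import unquote

# DenyExtensions list from the URLScan section above.
DENY_EXTENSIONS = {
    ".cer", ".cdx", ".mdb", ".bat", ".cmd", ".com", ".htw", ".ida",
    ".idq", ".htr", ".idc", ".shtm", ".shtml", ".stm", ".printer",
}


def normalize_path(raw_url: str) -> str:
    """Reduce a request URL to the path the extension filter should judge.

    The query string is cut off first (an encoded '?' must not become a
    separator later), the path is percent-decoded until it stops changing
    (catches double encoding such as %252E), backslashes are folded to
    slashes and the result is lower-cased, so that db.MDB, db%2Emdb and
    db.mdb?x=1 all compare equal.
    """
    path = raw_url.split("?", 1)[0]
    for _ in range(3):  # bounded, so odd input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def request_extension(path: str) -> str:
    """Extension of the last path segment (with the dot), or '' if none."""
    last = path.rsplit("/", 1)[-1]
    # NTFS ignores trailing dots and spaces, so "db.mdb." still opens
    # db.mdb; strip them before looking at the extension.
    last = last.rstrip(". ")
    if "." not in last:
        return ""
    return "." + last.rsplit(".", 1)[-1]


def is_denied(raw_url: str) -> bool:
    """True when the DenyExtensions rule should refuse this request."""
    return request_extension(normalize_path(raw_url)) in DENY_EXTENSIONS


if __name__ == "__main__":
    for url in ("/data/db.mdb", "/data/DB.MDB?download=1", "/data/db%252Emdb",
                "/data/db.mdb.", "/index.asp"):
        print(f"{url:26} -> {'deny' if is_denied(url) else 'allow'}")
```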
5. Web directory permissions
On a virtual host there are many independent customers. The safer approach is to create a Windows user for each customer, then in that site's entry in IIS set the anonymous user that IIS executes as to this user, and set the permissions on his directory as follows:
Administrators: Full Control
SYSTEM: Full Control
the individual user (or IUSR): Advanced -> grant everything except Full Control, Traverse Folder / Execute File and Take Ownership; those three are left out.
If there are not many sites on the server and there are forums, we can also remove the execute permission on each forum's upload directory for that user, leaving only read and write, so that even if an intruder bypasses the forum's file-type detection and uploads a webshell, it cannot run.
6. MS SQL Server 2000
Log in to Query Analyzer with the system account and run the following script:
use master
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_dropextendedproc 'xp_dirtree'
exec sp_dropextendedproc 'xp_enumgroups'
exec sp_dropextendedproc 'xp_fixeddrives'
exec sp_dropextendedproc 'xp_loginconfig'
exec sp_dropextendedproc 'xp_enumerrorlogs'
exec sp_dropextendedproc 'xp_getfiledetails'
exec sp_dropextendedproc 'sp_OACreate'
exec sp_dropextendedproc 'sp_OADestroy'
exec sp_dropextendedproc 'sp_OAGetErrorInfo'
exec sp_dropextendedproc 'sp_OAGetProperty'
exec sp_dropextendedproc 'sp_OAMethod'
exec sp_dropextendedproc 'sp_OASetProperty'
exec sp_dropextendedproc 'sp_OAStop'
exec sp_dropextendedproc 'xp_regaddmultistring'
exec sp_dropextendedproc 'xp_regdeletekey'
exec sp_dropextendedproc 'xp_regdeletevalue'
exec sp_dropextendedproc 'xp_regenumvalues'
exec sp_dropextendedproc 'xp_regread'
exec sp_dropextendedproc 'xp_regremovemultistring'
exec sp_dropextendedproc 'xp_regwrite'
drop procedure sp_makewebtask
go
This removes all the dangerous extended stored procedures.
7. Modify the permissions on NET.EXE and CMD.EXE
Change the permissions on these two files so that only a specific administrator can access them. In this example we set:
cmd.exe: root user, Full Control, owner
net.exe: root user, the same
This prevents unauthorized access.
You can also use the comlog program provided with the example: rename com.exe to _com.exe, then replace the com file, so that all executed command-line instructions are recorded.
8. Backup
Use the ntbackup software to back up the System State, and use reg.exe to back up critical system data, for example
reg export HKLM\SOFTWARE\ODBC e:\backup\system\odbc.reg /y
to back up the system's ODBC settings.
9. Antivirus
McAfee 8i Enterprise Edition (Chinese) is used here, because this version is promptly updated for many domestic malware and trojans. For example it was already able to detect the Haiyang Top 2006 webshell (海阳顶端 2006), and unlike other software it can clean viruses in the MIME-encoded files of the IMail SMTP queue. Many people like to install Norton Corporate Edition, which basically does not react to webshells at all and cannot scan MIME-encoded files.
In McAfee we can also add rules that block creating and modifying EXE and DLL files in the Windows directory. We add a scheduled scan of the web directories once a day and enable on-access (real-time) scanning.
10. Shut down unneeded services
We generally turn off the following services:
Computer Browser
Help and Support
Messenger
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper
If the server is not used for domain control, we can also disable Workstation.
11. Remove dangerous components
If the server does not need FSO, unregister the component with
regsvr32 /u c:\windows\system32\scrrun.dll
Then use regedit to find, under HKEY_CLASSES_ROOT, the keys
WScript.Network
WScript.Network.1
WScript.Shell
WScript.Shell.1
Shell.Application
Shell.Application.1
and rename or delete them. Each of these keys contains a CLSID string, such as {72C24DD5-D70A-438B-8A42-98424B88AFB8}; go to HKEY_CLASSES_ROOT\CLSID, find the keys named with those strings and delete them all.
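The ProgID-to-CLSID lookup described above, as an added Python example that is not part of the original post: it parses a constructed reg-export of HKEY_CLASSES_ROOT (the text format reg.exe produces), resolves the listed ProgIDs to the CLSID under their CLSID subkey, and lists the keys to delete, reporting the CLSID key shared by ProgID and ProgID.1 once. Only the WScript.Shell CLSID is the one quoted on the page; the SAMPLE_REG text and the other CLSIDs are constructed placeholders.

```python
import re

# Constructed sample in "reg export" (.reg) format, not a real export. Only the
# WScript.Shell CLSID is the one quoted on the page; the others are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\WScript.Network]
[HKEY_CLASSES_ROOT\WScript.Shell\CLSID]
@="{72C24DD5-D70A-438B-8A42-98424B88AFB8}"

[HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID]
@="{72C24DD5-D70A-438B-8A42-98424B88AFB8}"

[HKEY_CLASSES_ROOT\Shell.Application\CLSID]
@="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID]
@="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
"""
# The ProgIDs the page says to rename or delete under HKEY_CLASSES_ROOT.
DANGEROUS_PROGIDS = {
    "WScript.Network", "WScript.Network.1", "WScript.Shell",
    "WScript.Shell.1", "Shell.Application", "Shell.Application.1",
}
KEY_RE = re.compile(r"^\[(HKEY_CLASSES_ROOT\\[^\]]+)\]$")
CLSID_RE = re.compile(r'^@="(\{[0-9A-Fa-f-]{36}\})"$')


def parse_export(reg_text):
    """Return (ProgIDs seen as keys, {ProgID: CLSID} for those with a CLSID subkey)."""
    present, clsids, current = set(), {}, None
    for line in reg_text.splitlines():  # a real .reg file is UTF-16; decode first
        line = line.strip()
        key = KEY_RE.match(line)
        if key:  # "[HKEY_CLASSES_ROOT\ProgID\...]" section header
            current = key.group(1)
            present.add(current.split("\\")[1])
            continue
        val = CLSID_RE.match(line)  # default value of a ...\CLSID subkey
        if val and current and current.upper().endswith("\\CLSID"):
            clsids[current.split("\\")[1]] = val.group(1).upper()
    return present, clsids


def keys_to_remove(reg_text, progids=DANGEROUS_PROGIDS):
    """Dangerous ProgID keys that exist, plus the CLSID keys they point to (deduplicated)."""
    present, clsids = parse_export(reg_text)
    keys = ["HKEY_CLASSES_ROOT\\" + p for p in sorted(progids & present)]
    for clsid in sorted({clsids[p] for p in progids if p in clsids}):
        keys.append("HKEY_CLASSES_ROOT\\CLSID\\" + clsid)
    return keys
```

Run `keys_to_remove(SAMPLE_REG)` to get the six keys for this sample: four ProgID keys and two CLSID keys, with Scripting.FileSystemObject left alone because it is not in the list.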
12. Auditing
Local Security Policy -> Local Policies -> Audit Policy
Change the following audit policies to Success, Failure:
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure