Security considerations for Windows server management

Web Server

1. Turn off unnecessary IIS components on the web server, for example disable WebDAV, CGI and ASP if the site does not use them.
2. Hide the physical path of the website: delete the default website and move the site to a non-default physical path.
3. Delete unused virtual directories and IIS script mappings; keep only the mappings for the file extensions the site actually needs.
4. Enable IIS logging and review the logs daily.
5. Set the web site directory permissions to read only; remove write and directory browsing, and avoid granting execute permission.

6. Prevent the Access database from being downloaded by adding an IIS mapping for the .mdb extension that prohibits requests to it (the verbs listed by default are GET and POST).

7. Disable VBScript execution permission.
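The web-server items above carried out from PowerShell on IIS 7 or later, as an added example that is not part of the original article. It assumes the WebAdministration and ServerManager modules are present, that the site is named 'MySite' (a placeholder), and uses request filtering in place of the IIS 6 extension-mapping step of item 6.

```powershell
# Added example: IIS 7+ hardening for the checklist above.
# Assumes: run as administrator on the web server, WebAdministration and
# ServerManager modules available, site name 'MySite' is a placeholder.
Import-Module WebAdministration
$site = 'MySite'
$appHost = 'MACHINE/WEBROOT/APPHOST'   # write settings into applicationHost.config

# 1. Remove IIS components the site does not need (WebDAV, CGI, classic ASP).
#    Leave out any feature the application actually uses.
Uninstall-WindowsFeature -Name Web-DAV-Publishing, Web-CGI, Web-ASP

# 2. Remove the default website so nothing answers under the default path.
if (Get-Website -Name 'Default Web Site') {
    Remove-Website -Name 'Default Web Site'
}

# 4. Make sure W3C logging is on for the site (review these logs daily).
Set-ItemProperty "IIS:\Sites\$site" -Name logFile.enabled   -Value $true
Set-ItemProperty "IIS:\Sites\$site" -Name logFile.logFormat -Value 'W3C'

# 5. Read + Script only: no Write, no Execute, no directory listing.
#    -Location writes into applicationHost.config, so the handlers section
#    being locked against web.config does not get in the way.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read,Script'
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false

# 6. Block downloads of Access databases (and similar data files) through
#    request filtering instead of the IIS 6 extension-mapping trick.
foreach ($ext in '.mdb', '.accdb', '.bak') {
    Add-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter 'system.webServer/security/requestFiltering/fileExtensions' `
        -Name '.' -Value @{ fileExtension = $ext; allowed = $false }
}

# Show the resulting state so the change can be verified after running.
Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/handlers' -Name accessPolicy
Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/directoryBrowse' -Name enabled
```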

Database Server

1. On SQL Server, disable the xp_cmdshell extended stored procedure.
2. On SQL Server, do not use sa as the application's access account; the access account can be given ordinary (public) permissions, that is, read and write.
3. Secure connections to the database server: restrict access by IP and change the default port.

4. Run the database service with the lowest privileges possible.
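The database-server items as an added PowerShell example, not taken from the article. It uses Invoke-Sqlcmd from the SqlServer module over an administrative Windows-authenticated connection; the instance name, database name, application login (assumed to already exist as a server login), custom port and web-server IP are all placeholders.

```powershell
# Added example: SQL Server hardening for the checklist above.
# Assumes: SqlServer module (Invoke-Sqlcmd), connecting as a Windows admin
# (not as sa, which is disabled below), SQL Server 2012 or later for ALTER ROLE.
$instance = 'DBSERVER\INST1'   # placeholder instance name
$appDb    = 'WebAppDb'         # placeholder database
$appLogin = 'webapp'           # placeholder least-privilege login (already created)
$sqlPort  = 14330              # placeholder non-default port set in Configuration Manager
$webIp    = '192.0.2.10'       # placeholder web server address

# 1. Turn xp_cmdshell off; it must stay off so SQL injection cannot reach the OS.
$disableCmdShell = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $disableCmdShell

# 2. Disable sa; the application uses its own login with only the
#    read/write database roles it needs, never sysadmin.
$leastPrivilege = @"
ALTER LOGIN sa DISABLE;
USE [$appDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '$appLogin')
    CREATE USER [$appLogin] FOR LOGIN [$appLogin];
ALTER ROLE db_datareader ADD MEMBER [$appLogin];
ALTER ROLE db_datawriter ADD MEMBER [$appLogin];
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $leastPrivilege

# 3. Verify: xp_cmdshell off, sa disabled, and which TCP port is really in use.
$verify = @"
SELECT name, value_in_use FROM sys.configurations   WHERE name = 'xp_cmdshell';
SELECT name, is_disabled  FROM sys.server_principals WHERE name = 'sa';
SELECT local_tcp_port      FROM sys.dm_exec_connections WHERE session_id = @@SPID;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $verify

# 3b. IP restriction: allow the custom port only from the web server. This is
#     effective only if no broader inbound rule for the port exists.
New-NetFirewallRule -DisplayName 'SQL Server from web server only' -Direction Inbound `
    -Protocol TCP -LocalPort $sqlPort -RemoteAddress $webIp -Action Allow
```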

Prevention of Web Trojan Backdoors

1. Disable the FSO (FileSystemObject) component to stop virus scripts from copying and spreading themselves:
regsvr32 /u scrrun.dll
2. Disable the ADODB.Stream object.
3. Set up a Trojan finder (webshell scanner).

4. Prevent php, asp and other script files from being modified; this can be done together with McAfee.

Web Server Vulnerabilities

1. IIS 6 parsing vulnerability. If a directory is named "xxx.asp", every file inside it, whatever its type, is parsed and executed as ASP.

If a file name has the form ".asp;*.jpg", it is likewise parsed and executed as ASP; the * part can be anything or left empty. Cause: IIS cannot recognize the suffix and falls back to the first suffix.

2. Windows naming-mechanism vulnerability. In Windows, a file name ending in a space (xx.jpg followed by a space) or in a dot (xx.jpg.) is not allowed to exist; if a file is given such a name, Windows silently strips the trailing space or dot, and this can also be exploited.
When uploading to a Windows host, the request can be captured and the file name changed to end with a space or a dot in an attempt to get past a blacklist; if the upload succeeds the trailing dot or space is removed and a shell is obtained. For example, creating a file named "asp.asp." and saving it yields the file name asp.asp; the same happens with "asp.asp.." and with "asp.asp" followed by a space. When uploading, the file suffix can be changed to asp.xx. to evade verification.

3. IIS 6, 7 and 7.5 mapping issue

IIS maps files with the .asp, .cer, .asa and .cdx extensions to the same handler as ASP, so all of them run as ASP.

4. IIS 7.0 / IIS 7.5 / Nginx <= 0.8.37 FastCGI issue

When FastCGI is enabled with its default settings, appending /xx.php to the path of an existing file (/xx.jpg) causes /xx.jpg/xx.php to be parsed as a PHP file.

Common exploitation method: merge a picture with a text file containing backdoor code. The text is appended after the picture's binary data so the header and trailer of the image file stay intact.

e.g. copy xx.jpg/b + yy.txt/a xy.jpg

######################################

/b means binary mode; xx.jpg is a normal picture file

/a means ASCII mode

yy.txt content: ');?>

This means writing a file named shell.php.

######################################

Find a place to upload xy.jpg, locate the URL of xy.jpg, and append /xx.php to that URL to execute the embedded code.

This generates a one-line Trojan (webshell), shell.php with password cmd, in the picture directory.
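As an added defensive example (not from the article), a PowerShell function that scans IIS W3C log lines for the four request shapes described in this section: the ".asp;" suffix trick, a directory named like a script, /xx.php appended to a static file, and trailing dots or spaces after a script extension. The log lines are constructed samples.

```powershell
# Added example: flag requests in IIS W3C logs that match the parsing and
# naming tricks described above. The log below is a constructed sample.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 10.0.0.5 GET /images/logo.jpg - 80 - 203.0.113.7 Mozilla 200
2024-01-01 10:00:02 10.0.0.5 GET /upload/xy.jpg/xx.php - 80 - 203.0.113.7 Mozilla 200
2024-01-01 10:00:03 10.0.0.5 GET /upload/evil.asp;.jpg - 80 - 203.0.113.7 Mozilla 200
2024-01-01 10:00:04 10.0.0.5 GET /upload/x.asp/photo.jpg - 80 - 203.0.113.7 Mozilla 200
2024-01-01 10:00:05 10.0.0.5 GET /upload/shell.asp%20 - 80 - 203.0.113.7 Mozilla 200
'@

function Get-IisParsingAbuse {
    param([string[]]$Lines)
    # Each rule is matched against "uri-stem?uri-query" so both parts are covered.
    $rules = [ordered]@{
        'script suffix followed by ;'        = '\.(asp|asa|cer|cdx|php);'
        'directory named like a script'      = '\.(asp|asa|cer|cdx)/'
        'php appended to a static file path' = '\.(jpg|jpeg|gif|png|txt)/[^/?]+\.php(\?|$)'
        'trailing dot or space after script' = '\.(asp|asa|cer|cdx|php)(\.|%20|\s)+(\?|&|$)'
    }
    foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split ' '
        $target = "$($f[4])?$($f[5])"   # cs-uri-stem plus cs-uri-query
        foreach ($name in $rules.Keys) {
            if ($target -match $rules[$name]) {
                [pscustomobject]@{
                    Time   = "$($f[0]) $($f[1])"
                    Client = $f[8]
                    Uri    = $target
                    Rule   = $name
                }
            }
        }
    }
}

# Lines 2 to 5 of the sample are reported, one rule each; the plain image is not.
Get-IisParsingAbuse -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it over a real log, replace the sample with Get-Content on the site's log file; a hit is a reason to review the upload directory, not proof of compromise by itself.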
