Server security settings: component security settings

  • 2020-05-07 20:39:06
  • OfStack

Windows Server 2003 + IIS 6.0 + ASP server security settings - component security settings

A. Uninstall the WScript.Shell and Shell.Application components. Save the following commands as a .bat file (one version for Windows 2000, one for Windows 2003) and run it as Administrator.

windows2000.bat
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll

windows2003.bat
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\system32\shell32.dll
del C:\WINDOWS\system32\shell32.dll

Caveat: wshom.ocx only hosts the Windows Script Host objects (WScript.Shell, WScript.Network), so unregistering and deleting it is low risk. shell32.dll is a core system library that Explorer and most other programs depend on: deleting it breaks the system, and Windows File Protection will restore it from the dllcache anyway, while regsvr32 /u removes far more shell class registrations than just Shell.Application. For shell32.dll, rename the Shell.Application ProgID and CLSID as described in section B instead of deleting the file.


B. Rename unsafe components. Note that both the component's ProgID and its CLSID must be changed, and changed completely: do not copy the key, change it.

Start → Run → regedit → Enter to open the Registry Editor.

Then Edit → Find → enter Shell.Application → Find Next.

In this way you can find two registry keys:

{13709620-C279-11CE-A49E-444553540000} and Shell.Application

Step 1: To make sure nothing is lost, export the two registry keys and save them as xxxx.reg.

Step 2: Suppose we want to make this change:

{13709620-C279-11CE-A49E-444553540000} is renamed to {13709620-C279-11CE-A49E-444553540001}

Shell.Application is renamed to Shell.Application_nohack

Step 3: Replace the contents of the exported .reg file according to the mapping above, then import the modified .reg file into the registry (double-click it). After importing the renamed keys, don't forget to delete the original two keys. One thing to note: a CLSID may only contain the ten digits 0-9 and the six letters A-F, because it is a hexadecimal GUID.

In fact, you can simply export the corresponding registry keys as a backup and then change the key names directly. Here is a .reg file that has been applied successfully (the InProcServer32 path is for Windows 2000; on Windows 2003 use C:\\WINDOWS instead of C:\\WINNT):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\ProgID]
@="Shell.Application_nohack.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\Version]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\VersionIndependentProgID]
@="Shell.Application_nohack"

[HKEY_CLASSES_ROOT\Shell.Application_nohack]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application_nohack\CLSID]
@="{13709620-C279-11CE-A49E-444553540001}"

[HKEY_CLASSES_ROOT\Shell.Application_nohack\CurVer]
@="Shell.Application_nohack.1"

Note that this file does not create a Shell.Application_nohack.1 key even though CurVer points at it; rename the existing HKEY_CLASSES_ROOT\Shell.Application.1 key as well if your own scripts use the versioned ProgID.
Comment: the WScript.Shell and Shell.Application components are the key link in script-based intrusion and privilege escalation. Uninstalling these two components, or changing their registry keys as above, greatly improves the security of scripts on a virtual host: the privilege-escalation functions of ASP and PHP scripts no longer work. Together with hardening of system services, disk access permissions, port filtering and the local security policy, the virtual host's security is much improved and the chance of being hacked is low. Once the Shell components are unregistered, an intruder has little chance of running a privilege-escalation tool, but other scripting languages such as Perl also have shell capabilities, so it is best to lock those down too, just in case. The following settings are much the same.
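The rename procedure of section B, automated with PowerShell instead of regedit, as an added example that is not part of the original article. It assumes the stock Shell.Application CLSID and ProgIDs, the "_nohack" suffix chosen above, and an elevated PowerShell session on the web server (PowerShell 2.0 is available for Windows Server 2003 as a separate download). It rewrites HKCR, so the .reg exports it writes first are the rollback.

```powershell
# Added example, not from the original article: automates section B for Shell.Application
# with PowerShell instead of regedit. Assumptions: the stock CLSID and ProgIDs below, the
# "_nohack" suffix chosen in the article, and an elevated session on the web server.
$ErrorActionPreference = 'Stop'
$suffix   = '_nohack'
$oldClsid = '{13709620-C279-11CE-A49E-444553540000}'   # stock Shell.Application CLSID
$newClsid = '{13709620-C279-11CE-A49E-444553540001}'   # replacement; hex digits only

# Version-independent ProgID, versioned ProgID, and the names they will get.
$renames = @(
    @{ Old = 'Shell.Application';   New = "Shell.Application$suffix" },
    @{ Old = 'Shell.Application.1'; New = "Shell.Application${suffix}.1" }
)

# HKCR is not exposed as a drive by default; it is the merged view of HKLM\SOFTWARE\Classes.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Step 1: export every key we are about to touch (reg.exe ships with 2000/2003).
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export "HKCR\CLSID\$oldClsid" "$env:SystemDrive\backup-clsid-$stamp.reg" | Out-Null
foreach ($r in $renames) {
    & reg.exe export "HKCR\$($r.Old)" "$env:SystemDrive\backup-$($r.Old)-$stamp.reg" | Out-Null
}

# Step 2: copy the CLSID subtree under the new CLSID, point its ProgID values at the
# new names, then delete the old CLSID so the stock ProgIDs cannot be resurrected.
Copy-Item -Path "HKCR:\CLSID\$oldClsid" -Destination "HKCR:\CLSID\$newClsid" -Recurse
Set-ItemProperty -Path "HKCR:\CLSID\$newClsid\ProgID" -Name '(default)' -Value $renames[1].New
Set-ItemProperty -Path "HKCR:\CLSID\$newClsid\VersionIndependentProgID" -Name '(default)' -Value $renames[0].New
Remove-Item -Path "HKCR:\CLSID\$oldClsid" -Recurse

# Step 3: rename both ProgID keys and re-point their CLSID and CurVer values.
foreach ($r in $renames) {
    Rename-Item -Path "HKCR:\$($r.Old)" -NewName $r.New
    Set-ItemProperty -Path "HKCR:\$($r.New)\CLSID" -Name '(default)' -Value $newClsid
    if (Test-Path "HKCR:\$($r.New)\CurVer") {
        Set-ItemProperty -Path "HKCR:\$($r.New)\CurVer" -Name '(default)' -Value $renames[1].New
    }
}

# Step 4: verify without instantiating anything. GetTypeFromProgID returns $null
# when a ProgID no longer resolves to a registered class.
foreach ($r in $renames) {
    $stock = [Type]::GetTypeFromProgID($r.Old)
    $new   = [Type]::GetTypeFromProgID($r.New)
    '{0,-22} stock resolves: {1,-5} renamed resolves: {2}' -f $r.Old, ($null -ne $stock), ($null -ne $new)
}
```

After it runs, the stock names should report "False" and the renamed ones "True". Run iisreset afterwards: worker processes that already have shell32.dll loaded keep serving the old class until they are recycled. The same script works for WScript.Shell and Scripting.FileSystemObject by changing the CLSID and the two ProgIDs at the top.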
1. FileSystemObject component
FileSystemObject (Scripting.FileSystemObject, hosted in scrrun.dll) gives a script full read and write access to the file system, which is what ASP Trojans (web shells) use to read, upload and modify files. Renaming this component in the registry prevents this type of Trojan from using it.

HKEY_CLASSES_ROOT\Scripting.FileSystemObject\

Rename it to something else, such as FileSystemObject_ChangeName.

Your own scripts can then call the component normally under the new name.

Also change the CLSID value:

HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\ (default value)

The key can also be deleted outright to prevent this kind of Trojan damage.
On Windows 2000, unregister the component with: regsvr32 /u C:\WINNT\system32\scrrun.dll
On Windows 2003, unregister the component with: regsvr32 /u C:\WINDOWS\system32\scrrun.dll
Note that scrrun.dll also hosts Scripting.Dictionary, which many ASP applications use, so renaming the FileSystemObject ProgID is usually preferable to unregistering the whole DLL.
How do you stop Guest users from loading scrrun.dll, so that the component cannot be invoked at all? Use this command (IIS's anonymous account IUSR_<machine> is a member of Guests by default, which is why denying Guests is effective):
cacls C:\WINNT\system32\scrrun.dll /E /D Guests
2. Disable the WScript.Shell component
WScript.Shell exposes Run and Exec methods that start arbitrary programs, including cmd.exe, from a script. You can prevent this type of Trojan by renaming the component in the registry.
HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\
Rename them to something else, such as WScript.Shell_ChangeName and WScript.Shell.1_ChangeName.
Your own scripts can then call the component normally under the new names.
Also change the CLSID values:
HKEY_CLASSES_ROOT\WScript.Shell\CLSID\ (default value)
HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\ (default value)
The keys can also be deleted outright to prevent this kind of Trojan damage.
3. Disable the Shell.Application component
Shell.Application exposes ShellExecute, which can likewise start arbitrary programs such as cmd.exe from a script. You can prevent this type of Trojan by renaming the component in the registry.
HKEY_CLASSES_ROOT\Shell.Application\

and

HKEY_CLASSES_ROOT\Shell.Application.1\

Rename them to Shell.Application_ChangeName and Shell.Application.1_ChangeName.
Your own scripts can then call the component normally under the new names.
Also change the CLSID values:
HKEY_CLASSES_ROOT\Shell.Application\CLSID\ (default value)

HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\ (default value)
The keys can also be deleted outright to prevent this kind of Trojan damage.
Deny Guest users access to shell32.dll so that they cannot load the component:
On Windows 2000: cacls C:\WINNT\system32\shell32.dll /E /D Guests
On Windows 2003: cacls C:\WINDOWS\system32\shell32.dll /E /D Guests

Note: these changes do not take effect until the web service is restarted (iisreset), because running IIS worker processes already have the DLLs loaded.
4. Calling cmd.exe
Deny users in the Guests group the right to run cmd.exe:

On Windows 2000: cacls C:\WINNT\system32\cmd.exe /E /D Guests
On Windows 2003: cacls C:\WINDOWS\system32\cmd.exe /E /D Guests
The four basic settings above stop the ASP Trojans that are currently common, but the most effective approach is still comprehensive hardening of the server. Once both the server and the application are secured to a reasonable standard, a higher level of security can be set to prevent more intrusions.
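An audit script for the four steps above, as an added example that is not part of the original article. It reports which of the dangerous ProgIDs still resolve (a renamed one should resolve only if your own scripts use it), whether the Guests group carries a deny ACE on the three files, and whether the IIS anonymous account is still in Guests, which is what makes the deny effective. It assumes stock file locations under %SystemRoot%\system32, the "_ChangeName" suffix used above, and an IUSR_<machine> anonymous account.

```powershell
# Added example, not from the original article: audits steps 1-4 on a Windows
# 2000/2003 web server. Read-only; safe to run repeatedly.
$suffix  = '_ChangeName'   # the suffix chosen in the article; adjust to yours
$progIds = 'Scripting.FileSystemObject', 'WScript.Shell', 'WScript.Shell.1',
           'Shell.Application', 'Shell.Application.1'

'== COM ProgIDs =='
foreach ($p in $progIds) {
    # GetTypeFromProgID resolves the ProgID through HKCR without creating the object.
    $stock   = [Type]::GetTypeFromProgID($p)
    $renamed = [Type]::GetTypeFromProgID("$p$suffix")
    $state = if ($stock) { 'STILL REGISTERED (bad)' }
             elseif ($renamed) { 'renamed (usable by your own scripts only)' }
             else { 'removed' }
    '{0,-30} {1}' -f $p, $state
}

"`n== Guests deny ACEs =="
$files = 'scrrun.dll', 'shell32.dll', 'cmd.exe' | ForEach-Object { Join-Path $env:SystemRoot "system32\$_" }
foreach ($f in $files) {
    $acl  = Get-Acl -Path $f
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -match '\\Guests$'
    }
    $state = if ($deny) { 'Guests denied: ' + ($deny.FileSystemRights -join ', ') }
             else { 'NO deny ACE for Guests (bad)' }
    '{0,-40} {1}' -f $f, $state
}

"`n== Guests membership (the IIS anonymous account should appear here) =="
$members = (& net.exe localgroup Guests) | Where-Object { $_ -match '^IUSR_' }
if ($members) { $members } else { 'no IUSR_* account in Guests: the cacls denies above do not cover IIS anonymous requests' }
```

If the last section prints nothing, the anonymous account has been moved out of Guests (or renamed) and the cacls commands must target that account or its group directly instead of Guests.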

C. Prevent Serv-U privilege escalation (applies up to Serv-U 6.0; later versions let you set this password directly)
First stop the Serv-U service.

Open ServUDaemon.exe in UltraEdit (or any hex editor).

Find the ASCII strings LocalAdministrator and #l@$ak#.lk;0@P

Change them to other characters of exactly the same length; the strings are embedded in the executable's data, so lengthening or shortening them would corrupt the file. Treat ServUAdmin.exe the same way.
In addition, set the permissions on the folder where Serv-U is installed carefully. Do not give the IIS anonymous user read permission; otherwise an attacker can download the files you modified and still recover the administrator name and password from them. An ASP probe can be used to check the server's security status.
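The hex-editor step of section C done with PowerShell, as an added example that is not part of the original article. It locates the built-in local admin name and password as ASCII in the two Serv-U binaries, overwrites each occurrence in place with random printable characters of exactly the same length (so nothing else in the file moves), and keeps a .bak copy of every file. It assumes Serv-U is installed in the folder named at the top and that the service is already stopped.

```powershell
# Added example, not from the original article: same-length in-place replacement of the
# hardcoded Serv-U local admin credentials. Assumptions: install folder below, service stopped.
$ErrorActionPreference = 'Stop'
$servU   = 'C:\Program Files\Serv-U'                        # assumed install folder
$targets = 'ServUDaemon.exe', 'ServUAdmin.exe' | ForEach-Object { Join-Path $servU $_ }
$secrets = 'LocalAdministrator', '#l@$ak#.lk;0@P'           # the strings named in the article

# Byte offsets of every occurrence of $needle. Latin-1 maps each byte to exactly one
# character, so an ordinal string search over the decoded text is a byte search.
function Find-Ascii([byte[]]$bytes, [string]$needle) {
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    $hits = @(); $pos = 0
    while (($pos = $text.IndexOf($needle, $pos, [StringComparison]::Ordinal)) -ge 0) {
        $hits += $pos
        $pos  += $needle.Length
    }
    return $hits
}

# Random replacement of the same length from a printable alphabet with no NUL byte, so the
# embedded C string keeps its length and terminator.
function New-SameLengthString([int]$len) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@^_~'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] $len
    $rng.GetBytes($buf)
    # Small modulo bias is acceptable: this only needs to be unguessable, not uniform.
    -join ($buf | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($exe in $targets) {
    Copy-Item -Path $exe -Destination "$exe.bak"             # rollback copy
    $bytes = [System.IO.File]::ReadAllBytes($exe)
    foreach ($s in $secrets) {
        $hits = @(Find-Ascii $bytes $s)
        foreach ($off in $hits) {
            $repl = [System.Text.Encoding]::ASCII.GetBytes((New-SameLengthString $s.Length))
            [Array]::Copy($repl, 0, $bytes, $off, $repl.Length)
        }
        '{0}: replaced {1} occurrence(s) of "{2}"' -f (Split-Path $exe -Leaf), $hits.Count, $s
    }
    [System.IO.File]::WriteAllBytes($exe, $bytes)
}
```

A count of 0 for either string means that build stores it differently (or it was already patched); restore from the .bak before trying anything else. Remember to remove the .bak files, or at least deny the IIS anonymous user read access to the Serv-U folder, since an unpatched copy defeats the whole exercise.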