Security Considerations for Windows Server Administration

  • 2021-07-09 09:35:34
  • OfStack

Web Server

1. Shut down unnecessary IIS components on the web server, for example by disabling WebDAV, CGI, and ASP functionality that the site does not use.
2. Hide the physical path of the website: delete the default website and change the physical path of the site.
3. Delete unused virtual directories and IIS script mappings, leaving only the mappings for the file extensions the site actually needs.
4. Enable IIS logging and review the logs daily.
5. Set the website directory permission to read only; remove write permission and directory browsing, and avoid granting execute permission wherever possible.

6. Prevent Access databases from being downloaded. Specifically, add a mapping for the .mdb extension that denies the request (by default for the GET and POST verbs).

7. Disable VBScript execute permission.

Database server

1. Disable the xpcmd... command in SQL Server.
2. On the SQL Server host, do not use sa as the application's access account; grant the application account only the public-role permissions it needs (read, write).
3. To secure connections to the database server, restrict access by IP address and change the default port.

4. Run the database service with a low-privilege account wherever possible.

Preventing Web Page Trojan Backdoors

1. Disable the FSO (FileSystemObject) object to prevent virus scripts from copying themselves and spreading:
regsvr32 /u scrrun.dll
2. Disable the ADODB.Stream object.
3. Set up a Trojan scanner.

4. Prevent PHP, ASP and other script files from being modified; this can be done in combination with McAfee.

Web Server Vulnerabilities

1. IIS 6 parsing vulnerability
If a directory is named "xxx.asp", files of every type inside that directory are parsed and executed as ASP files.

If a file is named "*.asp;*.jpg", it is also parsed and executed as an ASP file (the * stands for anything, including nothing).
Principle: IIS 6 does not recognize the part after the semicolon, so it falls back to the first extension.

2. Windows naming mechanism vulnerability
In a Windows environment, files named "xx.jpg " (trailing space) or "xx.jpg." (trailing dot) cannot exist; if a file is saved with such a name, Windows silently removes the trailing spaces or dots, and this can also be exploited.
When uploading to a Windows host, an attacker can intercept the request, modify the file name by appending a space or a dot, and try to bypass a blacklist check. If the upload succeeds, the trailing dot or space is stripped and a shell is obtained. For example, when a new file "asp.asp." is saved, its name automatically becomes asp.asp; the same happens for "asp.asp..." and "asp.asp " (trailing space). When uploading the file, the suffix can also be changed to asp.xx to avoid the check.

3. IIS 6, 7 and 7.5 mapping problem

IIS maps files of type .asp, .cer, .asa and .cdx to the same handler as ASP, so they are executed as ASP.

4. IIS 7.0 / IIS 7.5 / Nginx <= 0.8.37 FastCGI problem

With FastCGI enabled (the default), appending /xx.php to a file path such as /xx.jpg causes /xx.jpg/xx.php to be parsed as a PHP file.

Common exploitation method: merge a picture with a text file containing the backdoor code, so that the malicious text is written into the picture's binary data without destroying the picture's header and trailer.

e.g. copy xx.jpg /b + yy.txt /a xy.jpg

######################################

/b is binary mode

/a is ASCII mode; xx.jpg is a normal picture file

yy.txt content: '); ?>

This writes a file named shell.php

######################################

Find a place to upload xy.jpg, then find the URL of xy.jpg and append /xx.php to it to execute the malicious text.

This generates a one-line Trojan shell.php (password: cmd) in the picture directory.
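As an added example that is not part of the original article, the following server-side upload check covers the cases described above: Windows stripping trailing dots and spaces, the IIS 6 ".asp;.jpg" trick and the alternate ASP extensions, the "/xx.jpg/xx.php" path form, and image files with script code appended by "copy /b". The extension lists and the script markers are assumptions chosen for illustration, not a complete inventory of IIS handler mappings.

```python
import re

# Extensions the article says IIS hands to the ASP handler, plus .php for the FastCGI case.
# Assumed for this example; check the real handler mappings on the server being protected.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "aspx", "php"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# One run of safe characters, exactly one dot, a short alphanumeric extension.
# Rejects ';' (the IIS 6 '.asp;.jpg' case), a second dot, and any directory separator.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
SCRIPT_MARKERS = (b"<?php", b"<?", b"<%", b"<script")


def normalize_upload_name(name: str) -> str:
    """Return the name NTFS would really store: Windows drops trailing dots and spaces,
    so 'shell.asp.' and 'shell.asp ' are both stored as 'shell.asp'."""
    return name.rstrip(" .")


def check_upload_name(name: str) -> bool:
    """Allow-list check on the *stored* name, not on the name the client submitted."""
    if "\x00" in name or "/" in name or "\\" in name:   # '/xx.jpg/xx.php' style names
        return False
    match = SAFE_NAME.match(normalize_upload_name(name))
    if not match:
        return False
    ext = match.group(1).lower()
    return ext in ALLOWED_EXTENSIONS and ext not in SCRIPT_EXTENSIONS


def inspect_upload_content(data: bytes) -> str:
    """Classify the bytes: 'not-image' if no known image header, 'embedded-script' if a
    script opener appears anywhere (the 'copy /b image + /a text' trick keeps the image
    header intact and appends the code after it), otherwise 'ok'. A short marker such as
    b'<?' can occur by chance in real image data, so re-encoding the image server-side
    is the stronger mitigation; this scan is a cheap first filter."""
    if not data.startswith(IMAGE_MAGIC):
        return "not-image"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return "embedded-script"
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases in the article.
    for candidate in ("photo.jpg", "shell.asp.", "shell.asp ", "a.asp;.jpg", "xx.jpg/xx.php"):
        print(f"{candidate!r:18} -> {check_upload_name(candidate)}")
    fake_image = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 1; ?>"   # constructed
    print(inspect_upload_content(fake_image))
```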

More security issues can be seen in previous articles published on this site.
