Anti-intrusion: make services safer


Current Microsoft operating systems have a built-in "services" facility. Services that are not used not only consume system resources; more importantly, some services give an intruder a way into the system once they are started (for example, the "Terminal Services" service on port 3389, or the "Remote Registry" service, which allows remote connections to the registry). Some readers will already have thought of "disabling" these services. Setting a service to "Disabled" does stop others from using it to get in, but as long as the other party obtains your username and password, there is still a way to set the service back to "Start". Apart from strengthening the user password, is there a good way to prevent the other party from using an open service to get in? The following methods effectively prevent the other party from using certain services to intrude into your system.

Method 1: Disabling the Service


"Disable" the services that could be used to compromise the system, and then delete the registry keys corresponding to these services. Then even if the other party connects to your system's service list, the properties of the service cannot be modified and the service cannot be started. Open the Registry Editor and find the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" key. Each subkey under it corresponds to a "service" in the system. For example, the subkey for the "Messenger" service is "Messenger". Some services do not have a subkey with the same name as the service, but they are easy to find: the "DisplayName" value of each subkey is the name shown in the service list. Deleting the "Messenger" service is used as the example here; the procedure for other services is the same, only the registry key that is deleted differs. Before deleting the key, you must first export it as a backup; then click the "Messenger" key, right-click and choose "Delete" (renaming it also works). Double-clicking "Messenger" in the service list will now bring up an error message. Of course, when the other party connects to your service list, double-clicking will also produce this error instead of the properties box. To restore the service, just import the registry file you backed up.
Method 2: Rename the "display name"

If the other party obtains the username and password, and your system has the "Remote Registry" service enabled, the other party can also connect to your system registry remotely and undo the changes made in "Method 1". So try the following method: rename the "display name" of the service to another name, so that when the other party wants to open the "service" they cannot find it as quickly as usual.

Again take the "Messenger" service as an example: open the Registry Editor and find the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger" key. In the right pane, find the "Description" value, which holds the description of the service, and delete its data. Then find the "DisplayName" value, which holds the name shown for the service in the list; double-click "DisplayName" and change its data to another name, such as "Gsn", press "OK" and exit the Registry Editor. The change takes effect after the system is restarted. Run "Services.msc" to see the result: in the service list you will find a service whose display name is "Gsn", and this is the former "Messenger" service. Use the same method to change the other services that need modifying to different names. Of course, record each modified name and the service it corresponds to when you make the change; otherwise, when you later need to open one of these services you will not know which one it is. Services that should be "disabled" should also be set to "Disabled". After such modification it is quite difficult for the other party to find the "service" they want to open. But if the other party double-clicks a "service" here to view it, they will still find the "service" they need, because the real service name is displayed in the service properties box, and the other party can identify the service they are looking for from that name. To modify the "service name", refer to "Method 3".
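The backup, disable and display-name steps of Methods 1 and 2, scripted as an added example that is not from the original article. It assumes an elevated PowerShell session; "RemoteRegistry" is the service named on the page (the "Messenger" service no longer exists on current Windows), "Gsn" is the page's own display name, and the backup folder path is an assumption.

```powershell
# Added example, not the article's own code. Assumes an elevated PowerShell
# session on Windows; the service name, new display name and backup folder
# are parameters so the same script serves any service on the page's list.
param(
    [string]$ServiceName    = 'RemoteRegistry',                    # service named on the page
    [string]$NewDisplayName = 'Gsn',                               # the page's example name
    [string]$BackupDir      = "$env:SystemDrive\ServiceBackups"    # assumed location
)

$key     = "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName"
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path $regPath)) { throw "No service key found at $regPath" }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the key before touching anything (the article's tip), and record
#    the original names so each renamed entry can be mapped back later.
$backupFile = Join-Path $BackupDir "$ServiceName.reg"
reg.exe export $key $backupFile /y | Out-Null
$orig = Get-ItemProperty -Path $regPath
[pscustomobject]@{
    Service     = $ServiceName
    DisplayName = $orig.DisplayName
    Description = $orig.Description
    ImagePath   = $orig.ImagePath
    Exported    = $backupFile
} | Export-Csv -Path (Join-Path $BackupDir 'service-map.csv') -Append -NoTypeInformation

# 2. Method 1: stop the service and set its start type to Disabled.
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
Set-Service  -Name $ServiceName -StartupType Disabled

# 3. Method 2: clear the Description and replace the DisplayName value.
Set-ItemProperty -Path $regPath -Name 'DisplayName' -Value $NewDisplayName
Set-ItemProperty -Path $regPath -Name 'Description' -Value ''

# 4. Check. The registry already holds the new display name; the service
#    control manager shows it only after a reboot, as the article says.
#    The real service name stays visible to anyone listing services by Name,
#    which is why Method 2 on its own only slows an intruder down.
(Get-ItemProperty -Path $regPath).DisplayName
Get-Service -Name $ServiceName | Select-Object Name, DisplayName, StartType, Status
```

To undo the change, run `reg.exe import` on the saved .reg file and set the start type back; service-map.csv records which original service each renamed entry was.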
Method 3: Modify the "service name"

To modify the name of a "service", two tools are used here: "Srvinstw.exe" and "Srvany.exe". Both can be found in the Windows 2000 Resource Kit. Again take the "Messenger" service as an example. After obtaining these two tools, double-click "Srvinstw.exe" and choose the "Install a service" option. In the "Name" field, enter the new name for the "Messenger" service (Gsnsr). In the path field, enter the path of the "Srvany.exe" file; other settings can be left at their defaults. After the addition completes, export and back up the registry key of the original "Messenger" service (it was already backed up in Method 1), then set the "Messenger" service to "Disabled", run "Srvinstw.exe" again, and select the "Remove a service" option to remove the original "Messenger" service from the list. Now find the registry file you just backed up, open it in an editor, and change the line

"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]" to

"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gsnsr]", where "Gsnsr" is the name given to the renamed "Messenger" service in the wizard. Save the file, exit, and import it into the registry. Now run "Services.msc" to open the service list and look at the properties of the "Messenger" service: as Figure 2 shows, the name has been changed to "Gsnsr". Then combine this with "Method 1" and "Method 2", or simply delete the service from the list, and finally delete the default shares, so that it is even harder for the other party to intrude into your system.

Tip: Before performing the above operations, you must make the relevant backups: the registry, the display name in the service properties box, the service name, and the path to the executable file must all be backed up and recorded before proceeding. It is recommended to perform the above operations only on services that are not used and that are likely to get the system compromised; after all, some services may fail to work after these modifications.
