Windows Server Component Security Settings Policy

  
A. Uninstall the WScript.Shell and Shell.Application components. Save the following commands as a .BAT file and run it (Windows 2000 and 2003 systems):

windows2000.bat
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll

windows2003.bat
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\system32\shell32.dll
del C:\WINDOWS\system32\shell32.dll

B. Rename unsafe components. Note that both the component name and its CLSID must be changed, and changed completely; do not copy the example below as it is, use names of your own.

Open the Registry Editor (Start → Run → regedit → Enter), then choose Edit → Find, enter Shell.application and click Find Next.

In this way you will find two registry entries:

{13709620-C279-11CE-A49E-444553540000} and Shell.application.

Step 1: To be safe, first export these two registry keys to a file, e.g. xxxx.reg.

Step 2: For example, we want to make the following changes:

13709620-C279-11CE-A49E-444553540000 renamed to 13709620-C279-11CE-A49E-444553540001

Shell.application renamed to Shell.application_nohack

Step 3: Replace the contents of the exported .reg file according to the mapping above, then import the modified .reg file into the registry (double-click it). After the renamed keys have been imported, do not forget to delete the original two entries. One thing to note here: a CLSID contains only the ten digits 0-9 and the six letters A-F.
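One way to carry out Step 3 as a script rather than by hand, added here as an example (not code from the original article). It assumes an untouched Registry Editor 5.00 export, validates that both CLSIDs use only hex digits, and goes slightly beyond the text by appending entries that delete the original keys, so the rename and the clean-up happen in one import; the sample export is constructed.

```python
"""Rename a COM component's CLSID and ProgID in an exported .reg file.
Added example for the steps above, not code from the original article; it assumes an
untouched regedit export (Registry Editor 5.00, UTF-16LE + BOM). SAMPLE_REG is constructed."""
import re

# CLSIDs hold only hex digits 0-9 / A-F, in 8-4-4-4-12 form
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$", re.M)

SAMPLE_REG = (  # constructed, abridged imitation of the article's Shell.Application export
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{13709620-C279-11CE-A49E-444553540000}]\r\n"
    '@="Shell Automation Service"\r\n\r\n'
    "[HKEY_CLASSES_ROOT\\CLSID\\{13709620-C279-11CE-A49E-444553540000}\\ProgID]\r\n"
    '@="Shell.Application.1"\r\n\r\n'
    "[HKEY_CLASSES_ROOT\\Shell.Application]\r\n"
    '@="Shell Automation Service"\r\n\r\n'
    "[HKEY_CLASSES_ROOT\\Shell.Application\\CLSID]\r\n"
    '@="{13709620-C279-11CE-A49E-444553540000}"\r\n'
)

def rename_component(reg_text, old_clsid, new_clsid, old_progid, new_progid):
    """Return .reg text with the CLSID and ProgID renamed, plus trailing entries that
    delete the original keys so a single import completes the rename."""
    for c in (old_clsid, new_clsid):
        if not CLSID_RE.match(c):
            raise ValueError(f"not a valid CLSID: {c}")
    old_keys = [k for k in KEY_RE.findall(reg_text)
                if old_clsid.lower() in k.lower() or old_progid.lower() in k.lower()]
    text = re.sub(re.escape(old_clsid), lambda m: new_clsid, reg_text, flags=re.I)
    text = re.sub(re.escape(old_progid), lambda m: new_progid, text, flags=re.I)
    # A '-' before the key name in a .reg header deletes that key with its subkeys,
    # so only the top-level old keys need a delete entry
    roots = [k for k in old_keys
             if not any(k.lower().startswith(o.lower() + "\\") for o in old_keys)]
    nl = "\r\n" if "\r\n" in reg_text else "\n"
    return text.rstrip("\r\n") + nl + "".join(f"{nl}[-{k}]{nl}" for k in roots)

def rename_reg_file(src, dst, *names):
    """File wrapper keeping regedit's encoding: UTF-16LE with BOM, or ANSI for REGEDIT4."""
    with open(src, "rb") as f:
        raw = f.read()
    if raw.startswith(b"\xff\xfe"):
        text, enc = raw.decode("utf-16"), lambda s: b"\xff\xfe" + s.encode("utf-16-le")
    else:
        text, enc = raw.decode("cp1252"), lambda s: s.encode("cp1252")
    with open(dst, "wb") as f:
        f.write(enc(rename_component(text, *names)))
```

Import the resulting file only after checking it in a text editor; the delete entries at the end remove the keys under the old names.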

In fact, as long as you export the corresponding registry entries as a backup first, you can simply rename the keys directly. A correctly modified example should look like this:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\ProgID]
@="Shell.Application_nohack.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\Version]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\VersionIndependentProgID]
@="Shell.Application_nohack"

[HKEY_CLASSES_ROOT\Shell.Application_nohack]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application_nohack\CLSID]
@="{13709620-C279-11CE-A49E-444553540001}"

[HKEY_CLASSES_ROOT\Shell.Application_nohack\CurVer]
@="Shell.Application_nohack.1"

Old Du's comment: The WScript.Shell and Shell.Application components are key links in the script-intrusion process; uninstalling these two components, or renaming their registry keys, can greatly improve the script security of a virtual host. Generally speaking, ASP and PHP scripts then cannot escalate privileges. Combined with settings for some system services, hard disk access permissions, port filtering and the local security policy, a virtual host's security is greatly improved and the chance of a break-in is very low. After the Shell components are unregistered, the chance of an intruder running a privilege-escalation tool is very small, but other scripting languages such as Perl also have shell capabilities, so just in case it is better to configure those as well. Below is another, largely similar, set of settings.
First, disable the FileSystemObject component.

FileSystemObject can perform ordinary file operations. You can rename this component in the registry to stop Trojans of this kind from doing damage.

HKEY_CLASSES_ROOT\Scripting.FileSystemObject\

Rename it to another name, for example FileSystemObject_ChangeName.

Later, when you need this component yourself, call it by the new name and it works normally.

Also change the CLSID value:

The value under HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\

can also be deleted to stop such Trojans from doing damage.

Windows 2000, command to unregister this component: regsvr32 /u C:\WINNT\system32\scrrun.dll

Windows 2003, command to unregister this component: regsvr32 /u C:\WINDOWS\system32\scrrun.dll

How do I prevent Guest users from using scrrun.dll, so that this component cannot be called?

Use this command: cacls C:\WINNT\system32\scrrun.dll /e /d guests

Second, disable the WScript.Shell component.

WScript.Shell can call the system kernel to run basic DOS commands.

You can rename this component in the registry to stop Trojans of this kind from doing damage.

HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\

Rename them to other names, for example WScript.Shell_ChangeName and WScript.Shell.1_ChangeName.

Later, when you need this component yourself, call it by the new name and it works normally.

Also change the CLSID values:

The value under HKEY_CLASSES_ROOT\WScript.Shell\CLSID\

The value under HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\

can also be deleted to stop such Trojans from doing damage.

Third, disable the Shell.Application component.

Shell.Application can call the system kernel to run basic DOS commands.

You can rename this component in the registry to stop Trojans of this kind from doing damage.

HKEY_CLASSES_ROOT\Shell.Application\

and

HKEY_CLASSES_ROOT\Shell.Application.1\

Rename them to other names, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.

Later, when you need this component yourself, call it by the new name and it works normally.

Also change the CLSID values:

The value under HKEY_CLASSES_ROOT\Shell.Application\CLSID\

The value under HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\

can also be deleted to stop such Trojans from doing damage.

Prevent Guest users from using shell32.dll, so that this component cannot be called.

Windows 2000, use the command: cacls C:\WINNT\system32\shell32.dll /e /d guests
Windows 2003, use the command: cacls C:\WINDOWS\system32\shell32.dll /e /d guests
Note: The change takes effect only after the web service is restarted.

Fourth, calling Cmd.exe

Prevent users in the Guest group from calling cmd.exe:

Windows 2000, use the command: cacls C:\WINNT\system32\Cmd.exe /e /d guests
Windows 2003, use the command: cacls C:\WINDOWS\system32\Cmd.exe /e /d guests

The above four steps can basically stop several popular Trojans, but the most effective method is comprehensive security configuration, which brings the server and its programs to a certain level of security; the security level can then be raised further to prevent more illegal intrusions.
C. Serv-U: preventing privilege escalation (applies to versions before Serv-U 6.0; in later versions you can simply set the password directly). First stop the Serv-U service.

Open ServUDaemon.exe with UltraEdit and search for the ASCII strings LocalAdministrator and #l@$ak#.lk;0@P.

Change them to other characters of the same length, and treat ServUAdmin.exe the same way.

Also pay attention to the permissions on the folder where Serv-U is installed: do not give the IIS anonymous user read access, otherwise someone can read your modified files and work out your administrator name and password.
