TANET Network Security Techniques

Technical Support for Regional Joint Defense

WIN2000/NT

IIS Protection

Tainan City Education Bureau, Electronic Data Center, Administrative Network Section

傅志雄

10/26/2001


Agenda

  • Types of network security threats

  • Current IIS security threats and remedies

  • Service Pack types and installation

  • IIS deployment planning

  • IIS security settings

  • Microsoft IIS Security Tools

  • Conclusion


Prerequisites

This seminar assumes you already have the following background:

  • Advanced Windows 2000 Server administration

  • IIS deployment and basic administration

  • Networking concepts


1. Types of Network Security Threats

  • Impersonation/spoofing (IP spoofing)

  • Network eavesdropping (sniffing)

  • Computer viruses

  • Brute-force password guessing

  • Trojan horses

  • Denial of service (DoS)


2. Current IIS Security Threats and Remedies

  • Code Red virus

  • W32.Nimda@mm (Nimda) virus

  • Others


Code Red virus

  • Infects, replicates and installs a Trojan,

    bringing the network down

  • Download and run CodeRedCleanup.exe to remove Code Red

  • Download the related fix

    (MS01-033)


Impact of the W32.Nimda@mm (Nimda) virus

  • Steals or changes system passwords, or the system components and files that manage passwords

  • Installs remote-access software such as Trojans or backdoors

  • Installs keystroke logging software

  • Arbitrarily modifies firewall rules

  • Steals credit card numbers, bank account details and other personal confidential data

  • Modifies or deletes important files (and unimportant ones too)

  • Hijacks your e-mail, or uses your mail account to send messages that damage your rights and reputation

  • Modifies access permissions on the system and its files

  • Deletes every record in the built-in Event Viewer, so you have no way to audit or trace what happened


Remedy for W32.Nimda@mm (Nimda)

  • Update virus definitions

  • Patch IE and Outlook

  • Patch IIS


Other IIS security threats

  • Common attack or intrusion vulnerabilities on NT servers

  • The Unicode-encoding vulnerability exploited through the URL

  • Buffer overflows

  • Remote users viewing the source of ASP files on the server

  • Intrusion through already-published security vulnerabilities

  • Remedy

  • Always install the latest fixes


3. Patch Types and Installation

  • Security Bulletin Search URL:

  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=15


Current patches

  • August 2001

  • MS01-044 : 15 August 2001 Cumulative Patch for IIS

  • June 2001

  • MS01-033 : Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise

  • Code Red (bulletin published June 18; discovered in June)

  • May 2001

  • MS01-026 : 14 May 2001 Cumulative Patch for IIS

  • MS01-025 : Index Server Search Function Contains Unchecked Buffer

  • MS01-023 : Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server

  • March 2001

  • MS01-016 : Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources

  • MS01-014 : Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000


Current patches

  • January 2001

  • MS01-004 : Malformed .HTR Request Allows Reading of File Fragments

  • December 2000

  • MS00-100 : Malformed Web Form Submission Vulnerability

  • November 2000

  • MS00-086 : Web Server File Request Parsing Vulnerability

  • MS00-084 : Indexing Services Cross Site Scripting Vulnerability

  • October 2000

  • MS00-080 : Session ID Cookie Marking Vulnerability

  • MS00-078 : Web Server Folder Traversal Vulnerability

  • ***** ([email protected])

  • August 2000

  • MS00-060 : IIS Cross-Site Scripting Vulnerabilities

  • MS00-058 : Specialized Header Vulnerability

  • MS00-057 : File Permission Canonicalization Vulnerability

  • July 2000

  • MS00-044 : Absent Directory Browser Argument Vulnerability


Patch installation

  • Compare the release date of the latest Windows Service Pack with each patch's release date; this simplifies the work (you avoid installing patches the Service Pack already contains)

  • Some patches can run without a reboot, but for safety restart the system anyway

  • Check that the patch language matches the system

  • Read the documentation (KB article) thoroughly before installing


4. IIS Deployment Planning

  • Understanding IIS

  • Hardware considerations

  • Software considerations (hardening the OS)

  • IIS installation

  • IIS configuration


Understanding IIS

Services

  • IIS 5.0 runs only on the Windows 2000 platform

  • WWW, FTP, SMTP, and NNTP

  • Three additional applications:

    certificate server,

    index server,

    Microsoft transaction server.


Understanding IIS

  • IIS security characteristics

    IIS 5.0 is tightly integrated with the Windows 2000 Server operating system: its file permissions, registry settings, password usage, user rights and other Windows 2000 security settings all have a large effect on IIS. This close relationship has both advantages and disadvantages.


Installation considerations

  • Will the server provide Internet access?

  • Will the server provide Intranet access only?

  • How many web sites will the server host?

  • Will separate web sites share any content?

  • Authenticated access, anonymous access only, or both?

  • Support Secure Socket Layer (SSL) connections?

  • HTTP service only?

  • Support FTP service?

  • May specific users copy, open, delete, and write files on the server?


Hardware security

  • Place the server in a secure location (locked, protected against theft and fire, ...)

  • Remove floppies, CDs, ZIP drives

  • Set the boot order to hard disk first

  • Set an EEPROM boot password

  • If the server connects to a database, use two network cards:

    one with a public IP facing outward, the other with a private IP connecting to the database segment


Software considerations (hardening the OS)

  • NTFS file system

  • Keep system/OS files and data on separate partitions

  • Install the minimum software needed; add more only when required

  • If Dynamic DNS Update is not supported, remove the connection's registered address to avoid leaking unnecessary information


Software considerations (hardening the OS)

  • Remove LMHOSTS lookup

  • Remove NetBIOS over TCP/IP

  • Preferably configure the server in the workgroup role, trusting no other domain

  • Because of this, the default permissions applied to the

  • Install to a directory on the C partition

  • Apart from TCP/IP and Client for Microsoft Networks, reduce unnecessary protocol stacks

  • Update the Service Pack

  • Use the SysKey tool to strengthen password protection (128-bit encryption) so that hackers cannot use tools to test the host's passwords (usage on the next page)


Reference: using SYSKEY

  • SYSKEY is easy to use: just type syskey at the command prompt (note: supported only from Windows NT 4.0 SP3 onwards), as shown at right (NT 4.0) and lower right (Windows 2000)


Software considerations (hardening the OS)

  • Using security templates

  • Steps to add the Security Configuration and Analysis and Security Templates snap-ins via MMC:

  • 1. Open MMC

  • 2. Add the Security Configuration and Analysis and Security Templates snap-ins

  • 3. Edit the security template


Software considerations (hardening the OS)

  • 4. After editing, apply it through Local Security Settings (see figure below)


Software considerations (hardening the OS)

  • Download Hisecweb.inf

    http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe

  • After downloading, import and apply it with the Security Configuration and Analysis tool


Software considerations (hardening the OS)

  • Services IIS requires

  • Event Log

  • IIS Admin Service

  • License Logging Service

  • MSDTC

  • Protected Storage

  • Remote Procedure Call (RPC) Service

  • Server

  • Windows NT Server or Windows NT Workstation

  • Windows NTLM Security Support Provider

  • Workstation

  • World Wide Web Publishing Service


Software considerations (hardening the OS)

  • Services IIS does not require

  • Alerter

  • ClipBook Server

  • Computer Browser

  • DHCP Client

  • Messenger

  • NetBIOS Interface

  • Net Logon

  • Network DDE & Network DDE DSDM

  • Network Monitor Agent

  • NWLink NetBIOS

  • NWLink IPX/SPX Compatible Transport (not required unless you don't have TCP/IP or another transport)

  • Simple TCP/IP Services

  • Spooler

  • TCP/IP NetBIOS Helper

  • WINS Client (TCP/IP)


Software considerations (hardening the OS)

  • Remove the LocalSystem and Administrators group permissions from the following utilities, granting only the utility administrators Read and Execute permission

  • arp.exe ipconfig.exe Nbtstat.exe at.exe net.exe Netstat.exe atsvc.exe nslookup.exe ping.exe cacls.exe posix.exe Qbasic.exe Cmd.exe rcp.exe rdisk.exe debug.exe regedit.exe Regedt32.exe edit.com rexec.exe route.exe edlin.exe rsh.exe Runonce.exe finger.exe secfixup.exe Syskey.exe ftp.exe telnet.exe Tracert.exe xcopy.exe tftp.exe command.com clipsrv.exe dialer.exe hypertrm.exe

  • attrib.exe ping.exe sysedit.exe cscript.exe wscript.exe


Software considerations (hardening the OS)

  • TCP/IP Filtering (optional)


IIS installation

Pre-installation review

IUSR_computername: make sure the account cannot change its password and that the password never expires

  • It is a local account, not a domain account

  • If the site does not allow anonymous access, disable the account


IIS installation

  • Directory security


IIS Log File ACLs

  • Change the path:

  • %systemroot%\system32\LogFiles

  • Set permissions:

  • Administrators (Full Control)

  • System (Full Control)

  • Everyone (RWC)

  • This prevents the log files from being deleted


Remove the samples


IIS installation

  • Change the startup type of unused services from Automatic to Manual or Disabled


IIS installation

  • Metabase security settings

  • The Metabase stores all IIS configuration; IIS loads it into memory for fast access. It is separate from the Windows Registry.

  • IIS loads the Metabase at startup and writes it back at shutdown

  • The Metabase is stored in a special format in the file MetaBase.bin, under \Winnt\system32\inetsrv

  • Keep it away from unauthorized users


5. IIS Security Settings

  • Internet Services Manager – Master Properties



Internet Services Manager – Master Properties

Snap-Ins

Microsoft Management Console (MMC)



Internet Services Manager – Master Properties

  • Internet Service Manager



Internet Services Manager – Master Properties



Internet Services Manager – Master Properties

WWW Master Properties

  • Web Site Tab

    Ensure Enable logging is selected

  • Home Directory Tab

    Disable (uncheck) Read, Write, Directory browsing options

    Ensure Log visits is selected

    Ensure None is selected for the Execute Permissions drop down box

  • Directory Security Tab

    If any site hosted by this server will NOT allow Anonymous access, Disable(uncheck) Anonymous access, under Authentication methods and select appropriate authentication method



Internet Services Manager – Master Properties

FTP Master Properties

  • FTP Site Tab

    Set appropriate number of connections for max users on FTP server

    Set maximum seconds for timeout (inactivity), 600 seconds is reasonable

    Ensure Enable logging is selected

  • Security Accounts Tab

    Ensure Allow Anonymous Connections is selected

    Select Allow only anonymous connections

  • Home Directory Tab

    Ensure Log visits is selected



Internet Services Manager – Master Properties

Server Extensions Master Properties

  • Ensure Log authoring actions is selected

  • Ensure Require SSL for authoring is selected

  • Ensure manage permissions manually is selected

  • Ensure Allow authors to upload executable is DISABLED (UNCHECKED)



Internet Services Manager – Master Properties


6. Microsoft IIS Security Tools

  • IIS Lockdown Tool

  • URLScan

  • HFNetChk

  • Microsoft Personal Security Advisor (MPSA)


Microsoft IIS Security Tools: notes before use

  • 1. Read the documentation carefully (especially the Notes)

  • 2. Try the tool on a test machine first

  • 3. Back up the IIS configuration (the settings of every Web site,

    FTP site, virtual directory, directory and file you manage on the computer)


Steps for backing up the IIS configuration


IIS Lockdown Tool

  • Description

    Configures a web site quickly, simply and without mistakes, letting administrators protect it from threats immediately

    Two modes of operation:

    Express Lockdown mode:

    applies the highest security settings for a basic web site

    Advanced Lockdown mode:

    provides guidance and recommended settings so administrators can customize the security configuration, and offers an "undo" function


IIS Lockdown Tool installation

  • Download IISLockD.exe - 184 Kb

  • URL:

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362

  • Release Date - 23 Aug 2001


IIS Lockdown Tool installation

  • Steps to install IIS Lockdown

  • 1. Click as shown at right to start the installer

  • 2. Accept the Microsoft EULA

  • (END-USER LICENSE AGREEMENT)

  • 3. Enter the installation path


IIS Lockdown Tool installation result

IISLockd.exe: the executable

Iislockd.chm: the documentation

404.dll: the file that script mappings are pointed at after Lockdown runs


Purpose of the IIS Lockdown Tool

  • Remove Script Mappings

    Index Server Web Interface (.IDQ)

    Server-Side Includes (.SHTML, .SHTM, .STM)

    Internet Data Connector (.IDC)

    Internet Printing (.printer)

    HTR Scripting (.HTR)

  • Remove sample Web files

  • Remove the Scripts virtual directory

  • Remove the MSADC virtual directory

  • Disable Distributed Authoring and Versioning (WebDAV)

  • Set file permissions to prevent the IIS anonymous user account from executing system utilities

  • Set file permissions to prevent the IIS anonymous user account from writing to Web content directories


Before running the IIS Lockdown Tool

Original script mappings


IIS Lockdown Tool operation

Double-click IISLockd.exe to run the program


IIS Lockdown Tool operation

  • Choose the mode (Express Lockdown)


IIS Lockdown Tool operation

  • Confirmation before running


IIS Lockdown Tool operation

  • The default settings are applied quickly


IIS Lockdown Tool operation

  • The default settings continue to be applied (until "Finished..." appears)


IIS Lockdown Tool operation

  • Completion screen


After running the IIS Lockdown Tool

  • Review the result


IIS Lockdown Tool undo

  • Run IISLockd.exe again to undo the settings


IIS Lockdown Tool operation

  • Perform the undo


IIS Lockdown Tool operation

  • Undo completed


IIS Lockdown Tool operation

  • Check whether the script mappings have been restored


IIS Lockdown Tool operation

  • Choose the mode (Advanced Lockdown)


IIS Lockdown Tool operation

  • Options the administrator can customize (page 1)


IIS Lockdown Tool operation

  • Options the administrator can customize (page 2)


IIS Lockdown Tool operation

  • Confirmation before running


IIS Lockdown Tool operation

  • The selected settings are applied quickly


IIS Lockdown Tool operation

  • Finished......


IIS Lockdown Tool completion report

  • Backed up metabase

    Locked httpext.dll

    Locked idq.dll

    Removed script map: .htw, C:\WINNT\System32\webhits.dll

    Removed script map: .ida, C:\WINNT\System32\idq.dll

    Removed script map: .idq, C:\WINNT\System32\idq.dll

    Removed script map: .htr, C:\WINNT\System32\inetsrv\ism.dll

    Removed script map: .idc, C:\WINNT\System32\inetsrv\httpodbc.dll

    Removed script map: .shtm, C:\WINNT\System32\inetsrv\ssinc.dll

    Removed script map: .shtml, C:\WINNT\System32\inetsrv\ssinc.dll

    Removed script map: .stm, C:\WINNT\System32\inetsrv\ssinc.dll

    Removed script map: .printer, C:\WINNT\System32\msw3prt.dll

    Removed printer virtual dir (/LM/W3SVC/1/ROOT/Printers)

    Removed samples (/LM/W3SVC/1/ROOT/IISSamples)

    Removed MSADC virtual dir (/LM/W3SVC/1/ROOT/MSADC)

    Removed scripts virtual dir (/LM/W3SVC/1/ROOT/Scripts)

    Set Deny All ACE for anonymous web users on system utilities under C:\WINNT

    Set Deny Write ACE for anonymous web users under c:\winnt\help\iishelp

    Set Deny Write ACE for anonymous web users under


URLScan description

  • Description

    An ISAPI filter that provides powerful filtering of HTTP requests

    The tool, URLScan, screens all incoming requests to the server and filters them based on rules set by the administrator.


URLScan: notes on use, and download

  • Note:

    Microsoft recommends that the tool only be used by experienced web administrators.

  • Download URL and KB (Knowledge Base) article

    The tool is available for download at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571.

    Detailed instructions for installing and using it are available in the download package, or in Microsoft Knowledge Base article Q307608.

  • Release Date - 11 Sep 2001


URLScan installation

  • Steps to install URLScan

  • 1. Click UrlScan.exe as shown at right to start the installer

  • 2. Accept the Microsoft EULA

  • (END-USER LICENSE AGREEMENT)


URLScan installation

  • 3. The UrlScan ISAPI filter is installed in the Master Web Site properties of the IIS web server, as a High priority filter.

  • 4. During the installation you will be prompted to restart IIS.

  • 5. Installation path: %windir%\system32\inetsrv\urlscan, which is normally c:\winnt\system32\inetsrv\urlscan.


URLScan installation

  • Checking the installation (1): the ISAPI filter appears under ISAPI Filters in the master web site properties, as shown below


URLScan installation

  • Checking the installation (2): the %windir%\system32\inetsrv\urlscan folder, as shown below


Configuring UrlScan

  • UrlScan.ini (the UrlScan configuration file)

    Read only when IIS starts (for performance)

    After editing it, IIS must be restarted for changes to take effect

    Three ways to restart:

    1. Use IISReset

    2. NET STOP W3SVC and then NET START W3SVC

    3. Right-click the server name in Internet Service Manager and select Restart IIS, then "Restart internet services on <pcname>"

    The default options built into UrlScan.dll result in a configuration that rejects all requests to the server. A UrlScan.ini file must be provided for UrlScan to pass requests to be served.


Configuring UrlScan

  • [AllowVerbs] (UseAllowVerbs=1, the default): HTTP methods GET, HEAD, POST

  • [DenyVerbs] (UseAllowVerbs=0): includes the WebDAV verbs

  • [AllowExtensions] (UseAllowExtensions=1): .asp .htm .html .txt .jpg .jpeg .gif

  • [DenyExtensions] (UseAllowExtensions=0): .htw .ida .idq .htr .idc .shtm

  • [DenyUrlSequences]

    ..   ./   \   :   %   &
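The rules above as a small evaluator, added here as an example (this is not code from the slides or from Microsoft's UrlScan): it parses a constructed UrlScan.ini fragment and reports why a sample request would be rejected, so the effect of each section can be checked before the filter goes live.

```python
# Added example, not from the slides or from Microsoft's UrlScan: evaluates the
# UrlScan.ini rules shown on this slide against sample requests.
from urllib.parse import unquote
# Constructed UrlScan.ini fragment, trimmed to the sections discussed above.
URLSCAN_INI = """
[Options]
UseAllowVerbs=1        ; 1 = only [AllowVerbs] pass, 0 = only [DenyVerbs] fail
UseAllowExtensions=1   ; 1 = only [AllowExtensions] pass, 0 = [DenyExtensions] fail
[AllowVerbs]
GET
POST
[DenyVerbs]
PROPFIND
[AllowExtensions]
.asp
.htm
[DenyExtensions]
.ida
[DenyUrlSequences]
..
./
\\
:
%
&
"""

def parse_ini(text):
    """Parse UrlScan.ini into {section: [entries]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def check_request(rules, verb, raw_url):
    """Return None if the request passes, otherwise the rejection reason."""
    opts = dict(kv.split("=", 1) for kv in rules.get("Options", []))
    allow_verbs = opts.get("UseAllowVerbs", "1") == "1"
    if allow_verbs and verb not in rules.get("AllowVerbs", []):
        return f"verb '{verb}' is not in [AllowVerbs]"
    if not allow_verbs and verb in rules.get("DenyVerbs", []):
        return f"verb '{verb}' is in [DenyVerbs]"
    # UrlScan normalizes (URL-decodes) before analysis, as its log states; a '%'
    # surviving one decode means double encoding and is denied. Path only here.
    path = unquote(raw_url).split("?", 1)[0]
    for seq in rules.get("DenyUrlSequences", []):
        if seq in path:
            return f"URL contains denied sequence '{seq}'"
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    allow_ext = opts.get("UseAllowExtensions", "0") == "1"
    if allow_ext and ext and ext not in rules.get("AllowExtensions", []):
        return f"extension '{ext}' is not in [AllowExtensions]"  # no-ext URLs pass
    if not allow_ext and ext in rules.get("DenyExtensions", []):
        return f"extension '{ext}' is in [DenyExtensions]"
    return None

RULES = parse_ini(URLSCAN_INI)
```

Calling `check_request(RULES, "GET", "/default.ida")` gives the same extension rejection that the urlscan.log entry on the next slide records for a Code Red probe.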


Configuring UrlScan

  • urlscan.log

    Records the settings loaded each time the ISAPI filter initializes, and the results of applying them

    [Thu, Sep 27 2001 - 06:28:41] ---------- UrlScan.dll Initializing ----------

    [Thu, Sep 27 2001 - 06:28:41] URLs will be normalized before analysis.

    [Thu, Sep 27 2001 - 06:28:41] URL normalization will be verified.

    [Thu, Sep 27 2001 - 06:28:41] URLs may contain OEM, international and UTF-8 characters.

    [Thu, Sep 27 2001 - 06:28:41] URLs must not contain any dot except for the file extension.

    [Thu, Sep 27 2001 - 06:28:41] Only the following verbs will be allowed (case sensitive):

    [Thu, Sep 27 2001 - 06:28:41] 'GET'

    [Thu, Sep 27 2001 - 06:28:41] 'HEAD'

    [Thu, Sep 27 2001 - 06:28:41] 'POST'

    [Thu, Sep 27 2001 - 06:28:41] Requests for following extensions will be rejected:

    [星期一, 九月 17 2001 - 17:10:32] Client at 211.244.166.4: URL contains extension '.ida', which is disallowed. Request will be rejected. Raw URL='/default.ida'
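A parser for the rejection entries in urlscan.log, added as an example (not code from the slides or from UrlScan): it skips the initialization lines, keeps the timestamp verbatim so the Chinese-locale entries shown above parse too, and counts rejections per client and per rule, which is how repeated Code Red probes for /default.ida stand out. The log excerpt is constructed; 192.0.2.x are documentation addresses.

```python
# Added example, not from the slides or from Microsoft's UrlScan: parses
# rejection entries from urlscan.log and summarizes them per client and rule.
import re
from collections import Counter

# Constructed excerpt in the format shown on this slide (192.0.2.x are
# documentation addresses); the last entry carries a Chinese-locale timestamp.
SAMPLE_LOG = """\
[Thu, Sep 27 2001 - 06:28:41] ---------- UrlScan.dll Initializing ----------
[Thu, Sep 27 2001 - 06:28:41] Only the following verbs will be allowed (case sensitive):
[Thu, Sep 27 2001 - 06:28:41] 'GET'
[Thu, Sep 27 2001 - 06:28:43] Client at 192.0.2.10: URL contains extension '.ida', which is disallowed. Request will be rejected. Raw URL='/default.ida'
[Thu, Sep 27 2001 - 06:29:02] Client at 192.0.2.10: URL contains extension '.ida', which is disallowed. Request will be rejected. Raw URL='/default.ida'
[Thu, Sep 27 2001 - 06:31:15] Client at 192.0.2.77: URL contains sequence '..', which is disallowed. Request will be rejected. Raw URL='/scripts/../winnt/x.txt'
[星期一, 九月 17 2001 - 17:10:32] Client at 192.0.2.55: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected. Raw URL='/'
"""

# The timestamp is captured verbatim, so non-English locale names parse too.
ENTRY = re.compile(r"^\[(?P<when>[^\]]+)\] Client at (?P<client>\S+): "
                   r"(?P<reason>.+?)\. Request will be rejected\. Raw URL='(?P<url>.*)'$")

def parse_urlscan_log(text):
    """Return one dict per rejected request; initialization lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            records.append(m.groupdict())
    return records

def rule_class(reason):
    """Collapse the free-text reason into the UrlScan rule class that fired."""
    for key in ("extension", "sequence", "verb"):
        if key in reason:
            return key
    return "other"

def summarize(records):
    """Rejections per client and per rule class, for spotting scanning hosts."""
    return {
        "by_client": Counter(r["client"] for r in records),
        "by_rule": Counter(rule_class(r["reason"]) for r in records),
    }
```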


UrlScan: attack and defense


HFNetChk

  • Description:

    HFNetChk is a command-line tool that helps users check the patch status of Windows NT 4.0 or Windows 2000 systems. It also checks hotfixes for IIS 4.0, IIS 5.0, SQL Server 7.0, and SQL Server 2000 (including MSDE), and Internet Explorer 5.01 or later.

  • How it works:

    When HFNetChk starts it looks for, or automatically downloads, an XML file (Mssecure.xml). The XML is compressed into a .cab file digitally signed by Microsoft. HFNetChk scans every product on the system and compares it with the hotfix information recorded in the XML; the comparison shows which patches or hotfixes the system is missing.


HFNetChk installation

  • Download Microsoft Network Security Hotfix Checker (HFNetChk) version 3.1 from the URL below (nshc.exe - 204 Kb)

    http://www.microsoft.com/downloads/release.asp?releaseid=31154

  • Release Date - 2 Jul 2001

  • Click the icon (shown at right)

  • The Microsoft EULA (END-USER LICENSE AGREEMENT) appears


HFNetChk installation

  • Choose the installation path

  • (shown at right)

  • Installation complete

  • A prompt notes that the program is run from the command line


HFNetChk syntax

  • HFNETCHK.exe /? | more   (shows the syntax)

  • HFNETCHK.exe -h hostname

  • HFNETCHK.exe -h h1,h2,h3

  • HFNETCHK.exe -i 192.168.1.1 -a m -t 10 -v

  • HFNETCHK.exe -i 192.168.1.1,192.168.1.8 -h hostname -x mssecure.xml

  • HFNETCHK.exe -d domain_name -a b -o tab -x c:\temp\mssecure.xml

  • HFNETCHK.exe -r 192.168.1.1-192.168.1.254 -a i -t 20

  • HFNETCHK.exe -x http://www.xyz.abc/mssecure.xml

  • HFNETCHK.exe -x "c:\Space In Path\mssecure.xml"


Running HFNetChk

  • C:\Documents and Settings\Administrator\桌面\新資料夾\Microsoft Network Security Hotfix Checker>hfnetchk -i 127.0.0.1

  • Downloads the latest XML file (digitally signed by Microsoft)


Running HFNetChk

  • Microsoft Network Security Hotfix Checker, 3.1

    Developed for Microsoft by Shavlik Technologies, LLC

    [email protected] (www.shavlik.com)

    ** Attempting to download the XML from http://download.microsoft.com/download/x

    ml/security/1.0/NT5/EN-US/mssecure.cab. **

    ** File was successfully downloaded. **


HFNetChk scan results

  • ** Attempting to load C:\Documents and Settings\Administrator\

    Using XML data version = 1.0.1.155 Last modified on 10/20/2001.

    Scanning 127.0.0.1

    ..............

    Done scanning 127.0.0.1

    ----------------------------

    127.0.0.1

    ----------------------------

    WINDOWS 2000 SERVER SP2

    Patch NOT Found MS00-077 Q299796

    Patch NOT Found MS00-079 Q276471

    Patch NOT Found MS01-007 Q285851

    Patch NOT Found MS01-013 Q285156

    WARNING MS01-022 Q296441

    Patch NOT Found MS01-025 Q296185

    Patch NOT Found MS01-031 Q299553

    Patch NOT Found MS01-036 Q299687

    Patch NOT Found MS01-037 Q302755

    Patch NOT Found MS01-040 Q292435

    Patch NOT Found MS01-041 Q298012

    Patch NOT Found MS01-046 Q252795

    Internet Information Services 5.0

    Patch NOT Found MS01-025 Q296185

    Patch NOT Found MS01-044 Q301625


HFNetChk in practice

  • hfnetchk -o tab > scan.txt

  • hfnetchk -i 127.0.0.1,163.26.1.110 > scan2.txt

  • Without Admin rights you get the following message:

    ----------------------------

    163.26.1.x

    ----------------------------

    INFORMATION

    Admin rights are required to scan.
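The scan output from the two slides above, parsed into missing patches per host; this is an added example, not code from the slides or from HFNetChk. The sample output is constructed from the lines shown there (the bulletin and KB numbers are the ones on the slides); hosts that answer only "Admin rights are required to scan" are kept as a note so they are not mistaken for fully patched machines.

```python
# Added example, not from the slides or from HFNetChk itself: parses HFNetChk
# scan output in the format shown on these slides into missing patches per
# host, and records hosts that could not be scanned ("Admin rights" message).
import re

# Constructed output modeled on the slides; bulletin/KB numbers are those shown there.
SAMPLE_OUTPUT = """\
Scanning 127.0.0.1
..............
Done scanning 127.0.0.1
----------------------------
127.0.0.1
----------------------------

WINDOWS 2000 SERVER SP2
Patch NOT Found MS00-077 Q299796
WARNING MS01-022 Q296441
Patch NOT Found MS01-025 Q296185

Internet Information Services 5.0
Patch NOT Found MS01-025 Q296185
Patch NOT Found MS01-044 Q301625
----------------------------
163.26.1.x
----------------------------
INFORMATION
Admin rights are required to scan.
"""

STATUS = re.compile(r"^(Patch NOT Found|WARNING|NOTE)\s+(MS\d{2}-\d{3})\s+(Q\d+)")

def parse_hfnetchk(text):
    """Return {host: {"products": {product: [(status, bulletin, kb)]}, "note": ...}}."""
    report, host, product, dashes = {}, None, None, 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Scanning", "Done scanning")) or set(line) <= {"."}:
            continue
        if set(line) == {"-"}:           # each host name sits between two dash rules
            dashes += 1
            continue
        if dashes % 2 == 1:
            host, product = line, None
            report[host] = {"products": {}, "note": None}
        elif host is None:
            continue                     # banner lines before the first host
        elif STATUS.match(line):
            entry = STATUS.match(line).groups()
            report[host]["products"].setdefault(product or "(unknown)", []).append(entry)
        elif line.startswith("Admin rights"):
            report[host]["note"] = line
        elif line != "INFORMATION":      # anything else names a product section
            product = line
            report[host]["products"].setdefault(product, [])
    return report

def missing_bulletins(report, host):
    """Bulletins reported 'Patch NOT Found' on the host; WARNING/NOTE are excluded."""
    return {bulletin for entries in report[host]["products"].values()
            for status, bulletin, _ in entries if status == "Patch NOT Found"}
```

The set returned by `missing_bulletins` can be checked directly against the IIS bulletin list in section 3 (for example MS01-044, the cumulative IIS patch).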


Microsoft Personal Security Advisor (MPSA)

  • Description

  • MPSA is an easy-to-use web application that gives Windows NT 4.0 and Windows 2000 users security information about their systems.

  • After entering the MPSA site, click the "Scan Now" button to receive a report on your system's security settings together with recommendations for improving them

  • For example: patches not yet applied, password security, Internet Explorer and Outlook Express security settings, Office macro protection settings, and so on


Microsoft Personal Security Advisor (MPSA)

  • URL: http://www.microsoft.com/technet/mpsa/start.asp


Microsoft Personal Security Advisor (MPSA)

  • Notes:

  • 1) MPSA hotfix checking currently supports English-language versions only.

  • 2) MPSA supports Windows NT 4.0 Workstation and Windows 2000 Professional

  • 3) MPSA does not cover web server related patches


Using MPSA

When the scan starts, the XML security data is downloaded


Using MPSA

  • Scan complete


Explanation of the MPSA scan results

  • As shown below


Individual MPSA scan results

  • As shown below


MPSA overall scan rating

  • As shown below


Resources

  • Subscribe to the security mailing list [email protected]

  • Browse the Microsoft Security web sites

    Microsoft Security: http://www.microsoft.com/security

    Microsoft TechNet Security: http://www.microsoft.com/technet/security/default.asp


7. Conclusion

  • Establish management policies; technology is not a cure-all

  • The difficulty of defending a network grows with its complexity

  • Someone will break into your system; most people do not believe their system has a problem until it has been compromised

  • The most secure network systems are always well managed

  • Network security is risk management

  • Constant vigilance is the price of high security

  • Security and productivity trade off against each other; simple protection does not achieve the security you need

  • There is no absolutely secure platform or system

