Windows system security risk - local NTLM replay privilege escalation

According to research and analysis by the security department, intrusions into Windows systems that abuse the NTLM replay mechanism have become more frequent recently. The intruders mainly use the Potato program to attack ports that run with SYSTEM privileges, forging the network authentication process and using the NTLM replay mechanism to trick the system into handing over a SYSTEM identity token, and finally obtain system privileges. Microsoft does not consider this security risk to be a vulnerability, so it will not be fixed. For the security of your server, we recommend making the following security adjustments:

1. Turn off the DCOM function

What does DCOM mean? DCOM is actually a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. Formerly known as Network OLE, DCOM is designed to work with a variety of network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE RPC specification and can be used by Java applets and ActiveX components through the Component Object Model (COM).

(Applies to Windows Server 2008/2012/2016/2019)

1. Open Control Panel -> Administrative Tools -> Component Services

2. Expand Component Services -> Computers, right-click My Computer and select Properties

3. Click the Default Properties tab, uncheck "Enable Distributed COM on this computer", and then confirm

4. Alternatively, you can disable it directly from the command line by running: reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d N /f

It is recommended to turn off this option when using Windows to reduce the risk of intrusion.

2. If you are using IIS, it is recommended to remove IIS 6 Management Compatibility from IIS
Server Manager -> Manage -> Remove Roles and Features
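The two adjustments above, as an added example that is not part of the original post: a PowerShell script (run elevated on Windows Server) that reports the EnableDCOM registry value and the IIS 6 Management Compatibility role service, and only changes them when -Apply is given. It assumes the role service is referenced by its Server Manager feature name Web-Mgmt-Compat.

```powershell
# Added example (not from the original post). Audits the two hardening steps
# above and applies them only with -Apply. Run in an elevated PowerShell.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports
)

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomState {
    # EnableDCOM is a REG_SZ; "Y" (or a missing value) means DCOM is enabled.
    $value = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    if ([string]::IsNullOrEmpty($value)) { return 'Y (default)' }
    return $value
}

$state = Get-DcomState
Write-Host "EnableDCOM = $state"
if ($state -ne 'N') {
    if ($Apply) {
        # Same change as the reg add command above; takes effect after a reboot.
        Set-ItemProperty -Path $oleKey -Name EnableDCOM -Value 'N' -Type String
        Write-Host 'DCOM disabled; reboot for the change to take effect.'
    } else {
        Write-Warning 'DCOM is enabled; rerun with -Apply to disable it.'
    }
}

# IIS 6 Management Compatibility (assumed feature name: Web-Mgmt-Compat).
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsFeature -Name Web-Mgmt-Compat
    if ($feature.Installed) {
        if ($Apply) {
            Uninstall-WindowsFeature -Name Web-Mgmt-Compat
            Write-Host 'IIS 6 Management Compatibility removed.'
        } else {
            Write-Warning 'IIS 6 Management Compatibility is installed; rerun with -Apply to remove it.'
        }
    } else {
        Write-Host 'IIS 6 Management Compatibility is not installed.'
    }
} else {
    Write-Host 'Get-WindowsFeature is not available (not Windows Server); skipping the IIS check.'
}
```

Disabling DCOM also breaks legitimate remote management that depends on it (for example remote WMI and some monitoring agents), so report first and test the change on a non-production host before running with -Apply.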

Please be sure to pay attention to these security settings. If you have any questions you don't understand, you can leave a comment or send me a private message. Thank you for reading. If you want to see more practical server technology content, follow my homepage for more.


Origin blog.csdn.net/2301_78546196/article/details/132045792