Re: Security Breach in AD W/2000 Server

From: Todd (Todd_at_discussions.microsoft.com)
Date: 02/07/05


Date: Mon, 7 Feb 2005 13:47:07 -0800

I have used Event Viewer many times; I was just unable to locate the event
triggered by the audit (the ghost admin may have erased it, actually).
I didn't remember having learned about Restricted Groups, although knowing
the training I went through, it was probably explained in one sentence and then
forgotten.
I have now configured Restricted Groups and I really hope that helps. It
just may do the trick.

Again I appreciate the assistance.

Todd

"Laura E. Hunter (MVP)" wrote:

> To filter events in an Event Log:
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nt_filteringevents_how_ev.mspx
>
> Restricted Groups:
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/611.asp
>
> Both of these are topics that you should've seen when preparing for the
> Microsoft Certification exams, and are certainly ones that you should be
> aware of when administering a real-world network.
>
> --
> Laura E. Hunter
> Microsoft MVP - Windows Server Networking
> All information provided "AS-IS", no warranties expressed or implied.
> Replies to newsgroup only.
> "Todd" <Todd@discussions.microsoft.com> wrote in message
> news:A64AF9F5-F930-41BD-8048-2E5CC0408183@microsoft.com...
> > Hello Laura, thanks so much for your quick response.
> > To answer a few of your questions...
> >
> > First, we have enabled success and failure events for account management,
> > but I haven't seen anything unusual in the Event Viewer. I looked for the
> > event triggered by our most recent account that was created over the weekend,
> > but I didn't see it. Is there a good way that I can filter out the event
> > created by this audit? What would the source be?
> >
> > Second, we removed MANY processes and programs after virus scanning from
> > our Winnt/system32 folder that were malicious, but we thought we had solved
> > the problem after removing anything that we found to be suspicious or
> > malicious. I was actually kind of hoping someone would know of a similar
> > process that may have been installed somewhere that we haven't found yet.
> > But yes, everything has been removed that we are aware of.
> >
> > Third, I haven't heard of Restricted Groups and am unfamiliar with how that
> > would help me. Can I have more info on that, because that sounds like it
> > would be a great solution for us.
> >
> > We can't really just wipe the OS and start over on this because it's our SQL
> > database and we really need to just figure out the problem and fix it. We
> > haven't totally thrown that option out the window, but we must exhaust every
> > possible fix before we even consider it, as you probably understand.
> >
> > Thanks again for your suggestions and patience. I'll look forward to
> > hearing from you again!
> >
> > Todd
> >
> >
> > "Laura E. Hunter (MVP)" wrote:
> >
> >> Have you enabled auditing for "Account Management" events? This will tell
> >> you when and where the accounts are being created, and what account is
> >> being used to create them.
> >>
> >> Have you checked for unusual services or program names listed in the
> >> Services Applet, Task Manager or Run keys in the registry?
> >>
> >> You can also set up Restricted Groups to control membership in the
> >> Administrators, Domain Admins & Enterprise Admins group.
> >>
> >> Unless you find that these accounts are being created by someone internal
> >> to the network, I'd frankly recommend a complete rebuild of the server.
> >> Review the 10 Immutable Laws of Security: if an outsider can get your
> >> computer to do what he wants it to do without your consent, then it's not
> >> your computer anymore. If someone has installed some type of back door into
> >> your computer, then the only way to be certain that you've removed the
> >> vulnerability is to "nuke and pave."
> >>
> >>
> >> --
> >> Laura E. Hunter
> >> Microsoft MVP - Windows Server Networking
> >> All information provided "AS-IS", no warranties expressed or implied.
> >> Replies to newsgroup only.
> >> "Todd" <Todd@discussions.microsoft.com> wrote in message
> >> news:2AAB0B6F-5F7C-4327-ABE2-809074138730@microsoft.com...
> >> > Hello, my name is Todd and I am an MCP (almost an MCSA-2003) working for a
> >> > computer consulting business. One of our clients (our biggest one) has AD
> >> > running and we have had a heck of a time figuring out this problem:
> >> > The only 2 people with administrative permissions on the entire domain
> >> > are my boss (owner of the company) and myself. However, we keep finding
> >> > new users that are being created and are being assigned to the built-in
> >> > Administrators group, giving them admin permissions. There appears to be
> >> > no way to stop them. We have changed our Administrator account password
> >> > (although I don't think this would have helped anyway, as the accounts
> >> > that are being created have admin rights...they don't need our account).
> >> > We have removed all spyware/adware and have run virus scans galore
> >> > (although we periodically still have to remove them from the
> >> > system...even in the past couple of weeks). The only ports open are those
> >> > we are using...it seems to be a secure environment with the exception of
> >> > the ghost administrator running around. We have tried deleting the
> >> > accounts from the default admin group and have disabled the accounts.
> >> > They either reappear after being deleted in a few days or, when we
> >> > disable the accounts, they return with different names like "1", "2",
> >> > "skip0" and "***".
> >> >
> >> > Has anyone ever heard of a similar problem or hack that we could look for
> >> > that would allow someone without admin rights (or by using a system
> >> > account with those rights) to create admin accounts?
> >> >
> >> > I know this is a complicated one, but this has been going on for over 2
> >> > months and we need help!
> >> >
> >> > Thanks in advance
> >> >
> >> > Todd
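Added example, not part of the newsgroup thread above: a defender's PowerShell script that does what Laura's three suggestions amount to in practice, answering Todd's "what would the source be?" question along the way. It pulls the Security-log account-management events (user created, member added to a global or local group), compares the Administrators group against an expected baseline, and lists the Run/RunOnce autorun entries and any service whose binary sits outside the usual system folders. It assumes a current Windows host (PowerShell 5 or later); the event IDs 4720/4728/4732 are the modern Security-log IDs, and their Windows 2000/2003 equivalents were 624/632/636 under source "Security". The $ExpectedAdmins baseline and the path heuristic in the service check are assumptions to adjust for the environment.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# domain controller or affected server.
param(
    [int]$DaysBack = 7,
    # Assumed baseline: the only accounts that should be in Administrators.
    [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins', 'Enterprise Admins')
)

# 1. Account-management audit events. Modern source is
#    "Microsoft-Windows-Security-Auditing"; on Windows 2000/2003 it was "Security"
#    with IDs 624 (user created), 632 (global group member added), 636 (local
#    group member added). This requires "Audit account management" to be on.
$since = (Get-Date).AddDays(-$DaysBack)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4728, 4732
    StartTime = $since
} -ErrorAction SilentlyContinue

Write-Host "== Account-management events since $since =="
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        # Subject* fields = the account that performed the action
        Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        # Target* fields = the account created (4720) or the group changed (4728/4732)
        Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        # MemberName is only present on the group-membership events
        Member  = $d.MemberName
        # SubjectLogonId ties the action back to the logon session (event 4624)
        LogonId = $d.SubjectLogonId
    }
} | Format-Table -AutoSize

# 2. Administrators membership vs. baseline. ADSI WinNT is used rather than
#    Get-LocalGroupMember because the latter is not available on domain
#    controllers, where Administrators is the domain built-in group.
Write-Host "== Administrators group members =="
$group   = [ADSI]"WinNT://./Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$members | ForEach-Object { Write-Host "  $_" }
$unexpected = $members | Where-Object { $ExpectedAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning "Members NOT in the expected baseline: $($unexpected -join ', ')"
}

# 3. Autorun entries (the "Run keys in the registry" Laura mentions).
Write-Host "== Run / RunOnce entries =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
} | Format-Table -AutoSize

# 4. Services whose binary lives outside the usual system locations. This is a
#    heuristic (an assumption, not a rule): a legitimate service can live
#    elsewhere, so treat hits as things to look at, not as verdicts.
Write-Host "== Services with binaries outside System32 / Program Files =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and
                   $_.PathName -notmatch '\\(Windows|WINNT)\\(System32|SysWOW64)\\' -and
                   $_.PathName -notmatch '\\Program Files( \(x86\))?\\' } |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize
```

Run it daily (or wire it to a scheduled task that mails the output) while the investigation is open: the Actor and LogonId columns in section 1 are what tell you which account and which logon session is creating the rogue admins, which is the fact Todd was missing. Section 2 is the manual counterpart of Restricted Groups; once the Restricted Groups policy is in place, a member that appears in section 2 but is not in the policy is a sign the policy is not being applied, not that the attacker has stopped.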