Re: Disable %logonserver% browsing



There are numerous ways to determine the DCs of a domain, particularly
if logged into that domain even as a limited user.
Trashing the environment variable that shows the DC that authenticated
the current login would adversely impact anything relying on that variable.

Just locating a DC was not your problem. Letting them have the ability
to define accounts, manage group memberships, was your immediate problem.
Just how they managed to do that, whether directly having logged in as an
account that was a Domain Admins member in the forest root domain, or
whether they exploited some unpatched vulnerability, etc. is what you do
need to determine. Until you can be sure of your immediate problem that
enabled the breach you cannot have confidence that you have prevented
it from being repeated. All the same, blocking one way of determining the
DC in use is a relatively unimportant part of the fix, and preventing one
way for that to be done by a domain user is completely unimportant.

Roge
"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3AE29979-EB45-40FC-8F7F-6958EAA04448@xxxxxxxxxxxxxxxx
Hello,

I was wondering if there is a group policy setting that can be applied
that would prevent users from typing %logonserver% at the Internet
Explorer address bar displaying the authenticating server? We had somebody
penetrate our system and we believe that the person doing the hacking used
this method to find a domain controller, logged into it and then created an
account and put it into the enterprise admins group. Is there such a policy
that could prevent this from happening in the future?
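
An added example, not part of either poster's message: one way to work on the question the reply raises (which account created the new user and placed it in a privileged group) is to correlate account-creation events (ID 4720) with security-group membership additions (IDs 4728, 4732, 4756) from the domain controllers' Security logs. The record layout, account names and DC names below are constructed for illustration, and the sketch assumes the event fields have already been extracted into dictionaries.

```python
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
MEMBER_ADDED = {4728, 4732, 4756}  # global, local, universal security groups
PRIVILEGED = {"enterprise admins", "domain admins", "schema admins", "administrators"}

# Constructed sample records (not from the thread). Assumed shape: fields
# already extracted from each DC's Security log into plain dictionaries.
EVENTS = [
    {"time": "2024-03-01T02:10:00", "id": 4720, "dc": "DC01",
     "actor": "CORP\\helpdesk1", "target": "tmpadmin"},
    {"time": "2024-03-01T02:14:00", "id": 4756, "dc": "DC01",
     "actor": "CORP\\helpdesk1", "target": "tmpadmin", "group": "Enterprise Admins"},
    {"time": "2024-03-01T09:00:00", "id": 4720, "dc": "DC02",
     "actor": "CORP\\hr_provision", "target": "newhire1"},
    {"time": "2024-03-01T09:05:00", "id": 4728, "dc": "DC02",
     "actor": "CORP\\hr_provision", "target": "newhire1", "group": "Sales Users"},
    {"time": "2024-03-03T11:00:00", "id": 4728, "dc": "DC01",
     "actor": "CORP\\da_alice", "target": "bob", "group": "Domain Admins"},
]

def find_privileged_additions(events, window=timedelta(hours=24)):
    """Return every addition to a privileged group, marking accounts that
    were created less than `window` before being added."""
    created = {}   # account name -> (creation time, creating actor)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        account = ev["target"].lower()
        if ev["id"] == ACCOUNT_CREATED:
            created[account] = (when, ev["actor"])
        elif ev["id"] in MEMBER_ADDED and ev.get("group", "").lower() in PRIVILEGED:
            born = created.get(account)
            fresh = born is not None and when - born[0] <= window
            findings.append({
                "account": account, "group": ev["group"], "dc": ev["dc"],
                "added_by": ev["actor"], "time": ev["time"],
                "new_account": fresh,
                "created_by": born[1] if fresh else None,
            })
    return findings

if __name__ == "__main__":
    for f in find_privileged_additions(EVENTS):
        label = "NEW ACCOUNT" if f["new_account"] else "existing account"
        print(f"{f['time']} {f['dc']}: {f['account']} -> {f['group']} "
              f"by {f['added_by']} ({label})")
```

The `added_by` and `created_by` fields name the account whose credentials performed the change, which is the starting point for working out how that account came to be used.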

