Re: Disable %logonserver% browsing
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 29 Aug 2006 18:38:12 -0500
I am in 100 percent agreement with Roger in that you have a much bigger
problem and there are too many ways anyhow to determine domain controllers.
One possible way that this could have happened is that you have domain
administrators logging onto domain workstations other than known secured
administrative workstations of which there should be few and they need to be
physically secured to some degree. It can be trivial for a skilled user on a
domain computer to capture credentials or use them to take over the domain.
Common methods would be software and hardware keyboard loggers, and scripts
that use the administrator account to elevate privileges of a user in the
domain when the domain administrator logs onto their computer. Another
possible problem is domain level administrators not locking or logging off
of their computer when not at the computer.
Steve
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ulyrxY7yGHA.4548@xxxxxxxxxxxxxxxxxxxxxxx
There are numerous ways to determine the DCs of a domain, particularly
if logged into that domain even as a limited user.
Trashing the environment variable that shows the DC that authenticated
the current login would adversely impact anything relying on that
variable.
Just locating a DC was not your problem. Letting them have the ability
to define accounts, manage group memberships, was your immediate problem.
Just how they managed to do that, whether directly having logged in as an
account that was Domain Admins member in the forestroot domain, or
whether they exploited some unpatched vulnerability, etc. is what you do
need to determine. Until you can be sure of your immediate problem that
enabled the breach you cannot have confidence that you have prevented
it from being repeated. All the same, blocking one way of determining the
DC in use, is a relatively unimportant part of the fix, and preventing one
way for that to be done by a domain user is completely unimportant.
Roger
"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3AE29979-EB45-40FC-8F7F-6958EAA04448@xxxxxxxxxxxxxxxx
Hello,
I was wondering if there is a group policy setting that can be applied
that would prevent users from typing %logonserver% at the Internet Explorer
address bar displaying the authenticating server? We had somebody penetrate
our system and we believe that the person doing the hacking used this method
to find a domain controller, logged into it and then created an account and
put it into the enterprise admins group. Is there such a policy that could
prevent this from happening in the future?
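Roger's point is that the breach is confirmed by the account creation and the Enterprise Admins membership change, not by how the DC was located. The following is an added example, not code from anyone in this thread, showing how a defender would pull that pattern out of Security log data: an account created (event 4720) and then added to a privileged group (4728 for global groups such as Domain Admins, 4756 for universal groups such as Enterprise Admins) shortly afterwards. The events, field names and the correlation window are constructed for the example.

```python
from datetime import datetime, timedelta

# Groups whose membership changes always deserve review, and the Windows
# Security event IDs that record a member being added to such a group:
# 4728 = added to a security-enabled global group (e.g. Domain Admins),
# 4756 = added to a security-enabled universal group (e.g. Enterprise Admins).
WATCHED_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins"}
GROUP_ADD_IDS = {4728, 4756}
ACCOUNT_CREATED_ID = 4720  # "A user account was created"

# Constructed sample events for this example. Field names are simplified,
# not the exact field names of the Security log XML.
SAMPLE_EVENTS = [
    {"time": "2006-08-28T02:14:05", "id": 4720, "subject": "CORP\\jdoe", "account": "svc-backup2"},
    {"time": "2006-08-28T02:15:40", "id": 4756, "subject": "CORP\\jdoe", "account": "svc-backup2", "group": "Enterprise Admins"},
    {"time": "2006-08-28T09:00:00", "id": 4720, "subject": "CORP\\hr-admin", "account": "new.hire"},
    {"time": "2006-08-28T09:00:30", "id": 4728, "subject": "CORP\\hr-admin", "account": "new.hire", "group": "Staff"},
    {"time": "2006-08-28T17:45:00", "id": 4728, "subject": "CORP\\itops", "account": "bob", "group": "Domain Admins"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def privileged_group_additions(events):
    """Every addition to a watched group, whoever performed it."""
    return [e for e in events if e["id"] in GROUP_ADD_IDS and e["group"] in WATCHED_GROUPS]

def create_then_elevate(events, window=timedelta(hours=1)):
    """Additions to a watched group where the same account was created no more
    than `window` earlier: the sequence described in the original post."""
    created = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == ACCOUNT_CREATED_ID:
            created[e["account"]] = e  # keep the most recent creation per account
    hits = []
    for add in privileged_group_additions(events):
        c = created.get(add["account"])
        if c and timedelta(0) <= _ts(add["time"]) - _ts(c["time"]) <= window:
            gap = _ts(add["time"]) - _ts(c["time"])
            hits.append({"account": add["account"], "group": add["group"],
                         "created_by": c["subject"], "added_by": add["subject"],
                         "gap_seconds": int(gap.total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in create_then_elevate(SAMPLE_EVENTS):
        print(hit)
```

The `subject` fields tell you which existing account performed the creation and the group change, which is the starting point for the "how did they get that access" question Roger raises.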