Re: Finding a Hacker

---

• From: "scott" <sbailey@xxxxxxxxxxxxxxx>
• Date: Sat, 19 May 2007 17:53:54 -0500

---

one last question, without going in depth, can you tell me what exactly is
IPSec and where it fits into securing your domain?

Many thanks for the previous info.


"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
news:%23B8MwSmmHHA.3980@xxxxxxxxxxxxxxxxxxxxxxx

You could set a rule in the firewall to allow RDP only from your
IPaddress. But to use RDP from outside the hacker must have guessed a
username and password. Make the password complex and this is highly
unlikely. Or else use a VPN to connect.

In GPO, set the auditing policies in Computer Configuration, Windows
Settings, Security Settings, Local Policies. See here for policies:
http://technet2.microsoft.com/windowsserver/en/library/d9fea7ea-61e5-43b1-98cd-b02a09f101561033.mspx?mfr=true
and here for guidance:
http://www.microsoft.com/technet/security/guidance/auditingandmonitoring/securitymonitoring/smpgappb.mspx

Anthony
http://www.airdesk.co.uk



"scott" <sbailey@xxxxxxxxxxxxxxx> wrote in message
news:e3CRB4lmHHA.1340@xxxxxxxxxxxxxxxxxxxxxxx

Is there a way to restrict remote desktop from allowing access except
from my home ip address?

Where is "logging for logon success and failure" located? I assume it's a
GPO?
Can you give me some good keywords to search or linnks for info about
using these logs?

Thanks for your input.

"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
news:Oup$hhkmHHA.4120@xxxxxxxxxxxxxxxxxxxxxxx

Scott,
If that PC has been hacked, you will need to rebuild the whole domain.
Its really a question of whether someone is pulling your leg or you have
been truly hacked.
1) If you have set logging for logon success and failure then the the
logon will be in the security log.
2) You can't
3) No. I guess if someone had domain admin rights they may be able to
create an account you couldn't see, but if you thought they may have
domain admin rights you would have to rebuild anyway. Is there a local
account on the PC?
4) No.
Your problem is not restricting remote desktop connections. It is what
people are able to do on your domain. Your best case is that users are
local admins of their machines and someone has done this for fun. Your
worst case is that a hacker has found the remote desktop opening and
cracked a password.
Anthony
http://www.airdesk.co.uk




"scott" <sbailey@xxxxxxxxxxxxxxx> wrote in message
news:Oir593jmHHA.1624@xxxxxxxxxxxxxxxxxxxxxxx

One of my clients has a Win 2003 standard PDC with about 10 winXP
clients. I've had AD setup and been running fine for years. Last week,
I was sitting at one of the XP clients on the domain and suddenly I got
logged off and a user "userHacker" logged back in. I had to hit
ctrl-alt-delete and logged myself back in.

After about 60 seconds, it happened again. So I cut off access to the
net and looked at the pc's user profiles and noticed their was a local
account for "userHacker". I deleted the profile and left the pc off
line.

I should mention that I have Remote Desktop and pcAnywhere ports open
in the firewall for this XP machine.

1. Is there a log within the PDC AD that would show a record of users
that logged into the WinXP machine?
2. How can I determine which port the hacker is coming through?
3. Although I searched AD's Users and Computers applet, I couldn't find
a "userHacker" account. I'm assuming the account was a local account on
the XP machine. Is there anyway for him to have created an "hidden"
account?
4. Does "Remote Desktop" keep any type of activity log that would help
me?

Any ideas on restricting remote desktop connections by user account or
ip address would be appreciated.

.

---

• Follow-Ups:
  • Re: Finding a Hacker
    • From: Anthony
  • Re: Finding a Hacker
    • From: Herb Martin

• References:
  • Finding a Hacker
    • From: scott
  • Re: Finding a Hacker
    • From: Anthony
  • Re: Finding a Hacker
    • From: scott
  • Re: Finding a Hacker
    • From: Anthony

• Prev by Date: Re: Finding a Hacker
• Next by Date: Re: exchange 2003 sever on main DC
• Previous by thread: Re: Finding a Hacker
• Next by thread: Re: Finding a Hacker
• Index(es):
  • Date
  • Thread

---

Relevant Pages Risks Digest 25.73 ... German electronic health card system failure ... Risks of the Cloud: Liquid Motors ... Oakland 2010, IEEE Symposium on Security and Privacy, CFP ... A friend's facebook account was hacked recently (a neat little short-term ... (comp.risks) Re: Finding a Hacker ... Settings, Security Settings, Local Policies. ... create an account you couldn't see, but if you thought they may have ... Your problem is not restricting remote desktop connections. ... got logged off and a user "userHacker" logged back in. ... (microsoft.public.windows.server.active_directory) Re: MBSA, Office Update, Versions, Failures ... I apologize for posting this to three groups (MBSA, Windows Update, ... with Domain User account. ... Microsoft Baseline Security Advisor (? ... Office 2000 Security Patches - Red X's, ... (microsoft.public.officeupdate) Re: write with cURL ... you can stop making excuses. ... up an account for you, process the billing, etc. ... possible features from a web site to make up for the security issues. ... Nothing you have told me shows me you know how to lock down a server ... (alt.php) Re: Finding a Hacker ... Settings, Security Settings, Local Policies. ... I guess if someone had domain admin rights they may be able to ... create an account you couldn't see, but if you thought they may have ... Your problem is not restricting remote desktop connections. ... (microsoft.public.windows.server.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)