Re: Possible compromise of Windows Server 2003 security risk & unknown users
- From: "Laura E. Hunter [MVP]" <nospamplease>
- Date: Wed, 7 Dec 2005 11:38:08 -0500
If any computer is connected to the Internet before you've enabled a
hardware- or software-based firewall and installed all available patches
from Windows Update or SUS/WSUS, then it is certainly a target for potential
compromise.

I would recommend running the Microsoft Malicious Software Removal Tool
against your server, as well as a full scan by your anti-virus and the
Microsoft anti-spyware client. However, it sounds like you're already
displaying symptoms of compromise, and you would probably be better off
reformatting and reinstalling the box to remove any trace of the compromise.

Place the box behind a hardware firewall before re-connecting it to the
network to download Service Pack 1 and other patches to reduce the chance of
a recurrence of the compromise.

HTH
--
Laura E. Hunter: MVP Windows Server - Networking
All replies to newsgroup, please
Post provided as-is, no warranties expressed or implied
"Chris" <chris.jones@xxxxxxxxxxxxx> wrote in message
news:OP$Xgt0%23FHA.140@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Everyone,
>
> I wanted to find out if anybody is aware of how a Windows Server 2003
> Terminal Server out of the box environment can ever become
> compromised/hacked?
>
> We have recently received a security report stating that the server we are
> running has been performing other tasks, such as the polling of websites,
> and the scanning of other networks also being hosted. Our server is on
> the Internet.
>
> We noticed in our user list an unknown username named 'tsadmin' had been
> created and was logging in, with full access rights just like an
> administrator, they were also a member of the backup users group, however
> none of us ever recall creating this user. We are careful who we create
> onto the server and never allow them to have a desktop environment.
>
> Is this a coincidence?
>
> We have now deleted the tsadmin user.
>
> If anybody could advise of this, or recommend any additional security
> checks or security logging software then this would be ideal.
>
> How can we check if our server has been compromised? Do we need to fix
> anything? What can we do to prevent it from happening again?
>
> We currently use an up to date version of AVG server edition scanner, but
> if anybody knows of a more dedicated server security product this would be
> greatly appreciated.
>
> Thanking you in advance
>
> Chris
>
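
An added example, not part of either poster's message: one way to check for accounts like the 'tsadmin' user described above is to capture `net localgroup <group>` output for each privileged group and compare it with the accounts the administrators knowingly put there. The sample captures (abbreviated layout), the account name 'chris' and the allowlist are constructed assumptions.

```python
# Audit privileged local groups from captured `net localgroup <group>` output.
# Constructed sample captures; every name except 'tsadmin' is an assumption.
SAMPLE_ADMINS = """\
Alias name     Administrators
Members
-------------------------------------------------------------------------------
Administrator
chris
tsadmin
The command completed successfully.
"""
SAMPLE_BACKUP = """\
Alias name     Backup Operators
Members
-------------------------------------------------------------------------------
tsadmin
The command completed successfully.
"""
# Hypothetical allowlist: accounts the administrators knowingly placed in each group.
EXPECTED = {"Administrators": {"administrator", "chris"}, "Backup Operators": set()}

def parse_net_localgroup(text):
    """Return (group_name, [members]) from one `net localgroup <group>` capture."""
    group, members, in_members = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name"):
            group = line[len("Alias name"):].strip()
        elif line and set(line) == {"-"}:
            in_members = True  # the dashed rule precedes the member list
        elif line.startswith("The command completed"):
            in_members = False
        elif in_members and line:
            members.append(line)
    if group is None:
        raise ValueError("no 'Alias name' line: not `net localgroup` output")
    return group, members

def unexpected_members(captures, expected):
    """Map each group to the members missing from its allowlist (case-insensitive)."""
    findings = {}
    for group, members in map(parse_net_localgroup, captures):
        # A group with no allowlist entry has every member reported.
        extra = [m for m in members if m.lower() not in expected.get(group, set())]
        if extra:
            findings[group] = extra
    return findings

if __name__ == "__main__":
    print(unexpected_members([SAMPLE_ADMINS, SAMPLE_BACKUP], EXPECTED))
```

An empty result covers group membership only and does not show that the server is clean.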