RE: w2k server compromised
From: James D. Stallard (james@leafgrove.com)
Date: 01/23/03
From: james@leafgrove.com (James D. Stallard)
To: "'Dan Uscatu'" <duscatu@lunatech.ro>, <focus-ms@securityfocus.com>
Date: Thu, 23 Jan 2003 22:07:41 -0000
Dan
Regardless of the security implications and reasons for having an
apparently compromised DC, you can use the following procedure to get your
AD databases copied:
Build new W2k server box
Harden new server
Use DCPROMO to make it a DC in the current domain/forest
Await replication to complete, check by directing AD Users and computers
at the new server.
Check your login scripts and policies have also come across by looking
in SYSVOL
DCPROMO old server to remove DC functionality
Power off old server
Remove entries in sites and services relating to the old server if
still there
Remove old server computer account
Rebuild old server
Harden old server
DCPROMO old server to make it a DC in the current domain/forest
Await replication to complete, check by directing AD Users and computers
at the old server.
Check your login scripts and policies have also come across by looking
in SYSVOL
DCPROMO new server to remove DC functionality
Power off new server
Remove entries in sites and services relating to the new server if
still there
Remove new server computer account
Done
Good luck and don't forget to check the rest of your LAN for pesky
malware
Of course if the compromise is AD aware you may not be able to get rid
of it this way, but that is pretty unlikely. Anyone else comment??
Cheers
JamesD
-----Original Message-----
From: Dan Uscatu [mailto:duscatu@lunatech.ro]
Sent: 23 January 2003 08:17
To: focus-ms@securityfocus.com
Subject: w2k server compromised
hey all
I just found one of the w2k servers to be infected and acting very
strangely. Unfortunately it is a domain controller and it has all the
users/computers lists.
How can I export these before reinstall in order to keep the exact same
configuration (everything except passwords of course)? I suppose this
could be useful to be done on a regular basis too...
TIA
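The swing procedure above has three points where the poster says to check something by hand: that replication to the new DC has completed, that login scripts and policies arrived in SYSVOL, and that no entries for the demoted server remain in Sites and Services or as a computer account. The script below is an added example of those three checks and is not part of the original posts; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), which did not exist when the thread was written (the post uses DCPROMO and the MMC snap-ins), and the hostnames DC-NEW and DC-OLD are placeholders.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module and domain-admin rights. DC-NEW / DC-OLD are placeholder hostnames.
Import-Module ActiveDirectory
$NewDc = 'DC-NEW'   # freshly built, hardened and DCPROMO'd server
$OldDc = 'DC-OLD'   # the suspect DC that will be demoted

# Check 1: has the new DC caught up? Every inbound partner link must have
# replicated successfully at least once and report no consecutive failures.
function Test-ReplicationConverged {
    param([string]$Server)
    $links = Get-ADReplicationPartnerMetadata -Target $Server -PartnerType Inbound
    $bad = @($links | Where-Object {
        ($null -eq $_.LastReplicationSuccess) -or ($_.ConsecutiveReplicationFailures -gt 0)
    })
    foreach ($l in $bad) {
        Write-Warning ("{0}: partition {1} from {2}: {3} consecutive failure(s), last result {4}" -f
            $Server, $l.Partition, $l.Partner, $l.ConsecutiveReplicationFailures, $l.LastReplicationResult)
    }
    return ($bad.Count -eq 0)
}

# Check 2: did the login scripts and policies come across? Walk the source
# DC's SYSVOL share and confirm each file exists on the target with the same
# SHA-256. This proves the files replicated, not that their content is clean.
function Compare-Sysvol {
    param([string]$SourceDc, [string]$TargetDc)
    $domain = (Get-ADDomain).DNSRoot
    $src = "\\$SourceDc\SYSVOL\$domain"
    $dst = "\\$TargetDc\SYSVOL\$domain"
    $missing = @(); $different = @()
    foreach ($f in (Get-ChildItem -LiteralPath $src -Recurse -File)) {
        $rel  = $f.FullName.Substring($src.Length).TrimStart('\')
        $peer = "$dst\$rel"
        if (-not (Test-Path -LiteralPath $peer)) { $missing += $rel; continue }
        $h1 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath $peer -Algorithm SHA256).Hash
        if ($h1 -ne $h2) { $different += $rel }
    }
    [pscustomobject]@{
        Missing   = $missing
        Different = $different
        Ok        = (($missing.Count + $different.Count) -eq 0)
    }
}

# Check 3: after the old server is demoted and powered off, nothing should be
# left behind: no server object under CN=Sites (which carries the NTDS Settings
# child), no computer account, and no entry in the DC list.
function Find-StaleDcMetadata {
    param([string]$DcName)
    $config = (Get-ADRootDSE).configurationNamingContext
    $leftovers = @()
    $srv = Get-ADObject -SearchBase "CN=Sites,$config" `
                        -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    foreach ($s in @($srv)) { $leftovers += "Sites and Services: $($s.DistinguishedName)" }
    $comp = Get-ADComputer -LDAPFilter "(cn=$DcName)" -ErrorAction SilentlyContinue
    foreach ($c in @($comp)) { $leftovers += "Computer account: $($c.DistinguishedName)" }
    $dc = Get-ADDomainController -Filter "Name -eq '$DcName'" -ErrorAction SilentlyContinue
    foreach ($d in @($dc)) { $leftovers += "Still listed as DC: $($d.HostName)" }
    return $leftovers
}

# Usage, following the order of the procedure in the post:
# after DCPROMO of the new server, before demoting the old one
if (-not (Test-ReplicationConverged -Server $NewDc)) {
    throw "Replication to $NewDc has not converged; do not demote $OldDc yet"
}
$sv = Compare-Sysvol -SourceDc $OldDc -TargetDc $NewDc
if (-not $sv.Ok) {
    Write-Warning "SYSVOL mismatch: $($sv.Missing.Count) missing, $($sv.Different.Count) differ"
}
# after DCPROMO to demote the old server and powering it off: expect no output
Find-StaleDcMetadata -DcName $OldDc
```

The same three functions apply unchanged to the second half of the swing (rebuilt old server back in, temporary new server out); only the two hostnames swap roles. Note that the SYSVOL comparison only confirms that what was on the suspect DC has been copied, so the scripts and policies themselves still deserve a look before they are trusted on the rebuilt domain.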