RE: w2k server compromised
From: Thomas Cameron (ThomasC@mip.com)
Date: 01/24/03
- Previous message: Ed Sunder: "Re: Stopping Admin Alert SPAM"
- Maybe in reply to: Dan Uscatu: "w2k server compromised"
- Next in thread: Laura A. Robinson: "RE: w2k server compromised"
- Reply: Laura A. Robinson: "RE: w2k server compromised"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Thomas Cameron <ThomasC@mip.com> To: focus-ms@securityfocus.com Date: Fri, 24 Jan 2003 09:40:18 -0600
Don't forget to transfer the FSMO roles to the new server! You can shoot
yourself in the foot if you just power off the old DC without transferring
the FSMO roles.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/distsys/part1/dsgch07.asp
Thomas Cameron, RHCE, CNE, MCSE, MCT
Best Software
-----Original Message-----
From: james@leafgrove.com [mailto:james@leafgrove.com]
Sent: Thursday, January 23, 2003 4:08 PM
To: 'Dan Uscatu'; focus-ms@securityfocus.com
Subject: RE: w2k server compromised
Dan
Regardless of the security implications and reasons of having an apparently
compromised DC you can use the following procedure to get your AD databases
copied:
Build new W2k server box
Harden new server
Use DCPROMO to make it a DC in the current domain/forest
Await replication to complete, check by directing AD Users and Computers at
the new server. Check your login scripts and policies have also come across
by looking in SYSVOL
DCPROMO old server to remove DC functionality
Power off old server
Remove entries in Sites and Services relating to the old server if still there
Remove old server computer account
Rebuild old server
Harden old server
DCPROMO old server to make it a DC in the current domain/forest
Await replication to complete, check by directing AD Users and Computers at
the old server. Check your login scripts and policies have also come across
by looking in SYSVOL
DCPROMO new server to remove DC functionality
Power off new server
Remove entries in Sites and Services relating to the new server if still there
Remove new server computer account
Done
Good luck and don't forget to check the rest of your LAN for pesky malware
Of course if the compromise is AD aware you may not be able to get rid of it
this way, but that is pretty unlikely. Anyone else comment??
Cheers
JamesD
-----Original Message-----
From: Dan Uscatu [mailto:duscatu@lunatech.ro]
Sent: 23 January 2003 08:17
To: focus-ms@securityfocus.com
Subject: w2k server compromised
hey all
I just found one of the w2k servers to be infected and acting very
strangely. Unfortunately it is a domain controller and it has all the
users/computers lists.
How can I export these before reinstall in order to keep the exact same
configuration (everything except passwords of course)? I suppose this could
be useful to be done on a regular basis too...
TIA
For the protection of our internal systems and those of our customers,
MIP/Best Software blocks most email attachments. Please use plain text when
corresponding via email with MIP/Best Software.
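The two checks the thread turns on, that every FSMO role has left the old DC before it is demoted or powered off and that replication (including SYSVOL) to the new DC is clean, can be scripted. The block below is an added example and is not code from any poster on the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) rather than the Windows 2000 tooling the thread is about; on W2K the same steps are the ntdsutil "roles" menu for the transfer and repadmin for the replication check. The server names OLDDC and NEWDC are placeholders.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (Server 2008 R2+); on Windows 2000 the equivalents are ntdsutil
# "roles" for the transfer and repadmin /showrepl for the replication check.
# Placeholder names: OLDDC = the compromised DC, NEWDC = the freshly built DC.
param(
    [string]$OldDc = 'OLDDC',
    [string]$NewDc = 'NEWDC'
)
Import-Module ActiveDirectory

# 1. Which DC holds each of the five FSMO roles right now?
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# 2. Any role still on the old DC is transferred to the new one. Role holders
#    are reported as FQDNs, so match on the short name prefix as well.
$stillOnOld = $roles.GetEnumerator() |
    Where-Object { $_.Value -eq $OldDc -or $_.Value -like "$OldDc.*" } |
    ForEach-Object { $_.Key }
if ($stillOnOld) {
    Write-Host "Transferring $($stillOnOld -join ', ') to $NewDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole $stillOnOld -Confirm:$false
} else {
    Write-Host "No FSMO roles remain on $OldDc"
}

# 3. Replication must be failure-free before the old DC is demoted.
#    repadmin's CSV output has a 'Number of Failures' column per partner/NC.
$repl   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $repl | Where-Object { $_.'Number of Failures' -ne '0' }
if ($failed) {
    $failed | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status'
    throw 'Replication failures present; do not demote the old DC yet.'
}

# 4. Login scripts and policies should already be in SYSVOL on the new DC.
$sysvol = "\\$NewDc\SYSVOL\$($domain.DNSRoot)"
Get-ChildItem "$sysvol\scripts", "$sysvol\Policies" -ErrorAction Stop |
    Select-Object FullName
```

Run it from a member workstation or the new DC with Domain Admin rights before the "DCPROMO old server to remove DC functionality" step; if step 3 throws, fix replication first rather than proceeding, since a half-replicated directory is what the procedure is meant to avoid.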