RE: w2k server compromised

From: James D. Stallard (james@leafgrove.com)
Date: 01/24/03

    From: james@leafgrove.com (James D. Stallard)
    To: "'Ronald Balk'" <rbalk@borland.com>, "'Dan Uscatu'" <duscatu@lunatech.ro>, <focus-ms@securityfocus.com>
    Date: Fri, 24 Jan 2003 17:50:37 -0000
    
    

    Ronald/Dan

    Very good point there, however if you follow the procedure then DCPROMO
    will do that for you (thankfully). Laura posted a good export/import
    fix, but as she rightly says, this will not bring the SIDs across and
    therefore Dan would have to re-ACL everything again. Pretty unpleasant,
    but very nice and clean afterwards!

    I have asked around our W2k chaps here and everyone agrees, if the AD is
    not damaged by the compromise, then a second DC is the way to go.

    HTH

    JamesD

    -----Original Message-----
    From: Ronald Balk [mailto:rbalk@borland.com]
    Sent: 24 January 2003 15:12
    To: James D. Stallard; Dan Uscatu; focus-ms@securityfocus.com
    Subject: RE: w2k server compromised

    Don't forget to move the "Operation Masters Roles" to the new DC .. !

    -----Original Message-----
    From: James D. Stallard [mailto:james@leafgrove.com]
    Sent: 23 January 2003 23:08
    To: 'Dan Uscatu'; focus-ms@securityfocus.com
    Subject: RE: w2k server compromised

    Dan

    Regardless of the security implications and reasons of having an
    apparently compromised DC you can use the following procedure to get your
    AD databases copied:

    Build new W2k server box
    Harden new server
    Use DCPROMO to make it a DC in the current domain/forest
    Await replication to complete, check by directing AD Users and Computers
    at the new server. Check your login scripts and policies have also come
    across by looking in SYSVOL
    DCPROMO old server to remove DC functionality
    Power off old server
    Remove entries in Sites and Services relating to the old server if still
    there
    Remove old server computer account
    Rebuild old server
    Harden old server
    DCPROMO old server to make it a DC in the current domain/forest
    Await replication to complete, check by directing AD Users and Computers
    at the old server. Check your login scripts and policies have also come
    across by looking in SYSVOL
    DCPROMO new server to remove DC functionality
    Power off new server
    Remove entries in Sites and Services relating to the new server if still
    there
    Remove new server computer account
    Done

    Good luck and don't forget to check the rest of your LAN for pesky
    malware. Of course if the compromise is AD aware you may not be able to
    get rid of it this way, but that is pretty unlikely. Anyone else comment??

    Cheers

    JamesD

    -----Original Message-----
    From: Dan Uscatu [mailto:duscatu@lunatech.ro]
    Sent: 23 January 2003 08:17
    To: focus-ms@securityfocus.com
    Subject: w2k server compromised

    hey all

    I just found one of the w2k servers to be infected and acting very
    strangely. Unfortunately it is a domain controller and it has all the
    users/computers lists.

    How can I export these before reinstall in order to keep the exact same
    configuration (everything except passwords of course)? I suppose this
    could be useful to be done on a regular basis too...

    TIA
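The procedure James describes (stand up a second DC, wait for replication, demote and rebuild the compromised one), Ronald's reminder about the operations master roles, and the point about SIDs surviving replication but not an export/import all amount to a pre-demotion checklist. The PowerShell below is an added example written for this page; it was not posted in the thread. It assumes the ActiveDirectory module from RSAT on Windows Server 2012 or later (the Windows 2000 era tools for the same checks were repadmin, dcdiag and ntdsutil), and $OldDc, $NewDc and $SampleUser are placeholders you supply.

```powershell
<#
  Added example (not from the thread): checks to run against the replacement
  DC before the compromised DC is demoted with dcpromo. Assumes the
  ActiveDirectory module (RSAT, Windows Server 2012 or later); $OldDc, $NewDc
  and $SampleUser are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $OldDc,     # compromised DC being retired
    [Parameter(Mandatory)] [string] $NewDc,     # freshly built, hardened replacement
    [string] $SampleUser = 'someuser',          # any existing account, used for a SID spot-check
    [switch] $MoveRoles                         # transfer FSMO roles instead of only reporting them
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest
$ok = $true

# 1. Inbound replication to the new DC must have completed cleanly.
$partners = Get-ADReplicationPartnerMetadata -Target $NewDc -Scope Server
foreach ($p in $partners) {
    $age = (Get-Date) - $p.LastReplicationSuccess
    if ($p.LastReplicationResult -ne 0 -or $age.TotalHours -gt 1) {
        Write-Warning ("Replication from {0} ({1}): result {2}, last success {3}" -f
            $p.Partner, $p.Partition, $p.LastReplicationResult, $p.LastReplicationSuccess)
        $ok = $false
    }
}

# 2. Once replication has converged both DCs should hold the same user objects.
$oldCount = @(Get-ADUser -Filter * -Server $OldDc).Count
$newCount = @(Get-ADUser -Filter * -Server $NewDc).Count
if ($oldCount -ne $newCount) {
    Write-Warning "User count differs: $OldDc=$oldCount, $NewDc=$newCount"
    $ok = $false
}

# 3. SIDs come across with replication (unlike an export/import), so existing ACLs keep working.
$sidOld = (Get-ADUser -Identity $SampleUser -Server $OldDc).SID.Value
$sidNew = (Get-ADUser -Identity $SampleUser -Server $NewDc).SID.Value
if ($sidOld -ne $sidNew) { Write-Warning "SID mismatch for $SampleUser"; $ok = $false }
else { Write-Host "SID preserved for ${SampleUser}: $sidNew" }

# 4. Login scripts and policies live in SYSVOL; confirm the replica has them.
$sysvol = "\\$NewDc\SYSVOL\$($domain.DNSRoot)"
foreach ($sub in 'scripts', 'Policies') {
    $path = Join-Path $sysvol $sub
    if (-not (Test-Path $path)) { Write-Warning "Missing on new DC: $path"; $ok = $false }
}

# 5. Operations master roles still held by the old DC must be transferred before it is demoted.
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$toMove = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDc*" } | ForEach-Object { $_.Key })
if ($toMove.Count -gt 0) {
    Write-Host "Roles held by ${OldDc}: $($toMove -join ', ')"
    if ($MoveRoles) {
        # Ordinary transfer while the old DC is still online; -Force (seizure) is deliberately not used.
        Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $toMove -Confirm:$false
    } else {
        Write-Warning "Re-run with -MoveRoles to transfer them to $NewDc"
        $ok = $false
    }
}

if ($ok) { Write-Host "Checks passed: $OldDc can be demoted and rebuilt." }
else     { Write-Warning "Do not demote $OldDc yet." }
```

Run it once without -MoveRoles to see what would block the demotion, then with -MoveRoles to transfer the roles; the same script applies in reverse at the end of the procedure, with the rebuilt server as $NewDc and the temporary DC as $OldDc.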


