RE: w2k server compromised

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 01/24/03

    From: "Laura A. Robinson" <larobins@bellatlantic.net>
    To: "'Thomas Cameron'" <ThomasC@mip.com>, <focus-ms@securityfocus.com>
    Date: Fri, 24 Jan 2003 16:19:07 -0500
    
    

    This is a good point, but since the server will be reformatted or otherwise
    murdered, it is a simple procedure to seize the roles on the other DC. I do
    agree that it's really something that should be done beforehand, however.

    Laura

    > -----Original Message-----
    > From: Thomas Cameron [mailto:ThomasC@mip.com]
    > Sent: Friday, January 24, 2003 10:40 AM
    > To: focus-ms@securityfocus.com
    > Subject: RE: w2k server compromised
    >
    >
    > Don't forget to transfer the FSMO roles to the new server!
    > You can shoot yourself in the foot if you just power off the
    > old DC without transferring the FSMO roles.
    >
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/distsys/part1/dsgch07.asp
    >
    > Thomas Cameron, RHCE, CNE, MCSE, MCT
    > Best Software
    >
    > -----Original Message-----
    > From: james@leafgrove.com [mailto:james@leafgrove.com]
    > Sent: Thursday, January 23, 2003 4:08 PM
    > To: 'Dan Uscatu'; focus-ms@securityfocus.com
    > Subject: RE: w2k server compromised
    >
    >
    > Dan
    >
    > Regardless of the security implications and reasons of having
    > an apparently compromised DC, you can use the following
    > procedure to get your AD databases copied:
    >
    > Build new W2k server box
    > Harden new server
    > Use DCPROMO to make it a DC in the current domain/forest
    > Await replication to complete; check by directing AD Users
    > and Computers at the new server. Check your login scripts and
    > policies have also come across by looking in SYSVOL
    > DCPROMO old server to remove DC functionality
    > Power off old server
    > Remove entries in Sites and Services relating to the old
    > server if still there
    > Remove old server computer account
    > Rebuild old server
    > Harden old server
    > DCPROMO old server to make it a DC in the current domain/forest
    > Await replication to complete; check by directing AD Users
    > and Computers at the old server. Check your login scripts and
    > policies have also come across by looking in SYSVOL
    > DCPROMO new server to remove DC functionality
    > Power off new server
    > Remove entries in Sites and Services relating to the new
    > server if still there
    > Remove new server computer account
    > Done
    >
    > Good luck, and don't forget to check the rest of your LAN for
    > pesky malware. Of course, if the compromise is AD aware you may
    > not be able to get rid of it this way, but that is pretty
    > unlikely. Anyone else comment??
    >
    > Cheers
    >
    > JamesD
    >
    > -----Original Message-----
    > From: Dan Uscatu [mailto:duscatu@lunatech.ro]
    > Sent: 23 January 2003 08:17
    > To: focus-ms@securityfocus.com
    > Subject: w2k server compromised
    >
    >
    > hey all
    >
    > I just found one of the w2k servers to be infected and acting
    > very strangely. Unfortunately it is a domain controller and
    > it has all the users/computers lists.
    >
    > How can I export these before reinstall in order to keep the
    > exact same configuration (everything except passwords, of
    > course)? I suppose this could be useful to do on a
    > regular basis too...
    >
    > TIA
    >

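The cut-over the thread describes (promote a freshly built DC, move the FSMO roles off the compromised one before it is powered off, confirm replication and SYSVOL, then retire it), with Dan's export question folded in, as an added PowerShell example; it is not code from any poster. It assumes the ActiveDirectory PowerShell module, which postdates Windows 2000 (the Windows 2000 tools for the same steps, ntdsutil, repadmin from the Support Tools and ldifde, are noted in comments), and the DC names and export path are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from any poster in this thread. $NewDc, $OldDc and
# $ExportDir are placeholders. The ActiveDirectory module postdates Windows 2000;
# the Windows 2000 equivalents (ntdsutil, repadmin, ldifde) are noted below.
param(
    [string]$NewDc     = 'DC02',        # freshly built, hardened, promoted DC
    [string]$OldDc     = 'DC01',        # the compromised DC being retired
    [string]$ExportDir = 'C:\ADExport'  # where the ldifde baseline is written
)

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Who holds the five operations master (FSMO) roles right now.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# 2. Any role still on the old DC must move before it is powered off
#    (Thomas's point); otherwise the domain loses that role with it.
$toMove = @($roles.GetEnumerator() |
    Where-Object { $_.Value -eq $OldDc -or $_.Value -like "$OldDc.*" } |
    ForEach-Object { $_.Key })

if ($toMove.Count -gt 0) {
    # Transfer is a clean handover and needs the old DC online. If it is already
    # dead, or you will not let it touch the directory again, -Force seizes the
    # roles instead (Laura's point); a seized-from DC must never return as a DC.
    $oldAlive = Test-Connection -ComputerName $OldDc -Count 1 -Quiet
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole $toMove -Force:(-not $oldAlive) -Confirm:$false
    # Windows 2000: ntdsutil > roles > connections > "connect to server DC02" > q,
    # then "transfer PDC" (or "seize PDC"), "transfer RID master", and so on.
}

# 3. Replication status of the new DC. Any error/failed line means its copy of
#    the directory is not yet complete, so do not demote the old DC yet.
repadmin /showrepl $NewDc | Select-String -Pattern 'last attempt|error|fail'

# 4. Logon scripts and GPO templates live in SYSVOL and travel by FRS, not by
#    AD replication, so check them separately (JamesD's "look in SYSVOL" step).
$sysvol   = "\\$NewDc\SYSVOL\$($domain.DNSRoot)"
$scripts  = @(Get-ChildItem -Path "$sysvol\scripts"  -Recurse -File)
$policies = @(Get-ChildItem -Path "$sysvol\Policies" -Directory)
'{0} script files, {1} GPO folders replicated to {2}' -f $scripts.Count, $policies.Count, $NewDc

# 5. Dan's export: a password-free LDIF snapshot of users, computers and groups
#    (unicodePwd is never returned by an LDAP read). -m drops system-owned
#    attributes so the files can be diffed or re-imported; run this on a schedule.
New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
$base = $domain.DistinguishedName
ldifde -f "$ExportDir\users.ldf"     -s $NewDc -d $base -r '(&(objectCategory=person)(objectClass=user))' -m
ldifde -f "$ExportDir\computers.ldf" -s $NewDc -d $base -r '(objectClass=computer)' -m
ldifde -f "$ExportDir\groups.ldf"    -s $NewDc -d $base -r '(objectClass=group)' -m

# If the old DC was powered off without a clean DCPROMO demotion, its NTDS
# Settings object and computer account stay behind; on Windows 2000 remove them
# with ntdsutil "metadata cleanup" before reusing the name.
```

Take the step 5 export once from the compromised DC as well, before anything is replicated: replication copies whatever the attacker wrote into the directory (extra accounts, group memberships, ACL or GPO changes), which is the "AD aware" case JamesD mentions, and a diff of the two snapshots is the quickest way to spot it.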

