Re: Windows 2003 remote admin access



Hello Roger,

Thanks for clarifying your points on this one.

Unfortunately the only reason this guy has admin rights is a political one.
My standpoint is that he doesn't need admin rights to this new install but
as he's higher up in the company he has the Director's backing to have full
admin rights to all of our kit. The uploading of scripts theory to IIS is
interesting as he does have (and need) at least Advanced Author rights to
the websites hosted on this box. There are areas that will allow script and
execute. I think I will need to monitor the upload and deletion activity
for the IIS webs to see if this is indeed what's happening?

Many thanks for your help on this one.

Regards,
John

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ut0IPYSnGHA.376@xxxxxxxxxxxxxxxxxxxxxxx
John,
I think that prior post ended up sounding confusing.
What I was intending to say is that if indeed the firewall is
only allowing those ports and the state of what is installed
as stated is correct, then you have to look for how it could
be done over the ports that are allowed.
IIS ftp will contain its usage to areas within ftp defined as vdirs,
while this is possibly also true for w3svc websites depending
on the config and whether parent paths are enabled.
If posting of web content to areas enabled for script or for
execute privilege is allowed, then it is possible to load any
code within limits of whether script or execute is allowed in
the area. If there are web areas that are set to not allow
anonymous access then code placed there would be triggered
by browsing to run as the account that authenticates for the
browsing. etc. There is code one could place there that is
intended for remote management of some aspects of the
server, and/or, of the IIS install as one example, or simple
asp could be used to walk around in the filesystem outside
of the vdir areas defined to IIS. Etc.

I have to ask. Why is this account an admin anyway?
It seems not needed if there were really no way to use
the admin privs. But if there was a need with a way to
use the privs, then perhaps that is where you should
begin looking.

"John Collins" <jc1998@xxxxxxxxx> wrote in message
news:e82m6l$g02$1@xxxxxxxxxxxxxxxxxxxxxx
Hello Roger,

The server sits behind a hardware firewall which is only allowing those
particular ports inbound so access on any other ports shouldn't be
possible. The user does have HTTP and FTP web authoring access but this
should (as I understand it) only be for the areas defined in IIS under
the website and FTP sites? DCOM proxying certainly hasn't been enabled
manually by myself. I'm assuming that this wouldn't be enabled by
default? How can I check to see if it is enabled and if so how can this
be used to gain access?

Many thanks,
John

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:Oi%239fQ%23mGHA.3544@xxxxxxxxxxxxxxxxxxxxxxx
Are they allowed to author web content ? particularly if it is in
an IIS defined application area ??
Has DCOM proxying over HTTP been enabled ?
How are you certain that there are no other allowed ports ?


"John Collins" <jc1998@xxxxxxxxx> wrote in message
news:e80ucu$d86$1@xxxxxxxxxxxxxxxxxxxxxx
Hello,

I have a query which is only apparent due to politics in the work
place. On a technical level I can quite easily stop this issue but am
intrigued as to how this can be happening?..

One of our Windows 2003 servers is being accessed by a user who does
have an administrator account, but does not have local access to the
server. From outside the local network the only permitted inbound
access is for HTTP, HTTPS, SMTP and FTP, all using the standard ports.
There is no remote access software installed, e.g. Remote Desktop,
NetOp etc. How can it be possible for files to be added / removed,
permissions changed etc on this server via these protocols? (Obviously
the user can interact with the services that are provided, but things
are changing outside of these locations).

Any ideas at all, anyone?

Thanks,
John
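
The upload and deletion monitoring proposed in the latest reply, as an added example that is not part of the thread: it reads IIS W3C-format HTTP and FTP log lines and lists successful content changes, marking those that place or remove a server-executable file. The sample records, account names, extension list and the assumption that FTP uploads are logged as "created" are constructed for illustration.

```python
import re

# Verbs that change content: HTTP/WebDAV writes plus the verbs IIS FTP logs record.
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "CREATED", "STOR", "DELE", "RNTO"}
# Extensions IIS may run server-side where script/execute is allowed (assumed list).
ACTIVE_EXT = (".asp", ".asa", ".aspx", ".ashx", ".cer", ".exe", ".dll", ".cgi", ".pl")

def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent #Fields: header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def content_changes(lines):
    """Return (when, user, verb, path, active) for each successful write-type request."""
    hits = []
    for rec in parse_w3c(lines):
        # IIS FTP logs prefix the verb with a session id, e.g. "[7]DELE".
        verb = re.sub(r"^\[\d+\]", "", rec.get("cs-method", "")).upper()
        path = rec.get("cs-uri-stem", "")
        # FrontPage authoring shows up as POSTs to the _vti_bin endpoint.
        frontpage = verb == "POST" and "/_vti_bin/" in path.lower()
        if not (verb in WRITE_VERBS or frontpage):
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue  # refused or failed attempt
        active = not frontpage and path.lower().endswith(ACTIVE_EXT)
        when = rec.get("date", "") + " " + rec.get("time", "")
        hits.append((when, rec.get("cs-username", "-"), verb, path, active))
    return hits

# Constructed sample: HTTP and FTP records merged under one field list.
SAMPLE = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2006-07-01 10:00:01 GET /default.asp - 192.0.2.10 200
2006-07-01 10:02:13 PUT /scripts/tool.asp EXAMPLE\\author1 192.0.2.10 201
2006-07-01 10:03:40 POST /_vti_bin/_vti_aut/author.dll EXAMPLE\\author1 192.0.2.10 200
2006-07-01 10:05:02 [7]created /images/logo.gif author1 192.0.2.10 226
2006-07-01 10:06:19 [7]DELE /scripts/old.asp author1 192.0.2.10 250
2006-07-01 10:07:00 PUT /scripts/x.asp - 192.0.2.11 403
""".splitlines()

if __name__ == "__main__":
    for hit in content_changes(SAMPLE):
        print(hit)
```

FrontPage authoring POSTs do not record the name of the file that was changed, so those hits only show that authoring took place; file-system auditing on the content directories is needed to see which files were touched.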








