Re: Security - Compromised!
From: Steven L Umbach (n9rou_at_attbi.com)
Date: 05/24/03
- Next message: J.J.J. Schmidt: "Re: Group Policy"
- Previous message: Alexander: "Re: Group Policy"
- In reply to: John J.: "Security - Compromised!"
- Next in thread: John J.: "Re: Security - Compromised!"
- Reply: John J.: "Re: Security - Compromised!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 24 May 2003 20:24:09 GMT
It is hard to say if the new server will be compromised. I would say
it would be worth a try. First thing is you need to find out why this all
happened and take measures to prevent it in the future before you try to
rebuild anything (I am sure this is nothing new to you, but I feel I should
never assume anything). Usually it boils down to poor control at the
perimeter, lack of up to date virus protection, failure to keep up to date
patches/service packs, lack of physical security, excessive user rights and
permissions, lazy/inept and too many administrators, poor account/password
policy, abuse of internet privileges, no/inadequate/unenforced employee
policy, no auditing/intrusion detection, etc. So I would say top things are
to have properly configured firewall (test with external security scanner)
that controls inbound AND outbound access, virus control on everything that
scans in/out email (unplug computers from network while cleansing them),
review all administrator groups for the domain for proper membership and
change passwords, patch/SP all computers, review user status - they should
only be regular users and not have administrator/power user access to their
computers unless absolutely necessary, review physical security/availability
of boot devices on all computers, harden/lockdown/remove unauthorized
software from workstations including securing Internet Explorer settings,
perform Security and Configuration Analysis mmc snap-in on a domain
controller against setup security template and review results carefully -
if these have been weakened they will be propagated to any new domain
controller. Changes could have been made at domain or domain controller
level. Implement/update to a strict user policy with consequences and
enforce it - refer to HR and Legal dept for help on this. Visit TechNet home
page and select security on the left for a lot of good and free info on how
to secure your network including printable guides and checklists.
http://www.microsoft.com/technet/
Assuming you have made good progress on all that you could try to
rebuild your domain controllers - if you were able to clean existing ones
from virus/trojans and they have been updated and patched. You state you
want to attempt to start out building a pristine domain controller that will
have the fsmo roles. I would suggest building that server offline and apply
all service packs, hotfixes, and up to date antivirus software. Then disable
unneeded services. I would suggest disabling these if they are installed
while documenting changes - ftp, snmp, telnet, and World Wide Web
publishing. Run Microsoft Baseline Security Analyzer on it. You will need to
configure it to point to another dc for dns before running the dcpromo
process. I would also suggest doing the dcpromo at a time when all or most
other non essential computers are shut down. It might be worth a try to
configure an ipsec filtering policy (or software firewall - but I think that
would be more difficult) that would allow your new computer to communicate
only with other domain controllers during the dcpromo process - in other
words a default block rule and explicit allow rules for all traffic to from
domain controllers based on ip addresses. I mentioned running SCA tool
against setup security template. This is important to do before the dcpromo
process to make sure your new dc is not vulnerable right away. You will need
to check domain and domain controller security policy and reconfigure any
weaknesses - for instance there is a user right for taking ownership of
files. Can you imagine if a virus/trojan/hacker added the users group to
that? By default domain policy only has configurations for account
policies, and domain controller policy only has configurations for user
rights. If you see any configurations for registry, file system, or services
I would be very suspicious and examine carefully and document any changes.
When looking at user rights, by default there are no individual users (other
than administrator) and you should not see guest anywhere.
http://www.securityfocus.com/infocus/1649
When you are confident that the other domain controllers are secured and
clean it would be time to run dcpromo on your new server. After running
dcpromo and rebooting, give it five minutes to "get up to date" and check
event viewer for any problems and transfer the fsmo roles. Then I would run
a virus scan on it right away to see what it reports. If all looks good then
immediately back up the system state to have a clean copy in case you need
to do it over again. To allow it to be a domain controller to domain
computers you would need to disable ipsec policy or firewall if you decided
to use it while running dcpromo. Good luck. --- Steve
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#virus
"John J." <lgm_rambone@hotmail.com> wrote in message
news:uQD15HVIDHA.3280@tk2msftngp13.phx.gbl...
> Hello,
>
> I've started a new job (7th day on the job) in a 2000
> envi, but my experience is mostly NT 4.0. This company is
> heavily infected with a dozen different viruses and trojans.
> We've purchased Virus Software for the exchange server,
> regular servers, and desktops. I consider this network
> 100% compromised and unsecured. The servers are missing
> hot fixes and patches.
>
> I want to rebuild the network, but can't decide on the
> best way to go.
>
> I was thinking of building a new DC get service packs, hot
> fixes, iis lockdown, and virus protection and bring it up
> on the current network then transfer all the FSMO roles to
> this server. It's much easier than a building a new
> forest, but I don't know if I could say this server will
> be secure. Would this new server be considered still
> compromised, since it is going to be placed on the same
> network?
>
> Thoughts? Ideas?
>
>
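The policy review Steve describes (look for registry, file system or service settings that a default domain or domain controller policy would not carry, and for Guest, Users/Everyone or individual accounts holding rights such as take ownership) can be turned into a repeatable check against a `secedit /export /cfg` file. The following is an added example for this archive page, not code from the thread or from Microsoft; the export text it parses is constructed (the domain SID in it is made up), the list of "sensitive" rights is the example's own assumption, and the well-known SIDs are the fixed Windows values.

```python
"""Audit a Windows security policy export (secedit .inf) for the weaknesses
the post tells you to look for: registry/file/service sections in a domain
or DC policy, and Guest, broad groups or individual accounts holding
sensitive user rights.

Constructed example, not from the original post.  Export the effective
policy on a domain controller with
    secedit /export /cfg dcpolicy.inf
and pass the file contents to audit_policy().
"""
import re

# Per the post: a default domain policy carries only account policies and a
# default domain controller policy only user rights, so these sections in
# either one are a red flag.
SUSPICIOUS_SECTIONS = {"Registry Keys", "File Security", "Service General Setting"}

# Rights that broad groups should never hold on a DC.  This set is an
# assumption made for the example; extend it to taste.
SENSITIVE_RIGHTS = {
    "SeTakeOwnershipPrivilege", "SeDebugPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeInteractiveLogonRight", "SeSecurityPrivilege",
}

# Well-known SIDs of broad groups (identical on every Windows install).
BROAD_GROUPS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
}

# Domain SIDs end in a RID: 500 Administrator, 501 Guest, 514 Domain Guests,
# 1000 and up anything created after the domain was built.
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_inf(text):
    """Return {section: [raw lines]} for a secedit-style .inf file."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def classify_principal(principal):
    """Return (kind, description) if a principal is worth flagging, else None."""
    sid = principal.strip().lstrip("*")  # secedit prefixes SIDs with '*'
    if sid in BROAD_GROUPS:
        return "broad", BROAD_GROUPS[sid]
    match = DOMAIN_SID.match(sid)
    if match:
        rid = int(match.group(1))
        if rid in (501, 514):
            return "guest", "Guest account/group (RID %d)" % rid
        if rid >= 1000:
            return "custom", "non-built-in account or group (RID %d)" % rid
    return None


def audit_policy(text):
    """Return a list of findings; an empty list means nothing stood out."""
    sections = parse_inf(text)
    findings = []
    for name in sorted(SUSPICIOUS_SECTIONS & set(sections)):
        findings.append({
            "kind": "section", "item": name, "principal": "",
            "reason": "%d entries; not present in a default domain/DC policy"
                      % len(sections[name]),
        })
    for line in sections.get("Privilege Rights", []):
        right, _, value = line.partition("=")
        right = right.strip()
        for principal in value.split(","):
            if not principal.strip():
                continue
            hit = classify_principal(principal)
            if hit is None:
                continue
            kind, desc = hit
            # Broad groups are normal on some rights (Everyone has network
            # logon by default), so only flag them on the sensitive ones.
            if kind == "broad" and right not in SENSITIVE_RIGHTS:
                continue
            findings.append({
                "kind": "right", "item": right,
                "principal": principal.strip().lstrip("*"), "reason": desc,
            })
    return findings


# Constructed export from a hypothetical tampered DC (domain SID is made up).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-501
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Service General Setting]
"Telnet",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_EXPORT):
        print("%-8s %-26s %-32s %s" % (f["kind"], f["item"], f["principal"], f["reason"]))
```

Run against the constructed export it reports four items: the Service General Setting section, Users holding take ownership, the Guest account holding interactive logon, and a RID 1105 account holding debug. Everyone on network logon and Backup Operators on backup are left alone because those are default assignments; as the post says, compare the rest against a known-good export and document anything you change.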