Re: Possible inside security breach

From: Paul Adare - MVP - Microsoft Virtual PC (padare_at_newsguy.com)
Date: 08/28/04


Date: Sat, 28 Aug 2004 05:21:20 -0400

In article <1c8f01c48cde$b45f7680$a501280a@phx.gbl>, in the
microsoft.public.win2000.security news group, G. Lentz
<anonymous@discussions.microsoft.com> says...

> 1) I need to clarify that only an account with
> Administrative privileges can create new user and
> computer accounts in an AD domain?

User accounts yes, computer accounts, no. This, to be quite honest, is a
pretty basic AD concept, and I'd certainly expect any consultant working
for me (that was doing anything at all with AD) to know this. In AD,
every domain user account can add 10 workstations to the domain. Since
the person in question obviously already has a domain user account, it
is really just a matter of connecting to the domain through the VPN, and
then adding his computer to the domain.

>
> 2) Any possible ideas on how the hell they could have
> done this? Don't need specifics, just could/can it be
> done? I understand by the user having VPN access to the
> network he basically had a key so to speak, allowing them
> to bypass the normal things that discourage external
> attacks (i.e. firewalls).

See above. If this wasn't supposed to be allowed, it certainly wasn't
the contractor's fault. It was whoever set up the remote access and
allowed this to happen.

>
> I am going to try and speak to the client principal that
> if they circumvented network security, then his network
> is basically open at this point. Unfortunately the
> principal is high on this person and their abilities so I
> may be creating an acrimonious situation by bringing it up.
> My thinking is I don't want to be blamed for something
> down the line as I feel I no longer have control over the
> network. Thanks.

Again, as above. Given what you've told of the story here, you _are_
responsible for this situation already.

-- 
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
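The default quota Paul refers to is the domain's ms-DS-MachineAccountQuota attribute (10 by default), and AD records the creator of a quota-joined computer account in mS-DS-CreatorSID. The following is an added defender-side example, not code from the thread; it assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session with read access (the final remediation step needs Domain Admins and is a dry run via -WhatIf).

```powershell
# Added example: audit the self-service workstation join quota and list the
# computer accounts that were created under it, so an admin can see who has
# joined machines without delegated rights. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# ms-DS-MachineAccountQuota is stored on the domain naming context head.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota (default is 10)"

# Computer objects joined by an ordinary user under the quota carry that
# user's SID in mS-DS-CreatorSID; accounts created with delegated/admin rights
# leave the attribute empty, so a non-empty value marks a quota-based join.
$quotaJoined = foreach ($c in Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated) {
    $raw = $c.'mS-DS-CreatorSID'
    if (-not $raw) { continue }

    # The attribute comes back as a binary SID; decode and try to resolve it.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = '<unresolved>' }   # deleted or foreign-domain account

    [pscustomobject]@{
        Computer    = $c.Name
        WhenCreated = $c.whenCreated
        CreatorSID  = $sid.Value
        Creator     = $creator
    }
}

Write-Host "`nComputer accounts created under the quota (newest first):"
$quotaJoined | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# Remediation (Domain Admins): set the quota to 0 so only accounts with
# explicitly delegated "Create Computer objects" rights can join machines.
# Remove -WhatIf to apply the change.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

Any entry in the resulting table whose Creator is not an expected provisioning account is worth following up, since it is exactly the path described in the post: a plain domain user joining a machine over remote access.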

