Re: Security Breach in AD! Help!

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 02/07/05


Date: Mon, 7 Feb 2005 15:47:05 -0600

For the domain, check the membership of the Administrators, Domain Admins, and
Enterprise Admins groups. Make sure it is what it is supposed to be, and if
there are any non-default groups as members of these groups, evaluate why they
are there and check their memberships. Reset the passwords on every user
account [including yours and your boss's] in any of those groups. Make sure you
are using hard-to-guess passwords. Also enable auditing of account logon for
success and failure and account management for success and failure in Domain
Controller Security Policy. Auditing of account management will tell you if
group membership has been changed [by normal means] and by whom. You can also
look and see when any user has logged onto the domain and from what computer.
Be sure to increase the size of your security logs quite a bit, to say at least
10 MB. You can use the filter view in Event Viewer or EventComb to narrow
searches.

Check all of your GPOs at the domain and domain controller level to see if
"Restricted Groups" is configured in a way that could cause such a problem, and
also check any GPO that can apply to domain controllers, and the Local Security
Policy of each, for any startup scripts that may be used to add accounts to the
Administrators/Domain Admins groups. Gpresult /v on the domain controllers can
help you do so. Also check Scheduled Tasks and the AT command on each domain
controller for anything unusual. If you are using a domain account that is in
the Administrators/Domain Admins group for any service authentication in the
domain, that account's password is easily recovered from any domain computer
using that account, so check that out as a possibility.

Your domain controllers must be physically secured to some degree, or someone
could obtain passwords from them. If nothing else, a sturdy locking case that
blocks access to the drives must be used. Configure the CMOS of your domain
controllers to boot only from the system drive and password-protect the CMOS
settings. Also disable USB on the domain controllers in CMOS if not needed.
Another possibility is that your passwords are being captured by keyboard
loggers installed on computers that you use. These can be hardware plugged
into the back of the computer keyboard port or in the keyboard cable, or
installed as software. Some programs such as Pest Patrol do a pretty good job
of checking for software keyboard loggers. The Microsoft Spyware program will
check for many also. Be VERY careful on what computers you use domain admin
credentials on. Spy cameras are another way to try and capture user
credentials. Note that telnet connections may be in clear text and ftp
connections will be in clear text, so be careful when you use admin
credentials.

I would also examine the domain controllers very carefully and do full malware
scans with at least two different products. Trend Micro has the free Sysclean
package, which I would use also along with its matching pattern file. Use the
free tools from SysInternals - TCPView, Autoruns, and Process Explorer - to
examine port usage and process usage on your domain controllers. Be extremely
suspicious of any remote control software, processes that map to an executable
that does not have a publisher name associated with it, and any process that is
not related to anything that should be running on the domain controller [which
can be hard to do if you do not have a known clean install to compare to].
Check for rootkits by using PsList from SysInternals to compare the processes
running locally to those you see when you check processes running from a
remote computer. Also run the Microsoft Baseline Security Analyzer on your
domain controllers to check for basic vulnerabilities, including unneeded
services and missing critical updates. That should give you a start. The links
below should help. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml -- Link to
SysInternals Process Explorer and other utilities.
http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.microsoft.com/technet/security/bestprac/bpent/sec3/monito.mspx
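One way to automate the first paragraph's checks (privileged group membership against an approved list, plus the account-management audit events that setting produces). This is an added example, not code from Steve's post; it assumes the RSAT ActiveDirectory module, a modern DC (Windows Server 2008+ event IDs), and a constructed placeholder baseline list.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory module,
# Windows Server 2008+ event IDs, and a domain account that can read the DC Security log.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins'
# Placeholder baseline (constructed): the accounts that are supposed to hold these rights.
$ApprovedMembers = @('Administrator', 'todd', 'boss')

foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so a member hidden behind a non-default
    # group (the case the post tells you to look for) still shows up here.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $unexpected = @($members | Where-Object { $ApprovedMembers -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("{0}: unexpected members {1}" -f $group, ($unexpected -join ', '))
    } else {
        Write-Output "$group matches the approved baseline."
    }
}

# Account-management audit events from the last 7 days. On Windows 2000/2003 (the era
# of the post) the equivalent IDs are 624 (user created) and 632/636/660 (member added
# to a global/local/universal group).
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($_.Id -eq 4720) {
        $added = $data['TargetUserName']; $grp = '(new account)'
    } else {
        # For the group-membership events TargetUserName is the group, MemberName the member.
        $added = $data['MemberName'];     $grp = $data['TargetUserName']
    }
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Id    = $_.Id
        Actor = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Added = $added
        Group = $grp
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it on each domain controller, since account-management events are logged on the DC that processed the change, not replicated to the others.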

"Todd" <Todd@discussions.microsoft.com> wrote in message
news:10C4CF0D-C6FB-4678-AFBC-D8DBDEB97003@microsoft.com...
> Hello, my name is Todd and I am an MCP (almost an MCSA-2003) working for a
> Computer Consulting business. One of our clients (our biggest one) has AD
> running and we have had a heck of a time figuring out this problem:
> The only 2 people with administrative permissions on the entire domain are
> my boss (owner of company) and myself. However, we keep finding new users
> that are being created and are being assigned to the built-in Administrators
> group, giving them admin permissions. There appears to be no way to stop
> them. We have changed our Administrator account psw (although I don't think
> this would have helped anyway as the accounts that are being created have
> admin rights...they don't need our account). We have removed all spyware/
> adware and have run virus scans galore (although we periodically still have
> to remove them from the system...even in the past couple of weeks). The only
> ports open are those we are using...it seems to be a secure environment with
> the exception of the ghost administrator running around. We have tried
> deleting the accounts from the default admin group and have disabled the
> accounts. They either reappear after being deleted in a few days or when we
> disable the accounts they return with different names like "1", "2", "skip0"
> and "***".
>
> Has anyone ever heard of a similar problem or hack that we could look for
> that would allow someone without admin rights (or by using a system account
> with those rights) to create admin accounts?
>
> I know this is a complicated one, but this has been going on for over 2
> months and we need help!
>
> Thanks in advance
>
> Todd