Re: Security Breach in AD! Help!

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/08/05


Date: Tue, 8 Feb 2005 00:44:28 -0700

If this has been going on for a couple months, I would suggest that
you consider that the forest is no longer yours. Finding all and any
things that might be running as System can be virtually impossible,
and there may be codes in place by now such that it is trivial for
a normal account to effect elevation.

You said that only the ports you use are open. But how do you
know that is actually so?

As a test, one could isolate the entire system from the internet,
such that the only people accessing the system in any way must
be logging into an internal machine. Then, remove those accounts
and wait. If they do not appear it is a pretty safe bet that what you
think is a port restriction is not what you think. Consider: you
want port 80 open inbound and out - but did you know it is possible
to plant a software layer that gets first crack at what travels in on
the port, decides if it is a special message for it, and if not passes
it on as if it was not there?

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Todd" <Todd@discussions.microsoft.com> wrote in message
news:10C4CF0D-C6FB-4678-AFBC-D8DBDEB97003@microsoft.com...
> Hello, my name is Todd and I am an MCP (almost an MCSA-2003) working for a
> Computer Consulting business.  One of our clients (our biggest one) has AD
> running and we have had a heck of a time figuring out this problem:
>    The only 2 people with administrative permissions on the entire domain are
> my boss (owner of company) and myself.  However, we keep finding new users
> that are being created and are being assigned to the built-in administrators
> group, giving them admin permissions.  There appears to be no way to stop
> them.  We have changed our Administrator account psw (although I don't think
> this would have helped anyway as the accounts that are being created have
> admin rights...they don't need our account).  We have removed all spyware /
> adware and have run virus scans galore (although we periodically still have
> to remove them from the system...even in the past couple of weeks).  The only
> ports open are those we are using...it seems to be a secure environment with
> the exception of the ghost administrator running around.  We have tried
> deleting the accounts from the default admin group and have disabled the
> accounts.  They either reappear after being deleted in a few days or when we
> disable the accounts they return with different names like "1" "2" "skip0"
> and "***".
>
> Has anyone ever heard of a similar problem or hack that we could look for
> that would allow someone without admin rights (or by using a system account
> with those rights) to create admin accounts?
>
> I know this is a complicated one, but this has been going on for over 2
> months and we need help!
>
> Thanks in advance
>
> Todd
>
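The thread above is about accounts that keep reappearing in the built-in Administrators group, and Roger's "remove those accounts and wait" test. The script below is an added example, not code from either poster: it keeps a baseline of privileged-group membership, reports any member that appears or disappears between runs, and pulls the domain controllers' audit events that record who created an account or added a group member, so the "Subject" of the change (a named account, or SYSTEM / a machine account, which would support Roger's suspicion of something running as System) is visible. It assumes a current Windows Server domain with the ActiveDirectory (RSAT) module, remote event-log access to each DC, and account-management auditing enabled; the baseline path `$BaselinePath` and the hypothetical group list are assumptions. The event IDs used are the Windows Server 2008+ ones; on the Windows 2000/2003 domain controllers of the original thread the equivalents are 624 (account created), 632 (member added to global group) and 636 (member added to local group).

```powershell
# Added example (not from the original thread): privileged-group membership
# diff against a stored baseline, plus the audit events behind any change.
# Assumes: ActiveDirectory module, remote Security-log access to each DC,
# account-management auditing turned on. $BaselinePath is an assumed location.
param(
    [string]$BaselinePath = "$env:ProgramData\AdminGroupBaseline.json",
    [string[]]$Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins'),
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory

# Turn an EventRecord's <EventData><Data Name=...> elements into a hashtable,
# so 4720 (TargetUserName = new account) and 4728/4732/4756 (MemberName,
# TargetUserName = group) can be read by field name instead of index.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 1. Snapshot current membership. -Recursive resolves nesting, so a user
#    placed in a group that is itself a member of Administrators is not missed.
$current = @{}
foreach ($g in $Groups) {
    $members = Get-ADGroupMember -Identity $g -Recursive |
        Select-Object -ExpandProperty distinguishedName | Sort-Object
    $current[$g] = @($members)
}

# 2. Compare with the baseline from the previous run and report differences.
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($g in $Groups) {
        $old = @($baseline.$g)
        $new = $current[$g]
        foreach ($m in ($new | Where-Object { $_ -notin $old })) {
            Write-Warning "$g : NEW member since baseline: $m"
        }
        foreach ($m in ($old | Where-Object { $_ -notin $new })) {
            Write-Warning "$g : member removed since baseline: $m"
        }
    }
} else {
    Write-Host "No baseline at $BaselinePath; writing one now. Review it by hand before trusting it."
}
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath

# 3. Pull the audit trail from every DC: who created accounts or added members.
#    4720 = user account created, 4728 = member added to security-enabled global
#    group, 4732 = member added to security-enabled local group (Builtin\
#    Administrators is domain-local), 4756 = member added to universal group.
$since = (Get-Date).AddHours(-$LookbackHours)
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4720, 4728, 4732, 4756
            StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            $d = Get-EventDataMap -Event $_
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Change  = if ($_.Id -eq 4720) { "created account $($d.TargetUserName)" }
                          else { "added $($d.MemberName) to $($d.TargetUserName)" }
            }
        }
    } catch {
        # No matching events in the window also raises an error; report and move on.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}
```

Run it once to write the baseline, then on a schedule (or, following Roger's test, after isolating the network and removing the accounts). A warning from step 2 with no corresponding event in step 3 means either auditing is off on the DC that handled the change or the change was made in a way that bypassed the normal account-management path; both outcomes are worth knowing, and a Subject of SYSTEM or a DC machine account points at code running on the domain controller itself rather than at a stolen user password.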