Re: Security Breach in AD! Help!

From: Roger Abell [MVP] (
Date: 02/09/05

Date: Tue, 8 Feb 2005 22:12:52 -0700

see reply in your new thread . . .
it is computer policy

"Todd" <> wrote in message
> I have a question regarding Restricted Groups...
> I am trying to make the changes that I've set for Restricted Groups to be as
> close to real time as possible. We had another user created today and in
> about 5 minutes the user was removed from the built-in admin group. I have
> changed the default domain policy, the default domain controller policy, and
> the local machine policy all to reflect the following changes trying to make
> this a real time restriction:
> I have enabled the... refresh interval for computers to 0, refresh interval
> for domain controllers to 0 for the computer policies
> as well as the refresh interval for users to 0 for the user policies.
> I obviously do not know what I am doing since I don't know what Group policy
> to apply and on what interface to get my desired results.
> Please help!
> thanks
> Todd
> "Steven L Umbach" wrote:
>> For the domain check the membership of the administrators group, the domain
>> admins, and enterprise admins groups. Make sure it is what it is supposed to
>> be and if there are any non-default groups as members of these groups
>> evaluate why they are there and check their memberships. Reset the passwords
>> on every user account [including yours and your boss's] in any of those
>> groups. Make sure you are using hard to guess passwords. Also enable
>> auditing of account logon for success and failure and account management for
>> success and failure in Domain Controller Security Policy. Auditing of
>> account management will tell you if group membership has been changed [by
>> normal means] and by who. You can also look and see when any user has logged
>> onto the domain and from what computer. Be sure to increase the size of your
>> security logs quite a bit to say at least 10mb. You can use the filter view
>> in Event Viewer or Event Comb to narrow searches.
>> Check all of your GPOs at the domain and domain controller level to see if
>> "restricted groups" is configured in a way that could cause such a problem
>> and also check for any GPO that can apply to domain controllers and Local
>> Security Policy of each for any startup scripts that may be used to add
>> accounts to the admins/domain admins group. Gpresult /v on the domain
>> controllers can help you do such. Also check Scheduled Tasks and the AT
>> command on each domain controller for anything unusual. If you are using a
>> domain account that is in the administrators/domain admins group for any
>> service authentication in the domain, that account's password is easily
>> recovered from any domain computer using that account, so check out that as
>> a possibility.
>> Your domain controller must be physically secured to some degree or someone
>> could obtain passwords from them. If nothing else a sturdy locking case that
>> blocks access to the drives must be used. Configure the cmos of your domain
>> controllers to boot only from the system drive and password protect the cmos
>> settings. Also disable USB on the domain controllers in cmos if not needed.
>> Another possibility is that your passwords are being captured by keyboard
>> loggers installed on computers that you use. These can be hardware plugged
>> into the back of the computer keyboard port or in the keyboard cable, or
>> installed as software. Some programs such as Pest Patrol do a pretty good
>> job of checking for software keyboard loggers. The Microsoft Spyware program
>> will check for many also. Be VERY careful on what computers you use domain
>> admin credentials on. Spy cameras are another way to try and capture user
>> credentials. Note that telnet connections may be in clear text and ftp
>> connections will be in clear text so be careful when you use admin
>> credentials.
>> I would also examine the domain controllers very carefully and do full
>> malware scans with at least two different products. Trend Micro has the free
>> Sysclean package which I would use also along with its matching pattern
>> file. Use the free tools from SysInternals - TCPView, Autoruns, and Process
>> Explorer to examine port usage and process usage on your domain controllers.
>> Be extremely suspicious of any remote control software, processes that map
>> to an executable that does not have a publisher name associated with it, and
>> any process that is not related to anything that should be running on the
>> domain controller [which can be hard to do if you do not have a known clean
>> like install to compare to]. Check for root kits by using PsList from
>> SysInternals to compare the processes running locally to those when you
>> check processes running from a remote computer. Also run the Microsoft
>> Baseline Security Analyzer on your domain controllers to check for basic
>> vulnerabilities including unneeded services and missing critical updates.
>> That should give you a start. The links below should help.  --- Steve
>>  -- Link to
>> SysInternals Process Explorer and other utilities.
>> "Todd" <> wrote in message
>> > Hello, my name is Todd and I am an MCP (almost an MCSA-2003) working for a
>> > Computer Consulting business. One of our clients (our biggest one) has AD
>> > running and we have had a heck of a time figuring out this problem:
>> >   The only 2 people with administrative permissions on the entire domain
>> > are my boss (owner of company) and myself. However, we keep finding new
>> > users that are being created and are being assigned to the built-in
>> > administrators group, giving them admin permissions. There appears to be
>> > no way to stop them. We have changed our Administrator account psw
>> > (although I don't think this would have helped anyway as the accounts
>> > that are being created have admin rights...they don't need our account).
>> > We have removed all spyware / adware and have run virus scans galore
>> > (although we periodically still have to remove them from the
>> > system...even in the past couple of weeks). The only ports open are those
>> > we are seems to be a secure environment with the exception of the ghost
>> > administrator running around. We have tried deleting the accounts from
>> > the default admin group and have disabled the accounts. They either
>> > reappear after being deleted in a few days or when we disable the
>> > accounts they return with different names like "1" "2" "skip0" and
>> > "dick".
>> >
>> > Has anyone ever heard of a similar problem or hack that we could look for
>> > that would allow someone without admin rights (or by using a system
>> > account with those rights) to create admin accounts?
>> >
>> > I know this is a complicated one, but this has been going on for over 2
>> > months and we need help!
>> >
>> > Thanks in advance
>> >
>> > Todd
>> >
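Steve's advice in the thread boils down to two checks that can be scripted: inventory who is actually in the privileged groups (expanding nested groups, since a non-default group nested into Domain Admins hides its members), and read the account-management audit events that record who created an account or added a member. Roger's point that Restricted Groups is computer policy also matters here: it only re-applies on the computer policy refresh, so the audit trail, not the enforcement, is what tells you where the rogue accounts come from. The script below is an added example, not anything posted in the thread. It assumes it is run on a domain controller (or a host with RSAT) as a domain admin, that the ActiveDirectory PowerShell module is available, and that account-management auditing is enabled for success as Steve describes. The event IDs are the Windows 2008+ ones; the Windows 2000/2003 systems in the thread logged the same events as 632 (global group member added) and 636 (local group member added). The expected-member list is a constructed placeholder.

```powershell
# Added example (not from the thread): inventory privileged group membership
# and pull the account-management audit events that say who changed it.
# Assumes: ActiveDirectory module present, run as a domain admin on a DC,
# "Audit account management" (Security Group Management) enabled for success.
Import-Module ActiveDirectory

# The groups Steve says to check, plus Schema Admins.
$privilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Constructed placeholder: the accounts that are SUPPOSED to be privileged.
# Anything not on this list is flagged for review.
$expectedMembers = @('Administrator', 'todd', 'boss')

Write-Host "== Current membership of privileged groups (nested groups expanded) =="
foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so an account hidden one level down
    # in a non-default group still appears in the listing.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $flag = if ($expectedMembers -contains $m.SamAccountName) { '' } else { '  <-- UNEXPECTED' }
        Write-Host ("{0,-18} {1,-12} {2}{3}" -f $group, $m.objectClass, $m.SamAccountName, $flag)
    }
}

Write-Host "`n== Account creations and privileged group additions, last 30 days =="
# 4720 = user account created
# 4728 = member added to a security-enabled global group    (e.g. Domain Admins)
# 4732 = member added to a security-enabled local group     (e.g. Administrators)
# 4756 = member added to a security-enabled universal group (e.g. Enterprise Admins)
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-30)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML rather than
    # relying on positional Properties indices.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $actor = "{0}\{1}" -f $data['SubjectDomainName'], $data['SubjectUserName']

    if ($e.Id -eq 4720) {
        Write-Host ("{0}  ACCOUNT CREATED  {1,-20} by {2}" -f `
            $e.TimeCreated, $data['TargetUserName'], $actor)
        continue
    }

    # For the group events TargetUserName is the group, MemberName the DN added.
    $groupName = $data['TargetUserName']
    if ($privilegedGroups -contains $groupName) {
        Write-Host ("{0}  MEMBER ADDED     {1,-20} -> {2}  by {3}" -f `
            $e.TimeCreated, $data['MemberName'], $groupName, $actor)
    }
}
```

Account-management events are written on whichever domain controller processed the change, so run this on every DC (or point `Get-WinEvent -ComputerName` at each of them) rather than just the PDC emulator. If the additions show up with a service or machine account as the actor, that points at the startup-script, scheduled-task or service-credential paths Steve lists; if the actor is one of the two legitimate admins but neither of you did it, that points at the captured-credential scenario.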
