Re: Security Breach in AD! Help!

From: Roger Abell [MVP] (
Date: 02/09/05

Date: Tue, 8 Feb 2005 22:12:52 -0700

see reply in your new thread . . .
it is computer policy

"Todd" <> wrote in message
>I have a question regarding Restricted Groups...
> I am trying to make the changes that I've set for Restricted Groups to be as
> close to real time as possible.  We had another user created today and in
> about 5 minutes the user was removed from the built in admin group.  I have
> changed the default domain policy, the default domain controller policy, and
> the local machine policy all to reflect the following changes trying to make
> this a real time restriction:
> I have enabled the... refresh interval for computers to 0, refresh interval
> for domain controllers to 0 for the computer policies
> as well as the refresh interval for users to 0 for the user policies.
> I obviously do not know what I am doing since I don't know what Group policy
> to apply and on what interface to get my desired results.
> Please help!
> thanks
> Todd
> "Steven L Umbach" wrote:
>> For the domain check the membership of the administrators group, the domain
>> admins, and enterprise admins groups. Make sure it is what it is supposed to
>> be and if there are any non default groups as members of these groups
>> evaluate why they are there and check their memberships. Reset the passwords
>> on every user account [including yours and your boss's] in any of those
>> groups. Make sure you are using hard to guess passwords. Also enable
>> auditing of account logon for success and failure and account management for
>> success and failure in Domain Controller Security Policy. Auditing of
>> account management will tell you if group membership has been changed [by
>> normal means] and by whom. You can also look and see when any user has logged
>> onto the domain and from what computer. Be sure to increase the size of your
>> security logs quite a bit to say at least 10 MB. You can use the filter view
>> in Event Viewer or Event Comb to narrow searches.
>> Check all of your GPOs at the domain and domain controller level to see if
>> "restricted groups" is configured in a way that could cause such a problem
>> and also check for any GPO that can apply to domain controllers and Local
>> Security Policy of each for any startup scripts that may be used to add
>> accounts to the admins/domain admins group. Gpresult /v on the domain
>> controllers can help you do such. Also check Scheduled Tasks and the AT
>> command on each domain controller for anything unusual. If you are using a
>> domain account that is in the administrators/domain admins group for any
>> service authentication in the domain, that account's password is easily
>> recovered from any domain computer using that account, so check out that as
>> a possibility.
>> Your domain controller must be physically secured to some degree or someone
>> could obtain passwords from them. If nothing else a sturdy locking case that
>> blocks access to the drives must be used. Configure the CMOS of your domain
>> controllers to boot only from the system drive and password protect the CMOS
>> settings. Also disable USB on the domain controllers in CMOS if not needed.
>> Another possibility is that your passwords are being captured by keyboard
>> loggers installed on computers that you use. These can be hardware plugged
>> into the back of the computer keyboard port or in the keyboard cable, or
>> installed as software. Some programs such as Pest Patrol do a pretty good
>> job of checking for software keyboard loggers. The Microsoft Spyware program
>> will check for many also. Be VERY careful on what computers you use domain
>> admin credentials on. Spy cameras are another way to try and capture user
>> credentials. Note that telnet connections may be in clear text and ftp
>> connections will be in clear text so be careful when you use admin
>> credentials.
>> I would also examine the domain controllers very carefully and do full
>> malware scans with at least two different products. Trend Micro has the free
>> Sysclean package which I would use also along with its matching pattern
>> file. Use the free tools from SysInternals - TCPView, Autoruns, and Process
>> Explorer to examine port usage and process usage on your domain controllers.
>> Be extremely suspicious of any remote control software, processes that map
>> to an executable that does not have a publisher name associated with it, and
>> any process that is not related to anything that should be running on the
>> domain controller [which can be hard to do if you do not have a known clean
>> install to compare to]. Check for rootkits by using PsList from
>> SysInternals to compare the processes running locally to those when you
>> check processes running from a remote computer. Also run the Microsoft
>> Baseline Security Analyzer on your domain controllers to check for basic
>> vulnerabilities including unneeded services and missing critical updates.
>> That should give you a start. The links below should help.  --- Steve
>> -- Link to SysInternals Process Explorer and other utilities.
>> "Todd" <> wrote in message
>> > Hello, my name is Todd and I am an MCP (almost an MCSA-2003) working for a
>> > Computer Consulting business.  One of our clients (our biggest one) has AD
>> > running and we have had a heck of a time figuring out this problem:
>> >   The only 2 people with administrative permissions on the entire domain is
>> > my boss (owner of company) and myself.  However, we keep finding new users
>> > that are being created and are being assigned to the built in administrators
>> > group, giving them admin permissions.  There appears to be no way to stop
>> > them.  We have changed our Administrator account psw (although I don't think
>> > this would have helped anyway as the accounts that are being created have
>> > admin rights...they don't need our account).  We have removed all spyware /
>> > adware and have run virus scans galore (although we periodically still have
>> > to remove them from the system...even in the past couple of weeks).  The only
>> > ports open are those we are seems to be a secure environment with
>> > the exception of the ghost administrator running around.  We have tried
>> > deleting the accounts from the default admin group and have disabled the
>> > accounts.  They either reappear after being deleted in a few days or when we
>> > disable the accounts they return with different names like "1" "2" "skip0"
>> > and "dick".
>> >
>> > Has anyone ever heard of a similar problem or hack that we could look for
>> > that would allow someone without admin rights (or by using a system account
>> > with those rights) to create admin accounts?
>> >
>> > I know this is a complicated one, but this has been going on for over 2
>> > months and we need help!
>> >
>> > Thanks in advance
>> >
>> > Todd
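An added example, not from anyone in this thread: a read-only PowerShell audit script that walks the first checks Steven lists (privileged group membership, the account-management audit trail, scheduled tasks, and the current audit policy). It assumes it is run directly on a domain controller with the ActiveDirectory module (RSAT) installed and rights to read the Security log. The event IDs 4720 (user account created) and 4728/4732/4756 (member added to a global/local/universal security group) are the current Windows IDs for the account-management events Steven describes; they do not appear in the thread. The function names are this example's own.

```powershell
# Added example (not code from the thread). Assumption: run on a domain
# controller, ActiveDirectory module available, Security log readable.
Import-Module ActiveDirectory

# 1. Direct membership of the privileged groups. Not expanded recursively on
#    purpose: a nested group shows up with Type 'group', which is exactly the
#    "non default group as a member" Steven says to evaluate.
function Get-PrivilegedMembership {
    param([string[]]$Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g | ForEach-Object {
            [pscustomobject]@{
                Group  = $g
                Member = $_.SamAccountName
                Type   = $_.objectClass
                DN     = $_.distinguishedName
            }
        }
    }
}

# Pull a named field out of an event's EventData by name rather than by
# index, so the script does not depend on property ordering.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Account-management audit trail: who created which account and who added
#    whom to which group. Only populated once "Audit account management" is on,
#    which is why Steven tells Todd to enable it first.
function Get-AccountChanges {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        if ($ev.Id -eq 4720) {
            $what   = 'account created'
            $target = Get-EventField $ev 'TargetUserName'
            $group  = ''
        } else {
            $what   = 'member added'
            $target = Get-EventField $ev 'MemberName'
            $group  = Get-EventField $ev 'TargetUserName'   # the group that gained a member
        }
        [pscustomobject]@{
            Time   = $ev.TimeCreated
            Change = $what
            Actor  = Get-EventField $ev 'SubjectUserName'   # the account that made the change
            Target = $target
            Group  = $group
        }
    } | Sort-Object Time
}

# 3. Scheduled tasks are one place Steven suggests looking for whatever keeps
#    re-creating the accounts; list every task that is not disabled with the
#    executable it runs.
function Get-ActiveTasks {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
        Select-Object TaskName, TaskPath, Author,
            @{ n = 'Action'; e = { $_.Actions.Execute -join ' ' } }
}

'== Privileged group membership =='
Get-PrivilegedMembership | Format-Table -AutoSize

'== Account-management events (last 30 days) =='
Get-AccountChanges | Format-Table -AutoSize

'== Enabled scheduled tasks on this DC =='
Get-ActiveTasks | Format-Table -AutoSize

'== Current audit settings for the two categories Steven mentions =='
auditpol /get /category:"Account Management"
auditpol /get /category:"Account Logon"
```

Reading the output the way the thread suggests: every row in the membership table should be an account you can name and justify; every "member added" row whose Group is one of the privileged groups should have an Actor that is you or your boss, and an unexpected Actor (or a service account, which Steven singles out as a likely credential source) is the lead to follow; a "account created" row with no matching ticket or memory is the ghost account being born, with a timestamp to correlate against the scheduled tasks and logon events.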