Re: Security Breach in AD! Help!
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/11/05
- Next message: Roger Abell: "Re: File permissons"
- Previous message: Steven L Umbach: "Re: W2K Pro password files"
- In reply to: Todd: "Re: Security Breach in AD! Help!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Feb 2005 18:27:02 -0600
OK. Todd. Let us know how it goes.
I can not emphasize the importance of being very careful using domain
credentials on computers that you are not 100 percent sure of being secured
both physically and for the operating system and use runas as much as
possible. I would examine very carefully any computers that you use them on
regularly and personally do a fresh install. Keep in mind that any scripts
or commands run while you are logged on as a domain admin run in the context
of that account.
For example suppose an attacker knew that a domain admin used a particular
computer to logon as domain admin [any account with admin powers in the
domain]. If that computer was left unattended for a period of time while
logged on or the attacker could get physical access to in order to
compromise it he could put a simple script such as a logon script or logoff
script on it via local Group Policy [gpedit.msc]. That script could use the
net user /domain and net group /domain commands to create a user account and
add it to the domain admins/administrators group every time the legitimate
user logged on or off with a domain admin account without ever knowing the
password for the domain admin account and would still work after the domain
admin changed his password! Such a script could never be found with a virus
scan.
An attacker could also use social engineering to trick a domain admin to
logon to a domain computer with that account with a similar script on the
domain computer which the attacker had been able to easily get local admin
access via a free utility downloadable from the internet assuming the
attacker could boot the computer from floppy, cdrom, or other external drive
means. A good attacker would not do this on his computer, but do it to some
"favorite" person of the admins computer and muck it up just enough to
warrant him coming over to logon to it to see what the problem is as the
damsel in distress puts out the call. Anyhow do not rule out the option that
your attack may be coming from a computer on the network where domain admin
credentials are used to logon/logoff. -- Steve
"Todd" <Todd@discussions.microsoft.com> wrote in message
news:216BE3A5-1715-4239-97A8-1B80CDBD92EB@microsoft.com...
> Thanks for your help Steven.
>
> I found the solution to the group policy refresh interval thing...sort of.
>
> I went to computer configuration, administrative templates, system, group
> policy...
> Then I changed the Group Policy refresh interval for computers and the Group
> Policy refresh interval for domain controllers both to 0.
> Then I enabled Scripts policy processing and marked the box next to "process
> even if the group policy objects have not changed".
> This was done in both the local security policy as well as the default
> domain controllers policy.
>
> This has set my GPOs to refresh about every 7 seconds at most. This was
> the temporary solution I was trying to obtain.
>
> I am looking further into the rootkit stuff...that may also help us find a
> solution.
> For now, I think with your help (and others) we believe we have at least put
> a dent in the problem and can focus our attention less on getting rid of
> ghost admins and more on getting rid of the script or hack that caused it in
> the first place. If anyone reads this post and knows what could be causing
> this please post a reply to assist us. Even if the problem is long gone, I
> would like to know how they did it for next time.
>
> Thanks again for your help!
>
> Todd
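The logon/logoff-script trick Steve describes above is something you can check for directly on any workstation where domain admin credentials have been used. The PowerShell below is an added example, not code from either poster. It assumes the default local Group Policy layout under %SystemRoot%\System32\GroupPolicy (the User\Scripts and Machine\Scripts folders with their scripts.ini files are assumed) and an elevated session on the machine being examined; it lists every script registered to run at logon, logoff, startup or shutdown and flags any line that runs net user, net group or net localgroup with /add.

```powershell
# Added example (not from the original thread): audit a workstation's local
# Group Policy scripts for the "net user / net group ... /add" trick.
# Assumes the default local GPO layout under %SystemRoot%\System32\GroupPolicy
# and an elevated PowerShell session on the machine itself.

$gpoRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Any script line that creates an account or adds one to a group via net.exe
# deserves a human look, whether or not it also carries /domain.
$addPattern = '(?i)\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*\s/add\b'

function Get-LocalGpoScripts {
    # Parses User\Scripts\scripts.ini and Machine\Scripts\scripts.ini.
    # Entries look like "0CmdLine=something.bat" beneath a
    # [Logon], [Logoff], [Startup] or [Shutdown] section header.
    foreach ($scope in 'User', 'Machine') {
        $ini = Join-Path $gpoRoot "$scope\Scripts\scripts.ini"
        if (-not (Test-Path -LiteralPath $ini)) { continue }
        $section = ''
        foreach ($line in Get-Content -LiteralPath $ini -Force) {
            if ($line -match '^\[(\w+)\]') { $section = $Matches[1]; continue }
            if ($line -match '^\d+CmdLine=(.+)$') {
                $cmd = $Matches[1].Trim()
                # A bare file name resolves against the section's own folder,
                # e.g. User\Scripts\Logon\; anything else is taken as given.
                $path = if ([IO.Path]::IsPathRooted($cmd)) { $cmd }
                        else { Join-Path $gpoRoot "$scope\Scripts\$section\$cmd" }
                [pscustomobject]@{ Scope = $scope; Event = $section; Script = $path }
            }
        }
    }
}

function Find-AccountAddingScripts {
    foreach ($entry in Get-LocalGpoScripts) {
        if (-not (Test-Path -LiteralPath $entry.Script)) {
            # A registration whose script has gone is itself worth knowing about.
            [pscustomobject]@{ Scope = $entry.Scope; Event = $entry.Event
                               Script = $entry.Script; Line = 0
                               Text = '(referenced script is missing)' }
            continue
        }
        $n = 0
        foreach ($text in Get-Content -LiteralPath $entry.Script -Force) {
            $n++
            if ($text -match $addPattern) {
                [pscustomobject]@{ Scope = $entry.Scope; Event = $entry.Event
                                   Script = $entry.Script; Line = $n
                                   Text = $text.Trim() }
            }
        }
    }
}

'Scripts registered in the local GPO:'
Get-LocalGpoScripts | Format-Table -AutoSize

$findings = @(Find-AccountAddingScripts)
if ($findings.Count -gt 0) {
    'Lines that create accounts or add group members:'
    $findings | Format-Table -AutoSize
} else {
    'No local GPO script references net user/group/localgroup ... /add'
}
```

The first table is the useful baseline: on a machine where nobody has deliberately configured local scripts, any entry at all is a finding. The same parse applies to domain GPO scripts stored under SYSVOL, which is where Todd's ghost-admin script could equally live, and the pattern is deliberately broad (local groups included) because adding a domain account to a workstation's local Administrators group is a common companion step.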