Re: How could I find invisible user in admin group?

From: Olaf Engelke [MVP Windows Server] (oenews01_at_mvps.org)
Date: 08/12/05

  • Next message: Lara: "Re: Sytem restarts after 60 seconds"
    Date: Fri, 12 Aug 2005 15:09:32 +0200
    
    

    Hi James,
    there is no such thing as an invisible user in a group.
    There are some possibilities for how a user can have Administrator permissions
    without you being aware of it.
    For example:
    He is a member of another group, which is a member of the Administrators group.
    Check for such groups and their members.

    The account/password combo of one of the Administrator accounts is known to
    an unauthorized person.
    Change the passwords for all accounts which are members of the Administrator
    group.

    Some scheduled task which is accessible to him is running in the context of
    an Administrator (maybe by swapping the started file you could elevate
    administrator permissions for that process).
    Run scheduled tasks with an account which has the necessary permissions and
    no more. Protect the called batches etc.

    Some malware is used to break into the system and work with the permissions
    of the system account (so not really Administrator, but the system account
    also has high-level permissions).
    Keep the patch level up to date and protect your machines against malware.
    Limit the user permissions (especially software installation/execution,
    drive access to external drives and data sources (CD, floppy, USB,
    Internet)).

    Intensive auditing and studying of event logs on clients and server would be
    the only way with Windows to discover such internal attacks.
    Best greetings from Germany
    Olaf.
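
The nested-group check from the message above, as an added example that is not part of the original post: it expands the local Administrators group and shows through which group each account gets its membership. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets) and, for nested domain groups, the RSAT ActiveDirectory module; the function name Get-EffectiveAdmin is hypothetical.

```powershell
# Added example (not from the original post): list every account that ends up
# with local Administrator rights, including accounts that get there only
# through a nested group.
# Assumptions: Windows PowerShell 5.1+ and, for domain groups, the RSAT
# ActiveDirectory module. Get-EffectiveAdmin is a hypothetical helper name.

function Get-EffectiveAdmin {
    param(
        # Well-known SID of BUILTIN\Administrators; works on any UI language.
        [string]$GroupSid = 'S-1-5-32-544'
    )

    $haveAD = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    foreach ($m in Get-LocalGroupMember -SID $GroupSid) {
        # Assumption: ObjectClass reads 'Group' (English display value).
        if ($m.ObjectClass -ne 'Group') {
            # Account listed directly in the Administrators group.
            [pscustomobject]@{ Account = $m.Name; Via = '(direct member)' }
        }
        elseif ($m.PrincipalSource -eq 'ActiveDirectory' -and $haveAD) {
            # -Recursive flattens every nesting level below this group and
            # returns only the non-group leaf objects.
            Get-ADGroupMember -Identity $m.SID.Value -Recursive |
                ForEach-Object {
                    [pscustomobject]@{ Account = $_.SamAccountName; Via = $m.Name }
                }
        }
        else {
            # Group that cannot be expanded from this machine: report it so
            # its members are reviewed by hand instead of being missed.
            [pscustomobject]@{ Account = '(unexpanded group)'; Via = $m.Name }
        }
    }
}

Get-EffectiveAdmin | Sort-Object Via, Account | Format-Table -AutoSize
```

Any row whose Via column names a group rather than "(direct member)" is an account that does not appear when you only look at the Administrators group itself.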

