Re: How could I find invisible user in admin group?

From: Olaf Engelke [MVP Windows Server] (oenews01_at_mvps.org)
Date: 08/12/05

    Date: Fri, 12 Aug 2005 15:09:32 +0200
    
    

    Hi James,
    there is no such thing as an invisible user in a group.
    There are some possibilities for how a user can have Administrator permissions
    without you being aware of it.
    For example:
    He is a member of another group which is a member of the Administrators group.
    Check for such groups and their members.

    The account/password combo of one of the Administrator accounts is known to
    an unauthorized person.
    Change the passwords for all accounts which are members of the Administrator
    group.

    Some scheduled task which is accessible to him is running in the context of
    an Administrator (maybe by swapping the started file you could elevate
    administrator permissions for that process).
    Run scheduled tasks with an account which has the necessary permissions and
    no more. Protect the called batches etc.

    Some malware is used to break into the system and work with the permissions
    of the system account (so not really Administrator, but the system account
    has also high level permissions).
    Keep the patch level up to date and protect your machines against malware.
    Limit the user permissions (especially software installation/execution,
    drive access to external drives and data sources (CD, floppy, USB,
    Internet)).

    Intensive auditing and studying of event logs on clients and server would be
    the only way with Windows to discover such internal attacks.
    Best greetings from Germany
    Olaf.
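
An added example, not part of the original post: a PowerShell audit of two of the cases listed above, accounts that are administrators only through a nested group, and scheduled tasks whose program file someone other than an administrator can modify. It assumes Windows PowerShell 5.1 or later run elevated on a domain member with an English UI, and the RSAT ActiveDirectory module for `Get-ADGroupMember`; the function names are hypothetical.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+, run elevated,
# English UI, on a domain member; Get-ADGroupMember needs the RSAT ActiveDirectory module.

# 1. Accounts that hold administrator rights only through a nested domain group.
function Get-EffectiveAdministrator {
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {    # BUILTIN\Administrators
        [pscustomobject]@{ Account = $m.Name; Via = '(direct member)' }
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            # -Recursive flattens every nesting level below this domain group
            Get-ADGroupMember -Identity $m.SID.Value -Recursive | ForEach-Object {
                [pscustomobject]@{ Account = $_.SamAccountName; Via = $m.Name }
            }
        }
    }
}

# 2. Scheduled tasks whose program file can be changed by anyone other than
#    SYSTEM, Administrators or TrustedInstaller (the "swapped file" case).
function Get-WritableTaskTarget {
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $write = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    foreach ($task in Get-ScheduledTask) {
        $runsAs = if ($task.Principal.UserId) { $task.Principal.UserId } else { $task.Principal.GroupId }
        foreach ($action in ($task.Actions | Where-Object Execute)) {
            $file = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # Bare names such as "cmd.exe" are resolved via PATH at run time; skipped here
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
            $acl = Get-Acl -LiteralPath $file
            foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    [int]($ace.FileSystemRights -band $write) -ne 0 -and
                    $ace.IdentityReference.Value -notin $trusted) {
                    [pscustomobject]@{
                        Task = $task.TaskPath + $task.TaskName; RunsAs = $runsAs
                        RunLevel = $task.Principal.RunLevel; File = $file
                        WritableBy = $ace.IdentityReference.Value
                    }
                }
            }
        }
    }
}

Get-EffectiveAdministrator | Sort-Object Via, Account | Format-Table -AutoSize
Get-WritableTaskTarget | Format-Table -AutoSize
```

The task check looks only at the file named in each action; a task that starts `cmd.exe` or `powershell.exe` carries the batch or script path in its arguments, and write access to the parent folder is not examined, so both need a separate look.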

