Security Breach in AD W/2000 Server

February 7, 2005 11:51:11 AM

Archived from groups: microsoft.public.win2000.active_directory

Hello, my name is Todd and I am an MCP (almost an MCSA-2003) working for a
Computer Consulting business. One of our clients (our biggest one) has AD
running and we have had a heck of a time figuring out this problem:
The only 2 people with administrative permissions on the entire domain are
my boss (owner of company) and myself. However, we keep finding new users
that are being created and are being assigned to the built in administrators
group, giving them admin permissions. There appears to be no way to stop
them. We have changed our Administrator account psw (although I don't think
this would have helped anyway as the accounts that are being created have
admin rights...they don't need our account). We have removed all spyware /
adware and have run virus scans galore (although we periodically still have
to remove them from the system...even in the past couple of weeks). The only
ports open are those we are using...it seems to be a secure environment with
the exception of the ghost administrator running around. We have tried
deleting the accounts from the default admin group and have disabled the
accounts. They either reappear after being deleted in a few days or when we
disable the accounts they return with different names like "1" "2" "skip0"
and "dick".

Has anyone ever heard of a similar problem or hack that we could look for
that would allow someone without admin rights (or by using a system account
with those rights) to create admin accounts?

I know this is a complicated one, but this has been going on for over 2
months and we need help!

Thanks in advance

Todd
Anonymous
February 7, 2005 3:50:08 PM


Have you enabled auditing for "Account Management" events? This will tell
you when and where the accounts are being created, and what account is being
used to create them.

Have you checked for unusual services or program names listed in the
Services Applet, Task Manager or Run keys in the registry?

You can also set up Restricted Groups to control membership in the
Administrators, Domain Admins & Enterprise Admins group.

Unless you find that these accounts are being created by someone internal to
the network, I'd frankly recommend a complete rebuild of the server. Review
the 10 Immutable Laws of Security: if an outsider can get your computer to
do what he wants it to do without your consent, then it's not your computer
anymore. If someone has installed some type of back door into your
computer, then the only way to be certain that you've removed the
vulnerability is to "nuke and pave."


--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.
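As an added example (not from the thread or from any Microsoft documentation), here is how the two measures suggested above, Account Management auditing and a Restricted-Groups-style membership check, can be applied to an exported Security log. The pipe-separated record layout, the CORP domain and the account names are constructed; the event IDs are the Windows 2000/2003 Account Management IDs.

```python
"""Triage of exported Windows 2000 Security-log records for rogue admin accounts.

Added example, not from the thread.  The input is a constructed, simplified
export (time|event id|caller|target account|group).  Event IDs are the
Windows 2000/2003 ones: 624 user account created, 632 global group member
added, 636 local group member added, 517 audit log cleared.
"""
from collections import namedtuple

Event = namedtuple("Event", "time event_id caller target group")

# Only these accounts are allowed to administer the domain (constructed names
# standing in for the two legitimate admins described in the thread).
APPROVED_ADMINS = {"CORP\\boss", "CORP\\todd"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

USER_CREATED, GLOBAL_ADD, LOCAL_ADD, LOG_CLEARED = 624, 632, 636, 517

# Constructed sample: one legitimate creation, a creation by a service
# account, a privileged-group addition, and an audit-log clear (a cleared
# log is itself a finding when an event you expected is missing).
SAMPLE_LOG = """\
2005-02-05 02:14:07|624|CORP\\todd|CORP\\jsmith|
2005-02-06 03:01:22|624|NT AUTHORITY\\SYSTEM|CORP\\skip0|
2005-02-06 03:01:23|636|NT AUTHORITY\\SYSTEM|CORP\\skip0|Administrators
2005-02-06 03:05:40|517|CORP\\Administrator||
"""


def parse(text):
    """Turn the exported records into Event tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, eid, caller, target, group = line.split("|")
        events.append(Event(time, int(eid), caller, target, group))
    return events


def triage(events, approved=APPROVED_ADMINS):
    """Return (kind, time, caller, detail) findings for suspicious events."""
    findings = []
    for e in events:
        if e.event_id == USER_CREATED and e.caller not in approved:
            findings.append(("rogue-create", e.time, e.caller, e.target))
        elif e.event_id in (GLOBAL_ADD, LOCAL_ADD) and e.group in PRIVILEGED_GROUPS:
            # Flag both an unapproved caller and an unapproved new member.
            if e.caller not in approved or e.target not in approved:
                findings.append(("priv-add", e.time, e.caller, f"{e.target}->{e.group}"))
        elif e.event_id == LOG_CLEARED:
            findings.append(("log-cleared", e.time, e.caller, ""))
    return findings


def membership_drift(current_members, approved=APPROVED_ADMINS):
    """Restricted-Groups style check: members that are not on the approved list."""
    return sorted(set(current_members) - set(approved))


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(finding)
    print(membership_drift(["CORP\\boss", "CORP\\todd", "CORP\\skip0"]))
```

Restricted Groups enforces the approved list at each policy refresh; running a drift check like this between refreshes shows when, and under what caller, the membership changed.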
February 7, 2005 3:50:09 PM


Hello Laura, thanks so much for your quick response.
To answer a few of your questions...

first...We have enabled success and failure events for account management,
but I haven't seen anything unusual in the event viewer. I looked for the
event triggered by our most recent account that was created over the weekend,
but I didn't see it. Is there a good way that I can filter out the event
created by this audit? What would the source be?

second...we removed MANY processes and programs after virus scanning from
our Winnt/system32 folder that were malicious, but we thought we had solved
the problem after removing anything that we found to be suspicious or
malicious. I was actually kinda hoping someone would know of a similar
process that may have been installed somewhere that we haven't found yet.
But yes, everything has been removed that we are aware of.

third...I haven't heard of Restricted Groups and am unfamiliar with how that
would help me. Can I have more info on that b/c that sounds like it would be
a great solution for us.

We can't really just wipe the OS and start over on this b/c it's our SQL
database and we really need to just figure out the problem and fix it. We
haven't totally thrown that option out the window, but we must exhaust every
possible fix before we even consider it, as you probably understand.

Thanks again for your suggestions and patience. I'll look forward to
hearing from you again!

Todd


Anonymous
February 7, 2005 5:44:44 PM


To filter events in an Event Log:
http://www.microsoft.com/resources/documentation/window...

Restricted Groups:
http://www.microsoft.com/resources/documentation/Window...

Both of these are topics that you should've seen when preparing for the
Microsoft Certification exams, and are certainly ones that you should be
aware of when administering a real-world network.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
February 7, 2005 5:44:45 PM


I have used event viewer many times, I was just unable to locate the event
triggered by the audit (ghost admin may have erased it actually).
I didn't remember having learned about Restricted Groups, although knowing
the training I went through it was probably explained in 1 sentence then
forgotten.
I have now configured Restricted Groups and I really hope that helps. It
just may do the trick.

Again I appreciate the assistance.

Todd
