user profiles on a dc

Guest
Archived from groups: microsoft.public.win2000.security

We discovered recently created profiles of a few normal users on our DC (W2K
SP4, patched up to June)! Is there some vulnerability we have overlooked? The DC
is also a fileserver, no IIS, we use TS only in admin mode. We are worried as
there were already rumours of security breaches.
 
Guest

Did these people log on to the DC? The only way profiles can be
created is if they logged on either through RDP or locally....I am
assuming that you mean the profiles are located at c:\documents and
settings\[profile name]....or do you mean that you are using roaming
profiles and these profiles are on the server?

1.8cup, I am trying to understand how the profiles got there. Do you
know? Or are you asking us how they got there?

Regards,

Patty
 
Guest

The DC is in a protected area so no user can reach it (and besides that, a
normal user cannot log in on a DC). The profiles are indeed located at
c:\documents and settings\ and show up in the system properties. I'm afraid
the profiles are put there by an illegal utility using some vulnerability.

"Patty Calcaterra" wrote:

> Did these people log on to the DC? The only way profiles can be
> created is if they logged on either through RDP or locally....I am
> assuming that you mean the profiles are located at c:\documents and
> settings\[profile name]....or do you mean that you are using roaming
> profiles and these profiles are on the server?
>
> 1.8cup, I am trying to understand how the profiles got there. Do you
> know? Or are you asking us how they got there?
>
> Regards,
>
> Patty
>
>
 
Guest

These profiles that were created, I assume they are actual employees. I
would check their security group membership right away. Then create another
user for test, see if they can log on to a domain controller through terminal
services.


"8cup" <8cup@discussions.microsoft.com> wrote in message
news:2ABC5038-E41F-4A2B-9FD4-907F14DE43C9@microsoft.com...
> The DC is in a protected area so no user can reach it (and besides that, a
> normal user cannot log in on a DC). The profiles are indeed located at
> c:\documents and settings\ and show up in the system properties. I'm afraid
> the profiles are put there by an illegal utility using some vulnerability.
>
> "Patty Calcaterra" wrote:
>
>> Did these people log on to the DC? The only way profiles can be
>> created is if they logged on either through RDP or locally....I am
>> assuming that you mean the profiles are located at c:\documents and
>> settings\[profile name]....or do you mean that you are using roaming
>> profiles and these profiles are on the server?
>>
>> 1.8cup, I am trying to understand how the profiles got there. Do you
>> know? Or are you asking us how they got there?
>>
>> Regards,
>>
>> Patty
>>
>>
 
Guest

They are actual (domain) users, and indeed I did check their security group
membership right away. With one account I tried to log on with Terminal
Services but the user is not "allowed to login locally". Are there other
possibilities for creation of profiles? We also noticed that on the same date
a profile was created named <Computername>$, maybe this gives a clue?

"Brandon Baker" wrote:

> These profiles that were created, I assume they are actual employees. I
> would check their security group membership right away. Then create another
> user for test, see if they can log on to a domain controller through terminal
> services.
>
>
> "8cup" <8cup@discussions.microsoft.com> wrote in message
> news:2ABC5038-E41F-4A2B-9FD4-907F14DE43C9@microsoft.com...
> > The DC is in a protected area so no user can reach it (and besides that, a
> > normal user cannot log in on a DC). The profiles are indeed located at
> > c:\documents and settings\ and show up in the system properties. I'm afraid
> > the profiles are put there by an illegal utility using some vulnerability.
> >
> > "Patty Calcaterra" wrote:
> >
> >> Did these people log on to the DC? The only way profiles can be
> >> created is if they logged on either through RDP or locally....I am
> >> assuming that you mean the profiles are located at c:\documents and
> >> settings\[profile name]....or do you mean that you are using roaming
> >> profiles and these profiles are on the server?
> >>
> >> 1.8cup, I am trying to understand how the profiles got there. Do you
> >> know? Or are you asking us how they got there?
> >>
> >> Regards,
> >>
> >> Patty
> >>
> >>
>
>
>