Posted by Chris M on December 3, 2007, 8:56 am
Zaheer Jassat wrote:
> It's the DC, file & print server, runs SQL for a couple of (lightweight)
> database applications. We also store user profiles on this server.
> However the server isn't a DHCP server.
>
> In so far as Windows Services, it's running what I assume Windows 2003
> Service Pack 1 runs by default. Are there any specific services that I
> should be looking out for?
I think first of all, I would have a look at the profile and see if you
can determine when it was created. Then you can have a look in the event
logs and see if anything out of the ordinary was happening during this
time. Look for lots of failure audits in the security logs, things like
that.
--
Chris.
>> Zaheer Jassat wrote:
>>> We have a Windows 2003 Domain Controller. Some time last week I found
>>> the name of an 'ordinary' user in the C:\Document & Settings
>>> directory, which seems to indicate that this user found a way to log
>>> onto the server. He also has a user profile set up on the server
>>> (Roaming, which is what it normally is).
>>>
>>> I'm trying to work out how he managed to do this, and fix the
>>> security breach so that no-one can do this again.
>>>
>>> From what I can see, only "Administrators" can remote desktop into
>>> the server, and the console session was locked with the administrator
>>> password (which I am fairly certain he is unaware of). He is not
>>> listed as part of the "administrators" group within Active
>>> Directory. I've tried to 'remote desktop' in with the account in
>>> question, and I was denied access.
>>
>> That would cause me to be suspicious too...
>>
>> Is the server just a DC or does it provide any other services?
>>
>> --
>> Chris M.
>>
>> Remove pants to email me.
>
--
Chris M.
Remove pants to email me.
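
An added example, not part of the original thread: one way to do the correlation suggested in the reply above, listing Security log events that fall within a window around the profile folder's creation time. It assumes the Security log has been exported to CSV; the column layout, account names, host names and timestamps below are constructed for illustration.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta

# Windows Server 2003 Security log event IDs.
LOGON_OK = {"528", "540"}   # 528 = successful logon, 540 = successful network logon
LOGON_FAIL = {str(i) for i in range(529, 538)} | {"539"}   # logon failure audits
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export; the column layout, accounts and hosts are made up.
SAMPLE_CSV = """time,event_id,user,logon_type,source
2007-11-27 09:00:00,528,Administrator,2,SERVER01
2007-11-27 14:20:01,529,Administrator,10,WKSTN-07
2007-11-27 14:20:09,529,Administrator,10,WKSTN-07
2007-11-27 14:21:30,529,Administrator,10,WKSTN-07
2007-11-27 14:31:58,528,user1,2,SERVER01
2007-11-27 14:40:00,540,user2,3,WKSTN-03
2007-11-27 16:00:00,529,user1,3,WKSTN-07
"""

def events_near(rows, created, window):
    """Return events whose timestamp is within `window` of the profile creation time."""
    near = []
    for row in rows:
        ts = datetime.strptime(row["time"], FMT)
        if abs(ts - created) <= window:
            near.append(dict(row, ts=ts))
    return sorted(near, key=lambda e: e["ts"])

def summarize(rows, created, user, window=timedelta(minutes=30)):
    """Count failure audits per account and list the user's successful logons."""
    near = events_near(rows, created, window)
    failures = Counter(e["user"] for e in near if e["event_id"] in LOGON_FAIL)
    logons = [(e["time"], LOGON_TYPES.get(e["logon_type"], e["logon_type"]), e["source"])
              for e in near
              if e["event_id"] in LOGON_OK and e["user"].lower() == user.lower()]
    return failures, logons

if __name__ == "__main__":
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    # On the server itself the folder's creation time can be read with os.path.getctime().
    created = datetime(2007, 11, 27, 14, 32, 10)   # constructed value
    failures, logons = summarize(rows, created, "user1")
    print("failure audits in window:", dict(failures))
    for when, kind, source in logons:
        print("logon:", when, kind, "from", source)
```

The logon type and source of any successful logon in the window show whether the session came from the console, the network or Remote Desktop.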