Posted by Steven L Umbach on December 8, 2005, 12:52 am
Since auditing of account management is already enabled on Windows 2003
Server you should be able to find an event that indicated when the user was
created and by what user. Information of the user object also may have given
you much of that information including the owner but you already deleted
that. Beyond that make sure your server does not have any other ports
exposed to the internet and make sure that all users must use complex
passwords to logon to the computer. Since you can not explain what happened
I would consider doing a total rebuild of the server since that is the only
way to make sure it is clean but that is your call. Also read the security
guides for Windows 2003 Server Security and Threats and Countermeasures for
steps to take to secure your server. I would also run the free tool
Microsoft Baseline Security Analyzer on it to check for basic
vulnerabilities and take a look using the Windows Security Configuration
Wizard to help in hardening your server assuming you are using SP1. Weak
passwords, inept and/or lazy administrators, and lack of physical security
are the biggest threats to your computer's security. Also NEVER allow any
administrator to read email or browse the internet on a production server.
If other users can access the computer then keyboard loggers, etc. can also
be a threat. --- Steve
http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
--- W2003 Security Configuration Wizard
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
--- Windows 2003 Server Security Guide
> Hi Everyone,
>
> I wanted to find out if anybody is aware of how a Windows Server 2003
> Terminal Server out of the box environment can ever become
> compromised/hacked?
>
> We have recently received a security report stating that the server we are
> running has been performing other tasks, such as the polling of websites,
> and the scanning of other networks also being hosted. Our server is on
> the Internet.
>
> We noticed in our user list an unknown username named 'tsadmin' had been
> created and was logging in, with full access rights just like an
> administrator, they were also a member of the backup users group, however
> none of us ever recall creating this user. We are careful who we create
> onto the server and never allow them to have a desktop environment.
>
> Is this a coincidence?
>
> We have now deleted the tsadmin user.
>
> If anybody could advise of this, or recommend any additional security
> checks or security logging software then this would be ideal.
>
> How can we check if our server has been compromised? Do we need to fix
> anything? What can we do to prevent it from happening again?
>
> We currently use an up to date version of AVG server edition scanner, but
> if anybody knows of a more dedicated server security product this would be
> greatly appreciated.
>
> Thanking you in advance
>
> Chris
>
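The account-management audit events Steve points to can be pulled out of the Security log with a short PowerShell query. This is an added example, not part of either post; it assumes PowerShell is available on the server, uses the 'tsadmin' name from the question as a placeholder, and relies on the Windows Server 2003 Security log IDs 624 (User Account Created) and 636 (member added to a security-enabled local group such as Backup Operators), which became 4720 and 4732 on Windows Vista / Server 2008 and later.

```powershell
# Added example: find when a suspicious account was created and when it was
# added to a local group, and which account performed each action.
# Event IDs assumed:
#   624 / 4720 = User Account Created
#   636 / 4732 = Member added to a security-enabled local group
param(
    [string]$AccountName  = "tsadmin",   # the unknown account from the question
    [string]$ComputerName = "."          # local machine by default
)

$ids = 624, 636, 4720, 4732

Get-EventLog -LogName Security -ComputerName $ComputerName |
    Where-Object { ($ids -contains $_.EventID) -and ($_.Message -match $AccountName) } |
    Sort-Object TimeGenerated |
    ForEach-Object {
        # The message body names the new/target account, the group (for 636/4732)
        # and the caller ("Caller User Name" on 2003, "Subject" on later versions).
        $lines = $_.Message -split "`r?`n" |
            Where-Object { $_ -match "Account Name|Caller|Group Name|Subject|Member" }
        New-Object PSObject -Property @{
            Time    = $_.TimeGenerated
            EventID = $_.EventID
            Details = ($lines | ForEach-Object { $_.Trim() }) -join "; "
        }
    } |
    Format-Table Time, EventID, Details -AutoSize -Wrap
```

Run it from an elevated prompt, since only administrators can read the Security log; if no 624/4720 event exists for the account, the log was either cleared or the account predates the retained log window, which is itself a finding worth noting.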