Posted by Al Dunbar on May 26, 2007, 2:51 pm
Unfortunately, leaving the trojan horses outside of the walls is your best
defence, but it is a bit too late for this now.
But, further to Svyatoslav's suggestion, I would recommend creating a set of
domain accounts and adding them to the "administrators" group on the server.
The actual administrator account should:
a) be renamed;
b) have its password set;
c) never be used except in the direst circumstances.
All server admin should be done using the accounts I suggested - that way no
one individual need know the password to the administrator account. This
provides for much more accountability and manageability in the event of a
rogue administrator. All you need do to cut off the person's access is to
disable or delete his personal administrator account, and not set the
administrator password, which, in some cases, you would need to convey to the
other users of that account.
/Al
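The scheme Al describes (personal admin accounts, a renamed and rarely used built-in Administrator, revocation by disabling one account) together with Svyatoslav's "alert on every logon attempt using that account", as an added PowerShell example. It is not from anyone in this thread and assumes a domain-joined member server (not a domain controller) with the ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules, i.e. Windows Server 2016 / PowerShell 5.1 or later; the Windows 2003 box in the original question has neither. The domain name CORP and all account names are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes a domain-joined member server with the
# ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules; run in an elevated
# session on the server. CORP, jdoe.admin, asmith.admin and srv-breakglass are
# constructed placeholder names.
Import-Module ActiveDirectory
Import-Module Microsoft.PowerShell.LocalAccounts

$Domain         = 'CORP'
$AdminUsers     = @('jdoe.admin', 'asmith.admin')   # one personal admin account per person
$NewBuiltinName = 'srv-breakglass'                  # new name for the built-in Administrator

# 1. Personal, named administrator accounts in the domain, each added to the
#    server's local Administrators group. Nobody needs the shared password.
foreach ($name in $AdminUsers) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name `
            -AccountPassword (Read-Host -AsSecureString "Password for $name") `
            -Enabled $true -ChangePasswordAtLogon $true
    }
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member "$Domain\$name" -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member "$Domain\$name"
    }
}

# 2. The built-in Administrator keeps relative ID 500 whatever it is called, so
#    locate it by SID rather than by name, rename it, and give it a fresh password.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Name -ne $NewBuiltinName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewBuiltinName
}
Set-LocalUser -Name $NewBuiltinName -Password (Read-Host -AsSecureString "New password for $NewBuiltinName")

# 3. Revoking one administrator is a single-account change; the built-in
#    password never has to be rotated and handed round again.
function Revoke-ServerAdmin {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-LocalGroupMember -Group 'Administrators' -Member "$Domain\$SamAccountName" -ErrorAction SilentlyContinue
    Disable-ADAccount -Identity $SamAccountName
}

# 4. Report every logon with the built-in account. Security event 4624 carries the
#    target account's SID, so the check still works if someone renames the account
#    back. LogonType 2 = interactive, 3 = network, 10 = remote desktop.
function Get-BuiltinAdminLogons {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserSid'] -like '*-500') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = $data['LogonType']
                SourceIp    = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
    }
}

# Any row here is a logon that policy says should not have happened.
Get-BuiltinAdminLogons -Hours 24 | Format-Table -AutoSize
```

The SID check is the part worth keeping: renaming the account only hides it from casual guessing, while the -500 relative ID is what identifies it to the system and to the audit log, so both the rename step and the monitoring step key on that rather than on the display name. Step 4 needs "Audit logon events" (or the newer Logon/Logoff subcategory) enabled for success, otherwise the Security log has no 4624 entries to read.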
> Thank you! One more question: What is the best way to remove trojans? Any
> recommended software for this?
>
>> It is okay to delete the rubbish.
>> Create a new administrative account; change password for existing, and
>> alert on every logon attempt using that account.
>> The danger is - if you have a trojan that runs as system, the intruder
>> will be aware of your actions, and control new account as well.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>>> If I open "C:\Documents and Settings\superwayne$" and look at the owner
>>> of the files it is "Administrator". Does this mean that the "hacker" has
>>> used my administrator account? Is it smart to disable this account and
>>> make a new administrator account (example called "Admin" with a new
>>> password)? Is it ok to delete (from Command / cmd.exe) the folder
>>> "C:\Documents and Settings\superwayne$" with all content?
>>>
>>>> Maybe there is no user and Superwayne just used Documents and Settings
>>>> folder to create a share. Look at the owner of the files to see who has
>>>> created those - you'll get idea what accounts were compromised.
>>>>
>>>> At this stage you can start monitoring Superwayne's activity and
>>>> perhaps even catch the guy (or gal) - useful experience but not very
>>>> rewarding in most cases. Another alternative is cleaning out your
>>>> system - most likely it is infected with a trojan as well.
>>>>
>>>> --
>>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>>>> -= F1 is the key =-
>>>>
>>>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>>>
>>>>> I need urgent help! My windows 2003 server has been hacked. When I was
>>>>> defragmenting my disks some files could not be defragmented. I
>>>>> discovered that the reason is because these files are created on a
>>>>> userprofile called "superwayne$" at this location C:\Documents and
>>>>> Settings\superwayne$. If I open this address in Explorer, I see folders
>>>>> like "desktop", "Favorites", "Local Settings", "superwaynes$'s
>>>>> Documents" and so on. There is a lot of hacked software, movies and
>>>>> other stuff in these folders.
>>>>> If I open Active Directory Users and Computers, the user
>>>>> "superwaynes$" is not there. In Server Management/Users I can't find
>>>>> this either. It seems like the user "superwaynes$" has been created
>>>>> outside my domain or something. How can I find and delete this user
>>>>> profile (not only the files in C:\Documents and Settings\superwayne$)?
>>>>> How could this happen, what can I do to prevent this in future? My
>>>>> server has only licensed software (no hacks), and only I have access to it.