Posted by Steven L Umbach on September 28, 2005, 12:08 pm
OK. I also want to add that I should have clarified something. To allow a
domain user to be a local administrator on a domain computer add that domain
user account to the local administrators group on the domain computers. You
can use Restricted Groups as described in the link below to do this with a
global group. This allows a domain user such as a domain administrator to
administer domain computers, other than domain controllers, with that
regular domain user account without being logged on as a domain
administrator. --- Steve
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
> Thanks Steve,
>
> Will try out as mentioned below and post back the results
>
> Mike
>
>> It would seem that someone/something is using administrator credentials
>> for the domain. If a domain administrator logs onto a domain workstation
>> and the computer is infected it is possible that the malware uses domain
>> administrator credentials to compromise the domain. Keyboard loggers are
>> another risk. See if the security logs on the domain controller can
>> pinpoint the computer that the administrator deleted the account from and
>> you may have to correlate logon events in the security log to the account
>> deletion event which may be close in time. Also look in the security logs
>> to see if it shows logons from any account in the administrators group or
>> domain admins group from domain computers at times that would be
>> suspicious.
>>
>> What I would do is to shutdown the problem computer, make sure that
>> membership in Active Directory Users and Computers for administrators
>> group, domain admins, and enterprise admins is what it should be, have
>> any users in these groups change their passwords and force such by
>> checking "user must change password at next logon", make sure that
>> the use of password complexity is enabled in the domain, and instruct
>> anyone that is in any administrator group in the domain to never log on to
>> a domain computer with their domain administrator account other than known
>> secured domain workstations used for administering the domain. Such
>> workstations would be restricted by security policy to allow only domain
>> administrators to logon to [including their normal domain accounts that
>> do NOT use the same password as their admin accounts], be hardened,
>> physically secured from all other users, and never used for internet
>> browsing. Then I would isolate the problem computer from the network
>> before you turn it back on and do a fresh install of the operating system
>> to a formatted hard drive, install security updates, antivirus, etc and
>> then put it back on the network to see what happens.
>>
>> Scanning for malware will not always ensure a computer is clean. Rootkits
>> usually escape detection by malware detection programs. SysInternals has
>> a free tool called RootkitRevealer that may be helpful in detecting a
>> rootkit compromise. The other thing to remember is that malware detection
>> tools cannot detect if a computer has been hacked which is a big
>> difference. A hacked computer could be completely clean but have hard to
>> detect instructions or scripts on it that can still do damage such as you
>> describe. If problems continue other computers on the network would also
>> be suspect and I would use the security logs on domain controllers and
>> possibly domain computers [enable auditing of "logon" events in Domain
>> Security Policy] to try and track down the offending computers. Event
>> Comb free from MS can be used to scan domain computers for Event ID's and
>> text strings such as user names. A software or hardware problem on a
>> client computer simply does not delete accounts in AD. The links below
>> may help. --- Steve
>>
>> http://www.sysinternals.com/utilities/rootkitrevealer.html --- RootKit
>> Revealer
>>
http://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en
>> --- Anti Virus in Depth Guide from Microsoft
>>
>> http://www.microsoft.com/smallbusiness/support/computer-security.mspx ---
>> MS Small Business Security Guidance
>>
>>> My client has a Win2003 file/print server with SP1 and latest updates.
>>> AD, DNS + DHCP installed and configured. It is the only domain
>>> controller on the network. All workstations run WinXP SP2. It uses the
>>> standard "default domain policy" installed with AD.
>>>
>>> PROBLEM
>>> 1 x Winxp machine keeps on losing its network shares (these are
>>> administrative shares).
>>> When this happens the data gets "deleted" from the server. The LAN
>>> settings get disabled (No TCP/IP or Client for Mic Net)
>>> The "change" and "Network ID" buttons are disabled.
>>> The user account in Active Directory is deleted
>>>
>>> I have tried the following
>>> 1. Rebuild user domain profile on wks, to no success
>>> 2. Reinstalled AD + rejoined all wks to domain
>>> 3. No errors in Event log as to why this happens. In the Security log it
>>> shows that the account was removed by administrator. But no one has the
>>> administrator password and wks are not set up with admin rights.
>>> 4. Tried: Different NIC, Power Supply, another WinXP pc (different model
>>> as to those on site), different power point, Network point and UTP
>>> flylead
>>> 5. Scanned for viruses using Trend, McAfee = pc was clean (as well as
>>> domain)
>>> 6. Scanned for spyware and malware = pc clean (as well as domain)
>>>
>>> If anyone can assist with this it would greatly be appreciated. (I am at
>>> my wits' end)
>>>
>>> Thanks
>>> Mike
>>>
>>>
>>
>>
>
>
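The correlation Steve describes above (tie the account-deletion event on the
domain controller back to a logon event and so to the workstation, and flag
admin-group logons from anything other than the dedicated admin workstations)
is shown here as an added example. It is not code from this thread or from
Microsoft. The event IDs are the Windows Server 2003 security-log numbers
(630 "User Account Deleted", 528 "Successful Logon", 540 "Successful Network
Logon"). It goes one step beyond the time-window approach in the reply: on
2003 the 630 event carries a "Caller Logon ID" that equals the "Logon ID"
of the 528/540 event for the session that did the deletion, so the
workstation can be matched exactly, with the time window kept as the fallback
when the logon event is not in the export. The pipe-delimited export format,
the sample events, the account and workstation names are all constructed for
illustration and are not from the original post.

```python
from datetime import datetime, timedelta

# Windows Server 2003 security-log event IDs (pre-Vista numbering).
USER_ACCOUNT_DELETED = 630      # "User Account Deleted": Caller User Name, Caller Logon ID
SUCCESSFUL_LOGON = 528          # interactive logon: Logon ID, Workstation Name
SUCCESSFUL_NETWORK_LOGON = 540  # network logon: Logon ID, Workstation Name
LOGON_EVENT_IDS = {SUCCESSFUL_LOGON, SUCCESSFUL_NETWORK_LOGON}

# Constructed sample export (NOT real log data), one event per line:
#   timestamp|event id|account|logon id|workstation|target account
# For a 630 event the "logon id" column is the Caller Logon ID, the
# workstation column is empty (630 does not record one) and the target
# column is the deleted account.
SAMPLE_LOG = """\
2005-09-27 08:02:11|528|mike|0x3F1A0|WS03|
2005-09-27 08:05:40|540|mike|0x3F1A0|WS03|
2005-09-27 09:15:02|528|administrator|0x41C22|ADMINWS1|
2005-09-27 23:41:07|540|administrator|0x5D7E9|WS07|
2005-09-27 23:43:19|630|administrator|0x5D7E9||mike
2005-09-27 23:50:00|630|administrator|0x99999||tom
2005-09-28 07:58:33|528|sarah|0x6A013|WS12|
"""


def parse_events(text):
    """Turn the constructed pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, logon_id, workstation, target = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "account": account.lower(),
            "logon_id": logon_id,
            "workstation": workstation or None,
            "target": target or None,
        })
    return events


def correlate_deletions(events, window=timedelta(minutes=30)):
    """For each account deletion, find the logon session that performed it.

    Strong link: Caller Logon ID (630) == Logon ID (528/540), which names the
    workstation the deleting session came from. If that logon event is not
    in the export, fall back to logons by the same account within `window`
    before the deletion, as the reply suggests.
    """
    logons = [e for e in events if e["id"] in LOGON_EVENT_IDS]
    findings = []
    for d in events:
        if d["id"] != USER_ACCOUNT_DELETED:
            continue
        by_session = [e for e in logons if e["logon_id"] == d["logon_id"]]
        if by_session:
            matched, how = by_session, "logon id"
        else:
            matched = [e for e in logons
                       if e["account"] == d["account"]
                       and d["time"] - window <= e["time"] <= d["time"]]
            how = "time window"
        findings.append({
            "deleted": d["target"],
            "by": d["account"],
            "at": d["time"],
            "matched_by": how,
            "source_workstations": sorted({e["workstation"] for e in matched
                                           if e["workstation"]}),
        })
    return findings


def suspicious_admin_logons(events, admin_accounts, approved_workstations):
    """Logons by privileged accounts from anything other than the hardened
    admin workstations the reply says such accounts should be confined to."""
    admins = {a.lower() for a in admin_accounts}
    return [e for e in events
            if e["id"] in LOGON_EVENT_IDS
            and e["account"] in admins
            and e["workstation"] not in approved_workstations]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in correlate_deletions(evs):
        print(f"{f['at']} {f['by']} deleted {f['deleted']} from "
              f"{', '.join(f['source_workstations'])} (matched by {f['matched_by']})")
    for e in suspicious_admin_logons(evs, {"Administrator"}, {"ADMINWS1"}):
        print(f"{e['time']} admin logon by {e['account']} from {e['workstation']}")
```

On a real domain controller the same fields come out of the Security log
(Event Viewer export, dumpel, or EventComb searching for event ID 630 and the
caller's user name); the only part that changes is the parser. The logon-ID
match is the one to trust; the time-window fallback can pick up an unrelated
session by the same account, so treat its result as a lead, not a conclusion.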