Author: Mike (Guest)
Posted: Wed Sep 28, 2005 8:51 am
Subject: Win2003 loses AD user account
My client has a Win2003 file/print server with SP1 and latest updates. AD, DNS + DHCP installed and configured. It is the only domain controller on the network. All workstations run WinXP SP2. It uses the standard "default domain policy" installed with AD.

PROBLEM
1 x WinXP machine keeps on losing its network shares (these are administrative shares).
When this happens the data gets "deleted" from the server. The LAN settings get disabled (no TCP/IP or Client for Mic Net).
The "Change" and "Network ID" buttons are disabled.
The user account in Active Directory is deleted.

I have tried the following:
1. Rebuild user domain profile on wks, to no success
2. Reinstalled AD + rejoined all wks to domain
3. No errors in Event log as to why this happens. In Security log it shows that the account was removed by administrator. But no one has the administrator password and wks are not set up with admin rights.
4. Tried: different NIC, power supply, another WinXP pc (different model to those on site), different power point, network point and UTP flylead
5. Scanned for viruses using Trend, McAfee = pc was clean (as well as domain)
6. Scanned for spyware and malware = pc clean (as well as domain)

If anyone can assist with this it would greatly be appreciated. (I am at my wits' end.)
Thanks
Mike

Author: Steven L Umbach (Guest)
Posted: Wed Sep 28, 2005 8:51 am
Subject: Re: Win2003 loses AD user account
It would seem that someone/something is using administrator credentials for the domain. If a domain administrator logs onto a domain workstation and the computer is infected it is possible that the malware uses domain administrator credentials to compromise the domain. Keyboard loggers are another risk. See if the security logs on the domain controller can pinpoint the computer that the administrator deleted the account from; you may have to correlate logon events in the security log to the account deletion event, which may be close in time. Also look in the security logs to see if it shows logons from any account in the administrators group or domain admins group from domain computers at times that would be suspicious.

What I would do is to shut down the problem computer, make sure that membership in Active Directory Users and Computers for the administrators group, domain admins, and enterprise admins is what it should be, have any users in these groups change their passwords and force such by checking "user must change password at next logon", make sure that password complexity is enabled in the domain, and instruct anyone that is in any administrator group in the domain to never log on to a domain computer with their domain administrator account other than known secured domain workstations used for administrating the domain. Such workstations would be restricted by security policy to allow only domain administrators to log on to [including their normal domain accounts that do NOT use the same password as their admin accounts], be hardened, physically secured from all other users, and never used for internet browsing. Then I would isolate the problem computer from the network before you turn it back on and do a fresh install of the operating system to a formatted hard drive, install security updates, antivirus, etc. and then put it back on the network to see what happens.

Scanning for malware will not always ensure a computer is clean. Rootkits usually escape detection by malware detection programs. SysInternals has a free tool called RootkitRevealer that may be helpful in detecting a rootkit compromise. The other thing to remember is that malware detection tools cannot detect if a computer has been hacked, which is a big difference. A hacked computer could be completely clean but have hard-to-detect instructions or scripts on it that can still do damage such as you describe. If problems continue other computers on the network would also be suspect and I would use the security logs on domain controllers and possibly domain computers [enable auditing of "logon" events in Domain Security Policy] to try and track down the offending computers. Event Comb, free from MS, can be used to scan domain computers for Event IDs and text strings such as user names. A software or hardware problem on a client computer simply does not delete accounts in AD. The links below may help. --- Steve

http://www.sysinternals.com/utilities/rootkitrevealer.html --- RootkitRevealer
http://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en --- Anti Virus in Depth Guide from Microsoft
http://www.microsoft.com/smallbusiness/support/computer-security.mspx --- MS Small Business Security Guidance

In reply to: "Mike" <mikeg452@hotmail.com>, news:uS1phg$wFHA.1412@TK2MSFTNGP09.phx.gbl

Author: Mike (Guest)
Posted: Wed Sep 28, 2005 8:51 am
Subject: Re: Win2003 loses AD user account
Thanks Steve,
Will try out as mentioned and post back the results.
Mike

In reply to: "Steven L Umbach" <n9rou@nospam-comcast.net>, news:OiZe1IAxFHA.2960@tk2msftngp13.phx.gbl

Author: Steven L Umbach (Guest)
Posted: Wed Sep 28, 2005 8:52 pm
Subject: Re: Win2003 loses AD user account
OK. I also want to add that I should have clarified something. To allow a domain user to be a local administrator on a domain computer, add that domain user account to the local administrators group on the domain computers. You can use Restricted Groups as described in the link below to do this with a global group. This allows a domain user such as a domain administrator to administer domain computers, other than domain controllers, with that regular domain user account without being logged on as a domain administrator. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

In reply to: "Mike" <mikeg452@hotmail.com>, news:%23QGTqUAxFHA.3892@TK2MSFTNGP12.phx.gbl

Author: Mike (Guest)
Posted: Tue Oct 11, 2005 4:51 pm
Subject: Re: Win2003 loses AD user account
Done as you mentioned, and even used the RootkitRevealer tool, but no luck.
My main problem is still that the AD user account gets deleted (and the security log shows administrator did it).
I even went as far as to set up 2 machines, each with their own profiles. One machine accesses "home data" and "company data" (everyone has access) on the server. These shares are administrative shares ($). The other machine accesses only a copy of the pst and the "company data" share.
I went as far as to create a mandatory profile for the user, which seems to keep the profile stored on the server (previously the local profile on XP also disappeared), but the AD account still gets deleted.
Any other suggestions?
Mike

In reply to: "Steven L Umbach" <n9rou@nospam-comcast.net>, news:OiZe1IAxFHA.2960@tk2msftngp13.phx.gbl

Author: Steven L Umbach (Guest)
Posted: Wed Oct 12, 2005 8:51 pm
Subject: Re: Win2003 loses AD user account
It sounds like the problem may be related to users having more access than needed. The administrative shares normally are not used as general shares, as users need to be local administrators [or domain admins for a domain controller] to access an administrative share, and that means the users can do anything they want on the server including deleting user accounts, changing the password for the built-in administrator account to log on as that account, and just about anything else. It is much more likely that a server could be hacked or have malware if all users are administrators. Users that are administrators do not have to be malicious to do damage but can through ineptness, laziness, or being careless.

I understand that in small businesses one server is often jack of all trades, as it sounds like here, but unless it can be configured to be functional with users not being administrators [particularly domain administrators] it is going to be very difficult to impossible to figure out exactly what is going on and prevent future problems. Having said that, I would change the password on the built-in administrator account and look for account management events [628 and 642 I believe] that indicate that the password for the built-in administrator account was changed/reset and by what user; that may give you a clue as to what is going on. --- Steve

In reply to: "Mike" <mikeg452@hotmail.com>, news:ud%238T8nzFHA.1252@TK2MSFTNGP09.phx.gbl

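The two log checks recommended in this thread, the first reply's "correlate logon events in the security log to the account deletion event" and this post's "look for account management events 628 and 642 on the built-in administrator account", written out as an added Python example. This is not code from the thread or from Microsoft. The Security-log export it reads, the account names, the SIDs and the IP address are all constructed for the example, modelled on the field names Windows Server 2003 writes into these events; a real export (Event Viewer "Save As", dumpel, EventCombMT) has its own line layout, so the tab split in parse_export is the part to adapt, while the field parsing and the join on Caller Logon ID carry over.

```python
"""Attribute Windows Server 2003 account-management events (628 password
reset, 630 account deleted, 642 account changed) to the workstation that
caused them, by joining each event's Caller Logon ID to the logon event
(528 interactive, 540 network) that opened that session on the DC.

SAMPLE_EXPORT is CONSTRUCTED for this example (tab-separated: timestamp,
event ID, message), modelled on the field names Windows 2003 uses; the
names, SIDs and addresses are made up.
"""
import re

# Constructed sample, not a real log. One network logon from WKS07 resets
# the built-in Administrator password and deletes a user; the first 642
# has a Caller Logon ID with no logon event in the export (Logon IDs are
# unique only since the DC last booted, so older sessions cannot be joined).
SAMPLE_EXPORT = """\
2005-09-26 17:05:33\t642\tUser Account Changed: Target Account Name: pmeyer Target Domain: CORP Target Account ID: S-1-5-21-1004336348-1177238915-682003330-1112 Caller User Name: Administrator Caller Domain: CORP Caller Logon ID: (0x0,0x2C9E1)
2005-09-27 23:41:02\t540\tSuccessful Network Logon: User Name: Administrator Domain: CORP Logon ID: (0x0,0x4A1F3) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: WKS07 Source Network Address: 192.168.1.57 Source Port: 1049
2005-09-27 23:41:09\t628\tUser Account password set: Target Account Name: Administrator Target Domain: CORP Target Account ID: S-1-5-21-1004336348-1177238915-682003330-500 Caller User Name: Administrator Caller Domain: CORP Caller Logon ID: (0x0,0x4A1F3)
2005-09-27 23:41:15\t630\tUser Account Deleted: Target Account Name: jvanwyk Target Domain: CORP Target Account ID: S-1-5-21-1004336348-1177238915-682003330-1107 Caller User Name: Administrator Caller Domain: CORP Caller Logon ID: (0x0,0x4A1F3)
2005-09-28 08:02:11\t528\tSuccessful Logon: User Name: Administrator Domain: CORP Logon ID: (0x0,0x5B210) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: SRV01
"""

# Field labels that appear in the message text. Longest first so that
# e.g. "Caller Logon ID" is matched whole rather than as "Logon ID".
FIELD_NAMES = sorted([
    "User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name", "Source Network Address",
    "Source Port", "Target Account Name", "Target Domain", "Target Account ID",
    "Caller User Name", "Caller Domain", "Caller Logon ID", "Privileges",
], key=len, reverse=True)
_FIELD_RE = re.compile("(" + "|".join(re.escape(f) for f in FIELD_NAMES) + r"):\s*")

LOGON_EVENTS = {528, 540}
ACCOUNT_MGMT = {628: "password reset", 630: "account deleted", 642: "account changed"}


def parse_message(message):
    """Turn 'Summary: Field: value Field: value ...' into a dict of fields."""
    parts = _FIELD_RE.split(message)  # [summary, name, value, name, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def parse_export(text):
    """Parse the constructed tab-separated export into one dict per event."""
    events = []
    for line in text.strip().splitlines():
        timestamp, event_id, message = line.split("\t", 2)
        event = {"time": timestamp, "id": int(event_id)}
        event.update(parse_message(message))
        events.append(event)
    return events


def is_builtin_admin(sid):
    """The built-in Administrator keeps RID 500 whatever it is renamed to."""
    return sid.rsplit("-", 1)[-1] == "500"


def attribute_account_changes(events):
    """For each 628/630/642 event, find the logon session of the caller."""
    # Logon ID -> the logon event that opened that session on this DC.
    sessions = {e["Logon ID"]: e for e in events if e["id"] in LOGON_EVENTS}
    findings = []
    for e in events:
        action = ACCOUNT_MGMT.get(e["id"])
        if action is None:
            continue
        session = sessions.get(e["Caller Logon ID"], {})  # {} when unmatched
        findings.append({
            "time": e["time"],
            "action": action,
            "target": e["Target Domain"] + "\\" + e["Target Account Name"],
            "builtin_admin_target": is_builtin_admin(e["Target Account ID"]),
            "caller": e["Caller Domain"] + "\\" + e["Caller User Name"],
            "logon_type": session.get("Logon Type"),
            "workstation": session.get("Workstation Name"),
            "source_ip": session.get("Source Network Address"),
        })
    return findings


def report(findings):
    """One line per account-management event, naming where it came from."""
    lines = []
    for f in findings:
        where = f["workstation"] or "UNKNOWN (no logon event with this Caller Logon ID)"
        if f["source_ip"]:
            where += " / " + f["source_ip"]
        flag = " [built-in Administrator, RID 500]" if f["builtin_admin_target"] else ""
        lines.append(f'{f["time"]}  {f["action"]:15} {f["target"]}{flag} by {f["caller"]} from {where}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(attribute_account_changes(parse_export(SAMPLE_EXPORT))))
```

Run directly, it prints one line per account-management event with the caller, the target, whether the target is the built-in Administrator (identified by RID 500, which survives a rename) and the workstation name and source address taken from the matching logon event. Two caveats apply when pointing this at a real log: a Logon ID is unique only since the DC last booted, so an older session will not join (the sample's first 642 shows the unmatched case), and with more than one DC the logon event and the account change must come from the same DC's Security log.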
Author: Steven L Umbach (Guest)
Posted: Wed Oct 12, 2005 8:51 pm
Subject: Re: Win2003 loses AD user account
Another thing I would try is to rename the built in administrator account
and change it's description. Then create a regular user account named
administrator and disable it to see what happens. Be sure to write the new
name down somewhere in a safe place so that you do not forget it. If someone
is playing around with the administrator account that may stop or expose
them [via security log events] . However that will not stop a more
knowledgeable user as the there are tools to find the real administrator
account since it has a fixed SID. --- Steve
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23RaSbk1zFHA.404@TK2MSFTNGP09.phx.gbl...
[quote]It sounds like the problem may be related to users having more access than
needed. The administrative shares normally are not used as general shares
as users need to be local administrators [or domain admins for a domain
controller] to access and administrative share and that means the users
can do anything they want on the server including deleting user accounts,
changing passwords for the built in administrator account to logon as that
acount, and just about anything else. It is much more likely that a server
could be hacked or have malware if all users are administrators. Users
that are administrators do not have to be malicious to do damage but can
through ineptness, laziness, or being careless.
I understand that in small businesses that one server is often jack of all
trades as it sounds like here but unless it can be configured to be
functional with users not being administrators [particualry domain
administrators] it is going to be very difficult to impossible to figure
out exactly what is going on and prevent future problems. Having said that
I would change the password on the built in administrator account and look
for account management events [ 628 and 642 I believe] that indicate that
the password for the built in administrator accound was changed/reset and
by what user that may give you a clue as to what is going on. --- Steve
"Mike" <mikeg452@hotmail.com> wrote in message
news:ud%238T8nzFHA.1252@TK2MSFTNGP09.phx.gbl...
done as you mentioned below and even used the rootkitrevealer tool, but
no luck
my main problem is still that the AD user account gets deleted (and
security log show administrator did it)
I even went as far to setup 2 machines, each with their own profiles. One
machine accesses "home data" and "company data"(everyone has access) on
server. These shares are administrative shares $, The other machine
accesses only a copy of the pst and "company data" share.
I went as far as to create a mandatory profile for the user, which seems
to keep the profile stored on the server (previously the local profile on
XP also disappeared), but the AD account still gets deleted.
any other suggestions?
mike
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OiZe1IAxFHA.2960@tk2msftngp13.phx.gbl...
It would seem that someone/something is using administrator credentials
for the domain. If a domain administrator logs onto a domain workstation
and the computer is infected it is possible that the malware uses domain
administrator credentials to compromise the domain. Keyboard loggers are
another risk. See if the security logs on the domain controller can
pinpoint the computer that the administrator deleted the account from
and you may have to correlate logon events in the security log to the
account deletion event which may be close in time. Also look in the
security logs to see if it shows logons from any account in the
administrators group or domain admins group from domain computers at
times that would be suspicious.
What I would do is to shutdown the problem computer, make sure that
membership in Active Directory Users and Computers for administrators
group, domain admins, and enterprise admins is what it should be, have
any users in these groups change their passwords and force such by
checking that user must change password at next logon , make sure that
the use of password complexity is enabled in the domain, and instruct
anyone that is in any administrator group in the domain to never logon
to a domain computer with their domain administrator account other than
known secured domain workstations used for administrating the domain.
Such workstations would be restricted by security policy to allow only
domain administrators to logon to [including their normal domain
accounts that do NOT use the same password as their admin accounts], be
hardened, physically secured from all other users, and never used for
internet browsing. Then I would isolate the problem computer from the
network before you turn it back on and do a fresh install of the
operating system to a formatted hard drive, install security updates,
antivirus, etc and then put it back on the network to see what happens.
Scanning for malware will not always ensure a computer is clean. Rootkits
usually escape detection by malware detection programs. SysInternals has
a free tool called RootkitRevealer that may be helpful in detecting a
rootkit compromise. The other thing to remember is that malware
detection tools can not detect if a computer has been hacked which is a
big difference. A hacked computer could be completely clean but have
hard to detect instructions or scripts on it that can still do damage
such as you describe. If problems continue other computers on the
network would also be suspect and I would use the security logs on
domain controllers and possibly domain computers [enable auditing of
"logon" events in Domain Security Policy] to try and track down the
offending computers. Event Comb free from MS can be used to scan domain
computers for Event ID's and text strings such as user names. A software
or hardware problem on a client computer simply does not delete accounts
in AD. The links below may help. --- Steve
http://www.sysinternals.com/utilities/rootkitrevealer.html --- RootKit
Revealer
http://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en
--- Anti Virus in Depth Guide from Microsoft
http://www.microsoft.com/smallbusiness/support/computer-security.mspx ---
MS Small Business Security Guidance
[/quote]
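The correlation Steve describes above, pinpointing the computer an account was deleted from by matching the deletion event's Caller Logon ID against the logon event that carries the same Logon ID, and flagging the caller if it is the built-in Administrator (RID 500, whatever the account has been renamed to), as an added example that is not code from the thread or from Microsoft. It assumes the DC security log was exported to a pipe-delimited text file in chronological order (Windows 2003 event IDs: 528/540 logon, 624 created, 628 password set, 630 deleted, 642 changed); the sample records and the name-to-SID table (the kind of data PsGetSid returns) are constructed for the demo.

```python
"""Correlate Windows 2003 account-management audit events with the logon
session that issued them. Added example; sample data below is constructed."""
from collections import namedtuple
from datetime import datetime

# Constructed export: time|event ID|description fields, oldest first.
SAMPLE_LOG = """\
2005-09-27 09:02:17|528|User Name:helpdesk|Domain:CORP|Logon ID:(0x0,0x19C001)|Logon Type:2|Workstation Name:DC01|Source Network Address:-
2005-09-27 09:05:40|642|Target Account Name:mike|Target Domain:CORP|Caller User Name:helpdesk|Caller Domain:CORP|Caller Logon ID:(0x0,0x19C001)
2005-09-27 22:41:03|540|User Name:jsmith|Domain:CORP|Logon ID:(0x0,0x1A2B3C)|Logon Type:3|Workstation Name:WKS07|Source Network Address:192.168.1.57
2005-09-27 22:43:10|540|User Name:Administrator|Domain:CORP|Logon ID:(0x0,0x1B4F22)|Logon Type:3|Workstation Name:WKS07|Source Network Address:192.168.1.57
2005-09-27 22:44:51|628|Target Account Name:jsmith|Target Domain:CORP|Caller User Name:Administrator|Caller Domain:CORP|Caller Logon ID:(0x0,0x1B4F22)
2005-09-27 22:45:02|630|Target Account Name:jsmith|Target Domain:CORP|Target Account ID:S-1-5-21-1111-2222-3333-1104|Caller User Name:Administrator|Caller Domain:CORP|Caller Logon ID:(0x0,0x1B4F22)
"""

# Constructed name -> SID table (what PsGetSid or dsquery would give you).
ACCOUNT_SIDS = {
    "CORP\\Administrator": "S-1-5-21-1111-2222-3333-500",
    "CORP\\helpdesk": "S-1-5-21-1111-2222-3333-1107",
    "CORP\\jsmith": "S-1-5-21-1111-2222-3333-1104",
}

LOGON_EVENTS = {528, 540}
ACCOUNT_MGMT_EVENTS = {624: "account created", 628: "password set",
                       630: "account deleted", 642: "account changed"}

LogonSession = namedtuple("LogonSession",
                          "time user domain logon_type workstation source")
Finding = namedtuple("Finding",
                     "time event_id target caller caller_sid builtin_admin session")


def parse_line(line):
    """Split one exported record into (timestamp, event ID, field dict)."""
    parts = line.rstrip("\n").split("|")
    when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split(":", 1) for p in parts[2:])
    return when, int(parts[1]), fields


def builtin_admin(sid):
    """The built-in Administrator keeps RID 500 no matter what it is renamed to."""
    return sid is not None and sid.rsplit("-", 1)[-1] == "500"


def correlate(log_text, account_sids):
    """Attach each account-management event to the caller's logon session."""
    sessions = {}   # Logon ID -> LogonSession, filled as logon events stream by
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, eid, f = parse_line(line)
        if eid in LOGON_EVENTS:
            sessions[f["Logon ID"]] = LogonSession(
                when, f["User Name"], f["Domain"], int(f["Logon Type"]),
                f["Workstation Name"], f.get("Source Network Address", "-"))
        elif eid in ACCOUNT_MGMT_EVENTS:
            caller = f["Caller Domain"] + "\\" + f["Caller User Name"]
            sid = account_sids.get(caller)
            findings.append(Finding(
                when, eid, f["Target Domain"] + "\\" + f["Target Account Name"],
                caller, sid, builtin_admin(sid), sessions.get(f["Caller Logon ID"])))
    return findings


def report(findings):
    """One human-readable line per finding, naming the originating computer."""
    lines = []
    for fn in findings:
        if fn.session is None:
            origin = "unknown session (logon event not in export)"
        else:
            origin = (f"{fn.session.workstation} ({fn.session.source}), logon type "
                      f"{fn.session.logon_type} at {fn.session.time:%H:%M:%S}")
        flag = " [RID 500 = built-in Administrator]" if fn.builtin_admin else ""
        lines.append(f"{fn.time:%Y-%m-%d %H:%M:%S} {fn.event_id} "
                     f"{ACCOUNT_MGMT_EVENTS[fn.event_id]}: {fn.target} by "
                     f"{fn.caller}{flag} from {origin}")
    return lines


if __name__ == "__main__":
    for line in report(correlate(SAMPLE_LOG, ACCOUNT_SIDS)):
        print(line)
```

The join key is the Logon ID, which is unique per session on one machine, so both halves must come from the same DC's log; an account-management event whose Caller Logon ID has no matching logon event means the session started before the export began or the "logon" audit category was not enabled, which is why Steve tells you to turn it on in the Domain Security Policy.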