Securing a Win2k3 Network

Windows Server 2000/2003 forum (Technical), page 1 of 3, posts 1 to 15 of 40
#1 dave20046

Right, I'll ignore most of your sniggers at the title, but I've got an 'awkward' pupil and am just after some tips.
The kid's managed to successfully hack the network and change security rights on shared folders. How he's doing it I'm not entirely sure; he's either used a boot tool or somehow obtained an admin password. What he has managed to do is create local admin accounts on machines. I really reckon he's used a boot tool, actually (the admin accounts he's set up are named 'adm', if it's of any significance).

Now firstly, is there any way of stopping him messing with the local admin passwords? I'm thinking the chances are slim. Secondly (mainly), how is he utilizing the local admin account to mess with the servers, and how do I block him? I thought that to do anything to files on the server he'd be prompted to enter network credentials upon connecting.

    Help anyone?

#2 dave20046

Sorry, forgot to add: the client machines are all XP.
Pupils have the command prompt blocked and haven't many privileges.

#3 cookie_monster
Well, the first thing that you need to do is change the BIOS boot order and set a password so that the person can't boot your stations from any bootable media.

I'd probably also set this value to help stop local passwords being cracked: "Do not store LAN Manager hash value on next password change".

Use Restricted Groups to stop local admins from being added to stations.

http://www.windowsecurity.com/articl...ed-Groups.html

Make sure that all of your users are only ordinary users, NOT power users or local admins. Then I'd audit all users in the domain with administrator rights and change the passwords.
Also run the MBSA on servers and a few clients; this will highlight any obvious problems.

Oh, and I'd also be sitting the student down for a 'chat'. It doesn't have to be nasty, but they must be in breach of your AUP and could be suspended, not to mention any serious breach of data should involve the police.
    Last edited by cookie_monster; 24th November 2009 at 02:03 PM.

2 Thanks to cookie_monster: dave20046 (24th November 2009), sparkeh (24th November 2009)

#4 KWestos
    Put it on the school intranet that he wears his mam's knickers!

4 Thanks to KWestos: andyturpie (1st December 2009), bossman (24th November 2009), dave20046 (24th November 2009), Edu-IT (24th November 2009)

#5 Michael
As above, the BIOS boot sequence configuration needs to be changed and passworded. Secondly, the local administrator account password should be changed to something random too. By default XP leaves the administrator password blank. You can specify what the local administrator password should be in an answer file when Sysprepping machines.

    On your domain, if you're using 'administrator', you should really rename this. You could also introduce Access-based Enumeration (ABE), so you can hide shares based on permissions.

2 Thanks to Michael: cookie_monster (24th November 2009), dave20046 (24th November 2009)

#6 cookie_monster

Quote Originally Posted by Michael:
On your domain, if you're using 'administrator', you should really rename this
    Good call. You can do this at the domain level and it will rename the local on your stations as well.

    HOW TO: Rename the Administrator and Guest Account in Windows Server 2003

3 Thanks to cookie_monster: dave20046 (24th November 2009), Michael (24th November 2009), sparkeh (24th November 2009)

#7 dave20046

Quote Originally Posted by cookie_monster:
Well, the first thing that you need to do is change the BIOS boot order and set a password so that the person can't boot your stations from any bootable media.

I'd probably also set this value to help stop local passwords being cracked: "Do not store LAN Manager hash value on next password change".

Use Restricted Groups to stop local admins from being added to stations.
[...]
Thanks for the above. I wasn't aware of the Restricted Groups setting; I'll look into it and get it enforced. I'll nip round as many vulnerable stations as possible to alter the BIOS settings too (was hoping I could avoid that!). Could you tell me where the 'do not store LAN Manager' value can be found?

I've had a chat with the pupil. All I could really say was 'don't be destructive, it's pointless'. He told me the machines he'd added the extra user account to and refused to give me much more information. He reckoned he could get on remotely from home, and he reckoned he was using tools that automatically cleared the logs. He also reckoned his mate who works for the MOD would be launching a DoS attack at 15.05 today. It's just trying to determine the truth...

    I'm keen to know how he's using the local admin account he's made to mess with the shared folders too.

#8 Michael
    Yeah and I reckon he has 4 arms too. Too busy doing things he shouldn't.

#9 dave20046

Quote Originally Posted by Michael:
Yeah and I reckon he has 4 arms too. Too busy doing things he shouldn't.
Indeed, it's frustrating; however, I'm staying positive. I'm not a teacher, so I'm not allowed to discipline him; the teachers and head are well aware, so it's up to them.

My main priority's getting stuff back on track and blocking him out. Interesting episode too.

Thanks for your help Michael, just renaming the admin now.

PS: I hadn't changed the admin account name previously as I thought it was pointless, as the SID doesn't change for the account and they don't have the password. I take it I'm wrong; just wondering if you know why, though?
    Last edited by dave20046; 24th November 2009 at 02:39 PM.

#10 cookie_monster

Take a look here for "Do not store LAN Manager hash value on next password change"; read the notes about 9x clients if you have any.

    Network security: Do not store LAN Manager hash value on next password change

Quote Originally Posted by dave20046:
PS: I hadn't changed the admin account name previously as I thought it was pointless, as the SID doesn't change for the account and they don't have the password. I take it I'm wrong; just wondering if you know why, though?
The DA will still have the same SID, but it's still an extra stumbling block; security in layers, remember.

Thanks to cookie_monster from: dave20046 (24th November 2009)
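The three station-side checks raised so far (unexpected members in the local Administrators group, whether the built-in Administrator has actually been renamed, and whether the "Do not store LAN Manager hash value" policy has landed) can be audited from one admin workstation rather than by walking round. The script below is an added example, not code from the thread or any poster. It assumes PowerShell 2.0 with the WinNT ADSI provider, an account that is a local administrator on each station, the Remote Registry service running on the stations, a constructed stations.txt (one hostname per line), and an $approvedAdmins list you adjust for your domain.

```powershell
# Added example, not from the thread: audit XP/2003 stations for unexpected
# local admins, an un-renamed built-in Administrator, and NoLMHash.
# Assumptions: PowerShell 2.0, local admin rights on each station, Remote
# Registry running, stations.txt (constructed hostname list) in the current dir.
$approvedAdmins = @('Administrator', 'Domain Admins')   # names you expect in local Administrators
$stations = Get-Content .\stations.txt

function Get-LocalAdminMembers([string]$station) {
    # WinNT provider: enumerate the local Administrators group on $station
    $group = [ADSI]"WinNT://$station/Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Get-BuiltinAdminName([string]$station) {
    # The built-in Administrator keeps RID 500 whatever it is renamed to (the SID
    # never changes, as the thread notes), so find it by SID rather than by name.
    $computer = [ADSI]"WinNT://$station,computer"
    foreach ($child in $computer.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne 'user') { continue }
        $sidBytes = $child.psbase.Properties['objectSid'].Value
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($sid.Value -match '-500$') { return $child.psbase.Properties['Name'].Value }
    }
    return $null
}

function Get-NoLMHash([string]$station) {
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1 is what the
    # "Do not store LAN Manager hash value on next password change" policy sets
    # on XP/2003 (on Windows 2000 it is a subkey rather than a DWORD value).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $station)
    $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $value = $lsa.GetValue('NoLMHash')
    $hklm.Close()
    return $value
}

foreach ($station in $stations) {
    try {
        $members = Get-LocalAdminMembers $station
        $builtin = Get-BuiltinAdminName $station
        $noLm    = Get-NoLMHash $station
    } catch {
        Write-Warning "$station : $($_.Exception.Message)"
        continue
    }
    $unexpected = @($members | Where-Object { $approvedAdmins -notcontains $_ })
    $notes = @()
    if ($unexpected.Count -gt 0)       { $notes += 'unexpected local admins: ' + ($unexpected -join ', ') }
    if ($builtin -eq 'Administrator')  { $notes += 'built-in Administrator not renamed' }
    if ($noLm -ne 1)                   { $notes += 'LM hashes still stored (NoLMHash not set)' }
    if ($notes.Count -eq 0)            { $notes += 'OK' }
    '{0,-16} RID-500 account: {1,-20} {2}' -f $station, $builtin, ($notes -join '; ')
}
```

Because the built-in account is located by its RID rather than its name, this also shows whether the rename policy has applied on a station yet; a station that still reports "Administrator" has not picked up the GPO. Note that NoLMHash only affects hashes stored after the next password change, so it is worth forcing a change on the local accounts once the value is set.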

#11 theriver

Quote Originally Posted by dave20046:
PS: I hadn't changed the admin account name previously as I thought it was pointless, as the SID doesn't change for the account and they don't have the password. I take it I'm wrong; just wondering if you know why, though?
    If you know the username, you know half the login details. Admittedly the smaller half (!), but every little helps . . . .

    If network folders have been changed, it means that either the compromised local accounts have access to the network folders (unlikely?), his account has access to do that to the network (unlikely?) OR that he's compromised a network account that has the relevant access. Given that many of your staff will be using their fave football team as their password, that won't have been rocket surgery.

    Who has access to modify those folders? Enforce a password change, and for added fun scan the logs for failed login attempts in the next few days and see if you can catch him red-handed :-)

    Good luck with the MOD ;-)
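The log check theriver suggests (look for failed logins over the next few days) and the original problem (accounts being created and added to Administrators) both leave traces in the Security log if auditing is on. The script below is an added example, not code from the thread or any poster. It assumes PowerShell 2.0 run as an administrator on the server being examined, and the insertion-string positions for events 529 (Windows 2000/XP/2003) and 4625 (Vista/2008 and later) are taken from the documented event layouts; if a name looks wrong, compare it against $e.Message on your own system.

```powershell
# Added example, not from the thread: summarise the Security log so that
# password guessing and account tampering stand out. Assumptions: run as an
# administrator on the server (PowerShell 2.0, Get-EventLog); insertion-string
# positions below follow the 2003 (529) and Vista+ (4625) event layouts.
param(
    [int]$Days = 7,       # look back this many days
    [int]$Threshold = 5   # report names with at least this many failures
)

$since  = (Get-Date).AddDays(-$Days)
$events = @(Get-EventLog -LogName Security -After $since)

# Logon failures: 529 = bad user name/password (2000/XP/2003), 4625 = same on Vista+
$failures = @($events | Where-Object { $_.EventID -eq 529 -or $_.EventID -eq 4625 })
$byUser = @{}; $byStation = @{}
foreach ($e in $failures) {
    $s = $e.ReplacementStrings
    if ($e.EventID -eq 529) { $user = $s[0]; $station = $s[5] }   # User Name, Workstation Name
    else                    { $user = $s[5]; $station = $s[13] }  # TargetUserName, WorkstationName
    if (-not $user)    { $user = '<unknown>' }
    if (-not $station) { $station = '<unknown>' }
    $byUser[$user]       = 1 + [int]$byUser[$user]
    $byStation[$station] = 1 + [int]$byStation[$station]
}

"Failed logons since $since : $($failures.Count)"
"Accounts with at least $Threshold failures:"
$byUser.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } |
    Sort-Object Value -Descending | Format-Table Name, Value -AutoSize | Out-String
"Source workstations with at least $Threshold failures:"
$byStation.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } |
    Sort-Object Value -Descending | Format-Table Name, Value -AutoSize | Out-String

# Account management: 624/4720 = user account created, 636/4732 = member added to a
# security-enabled local group (Administrators included). "Audit account management"
# must be enabled in the audit policy for these to be written at all.
$mgmt = @($events | Where-Object { @(624, 636, 4720, 4732) -contains $_.EventID })
"Account-management events since $since : $($mgmt.Count)"
foreach ($e in $mgmt) {
    $text = $e.Message -replace '\s+', ' '
    '{0}  event {1}  {2}' -f $e.TimeGenerated, $e.EventID, $text.Substring(0, [Math]::Min(120, $text.Length))
}
```

Get-EventLog reads the whole log before filtering, so on a busy domain controller keep $Days small. The pupil's claim that his tools "clear the logs" is itself checkable: event 517 (2003) or 1102 (Vista+) is written when the Security log is cleared, and a log that restarts abruptly is a finding in its own right.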

#12 dave20046

Quote Originally Posted by theriver:
If you know the username, you know half the login details. Admittedly the smaller half (!), but every little helps . . . .
True, I've applied that GPO now; however, it doesn't seem to have changed the username.

Quote Originally Posted by theriver:
If network folders have been changed, it means that either the compromised local accounts have access to the network folders (unlikely?), his account has access to do that to the network (unlikely?) OR that he's compromised a network account that has the relevant access. Given that many of your staff will be using their fave football team as their password, that won't have been rocket surgery.
[...]
What he's actually done to the network folders is removed rights; he stripped all the users of rights to their own My Documents (folder redirected). Only an administrator could have done that...

#13 cookie_monster

Quote Originally Posted by dave20046:
True, I've applied that GPO now; however, it doesn't seem to have changed the username.
I made the change in the default domain policy. I'd be tempted to wait until scheduled downtime to try it, and remember that the stations might need a policy refresh or reboot.

Quote Originally Posted by dave20046:
What he's actually done to the network folders is removed rights; he stripped all the users of rights to their own My Documents (folder redirected). Only an administrator could have done that...
Again, another task for the evening or hols, but change all of the share permissions to 'Change' rather than Full Control; this stops users editing NTFS permissions remotely. I'd test this with folder redirection as I haven't tried it with that.
    Last edited by cookie_monster; 24th November 2009 at 03:30 PM.
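Before changing share permissions across the server, it helps to see which shares grant Full Control to whom at the share level, since that is the layer cookie_monster is talking about. The script below is an added example, not code from the thread or any poster. It assumes WMI/DCOM access to the file server as an administrator, uses FILESERVER01 as a constructed placeholder name, and relies on the standard share-permission access masks (Full Control 0x1F01FF, Change 0x1301BF, Read 0x1200A9).

```powershell
# Added example, not from the thread: list share-level permissions on a file
# server and flag non-admin entries holding Full Control, which is what allows a
# user to rewrite NTFS permissions over the network. Assumptions: WMI access as
# an administrator; $server is a constructed placeholder.
$server      = 'FILESERVER01'
$trustedFull = @('Administrators', 'Domain Admins', 'SYSTEM')

# Share-level access masks as shown in the share permissions dialog
$levels = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }   # 0x1F01FF, 0x1301BF, 0x1200A9

$settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $server
foreach ($share in $settings) {
    $result = $share.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        Write-Warning "$($share.Name): cannot read share DACL (return code $($result.ReturnValue))"
        continue
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $who = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $who = "$($ace.Trustee.Domain)\$who" }
        $level = $levels[[int]$ace.AccessMask]
        if (-not $level) { $level = 'custom 0x{0:X}' -f $ace.AccessMask }
        if ($ace.AceType -eq 1) { $level = "DENY $level" }     # AceType 0 = allow, 1 = deny
        $note = ''
        if ($ace.AceType -eq 0 -and $level -eq 'Full Control' -and $trustedFull -notcontains $ace.Trustee.Name) {
            $note = '<-- reduce to Change'
        }
        '{0,-20} {1,-35} {2,-16} {3}' -f $share.Name, $who, $level, $note
    }
}
```

Share permissions and NTFS permissions are evaluated together and the more restrictive one wins, so dropping Everyone or Users to Change at the share level does not stop them editing their own files; it only removes the ability to change permissions from a client. The built-in administrative shares (C$, ADMIN$) carry no editable share-level DACL and are not listed by this class.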

#14 Ryno

We had this problem with kids adding local administrator accounts. It turned out that they had been bringing in the shortcut to Computer Management on a USB pen drive and running it. All we did was set up software restrictions to stop them running .lnk files. It was a pain, as they also changed local admin passwords as well as adding their own users.

#15 cookie_monster

Quote Originally Posted by fagan:
We had this problem with kids adding local administrator accounts. It turned out that they had been bringing in the shortcut to Computer Management on a USB pen drive and running it. [...]

They must have some form of admin rights already to be able to add users to the Administrators group.
