Sorry, forgot to add; the client machines are all XP.
Pupils have command prompt blocked and haven't many privileges.
Right, I'll ignore most of your sniggers at the title, but I've got an 'awkward' pupil and am just after some tips.
The kid's managed to successfully hack the network and change security rights on shared folders; how he's doing it I'm not entirely sure, he's either used a boot tool or somehow obtained an admin password. What he has managed to do is create local admin accounts on machines. I really reckon he's used a boot tool actually (the admin accounts he's set up are named 'adm', if it's of any significance).
Now firstly, is there any way of stopping him messing with the local admin passwords? I'm thinking the chances are slim. Secondly (mainly), how is he utilizing the local admin account to mess with the servers, and how do I block him? I thought to do anything to files on the server he'd be prompted to enter network credentials upon connecting.
Help anyone?
Well, the first thing that you need to do is change the BIOS boot order and set a password so that the person can't boot your stations from any bootable media.
I'd probably also set this value to help stop local passwords being cracked: "Do not store LAN Manager hash value on next password change".
Use restricted groups to stop local admins from being added to stations.
http://www.windowsecurity.com/articl...ed-Groups.html
Make sure that all of your users are only ordinary users, NOT power users or local admins. Then I'd audit all users in the domain with administrator rights and change the passwords.
Also run the MBSA on servers and a few clients; this will highlight any obvious problems.
Oh, and I'd also be sitting the student down for a 'chat'. It doesn't have to be nasty, but they must be in breach of your AUP and could be suspended, not to mention any serious breach of data should involve the police.
Last edited by cookie_monster; 24-11-2009 at 02:03 PM.
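An added example (not from the thread or any poster) of auditing the two points above: which accounts sit in each station's local Administrators group, and whether NoLMHash is set. It assumes you run it as a domain admin from a machine with PowerShell, that the Remote Registry service is running on the stations, and that the computer names and the `$Expected` list are placeholders you replace with your own.

```powershell
# Added audit script, not from the thread. Assumes: domain admin credentials,
# Remote Registry running on the clients, placeholder station names below.
$Computers = @('XP-LAB01', 'XP-LAB02')              # placeholders, replace
$Expected  = @('Administrator', 'Domain Admins')    # members you intend to allow

# List the members of a station's local Administrators group via the WinNT ADSI provider.
function Get-LocalAdmins([string]$Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Read HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash remotely; 1 means
# "Do not store LAN Manager hash value on next password change" is in effect.
function Get-NoLMHash([string]$Computer) {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $val  = $key.GetValue('NoLMHash')
    return ($val -eq 1)
}

foreach ($c in $Computers) {
    try {
        $members = @(Get-LocalAdmins $c)
        # Anything not on the allow list (e.g. a stray 'adm' account) is flagged.
        $rogue   = @($members | Where-Object { $Expected -notcontains $_ })
        New-Object PSObject -Property @{
            Computer    = $c
            LocalAdmins = ($members -join ', ')
            Unexpected  = ($rogue -join ', ')
            NoLMHash    = (Get-NoLMHash $c)
        }
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
    }
}
```

Rows with a non-empty Unexpected column or NoLMHash = False are the stations to visit first; once Restricted Groups is enforced, re-running it confirms the policy has actually applied.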
Put it on the school intranet that he wears his mam's knickers!
As above, the BIOS boot sequence configuration needs to be changed and passworded. Secondly, the local administrator account password should be changed to something random too. By default XP leaves the administrator password blank. You can specify what the local administrator password should be in an answer file when Sysprepping machines.
On your domain, if you're using 'administrator', you should really rename this. You could also introduce Access-based Enumeration (ABE), so you can hide shares based on permissions.
> On your domain, if you're using 'administrator', you should really rename this

Good call. You can do this at the domain level and it will rename the local on your stations as well.
HOW TO: Rename the Administrator and Guest Account in Windows Server 2003
Thanks for the above, I wasn't aware of the restricted groups setting. I'll look into it and get it enforced. I'll nip round as many vulnerable stations as possible to alter the BIOS settings too (was hoping I could avoid that!). Could you tell me where the 'Do not store LAN Manager' value can be found?
I've had a chat with the pupil. All I could really say was 'don't be destructive, it's pointless'. He told me the machines he'd added the extra user account to and refused to give me much more information. He reckoned he could get on remotely from home and he reckoned he was using tools that automatically cleared the logs. He also reckoned his mate who works for the MOD would be launching a DoS attack at 15.05 today. It's just trying to determine the truth...
I'm keen to know how he's using the local admin account he's made to mess with the shared folders too.
Yeah and I reckon he has 4 arms too. Too busy doing things he shouldn't.
Indeed it's frustrating, however I'm staying positive. I'm not a teacher, I'm not allowed to discipline him; the teachers and head are well aware so it's up to them.
My main priority's getting stuff back on track and blocking him out, interesting episode too.
Thanks for your help michael, just renaming the admin now.
PS: I hadn't changed the admin account name previously as I thought it was pointless, as the SID doesn't change for the account and they don't have the password. I take it I'm wrong; just wondering if you know why though?
Last edited by dave20046; 24-11-2009 at 02:39 PM.
Take a look here for 'Do not store LAN Manager hash value on next password change'; read the notes about 9x clients if you have any.
Network security: Do not store LAN Manager hash value on next password change
> PS: I hadn't changed the admin account name previously as I thought it was pointless as the SID doesn't change for the account and they don't have the password. I take it I'm wrong just wondering if you know why though?

The DA will still have the same SID, but it's still an extra stumbling block. Security in layers, remember.
If you know the username, you know half the login details. Admittedly the smaller half (!), but every little helps . . . .
If network folders have been changed, it means that either the compromised local accounts have access to the network folders (unlikely?), his account has access to do that to the network (unlikely?) OR that he's compromised a network account that has the relevant access. Given that many of your staff will be using their fave football team as their password, that won't have been rocket surgery.
Who has access to modify those folders? Enforce a password change, and for added fun scan the logs for failed login attempts in the next few days and see if you can catch him red-handed :-)
Good luck with the MOD ;-)
True, I've applied that GPO now, however it doesn't seem to have changed the username.
What he's actually done to the network folders is removed rights, he stripped all the users of rights to their own my documents (folder redirected). Only an administrator could have done that...
> True, I've applied that GPO now however it doesn't seem to have changed the username

I made the change in the default domain policy. I'd be tempted to wait until scheduled downtime to try it, and remember that the stations might need a policy refresh or reboot.

> What he's actually done to the network folders is removed rights, he stripped all the users of rights to their own my documents (folder redirected). Only an administrator could have done that...

Again, another task for the evening or hols, but change all of the share permissions to 'change' rather than full control; this stops users editing NTFS permissions remotely. I'd test this with folder redirection as I haven't tried it with that.
Last edited by cookie_monster; 24-11-2009 at 03:30 PM.
We had this problem with kids adding local administrator accounts. It turned out that they had been bringing in the shortcut to Computer Management on a USB pen drive and running it. All we did was set up software restrictions to stop them running .lnk files. Was a pain as they also changed local admin passwords as well as adding their own users.