Win2003 loses AD user account

Discussion in 'Server Security' started by Mike, Sep 28, 2005.

  1. Mike

    Mike Guest

    My client has a Win2003 file/print server with SP1 and latest updates. AD,
    DNS + DHCP installed and configured. It is the only domain controller on the
    network. All workstations run WinXP SP2. It uses the standard "default
    domain policy" installed with AD.

    PROBLEM
    1 x Winxp machine keeps on losing its network shares (these are
    administrative shares).
    When this happens the data gets "deleted" from the server. The LAN settings
    gets disabled (No TCP/IP or Client for Mic Net)
    The "change" and "Network ID" buttons are disabled.
    The user account in Active Directory is deleted

    I have tried the following
    1. Rebuild user domain profile on wks, to no success
    2. Reinstalled AD + rejoined all wks to domain
    3. No errors in Event log as to why this happens. In Security log it show
    that acocunt was removed by administrator. But no one has administrator
    password and wks are not setup with admin rights.
    4. Tried: Different NIC, Power Supply, another WinXP pc (different model as
    to those on site), different power point, Network point and UTP flylead
    5. Scanned for viruses using Trend, McAfee = pc was clean (as well as
    domain)
    6. Scanned for spyware and malware = pc clean (as well as domain)

    If anyone can assist with this it would greatly be appreciated. (Ek is
    raadop)

    Thanks
    Mike
     
    Mike, Sep 28, 2005
    #1
    1. Advertisements

  2. It would seem that someone/something is using administrator credentials for
    the domain. If a domain administrator logs onto a domain workstation and the
    computer is infected it is possible that the malware use domain
    administrator credentials to compromise the domain. Keyboard loggers are
    another risk. See if the security logs on the domain controller can pinpoint
    the computer that the administrator deleted the account from and you may
    have to correlate logon events in the security log to the account deletion
    event which may be close in time. Also look in the security logs to see if
    it shows logons from any account in the administrators group or domain
    admins group from domain computers at times that would be suspicious.

    What I would do is to shutdown the problem computer, make sure that
    membership in Active Directory Users and Computers for administrators group,
    domain admins, and enterprise admins is what it should be, have any users in
    these groups change their passwords and force such by checking that user
    must change password at next logon , make sure that the use of password
    complexity is enabled in the domain, and instruct anyone that is in any
    administrator group in the domain to never logon to a domain computer with
    their domain administrator account other then know secured domain
    workstations used for administrating the domain. Such workstations would be
    restricted by security policy to allow only domain administrators to logon
    to [including their normal domain accounts that do NOT use the same password
    as their admin accounts], be hardened, physically secured from all other
    users, and never used for internet browsing. Then I would isolate the
    problem computer from the network before you turn it back on and do a fresh
    install of the operating system to a formatted hard drive, install security
    updates, antivirus, etc and then put it back on the network to see what
    happens.

    Scanning for malware will not always insure a computer is clean. Root
    usually escape detection by malware detection programs. SysInternals has a
    free tool called RooKitRevealer that may be helpful in detecting a rootkit
    compromise. The other thing to remember is that malware detection tools can
    not detect if a computer has been hacked which is a big difference. A hacked
    computer could be completely clean but have hard to detect instructions or
    scripts on it that can still do damage such as you describe. If problems
    continue other computers on the network would also be suspect and I would
    use the security logs on domain controllers and possibly domain computers
    [enable auditing of "logon" events in Domain Security Policy] to try and
    track down the offending computers. Event Comb free from MS can be used to
    scan domain computers for Event ID's and text strings such as user names. A
    software or hardware problem on a client computer simply does not delete
    accounts in AD. The links below may help. --- Steve

    http://www.sysinternals.com/utilities/rootkitrevealer.html --- RootKit
    Revealer
    http://www.microsoft.com/downloads/...E3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en
    --- Anti Virus in Depth Guide from Microsoft
    http://www.microsoft.com/smallbusiness/support/computer-security.mspx ---
    MS Small Business Security Guidance
     
    Steven L Umbach, Sep 28, 2005
    #2
    1. Advertisements

  3. Mike

    Mike Guest

    Thanks Steve,

    Will try out as mentioned below and post back the resluts

    Mike

     
    Mike, Sep 28, 2005
    #3
  4. OK. I also want to add that I should have clarified something. To allow a
    domain user to be a local administrator on a domain computer add that domain
    user account to the local administrators group on the domain computers. You
    can use Restricted Groups as described in the link below to do this with a
    global group. This allows a domain user such as a domain administrator to
    administer domain computers, other than domain controllers, with that
    regualr domain user account without being logged on as a domain
    administrator. --- Steve

    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

     
    Steven L Umbach, Sep 28, 2005
    #4
  5. Mike

    Mike Guest

    done as you mentioned below and even used the rootkitrevealer tool, but no
    luck

    my main problem is still that the AD user account gets deleted (and security
    log show administrator did it)
    I even went as far to setup 2 machines, each with their own profiles. One
    machine accesses "home data" and "company data"(everyone has access) on
    server. These shares are administrative shares $, The other machine accesses
    only a copy of the pst and "company data" share.

    I went as far as to create a mandatory profile for the user, which seams to
    keep the profile stored on the server (previously the local profile on XP
    also disappeared), but the AD account still gets deleted.

    any other suggestions?

    mike


     
    Mike, Oct 11, 2005
    #5
  6. It sounds like the problem may be related to users having more access than
    needed. The administrative shares normally are not used as general shares as
    users need to be local administrators [or domain admins for a domain
    controller] to access and administrative share and that means the users can
    do anything they want on the server including deleting user accounts,
    changing passwords for the built in administrator account to logon as that
    acount, and just about anything else. It is much more likely that a server
    could be hacked or have malware if all users are administrators. Users that
    are administrators do not have to be malicious to do damage but can through
    ineptness, laziness, or being careless.

    I understand that in small businesses that one server is often jack of all
    trades as it sounds like here but unless it can be configured to be
    functional with users not being administrators [particualry domain
    administrators] it is going to be very difficult to impossible to figure out
    exactly what is going on and prevent future problems. Having said that I
    would change the password on the built in administrator account and look for
    account management events [ 628 and 642 I believe] that indicate that the
    password for the built in administrator accound was changed/reset and by
    what user that may give you a clue as to what is going on. --- Steve



     
    Steven L Umbach, Oct 12, 2005
    #6
  7. Another thing I would try is to rename the built in administrator account
    and change it's description. Then create a regular user account named
    administrator and disable it to see what happens. Be sure to write the new
    name down somewhere in a safe place so that you do not forget it. If someone
    is playing around with the administrator account that may stop or expose
    them [via security log events] . However that will not stop a more
    knowledgeable user as the there are tools to find the real administrator
    account since it has a fixed SID. --- Steve


     
    Steven L Umbach, Oct 12, 2005
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.