Hacked again...


146 Posts
Location -
Joined 2001-07-13
Morning all.
 
To say the least my DC has been compromised again.
 
I've set up a Windows 2000 Adv. Server with AD and secured it with TCP port filtering along with a tightened policy setup where the user is not even allowed to "right mouse button click" on the domain. But whoever the bugger is has been able to hack and give the ability to add a workstation to the domain with any user account on the AD. So long as the person is a user on the AD they can join any system to the domain. However, they still do not have access to the AD Users and Computers app to have delegation over my AD. It's most likely I was hacked from a node outside of my segment of network within my company, as I do not have a firewall in place yet to protect my segment of network. So far it seems that joining systems to the domain is the extent of the damage. I've checked policy settings and built-in account groups to see if anything had been tampered with (e.g. any users added to any of the Admin groups) and came up with nothing.
 
Can anyone tell me anywhere else I can look to see who has been given delegation or permission to add a workstation to the domain, keeping in mind that I've already checked the default domain policy? And also a solution to prevent the joining of a system from unauthorized user accounts.
 
Thanks in advance either way.


Responses to this topic



690 Posts
Location -
Joined 2004-05-06
To join a domain you just need 'Account Operator' rights and that should give 'Create Computer Objects' privileges, and new objects are created in the Computers container by default.
 
I suggest you turn on Auditing on the Domain Controllers of 'Audit Account Management' in the GPO and then you can see who is hacking your system in the Event Viewer!
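The auditing approach in this reply, written out as an added example (not code from the thread or from any poster): enable account-management auditing on the DC and then pull the "computer account created" events so the creator of each machine account is visible. It assumes a Windows Server DC with auditpol.exe, Get-WinEvent and event ID 4741; on a Windows 2000 DC the equivalent is the "Audit account management" setting in the Domain Controllers GPO, and the event to look for in the Security log is ID 645 (Computer Account Created), which carries the same caller and target fields.

```powershell
# Added example, not from the thread. Assumes a 2008 R2+ DC; see the lead-in for the
# Windows 2000 equivalents (GPO "Audit account management", Security event 645).

# 1. Enable success and failure auditing for computer account management on this DC.
#    In a domain, set the same thing in the Default Domain Controllers Policy so a
#    Group Policy refresh does not undo it.
auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable

# 2. Collect "A computer account was created" events (ID 4741) from the last 30 days.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData into caller / new computer / DC so it can be grouped.
$joins = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Creator  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # who performed the join
        Computer = $d['TargetUserName']                                   # the new computer account
        DC       = $e.MachineName
    }
}

# Who has been joining machines, and how many each? This answers the original question
# of "who" far more directly than reading policy settings.
$joins | Group-Object Creator | Sort-Object Count -Descending | Select-Object Count, Name

# Full detail, newest first.
$joins | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it on each DC (or point Get-WinEvent at them with -ComputerName), because the event is logged only on the DC that processed the join. A failure event for the same subcategory is just as useful: a user who has hit the quota or lacks the right will show up as a failed creation attempt.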
 


91 Posts
Location -
Joined 2001-04-19
If the policy has not been changed, by default any Domain User can add up to 10 PCs to the domain.
 
This can be changed through a group policy.
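As an added example (not from the thread), here is how the "10 PCs per user" default described above can be read, traced and closed. The thread does not name the setting; it is the ms-DS-MachineAccountQuota attribute on the domain object, which has existed since Windows 2000 and defaults to 10, and the separate "Add workstations to domain" user right assigned in the Domain Controllers GPO. The script assumes the ActiveDirectory PowerShell module (RSAT / Server 2008 R2 or later); on a Windows 2000 DC the same attribute can be viewed and edited with ADSI Edit, and the user right is under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Read the current per-user join quota (default 10).
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. A machine joined under the quota (rather than by an admin or a delegated account)
#    stores the joiner's SID in mS-DS-CreatorSID. Listing those objects shows exactly
#    which ordinary user accounts have been joining computers, and which ones.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($_.'mS-DS-CreatorSID', 0)
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; Created = $_.whenCreated }
    } | Sort-Object JoinedBy, Created | Format-Table -AutoSize

# 3. Show who holds the "Add workstations to domain" right (SeMachineAccountPrivilege)
#    on this DC; by default it is granted to Authenticated Users, which is what lets the
#    quota be used at all.
$cfg = Join-Path $env:TEMP 'dc-rights.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Close the hole: set the quota to 0 so the default allowance is gone. Domain Admins,
#    Account Operators and anyone explicitly delegated "Create Computer objects" on an
#    OU can still join machines; ordinary users cannot.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Setting the quota to 0 is the usual fix for exactly the situation in the original post: it removes the implicit right without touching any delegation, and joins afterwards have to go through an account that has been deliberately given the permission. Removing Authenticated Users from the "Add workstations to domain" right in the Domain Controllers GPO achieves the same effect from the policy side, and doing both means neither setting can quietly reopen the other.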