Possible compromise of Windows Server 2003 security risk & unknown users

 
 
Chris
12-07-2005, 03:29 PM
Hi Everyone,

I wanted to find out if anybody is aware of how a Windows Server 2003
Terminal Server out-of-the-box environment can ever become
compromised/hacked?

We have recently received a security report stating that the server we are
running has been performing other tasks, such as the polling of websites
and the scanning of other networks also being hosted. Our server is on the
Internet.

We noticed in our user list an unknown username named 'tsadmin' had been
created and was logging in, with full access rights just like an
administrator; they were also a member of the backup users group. However,
none of us ever recall creating this user. We are careful about who we
create on the server and never allow them to have a desktop environment.

Is this a coincidence?

We have now deleted the tsadmin user.

If anybody could advise on this, or recommend any additional security checks
or security logging software, then this would be ideal.

How can we check if our server has been compromised? Do we need to fix
anything? What can we do to prevent it from happening again?

We currently use an up-to-date version of AVG server edition scanner, but if
anybody knows of a more dedicated server security product this would be
greatly appreciated.

Thanking you in advance

Chris


 
Deephazz
12-07-2005, 05:30 PM
Hello,

I don't know if this could be useful but I'm posting it anyway ...

- If your OS is not yet updated, update it to SP1
- On Local Policies > Security Options: enable "Do not allow anonymous
enumeration of SAM accounts" and enable "Do not allow anonymous enumeration
of SAM accounts and shares". This would prevent some brute force attacks.

Setting the account lockout threshold to 5 and lockout duration to 30 minutes
could be good too.
Delete any account that you didn't create.

Although it's common sense, I hope this could help.

Regards.


 
 
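The checks in the reply above, as an added script that is not code from the thread: it reports whether each item (service pack level, the two anonymous-enumeration options, the lockout policy) is in place on a Windows Server 2003 box and lists any local account nobody on the team created, together with the members of the privileged local groups. Assumptions not stated in the thread: PowerShell 2.0 (the last version that runs on Server 2003) is installed, the session is an elevated one on the server itself, and $ExpectedUsers has been edited to the accounts you actually created. The LSA registry value names for the two security options and the secedit export keys are the standard ones for this platform. Nothing is changed, only reported.

```powershell
# Added hardening check for the items in the reply above; not code from the thread.
# Assumptions: Windows Server 2003, PowerShell 2.0, elevated local session, and
# $ExpectedUsers edited to the accounts your team actually created.

$ExpectedUsers = @('Administrator', 'Guest', 'SUPPORT_388945a0')   # edit for your server

function Get-HardeningFindings {
    $findings = @()

    # 1. Service pack level (the reply's "update it to SP1"). ServicePackMajorVersion is 0 on RTM.
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.ServicePackMajorVersion -lt 1) {
        $findings += "OS '$($os.Caption)' has no service pack; install SP1 and later updates"
    }

    # 2. The two "Do not allow anonymous enumeration ..." options are LSA registry values:
    #    ... of SAM accounts            -> RestrictAnonymousSAM = 1
    #    ... of SAM accounts and shares -> RestrictAnonymous    = 1
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($value in 'RestrictAnonymousSAM', 'RestrictAnonymous') {
        if ($lsa.$value -ne 1) { $findings += "$value is '$($lsa.$value)' (expected 1)" }
    }

    # 3. Lockout policy, read from a secedit export instead of parsing localized 'net accounts' text.
    #    In the export: LockoutBadCount 0 = never lock out; LockoutDuration -1 = until an admin unlocks.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $policy.ContainsKey('LockoutBadCount') -or $policy['LockoutBadCount'] -eq 0) {
        $findings += 'Lockout threshold is 0 (never lock out); the reply suggests 5'
    } elseif ($policy['LockoutDuration'] -ge 0 -and $policy['LockoutDuration'] -lt 30) {
        $findings += "Lockout duration is $($policy['LockoutDuration']) minutes; the reply suggests 30"
    }

    # 4. Local accounts nobody on the team created (the 'tsadmin' case), plus privileged group members.
    foreach ($u in Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True') {
        if ($ExpectedUsers -notcontains $u.Name) {
            $findings += "Unexpected local account '$($u.Name)' SID=$($u.SID) Disabled=$($u.Disabled)"
        }
    }
    $pairs = Get-WmiObject Win32_GroupUser   # every group/member pair on the box
    foreach ($group in 'Administrators', 'Backup Operators', 'Remote Desktop Users') {
        $members = $pairs | Where-Object { $_.GroupComponent -like "*Name=`"$group`"*" } |
            ForEach-Object { if ($_.PartComponent -match 'Name="([^"]+)"') { $matches[1] } }
        $findings += "$group members: $(($members | Sort-Object) -join ', ')"
    }
    $findings
}

Get-HardeningFindings
```

Run it once before and once after applying the settings; a clean run prints only the three group-membership lines, and any name in those lines or in an "Unexpected local account" line that the team does not recognise is the thing to investigate before deleting it.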
Phillip Windell
12-07-2005, 08:23 PM
"Chris" wrote:

> We noticed in our user list an unknown username named 'tsadmin' had been

You have to already be an administrator to create an account. If someone
already had the Admin credentials, why would they need to bother creating an
account to do something they already could have done before they created it?
Somebody there either created the account and forgot, or created it and
isn't telling, or your Admin credentials are "well known" by others.

You should have left the account there and allowed it to be used (with
auditing "on") so you could track its use. After that you should have left
it there, but with a changed password, so you could watch the failed login
attempts "roll in" and track them.

By removing it, you kind of cut yourself off from the only link you had to
figure it out.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

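An added example, not code from the thread, of the approach Phillip describes: switch on auditing of logon and account-management events, then pull the Security log entries that show who created the watched account, which groups it was added to, who deleted it, and where logon attempts against it come from. Assumptions not in the thread: Windows Server 2003 with its pre-Vista event IDs (624/630/636 for account management, 528/540/529/539 for logons), PowerShell 2.0 on the server, an elevated session, English event text (the field labels are parsed from the message body), and the account name in $Honeypot. The Source Network Address field is missing from the logon events on older builds, in which case the script prints "-" for it.

```powershell
# Added example for the advice above; not code from the thread. Assumptions: Windows
# Server 2003 (pre-Vista event IDs), PowerShell 2.0, elevated session, English event
# text, and $Honeypot set to the account being watched.
$Honeypot = 'tsadmin'

# --- 1. Turn on auditing of logon events and account management, success and failure.
# Server 2003 has no built-in auditpol.exe, so the policy is applied through secedit.
# In the INF's [Event Audit] section: 0 = none, 1 = success, 2 = failure, 3 = both.
$inf = Join-Path $env:TEMP 'audit.inf'
$db  = Join-Path $env:TEMP 'audit.sdb'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# --- 2. Read one labelled field out of an event's message text, e.g. "User Name:<tab>tsadmin".
function Get-Field($message, $label) {
    $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(\S.*?)\s*$'
    if ($message -match $pattern) { $matches[1] } else { '-' }
}

# --- 3. Pull the events that tell the story of the account. Pre-Vista IDs:
#   624 account created, 636 member added to a local group, 630 account deleted,
#   528/540 successful logon (Logon Type 10 = Terminal Services), 529 bad user name
#   or password, 539 account locked out. 636 sometimes records only the member SID,
#   so every 636 in the window is shown rather than only those naming the account.
$watch = 624, 630, 636, 528, 540, 529, 539
$since = (Get-Date).AddDays(-30)
Get-EventLog -LogName Security -Newest 50000 |
    Where-Object { $watch -contains $_.EventID -and $_.TimeGenerated -ge $since -and
                   ($_.Message -match $Honeypot -or $_.EventID -eq 636) } |
    ForEach-Object {
        $e = $_; $m = $e.Message; $when = $e.TimeGenerated.ToString('yyyy-MM-dd HH:mm:ss')
        switch ($e.EventID) {
            624 { "$when CREATED $(Get-Field $m 'New Account Name') by $(Get-Field $m 'Caller User Name')" }
            636 { "$when ADDED $(Get-Field $m 'Member Name') to $(Get-Field $m 'Target Account Name') by $(Get-Field $m 'Caller User Name')" }
            630 { "$when DELETED $(Get-Field $m 'Target Account Name') by $(Get-Field $m 'Caller User Name')" }
            { $_ -eq 528 -or $_ -eq 540 } { "$when LOGON-OK type $(Get-Field $m 'Logon Type') from $(Get-Field $m 'Source Network Address')" }
            529 { "$when BAD-PASSWORD type $(Get-Field $m 'Logon Type') from $(Get-Field $m 'Source Network Address') ws $(Get-Field $m 'Workstation Name')" }
            539 { "$when LOCKED-OUT ws $(Get-Field $m 'Workstation Name')" }
        }
    }
```

With the account left in place and its password changed, as Phillip suggests, the 529 lines give the source addresses and workstation names of whoever keeps trying it, and the 624/636 lines give the caller that created it and added it to Administrators and the backup group. Because the Security log on Server 2003 is small by default, raise its maximum size in Event Viewer before relying on a 30-day window.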


 