User compromised our network - how?
*Placed this in the wrong forum - thought this was a general admin forum, please move*
Hi,
Recently on our network we had a user complain that on his computer he received a message informing him that he was about to be logged off, and that is what happened, along with another user. This was clearly carried out by another user (the message was along the lines of "hahaha logging you off").
My question is how could they have done this and how can it be prevented? In the GPO, access to the command line is disabled. My suspicion is that they used a batch file to run the 'shutdown' command, because even though the command line is disabled some commands seem to work this way.
If this is the most likely way, then I understand it's not a good idea to disable the running of batch files completely because they are used at logon. Is there any way to monitor when a user manually runs a batch file?
May 17th, 2010 1:10pm
If they have permission on the computer, they can run shutdown.exe to restart or shut down the computer.
You can remove the admin privilege on the computer by using Restricted Groups GPO settings:
http://support.microsoft.com/kb/279301
http://support.microsoft.com/kb/810076
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
May 17th, 2010 10:57pm
Hi Santhosh
We found this user and the batch files he was using. He confessed to adding himself to the local Administrators group and then using the shutdown command. The only reason I can think of that he would be able to add himself to this group is that we have experienced problems occasionally with group policy, so it may be that during such a time he was able to run the 'net group administrators add <username>' command.
May 17th, 2010 11:42pm
Yes. Thanks for the update.
He must have local admin permission on the machine.
You can use Restricted Groups GPO settings to control the local admin membership.
Also, look at one of my old blogs:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/GetcontrolofyourseversusingStartupShutdownScript.html
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
May 17th, 2010 11:51pm
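The thread's two practical points, checking who sits in the local Administrators group (the membership a Restricted Groups GPO would enforce) and finding out when someone added themselves, can be scripted from an admin workstation. The PowerShell below is an added example, not code from the thread or its posters; the hostnames, the CONTOSO domain and the baseline group list are placeholder assumptions.

```powershell
# Added example, not from the thread: report local Administrators members that are not
# in an expected baseline (the drift a Restricted Groups GPO would reset), and list recent
# "member added to local group" security events so a manual addition leaves a trail.
# Placeholders: the hostnames and baseline below are assumptions, not values from the thread.
$Computers = @('WS-01', 'WS-02')
$Baseline  = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # The WinNT ADSI provider works on Windows 2003/XP-era hosts as well as newer ones.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath looks like WinNT://CONTOSO/Domain Admins; normalise to DOMAIN\Name
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Get-GroupAddEvents {
    param([string]$ComputerName, [int]$Newest = 20)
    # 4732 = member added to a security-enabled local group (Vista/2008 and later);
    # 636 is the Windows 2003 equivalent. Both need account management auditing enabled.
    Get-EventLog -LogName Security -ComputerName $ComputerName -InstanceId 4732, 636 `
        -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, @{n = 'Text'; e = { ($_.Message -split "`n")[0] }}
}

foreach ($c in $Computers) {
    try   { $members = Get-LocalAdminMembers -ComputerName $c }
    catch { Write-Warning "$c : cannot enumerate Administrators ($($_.Exception.Message))"; continue }

    # The built-in local Administrator account is always expected on its own machine.
    $expected = $Baseline + "$c\Administrator"
    $drift = $members | Where-Object { $expected -notcontains $_ }
    if ($drift) {
        Write-Output "$c : unexpected Administrators members -> $($drift -join ', ')"
        Get-GroupAddEvents -ComputerName $c | Format-Table -AutoSize
    } else {
        Write-Output "$c : Administrators membership matches baseline"
    }
}
```

Run it on a schedule and any account outside the baseline shows up together with the audit events that recorded the change, which also answers the original question about spotting a manual change even when group policy was temporarily not applying.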