Server access revoked by rogue admin
  • Server access revoked by rogue admin

    Hi all,
    I consult for a company which has a file server running Server 2008 R2.
    On Thursday afternoon the manager contacted me regarding RDP & VPN access to their server based in Birmingham.

    I got an RDP connection to the server with a view to a quick investigation.

    Oh, what a can of worms I opened.

    I found the following:

    Symptom: Whenever we tried to RDP, the session would be disconnected within a minute automatically.

    Cause: The RDP-TCP listener was not properly configured.

    Resolution: I changed the setting in the registry and this resolved the issue.

    Then on Friday we began a little deeper research.
    There are 8 users of this server which had access either via RDP or VPN or both.

    I do know that TeamViewer is installed to connect to clients around the country, and I have now revoked all access apart from myself and the manager.
    TeamViewer has now been removed, until we can trace which user logged in.

    I know it wasn't me or the manager, as he is a personal friend and I do trust him not to wreck his business.
    There are thousands of confidential files that 'could' have been removed by another employee (they don't have the skill set to wreck a server).

    Q1. What is the easiest way to find out if an RDP session was used to make registry changes?

    Q2. Where in the event logs does it show the connection IP addresses?

    Q3. Do RDP session connections show up in event logs etc.?

    That's a start; answers please on a postcard.

    Many thanks

    Paul


  • #2
    1. None. The system doesn't log this type of information.
    2. The security logs will have a note of these. Event ID 4264 with logon type 3 should be the one you are looking for.
    3. See Q2.

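As an added example (not code from the thread, and not from either poster): where Windows records the RDP connections and client addresses that Q2 and Q3 ask about. A successful logon is Security event 4624; an RDP session has LogonType 10 (RemoteInteractive) and the client is in the IpAddress field, while 4778/4779 (session reconnected/disconnected) carry ClientAddress. Server 2008 R2 also keeps two TerminalServices operational logs that record the same address per session. The script assumes it is run elevated on the server itself and that the logs have not wrapped past the window of interest; the seven-day window at the bottom is a placeholder.

```powershell
# Added example: list RDP logons and the client addresses recorded for them
# on a Server 2008 R2 host (PowerShell 2.0 compatible). Run elevated on the
# server. Assumed: Security and TerminalServices logs still cover the window.

function Get-EventDataMap {
    # Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
    param($Record)
    $x = [xml]$Record.ToXml()
    $map = @{}
    if ($x.Event.EventData) {
        foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $map[$d.Name] = $d.'#text' } }
    }
    return $map
}

function Get-RdpLogons {
    # Security log: 4624 = logon succeeded (LogonType 10 = RemoteInteractive,
    # i.e. RDP; IpAddress = client). 4778/4779 = session reconnected /
    # disconnected (ClientAddress = client). With NLA enabled, a 4624 with
    # LogonType 3 from the same address precedes the LogonType 10 event.
    param([datetime]$Start, [datetime]$End = (Get-Date))
    $filter = @{ LogName = 'Security'; Id = 4624, 4778, 4779; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        if ($_.Id -eq 4624) {
            if ($d.LogonType -ne '10') { return }   # skip console/network/service logons
            $who = "$($d.TargetDomainName)\$($d.TargetUserName)"; $src = $d.IpAddress; $id = $d.TargetLogonId
        } else {
            $who = "$($d.AccountDomain)\$($d.AccountName)"; $src = $d.ClientAddress; $id = $d.LogonID
        }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; EventId = $_.Id; Account = $who; ClientAddress = $src; LogonId = $id
        }
    }
}

function Get-RdpSessionEvents {
    # TerminalServices logs. LocalSessionManager/Operational 21 (logon),
    # 24 (disconnect), 25 (reconnect) put User, SessionID and Address in
    # <UserData>. RemoteConnectionManager/Operational 1149 records the client
    # IP at authentication time (Param1 = user, Param2 = domain, Param3 = IP).
    param([datetime]$Start, [datetime]$End = (Get-Date))
    $lsm = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    $rcm = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $lsm; Id = 21, 24, 25; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        New-Object PSObject -Property @{ Time = $_.TimeCreated; EventId = $_.Id; Account = $u.User; Session = $u.SessionID; ClientAddress = $u.Address }
      }
    Get-WinEvent -FilterHashtable @{ LogName = $rcm; Id = 1149; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        New-Object PSObject -Property @{ Time = $_.TimeCreated; EventId = $_.Id; Account = "$($u.Param2)\$($u.Param1)"; Session = ''; ClientAddress = $u.Param3 }
      }
}

# Placeholder window: the last seven days. Narrow it to the out-of-hours
# period under suspicion once the dates are known.
$start = (Get-Date).AddDays(-7)
Get-RdpLogons -Start $start | Sort-Object Time |
    Format-Table Time, EventId, Account, ClientAddress, LogonId -AutoSize
Get-RdpSessionEvents -Start $start | Sort-Object Time |
    Format-Table Time, EventId, Account, Session, ClientAddress -AutoSize
```

The LogonId column is worth keeping: every other Security event generated by that session (4657 registry changes, 4663 file access, 4722 "user account enabled") carries the same id in its SubjectLogonId field, so it is how an action is tied back to a particular RDP session. A VPN connection does not show up here at all unless the VPN server's own logs are also collected; a session that came in over the VPN still appears as a LogonType 10 logon, but the client address will be the VPN-assigned one.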


    • #3
      Re Q1 - There is an Audit Registry option in advanced security audit settings, but unless it was turned on, nothing will be logged:
      https://technet.microsoft.com/en-us/...(v=ws.11).aspx
      It audits access to the registry, but that should include changes.

      I take it you have changed passwords and revoked all admin access except approved users, also scanned for nasties?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland


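An added example (not from the thread or from either poster) of what turning the Audit Registry option on actually involves, and of how the resulting events answer Q1. Enabling the subcategory alone produces nothing: each key must also carry a SACL entry. Once both are in place, a change to a value under the key produces Security event 4657 ("A registry value was modified"), whose SubjectLogonId matches the TargetLogonId of the 4624 logon event for the session that made the change; if that 4624 has LogonType 10, the change was made over RDP. The key path is assumed to be the RDP-TCP listener key the original post refers to, and 'Everyone' is used as the audited identity; both are placeholders. Run elevated (Get-Acl -Audit and Set-Acl need SeSecurityPrivilege), and note that this only catches changes made after it is switched on.

```powershell
# Added example: enable the Advanced Audit Policy "Registry" subcategory, put
# a SACL on the RDP listener key, then read 4657 events and resolve each one
# to the logon type of the session that made the change. Run elevated.
# Assumed: audit policy is not being overridden by Group Policy.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'   # assumed target key

function Enable-RegistryAudit {
    param([string]$Path)
    # 1. Object Access > Registry, success and failure (auditpol.exe is the
    #    supported tool for per-subcategory settings on 2008 R2).
    auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    # 2. SACL on the key: audit write-type access only, so reads do not flood
    #    the Security log. Inherits to subkeys.
    $acl     = Get-Acl -Path $Path -Audit
    $rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]'None'
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone', $rights, $inherit, $prop, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function ConvertFrom-EventData {
    # <EventData><Data Name="...">value</Data>... to a hashtable (PS 2.0 safe).
    param($Record)
    $x = [xml]$Record.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}

function Get-RegistryChangeEvents {
    # 4657 fields: SubjectUserName/DomainName, SubjectLogonId, ObjectName,
    # ObjectValueName, OldValue, NewValue, ProcessName.
    param([datetime]$Start, [string]$KeyPattern = '*RDP-Tcp*')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Start } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.ObjectName -like $KeyPattern) {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Who     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                LogonId = $d.SubjectLogonId
                Value   = "$($d.ObjectName)\$($d.ObjectValueName)"
                Old     = $d.OldValue
                New     = $d.NewValue
                Process = $d.ProcessName
            }
        }
      }
}

function Get-LogonForLogonId {
    # Resolve a SubjectLogonId to its 4624 event: LogonType 10 means the
    # change was made from an RDP session, and IpAddress says from where.
    param([string]$LogonId, [datetime]$Start)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Start } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetLogonId -eq $LogonId) {
            New-Object PSObject -Property @{ LogonType = $d.LogonType; ClientAddress = $d.IpAddress }
        }
      }
}

Enable-RegistryAudit -Path $Key

# Report changes to the listener key since yesterday, each tagged with the
# logon type and client address of the session that made it.
$since = (Get-Date).AddDays(-1)
Get-RegistryChangeEvents -Start $since | ForEach-Object {
    $logon = Get-LogonForLogonId -LogonId $_.LogonId -Start $since.AddDays(-7) | Select-Object -First 1
    $_ | Add-Member -MemberType NoteProperty -Name LogonType     -Value $logon.LogonType     -PassThru |
         Add-Member -MemberType NoteProperty -Name ClientAddress -Value $logon.ClientAddress -PassThru
} | Format-Table Time, Who, LogonType, ClientAddress, Value, Old, New, Process -AutoSize
```

Two caveats a practitioner would want. First, the SACL goes on one key here deliberately; auditing writes under all of HKLM on a busy server fills the Security log quickly, and if the log is set to overwrite, the events you wanted are the ones that get overwritten. Second, the session that made a change only resolves to a 4624 if that logon is still in the log, so raise the Security log size (or forward it elsewhere) at the same time as turning auditing on.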


      • #4
        Hi Ossian

        The audit trails have never been activated, but I now wish that they had!
        I checked a couple of other commercial servers I have access to and they aren't enabled either, so I guess they aren't always turned on everywhere.
        That being said, some of them are accessed using token codes that change every minute.

        All the users except myself and the manager have been disabled for the time being.



        • #5
          No, auditing is (deliberately) off by default, due to the volume of security events generated.
          If this was an "attack", are you sure there is no malware such as keyloggers left behind to catch new admin credentials? Do you have any idea of who/why the server was attacked?
          Tom Jones



          • #6
            We are currently reviewing the CCTV from Thursday & Friday night, to see if any of the staff were in the building around midnight on both days.
            The server was set to disallow connections between 20.00 & 06.30 via RDP & VPN.
            We suspect the Guest account was activated on Thursday at 00.20 locally from within the building.

            I don't think it's malware or keyloggers, as physical access to the servers is 'VERY restricted'.

            As I'm a sub-contractor, my access is only available as required; therefore, until Friday afternoon, it was disabled.

            Whoever did this wanted to download sales & contact data, so it was possibly triggered by an internal dispute of some kind.

            Sales staff aren't really that technical, so they would need assistance from one of the tech team; that's where the confusion is.
            I can't wait to see the CCTV!!

            Paul
