Compromised? Or a Win2k "Feature"????
  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197


    This has me stumped..... The story......

    I have SurfControl running to log and restrict internet use. I upgraded it this a.m. and, to make sure it was working, I ran the real-time monitor. Much to my surprise I see a domain admin surfing the net from a PC in a remote location (across the WAN). Hmmm.... I call the only person at the location that has the admin password and ask if she is using that machine. Nope! In fact it belongs to one of her "problem" children who brags about his computer/network prowess. OK, I have her go to that office and see who he is logged in as. She does a Start-Logout and sees that the PC claims he is logged in as himself. Hmmmm.... OK, SurfControl is screwed up..... Just to be sure I run a script to capture the login name of the user logged on to the machine. It says _no-one_ is logged on, but I know he is still on the machine because I can see the activity. OK.... The script failed..... I run it against another machine in that location and it returns a valid domain user logged in. Ahhh.... The script fails against a local login. So I simulate that scenario and lo and behold it returns the local user name........

    So now I'm baffled...... SurfControl gets the logged-in user name from an agent running on an AD server. As we all know the name is irrelevant; it's the SUID that is the key to the user's ID. So how is the machine reporting the user as being of a different name to the AD server/SurfControl? How is my script reporting no user, therefore no SUID logged in, while I can see the activity generated by a user of some type?

    If it is mixing/confusing SUIDs, wouldn't that be considered a colossal security issue on M$'s part?

    Any thoughts would be much appreciated.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    You might want to check to see what software is installed on that computer. It could be several different things, anything from a worm/virus, to spyware reporting home, to a trojan... Might want to check and make sure AV is up to date and run through Ad-Aware and see if it finds anything... I wouldn't be surprised if it does...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Maybe he is using the RunAs service?
    It would then show that the second user is logged in as well as the first user.
    (That's what I see in my security logs.)

    I was able to run my desktop as a normal restricted user but surf the web using a domain admin account. I'm using WinXP Pro and I also tested it on 2k.

    As for your internet monitoring software... I don't know anything about it.

    You should be able to disable the RunAs feature by disabling the Secondary Logon service.

    I would also make sure that that user (the domain admin) changes his/her password.

    If you really want to get sneaky... install VNC and hide it from the user...
    That way... you can see what is really going on...
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
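    The situation in the first post (a "who is logged on" script that reports nobody, or only the console user) and the RunAs explanation in the post above both come down to one fact: a RunAs / Secondary Logon session is a separate logon session on the same workstation, owned by a different account, and a check that only reads the interactive console user never sees it. The script below is an added example, not code from the thread or from SurfControl; it enumerates every logon session on a machine through WMI/CIM, tags each one with its owning account and whether that account is local or domain (the local-vs-domain case is the one the original poster's script tripped over), and reports the state of the Secondary Logon service (`seclogon`) that the post above suggests disabling. It assumes PowerShell 3 or later with the CIM cmdlets, WinRM reachable on the remote host, and administrative rights there; the hostname `WKSTN-REMOTE` is a placeholder.

```powershell
# Added example: list all logon sessions on a workstation, including RunAs sessions,
# and show whether the Secondary Logon service is enabled. Not from the original thread.

# LogonType values as documented for the Win32_LogonSession class.
$script:LogonTypeNames = @{
    2  = 'Interactive'        # console logon, also a plain "runas /user:..." session
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'     # "runas /netonly": new credentials used only on the network
    10 = 'RemoteInteractive'  # RDP / Terminal Services
    11 = 'CachedInteractive'
}

function Get-LogonSessionReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Only pass -ComputerName for remote hosts so a local run does not need WinRM.
    $cim = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    foreach ($session in Get-CimInstance -ClassName Win32_LogonSession @cim) {
        # Win32_LoggedOnUser associates each logon session with the Win32_Account that owns it.
        $owners = Get-CimAssociatedInstance -InputObject $session -Association Win32_LoggedOnUser @cim
        foreach ($acct in $owners) {
            $typeName = if ($script:LogonTypeNames.ContainsKey([int]$session.LogonType)) {
                $script:LogonTypeNames[[int]$session.LogonType]
            } else { "Unknown($($session.LogonType))" }

            [pscustomobject]@{
                Computer  = $ComputerName
                LogonId   = $session.LogonId
                LogonType = $typeName
                Account   = '{0}\{1}' -f $acct.Domain, $acct.Name
                # A local account's Domain is the machine's own name; anything else is a domain account.
                Scope     = if ($acct.Domain -eq $ComputerName) { 'Local' } else { 'Domain' }
                Started   = $session.StartTime
            }
        }
    }
}

function Get-SecondaryLogonState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cim = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    # 'seclogon' is the service name of "Secondary Logon", which backs RunAs.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'" @cim
    [pscustomobject]@{
        Computer  = $ComputerName
        Service   = $svc.DisplayName
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
    }
}

# Usage (WKSTN-REMOTE is a placeholder hostname):
# Show the sessions a human could be "logged in" through: console, RunAs, RDP, cached.
Get-LogonSessionReport -ComputerName 'WKSTN-REMOTE' |
    Where-Object { $_.LogonType -in 'Interactive', 'NewCredentials', 'RemoteInteractive', 'CachedInteractive' } |
    Format-Table -AutoSize

Get-SecondaryLogonState -ComputerName 'WKSTN-REMOTE'

# To turn RunAs off on the local machine, as the post above suggests, disable the service:
#   Set-Service -Name seclogon -StartupType Disabled; Stop-Service -Name seclogon
```

    If a domain admin account is being used through RunAs, the report shows two rows for the same workstation: the user's own interactive session and a second Interactive or NewCredentials session owned by the admin account. A "logged-on user" script that reads only the console session, or that assumes the owner is always a domain account, will report exactly the confusing results described in the first post.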

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Frankly the machine looks perfectly normal. Nothing unusual seems to be running, nothing seems to go off at startup. The web sites being visited were part of his work, etc. etc, etc.

    I NetMeeting-ed his machine and did a runas as a network admin and then reran the logged-in user script. It still showed no-one logged in on the machine.

    I did a quick look around the network to see if he has only his own rights or those of the admin. He was working entirely in his own context...... I dunno..... It's gotta be a glitch in the system somewhere but I am becoming less concerned that it is a security breach.

    Password will be changed anyway, just in case..... I didn't want to change it until I had investigated some more.

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    How well patched is that local machine? There are plenty of local exploits on Win2k that escalate privileges of the user... perhaps he just gave himself some extra rights. I believe that an account utilizing a privilege-boosting exploit may appear to be admin; some of the exploits modified the user's SID.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    bballad: I had thought about that and that's why I NetMeeting-ed his machine and took a look around the network in his context. Nothing he could see was anything that he shouldn't be able to see. Everything he was denied access to would have been something that he should have been denied access to, but had he been running with the privileges of that admin he would have had a free run across all our servers in all our locations...... He didn't.

    I dunno..... Remember, Microsoft does not have Bugs...... They are undocumented features....