
Thread: Users exceeding permissions -- How do you find 'em?

  1. #21
    Boy, do I ever agree with you on that one!

  2. #22
    AO Ancient: Team Leader
    I don't know of any way to access the TS without using the ISP if trying to connect from outside the LAN. The TS can indeed be accessed from other locations (for example, our CEO is currently using it from the Virgin Islands).
    I dunno, maybe I'm being dumb.... You seem to contradict yourself there... Is your ISP a dial in only affair that has no internet connectivity? How is the CEO connecting between pina coladas right now?

    One of us is missing something.... Hopefully it's me.... otherwise, a reasonable conclusion to come to might be that there is an outsider with admin access....

    Let's also note in this thread that the main reason we are kind of "fishing in the dark" is because the logging was deficient. (Not a criticism, Angelic, it's the most overlooked asset in the security world, but as you can see, without logs you are "blind".)

    NOTE TO ALL: If you think it is irrelevant, will never be useful and will only take up disk space..... Log it anyway.... It will be one day... when you _really_ need it to determine what happened....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #23
    I dunno, maybe I'm being dumb.... You seem to contradict yourself there... Is your ISP a dial in only affair that has no internet connectivity? How is the CEO connecting between pina coladas right now?
    No, I'm probably the confused one. Let me try to put it another way best I can, maybe I am contradicting myself (when does the noobness end?!). Anyone in the LAN can connect to TS via the IP on the LAN, 192.168...., whereas someone like our CEO who is nowhere near the LAN connects via the ISP (as I understand it anyway), which is something down the lines of 64.63....

    Those are the only two ways I know to connect to the TS.

    Great points too, Tiger, I'll remember that.

  4. #24
    AO Ancient: Team Leader
    Angelic: then your TS is publicly available..... simple as that....

    I am at my "satellite office" right now and have to run so I don't utterly peeve the wife....

    Probably won't get back to this tonight but we can chat again in the morning.... No further harm is going to be done, realistically.

    [edit]

    "When will the noobness end?"

    Never.... The ingenuity and dedication of people on computers never ceases to amaze and interest me.... and they are always ahead of me...... it's a game.... if you apply yourself to it and, most importantly, enjoy it..... then it gets much easier.... but it's always a challenge....

    [/edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #25
    Senior Member RoadClosed's Avatar
    "When will the noobness end?"
    Ya? Read my mail server exploitation thread. Closer attention could have prevented that.

    Me <---- supanooba
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #26
    Okie, you said that only you and the boss have rights to install, but something was installed and it was neither of you. The server was never left alone long enough for someone to walk up to it and say 'hey, let's have some fun'.


    You do have users and they use Terminal Service on a Windows 2000 Server machine (I hope I remembered that you said you use W2k Server). You said you tried to log on as a user and install something and that did not work.

    Do you have different security groups/policies set up for different departments? If so, then I would create a test user and put TEST in one group/policy, then try, then another, then try, till you run out of security groups/policies. Once you find the one that works, that can narrow down your search to that group. I would try them all to be sure that you don't have several holes like this.

    If you don't find any that work, then that would mean that all of your group/policies are set up to prevent that from happening. So there is a user on your system that does not have one of your group/policies as part of their logon profile.

    Good luck and keep us updated.

    Halv
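The procedure Halv describes (test each group until one lets you install) is a manual way of answering "which accounts end up with install rights through group nesting?". The following is an added example, not code from the thread: it resolves effective membership through nested groups from a constructed snapshot of the server's groups (all group and account names are hypothetical) and reports every non-approved account that lands in an install-capable group, together with the nesting chain that gets it there, which is the group you would actually fix.

```python
"""Resolve effective (nested) group membership and flag accounts that can
install software although they are not supposed to.

Added example, not from the original thread. GROUPS is a constructed
snapshot in the shape you would build from `net localgroup` / `net group`
output; every name in it is hypothetical.
"""
from collections import deque

# Constructed sample data: group -> direct members (members may be groups).
GROUPS = {
    "Administrators": ["Administrator", "boss", "Domain Admins"],
    "Domain Admins": ["boss"],
    "Power Users": ["Helpdesk"],
    "Helpdesk": ["jdoe", "IT Interns"],
    "IT Interns": ["msmith"],
    "Domain Users": [],
    "Users": ["jdoe", "msmith", "angelic", "ceo", "Domain Users"],
    "Remote Desktop Users": ["ceo", "angelic", "Helpdesk"],
}

# Built-in groups whose members can install most applications on a
# default Windows 2000/2003 server (Power Users can install anything that
# does not need to write system files).
INSTALL_CAPABLE = {"Administrators", "Power Users"}

# The two accounts the thread says are allowed to install.
APPROVED = {"Administrator", "boss"}


def _parent_index(groups):
    """member -> set of groups that directly contain it."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def membership_path(principal, target, groups=GROUPS):
    """Shortest nesting chain from principal up to target group, or None.

    Breadth-first search over the 'contained in' relation; prev[] lets us
    walk the chain back once the target is reached.
    """
    parents = _parent_index(groups)
    prev = {principal: None}
    queue = deque([principal])
    while queue:
        cur = queue.popleft()
        if cur == target:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = prev[cur]
            return chain[::-1]
        for group in parents.get(cur, ()):
            if group not in prev:
                prev[group] = cur
                queue.append(group)
    return None


def effective_groups(principal, groups=GROUPS):
    """Every group the principal belongs to, directly or via nesting."""
    return {g for g in groups if membership_path(principal, g, groups)}


def user_accounts(groups=GROUPS):
    """Members that are not themselves groups are treated as user accounts."""
    members = {m for ms in groups.values() for m in ms}
    return sorted(m for m in members if m not in groups)


def unexpected_installers(groups=GROUPS, approved=APPROVED):
    """{account: [chain, ...]} for non-approved accounts with install rights."""
    findings = {}
    for account in user_accounts(groups):
        if account in approved:
            continue
        chains = [membership_path(account, g, groups)
                  for g in sorted(INSTALL_CAPABLE)]
        chains = [c for c in chains if c]
        if chains:
            findings[account] = chains
    return findings


if __name__ == "__main__":
    for account, chains in unexpected_installers().items():
        for chain in chains:
            print(account, "->", " > ".join(chain))
```

On the constructed data the two hits are `jdoe` and `msmith`, both reaching Power Users through the Helpdesk group (msmith one level deeper via IT Interns). The same logic applies to Group Policy filtering: swap GROUPS for the security groups a restrictive policy is filtered on, and any account with no chain to one of them is exactly the "user that does not have one of your policies as part of their logon profile" Halv is pointing at.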

  7. #27
    Ok, I have an update, and it only gets more interesting...

    Though the software was removed, I did manage to find the installer. Specifically, the program installed was Adobe Photoshop Album 2.0 Starter Edition, and it was downloaded to this folder:

    C:\Documents and Settings\Administrator\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55}

    So, now I know whoever did it managed to get access to the administrator folder somehow. I also checked out everyone's cookies, and though various users surfed the Adobe website, only the administrator account had a cookie from the downloads page.

    Evidently, then, whatever was done was done from the administrative login somehow.
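Once you have a timestamp for the installer folder, the next question is who held an interactive session on the Terminal Server at that moment, and from which client the Administrator account was used. The following is an added example, not from the thread: it reconstructs sessions from a constructed, simplified Security log export (Event 528 logon paired with Event 538 logoff on the Logon ID) and lists the sessions that were open when the folder appeared. The field layout, account and workstation names are assumptions for this example; note that on Windows 2000 a Terminal Services logon is recorded as a type 2 (Interactive) 528, since logon type 10 only exists from XP/2003 onward, so the workstation/client name, not the logon type, is what separates console from remote sessions there.

```python
"""Who was logged on when the installer folder was created?

Added example, not from the original thread. SAMPLE_LOG is a constructed,
simplified export; real Security log exports carry more fields and differ
between Windows versions. Field order here is an assumption:
    time | event id | account | logon id | logon type | client workstation
Event 528 = successful logon, 538 = logoff (Windows 2000/2003 IDs).
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2004-02-10 08:02:11|528|angelic|0x1A2B|2|WS-ANGELIC
2004-02-10 08:15:40|528|ceo|0x1B00|2|CEO-LAPTOP
2004-02-10 11:05:03|528|Administrator|0x1C44|2|WS-SALES3
2004-02-10 11:31:19|538|Administrator|0x1C44||
2004-02-10 12:00:00|538|angelic|0x1A2B||
2004-02-10 17:10:55|538|ceo|0x1B00||
"""

# Creation time of the Downloaded Installations folder (constructed value).
INSTALL_TIME = datetime(2004, 2, 10, 11, 20, 0)

# Workstations from which the Administrator account is expected to be used
# (constructed; in the thread only the poster and the boss should use it).
EXPECTED_ADMIN_CLIENTS = {"WS-ADMIN", "WS-BOSS"}


def parse_events(text):
    """Parse the '|' separated export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, logon_id, ltype, client = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "account": account,
            "logon_id": logon_id,
            "type": int(ltype) if ltype else None,
            "client": client,
        })
    return events


def sessions(events):
    """Pair each 528 with its 538 via Logon ID; unmatched logons stay open (end=None)."""
    open_sessions, finished = {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 528:
            open_sessions[e["logon_id"]] = dict(e, end=None)
        elif e["id"] == 538 and e["logon_id"] in open_sessions:
            s = open_sessions.pop(e["logon_id"])
            s["end"] = e["time"]
            finished.append(s)
    finished.extend(open_sessions.values())  # still logged on at end of log
    return finished


def active_at(sess, when, slack=timedelta(minutes=5)):
    """Sessions whose logon..logoff interval covers `when`.

    `slack` widens the window a little because the folder mtime and the
    event log clock are not guaranteed to agree to the second.
    """
    return [s for s in sess
            if s["time"] - slack <= when
            and (s["end"] is None or s["end"] + slack >= when)]


def suspects(text=SAMPLE_LOG, when=INSTALL_TIME):
    """Sorted (account, client) pairs logged on when the installer appeared."""
    return sorted((s["account"], s["client"])
                  for s in active_at(sessions(parse_events(text)), when))


def admin_from_unexpected_client(text=SAMPLE_LOG, expected=EXPECTED_ADMIN_CLIENTS):
    """Administrator logons from workstations not on the expected list."""
    return [(e["time"].isoformat(" "), e["client"])
            for e in parse_events(text)
            if e["id"] == 528 and e["account"] == "Administrator"
            and e["client"] not in expected]


if __name__ == "__main__":
    print("logged on at", INSTALL_TIME, ":", suspects())
    print("Administrator from unexpected client:", admin_from_unexpected_client())
```

On the constructed data three sessions cover 11:20, and the Administrator one came from `WS-SALES3`, which is the lead worth chasing given that the installer sat in the Administrator profile. Two caveats a practitioner would want: the workstation name in a 528 event is supplied by the client and is not authenticated, so treat it as a pointer rather than proof, and if the Security log was not enabled at the time (the deficiency this thread keeps coming back to) there is simply nothing to correlate.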

  8. #28
    Banned
    This is from my experience, but I'd start looking over what your boss is doing more carefully. If your company handles private second party data the fact that he has disrupted the investigation of a potential security breach puts him at risk for criminal charges.

    The nature of the rogue application (Photoshop) and the fact that he "resolved" the issue and still put you on the case point to a very low likelihood of a malicious element here... with the exception of the boss himself. It is not uncommon for administrative users to commit a crime, then commit a lesser offense which will make lots of noise in the logs, "resolve" this lesser offense without following proper procedure, making a total mess of the logs, then report the lesser issue to another admin so the whole thing is glossed over and the admin appears to be on the up and up... a little too eager, but honest. The original clandestine actions are lost forever and no one suspects a thing.

    I don't know that this is applicable in this situation... but having worked in Audit & Control as well as Policy Enforcement & Governance as long as I have... this situation just seems suspect to me and it seemed like a good idea to mention this possibility since no one else has.

    catch

  9. #29
    Regal Making Handler
    Photoshop Album 2.0 Starter Edition, and it was downloaded to this folder
    Have you got Adobe Acrobat Reader 6? The above will install if Reader updates itself when used.


    Jinxy
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  10. #30
    Indeed we do! Maybe that's it. I bet that's the solution to our mystery -- The darn server is the culprit itself!
