Possible inside security breach


G. Lentz

I have a strange situation that I really just need
clarification on so here goes.

I am an IT consultant for a company that has remote users
who connect via a VPN. One user, a recent contract
(potentially to be an employee) needed access to the
shared files/folders and e-mail. I gave him the
instruction on setting up the VPN on his home PC and was
going to get back to him on setting up the remaining
items (I work for other clients also) later. Instead of
waiting he and a friend logged onto the client's network
via the VPN and using their own words, "hacked and
guessed around about some things" so they could add his
PC to the domain and give him access to what he needed!
There are only two accounts on the domain that have
Administrator rights and his was neither. When I
questioned the user on this, suffice to say the friend
did all the work and he knows nothing. What really
puzzles me is that the client principal seems to think
nothing of this?!? He basically said well I guess you
have some competition.

Anyway my questions are:

1) I need to clarify that only an account with
Administrative privileges can create new user and
computer accounts in an AD domain?

2) Any possible ideas on how the hell they could have
done this? Don't need specifics, just could/can it be
done? I understand by the user having VPN access to the
network he basically had a key so to speak, allowing them
to bypass the normal things that discourage external
attacks (i.e firewalls).

I am going to try and speak to the client principal that
if they circumvented network security, then his network
is basically open at this point. Unfortunately the
principal is high on this person and their abilities so I
may be creating an acrimonious situation by bringing it up.
My thinking is I don't want to be blamed for something
down the line as I feel I no longer have control over the
network. Thanks.
 
microsoft.public.win2000.security news group, G. Lentz
1) I need to clarify that only an account with
Administrative privileges can create new user and
computer accounts in an AD domain?

User accounts yes, computer accounts, no. This, to be quite honest, is a
pretty basic AD concept, and I'd certainly expect any consultant working
for me (that was doing anything at all with AD) to know this. In AD,
every domain user account can add 10 workstations to the domain. Since
the person in question obviously already has a domain user account, it
is really just a matter of connecting to the domain through the VPN, and
then adding his computer to the domain.
2) Any possible ideas on how the hell they could have
done this? Don't need specifics, just could/can it be
done? I understand by the user having VPN access to the
network he basically had a key so to speak, allowing them
to bypass the normal things that discourage external
attacks (i.e firewalls).

See above. If this wasn't supposed to be allowed, it certainly wasn't
the contractor's fault. It was whoever set up the remote access and
allowed this to happen.
I am going to try and speak to the client principal that
if they circumvented network security, then his network
is basically open at this point. Unfortunately the
principal is high on this person and their abilities so I
may be creating an acrimonious situation by bringing it up.
My thinking is I don't want to be blamed for something
down the line as I feel I no longer have control over the
network. Thanks.

Again, as above. Given what you've told of the story here, you _are_
responsible for this situation already.
 
Agreed.

In fact, if you have a user account, you wouldn't even need to have your
machine joined to the domain to gain access to data. Connection to the
network is all that's needed and a VPN connection gave him that.

So, as far as I can see, no "hacking" or "security breach" has taken place
here.

Oli
 
microsoft.public.win2000.security news group, Oli Restorick [MVP]
In fact, if you have a user account, you wouldn't even need to have your
machine joined to the domain to gain access to data. Connection to the
network is all that's needed and a VPN connection gave him that.

That's not necessarily true all of the time, for example, if your
internal network is secured via IPSec using Kerberos or Certificate
auth.

But the bottom line here is that the lack of knowledge on the part of
the consultant in the OP is the cause of the events that took place.
 
Yes I realise that, but for someone who didn't know that any user can, by
default, add 10 workstations to the domain, I doubt IPSec was being used.

Agreed on your last point.

Oli
 
By default "authenticated users" can add up to ten workstations to a domain, which
means that ANYONE who knows a logon/password for a domain account can add a
workstation to the domain. This is configured in Domain Controller Security
Policy/security settings/local policies/user rights, and the domain controller
container is the only place this user right is applied. You can remove authenticated
users if you do not want this to happen, which I would suggest you do. Joining a
computer to the domain in itself does not give a user any more permissions than
credentials already do, though it may allow the computer to obtain a certificate or
IPsec policy to use for network communications restricted to only domain
computers. --- Steve
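The checks the replies above describe (the ten-workstation default, which accounts used it, and the "Add workstations to domain" user right on the domain controllers) can be run from an admin workstation. The following is an added example, not code posted by anyone in this thread; it assumes the RSAT ActiveDirectory PowerShell module, an account allowed to read and modify the domain object, and that the last step is run on a domain controller so that `secedit` exports the DC policy. The `$ApplyFix` switch and the output column names are this example's own choices.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory module.
# Set $ApplyFix to $true only after reviewing the report produced by steps 1 and 2.
$ApplyFix = $false

Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Read the per-user join quota the replies describe. The default is 10, which is
#    what lets any authenticated user join up to ten machines without admin rights.
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on {0}: {1}" -f $domain.DNSRoot, $domainObj.'ms-DS-MachineAccountQuota'

# 2. Find computer accounts that were created through the quota. When a non-admin
#    joins a machine this way, AD stamps mS-DS-CreatorSID with the joiner's SID;
#    accounts created by someone holding explicit Create Computer Objects rights
#    do not carry the attribute. This is the list to review after an incident
#    like the one in the original post.
$quotaJoins = Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may return the SID as a byte array or as a SecurityIdentifier.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }
        # Resolve to DOMAIN\user where possible; fall back to the raw SID for deleted accounts.
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; WhenCreated = $_.whenCreated }
    }
$quotaJoins | Sort-Object WhenCreated | Format-Table -AutoSize

# 3. Close the quota path. Setting it to 0 stops authenticated users from joining
#    machines; admins and anyone explicitly delegated Create Computer Objects on an
#    OU are unaffected, so pre-staging or delegated joins keep working.
if ($ApplyFix) {
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
}

# 4. Show who holds the "Add workstations to domain" right (SeMachineAccountPrivilege)
#    in the effective DC policy. S-1-5-11 in the output is Authenticated Users, the
#    default Steve recommends removing. Run this part on a domain controller.
$cfg = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue
```

The quota and the user right are two separate gates: the quota is a per-user count on the domain object, the user right is a Group Policy setting applied to domain controllers. Clearing either one is enough to stop the "any user joins ten machines" behaviour, but auditing `mS-DS-CreatorSID` is what tells you whether it has already been used, and by whom.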
 