user profiles on a dc

Guest

We discovered recently created profiles of a few normal users on our DC (W2K
SP4, patched up to June)! Is there some vulnerability we have overlooked? The DC
is also a file server, no IIS, we use TS only in admin mode. We are worried as
there were already rumours of security breaches.
 
Patty Calcaterra

Did these people log on to the DC? The only way profiles can be
created is if they logged on either through RDP or locally....I am
assuming that you mean the profiles are located at c:\documents and
settings\[profile name]....or do you mean that you are using roaming
profiles and these profiles are on the server?

1.8cup, I am trying to understand how the profiles got there. Do you
know? Or are you asking us how they got there?

Regards,

Patty
 
Guest

The DC is in a protected area so no user can reach it (and besides that a
normal user cannot log in on a DC). The profiles are indeed located at
c:\documents and settings\ and show up in the system properties. I'm afraid
the profiles are put there by an illegal utility using some vulnerability.
 
Brandon Baker

These profiles that were created, I assume they are actual employees. I
would check their security group membership right away. Then create another
user for test, see if they can log on to a domain controller through terminal
services.


 
Guest

They are actual (domain) users, and indeed I did check their security group
membership right away. With one account I tried to log on with terminal
services but the user is not "allowed to login locally". Are there other
possibilities for creation of profiles? We also noticed that on the same date
a profile was created named <Computername>$, maybe this gives a clue?
