
RE: w2k server compromised

From: James D. Stallard <james(at)leafgrove.com>
Date: Thu Jan 23 2003 - 17:07:41 EST


Dan

Regardless of the security implications and reasons for having an apparently compromised DC, you can use the following procedure to get your AD databases copied:

1. Build new W2k server box
2. Harden new server
3. Use DCPROMO to make it a DC in the current domain/forest
4. Await replication to complete; check by directing AD Users and Computers at the new server
5. Check your login scripts and policies have also come across by looking in SYSVOL
6. DCPROMO old server to remove DC functionality
7. Power off old server
8. Remove entries in Sites and Services relating to the old server if still there
9. Remove old server computer account
10. Rebuild old server
11. Harden old server
12. DCPROMO old server to make it a DC in the current domain/forest
13. Await replication to complete; check by directing AD Users and Computers at the old server
14. Check your login scripts and policies have also come across by looking in SYSVOL
15. DCPROMO new server to remove DC functionality
16. Power off new server
17. Remove entries in Sites and Services relating to the new server if still there
18. Remove new server computer account
19. Done

Good luck, and don't forget to check the rest of your LAN for pesky malware.
Of course, if the compromise is AD-aware you may not be able to get rid of it this way, but that is pretty unlikely. Anyone else comment??

Cheers

JamesD
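The two "await replication" / "check SYSVOL" steps in the procedure above are the ones that decide whether it is safe to demote the old DC. The following is an added check script, not part of James's post; it uses the RSAT ActiveDirectory PowerShell module (which postdates Windows 2000 but performs the same checks that AD Users and Computers and a manual SYSVOL comparison would), and OLDDC01 / NEWDC01 are placeholder hostnames.

```powershell
# Added example (not from the original post): verifies that the new DC has
# replicated cleanly and that SYSVOL (policies, login scripts) came across,
# before the old, compromised DC is demoted and powered off.
# Assumes the RSAT ActiveDirectory module and read access to AD and SYSVOL.
param(
    [string]$OldDc = 'OLDDC01',   # placeholder: the compromised DC being retired
    [string]$NewDc = 'NEWDC01'    # placeholder: the freshly built, hardened DC
)
Import-Module ActiveDirectory

# 1. Confirm the new server is actually registered as a DC in the domain.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
if (-not ($dcs | Where-Object { $_ -like "$NewDc*" })) {
    throw "$NewDc is not listed as a domain controller yet"
}

# 2. Inbound replication on the new DC: every partner must report a successful
#    replication and there must be no outstanding failures.
foreach ($p in Get-ADReplicationPartnerMetadata -Target $NewDc) {
    "{0,-40} last success {1}  result {2}" -f $p.Partner, $p.LastReplicationSuccess, $p.LastReplicationResult
}
if (Get-ADReplicationFailure -Target $NewDc) {
    throw "Replication failures reported on $NewDc; do not demote $OldDc yet"
}

# 3. Coarse sanity check of what AD Users and Computers would show: the number of
#    user and computer objects should be identical on both DCs.
$filter = '(|(objectClass=user)(objectClass=computer))'
$oldCount = @(Get-ADObject -Server $OldDc -LDAPFilter $filter).Count
$newCount = @(Get-ADObject -Server $NewDc -LDAPFilter $filter).Count
if ($oldCount -ne $newCount) {
    Write-Warning "Object count differs: $OldDc=$oldCount $NewDc=$newCount"
}

# 4. Compare SYSVOL by relative path and SHA-256 so that policies and login
#    scripts are proven to have arrived. A match only shows the copy is complete;
#    because the old DC is compromised, review the scripts themselves before trusting them.
function Get-SysvolInventory([string]$Dc) {
    $root = "\\$Dc\SYSVOL"
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($root.Length)
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$diff = Compare-Object (Get-SysvolInventory $OldDc) (Get-SysvolInventory $NewDc) -Property Path, Hash
if ($diff) { $diff | Format-Table -AutoSize; Write-Warning "SYSVOL differs between $OldDc and $NewDc" }
else { "SYSVOL content on $NewDc matches $OldDc" }
```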

-----Original Message-----
From: Dan Uscatu [mailto:duscatu@lunatech.ro]
Sent: 23 January 2003 08:17
To: focus-ms@securityfocus.com
Subject: w2k server compromised

hey all


I just found one of the w2k servers to be infected and acting very strangely. Unfortunately it is a domain controller and it has all the users/computers lists.

How can I export these before reinstall in order to keep the exact same configuration (everything except passwords, of course)? I suppose this could be useful to be done on a regular basis too...

TIA

Received on Fri Jan 24 10:31:35 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT
