dcxman 0 Posted May 7, 2004

Morning all. To say the least, my DC has been compromised again. I've set up a Windows 2000 Adv. Server with AD and secured it with TCP port filtering along with a tightened policy setup where the user is not even allowed to "right mouse button click" on the domain. But whoever the bugger is has been able to hack in and give the ability to add a workstation to the domain with any user account on the AD. So long as the person is a user on the AD they can join any system to the domain. However, they still do not have access to the AD Users and Computers app to have delegation over my AD. It's most likely I was hacked from a node outside of my segment of network within my company, as I do not have a firewall in place yet to protect my segment of network. So far it seems that joining systems to the domain is the extent of the damage. I've checked policy settings and built-in account groups to see if anything had been tampered with (e.g. any users added to any of the Admin groups) and came up with nothing. Can anyone tell me anywhere else I can look to see who has been given delegation or permission to add a workstation to the domain, keeping in mind that I've already checked the default domain policy? And also a solution to prevent the joining of a system from unauthorized user accounts. Thanks in advance either way.
peterh 1 Posted May 7, 2004

To join a domain you just need 'Account Operator' rights, and that should give 'Create Computer Objects' privileges; new objects are created in the Computers container by default. I suggest you turn on auditing on the Domain Controllers of 'Audit Account Management' in the GPO, and then you can see who is hacking your system in the Event Viewer!
Shakedown 0 Posted May 10, 2004

If the policy has not been changed, by default any Domain User can add up to 10 PCs to the domain. This can be changed through a group policy.
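As an added example that is not part of this thread, here is a PowerShell script a defender can run on a current domain controller to check the per-user join quota Shakedown refers to, list which accounts have actually joined machines under it, and pull the computer-account-creation audit events peterh suggests enabling. It assumes the ActiveDirectory module (RSAT) is installed and that account-management auditing is already on; the quota attribute and event ID are real, the module requirement is the assumption.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# ms-DS-MachineAccountQuota on the domain naming context is the number of
# computer accounts any authenticated user may create (default 10).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota  (0 disables quota-based joins)"

# When a non-admin joins a machine under that quota, AD stamps the joiner's SID
# into mS-DS-CreatorSID on the computer object. Admins with explicit create
# rights do not get it set, so a populated value means a quota-based join.
$joins = Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The attribute comes back as raw SID bytes; wrap it as a SID object.
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier ($raw, 0) }
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # joiner's account may since have been deleted
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; WhenCreated = $_.whenCreated }
    }
Write-Host "`nComputers joined by ordinary users under the quota:"
$joins | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# Audit trail: with 'Audit Account Management' enabled on the DCs, each new
# computer account logs Security event 4741 ("A computer account was created").
Write-Host "Recent computer-account creation events on this DC:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{N='Message'; E={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# Remediation (not run automatically): set the quota to 0 so only accounts
# explicitly granted 'Create Computer Objects' on an OU can join machines.
function Disable-QuotaJoins {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}
```

Remove `-WhatIf` from `Disable-QuotaJoins` once the change has been reviewed; after that, delegate join rights per OU through Active Directory Users and Computers rather than relying on the quota.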