Securing Windows Servers

RichardParry

IS-IT--Management
Aug 28, 2002
91
GB
Hi All,

A number of our customers' systems have been compromised by an unknown attacker, through an unknown method. These servers are running 2k3 SR2 w/ SP1 and 2k3 w/ SP1 (non RC2); all have the latest AVG File-Server 7.5 AntiVirus and the latest Windows updates for OS and hardware, but both had been compromised in the same way: a user named "backup" (lower case) was created and added to the Administrators group. These servers are all protected by a hardware firewall, in addition to the local Windows firewall, so RDP traffic etc. is not allowed from outside the network, and the only outgoing access from each server to the net was HTTP, HTTPS and SMTP (DNS and NTP are only allowed to specific IPs). The incoming ports on each server are as follows: FTP, HTTP, HTTPS, POP3, SMTP, DNS, "Plesk Admin".

I believe the compromised application was the MailEnable Standard mail server software on both systems, as the POP3 Connector would go down and couldn't be started until the "backup" user was removed. I have since upgraded every software application to the latest version on each system and monitored the traffic on each system very closely; each seems to be fine.

I have also run RootKitRevealer, HijackThis and a full AV scan, and all seem fine. I also checked the Services list and there is nothing suspicious, going through every item and checking the referenced file's signature. All non-required services are stopped and disabled, and all services set to Manual start but currently Started were checked and all are fine. I have confirmed on each system that outbound access on non-allowed ports (other than those above) does not work, so any port opened that may attempt to connect to an external system won't get out.

I have also monitored running files (through Microsoft's FileMon application) and can confirm all applications run through the Task Manager, etc.

Is there anything you may suggest I look at further, or additional tests that I can run to see if there is something still lurking on each machine?

Btw, the main administrator user was renamed, and every account on each system has a strong 10-character password, made up of upper- and lower-case characters along with numbers.

Many Thanx, Richard
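A check a defender could run on each server to confirm the finding above (an unexpected "backup" account in Administrators) and to catch a repeat, as an added example that is not from the original post; the expected-admin list and the 90-day window are placeholders, and it assumes PowerShell 2.0 or later with account-management auditing enabled.

```powershell
# Added example (not from the thread): audit local Administrators membership and
# account-creation events on a Windows server. Uses the classic ADSI WinNT provider
# and Get-EventLog so it works on older hosts such as Windows Server 2003 R2.
# Assumption: fill $ExpectedAdmins from your own build documentation.

$ExpectedAdmins = @('RENAMED-ADMIN-PLACEHOLDER', 'Domain Admins')

# 1. Enumerate members of the local Administrators group.
$group   = [ADSI]"WinNT://./Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

$unexpected = @($members | Where-Object { $ExpectedAdmins -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected local Administrators: " + ($unexpected -join ', '))
} else {
    Write-Host "Local Administrators group matches the expected list."
}

# 2. Look back 90 days in the Security log for the two actions the attacker
#    performed. On Windows 2003 these are event 624 (User Account Created) and
#    636 (Security Enabled Local Group Member Added); on Server 2008 and later
#    the equivalents are 4720 and 4732.
$since  = (Get-Date).AddDays(-90)
$events = Get-EventLog -LogName Security -After $since |
          Where-Object { $_.EventID -eq 624 -or $_.EventID -eq 636 }

foreach ($e in $events) {
    # First line of the message names the action; the body names the new
    # account / target group and the caller account that performed it.
    $summary = $e.Message.Split("`n")[0].Trim()
    "{0}  {1}  {2}" -f $e.TimeGenerated, $e.EventID, $summary
}

# Note: if "Audit account management" is not enabled in the local security
# policy, step 2 returns nothing even after a compromise, so check the policy
# first rather than treating an empty result as a clean bill of health.
```

Run it under an administrative session on each server and compare the output across servers; the same unexpected name or the same caller account on both would support the shared-vector theory.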
 
That should read that all non-required services were disabled and stopped and that the administrator user was renamed before each server was installed in production. All updates were also installed, to the latest versions, before each server was commissioned.

All systems have been running for a number of months without any issue.
 
Hi Pat,

It's SR2 (latest version of 2k3 Server), not sure why I put RC2 above (doh!)

Thanx, Richard
 
I guess Microsoft call it R2, but I always call it SR2 (Service Release 2)
 