Focus on Microsoft
RE: w2k server compromised Jan 24 2003 05:50PM
james leafgrove com (James D Stallard)
Ronald/Dan

Very good point there, however if you follow the procedure then DCPROMO
will do that for you (thankfully). Laura posted a good export/import
fix, but as she rightly says, this will not bring the SIDs across and
therefore Dan would have to re-ACL everything again. Pretty unpleasant,
but very nice and clean afterwards!

I have asked around our W2k chaps here and everyone agrees, if the AD is
not damaged by the compromise, then a second DC is the way to go.

HTH

JamesD

-----Original Message-----
From: Ronald Balk [mailto:rbalk (at) borland (dot) com [email concealed]]
Sent: 24 January 2003 15:12
To: James D. Stallard; Dan Uscatu; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: w2k server compromised

Don't forget to move the "Operation Masters Roles" to the new DC .. !

-----Original Message-----
From: James D. Stallard [mailto:james (at) leafgrove (dot) com [email concealed]]
Sent: 23 January 2003 23:08
To: 'Dan Uscatu'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: w2k server compromised

Dan

Regardless of the security implications and reasons of having an
apparently compromised DC, you can use the following procedure to get your
AD databases copied:

Build new W2k server box
Harden new server
Use DCPROMO to make it a DC in the current domain/forest
Await replication to complete, check by directing AD Users and Computers
at the new server. Check your login scripts and policies have also come
across by looking in SYSVOL
DCPROMO old server to remove DC functionality
Power off old server
Remove entries in Sites and Services relating to the old server if still there
Remove old server computer account
Rebuild old server
Harden old server
DCPROMO old server to make it a DC in the current domain/forest
Await replication to complete, check by directing AD Users and Computers
at the old server. Check your login scripts and policies have also come
across by looking in SYSVOL
DCPROMO new server to remove DC functionality
Power off new server
Remove entries in Sites and Services relating to the new server if still there
Remove new server computer account
Done

Good luck and don't forget to check the rest of your LAN for pesky
malware. Of course if the compromise is AD aware you may not be able to
get rid of it this way, but that is pretty unlikely. Anyone else comment??

Cheers

JamesD
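An added verification script for the procedure above and for Ronald's reminder about the operations master roles (this is editorial example code, not from any poster). It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later, so not available on the W2k boxes themselves) and uses placeholder server names NEWDC01 and OLDDC01.

```powershell
# Added example: check the state James says to confirm after each DCPROMO round.
# Assumes the ActiveDirectory module; $NewDc/$OldDc are placeholder names.
param(
    [string]$NewDc = 'NEWDC01',   # placeholder: freshly built, hardened DC
    [string]$OldDc = 'OLDDC01'    # placeholder: compromised DC being retired
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Ronald's point: all five FSMO roles must be on the new DC before the old
#    one is demoted (Move-ADDirectoryServerOperationMasterRole transfers them).
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $ok = ($r.Value -eq $NewDc) -or ($r.Value -like "$NewDc.*")
    '{0,-22} {1,-30} {2}' -f $r.Key, $r.Value, $(if ($ok) { 'OK' } else { 'STILL ON OLD DC' })
}

# 2. "Await replication to complete": inbound replication status of the new DC.
Get-ADReplicationPartnerMetadata -Target $NewDc -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 3. "Remove entries in Sites and Services" and "remove computer account":
#    both objects for the old server should be gone after demotion.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$stale = Get-ADObject -SearchBase "CN=Sites,$cfgNc" `
           -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" -ErrorAction SilentlyContinue
if ($stale) { "Stale server object for $OldDc still in Sites and Services: $($stale.DistinguishedName)" }
else        { "No server object for $OldDc under CN=Sites (OK)" }

$acct = Get-ADComputer -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue
if ($acct) { "Computer account for $OldDc still exists: $($acct.DistinguishedName)" }
else       { "Computer account for $OldDc removed (OK)" }

# 4. "Check your login scripts and policies ... by looking in SYSVOL" on the new DC.
$sysvol = "\\$NewDc\SYSVOL\$($domain.DNSRoot)"
'Logon scripts in SYSVOL\scripts : {0}' -f (Get-ChildItem "$sysvol\scripts"  -ErrorAction SilentlyContinue | Measure-Object).Count
'GPO folders in SYSVOL\Policies  : {0}' -f (Get-ChildItem "$sysvol\Policies" -Directory -ErrorAction SilentlyContinue | Measure-Object).Count
```

Run it once after the new DC has replicated (before demoting the old one) and again after the rebuilt old server is promoted, swapping the two names for the second round.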

-----Original Message-----
From: Dan Uscatu [mailto:duscatu (at) lunatech (dot) ro [email concealed]]
Sent: 23 January 2003 08:17
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: w2k server compromised

hey all

i just found one of the w2k servers to be infected and acting very
strangely. unfortunately it is a domain controller and it has all the
users/computers lists.

how can i export these before reinstall in order to keep the exact same
configuration (everything except passwords of course)? i suppose this
could be useful to be done on a regular basis too...

TIA

Copyright 2009, SecurityFocus