Solved

Virus / User TS 2008 ProgramData folder

Posted on 2013-01-22
Last Modified: 2013-02-03
We use 2008 terminal server. We had a user somehow get a virus downloaded and running on his session. It installed itself in the C:\programdata folder of the terminal server. We cleaned it by running malwarebytes on the terminal server and deleting his profile.
Is there any way to lock this down so it can't happen again?
Question by:SysBUTLER
8 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 38807267
Well first off, access to the ProgramData folder on a server is only allowed by an Admin user - therefore the existing user must be in that group - removing users on a TS from the administrator group is a starting point...

What AV have you on this server?
I normally enable a 'lockdown' policy for TS users - i.e. using GPO to stop access to the C drive in general for a start, limit what they can see/access etc...
 

Author Comment

by:SysBUTLER
ID: 38807651
Let me take a closer look. Thanks for the quick response. It may be tomorrow before I post back.
 

Author Comment

by:SysBUTLER
ID: 38810328
The user is not in the Admin group. I have been googling around and do not see any documentation anywhere that suggests locking down the programdata folder. It would seem the user would need some rights to this folder in order to run some legitimate apps and save user specific information about the apps they run. I am still looking and am going to experiment with denying write to the entire C: drive on TS and see what happens.

Have you ever used AppLocker?
 
LVL 24

Assisted Solution

by:smckeown777
smckeown777 earned 500 total points
ID: 38810377
Ok well when I said 'locking down' I wasn't referring to the ProgramData folder, I was talking in terms of 'locking down the server' such that the user doesn't have access to the C drive at all...

By default the ProgramData folder has Full Access for Admins, Read Only access for Users - so did you change those permissions by any chance?

As for denying access to the C drive I don't think that is possible (as you mentioned certain apps need access to parts of the system otherwise they will not work)

The way I do this for TS servers is I don't allow the user to 'see' the C drive, i.e. hide it using group policy...if they need access to a folder to save data then you can simply create a 'shared' folder on the C drive and just map a drive to allow them access - that way they still are able to work but can't actually get into the C drive itself...

No sorry never used AppLocker so can't help with that one...

Last thing - the infection/virus - what was it? I mean was it an executable they ran and then installed itself? If so then it's either a virus that doesn't need admin creds...or somehow the user was allowed to install it (using alternate creds??)

Are you using UAC(User Account Control) on the server as well? It is a big help for stopping these type of things...

You never said what AV you are using?
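The "hide the C drive, give them a mapped share instead" approach described in the comment above, as an added example that is not code from the thread: it writes the same registry values that the user GPO settings "Hide these specified drives in My Computer" (NoDrives) and "Prevent access to drives from My Computer" (NoViewOnDrive) set, here to HKCU so it can be tried on one test account before being moved into a GPO scoped to the TS users. The share name in the final comment is a placeholder.

```powershell
# Added example (not from the thread). Hides C: in Explorer and blocks
# browsing it via the Explorer policy values a user GPO would otherwise write.
# Assumes Windows Server 2008 R2 TS, PowerShell 2.0 or later, run as the
# test user whose HKCU should receive the policy.
function Get-DriveMask {
    # Both policies use one bitmask: A: = 1, B: = 2, C: = 4, D: = 8, ...
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $n = [int][char]$l.ToUpper() - [int][char]'A'
        $mask = $mask -bor [int][math]::Pow(2, $n)
    }
    return $mask
}

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$mask = Get-DriveMask -Letters 'C'          # 4 for the C: drive only
New-ItemProperty -Path $key -Name NoDrives      -PropertyType DWord -Value $mask -Force | Out-Null
New-ItemProperty -Path $key -Name NoViewOnDrive -PropertyType DWord -Value $mask -Force | Out-Null

# Users still get somewhere to save work: a share on the server mapped as a
# drive letter (placeholder share name; put this in a logon script or GPO).
# net use S: \\TSNAME\UserData /persistent:yes
```

Log the user off and back on for Explorer to pick the values up; this hides the drive from the shell, it does not change NTFS permissions, so it belongs alongside application control rather than instead of it.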
 

Author Comment

by:SysBUTLER
ID: 38810434
I am using Forefront. I did not set up this terminal server so I don't yet know all the ins and outs of it.
The virus was PCDefenderPlus. A fake anti-virus program. Malwarebytes found and eliminated it.

Let me look around at the servers a bit more and post back. This is all good information!
 

Accepted Solution

by:SysBUTLER
SysBUTLER earned 0 total points
ID: 38831151
I couldn't find anything that suggested I should lock down the ProgramData folder. It would seem to me the TS users would need to write to this folder. I am sure there is more than one way to accomplish what I want, but I went with AppLocker. It is an upgrade to SRP. I will award points anyway. Thanks for your help.
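An AppLocker executable policy of the kind the accepted solution settled on, as an added example that is not code from the thread: standard users can run only what sits under Program Files and Windows, Administrators can run anything, and a binary dropped under C:\ProgramData (where the fake AV installed itself) is denied by default. It assumes Windows Server 2008 R2 or later (AppLocker does not exist on Server 2008 RTM, which only has SRP) and an elevated PowerShell session on the terminal server; the test directory and file names are constructed.

```powershell
# Added example (not from the thread): build, dry-run, then apply in audit
# mode an AppLocker Exe policy shaped like the built-in default rules.
Import-Module AppLocker

# AppLocker uses its own %VARIABLE% path syntax inside the rule XML;
# %PROGRAMFILES% covers both Program Files and Program Files (x86).
$pf = [guid]::NewGuid(); $win = [guid]::NewGuid(); $adm = [guid]::NewGuid()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$pf" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$win" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$adm" Name="Administrators: allow all" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'ts-exe-policy.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run as the Everyone SID (a non-admin TS user): a real binary in its
# normal place, and a copy of it in a constructed folder under ProgramData.
$testDir = 'C:\ProgramData\applocker-test'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
Copy-Item "$env:WINDIR\System32\notepad.exe" "$testDir\copy-of-notepad.exe"
$paths = @("$env:WINDIR\System32\notepad.exe", "$testDir\copy-of-notepad.exe")
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $paths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# Expected: the System32 copy is Allowed by "Allow Windows folder", the
# ProgramData copy is DeniedByDefault with no matching rule.
Remove-Item $testDir -Recurse -Force

# Apply locally in audit mode first. Event ID 8003 in
# "Microsoft-Windows-AppLocker/EXE and DLL" lists what would have been
# blocked; once that log is clean, change EnforcementMode to "Enabled".
Set-AppLockerPolicy -XmlPolicy $policyPath
Set-Service -Name AppIDSvc -StartupType Automatic   # AppLocker enforces only while this runs
Start-Service -Name AppIDSvc
```

Path rules are only as strong as the NTFS permissions on the allowed folders: if standard users can write anywhere under Program Files or Windows, add a Deny rule for that subfolder or tighten its ACL.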
 
LVL 24

Expert Comment

by:smckeown777
ID: 38831178
Ok grand, again I wasn't specifically saying you need to lock down the ProgramData folder (as you said it's needed)

I was referring to locking down the server itself...standard practice with TS servers is to prevent the users from seeing the C drive at all, preventing them shutting down the server, access to Control Panel...etc...all those things I was referring to...

Anyways good luck with AppLocker, hope it does the job
 

Author Closing Comment

by:SysBUTLER
ID: 38848265
I am sure there is more than one way to get this done, but this is what I believed to be the best solution for me.