troubleshooting Question

Possible compromised server? - "The system detected a possible attempt to compromise security"

Avatar of benconnected
benconnectedFlag for Afghanistan asked on
SBSMicrosoft Server OS
9 Comments1 Solution2558 ViewsLast Modified:
SBS 2011 domain controller, 10 Windows 7 machines.

Everything was working fine last night when people went home.

This morning, no one could log in to their accounts on the workstations. After entering their creds, they got another login box that had the warning: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

I disconnected the server from the network and now everyone can log in to their workstations with the cached credentials. They have internet and everything they need except what's on the server that I disconnected.

The terrifying bit is that the administrator password had changed. I couldn't log into the server. It said the username or password is incorrect. The only two people with admin access said they haven't changed the password and I'm inclined to believe them. For this reason I could only assume the server was compromised.

I used this guide to reset the admin account password (luckily the account name hadn't been changed): http://sysadmin.magnix.nl/?p=112

After regaining access to the admin account, it was acting a little flaky. Explorer kept crashing and I could only open certain utilities but not others. For instance, I could open computer properties but the management console would hang.

I created another admin account to test for a corrupt profile. When trying to login to the new account, it hangs while setting up the desktop and never gets there.

At this point, I'm inclined to think it's a hardware issue or corrupt profile. But what could have changed the admin password? My favorite option right now is to completely reload from last night's backup. If it's a hardware problem we'll find out pretty quickly. If it's a profile issue, that will hopefully fix it.

The only reason I'm concerned it might have been compromised is because of the changed admin password and the error users get when trying to authenticate with the server. There are very sensitive documents and SSL certs stored on this server so I'm being a little paranoid.

What other TSing steps would you suggest before I make the leap and reload?
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 9 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 9 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros