Avatar of benconnected
benconnectedFlag for Afghanistan asked on

Possible compromised server? - "The system detected a possible attempt to compromise security"

SBS 2011 domain controller, 10 Windows 7 machines.

Everything was working fine last night when people went home.

This morning, no one could log in to their accounts on the workstations. After entering their creds, they got another login box that had the warning: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

I disconnected the server from the network and now everyone can log in to their workstations with the cached credentials. They have internet and everything they need except what's on the server that I disconnected.

The terrifying bit is that the administrator password had changed. I couldn't log into the server. It said the username or password is incorrect. The only two people with admin access said they haven't changed the password and I'm inclined to believe them. For this reason I could only assume the server was compromised.

I used this guide to reset the admin account password (luckily the account name hadn't been changed): http://sysadmin.magnix.nl/?p=112

After regaining access to the admin account, it was acting a little flaky. Explorer kept crashing and I could only open certain utilities but not others. For instance, I could open computer properties but the management console would hang.

I created another admin account to test for a corrupt profile. When trying to login to the new account, it hangs while setting up the desktop and never gets there.

At this point, I'm inclined to think it's a hardware issue or corrupt profile. But what could have changed the admin password? My favorite option right now is to completely reload from last night's backup. If it's a hardware problem we'll find out pretty quickly. If it's a profile issue, that will hopefully fix it.

The only reason I'm concerned it might have been compromised is because of the changed admin password and the error users get when trying to authenticate with the server. There are very sensitive documents and SSL certs stored on this server so I'm being a little paranoid.

What other TSing steps would you suggest before I make the leap and reload?
Microsoft Server OSSBS

Avatar of undefined
Last Comment
Cliff Galiher

8/22/2022 - Mon
Member_2_6515809

So which services hang on starting and what errors are you logging in the event logs?  Does this server have RAID and have you run checkdisk at all?  How many times have you rebooted the server since your issues began?
WORKS2011

I would disable the other admin account asap, start here. Even if they didn't change the password maybe they left it out in the open. So, first rule disable all access to every admin but yourself. Make backup account but only you have access.

If it's a poweredge server does Open Manage tell you anything about hardware?

It could be a corrupt sysvol which may be due to hardware.
Pauld88

I suggest you make sure your DNS is correct on your server as well.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER CERTIFIED SOLUTION
Cliff Galiher

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
benconnected

I've rebooted several times. I am unable to check event logs or get into Dell OpenManage to check hardware. There's a lot that doesn't work after I log in. I'm going to be safe and take Cliff's advice. Thanks!
ASKER
benconnected

I also ran a full Dell hardware diagnostic with no related errors.

I restored to a backup from several days ago when I know it was working okay. It's still acting a little flaky but that's probably because Exchange is catching up. Everyone can connect now and employees are running fine.

My only worry is that if there was malware installed it may have been on there for a while. I ran full virus/malware scans and several different rookit scans. I haven't come up with anything.
Cliff Galiher

Unfortunately there are a lot of things that could have been done. Active Directory is the "hub" of a Windows-based network and it is why protecting domain controllers is of particular importance and often stressed vigorously throughout Microsoft security practices. If the server really was compromised, there is a good chance whoever had access pulled all of the security IDs and the account databases. Unlike a compromised member server, once a DC is compromised, there is a continued high risk to the network that even restoring a backup won't help.

Further, whoever compromised the server gained access "somehow" (got a password, brute forced the password, used an unpatched vulnerability) and restoring the backup restores the compromised password and/or vulnerability.

Honestly? There is one way forward. Rebuild. Export data. Install a new OS creating a new active directory domain. Patch. Patch. And Patch. And then import the data. But a new AD domain will by design create new SIDs and other security principles. It will be inconvenient for users. It will be downright painful for you. But the disclosure of data and ongoing headache will be far worse if you don't.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Member_2_6515809

Not being funny Cliff, but that is a real error message.  You get it on clients when Kerberos is loused up in certain ways (which ones?  not sure.  eg bad ticket timestamps)  I was thinking maybe he'd copped a bad update...
ref: MS KB 938457

I can't explain the admin password changing though, so that is a big red flag :-O
Cliff Galiher

Never said it wasn't a real error message. I said it wasn't a standard message. The KB article, if you note, has been retired. Kerberos problems now throw more detailed (And useful) messages.