Possible compromised server? - "The system detected a possible attempt to compromise security"

SBS 2011 domain controller, 10 Windows 7 machines.

Everything was working fine last night when people went home.

This morning, no one could log in to their accounts on the workstations. After entering their creds, they got another login box that had the warning: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

I disconnected the server from the network and now everyone can log in to their workstations with the cached credentials. They have internet and everything they need except what's on the server that I disconnected.

The terrifying bit is that the administrator password had changed. I couldn't log into the server. It said the username or password is incorrect. The only two people with admin access said they haven't changed the password and I'm inclined to believe them. For this reason I could only assume the server was compromised.

I used this guide to reset the admin account password (luckily the account name hadn't been changed): http://sysadmin.magnix.nl/?p=112

After regaining access to the admin account, it was acting a little flaky. Explorer kept crashing and I could only open certain utilities but not others. For instance, I could open computer properties but the management console would hang.

I created another admin account to test for a corrupt profile. When trying to login to the new account, it hangs while setting up the desktop and never gets there.

At this point, I'm inclined to think it's a hardware issue or corrupt profile. But what could have changed the admin password? My favorite option right now is to completely reload from last night's backup. If it's a hardware problem we'll find out pretty quickly. If it's a profile issue, that will hopefully fix it.

The only reason I'm concerned it might have been compromised is because of the changed admin password and the error users get when trying to authenticate with the server. There are very sensitive documents and SSL certs stored on this server so I'm being a little paranoid.

What other TSing steps would you suggest before I make the leap and reload?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

So which services hang on starting and what errors are you logging in the event logs?  Does this server have RAID and have you run checkdisk at all?  How many times have you rebooted the server since your issues began?
WORKS2011Austin Tech CompanyCommented:
I would disable the other admin account asap, start here. Even if they didn't change the password maybe they left it out in the open. So, first rule disable all access to every admin but yourself. Make backup account but only you have access.

If it's a poweredge server does Open Manage tell you anything about hardware?

It could be a corrupt sysvol which may be due to hardware.
I suggest you make sure your DNS is correct on your server as well.
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Cliff GaliherCommented:
That error message is *not* a standard error message in Windows. I hate to be the bearer of bad news, but your fears are well founded. I doubt this is a corrupt profile or bad hardware. Parts of the OS freezing and certain utilities not working is a classic sign of a rootkit that is not compatible with a windows update, so it isn't as "hidden" as it should be.

The fact that the admin password alone was changed would be a HUGE red flag for me. If it were my server, I'd be planning a rebuild ASAP.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
benconnectedAuthor Commented:
I've rebooted several times. I am unable to check event logs or get into Dell OpenManage to check hardware. There's a lot that doesn't work after I log in. I'm going to be safe and take Cliff's advice. Thanks!
benconnectedAuthor Commented:
I also ran a full Dell hardware diagnostic with no related errors.

I restored to a backup from several days ago when I know it was working okay. It's still acting a little flaky but that's probably because Exchange is catching up. Everyone can connect now and employees are running fine.

My only worry is that if there was malware installed it may have been on there for a while. I ran full virus/malware scans and several different rookit scans. I haven't come up with anything.
Cliff GaliherCommented:
Unfortunately there are a lot of things that could have been done. Active Directory is the "hub" of a Windows-based network and it is why protecting domain controllers is of particular importance and often stressed vigorously throughout Microsoft security practices. If the server really was compromised, there is a good chance whoever had access pulled all of the security IDs and the account databases. Unlike a compromised member server, once a DC is compromised, there is a continued high risk to the network that even restoring a backup won't help.

Further, whoever compromised the server gained access "somehow" (got a password, brute forced the password, used an unpatched vulnerability) and restoring the backup restores the compromised password and/or vulnerability.

Honestly? There is one way forward. Rebuild. Export data. Install a new OS creating a new active directory domain. Patch. Patch. And Patch. And then import the data. But a new AD domain will by design create new SIDs and other security principles. It will be inconvenient for users. It will be downright painful for you. But the disclosure of data and ongoing headache will be far worse if you don't.
Not being funny Cliff, but that is a real error message.  You get it on clients when Kerberos is loused up in certain ways (which ones?  not sure.  eg bad ticket timestamps)  I was thinking maybe he'd copped a bad update...
ref: MS KB 938457

I can't explain the admin password changing though, so that is a big red flag :-O
Cliff GaliherCommented:
Never said it wasn't a real error message. I said it wasn't a standard message. The KB article, if you note, has been retired. Kerberos problems now throw more detailed (And useful) messages.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.