Possible inside security breach
I have a strange situation that I really just need clarification on, so here goes.

I am an IT consultant for a company that has remote users who connect via a VPN. One user, a recent contractor (potentially to become an employee), needed access to the shared files/folders and e-mail. I gave him instructions on setting up the VPN on his home PC and was going to get back to him later on setting up the remaining items (I work for other clients also). Instead of waiting, he and a friend logged onto the client's network via the VPN and, in their own words, "hacked and guessed around about some things" so they could add his PC to the domain and give him access to what he needed! There are only two accounts on the domain that have Administrator rights, and his was neither. When I questioned the user on this, suffice to say the friend did all the work and he knows nothing. What really puzzles me is that the client principal seems to think nothing of this?!? He basically said, "Well, I guess you have some competition."

Anyway, my questions are:

1) I need to clarify that only an account with Administrative privileges can create new user and computer accounts in an AD domain?

2) Any possible ideas on how the hell they could have done this? I don't need specifics, just: could/can it be done? I understand that by having VPN access to the network the user basically had a key, so to speak, allowing them to bypass the normal things that discourage external attacks (i.e. firewalls).

I am going to try to explain to the client principal that if they circumvented network security, then his network is basically open at this point. Unfortunately, the principal is high on this person and their abilities, so I may be creating an acrimonious situation by bringing it up. My thinking is that I don't want to be blamed for something down the line, as I feel I no longer have control over the network. Thanks.
|
Paul Adare - MVP - Microsoft Virtual PC

In article <1c8f01c48cde$b45f7680$a501280a@phx.gbl>, in the microsoft.public.win2000.security news group, G. Lentz says...

> 1) I need to clarify that only an account with
> Administrative privileges can create new user and
> computer accounts in an AD domain?
User accounts yes, computer accounts, no. This, to be quite honest, is a pretty basic AD concept, and I'd certainly expect any consultant working for me (that was doing anything at all with AD) to know this. In AD, every domain user account can add 10 workstations to the domain. Since the person in question obviously already has a domain user account, it is really just a matter of connecting to the domain through the VPN, and then adding his computer to the domain.
> 2) Any possible ideas on how the hell they could have
> done this? Don't need specifics, just could/can it be
> done? I understand by the user having VPN access to the
> network he basically had a key so to speak, allowing them
> to bypass the normal things that discourage external
> attacks (i.e. firewalls).

See above. If this wasn't supposed to be allowed, it certainly wasn't the contractor's fault. It was whoever set up the remote access and allowed this to happen.

> I am going to try and speak to the client principal that
> if they circumvented network security, then his network
> is basically open at this point. Unfortunately the
> principal is high on this person and their abilities so I
> may be creating an acrimonious situation by bringing it up.
> My thinking is I don't want to be blamed for something
> down the line as I feel I no longer have control over the
> network. Thanks.
Again, as above. Given what you've told of the story here, you _are_ responsible for this situation already.
-- Paul Adare This posting is provided "AS IS" with no warranties, and confers no rights.
|
Agreed. In fact, if you have a user account, you wouldn't even need to have your machine joined to the domain to gain access to data. Connection to the network is all that's needed, and a VPN connection gave him that. So, as far as I can see, no "hacking" or "security breach" has taken place here.

Oli

"Paul Adare - MVP - Microsoft Virtual PC" wrote in message news:MPG.1b9a189b779474f7989a41@msnews.microsoft.com...
|
Paul Adare - MVP - Microsoft Virtual PC

In article , in the microsoft.public.win2000.security news group, Oli Restorick [MVP] says...

> In fact, if you have a user account, you wouldn't even need to have your
> machine joined to the domain to gain access to data. Connection to the
> network is all that's needed and a VPN connection gave him that.
That's not necessarily true all of the time, for example, if your internal network is secured via IPSec using Kerberos or Certificate auth.
But the bottom line here is that the lack of knowledge on the part of the consultant in the OP is the cause of the events that took place.
-- Paul Adare This posting is provided "AS IS" with no warranties, and confers no rights.
|
Yes, I realise that, but for someone who didn't know that any user can, by default, add 10 workstations to the domain, I doubt IPsec was being used. Agreed on your last point.

Oli

"Paul Adare - MVP - Microsoft Virtual PC" wrote in message news:MPG.1b9a217ee02d5513989a42@msnews.microsoft.com...
|
By default, "Authenticated Users" can add up to ten workstations to a domain, which means that ANYONE who knows a logon/password for a domain account can add a workstation to the domain. This is configured in Domain Controller Security Policy / Security Settings / Local Policies / User Rights Assignment, and the Domain Controllers container is the only place this user right is applied. You can remove Authenticated Users if you do not want this to happen, which I would suggest you do.

Joining a computer to the domain in itself does not give a user any more permissions than their credentials already do, though it may allow the computer to obtain a certificate or IPsec policy to use for network communications restricted to domain computers only.

--- Steve

"G. Lentz" wrote in message news:1c8f01c48cde$b45f7680$a501280a@phx.gbl...
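The checks and the fix that Steve and Paul describe, as an added example that is not part of the thread and not code from any of the posters. It is a PowerShell script that assumes the RSAT ActiveDirectory module and a session running as an account that can read the domain naming context head and, for the last step, write to it. It reads the ms-DS-MachineAccountQuota attribute (the per-user limit of 10 that the posters refer to), lists the computer accounts that were created through that quota rather than by an administrator or a delegated account (AD stamps those objects with the creator's SID in mS-DS-CreatorSID, which is how the consultant would find out which account actually joined the contractor's PC), and then sets the quota to 0. The "Add workstations to domain" user right that Steve mentions is a separate control in the Default Domain Controllers Policy and is changed with the Group Policy editor, not with this script.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and an authenticated domain session with rights to read, and in step 3 to
# modify, the domain naming context head.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dnHead = $domain.DistinguishedName

# 1. Read the per-user machine account quota. The default of 10 lets any
#    authenticated user create that many computer objects in the domain.
$head  = Get-ADObject -Identity $dnHead -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $dnHead = $quota"

# 2. Find computer accounts that were created through the quota. When a user
#    relies on the quota rather than on an explicit Create Child permission,
#    AD records that user's SID in mS-DS-CreatorSID; admin-created objects
#    leave the attribute empty, so the LDAP filter (mS-DS-CreatorSID=*)
#    returns exactly the quota-created machines.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        # The attribute is stored as a binary SID; decode it and try to
        # resolve it to a name. Resolution fails for deleted accounts or
        # accounts from an unreachable domain, so fall back to the raw SID.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    } |
    Sort-Object WhenCreated -Descending |
    Format-Table -AutoSize

# 3. Close the door: with the quota at 0, only accounts that hold an explicit
#    Create Computer Objects permission (administrators, or an account you
#    delegate it to) can join machines to the domain.
Set-ADObject -Identity $dnHead -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Run steps 1 and 2 first, on their own, to see who joined what and when; the output of step 2 is the evidence to put in front of the client principal. Apply step 3 only once you have a delegated account or procedure for legitimate joins, since it also stops ordinary users from joining their own machines.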