Using Group Policy to regain access

On Thu 8th August 2013, 08:04 Jonathan, whilst Sneaky, says:

A customer of ours was hacked, resulting in a compromised terminal server. They first noticed the problem because they could no longer log in and had a number of employees unable to work. A colleague attempted to log in to the server only to find the perpetrator had denied our account access to the server also - we couldn't even remote manage the thing! For completeness, the attacker also changed the local account password.

The clock is ticking and it's suggested someone go to site with a password reset disk to break back in to the server. A perfectly valid idea but travel time equals more downtime for the customer. An idea struck me at this point; we still had full access to the domain controller so we also had access to the power of group policy.

Group Policy allows you to control a multitude of settings in Windows and popular applications from the IT manager's desk, i.e. centrally. One such setting is Restricted Groups, a mechanism that allows you to force group membership on a member server or workstation. This was my route in.

A group policy was created to force the "domain admins" group to become a member of the local "administrators" group. The customer was asked to hard power off the compromised server, i.e. hold the power button in, and then power the server back on. On boot the server updated its settings from policy, making the "domain admins" group a local administrator again and permitting management and RDP access.

All that was needed then was to clean up and resecure the server.
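As an added illustration of the Restricted Groups mechanism Jonathan describes (this is not part of his comment), below is the shape of the security template fragment that the Group Policy editor writes into the GPO's GptTmpl.inf (under the policy's Machine\Microsoft\Windows NT\SecEdit folder). The domain SID is a placeholder, and both line shapes are shown on the assumption that the reader wants to see the difference between the additive "Memberof" form and the authoritative "Members" form.

```ini
; Constructed security template fragment, not taken from the original comment.
; Restricted Groups settings live in the [Group Membership] section;
; every SID is prefixed with '*'. <DOMAIN-SID> stands for the domain's
; own S-1-5-21-... prefix and must be replaced with the real value.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; Additive form: make Domain Admins (RID 512) a member OF the local
; Administrators group (well-known SID S-1-5-32-544). Existing members of
; Administrators are left alone, so this is the low-risk way to regain
; access, as in the story above.
*<DOMAIN-SID>-512__Memberof = *S-1-5-32-544
*<DOMAIN-SID>-512__Members =
; Authoritative form: define the COMPLETE membership of local Administrators.
; Anyone not listed here (including accounts an intruder added) is removed
; at the next policy refresh, so every member that must keep access has to
; be listed explicitly.
*S-1-5-32-544__Members = *<DOMAIN-SID>-512
*S-1-5-32-544__Memberof =
```

Use one form or the other per group rather than both; the authoritative form is the one to reach for during clean-up, once the legitimate membership list is known.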