Hello,

I have a query which is only apparent due to politics in the workplace. On
a technical level I can quite easily stop this issue but am intrigued as to
how this can be happening?

One of our Windows 2003 servers is being accessed by a user who does have an
administrator account, but does not have local access to the server. From
outside the local network the only permitted inbound access is for HTTP,
HTTPS, SMTP and FTP, all using the standard ports. There is no remote
access software installed, e.g. Remote Desktop, NetOp etc. How can it be
possible for files to be added / removed, permissions changed etc on this
server via these protocols? (Obviously the user can interact with the
services that are provided, but things are changing outside of these
locations).

Any ideas at all, anyone?

Thanks,
John

Re: Windows 2003 remote admin access by Roger

Roger
Thu Jun 29 20:25:48 CDT 2006

Are they allowed to author web content? Particularly if it is in
an IIS defined application area?
Has DCOM proxying over HTTP been enabled?
How are you certain that there are no other allowed ports?


"John Collins" <jc1998@yahoo.com> wrote in message
news:e80ucu$d86$1@newsfeed.th.ifl.net...
> Hello,
>
> I have a query which is only apparent due to politics in the workplace.
> On a technical level I can quite easily stop this issue but am intrigued
> as to how this can be happening?
>
> One of our Windows 2003 servers is being accessed by a user who does have
> an administrator account, but does not have local access to the server.
> From outside the local network the only permitted inbound access is for
> HTTP, HTTPS, SMTP and FTP, all using the standard ports. There is no
> remote access software installed, e.g. Remote Desktop, NetOp etc. How can
> it be possible for files to be added / removed, permissions changed etc on
> this server via these protocols? (Obviously the user can interact with
> the services that are provided, but things are changing outside of these
> locations).
>
> Any ideas at all, anyone?
>
> Thanks,
> John
>



Re: Windows 2003 remote admin access by John

John
Fri Jun 30 03:08:46 CDT 2006

Hello Roger,

The server sits behind a hardware firewall which is only allowing those
particular ports inbound so access on any other ports shouldn't be possible.
The user does have HTTP and FTP web authoring access but this should (as I
understand it) only be for the areas defined in IIS under the website and
FTP sites? DCOM proxying certainly hasn't been enabled manually by myself.
I'm assuming that this wouldn't be enabled by default? How can I check to
see if it is enabled and if so how can this be used to gain access?

Many thanks,
John

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:Oi%239fQ%23mGHA.3544@TK2MSFTNGP05.phx.gbl...
> Are they allowed to author web content? Particularly if it is in
> an IIS defined application area?
> Has DCOM proxying over HTTP been enabled?
> How are you certain that there are no other allowed ports?



Re: Windows 2003 remote admin access by Roger

Roger
Fri Jun 30 10:26:22 CDT 2006

Then I would look at the web content, as I tried to say before, at
least if the content area is IIS enabled as application (i.e. supports
asp, asp.net) or if any areas are enabled for scripting (i.e. granted
execute, such as for cgi). Consider, if any area is made to allow
non-anonymous browsing, then that area when browsed will have
access done in context of the authenticated browsing account (i.e.
the person's admin account) so any code posted to the content
area could be made to run with that account. Similarly, if the
authoring is being done with use of the FrontPage server extensions,
or if FTP is configured with excess dirs, then once authenticated to
author with these as an admin account the authoring would only
be limited to areas defined as vdirs in IIS and/or FTP. If you
are finding changes at other locations, or changes to machine
config settings (new accounts, service properties changes, etc.)
then I would examine the content of web script and/or application
areas (assuming your statements about dcom over http, ports
allowed, rdp not allowed are all correct).

"John Collins" <jc1998@yahoo.com> wrote in message
news:e82m6l$g02$1@newsfeed.th.ifl.net...
> Hello Roger,
>
> The server sits behind a hardware firewall which is only allowing those
> particular ports inbound so access on any other ports shouldn't be
> possible. The user does have HTTP and FTP web authoring access but this
> should (as I understand it) only be for the areas defined in IIS under the
> website and FTP sites? DCOM proxying certainly hasn't been enabled
> manually by myself. I'm assuming that this wouldn't be enabled by default?
> How can I check to see if it is enabled and if so how can this be used to
> gain access?
>
> Many thanks,
> John



Re: Windows 2003 remote admin access by Roger

Roger
Sat Jul 01 10:50:22 CDT 2006

John,
I think that prior post ended up sounding confusing.
What I was intending to say is that if indeed the firewall is
only allowing those ports and the state of what is installed
as stated is correct, then you have to look for how it could
be done over the ports that are allowed.
IIS ftp will contain its usage to areas within ftp defined as vdirs,
while this is possibly also true for w3svc websites depending
on the config and whether parent paths are enabled.
If posting of web content to areas enabled for script or for
execute privilege is allowed, then it is possible to load any
code within limits of whether script or execute is allowed in
the area. If there are web areas that are set to not allow
anonymous access then code placed there would be triggered
by browsing to run as the account that authenticates for the
browsing. etc. There is code one could place there that is
intended for remote management of some aspects of the
server, and/or, of the IIS install as one example, or simple
asp could be used to walk around in the filesystem outside
of the vdir areas defined to IIS. Etc.

I have to ask. Why is this account an admin anyway?
It seems not needed if there were really no way to use
the admin privs. But if there was a need with a way to
use the privs, then perhaps that is where you should
begin looking.

"John Collins" <jc1998@yahoo.com> wrote in message
news:e82m6l$g02$1@newsfeed.th.ifl.net...
> Hello Roger,
>
> The server sits behind a hardware firewall which is only allowing those
> particular ports inbound so access on any other ports shouldn't be
> possible. The user does have HTTP and FTP web authoring access but this
> should (as I understand it) only be for the areas defined in IIS under the
> website and FTP sites? DCOM proxying certainly hasn't been enabled
> manually by myself. I'm assuming that this wouldn't be enabled by default?
> How can I check to see if it is enabled and if so how can this be used to
> gain access?
>
> Many thanks,
> John



Re: Windows 2003 remote admin access by John

John
Mon Jul 03 09:02:51 CDT 2006

Hello Roger,

Thanks for clarifying your points on this one.

Unfortunately the only reason this guy has admin rights is a political one.
My standpoint is that he doesn't need admin rights to this new install but
as he's higher up in the company he has the Director's backing to have full
admin rights to all of our kit. The uploading of scripts theory to IIS is
interesting as he does have (and need) at least Advanced Author rights to
the websites hosted on this box. There are areas that will allow script and
execute. I think I will need to monitor the upload and deletion activity
for the IIS webs to see if this is indeed what's happening?

Many thanks for your help on this one.

Regards,
John

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:ut0IPYSnGHA.376@TK2MSFTNGP05.phx.gbl...
> John,
> I think that prior post ended up sounding confusing.
> What I was intending to say is that if indeed the firewall is
> only allowing those ports and the state of what is installed
> as stated is correct, then you have to look for how it could
> be done over the ports that are allowed.
> IIS ftp will contain its usage to areas within ftp defined as vdirs,
> while this is possibly also true for w3svc websites depending
> on the config and whether parent paths are enabled.
> If posting of web content to areas enabled for script or for
> execute privilege is allowed, then it is possible to load any
> code within limits of whether script or execute is allowed in
> the area. If there are web areas that are set to not allow
> anonymous access then code placed there would be triggered
> by browsing to run as the account that authenticates for the
> browsing. etc. There is code one could place there that is
> intended for remote management of some aspects of the
> server, and/or, of the IIS install as one example, or simple
> asp could be used to walk around in the filesystem outside
> of the vdir areas defined to IIS. Etc.
>
> I have to ask. Why is this account an admin anyway?
> It seems not needed if there were really no way to use
> the admin privs. But if there was a need with a way to
> use the privs, then perhaps that is where you should
> begin looking.



Re: Windows 2003 remote admin access by Roger

Roger
Tue Jul 04 03:44:05 CDT 2006

If you are going to follow up on the idea that what you see may be
due to authorship of IIS content, keep in mind that the published
code would run as the IIS backside accounts unless in a non-anonymous
area, so, key in on areas that require browser login as those would boost
the code to running in his account.

"John Collins" <johncollins232@yahoo.com> wrote in message
news:e8b82d$fpd$1@news.freedom2surf.net...
> Hello Roger,
>
> Thanks for clarifying your points on this one.
>
> Unfortunately the only reason this guy has admin rights is a political
> one. My standpoint is that he doesn't need admin rights to this new
> install but as he's higher up in the company he has the Director's backing
> to have full admin rights to all of our kit. The uploading of scripts
> theory to IIS is interesting as he does have (and need) at least Advanced
> Author rights to the websites hosted on this box. There are areas that
> will allow script and execute. I think I will need to monitor the upload
> and deletion activity for the IIS webs to see if this is indeed what's
> happening?
>
> Many thanks for your help on this one.
>
> Regards,
> John
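
One way to do the monitoring discussed in this thread, as an added example that is not part of any poster's message: a review of an IIS W3C extended log for authoring activity (WebDAV-style methods and FrontPage Server Extensions posts) and for script requests made under an authenticated account, which is where Roger suggests keying in. The log lines, account names, addresses and paths are constructed, and the example assumes cs-username is among the logged fields.

```python
import os

# Constructed sample in IIS W3C extended log format (users, IPs, paths invented).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2006-06-28 21:14:02 GET /default.asp - 198.51.100.7 200
2006-06-28 21:15:40 PUT /intranet/tools/fs.asp CORP\\jdoe 203.0.113.9 201
2006-06-28 21:16:05 GET /intranet/tools/fs.asp CORP\\jdoe 203.0.113.9 200
2006-06-28 21:17:30 POST /_vti_bin/_vti_aut/author.dll CORP\\jdoe 203.0.113.9 200
2006-06-28 21:20:11 GET /intranet/report.asp CORP\\asmith 192.0.2.44 200
2006-06-28 21:22:48 DELETE /intranet/tools/fs.asp CORP\\jdoe 203.0.113.9 200
"""

# HTTP methods that add, change or remove content on the server.
AUTHORING_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
# Extensions that execute server-side when the area allows script or execute.
SCRIPT_EXTS = {".asp", ".asa", ".aspx", ".ashx", ".asmx", ".cgi", ".pl", ".exe", ".dll"}

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def review(text):
    """Return (authoring_events, authenticated_script_requests)."""
    authoring, runs, uploaded = [], [], set()
    for r in parse_w3c(text):
        method, user = r["cs-method"].upper(), r["cs-username"]
        stem = r["cs-uri-stem"].lower()
        when = r["date"] + " " + r["time"]
        # FrontPage authoring arrives as POSTs to the /_vti_bin/ endpoints;
        # the published file name is in the POST body, not in the log.
        fpse = method == "POST" and "/_vti_bin/" in stem
        if method in AUTHORING_METHODS or fpse:
            authoring.append((when, user, method, stem))
            if method == "PUT":
                uploaded.add(stem)
            continue
        ext = os.path.splitext(stem)[1]
        # "-" means anonymous: the script ran as the IIS anonymous account.
        # A named user means it ran in that account's security context.
        if user != "-" and ext in SCRIPT_EXTS and r["sc-status"].startswith("2"):
            runs.append((when, user, stem, stem in uploaded))
    return authoring, runs

if __name__ == "__main__":
    authoring, runs = review(SAMPLE_LOG)
    for event in authoring:
        print("AUTHORING", *event)
    for when, user, stem, fresh in runs:
        print("AUTH-SCRIPT", when, user, stem, "(uploaded earlier in this log)" if fresh else "")
```

FTP uploads are recorded in the separate FTP service log, so this covers only the HTTP side of the authoring access described in the thread.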