Security Incidents mailing list archives

Remote registry changes from an ISA server


From: "Christopher Harrington" <cmh () nmi net>
Date: Thu, 1 Jul 2004 12:41:19 -0400

All,

ISS RealSecure reported registry changes on 2 Win2k AD servers (destination
port of 445) that originated from an ISA 2000 server that the customer uses
for a web proxy (it's behind a Checkpoint FW, which is behind a border
router). ISS can't tell what values were changed, only what keys were
accessed.

Here are the keys:

Server 1
1. HKLM\Software\Microsoft\WindowsNT\CurrentVersion

On 10.10.1.27:

2. HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
   HKLM\System\CurrentControlSet\Control\ProductOptions
3. HKLM\System\CurrentControlSet001\Control\Terminal Server\Winstations\RDP\UserOverride
4. HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

Keys 3 and 4 have no values or subkeys with values. Key 2 just identifies
this as a server (LANMANNT key is present). Key 1 has nothing out of the
ordinary; I checked each key. This customer has Shavlik for patch management
and BindView for AD reporting.

Any clue as to what could cause this?

Thanks,

--Chris
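Added example, not part of the original post: a PowerShell script that snapshots the keys named in the alert on the target server over the Remote Registry service and diffs them against a saved baseline, so that a later alert on the same keys can be tied to an actual value change rather than just a key access. It assumes a modern Windows host with rights on the target and the Remote Registry service running there; `$Server` and `$BaselinePath` are placeholders.

```powershell
# Added example (not from the original post). Snapshot the alerted registry keys
# on a remote server and compare them with a saved baseline.
# Assumptions: Remote Registry reachable, caller has read rights on the target.
param(
    [string]$Server = '10.10.1.27',                   # placeholder target
    [string]$BaselinePath = "C:\Baselines\$Server.json"  # placeholder path
)

# Keys from the alert with the HKLM\ prefix removed. The "CurrentControlSet001"
# path is reproduced as posted, so it may simply not exist on the target.
$Keys = @(
    'Software\Microsoft\WindowsNT\CurrentVersion',
    'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet001\Control\Terminal Server\Winstations\RDP\UserOverride'
)

function Get-KeySnapshot {
    param([string]$Machine, [string[]]$Paths)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Machine)
    $snap = @{}
    foreach ($p in $Paths) {
        $k = $hklm.OpenSubKey($p)
        if ($null -eq $k) { $snap[$p] = '<missing>'; continue }
        # One line per value ("name=data") and per subkey name, sorted for a stable diff
        $entries = @(foreach ($name in $k.GetValueNames()) {
            '{0}={1}' -f $name, ($k.GetValue($name) -join ',')
        })
        $entries += @($k.GetSubKeyNames() | ForEach-Object { "subkey:$_" })
        $snap[$p] = ($entries | Sort-Object) -join "`n"
        $k.Close()
    }
    $hklm.Close()
    return $snap
}

$current = Get-KeySnapshot -Machine $Server -Paths $Keys
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($p in $Keys) {
        if ($baseline.$p -ne $current[$p]) {
            Write-Output "CHANGED: HKLM\$p"
            Compare-Object ($baseline.$p -split "`n") ($current[$p] -split "`n") |
                ForEach-Object { Write-Output ('  {0} {1}' -f $_.SideIndicator, $_.InputObject) }
        }
    }
} else {
    Write-Output "No baseline at $BaselinePath; writing one now."
}
$current | ConvertTo-Json | Set-Content $BaselinePath
```

Run it once to record the baseline, then again after the next RealSecure alert; `<=` lines are entries that were in the baseline, `=>` lines are entries present now.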


