Security Incidents mailing list archives
RE: Remote registry changes from an ISA server
From: "Jim Harrison (ISA)" <jmharr () microsoft com>
Date: Sun, 4 Jul 2004 16:19:06 -0700
There's nothing in ISA itself that would be accessing remote registry on any host. ISA would be accessing AD objects related to ISA configuration if it's part of an Enterprise Array, but that's all. Was someone TS'd into the DC from the ISA? If ISA is operating in Firewall or Integrated mode, you'll have a firewall log that will tell you if ISA allowed a local TS session during that time. If they're logging in "ISA Format (IIS-style)", then the timestamp is local time. If W3C-format, the log timestamp is GMT.

HTH,

Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)
"The definition of stress is when you wake up screaming, only to discover that you weren't asleep..."

-----Original Message-----
From: Christopher Harrington [mailto:cmh () nmi net]
Sent: Thursday, July 01, 2004 09:41
To: incidents () securityfocus com
Subject: Remote registry changes from an ISA server

All,

ISS RealSecure reported registry changes on 2 Win2k AD servers (destination port of 445) that originated from an ISA 2000 server that the customer uses for a web proxy (it's behind a Checkpoint FW which is behind a border router). ISS can't tell what values were changed, only what keys were accessed. Here are the keys:

Server 1
1. HKLM\Software\Microsoft\WindowsNT\CurrentVersion

On 10.10.1.27:
2. HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
   HKLM\System\CurrentControlSet\Control\ProductOptions
3. HKLM\System\CurrentControlSet001\Control\Terminal Server\Winstations\RDP\UserOverride
4. HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

Keys 3 and 4 have no values or subkeys with values. Key 2 just identifies this as a server (LANMANNT key is present). Key 1 has nothing out of the ordinary, I checked each key.

This customer has Shavlik for patch management and BindView for AD reporting.

Any clue as to what could cause this?

Thanks,
--Chris
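The check Jim suggests, worked as an added example (this is not code from the thread, from ISA Server, or from ISS): pull the ISA firewall log entries from the proxy host to the domain controllers on the TS (3389) and SMB (445) ports during the window in which RealSecure raised the alert, and put the IDS window on the same clock as the log, since a W3C-format log is in GMT while an "ISA format (IIS-style)" log is in local time. The log sample is constructed; the column set is whatever the log's own `#Fields:` directive declares, so the names below are an assumption rather than a copy of the ISA 2000 layout, and 10.10.1.50 is a hypothetical address for the ISA server. The site's UTC offset is also an assumption and is passed in as a parameter.

```python
"""Added example: find ISA firewall-log connections from the ISA host to
the DCs inside an IDS alert window, on the clock the log actually uses."""
from datetime import datetime, timedelta, timezone

# Constructed W3C extended-format firewall log (times are GMT, as Jim notes).
# The "#Fields:" line drives the parser; these field names are an assumption.
# 10.10.1.50 is a hypothetical ISA address; 10.10.1.27/.28 stand for the DCs.
W3C_SAMPLE = """#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2004-07-01 00:00:00
#Fields: c-ip cs-username date time s-computername r-ip r-port cs-transport s-operation sc-status
10.10.1.50 DOMAIN\\proxyadmin 2004-07-01 13:58:03 ISAPROXY 10.10.1.27 3389 TCP Connect 0
10.10.1.50 anonymous 2004-07-01 14:01:11 ISAPROXY 10.10.1.27 445 TCP Connect 0
10.10.1.50 anonymous 2004-07-01 14:01:12 ISAPROXY 10.10.1.28 445 TCP Connect 0
10.10.1.50 anonymous 2004-07-01 14:30:00 ISAPROXY 10.10.1.9 80 TCP Connect 0
10.10.1.50 anonymous 2004-07-01 16:00:00 ISAPROXY 10.10.1.27 445 TCP Connect 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    Each record gets an aware UTC 'ts' built from its date and time columns."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) are ignored
        if fields is None:
            raise ValueError("data row appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("column count mismatch in row: %r" % line)
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def window_on_log_clock(start_local, end_local, log_format, local_utc_offset_hours):
    """Take an IDS window given as local 'YYYY-MM-DD HH:MM' strings and
    express it on the clock the log uses: GMT for 'w3c', local for 'isa'."""
    local_tz = timezone(timedelta(hours=local_utc_offset_hours))
    start = datetime.strptime(start_local, "%Y-%m-%d %H:%M").replace(tzinfo=local_tz)
    end = datetime.strptime(end_local, "%Y-%m-%d %H:%M").replace(tzinfo=local_tz)
    if log_format == "w3c":
        return start.astimezone(timezone.utc), end.astimezone(timezone.utc)
    if log_format == "isa":  # IIS-style: already local time, no conversion
        return start, end
    raise ValueError("unknown log format: %r" % log_format)


def find_connections(records, src_ip, dst_ips, ports, start, end):
    """Connections from src_ip to any of dst_ips on any of ports with
    start <= ts <= end (all datetimes timezone-aware)."""
    return [r for r in records
            if r["c-ip"] == src_ip and r["r-ip"] in dst_ips
            and int(r["r-port"]) in ports and start <= r["ts"] <= end]


def summarize(records):
    """(timestamp, destination, port, user) tuples for reporting."""
    return [(r["ts"].strftime("%Y-%m-%d %H:%M:%S"), r["r-ip"],
             int(r["r-port"]), r["cs-username"]) for r in records]


if __name__ == "__main__":
    recs = parse_w3c(W3C_SAMPLE)
    # IDS alert window in local time; assume the site is at UTC-7.
    start, end = window_on_log_clock("2004-07-01 06:55", "2004-07-01 07:10", "w3c", -7)
    hits = find_connections(recs, "10.10.1.50", {"10.10.1.27", "10.10.1.28"},
                            {3389, 445}, start, end)
    for ts, ip, port, user in summarize(hits):
        print(ts, ip, port, user)
```

With the constructed sample the search returns the RDP connection to 10.10.1.27 at 13:58:03 GMT (06:58 local, just before the alert) followed by the two SMB connections that match the port-445 activity RealSecure reported; the HTTP entry and the later SMB entry fall outside the port set or the window. Getting the clock wrong by the site's UTC offset would have missed all three, which is the reason Jim's remark about the two log formats matters.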
Current thread:
- Remote registry changes from an ISA server Christopher Harrington (Jul 04)
- <Possible follow-ups>
- RE: Remote registry changes from an ISA server Jim Harrison (ISA) (Jul 05)