Security Incidents mailing list archives

RE: Remote registry changes from an ISA server


From: "Jim Harrison (ISA)" <jmharr () microsoft com>
Date: Sun, 4 Jul 2004 16:19:06 -0700

There's nothing in ISA itself that would be accessing remote registry on
any host.
ISA would be accessing AD objects related to ISA configuration if it's
part of an Enterprise Array, but that's all.

Was someone TS'd into the DC from the ISA?
If ISA is operating in Firewall or Integrated mode, you'll have a
firewall log that will tell you if ISA allowed a local TS session during
that time.  If they're logging in "ISA Format (IIS-style)", then the
timestamp is local time.  If W3C-format, the log timestamp is GMT.

HTH,
Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The definition of stress is when you wake up 
screaming, only to discover that you weren't 
asleep..." 


-----Original Message-----
From: Christopher Harrington [mailto:cmh () nmi net] 
Sent: Thursday, July 01, 2004 09:41
To: incidents () securityfocus com
Subject: Remote registry changes from an ISA server

All,

ISS RealSecure reported registry changes on 2 Win2k AD servers
(destination port of 445) that originated from an ISA 2000 server that
the customer uses for a web proxy (it's behind a Checkpoint FW which is
behind a border router). ISS can't tell what values were changed, only
what keys were accessed.

Here are the keys:

Server 1
1. HKLM\Software\Microsoft\WindowsNT\CurrentVersion

On 10.10.1.27:

2. HKLM\System\CurrentControlSet\Control\Terminal
Server\DefaultUserConfiguration
HKLM\System\CurrentControlSet\Control\ProductOptions
3. HKLM\System\CurrentControlSet001\Control\Terminal
Server\Winstations\RDP\UserOverride
4. HKLM\System\CurrentControlSet\Control\Terminal
Server\DefaultUserConfiguration

Keys 3 and 4 have no values or subkeys with values. Key 2 just
identifies this as a server (LANMANNT key is present). Key 1 has nothing
out of the ordinary; I checked each key. This customer has Shavlik for
patch management and BindView for AD reporting.

Any clue as to what could cause this?

Thanks,

--Chris
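Jim's suggestion above (check the ISA firewall log for a TS session allowed from the ISA host to the DC around the time of the IDS alert) and his timestamp caveat (W3C-format logs are stamped in GMT, ISA-format logs in local time), as an added example in Python that is not part of the original thread. The log is read as generic W3C extended format driven by its #Fields line; the field names in the sample, the ISA server address 10.10.1.5, the site time zone (UTC-4) and the log lines themselves are constructed assumptions. 10.10.1.27 is the DC address from Chris's message.

```python
"""Added example (not from the original thread): correlate an IDS alert with an
ISA Server firewall log, honouring the log format's time zone.

W3C extended format logs are stamped in GMT; "ISA format" (IIS-style) logs are
stamped in local time. Comparing the alert time with the log on absolute
instants avoids missing or mis-attributing a session by a whole UTC offset.
"""
from datetime import datetime, timedelta, timezone

# Assumed site time zone of the ISA host and IDS console (EDT, UTC-4).
SITE_TZ = timezone(timedelta(hours=-4), name="EDT")

# Which time zone each ISA log format writes its timestamps in.
LOG_FORMAT_TZ = {"w3c": timezone.utc, "isa": SITE_TZ}

# Constructed sample log in W3C extended format. The names after #Fields are
# assumed for illustration; read the real ones from your log's #Fields line.
# 10.10.1.5 is an assumed ISA server address; 10.10.1.27 is the DC from the thread.
SAMPLE_W3C_LOG = """\
#Software: constructed sample, not a real ISA log
#Version: 1.0
#Fields: date time c-ip r-ip r-port cs-protocol s-action
2004-06-30 23:52:10 10.10.1.5 10.10.1.27 3389 TCP Established
2004-07-01 00:03:41 10.10.1.5 10.10.1.27 445 TCP Established
2004-07-01 00:15:02 192.168.50.4 10.10.1.5 8080 TCP Established
2004-07-01 02:30:00 10.10.1.5 10.10.1.20 3389 TCP Denied
"""


def parse_w3c_log(text, log_format="w3c"):
    """Yield one dict per data line, keyed by the #Fields names, with a
    tz-aware 'timestamp' built from the date/time fields in the format's zone."""
    tz = LOG_FORMAT_TZ[log_format]
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, ...) carry no entries
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        entry = dict(zip(fields, values))
        stamp = datetime.strptime(entry["date"] + " " + entry["time"],
                                  "%Y-%m-%d %H:%M:%S")
        entry["timestamp"] = stamp.replace(tzinfo=tz)
        yield entry


def sessions_in_window(entries, src_ip, dst_ips, ports, alert_time, slack):
    """Return entries from src_ip to one of dst_ips on one of ports whose
    timestamp lies within alert_time +/- slack (tz-aware comparison)."""
    lo, hi = alert_time - slack, alert_time + slack
    hits = []
    for e in entries:
        if e["c-ip"] != src_ip or e["r-ip"] not in dst_ips:
            continue
        if int(e["r-port"]) not in ports:
            continue
        if lo <= e["timestamp"] <= hi:
            hits.append(e)
    return hits


def investigate(log_text, log_format, alert_local, slack_minutes=5,
                isa_ip="10.10.1.5", dc_ips=("10.10.1.27",), ports=(3389, 445)):
    """alert_local is the IDS alert time as shown on the console, 'YYYY-MM-DD
    HH:MM:SS' in site local time. Returns the matching log entries."""
    alert = datetime.strptime(alert_local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SITE_TZ)
    entries = parse_w3c_log(log_text, log_format)
    return sessions_in_window(entries, isa_ip, set(dc_ips), set(ports), alert,
                              timedelta(minutes=slack_minutes))


if __name__ == "__main__":
    # IDS alert at 19:55 local (EDT), which is 23:55 GMT.
    for fmt in ("w3c", "isa"):
        hits = investigate(SAMPLE_W3C_LOG, fmt, "2004-06-30 19:55:00")
        print("treating log timestamps as %s: %d hit(s)" % (fmt, len(hits)))
        for h in hits:
            print("  %s -> %s:%s %s (logged %s, local %s)" % (
                h["c-ip"], h["r-ip"], h["r-port"], h["s-action"],
                h["timestamp"].isoformat(),
                h["timestamp"].astimezone(SITE_TZ).isoformat()))
```

Run against the sample, the W3C pass finds the TS connection (port 3389) to the DC inside a five-minute window of the alert; the same file read as if it were ISA-format local time finds nothing, which is exactly the four-hour miss Jim's caveat warns about. Widening the window to fifteen minutes also pulls in the port 445 connection. On a real log, keep the format-to-zone mapping and let the #Fields line supply the column names.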
