Security Incidents mailing list archives
Remote registry changes from an ISA server
From: "Christopher Harrington" <cmh () nmi net>
Date: Thu, 1 Jul 2004 12:41:19 -0400
All,

ISS RealSecure reported registry changes on 2 Win2k AD servers (destination port of 445) that originated from an ISA 2000 server that the customer uses for a web proxy (it's behind a Checkpoint FW which is behind a border router). ISS can't tell what values were changed, only what keys were accessed. Here are the keys:

Server 1
1. HKLM\Software\Microsoft\WindowsNT\CurrentVersion

On 10.10.1.27:
2. HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
   HKLM\System\CurrentControlSet\Control\ProductOptions
3. HKLM\System\CurrentControlSet001\Control\Terminal Server\Winstations\RDP\UserOverride
4. HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

Keys 3 and 4 have no values or subkeys with values. Key 2 just identifies this as a server (LANMANNT key is present). Key 1 has nothing out of the ordinary; I checked each key.

This customer has Shavlik for patch management and BindView for AD reporting. Any clue as to what could cause this?

Thanks,
--Chris