security policy

Thread starter: Dave

Dave

Is there any way to truly lock down a workgroup so that
it can't be merged into a domain? Let me explain. I
have been getting hacked for the past few weeks, and the
first thing this person does is absorb my workgroup
into his bogus domain. It would seem that he is using
valid, though possibly stolen, credentials. I am unsure how
he is doing this, but it looks like he is some sort of admin
and has access to every tool possible. Once my WG has been
assimilated, I find that I have lost admin rights and
SYSTEM has free rein over my whole system. He also
applies a massive security policy that locks me down to
the point of not being able to install Word, etc.

I have a small network for my business but don't feel I
need to go the domain route right now. Is there a small
pre-configured security policy anywhere that I can apply
after a clean install that would at least stop him from
hacking me through this method?

Thanks for any help!
 
If this behavior on the other person's part is that predictable,
your first action should be contacting the authorities. If you
are a business in a larger metro area, they very likely already
have a cyber unit. If in fact your machines are "being
assimilated", this would leave lots of traces. More likely you
are not being joined into some domain but just suffer a massive
redefinition of your deployment, in which case it could be
quite a bit harder to track down the perpetrator.

The only way to join a domain or change security policy
is to use an account that has admin powers: either a member
of the Administrators group or SYSTEM. This includes the built-in
Administrator account (which you need to access in a safe mode
boot on Home edition).

IOW, if one has control over all of these accounts, then one
controls whether the workgroup can be joined into a domain
or otherwise messed with. If you do not control them, you
have given away the farm.

Since your machine(s) has (have) been compromised, the only
sane thing is to rebuild, starting with formatting. Install off the
network and enable the firewall before connecting. Once you
have connected, do not do anything except install all service
packs, security rollups and patches.
Make certain that you take control of all accounts, particularly
any admin account, with a strong password (long, complex) that
you have never used before.
Scan everything that you carry over from the old installs, and
think twice about each and every thing that you choose to install.

Your problem at this point is that they either have a foothold or
the whole farm, and no matter how well you clean the system(s),
you can never be certain that they have no foothold left.
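As an added example (not code posted by anyone in this thread), here is a PowerShell script that turns the advice in the reply above into checks you can run on a freshly rebuilt standalone box: confirm the machine is still a workgroup member and not domain-joined, list every principal in the local Administrators group that you did not put there, pull the Security-log events that record account and group tampering, switch all firewall profiles on with inbound traffic blocked, and put a fresh random password on the built-in Administrator (RID 500, whatever it has been renamed to). It assumes Windows 10/11 or Server 2016+ with PowerShell 5.1 or later (LocalAccounts and NetSecurity modules) and an elevated prompt; the $ExpectedAdmins list is a placeholder you fill in yourself.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not the poster's or Microsoft's code.
# Post-rebuild audit and lockdown for a standalone (workgroup) Windows machine.
# Assumptions: Win10/11 or Server 2016+, PowerShell 5.1+, run elevated.

# Hypothetical: the only accounts that SHOULD hold local admin. Edit for your box.
# The built-in Administrator (RID 500) is always a member; it is listed so it is not flagged.
$ExpectedAdmins = @("$env:COMPUTERNAME\Dave", "$env:COMPUTERNAME\Administrator")

function Get-DomainMembershipState {
    # Win32_ComputerSystem.PartOfDomain is the authoritative "am I domain-joined" flag.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Computer     = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain      # DNS domain name, or the workgroup name when not joined
        Workgroup    = $cs.Workgroup
    }
}

function Find-UnexpectedAdmins {
    param([string[]]$Expected)
    # Anything here that you did not add yourself is the "stolen admin" the poster describes.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Expected -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function New-RandomPassword {
    param([int]$Bytes = 24)
    # 24 bytes from the OS CSPRNG -> 32 Base64 characters, 192 bits of entropy.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

function Set-BuiltinAdminLockdown {
    # The built-in Administrator keeps RID 500 even if renamed, so match on the SID suffix.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }
    $pw = New-RandomPassword
    Set-LocalUser -Name $builtin.Name -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
    # Disabled is the Windows default. If you rely on it for safe-mode recovery on Home
    # edition (as the reply notes), skip the Disable-LocalUser line and keep the password offline.
    Disable-LocalUser -Name $builtin.Name
    $pw   # returned so it can be written down offline; never store it in this script
}

function Enable-InboundBlockingFirewall {
    # Enable every profile before the machine goes back on the network; block unsolicited inbound.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-RecentAccountTampering {
    param([int]$Days = 30)
    # Security event IDs: 4720 user created, 4724 password reset by another principal,
    # 4732 member added to a security-enabled local group, 4735 local group changed.
    $filter = @{ LogName = 'Security'; Id = 4720, 4724, 4732, 4735
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# --- run the audit, then the lockdown ---
$state = Get-DomainMembershipState
if ($state.PartOfDomain) {
    Write-Warning "Joined to domain '$($state.Domain)'. On a box that should be a workgroup member, that alone is the indicator."
} else {
    Write-Host "Workgroup member of '$($state.Workgroup)'; not domain-joined."
}
Write-Host "`nAdministrators group members you did not expect:"
Find-UnexpectedAdmins -Expected $ExpectedAdmins | Format-Table -AutoSize
Write-Host "Account/group changes in the Security log (last 30 days):"
Get-RecentAccountTampering | Format-Table -AutoSize
Write-Host "Firewall profiles after hardening:"
Enable-InboundBlockingFirewall | Format-Table -AutoSize
$newPw = Set-BuiltinAdminLockdown
Write-Host "Built-in Administrator reset and disabled. New password (record offline): $newPw"
```

Run it from the clean install before plugging the cable back in, then again after patching. A non-empty result from Find-UnexpectedAdmins or a PartOfDomain of True on a machine you never joined to anything is the concrete evidence the reply says to hand to the authorities; the Security-log query only sees events that survived, so an empty result does not prove nothing happened.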
 