
I have a situation here. I have an intrusion detection system and it constantly alerts me that a remote host is accessing our AD's registry remotely.

Our remote hosts are mainly Windows XP and our ADs are W2K8. The remote hosts access them over SMB port 445.

Is it normal for Windows hosts to access an AD's remote registry? My colleagues confirmed with me that both the host and the AD are clean of viruses, with endpoint protection enabled.

Thanks.


Can you find the offending host? No, I see no reason for remote client machines to access a domain controller's registry. To do so, the remote connection should have to be authenticated with domain admin rights.

Bret Fisher
  • Hi Bret, what about servers? Would it be normal if servers have the same kind of behaviour towards the AD server? Thanks. – smitty user Oct 05 '12 at 06:08
  • @smitty deploying software, monitoring or running remote configuration of some kind might. Otherwise, no, not normally. – Bernie White Oct 05 '12 at 06:22
  • Yeah, no built-in part of Windows or an AD network would have anything accessing the registry of a DC remotely. It's either 3rd party, a program that means to do harm, or your IDS is wrong. – Bret Fisher Oct 05 '12 at 14:52

Based on this Cisco document, it is not uncommon for clients to access the remote registry under normal use scenarios. It does not, however, list the individual cases.

Remote registry access may be caused by some of the following (these are off the top of my head, not an exhaustive list):

  • Viewing the list of Scheduled Tasks that appear on an SMB share
  • Using the registry editor remotely
  • Using Performance Monitor to access performance counters of the remote computer
  • Using Event Log to access log entries of a remote computer
  • Some COM+/DCOM applications
  • Software asset management programs
  • Viewing the list of installed printers that are not shared on a remote computer (unsure of this one)
Mitch
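The question asks which host is doing this, and the two answers between them say that nothing built into Windows should need to read a DC's registry, but monitoring or software-deployment tooling might. A practical first triage step is to tally the alerts by source host against the domain controllers and set aside the hosts you already expect to see. The script below is an added example written for this page, not code from the thread, from any IDS vendor or from Microsoft; the alert line layout, the IP addresses, the DC list and the management-host allowlist are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed alert line layout (not the syntax of any particular IDS):
#   <date> <time> <src_ip> -> <dst_ip>:<dst_port> <message>
ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$"
)

# Constructed sample alerts; every address here is illustrative only.
SAMPLE_ALERTS = """\
2012-10-05 06:01:12 10.0.5.21 -> 10.0.0.10:445 Remote registry access (winreg)
2012-10-05 06:01:15 10.0.5.21 -> 10.0.0.10:445 Remote registry access (winreg)
2012-10-05 06:02:40 10.0.1.5 -> 10.0.0.10:445 Remote registry access (winreg)
2012-10-05 06:03:01 10.0.5.33 -> 10.0.0.11:445 Remote registry access (winreg)
2012-10-05 06:03:09 10.0.5.33 -> 10.0.0.11:445 SMB file share access
2012-10-05 06:04:50 10.0.1.5 -> 10.0.0.11:445 Remote registry access (winreg)
2012-10-05 06:05:02 10.0.5.21 -> 10.0.0.99:445 Remote registry access (winreg)
"""

# Assumed inventory: the domain controllers, and the management hosts
# (monitoring, software deployment) that are expected to read DC registries.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
KNOWN_MANAGEMENT_HOSTS = {"10.0.1.5"}


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            alerts.append(d)
    return alerts


def is_dc_remote_registry(alert):
    """True for a remote-registry alert aimed at a known DC over SMB (port 445)."""
    return (
        alert["dst"] in DOMAIN_CONTROLLERS
        and alert["port"] == 445
        and "remote registry" in alert["msg"].lower()
    )


def remote_registry_by_source(alerts):
    """Map each source host to a Counter of the DCs whose registry it touched."""
    by_src = defaultdict(Counter)
    for a in alerts:
        if is_dc_remote_registry(a):
            by_src[a["src"]][a["dst"]] += 1
    return dict(by_src)


def unexplained_sources(alerts):
    """Sources that are not on the management allowlist, most active first."""
    by_src = remote_registry_by_source(alerts)
    rows = [
        (src, sum(c.values()))
        for src, c in by_src.items()
        if src not in KNOWN_MANAGEMENT_HOSTS
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for src, n in unexplained_sources(parsed):
        print(f"{src}: {n} remote registry alert(s) against DCs; not a known management host")
```

The allowlist is the part worth maintaining carefully: a host that belongs on it should be there because someone can name the product doing the access (the deployment or monitoring tooling from the comments above), not because its alerts are frequent. Anything that remains in the unexplained list is what to look at on the endpoint.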