Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
domain administrator accounts and domain controllers
535. At about pm on 6 July 2018, Ernest called Raymond Sun Xiang (“Raymond”), the Assistant Director of the Data Centre Team, and told him about the issues faced by the Citrix Team and the measures that had been proposed to Lum. Ernest also arranged to meet Raymond on 9 July 2018. Following the call, the Active Directory Team undertook a series of measures to secure the domain administrator accounts and domain controllers. It does not appear that the members of the Active Directory Team were informed of the events of June and July 2018.
27.7.1 Creating a new set of domain administrator accounts and removing the old accounts from the administrator groups of their respective domains
536. At around pm on 6 July 2018, Roy created a new set of domain administrator accounts. These new accounts were added to the administrator group and given administrator rights. At that point in time, every domain administrator had two accounts, one old and one new. At around pm on the same day, the old domain administrator accounts were removed from their respective administrative groups, but were not deleted.
27.7.2 Performing full antivirus scans on all domain controllers
537. At around pm on 6 July 2018, Chan Chee Choong (“Chee Choong”), the manager of the Active Directory Team, performed full antivirus scans on all the domain controllers under his charge. This was occasioned by the fact that one of the domain controllers was found to have been infected by a virus. The result of the scans was that the domain controllers were clean.

COI Report – Part IV, Page 170 of 425

27.7.3 Creating and enforcing a GPO to block the access of domain administrator accounts to servers
538. On 7 July 2018, on Raymond’s instructions, the Active Directory Team created a new GPO (Group Policy Object) to block the access of domain administrator accounts to servers in their respective domains. The intention was that domain administrator accounts were not to be used to log in to servers in their domain at all during that period. This, however, was distinct from removing the domain administrator accounts entirely, which was not done.
539. The team implemented the GPO and specifically selected the option to enforce the GPO, which is not something that is usually done. This was done with the intention that the GPO should be implemented on all servers regardless of whether a server had been set to block policy inheritance. However, there was no way for the team to tell whether the GPO had been successfully implemented across all the servers, as no status report is generated. The Active Directory Team simply sampled a few of the servers they managed in order to confirm that the GPO had been implemented. They did not sample the Citrix servers.
27.7.4 Creating and implementing a GPO to prevent remote connections to domain controllers
540. At around am on 7 July 2018, Chee Choong created another GPO to prevent remote connections to domain controllers from domain clients using domain privilege accounts. Prior to this GPO, a domain administrator would be able to connect remotely to the domain controller from any machine.
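Paragraph 539 records that the team had no status report to confirm the enforced GPO had reached every server and checked only a sample, which did not include the Citrix servers. The following PowerShell script is an added example, not part of the COI report nor of any SingHealth or IHiS tooling, that pulls the computer-scope resultant set of policy from every server computer object in the domain and lists the hosts where a named GPO is not applied; the GPO name is a placeholder, and the availability of the RSAT GroupPolicy/ActiveDirectory modules, remote RSoP rights and the RSoP XML layout are assumptions.

```powershell
# Added example: verify GPO application on every server rather than on a sample.
# Assumes RSAT modules, rights to query RSoP remotely, and a placeholder GPO name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'PLACEHOLDER-Block-Domain-Admin-Server-Logon'   # replace with the real GPO display name

# Enumerate every enabled server computer object in the domain, not a hand-picked subset.
$servers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like '*Server*' } -Properties OperatingSystem |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($server in $servers) {
    $reportPath = Join-Path $env:TEMP ("rsop-{0}.xml" -f ($server -replace '[^\w.-]', '_'))
    try {
        # Optional: force a policy refresh first so the RSoP reflects the current state.
        # Invoke-GPUpdate -Computer $server -Target Computer -Force -ErrorAction Stop

        # Pull the computer-scope Resultant Set of Policy from the target host as XML.
        Get-GPResultantSetOfPolicy -Computer $server -ReportType Xml -Path $reportPath -ErrorAction Stop | Out-Null
        [xml]$rsop = Get-Content -Path $reportPath -Raw

        # Assumption: applied GPOs appear under Rsop/ComputerResults/GPO, each with a <Name> element.
        $applied = @($rsop.Rsop.ComputerResults.GPO | Where-Object { $_.Name -eq $GpoName })
        $status = if ($applied.Count -gt 0) { 'Applied' } else { 'Missing' }
    }
    catch {
        # Unreachable hosts are reported, not silently skipped: they are also unverified.
        $status = "Unreachable: $($_.Exception.Message)"
    }
    finally {
        Remove-Item -Path $reportPath -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{ Server = $server; Gpo = $GpoName; Status = $status }
}

$results | Sort-Object Status, Server | Format-Table -AutoSize

# Everything that is not 'Applied' is the follow-up list (blocked inheritance, WMI/security
# filtering, or a host that could not be queried), written out for the remediation record.
$results | Where-Object Status -ne 'Applied' |
    Export-Csv -Path (Join-Path $env:TEMP 'gpo-coverage-gaps.csv') -NoTypeInformation
```

Run it with an account that can read RSoP on the targets; hosts reported as Unreachable should be treated as unverified rather than assumed compliant.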