Hi. I'm looking for some ideas from knowledgeable people.

First, an introduction. The network I'm dealing with has these features:

  • Windows Server 2003
  • a public facing IIS-6.0 server (run by the Windows Server) with ports 80, 443, and 22 open
  • --port 80 redirects to port 443, and the only thing that I can tell is on port 443 is Microsoft Office Outlook Web Access (OWA)
  • Around 200 machines running Windows XP that connect to the 2003 server
  • all of the client machines have the same LOCAL admin password, which I have compromised
  • each domain user has access to certain shares on the server
  • --I have compromised the passwords of various users whose shares I would like to access, however I can not crack the domain admin password

So basically my goal is to be able to regularly access the shares of certain domain users. The problem is that I cannot physically access a PC to log in without being seen (because other users are always working at neighboring PCs).

So do you guys have any ideas?

Perhaps I could set up some sort of remote access software on one of the XP machines using a local admin password? Though then it would have to be able to be seen through the restricted firewall...
Perhaps something could be done using the open port 22? I don't know much about SSH.
Perhaps OWA is vulnerble? Or IIS-6.0?