Old admin hacking my network possibly

maderosia (asker):

I have a question for the experts out there. More like input needed.
The old admin at my company was boasting to fellow former employees this weekend about how he can still get into our network and knows what people are making and has accessed financials. He was very angry when I met him when I first started. They paid him to come in and tell me passwords and show me how the network is set up. He was fired, and that is why I am here. When I started I reset all admin passwords and VPN passwords. I think that he may have been just talking, but I cannot take the threat lightly.

I have just reset the telnet and enable passwords on all routers and the PIX. I reset the VPN username and passwords to complex ones. I have also reset the wireless key. I am going to have all users reset passwords. What am I missing? VPN is set up through the PIX: not with users' credentials, but there is a VPN user set up on the PIX. I do not know what other action to take. There are no invalid users in the directory.

Where would I look to see if someone was in, besides the event log? I am going to make sure that success logon events are recorded as well as failures. The PIX only has two rules: one to allow all SMTP and HTTP traffic to our mail server for mail and OWA, another to allow users to access outside sites. I want to make sure that I am not missing anything. Exactly what security events should I be logging to catch as much info as I need? Right now I have set up every success and failure event to log, but that may be excessive. This is a small network with only 30 people, not too complex, and running SBS 2003. The firewall is a PIX 506e.

Thanks all,
Mark

jabiii:

You've already covered the basics: changing all the pwds etc.

Instead of killing yourself looking at new stuff, just look at all the allowed connections for, say, the past 30 days and verify them as valid or not, looking closely at usernames etc., since those users might be on vacation or on a sales trip etc.
jjparrott:
You said you changed all domain admin passwords, right? Did you also change the built-in admin account password and the passwords of service accounts that may use privileged accounts?

I would also look at any accounts that may have been created before or after he left. He could have left a back-door account for future use. I would start with the accounts that have VPN access and disable any that can't be verified.

You could also watch the logon events to see who is logging on after hours that normally doesn't.
Juan Ocasio:

Also check the Administrators group in AD to see who is a member. Since you only have 30 accounts I would make sure I checked each one, and disable any that you do not recognize and that are not built in. Also check the built-in groups: Domain Admins, Domain Guests, etc. And more importantly, check the permissions of the folders themselves to see who has access to the financial folders. This will tell you a lot and put your mind at ease.

PS: the only security event you could look for is unsuccessful attempts. The problem is, if he has access, his attempts will be successful...
maderosia (asker):
rvthost - good point that I did not think about but there are no modems for remote access.

jjparrott - I have changed all local passwords on all servers and local machines since I have taken over the network. I have also checked all members of the domain admin accounts and any built-in account, and there are no members but myself.

jocasio - I will check the financial folder permissions.

Another colleague also brought it to my attention to make sure that LogMeIn or some other type of service is not running on any of the PCs that would allow for remote access, especially the PC of the person who does the financials.

I was not logging successful attempts before today, but as I mentioned in my post I just changed it through group policy to log every success and failure attempt for every option. What do you experts log as far as this? What is recommended?

Tomorrow I plan on combing through the security event logs to see if there are successful logon attempts after hours. We are a 7:00 to 5:00 place so there should be none after 6:00 at most.

Thanks for the input so far,
Mark
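The two checks jjparrott suggests above (accounts created around the time he left, and logons after hours from people who normally do not) and the asker's plan to comb the Security log for successful logons outside 07:00 to 18:00 are the same kind of work: filter a very noisy "audit everything" log down to a handful of event IDs and apply a time rule. The script below is an added example written for this thread, not code from the thread or from Microsoft. It uses the pre-Vista Security event IDs that SBS 2003 emits (528/540 successful logon, 529 and siblings failed logon, 624 account created, 632/636 member added to a global/local security group). The CSV column layout and every log line are constructed for the example; a real Event Viewer export will need its columns mapped to these names.

```python
"""Triage Windows Server 2003 Security-log records for the signs discussed in the
thread: successful logons outside business hours, new accounts, and additions
to privileged groups.  Added example; the log lines are constructed and the
CSV layout (date,time,event_id,user,source,detail) is an assumption, not the
native export format of the 2003 Event Viewer."""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Pre-Vista (Windows 2000/2003) Security event IDs.
LOGON_SUCCESS = {528, 540}       # 528 interactive, 540 network logon succeeded
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 537, 539}
ACCOUNT_CREATED = {624}          # user account created
GROUP_MEMBER_ADDED = {632, 636}  # global / local security-enabled group member added
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

BUSINESS_START = time(7, 0)
BUSINESS_END = time(18, 0)       # asker: a 7:00 to 5:00 shop, nothing expected after 6:00

# Constructed sample export (not real data).  "user" is the logon account, the
# created account, or the member added; "detail" is the group name for 632/636.
SAMPLE_LOG = """\
date,time,event_id,user,source,detail
2007-03-12,08:15:02,528,jsmith,WS-ACCT01,
2007-03-12,12:40:11,540,mhill,SBS01,
2007-03-12,22:47:30,540,finance_svc,SBS01,
2007-03-13,03:12:09,528,tmason,SBS01,
2007-03-13,09:02:44,529,jsmith,WS-ACCT01,
2007-03-13,09:02:51,529,jsmith,WS-ACCT01,
2007-03-13,09:30:00,624,backup2,SBS01,
2007-03-13,09:31:10,636,backup2,SBS01,Administrators
2007-03-14,11:00:00,632,jsmith,SBS01,Sales Staff
2007-03-17,10:05:00,528,mhill,WS-SALES03,
"""


def parse_records(log_text):
    """Yield (timestamp, event_id, user, source, detail) for each CSV row."""
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        yield when, int(row["event_id"]), row["user"], row["source"], row["detail"]


def outside_business_hours(when, start=BUSINESS_START, end=BUSINESS_END):
    """True on a weekend, or outside the [start, end) window on a weekday."""
    return when.weekday() >= 5 or not (start <= when.time() < end)


def triage(log_text, start=BUSINESS_START, end=BUSINESS_END):
    """Return only the records a human should look at, in log order."""
    findings = []
    for when, event_id, user, source, detail in parse_records(log_text):
        if event_id in LOGON_SUCCESS and outside_business_hours(when, start, end):
            findings.append({"kind": "after_hours_logon", "when": when, "user": user,
                             "note": f"event {event_id} on {source}"})
        elif event_id in ACCOUNT_CREATED:
            findings.append({"kind": "account_created", "when": when, "user": user,
                             "note": f"created on {source}"})
        elif event_id in GROUP_MEMBER_ADDED and detail in PRIVILEGED_GROUPS:
            findings.append({"kind": "privileged_group_add", "when": when, "user": user,
                             "note": f"added to {detail}"})
    return findings


def failed_logons_by_user(log_text):
    """Count failed logons per account; a burst against one name is password guessing."""
    return Counter(user for _, event_id, user, _, _ in parse_records(log_text)
                   if event_id in LOGON_FAILURE)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['when']:%Y-%m-%d %H:%M}  {f['kind']:<22} {f['user']:<12} {f['note']}")
    print("failed logons:", dict(failed_logons_by_user(SAMPLE_LOG)))
```

On the constructed input this surfaces five records out of ten: a service account and a user logging on at night, a Saturday logon, a new account named backup2, and that same account being added to Administrators a minute later; the addition of jsmith to an ordinary group and the two daytime logons are dropped as noise. A service account after hours may well be a scheduled job, so the output is a list to verify, not a verdict. The same filter is also an answer to the "what should I log" question in the thread: keep success and failure auditing for logon and account management turned on, but only review the IDs above plus the failure counts.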
Check that you don't have a trojan or other malicious programs that are sending information outside your network. This is if your old admin is an expert hacker.
Check for unauthorized/unknown equipment too.
So, let me get this right: he already bragged to other employees of having illegally accessed your network, and even looked at financial records...

Sounds to me like someone just committed a serious crime (I think it is Wire Fraud in the US), and bragged about it to several 'witnesses'.
Yes, it was a good idea to change the passwords, but step 2 should be to call the cops.

If he did it across state lines you get to call the feds.
Thank you all for the posts thus far. I have reset all users' passwords, wireless keys, admin, router, PIX and VPN passwords. Everything that I can think of. I have not noticed, nor can I find, any unusual access. I cannot find any programs like LogMeIn or VNC. If it were my decision I would contact the authorities, but the person is well liked at this place and they will not do that.

Now that I have enabled every security event, my event log is filling up fast with normal events. What is the best practice for logging events? I know the more I log the better, but is that usual? I want to log enough to detect events and not worthless success data that is normal. I asked this in my post but have no answers about this part.


Mark
I still think it's unwise to discount the possibility of a rootkit or rootkit-type application. These can hide themselves from detection and logs since they operate at the Windows kernel level.

Did you try the excellent (and free) tool RootKit Revealer?  I strongly recommend you try it:

http://www.sysinternals.com/Utilities/RootkitRevealer.html
I have downloaded this tool and I am using it. Sorry I did not reveal that. It is a good tool. I started it on my PC yesterday to get familiar with it, and I am going to run it on the server.

Thanks,
Mark
You have taken some sound measures and, chances are, the ex-admin is just talkin' *%$@!

I am by no means a security expert but I am aware that most networks are like tootsie pops: hard and crunchy on the outside, with a nice chewy center. LOL

Did you bother to force password changes on all the end users? Chances are if he worked there for any length of time he knows some of their passwords. Especially execs, they seem to be the laziest and want to be above policy.

Use complex passwords, and force frequent changes, at least every 60 days if not less.

Turn on auditing on the financials and monitor account management events.

Get a good intrusion detection system www.snort.org or www.winsnort.com. snort is about the best and it's free.

Sleep tight.

Cheers.

Also, did you call the police? Many police departments have computer crimes divisions. There is nothing to press charges for, but perhaps one of the nice detectives can give him a phone call and rattle his cage. Cops enjoy that kind of thing and the ex-admin will be scared out of his wits.
Thank you all for the help. I awarded points based on extra information provided for me to check and secure. I have been monitoring events and nothing seems out of the ordinary. No excessive web usage or after-hours logins. Every password imaginable has been changed, to no delight of the users.

Thanks again.