Win2k network

at my school we have a network up where all the clients are running windows 2000 and the servers i believe are running windows 2000 advanced server we recently had a problem with someone getting through all the security on the networking so then they took away the right for students to bring in personal computers like PDAs or Laptops i want to set up a meeting with the vice principal to get this resolved so that we can have them back what i need to know is how can we increase the security on the network.  The network i s a wired and wireless.  like i was thinkin the couls disablle the capabilty to creat batch files and things like that but i would like to hear some ideas thanks in advanced
John
ArthiusAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

wtrmk74Commented:
Schools usually have a very robust network!

Most likely...
They probably took the ability away from the students til they locate the security breach and patch their network.

It is however very common for schools to not allow outside PC connections to be established on there network. It is a major security threat to open the doors wide open to attack.

Sorry if that wasn't what you wanted to hear but it's safe to say you don't have a leg to stand on with this one.

Bottom line is that even the best systems in the world with the best security get cracked into...and if there choice is to close the doors to students logging in with their laptops than I agree with them!

I would assume in the meantime you can still log in at the school library right!

wtrmk74

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joseph_MooreCommented:
Ok, so a student brought in a laptop or a wireless PDA and hacked at least one of your Win2K servers? Is that correct?
Well then, let's go down the list.
All servers need to be up-to-date on patches/hotfixes/service packs.
All user accounts 1) need passwords, 2) need complex passwords (mixed case, alpha-numerics), 3) need at least logon failures audited, 4) and these audits need to be monitored.
Shared folder permissions, including NTFS Security permissions on the folders, need to be set properly, so that Everyone does not have Full Control. Only allow the accounts that need access, and only give them the appropriate access.
Make sure that passwords are not written down on Post-It notes and stuck on desks/tables/boards/monitors.
Check the Event Viewer logs on your servers for strange events.
Any IIS servers running? Check their logs.
Run the Microsoft Baseline Security Analyzier against the servers for recomendations on changes to make:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsahome.asp
Apply a new security template using the Security Configuration & Analysis MMC snap-in:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_SCMtopnode.asp

Just some ideas

loralCommented:
Arthius,

When you say they got past the security, can you elaborate a little more?

Did they have a "guest" logon and were able to access folders they shouldn't; were they able to make a logon other than "guest" and logon on as an admin account; etc.?

If the currect administrator is sharing folders or drives and doesn't have permissions set strong enough against students, they just need to get someone that understands security to streamline the AD / Groups / Permissions.

Post a little more info please.  I know you're frustrated, but reading what you know is sometimes a bit vague.

loral
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

ArthiusAuthor Commented:
ok here is the full story which i probilty should have posted for ya already.  but any was a friend of mine, they know who did all of it already, changed something on the school web site to f****** so they got mad and started investigating so they found out who did it and they wanted to know how he did it my friend used a simple batch file to view the c: drive considering we do have some security but the current admin is not that inteligant and could not figure out how to get auditing on so he posted on a fourm similar to this which i found funny. but any how on the c: dirve my friend looked at was a .txt file that contanted a password and username of a admin of the network so my friend desided to use it and from there gained a whole bunch of accsses to many different things and second nobody that has a major influence on the network really knows what they are doing which is a problem for me.  and this is a technical high school so we have two differnet classes dedicated to computers and networking so we have people that could run the network a little better but it is just not happing so i hope this helps thanks for ur post so far hopefully this can help even more i am not really that frustrated just mad lol any way thanks a lot and hopefully i can get them to change this new rule

John
spiderfixCommented:
So we are suppose to believe that you are setting up a meeting with the vice principle
to talk about security and your friend is the one who "reads *.txt files" on an NTFS
win2k server containing plain text passwords and admin names?

Anyone who helps you here is not paying attention to what your saying. Your history
questions tell a larger story than the story your telling here.

I say go fish.
ArthiusAuthor Commented:
what the heck are u talking about that file was on a client
and it only had one network admin file on it.  ok and second i am going the vice prncipal about getting the network more secure cause the personal computer are needed by some like me i use a PDA non wireless to take notes becuase my handwrint is horrible  

what are u talking about my history of question the only questions i have asked have had to do with my computer IE wine and one about wierless for the
Pda cause we were planing to setup wireless in my house but never did. i have not aslke any other question that might have told a larger story.
spiderfixCommented:
>>my friend used a simple batch file to view the c: drive considering
we do have some security but the current admin is not that inteligant<<
So your "friend" is the one who breeched security. So your friend hacks
the schools computer and on the other hand "you" are trying to assist
the school in better security.

http://oldlook.experts-exchange.com/Networking/Broadband/DSL_Cable/Q_20719455.html
>>me and a friend live about a mile apart and we both have a cable
connection we want to connect our pcs so that my pc can see his
and vice versa<<
Let me guess, this isn't the friend who hacked the schools computer network.

>>i have not aslke any other question that might have told a larger story<<
The school network was compromised and your friend did the hack. No
large story to decipher here.
ArthiusAuthor Commented:
first off yes it is the same friend but again that was personal use from my home computer to his hiome computer because if u read that therally it mentioned that we had d-link router if i am not mistaken and i know because i have worked on some wireing at the school that they use cisco routers.  and if u are trying to insinuate that my frined is me ur wrong because they caught to people and have supened them both for a unknown amoutn of time so therefor ei had nothing to do with what they did to our network i am trying to better the network becasue i want my PDA bac because that is what i use to take notes .  


on a side note i do not appriate the personal attacks i mearly was trying to get someknowledge on a subject as for the VPn over cable we were working on a project together and wanted to be able to easlily share files with ut the worry of emails and floppys and cdroms and if u look that post was mad a long time ago.
spiderfixCommented:
>>my friend used a simple batch file to view the c: drive considering
we do have some security but the current admin is not that inteligant<<

>>they caught to people and have supened them both for a unknown amoutn of time<<

So now it was not your friend [or you] who accessed the school network with
the "not that intelligent" administrator?

What is the name of the school and what country/city is it in?
ArthiusAuthor Commented:
that is relly none or ur business i do not appriate the personal attacks i mearly asked for help ok and u i have never said that my friend did not accesse the network he did but from inside the school and our netwoek admin is a complete moran ok i am not sure how he got the job i had nothing to do with the netowrk being breeched that was a frined of mine alright.  and the security i was talking about was theat we dont have " view" of things like c: drive or contol panell but there are student that know how to see them and my friend used a batch to view the c: he was not orignally looking for the admin pass.
Casca1Commented:
Tell the assistant Prinicipal to get an outside expert?
If your network is as bad as you say, and the IS/IT guys as bad as that, then they really need an outsource company to come in and straighten out the mess they have.
We could give you points to use, but the big issue here isn't about your using your PDA. Take a recorder.
The network needs good security finese, and neither you nor the Assistant prinicpal are in a position to recitify that.
ArthiusAuthor Commented:
Spiderfix i dont know what ur trying to prove here and i dont know what that li=nk ment and yes i followed it and what thats leads to has nothing to do with considering what happened had nothing to do with an outside connection like ur tryingto imply to are tring to prove me guilty of a cirme that u dont have enough background iunfo about u say stuff like u have said
Fatal_ExceptionSystems EngineerCommented:
Arthius..   You have got to admit that some of this is hard to swallow.  But since I have been in too many situations where companies (or government for that matter) have the sorriest Network Administrators, I guess I will have to give you a little leeway here.  The Network of which you speak needs to completely overhauled and while I was at it I would hire a decent admin.  Good security is not hard to set up for a decent technician.  You don't even need to be MCSE to implement good security features.  The concepts are pretty simple (see Joseph Moore) and anyone worth their weight in salt (add a little experience and some forethought) can put it together.

And if you wanted to really get aggresive on the way security should be implemented in a University Environment, I believe Indiana Univ has had several articles written about their Network.  

And if all you want to do is to access internet resources and insulate the Intranet (the network Lan), just setup a separate Subnet and do not let it into the Network Subnet.  Lots of ways to do this.  

Or better yet, have them hire a good consultant.  We could use some extra cash for the Holidays.

FE
loralCommented:
Arthius,

I think based on a lot of the vague responses, most are uneasy helping solve a problem like this or get involved any further.

To me, it would seem best that IF your school has any intention of allowing student access to the server, they should hire a tech or consultant to come in and go over the system.  Since this is a school and I assume, government owned (not private), there should be a regional IT manager that can take care of the security issues here, and allow limited access by students.

We've all heard the story of the "friend" that did this or that, and for that reason, I think you'll find most of us are not comfortable continuing making suggestions.  

If you were able to go into a meeting with your VP, I'm sure if you tell him that you "asked for help over the internet and here are some ideas these guys supplied"; I really doubt that considering the problem already, they are going to take your advice seriously.

There appears to be some real issues here on both sides.  Mainly, if they kept an admin passord in a text file in a drive someone accessed by a .bat file.......well, this is nothing I want my name associated with.

Much of what you're asking would take a 2 hour sit-down meeting to address; to try to resolve this with all parties involved in a text forum is doubtfully going to come to a conclusion that you will be happy enough to reward the points, regain access, and make the VP of your school assured that his system is again secure.

Good Luck,

Loral R. Johnson
SeaBreeze Computer Services
Fatal_ExceptionSystems EngineerCommented:
Well said, Loral.  A network security audit needs to be done here, and by someone that is On Site (knows what they are doing) and the resources that need to be accessed.

FE
Casca1Commented:
All in favor of an independant auditor to go onsite, say aye...
{Chorus of Ayes}
Dissenters... Someone gag him!
The Ayes have it... 8-)
wtrmk74Commented:
This is the worst post I have seen...and to make it worse it is all speculation!

I think we would all have reasonable imput if there was any validation here.

end of line..................................................................................................................................................................
......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
`````crash and burn`````
Fatal_ExceptionSystems EngineerCommented:
Yea, it did get carried away a bit.  O well.
Casca1Commented:
Mrrmmph! Hey!
Ok, so the Gag line was a bit much... 8-)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.