Changing of the guard

Posted on 2004-04-23
Last Modified: 2010-04-11
I am doing some consulting for a client who is thinking of changing their IT leader. They are concerned about the incumbent leaving behind something nasty if they do make a change. Does anyone know of a software package that would help minimize this risk by doing at least the following and hopefully more: (small network of 100 PCs and a dozen servers)

1) Check all automated/scheduled tasks on all PCs/servers and provide a list of unrecognized or all items
2) Check all startup locations on all PCs/servers and provide a list of unrecognized programs.
3) ??????
Question by:rfuller02
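One way to cover items 1) and 2) without a commercial package is to dump the scheduled tasks and startup entries from every machine and diff them against a baseline taken from a known-clean reference build. The script below is an added example, not the asker's code and not a product mentioned in the thread; it assumes each host's task list arrives as the CSV text that `schtasks /query /fo csv` prints (TaskName, Next Run Time, Status) and that startup entries (Run keys, Startup folder) have been exported as `name=command` lines. Both per-host dumps and the baseline are constructed sample data.

```python
"""Cross-host audit of scheduled tasks and startup entries against a baseline.

Added example, not from the thread. Assumes per host: the text of
`schtasks /query /fo csv` and a `name=command` dump of Run-key / Startup
folder entries. All sample data below is constructed.
"""
import csv
import io

# Baseline captured on a known-clean reference machine; anything else is reported.
BASELINE_TASKS = {"Backup", "Defrag"}
BASELINE_STARTUP = {
    "c:\\program files\\antivirus\\avmon.exe",
    "c:\\winnt\\system32\\ctfmon.exe",
}

# Constructed per-host dumps (srv02 carries an extra AT job and an odd startup item).
SAMPLE_TASKS = {
    "ws01": '"TaskName","Next Run Time","Status"\n'
            '"Backup","23:00:00, 4/24/2004",""\n'
            '"Defrag","Never",""\n',
    "srv02": '"TaskName","Next Run Time","Status"\n'
             '"Backup","23:00:00, 4/24/2004",""\n'
             '"At1","03:00:00, 6/1/2004",""\n',
}
SAMPLE_STARTUP = {
    "ws01": "avmon=C:\\Program Files\\AntiVirus\\avmon.exe\n"
            "ctfmon=C:\\WINNT\\system32\\ctfmon.exe\n",
    "srv02": "avmon=C:\\Program Files\\AntiVirus\\avmon.exe\n"
             "svc=C:\\WINNT\\temp\\svc.bat\n",
}


def parse_schtasks_csv(text):
    """Task names from schtasks CSV output; tolerates a header row and blank lines."""
    names = set()
    for row in csv.reader(io.StringIO(text)):
        if row and row[0] != "TaskName":
            names.add(row[0].strip())
    return names


def parse_startup(text):
    """(name, lower-cased command) pairs from 'name=command' lines."""
    pairs = set()
    for line in text.splitlines():
        if "=" in line:
            name, cmd = line.split("=", 1)
            pairs.add((name.strip(), cmd.strip().lower()))
    return pairs


def unrecognized(host, tasks_text, startup_text):
    """Items on one host that do not appear in the baseline."""
    tasks = parse_schtasks_csv(tasks_text) - BASELINE_TASKS
    startup = [f"{name}={cmd}" for name, cmd in parse_startup(startup_text)
               if cmd not in BASELINE_STARTUP]
    return {"host": host, "tasks": sorted(tasks), "startup": sorted(startup)}


def audit(tasks_by_host, startup_by_host):
    """Per-host report, listing only hosts that have something unrecognized."""
    report = {}
    for host in sorted(tasks_by_host):
        r = unrecognized(host, tasks_by_host[host], startup_by_host.get(host, ""))
        if r["tasks"] or r["startup"]:
            report[host] = r
    return report


if __name__ == "__main__":
    for host, r in audit(SAMPLE_TASKS, SAMPLE_STARTUP).items():
        print(f"{host}: tasks={r['tasks']} startup={r['startup']}")
```

The baseline should be re-taken after every sanctioned change, otherwise the report fills with noise and the one entry that matters gets skimmed past; commands are lower-cased before comparison because Windows paths are case-insensitive and the same program is often registered with different casing on different machines.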

Accepted Solution

bitter_chicken earned 43 total points
ID: 10906477
If the computers have different hardware and software installed, it would be a prohibitively laborious task to compile a list of services to 'allow'.

Virus scanners will most likely do the job - ( or ) - if you turn on the predictive mode. Online scanners can help if cost is an issue:

Another good security precaution would be to reset the firewall (or install a firewall!) - so that any odd connections should throw up a warning (eg trojans).

If all the computers have the same setup, it might be advisable to use a hard-drive imaging program (win2000/xp have a rollout function which does this; or a program such as norton ghost: ) to completely clean the computers. By saving images on a hidden partition for each computer, you can then also get them back to optimum running state at will.

Hope this has helped,
bc :-)

Assisted Solution

by:Tim Holman
Tim Holman earned 41 total points
ID: 10906774
Just tell the incumbent that a full network, password, login and vulnerability audit has been commissioned to ensure there are no changes between now and when the new IT supplier takes over.
This should be enough to convince them that the risk of ILLEGAL system compromises or service disruption will be detected and reported to the police.
Put yourselves in their shoes - would you risk your professional reputation just because you've a chip on your shoulder ??  ;)
Think about:

1)  Terminating all remote access to the 3rd party (modems, VPNs, firewall rules)
2)  Changing ALL admin passwords on EVERYTHING
3)  Running patch assessment - i.e. check everything is up to date... Microsoft SUS is a start ?
4)  Run a vulnerability scan across the entire network (something like Retina would do the trick)
5)  Run up-to-date virus scans on everything
6)  Ensure firewall policies do not have liberal access rules in them
7)  Documenting everything, ensure full event logging is in place with a new admin account, just in case things turn out for the worse...


Author Comment

ID: 10907470
Timing is critical in this. If I was devising something nasty to leave behind, I'd set it to start when I didn't do something and I'd make sure that there were multiple points of entry.

I agree in that I can't imagine anyone risking their reputation, career and possibly jail time to get back at someone but the owners of the company are bringing this up, I just provide a service.

Expert Comment

ID: 10907693
you could always just wipe every computer and start again! That would be exciting ;-)

Expert Comment

by:Rich Rumble
ID: 10909761
I'm not sure you could prevent a "time-bomb" as this could be a batch-file or even tagged on the end of a popular program. Anti-Virus is going to be your best friend in a windows environment, and root-kit detection can be found with various programs. One of the leaders in finding malicious code is the TDS from DiamondCS. I've written some things on purpose to test the software, and while I was able to avoid detection, it was a very paranoid program (TD3 that is) and found many of the other tests.,2460976~root=security,1~mode=flat

also a nice program

Timing is critical, we've had to let some very seasoned, long time employees go, and they knew the lan better than anyone there. You need to be swift, and perhaps Legal... our state is a "no reason" state, we don't have to give a reason for your termination, but we did hire a security guard to escort the individuals out of the building and off the premises. All passwords were changed right after we turned off the Network port of their PCs. They were still logged in, and we were able to use their credentials to get to places we never would have, or it would have taken a week or more to crack their passwords, because it did in fact take a week ;) It's got to be a well thought out plan.

Author Comment

ID: 10909982

Thanks for the sites. Good stuff. I'm thinking of writing a VB app to accomplish some of this. Have you done anything like that? I'm thinking in terms of something that would check for all batch files (bat & cmd) and at least write a report listing all of them. Then, having the program parse the file looking for harmful commands. (Of course, if the person was really smart they'd copy the delete command and then rename it something innocuous. I could always have the program check the size of the program and if it looks suspect, run it against a test file to see what it does to it.) Haven't thought it all the way through but it seems like something that wouldn't be too tough to accomplish.

Any input would be appreciated and I'd give you a copy of it.
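The batch-file audit the asker sketches above (find every .bat and .cmd, report them, then parse each for harmful commands) can be prototyped in a few dozen lines. The script below is an added example, not the asker's VB application and not code from anyone in the thread. The suspicious-command patterns, the allow-list of known executables and the two sample scripts it writes to a temporary directory are all constructed for illustration; the unknown-executable check is a stand-in for the asker's concern about a renamed delete command, since the scanner cannot tell what a renamed binary does, only that it is not one of the tools the site expects.

```python
"""Batch-file audit: locate every .bat/.cmd under a root and flag risky lines.

Added example for the VB-app idea in the thread; not the asker's code.
Patterns, the executable allow-list and the sample files are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Command families worth a second look in a startup or scheduled script.
SUSPICIOUS = {
    "recursive_delete": re.compile(r"\b(del|erase|rd|rmdir)\b[^&|]*\s/[sq]\b", re.I),
    "format_disk":      re.compile(r"\bformat\s+[a-z]:", re.I),
    "registry_write":   re.compile(r"\breg(edit)?\s+(add|delete|/s)\b", re.I),
    "task_scheduling":  re.compile(r"^\s*(at|schtasks)\b", re.I),
    "account_change":   re.compile(r"\bnet\s+(user|localgroup|group)\b", re.I),
    "shutdown":         re.compile(r"\bshutdown\b", re.I),
}
# Executables the site expects its scripts to call (assumed allow-list).
KNOWN_EXE = {"cmd.exe", "xcopy.exe", "robocopy.exe", "ntbackup.exe"}
EXE_REF = re.compile(r"\b([\w.-]+\.exe)\b", re.I)
COMMENT = re.compile(r"^(rem\b|::)", re.I)


def scan_text(text):
    """Return (line_no, category, line) for every line that trips a check."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or COMMENT.match(stripped):
            continue  # blank lines and comments never execute
        for category, rx in SUSPICIOUS.items():
            if rx.search(line):
                findings.append((n, category, stripped))
        for exe in EXE_REF.findall(line):
            if exe.lower() not in KNOWN_EXE:
                findings.append((n, "unknown_exe:" + exe.lower(), stripped))
    return findings


def scan_tree(root):
    """Map each .bat/.cmd (path relative to root) to its findings; empty list = clean."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in (".bat", ".cmd"):
            report[str(path.relative_to(root))] = scan_text(
                path.read_text(errors="replace"))
    return report


def build_sample_tree():
    """Write two constructed batch files into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "nightly.bat").write_text(
        "@echo off\nrem nightly backup\n"
        "ntbackup.exe backup c:\\data /j \"nightly\"\n")
    (root / "cleanup.cmd").write_text(
        "@echo off\n"
        "if not exist c:\\keepalive.txt del /s /q c:\\data\\*.*\n"
        "svchost32.exe -r\n"
        "net user audit /add\n")
    return root


if __name__ == "__main__":
    for name, findings in scan_tree(build_sample_tree()).items():
        print(name, "clean" if not findings else "")
        for line_no, category, text in findings:
            print(f"  line {line_no}: {category}: {text}")
```

Running it lists nightly.bat as clean and flags three lines in cleanup.cmd (a recursive delete guarded by a missing-file check, an executable the allow-list does not know, and an account creation). A report like this is only a first pass: it says nothing about compiled programs, and a script can build its commands from variables the regexes never see, which is why the thread's advice to change every password and disable remote access comes first.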


Assisted Solution

by:Rich Rumble
Rich Rumble earned 41 total points
ID: 10912856
Really is more about assessing the risk. We monitored the 2 admins' ports with ethereal, as well as used VNC to monitor their activities for a few days prior to their being let go. I did hack VNC's icons to be all white instead of switching colors when we connected though. We ascertained that they were totally unprepared for what was coming, and they were not emailing or ftp'ing, or cd copying any data off site. They were not doing any work at the same time ;) Again we used a Security officer we hired to enter their office with me, ask them to gather their things in a box and meet with a manager before leaving.

If you really feel that this person will hold a grudge, or is capable of the acts you're trying to find, then your problem is bigger than mine. Here are some other suggestions:

Oh yes, we changed all the passes on ALL accounts after the persons were escorted from the building, while I was watching their activities, another admin was specifically denying their accounts on all PCs and Servers, and they were removed from the admin group at the same time we turned off their network ports. Swift and all encompassing action was what we did.

Expert Comment

by:Rainer Meller
ID: 15738885
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: bitter_chicken{http:#10906477} & tim_holman{http:#10906774} & richrumble{http:#10912856}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
