Changing of the guard

Posted on 2004-04-23
Medium Priority
Last Modified: 2010-04-11
I am doing some consulting for a client who is thinking of changing their IT leader. They are concerned about the incumbent leaving behind something nasty if they do make a change. Does anyone know of a software package that would help minimize this risk by doing at least the following and hopefully more: (small network of 100 PCs and a dozen servers)

1) Check all automated/scheduled tasks on all PCs/servers and provide a list of unrecognized or all items
2) Check all startup locations on all PCs/servers and provide a list of unrecognized programs.
3) ??????
Question by:rfuller02
Accepted Solution

bitter_chicken earned 172 total points
ID: 10906477
If the computers have different hardware and software installed, it would be a prohibitively laborious task to compile a list of services to 'allow'.

Virus scanners will most likely do the job if you turn on the predictive mode. Online scanners can help if cost is an issue.

Another good security precaution would be to reset the firewall (or install a firewall!) - so that any odd connections should throw up a warning (eg trojans).

If all the computers have the same setup, it might be advisable to use a hard-drive imaging program (Win2000/XP have a rollout function which does this; or a program such as Norton Ghost) to completely clean the computers. By saving images on a hidden partition for each computer, you can then also get them back to optimum running state at will.

Hope this has helped,
bc :-)
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 164 total points
ID: 10906774
Just tell the incumbent that a full network, password, login and vulnerability audit have been commissioned to ensure there are no changes between now and when the new IT supplier takes over.
This should be enough to convince them that the risk of ILLEGAL system compromises or service disruption will be detected and reported to the police.
Put yourselves in their shoes - would you risk your professional reputation just because you've a chip on your shoulder ??  ;)
Think about:

1)  Terminating all remote access to the 3rd party (modems, VPNs, firewall rules)
2)  Changing ALL admin passwords on EVERYTHING
3)  Running patch assessment - i.e. check everything is up to date... Microsoft SUS is a start ?
4)  Run a vulnerability scan across the entire network (something like Retina would do the trick)
5)  Run up-to-date virus scans on everything
6)  Ensure firewall policies do not have liberal access rules in them
7)  Documenting everything, ensure full event logging is in place with a new admin account, just in case things turn out for the worse...


Author Comment

ID: 10907470
Timing is critical in this. If I was devising something nasty to leave behind, I'd set it to start when I didn't do something and I'd make sure that there were multiple points of entry.

I agree in that I can't imagine anyone risking their reputation, career and possibly jail time to get back at someone, but the owners of the company are bringing this up; I just provide a service.
Expert Comment

ID: 10907693
You could always just wipe every computer and start again! That would be exciting ;-)
LVL 38

Expert Comment

by:Rich Rumble
ID: 10909761
I'm not sure you could prevent a "time-bomb" as this could be a batch file or even tagged on the end of a popular program. Anti-virus is going to be your best friend in a Windows environment, and root-kit detection can be found with various programs. One of the leaders in finding malicious code is the TDS from DiamondCS. I've written some things on purpose to test the software, and while I was able to avoid detection, it was a very paranoid program (TDS3 that is) and found many of the other tests.

also a nice program

Timing is critical, we've had to let some very seasoned, long-time employees go, and they knew the LAN better than anyone there. You need to be swift, and perhaps Legal... our state is a "no reason" state, we don't have to give a reason for your termination, but we did hire a security guard to escort the individuals out of the building and off the premises. All passwords were changed right after we turned off the network port of their PCs. They were still logged in, and we were able to use their credentials to get to places we never would have, or it would have taken a week or more to crack their passwords, because it did in fact take a week ;) It's got to be a well thought out plan.

Author Comment

ID: 10909982

Thanks for the sites. Good stuff. I'm thinking of writing a VB app to accomplish some of this. Have you done anything like that? I'm thinking in terms of something that would check for all batch files (bat & cmd) and at least write a report listing all of them. Then, having the program parse the file looking for harmful commands. (Of course, if the person was really smart they'd copy the delete command and then rename it something innocuous. I could always have the program check the size of the program and if it looks suspect, run it against a test file to see what it does to it.) Haven't thought it all the way through but it seems like something that wouldn't be too tough to accomplish.

Any input would be appreciated and I'd give you a copy of it.
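
An added example, not the asker's VB app or anything posted in this thread, covering items 1 and 2 of the question: it inventories scheduled tasks, registry Run keys and Startup folders on a Windows host and reports anything not in a previously recorded baseline. It assumes Windows PowerShell 5.1 or later run with administrative rights; `$BaselinePath` is a placeholder for wherever the known-good inventory is stored, and for the servers it can be pushed out with Invoke-Command.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+ run with admin
# rights; $BaselinePath is a placeholder for wherever the known-good inventory is kept.
$BaselinePath = 'C:\Audit\startup-baseline.csv'

function New-Entry($Kind, $Location, $Command) {
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Kind = $Kind; Location = $Location; Command = $Command }
}

function Get-StartupInventory {
    $items = @()
    # 1) Scheduled tasks; Microsoft's own task folders are skipped so the list stays reviewable
    foreach ($t in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
        foreach ($a in $t.Actions) {
            $items += New-Entry 'ScheduledTask' ($t.TaskPath + $t.TaskName) ("$($a.Execute) $($a.Arguments)".Trim())
        }
    }
    # 2) Registry autostart keys (HKLM for all users, HKCU for the account running the audit)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }  # provider metadata, not autostarts
            $items += New-Entry 'RegistryRun' "$key\$($p.Name)" $p.Value
        }
    }
    # 3) Startup folders (all users, then the current user)
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($f in $folders) {
        foreach ($file in (Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue)) {
            $items += New-Entry 'StartupFolder' $file.FullName $file.Name
        }
    }
    return $items
}

$current = Get-StartupInventory
if (Test-Path $BaselinePath) {
    # Entries present now but absent from the baseline ('=>') are the unrecognized ones to review
    Compare-Object -ReferenceObject (Import-Csv $BaselinePath) -DifferenceObject $current `
                   -Property Kind, Location, Command |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Kind, Location, Command | Format-Table -AutoSize
} else {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation   # first run: record the baseline
}
```

Record the baseline while the current administrator is still in place and re-run the comparison after the handover; a clean diff does not prove nothing was left behind (services, WMI subscriptions and DLL hijacks are not covered), but it turns an open-ended hunt into a short review list.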

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 164 total points
ID: 10912856
Really is more about assessing the risk. We monitored the 2 admins' ports with Ethereal, as well as used VNC to monitor their activities for a few days prior to their being let go. I did hack VNC's icons to be all white instead of switching colors when we connected though. We ascertained that they were totally unprepared for what was coming, and they were not emailing or FTP'ing, or CD copying any data off site. They were not doing any work at the same time ;) Again we used a security officer we hired to enter their office with me, ask them to gather their things in a box and meet with a manager before leaving.

If you really feel that this person will hold a grudge, or is capable of the acts you're trying to find, then your problem is bigger than mine. Here are some other suggestions:

Oh yes, we changed all the passes on ALL accounts after the persons were escorted from the building. While I was watching their activities, another admin was specifically denying their accounts on all PCs and servers, and they were removed from the admin group at the same time we turned off their network ports. Swift and all-encompassing action was what we did.
LVL 27

Expert Comment

ID: 15738885
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: bitter_chicken{http:#10906477} & tim_holman{http:#10906774} & richrumble{http:#10912856}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
