Old admin hacking my network possibly
Posted on 2006-04-18
I have a question for the experts out there. More like input needed.
The old admin at my company was boasting to fellow former employees this weekend how he can still get into our network and knows what people are making and accessed financials. He was very angry when I met him when I first started. They paid him to come in and tell me passwords and show me how the network is set up. He was fired and that is why I am here.

When I started I reset all admin passwords and VPN passwords. I think that he may have been just talking but I cannot take the threat lightly. I have just reset the telnet and enable passwords on all routers and the Pix. I reset the VPN username and passwords to complex ones. I have also reset the wireless key. I am going to have all users reset passwords. What am I missing?

VPN is set up through the Pix. Not user’s credentials but there is a VPN user set up on the Pix. I do not know what other action to take. There are no invalid users in the directory. Where would I look to see if someone was in besides the event log? I am going to make sure that successful logon events are recorded as well as failures. The Pix only has 2 rules. One to allow all SMTP and HTTP traffic to our mail server for mail and OWA. Another to allow users to access outside sites. I want to make sure that I am not missing anything.

Exactly what security events should I be logging to catch as much info as I need? Right now I have set up every Success and Failure event to log but that may be excessive. This is a small network with only 30 people. Not too complex and running SBS 2003. The firewall is a Pix 506e.