We recently had to lay off our IT person. We will get someone new soon.

I want to make sure I secured the network so that he cannot hack in. We have a very simple and small network. Basically, we have 8 PCs sitting behind a Linksys router, all of them with RFC 1918 private addresses, including a file server and a domain controller.

And then we have the outside interface of the router with a static global IP address, of course, for the PAT overload. And finally, we have an application server that also has a global IP address.

This is what I did:

Physical Security:

The file server, application server, the domain controller, and the Linksys router are sitting in a locked room and only I have the key.

Network Layer Security:

1.) I changed the password on the Linksys router.
2.) I disabled the function that allows anyone to manage it from a wireless connection.
3.) I disabled all port forwarding/redirection, EXCEPT for FTP -- port 21 to support remote FTP for our field personnel.

Application Layer Security:

1.) I changed the Administrator account password on the domain controller (by going to "control panel" and then "user accounts"), as you would on any PC, which actually ended up changing the Administrator password across the entire domain. In other words, now if I want to log-on to a user PC with the Administrator password, it, too, has been changed to the password I applied when I changed it on the domain controller.

2.) I disabled his personal Active Directory account. Now, if I try logging on using his log-on credentials, it says that no controller or tree was available to authenticate him (or something like that).

3.) I changed the log-on credentials for the application server, but kept the remote management program running because I am not the one who manages it.

4.) On the file server, I changed BOTH the Administrator password when logging into the computer locally and the Administrator password when logging into the domain. In other words, if I want to log-on as "Administrator" on the file server, I can log onto "This Computer" or onto the domain. Both those passwords have been changed. I also changed the password for another account he created on the file server that also had administrator rights.

5.) I totally deleted the FTP program we were using on the same file server and re-installed it and then created new accounts with new log-on credentials for our remote users. By the way, those remote users can only FTP to a SEPARATE directory than the local users. In other words, we used to have it set up where the same drive we were mapping to locally was the same drive we were FTPing to/from from the field. Now, the field personnel use a different directory, with identical files and directory structure, as a "drop-box," so to speak.

6.) Finally, I "stopped" the remote management service he used to use to get into the network (I think it was called Ultra VNC) on all the PCs that had it loaded, including the file server, the domain controller, and what was his personal work station. As I said, I kept it running on the application server because I don't manage it, but the log-on credentials have been changed.

What do you think? Did I cover all the bases? Am I missing something? PLEASE READ EVERYTHING I WROTE CAREFULLY. Maybe I'm just paranoid now. :-)

Thank you in advance for your help and time.

Juan OcasioApplication DeveloperCommented:
Another thing you should do is scrutinize your ADUC for any accounts you're not familiar with. Also look at the Administrators group to see who the members are and remove anyone who should not be a member of that group.
ex-engineerAuthor Commented:
By the way, to achieve what I say in "Application Security" item #2, "I disabled his personal Active Directory account," I simply opened the Active Directory management interface, aka "Active Directory Users and Computers," then highlighted his account, then right-clicked, and then selected "disable."

I know you can do this with sophisticated scripts, but I am not interested in that right now. I just want to know if I got the job done.

Did I do it right?

Thank you once again.
Any outsourced services that have an administrative interface? Email, spam filters, domain registrars?

1.) Open RUN
2.) Type in CMD
3.) When it opens, type in IPCONFIG
4.) Copy and paste your IP address into Internet Explorer.
5.) A popup will prompt you for a username and password. Leave the username blank, and your factory-set password should be admin. (I would recommend changing this so your fired IT guy won't mess around.)
6.) Add a password.
Two questions:

Did you fully trust this guy when he was working with you?
Does he have reason to get back at you in some way?

You mention a wireless connection. I presume you are using encryption on the wireless network and that you have changed the key?
ex-engineerAuthor Commented:
JCasio: Excellent point. I am no Active Directory guru, but from what I can tell, the Administrator account and his personal account were the only accounts with administrator privileges. If you can show me the way to be 100% sure, I will check again. Thank you.

RVTHOST: Good point, too. We do outsource email to a provider and I did change the log-on credentials for the management interface and I deleted his email account.

Freshprince27: I guess you're suggesting I do that so I can change the password on the router. Yes? I did that already.

ISYSEUROPE: I did trust him not to do anything malicious, but he isn't too happy we let him go, that's for sure. Hence my concern that I have secured the network.

And yes, I forgot to mention it in my opening statement, but I did change the WEP Key, too, for wireless users.

What do you think guys? Everything covered? I think simply by killing all port forwarding/redirection in the router for all applications (remote desktop, Ultra VNC, etc), except for FTP on port 21, I pretty much killed any chance he had of really accessing the network. Everything sits behind the router and uses private addresses, and there is no OOB access set up, so without port forwarding...

But I did everything else to be sure.
ex-engineer, one last thing I thought of. Any dial-in modems lying around yet? Otherwise, it sounds like you have all your bases covered!
Juan OcasioApplication DeveloperCommented:

Open Active Directory Users and Computers, look for the Administrators group, right-click on it and select the Members tab. You'll also want to look in all of the organizational units (if you have any set up) as well to make sure there isn't a rogue user with access/administrative privileges. It seems as though your ex-employee didn't have enough time to set this up, but if s/he knew in advance then s/he could have...
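A PowerShell version of this membership review, added here as an example and not taken from the thread or any of the commenters; it assumes the RSAT ActiveDirectory module, PowerShell 5 or later, and uses 'ex.itperson' as a placeholder for the disabled account name.

```powershell
# Added example: audit who still holds admin rights after an admin leaves.
# Assumes the ActiveDirectory module (RSAT) is installed and this runs on the
# domain controller or a domain-joined admin workstation.
Import-Module ActiveDirectory

# Privileged groups worth reviewing; "Administrators" is the built-in group named above.
$privilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so a user tucked inside another group still shows up
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    Write-Host "`n== $group =="
    foreach ($m in $members) {
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, whenCreated
            '{0,-20} enabled={1,-5} lastLogon={2} created={3}' -f $u.SamAccountName, $u.Enabled, $u.LastLogonDate, $u.whenCreated
        } else {
            '{0,-20} ({1})' -f $m.SamAccountName, $m.objectClass
        }
    }
}

# Accounts created recently (e.g. during the ex-employee's last 30 days) deserve a
# second look no matter which OU they sit in.
$cutoff = (Get-Date).AddDays(-30)
Write-Host "`n== Users created since $cutoff =="
Get-ADUser -Filter { whenCreated -ge $cutoff } -Properties whenCreated |
    Select-Object SamAccountName, Enabled, whenCreated | Format-Table -AutoSize

# Confirm the account disabled by hand in ADUC really is disabled, and what groups it keeps.
$formerAdmin = 'ex.itperson'   # placeholder SamAccountName, not from the thread
$acct = Get-ADUser -Identity $formerAdmin -Properties Enabled, MemberOf -ErrorAction SilentlyContinue
if ($acct) {
    '{0}: enabled={1}, groups={2}' -f $acct.SamAccountName, $acct.Enabled, ($acct.MemberOf -join '; ')
}

# A remote-management service (the thread mentions UltraVNC) that was only "stopped"
# comes back on reboot unless its start type is also Disabled; report what is set.
Get-Service | Where-Object { $_.DisplayName -like '*VNC*' } |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
```

Run the service check on each machine that had the VNC package installed, since Get-Service only reports the local host.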
Juan OcasioApplication DeveloperCommented:
One other thing...Change your WEP to WPA.  It's more secure (just a side-bar...)

ex-engineerAuthor Commented:

Thank you so much for all your help and guidance. I appreciate it very much.

Let me check a couple more things out..

From the author's last comments, it appears JOCASIO and I provided the most useful information. I suggest points to be split accordingly.  My 2 cents :)  Thanks.
ex-engineerAuthor Commented:
Everyone helped! Thanks to all!