I am a relative novice at Security. I know enough to ensure that an active firewall is up, disable unnecessary services, ensure that OS and application patch updates take place, and keep Antivirus (Norton) and Antispyware (MS Antispyware Beta) running.
I have been working for the last 6 months in a small company with 5 Windows 2000 servers (webserver with access over SSL to customers for submitting forms into a database, which is also acting as a Globalscape FTP server; SQL database server; transaction server; FileServer; and an unused FTP Server), a proprietary SQL Medical database application, 12-13 desktop clients running either Win2k or XP, and a woefully understaffed IT situation that was neglected for far too long. Each server is running at the same level/layer as the other servers behind the gateway. We have a new Dell 48 port 1gb managed switch. I have as yet been unable to do a complete audit of running services on all of the machines.
I was brought in initially to do website work, some Access DB work and write a visual basic program for remapping some data in batch files so that they could be submitted into the proprietary database.
This is a peer-to-peer network where almost every client is being accessed by an Administrative account (I've already pushed numerous times to convert to a domain network and recommended that administrative accounts should not be logged into by users). We changed passwords on all Server Admin accts 2 months ago. The network is not wireless (wired), but the internet access is achieved through a DSL gateway that is wireless to a tower nearby that is hooked into fiber.
We have at times had a passthrough for RDP in the gateway for tech support but we have been careful to disable it whenever the issue was taken care of.
Recently the CEO asked me if it was possible that a former IT employee might be capable of surreptitiously accessing the network and reading the CEO's Email. The statement was made that the suspect knew way more about confidential goings on in the company than they should.
I answered that I was not sure but that I would attempt to find out.
The few things I have read in the past lead me to believe that it is certainly possible. If this is correct, please respond with different ways that it might be accomplished and whatever recommendations you might have for hardening the network against such activity. I suspect that we should be setting up auditing somewhere on one or more of these servers and monitoring them, but I am uncertain which server I should begin with.
Also, if anyone can recommend a good security book that won't take the rest of my life to read or understand, I would be grateful.
All responses aiding a novice will be appreciated.