Solved

is my win 2000 secure from remote administration

Posted on 2006-06-15
Last Modified: 2010-04-13
Recently I took over some IT duties at a local business; apparently the last IT guy went a bit coo-coo, but that’s a different matter. My problem is that before he left he was bragging to all the staff about how he can remotely access the network whenever he feels like it and do whatever he pleases to the sensitive data stored on it. I have been doing a few checks to cut off his access, but I want to be 100% sure that he can’t get in.

The setup is a simple network focused around the server (running Win 2000 SP4). This server is connected to the rest of the network and the internet via an ADSL modem/router; the rest of the computers on the network are running Win XP SP2.

This is what I have done so far. First, I checked to see if the router has a VPN option, which it doesn’t, and the remote configuration option is disabled. Next I uninstalled pcAnywhere from all of the PCs (I suspect that this is what he was using, but I’m not sure). I also checked whether the PCs have a dial-up connection, but none of them have. I have begun doing some research about terminal services and telnet, but it’s a bit over my head. It seems that there are numerous ways he can access this network, and there are probably even more that I don’t know about.

The catch is that they do not use firewall software, as no matter how much it is tweaked it seems to interfere with their booking system.

Now, what I'm really interested in is:

1. Is there other software similar to pcAnywhere that can be running hidden on the machines somewhere? (Unfortunately formatting the machines is not an option.)
2. If there is such software, is there anything I can download to detect this vulnerability, without using a firewall?
3. If I need to use a firewall, would a certain port number need to be disabled in the firewall for programs such as pcAnywhere to be able to run? If so, can I enable this port or reinstall the firewall?
4. Can telnet be used for remote administration, and if so can this be prevented?
5. Does terminal services run on Win 2000 or is it only on 2000 Server? If it does run on Win 2000, can it be disabled?
 

I will be happy to give the points to whoever can answer these questions and perhaps make some other suggestions that I have not thought of. Basically I just want to be 100% sure he can no longer access the network remotely, if there is a simple way to cover all these bases I would appreciate if someone could step me through it. Thank you in advance.
0
Question by:Drester211
7 Comments
 
LVL 43

Accepted Solution

by:
Steve Knight earned 350 total points
ID: 16910235
He probably has port forwarding set on the DSL firewall from either his specific IP or everywhere on the net... look for port 3389 (RDP / terminal services to server), telnet (23), web (80), https (443), 5800/5900 (VNC) etc. to see what is open. Try doing a ShieldsUp! scan (www.grc.com) from a PC on your network to test what is open to the world (this might not find what ports are open if he has restricted access to his own IP only).

If in doubt write down all the config. from the firewall, set it to factory defaults and connect it back up again ... you may need firewall rules in for incoming SMTP email (port 25) for instance though legitimately.

Once he is in he'll still need accounts on the server, so check for all administrators and change their passwords, and make sure everyone else he may have known passwords for has changed theirs too.

hth

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 16910240
netstat -an will tell you what connections there are to the server at any point BTW if you suspect someone is on there...

Steve
0
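The `netstat -an` check suggested above, as an added example that is not part of the original posts: it reads saved `netstat -an` output and reports listeners and sessions on the remote-administration ports named in this thread. The sample output, the LAN range `192.168.1.0/24` and the function name `review_netstat` are assumptions made for illustration.

```python
import ipaddress

# Remote-administration ports named in this thread.
REMOTE_ADMIN_PORTS = {
    23: "telnet", 3389: "RDP / Terminal Services",
    5631: "pcAnywhere data", 5632: "pcAnywhere status",
    5800: "VNC", 5900: "VNC",
}

# Assumption: the office LAN range; adjust to the real network.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of Windows `netstat -an` output (not real data).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.21:1030      ESTABLISHED
  TCP    192.168.1.10:5631      203.0.113.45:1042      ESTABLISHED
  UDP    0.0.0.0:5632           *:*
"""

def review_netstat(text, lan=LAN):
    """Return (kind, proto, port, service, peer) for remote-admin ports."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no state
        port = int(local.rsplit(":", 1)[1])
        if port not in REMOTE_ADMIN_PORTS:
            continue
        service = REMOTE_ADMIN_PORTS[port]
        peer = foreign.rsplit(":", 1)[0].strip("[]")
        if state == "ESTABLISHED":
            outside = ipaddress.ip_address(peer) not in lan
            kind = "session-from-outside" if outside else "session-from-lan"
            findings.append((kind, proto, port, service, peer))
        elif state == "LISTENING" or proto == "UDP":
            findings.append(("listener", proto, port, service, None))
    return findings

if __name__ == "__main__":
    for finding in review_netstat(SAMPLE):
        print(finding)
```

Save the real output with `netstat -an > netstat.txt` on the server and pass the file contents to `review_netstat`. The result is a snapshot of that moment only, and a tool that connects outbound through a relay will not appear on these ports.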
 
LVL 43

Expert Comment

by:Steve Knight
ID: 16910249
One more thing: if there are no modems attached to any machines, WiFi access points (e.g. the router) or ISDN lines, then the only access in is through the ADSL router or physically through your door... I'd concentrate on the router and make sure no-one lets their old friend through the gate :-)
0
 
LVL 18

Expert Comment

by:carl_legere
ID: 16910813
Many remote access options.  Increase your diligence with backups in case he desires to erase files.
I would budget reformatting the system if you believe he is a real threat.  Keep an ear to the ground if he is using information that he obtained during or after employment to his gain.
0
 
LVL 16

Expert Comment

by:Joe
ID: 16911248
First I would run logmein scout from your machine; this will scan your network for all remote access tools (VNC, PC Anywhere etc.). It is free to use. Then I would go to your server and go into your terminal services manager to see what is set up on the network. Also try and go into your router and see if there are any ports being forwarded to any machines, as already mentioned above by dragon-it. Good luck.

https://www.logmein.com/go.asp?page=products_scout (Free tool to scan network for remote access programs)

Joe
0
 

Author Comment

by:Drester211
ID: 16918355
Thanks for your comments guys. dragon-it, just one more thing: I have scanned all the ports using ShieldsUp! as you instructed, and they all say stealth... is that a good thing? Also I checked the router, and under services it's got one service type listed with the ports 5631 - 5632, which I believe is pcAnywhere data and stats; can I just simply delete this service?
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 16918727
Yes it is good.  It means there is nothing open to everyone at least.  It could still have a rule or two in there that forwards ports for specific IP addresses on the internet; have you checked the firewall / NAT port forwarding rules?

He could be using something like "logmein", which is a way of getting to a computer without having an inbound connection.  I believe the utils mentioned above should look for programs like that.

Steve
0
