Ethical Hacking

Experts,
I have a network administrator in my organization who has studied Ethical Hacking. I am a programmer, and I am not friends with that admin!

I don't know much about Ethical Hacking, and I want to know, what can this admin do with my PC without having my permission if I am on the same network? What are the limits? And is there a way to prevent him from doing that by installing some kind of software? Or if I cannot prevent him, at least how can I know that he hacked my PC?

I am running a Windows XP workstation. Our file server is Windows 2003.
feesuAsked:

younghvCommented:
Hi feesu,
Depending on how well he understood the material presented (was it the "SANS" course?) there isn't going to be much you can do.
If he is working from a Domain Administrator-type account, and your computer is a member of the Domain, then by definition he can do (or undo) anything he wants.

With that account and the right knowledge or application, he can access anything he wants and delete any trace of his activity.

There is the possibility that you can turn on all of the 'Auditing' functions and re-direct the log output to an external source, but all he has to do is turn that off (remotely) before he starts.

If you have files that you don't want him to have access to, your best option is to get a large external drive and save all of your work there.

Good Luck,
Vic
0
feesuAuthor Commented:
Hi Vic,
Is he able to hack into my external drive while it is hooked to my PC while I'm on the network? Or do I need to disconnect the external storage whenever I'm done?
0
younghvCommented:
Hi feesu,
The short answer is - yes he can.
You might consider something like the 40 GB (or larger) external USB drives.
All of my Techs carry them because they are frequently on the road and need immediate access to a wide variety of files (plus their email).
Ours are about the size of a deck of cards and fit in our Cargo Pockets.

The only time your data is safe from someone as you describe is when it is in your pocket.

Good Luck,
Vic
0

legalsrlCommented:
Hi all,

Aha, the old ethical hacking debate......

To agree with Vic (younghv), yes, this guy can pretty much come and go as he pleases.....

Ethical hacking is pretty much called Penetration Testing over here, and we make a policy of never employing anyone who has studied an Ethical Hacking course.   There are lots of them available, Foundstone do a load of training courses on ethical hacking.

We sub-contract out our Penetration Testing as it's easier to have legal documents to cover the work we are instructed to carry out on behalf of a client.

The only way to really protect yourself is to unplug yourself from the network....

Obviously not always practical, but with Domain Admin privileges, he can do anything to your PC

You have to trust that your bosses trust him.....

Si
0
mikeleebrlaCommented:
1.  you both work for the same company right?
2.  the PC you use for work is company owned  right?
3.  he is the network/PC admin for your company right?
4.  he is 'allowed' to do/monitor, whatever he is given permission to do by 'the company' IE your boss and his boss.
5.  why are you so afraid of a network admin knowing what you do AT work?
6.  it is a MAJOR part of every admin's job to know what their users are doing on COMPANY PCs, since a) it is a company owned asset b) since the company is paying you, it is in their best interest to at least know how you are spending your time at work.

You are using the word "HACKING" here, but since it is a network and a PC that it is his JOB to manage, then it isn't hacking at all, he is simply doing his job. Hacking means UNAUTHORIZED use. Since he works for the company, it is more than likely authorized by the powers that be in your company to access PCs on the network.

>>There is the possibility that you can turn on all of the 'Auditing' functions and re-direct the log output to an external source, but all he has to do is turn that off (remotely) before he starts.

I'm sure that would be against company policy for obvious reasons; that would be grounds for instant termination in most companies.
1
maninblac1Commented:
Well, if he's trained in "ethical" hacking, then you likely have nothing to worry about.  If he's going to break into your machine, he's going to do it, then gloat about it to your face to make sure you fix the problem.  As for what can he do, well.

If you are a pretty skilled user, you're probably already taking all the steps necessary.

His primary focus will depend on your OS.  In general, it's very difficult to just usurp file permissions, you have to root the system first before you can bypass this.  So if you're using NTFS, LINUX or UNIX, as long as your OS isn't exploitable, and you have no open network shares, then he can't have access to your files.  That's just how it works, file permissions are just that, brute forcing it doesn't work.

So, he has to exploit your OS first so he can get admin access.  Depending on the OS, the programs being run, will dictate how easy or hard this is.

Now, something to keep in mind, is you're likely both using windows, and are likely on a domain.  So active directory gives you both admin level permissions for all levels below you, however a proper domain set up will exclude admins to overrun other admins, so hopefully that won't be a point of exploit.

Needless to say, I think you have nothing to worry about, unauthorized access whether benign or not, in the IT world is a very severe offence and would likely get him fired.  No matter how easy the hacking world makes it seem, defeating modern operating systems is very difficult.

As for access to your external, if you're not sharing it, he shouldn't have access to it at all, he likely wouldn't even know it exists.
0
mikeleebrlaCommented:
>>As for access to your external, if you're not sharing it, he shouldn't have access to it at all, he likely wouldn't even know it exists.

Wrong, if he logs into 'your' machine locally, it will show up.

again, it isn't YOUR machine, it is the company's machine and they have EVERY right to know what you are doing with their equipment.

0
younghvCommented:
maninblac1,
I have been fortunate enough to be sent to many "Network/Security" training courses (military and civilian) over the past 11 years.

There is NOTHING a local user can do (even with Local Admin privs) to stop a Domain Administrator from doing anything he wants on a 'member' computer.

There is no privilege restriction that can possibly be applied that will stop a Domain Administrator.

I've seen two posts in the last couple of days by folks who think some kind of 'configuration' can stop a Domain Administrator and you need to understand that it is not possible.

IF a local user could stop a Domain Administrator from doing his job (as mikeleebrla says), how could any company/entity have any kind of network security?

By definition, Domain Admins need total control of every device in the Domain - that is their job.
0
younghvCommented:
This (as mikeleebrla says) SHOULD have read (just as mikeleebrla is saying).

He and I agree completely on this.
Domain Admins have complete and total control over every device on the network ...
and they should, by virtue of their jobs.
0
feesuAuthor Commented:
Experts,
We do work for one company. He is an admin. The company has the right to know everything in the pc.
That's not my problem. My problem is that I don't trust him. I am a senior as well. And I am sure that the higher management doesn't accept that he goes into my PC without my permission, BUT who would ever know?! No one will, simply cuz he's the only Admin of the network...

He won't ever dare to ask me why I did anything on my PC that would prevent him from hacking through. I need - in the worst-case scenario - software that, if I install it on my PC, would let me know whether this admin has come and taken any kind of action, for example copied source code of mine or viewed a certain document that might be confidential.
0
younghvCommented:
feesu,
This string of posts is turning out just like the one last week.
A whole list of experts tried to explain to the asker why it is not possible to do what you are asking and he 'accepted' the first answer that told him to 'right-click' on a folder and change the Properties-Permissions.

You can load any application/program you want and the answer is still going to be the same.

A determined, knowledgeable Domain Administrator - with the right tools - is going to do anything he wants; as long as your computer is a member of the Domain.

You think you can install a FireWall and stop something?
All he has to do is change your password (or crack the existing one) and your FW is made out of Swiss Cheese.
If he's real nasty, he'll just re-configure your FW to give himself anonymous access and you'll be sitting there thinking you're protected when - in fact - you're wide open.

mikeleebrla has earned over a million points answering questions here and I'm a newbie with 300,000 - when you decide what you're going to do, please give our answers the credibility they deserve.
0
feesuAuthor Commented:
younghv,
Forget about preventing him from doing that. Isn't there any software that I can install that records all user IDs who access my PC and monitors what they actually do?
I'm sure there must be something like this! Plus, I don't think that every time he accesses my PC he will check whether I have installed such software or not, cuz I already have hundreds of applications installed on my PC.
0
younghvCommented:
feesu,
There are lots of programs that will 'log' activity on your computer - including the native 'audit' functions in the Windows OS.

All of these can be by-passed by an Admin who knows what he is doing. We (Domain Admins) have a giant list of applications we can run to monitor everything that is going on with a computer (including capturing your keystrokes) and it will never get recorded by any program you install.

My main point is that when you get sideways with the wrong Administrator, there is not much you can do about it.

If you Google the expression "computer network defense course" you will see what is available out there. I've been to at least 6 courses on that first page. A good administrator needs to know how the bad guys do what they do - if - they are going to have any chance of protecting their network.

Unfortunately, some of the folks attending those courses are not the good guys and the knowledge is readily available to anyone who wants it.

Wish I had a better answer for you, but until Higher Management wants to make some changes, you're going to have to live with this guy.

A final note. I am about the most paranoid guy around when it comes to protecting my computer - and I admit it.

Are you sure this (sneak peek) is going on, or are you just worried that it MAY happen?


Vic
0
maninblac1Commented:
In response to the above, I missed the "he's a "local" admin".
I thought he was a domain admin as well.

Then yes, if you're in a domain, there's nothing you can do.  He has all the privileges necessary to access your machine.  So your best defense is, don't have anything worth looking at.
He's not hacking your machine, he's simply using the privileges afforded to him, your company will address the issues of his access on a case by case basis.

If you want to keep him out, take the computer off the domain.  That's about all you can do.  And that's about it.  Though I doubt that's permitted.

As for not trusting him, well, he is your coworker, you should work on building a better trust relationship.

As for monitoring software, you're not likely going to find anything that will help you.  Keep all your important stuff in a single folder.  Get a zipping program, probably freeware, and do a quick pack with password protect for all your files, I suggest 14+ characters with triple or quadruple groups type groups.  Unless you have hundreds of megabytes of data you're afraid of him stealing.  This should only take 1-2 mins to pack and unpack before and after work.
0
mikeleebrlaCommented:
>>Isn't there any software that I can install that records all user IDs who access my PC and monitors what they actually do?
Again, this is not YOUR PC, it is a company PC.

>> Isn't there any software that I can install that records all user IDs who access my PC and monitors what they actually do?
Yes there is, but it is the ADMIN's job, not yours, to install such software. In fact, if any USER installed anything such as that on a PC on my network they would be terminated (and they have been). Think about it. Say you do put software that monitors what OTHER EMPLOYEES at your company do on THEIR PC (remember, it's not yours, it's the company's) and you capture admin passwords for example. Congratulations, you just got fired for essentially copying the manager's key to the building (network) without his knowledge.

0
mikeleebrlaCommented:
>>If you want to keep him out, take the computer off the domain.
This is grounds for disciplinary action to be taken against you in most companies.  Think about it, you are preventing your company from accessing THEIR computer.

>>Get a zipping program, probably freeware, and do a quick pack with password protect for all your files...

Again, this is grounds for disciplinary action since you are preventing the company from accessing THEIR files.

I think the real point you are missing here is this is NOT your PC and these are NOT your files.... they are both owned by the company and if they grant another employee (in this case the admin) the power to access THEIR data, they are completely within their right to do so.
0
maninblac1Commented:
I'm going to bow out of this thread now, before I "get in trouble again". I have no problems providing solutions like this, it is the responsibility of the user (namely you feesu) what they do with my information.  Just because I teach you how, doesn't mean you should.

But the consensus of this crowd is definitely right, when you start trying to lock people out of company stuff, you're playing with fire.
0
giltjrCommented:
--> I am a senior as well. And I am sure that the higher management doesn't accept that he goes into my PC without my permission, BUT who would ever know?!

Is this YOUR PC, or is it the Company's PC?  If you leave the company today, right now, does the PC go home with you or does it stay at the company?  If it goes home with you, then you have the right to install anything you want.  If it stays at the company, then it is NOT your PC and you have NO rights unless the company gives you them.

If it is the company's PC, unless you have some weird special policies, an admin does NOT need an individual user's permission to access a PC he is supposed to support.  That is his job.  By being an admin the company has given him the right to do this.  Depending on what the company does and the type of data that is stored on the company's PC there may be requirements that all access is logged.  But you can't be an admin of a PC that you are not allowed to access.

It's like being hired to drive a bus, but being told you can't get on the bus because a passenger doesn't like you, but you are still expected to drive it.

At my company, as with most, any user that installs non-authorized/approved software, or has non-approved/authorized files residing on their PC can be terminated on the spot.
0
Rich RumbleSecurity SamuraiCommented:
The event logs log who comes and goes on your pc. It logs their username and the pc they accessed it from, but not the IP of that pc. The windows firewall, under the advanced settings, connection settings there is a check box for logging all successful connections also, this will log the ip. If you are an admin of your pc, then you should be able to set these settings. If you have a complaint about his actions I'd suggest you take it up with the proper authority like a manager or an HR person. You can also turn of the default logging on M$ so the event logs will show you more detail about what he/she did while connected to your pc. There is a chance however that the event logs could be erased by that admin, you may want to install Snare, it will keep a copy of your logs also.
You can encrypt any data you do not wish him/her to view with TrueCrypt, and TrueCrypt also has the added benefit of eluding keystroke loggers, because you can specify a file as the unlock code, and all you do is use your mouse to navigate to that file, no keystrokes. http://www.truecrypt.org/docs/
The windows firewall doesn't have to be blocking to log successful connections but does have to be on.
-rich
0
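Reading the firewall's successful-connection log that Rich describes, as an added example (not code from this thread or from Microsoft): it pulls allowed inbound connections to the file-sharing and Remote Desktop ports out of the log, groups them by source address and counts those made outside working hours. The sample log, the addresses, the action names in ALLOWED_ACTIONS and the 08:00-18:00 window are constructed assumptions; the log identifies the connecting machine, not the user or the files touched.

```python
from collections import defaultdict
from datetime import datetime, time

# File sharing (139, 445) and Remote Desktop (3389).
WATCHED_PORTS = {139, 445, 3389}
# Action names meaning "connection allowed". They differ between Windows
# versions, so this set is an assumption to adjust for the log at hand.
ALLOWED_ACTIONS = {"OPEN", "OPEN-INBOUND", "ALLOW"}

# Constructed sample in the W3C-style layout the firewall writes
# (column names are taken from the #Fields header, not hard-coded).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2007-03-12 09:14:02 OPEN TCP 192.168.10.5 192.168.10.2 1045 445 - - - - - - - -
2007-03-12 12:30:41 OPEN-INBOUND TCP 192.168.10.57 192.168.10.5 2211 445 - - - - - - - -
2007-03-12 22:47:19 OPEN-INBOUND TCP 192.168.10.57 192.168.10.5 2290 445 - - - - - - - -
2007-03-12 22:47:25 OPEN-INBOUND TCP 192.168.10.57 192.168.10.5 2291 3389 - - - - - - - -
2007-03-13 03:02:10 DROP TCP 192.168.10.80 192.168.10.5 4010 445 48 S 1234 0 65535 - - -
2007-03-13 10:05:00 OPEN-INBOUND TCP 192.168.10.33 192.168.10.5 1500 80 - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # ignore truncated lines
                yield dict(zip(fields, values))


def inbound_connections(text, local_ip, ports=WATCHED_PORTS):
    """Return allowed connections whose destination is this workstation."""
    hits = []
    for entry in parse_log(text):
        if entry["action"] not in ALLOWED_ACTIONS or entry["dst-ip"] != local_ip:
            continue  # dropped traffic, or a connection we made outbound
        port = entry["dst-port"]
        if not port.isdigit() or int(port) not in ports:
            continue
        when = datetime.strptime(entry["date"] + " " + entry["time"],
                                 "%Y-%m-%d %H:%M:%S")
        hits.append({"when": when, "src": entry["src-ip"], "port": int(port)})
    return hits


def summarize(hits, day_start=time(8, 0), day_end=time(18, 0)):
    """Group hits by source address; count those outside working hours."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "after_hours": 0})
    for hit in hits:
        row = summary[hit["src"]]
        row["count"] += 1
        row["ports"].add(hit["port"])
        if not (day_start <= hit["when"].time() < day_end):
            row["after_hours"] += 1
    return dict(summary)


if __name__ == "__main__":
    report = summarize(inbound_connections(SAMPLE_LOG, "192.168.10.5"))
    for src, row in sorted(report.items()):
        print(src, row["count"], sorted(row["ports"]), row["after_hours"])
```

The source addresses it reports can then be matched against the workstation names recorded in the event log entries for the same times.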
feesuAuthor Commented:
Thank you all for all your replies!

AGAIN, the company's management does not allow a domain admin copying files from any user's PC! That has to be clear to mikeleebrla/giltjr

maninblac1,
Thanks for all the effort. There is nothing to worry about. I do confirm, that if i prove that my domain admin copied a single file from my machine without my permission, he will be in trouble!
0
mikeleebrlaCommented:
I hear you, but I have NEVER seen any company's computer use policy that says that an admin cannot view/copy files from a PC that they manage. It simply doesn't make sense.
0
giltjrCommented:
---> AGAIN, the company's management does not allow a domain admin copying files from any user's PC! That has to be clear to mikeleebrla/giltjr

Is it written policy?  If it is not a written policy and the admin's job responsibilities include managing your PCs, then he can read/copy or do whatever is needed in order for him to do his job.

I agree with mikeleebrla, I have NEVER seen or heard of a company where an admin does not have the authority to get to files on any of the computers he is responsible for.

Copying a file is different from viewing a file.  If a domain admin can't view files on your computer then how in the world is he supposed to verify that you are complying with company policy, which should be part of his job.

The only way you can prove he copied a file is to find where he copied it to.  If I map a drive to your hard drive and I open a document that physically resides on your computer, it looks no different than if I were to copy it.  Your computer (if you have software that logs it) will only show that I read the file.  It can't tell if I read it with a program to allow me to view it, or if I read it to copy it.

If you do have a written policy that states the system admin can't view/copy files then your management is not too bright.  Your company must not have a disaster recovery plan (a.k.a. a business continuity plan).  Especially if the only place the files exist is on your computer.



0
orangutangCommented:
Well, you really don't need to worry if your computer is secure. Make sure you have a good firewall such as Norton, McAfee, or ZoneAlarm and make sure you turn off the remote registry service and whatever else that may make it possible for someone to hack your PC.
0
feesuAuthor Commented:
mikeleebrla/giltjr,
This is getting funny over here! I am the one who is asking the question, and I am the one who works in this company. You guys keep preaching about something you might be thousands of miles away from! You don't have to hear of a company that has such a policy! You have no answer, just ignore my question. Thanks!
0
giltjrCommented:
O.K.  I will answer:

--> what can this admin do with my PC without having my permission

Technically he can do anything he wants.  The admin of a computer has full unrestricted rights to that computer.  Why? Because in order to perform the necessary functions of a system admin, they must have unrestricted rights.  Parts of the OS run with admin rights.  If you attempt to restrict the admin rights, your computer will stop working.

You can't tell the difference between reading a file and copying a file so if the admin has rights to read a file, say for backing it up, then you are in a very tough situation.  Because if he can back it up, more than likely he can restore it and restore it to someplace else.

If your company does really have a policy that states the admin of the system can't do "x", then need to enable auditing on every computer within the company and hire a 3rd party to review the audit logs to make sure the system admin does not do things he is not supposed to do.  

Please note that the system admin is the person that must enable/disable auditing.



0

mhtsCommented:
You also asked about monitoring -- essentially -- your own workstation. You can do this easily enough with a single user license of SpectorPro or SpectorCNE (or any other similar program).

http://www.spectorsoft.com/

Be sure to change the key-character sequence for viewing monitored activity from the out-of-the-box default to something only you know, set the viewing monitor activity password from out-of-the-box blank/empty/null to something only you know, configure your preferred monitoring settings, and then routinely view your workstation activity that Spector recorded/saved to see if anything was done that you don't recall doing or that was done during days or times-of-days while you weren't present. Be aware that the process of monitoring is paused/stopped while you are viewing monitored/recorded information IF you are viewing monitored information on the same machine that you are monitoring.

Even though Spector (and many other similar programs) are used for legitimate monitoring purposes, other people may use them for non-legit purposes. Therefore, some AV softwares may trigger/block it. So if you have Symantec AV (or another AV software) running, you will likely have to put in an exclusion to keep it from being blocked.

Hope That Helps!
-mike
Always remember to help the community help itself. If someone's answer solves your problem, be sure to accept their answer so that it gets into the solutions area asap.
0
younghvCommented:
mhts (mike),
I think we should be careful when recommending that someone load anything on an organization-owned computer.
This string of posts has frayed a few nerves, but the bottom line is that we aren't talking about someone's home computer, so the rules are a little different.

Personally, I'm just glad I don't have that situation to worry about.

Vic
0
mhtsCommented:
Vic,

Well said. Point should be taken by all, and in particular the original poster.

In our situation, we install those programs at company owner direction, and only after they have distributed an Acceptable Use Policy for Resources to all employees that has first been blessed by company counsel.

I made the assumption that the original poster would get an okay from company management and/or ownership before taking such action.

To the original poster: Be sure your supervisory/managerial staff and/or the principals/ownership of the company are aware of (a) your concerns about the other employee and (b) that they are okay with you monitoring your own workstation in the way described.

Hope That Helps!
-mike
Always remember to help the community help itself. If someone's answer solves your problem, be sure to accept their answer so that it gets into the solutions area asap.
0
younghvCommented:
mike,
Hoo Ahh!
Vic
0