Solved

Ethical Hacking

Posted on 2006-10-23
Last Modified: 2013-12-04
Experts,
I have a network administrator in my organization who has studied Ethical Hacking. I am a programmer, and I am not friends with that admin!

I don't know much about Ethical Hacking, and I want to know, what can this admin do with my PC without having my permission if I am on the same network? What are the limits? And is there a way to prevent him from doing that by installing some kind of software? Or if I cannot prevent him, at least how can I know that he hacked my PC?

I am running Windows XP workstation. Our file server is Windows 2003.
Question by:feesu

29 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 17787625
Hi feesu,
Depending on how well he understood the material presented (was it the "SANS" course?) there isn't going to be much you can do.
If he is working from a Domain Administrator-type account, and your computer is a member of the Domain, then by definition he can do (or undo) anything he wants.

With that account and the right knowledge or application, he can access anything he wants and delete any trace of his activity.

There is the possibility that you can turn on all of the 'Auditing' functions and re-direct the log output to an external source, but all he has to do is turn that off (remotely) before he starts.

If you have files that you don't want him to have access to, your best option is to get a large external drive and save all of your work there.

Good Luck,
Vic
0
 

Author Comment

by:feesu
ID: 17787757
Hi Vic,
Is he able to hack into my external drive while it is hooked to my PC while I'm on the network? Or do I need to disconnect the external storage whenever I'm done?
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 100 total points
ID: 17787792
Hi feesu,
The short answer is - yes he can.
You might consider something like the 40 GB (or larger) external USB drives.
All of my Techs carry them because they are frequently on the road and need immediate access to a wide variety of files (plus their email).
Ours are about the size of a deck of cards and fit in our Cargo Pockets.

The only time your data is safe from someone as you describe is when it is in your pocket.

Good Luck,
Vic
0
 
LVL 16

Assisted Solution

by:legalsrl
legalsrl earned 100 total points
ID: 17787988
Hi all,

Aha, the old ethical hacking debate......

To agree with Vic (younghv), yes, this guy can pretty much come and go as he pleases.....

Ethical hacking is pretty much called Penetration Testing over here, and we make a policy of never employing anyone who has studied an Ethical Hacking course.   There are lots of them available, Foundstone do a load of training courses on ethical hacking.

We sub-contract out our Penetration Testing as it's easier to have legal documents to cover the work we are instructed to carry out on behalf of a client.

The only way to really protect yourself is to unplug yourself from the network....

Obviously not always practical, but with Domain Admin privileges, he can do anything to your PC

You have to trust that your bosses trust him.....

Si
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17788647
1.  You both work for the same company, right?
2.  The PC you use for work is company owned, right?
3.  He is the network/PC admin for your company, right?
4.  He is 'allowed' to do/monitor whatever he is given permission to do by 'the company', i.e. your boss and his boss.
5.  Why are you so afraid of a network admin knowing what you do AT work?
6.  It is a MAJOR part of every admin's job to know what their users are doing on COMPANY PCs, since a) it is a company-owned asset and b) since the company is paying you, it is in their best interest to at least know how you are spending your time at work.

You are using the word "HACKING" here, but since it is a network and a PC that it is his JOB to manage, then it isn't hacking at all; he is simply doing his job. Hacking means UNAUTHORIZED use. Since he works for the company, it is more than likely authorized by the powers that be in your company to access PCs on the network.

>>There is the possibility that you can turn on all of the 'Auditing' functions and re-direct the log output to an external source, but all he has to do is turn that off (remotely) before he starts.

I'm sure that would be against company policy for obvious reasons; that would be grounds for instant termination in most companies.
1
 
LVL 9

Expert Comment

by:maninblac1
ID: 17788686
Well, if he's trained in "ethical" hacking, then you likely have nothing to worry about.  If he's going to break into your machine, he's going to do it, then gloat about it to your face to make sure you fix the problem.  As for what can he do, well.

If you are a pretty skilled user, you're probably already taking all the steps necessary.

His primary focus will depend on your OS.  In general, it's very difficult to just usurp file permissions; you have to root the system first before you can bypass this.  So if you're using NTFS, LINUX or UNIX, as long as your OS isn't exploitable, and you have no open network shares, then he can't have access to your files.  That's just how it works: file permissions are just that, and brute forcing it doesn't work.

So, he has to exploit your OS first so he can get admin access.  Depending on the OS, the programs being run, will dictate how easy or hard this is.

Now, something to keep in mind, is you're likely both using windows, and are likely on a domain.  So active directory gives you both admin level permissions for all levels below you, however a proper domain set up will exclude admins to overrun other admins, so hopefully that won't be a point of exploit.

Needless to say, I think you have nothing to worry about; unauthorized access, whether benign or not, in the IT world is a very severe offence and would likely get him fired.  No matter how easy the hacking world makes it seem, defeating modern operating systems is very difficult.

As for access to your external, if you're not sharing it, he shouldn't have access to it all, he likely wouldn't even know it exists.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17788782
>>As for access to your external, if you're not sharing it, he shouldn't have access to it all, he likely wouldn't even know it exists.

Wrong. If he logs into 'your' machine locally, it will show up.

Again, it isn't YOUR machine, it is the company's machine and they have EVERY right to know what you are doing with their equipment.

0
 
LVL 38

Expert Comment

by:younghv
ID: 17788784
maninblac1,
I have been fortunate enough to be sent to many "Network/Security" training courses (military and civilian) over the past 11 years.

There is NOTHING a local user can do (even with Local Admin privs) to stop a Domain Administrator from doing anything he wants on a 'member' computer.

There is no privilege restriction that can possibly be applied that will stop a Domain Administrator.

I've seen two posts in the last couple of days by folks who think some kind of 'configuration' can stop a Domain Administrator and you need to understand that it is not possible.

IF a local user could stop a Domain Administrator from doing his job (as mikeleebrla says), how could any company/entity have any kind of network security?

By definition, Domain Admins need total control of every device in the Domain - that is their job.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17788813
This (as mikeleebrla says) SHOULD have read (just as mikeleebrla is saying).

He and I agree completely on this.
Domain Admins have complete and total control over every device on the network ...
and they should, by virtue of their jobs.
0
 

Author Comment

by:feesu
ID: 17788914
Experts,
We do work for one company. He is an admin. The company has the right to know everything in the pc.
That's not my problem. My problem is that I don't trust him. I am a senior as well. And I am sure that the higher management doesn't accept that he goes into my PC without my permission, BUT who would ever know?! No one will, simply cuz he's the only Admin of the network...

He won't ever dare to ask me why I did anything on my PC that would prevent him from hacking through. I need - in worst case scenarios - a software that, if I install it on my PC, I would come to know whether this admin has come and taken any kind of action, like for example copying a source code of mine, or viewing a certain document that might be confidential.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17789086
feesu,
This string of posts is turning out just like the one last week.
A whole list of experts tried to explain to the asker why it is not possible to do what you are asking and he 'accepted' the first answer that told him to 'right-click' on a folder and change the Properties-Permissions.

You can load any application/program you want and the answer is still going to be the same.

A determined, knowledgeable Domain Administrator - with the right tools - is going to do anything he wants; as long as your computer is a member of the Domain.

You think you can install a FireWall and stop something?
All he has to do is change your password (or crack the existing one) and your FW is made out of Swiss Cheese.
If he's real nasty, he'll just re-configure your FW to give himself anonymous access and you'll be sitting there thinking you're protected when - in fact - you're wide open.

mikeleebrla has earned over a million points answering questions here and I'm a newbie with 300,000 - when you decide what you're going to do, please give our answers the credibility they deserve.
0
 

Author Comment

by:feesu
ID: 17789158
younghv,
Forget about preventing him from doing that. Isn't there any software that I install that records all user IDs who access my PC and monitors what they actually do?
I'm sure there must be something like this! Plus, I don't think that every time he accesses my PC he will check whether I have installed such a software or not cuz I already have got hundreds of applications installed on my PC.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17789280
feesu,
There are lots of programs that will 'log' activity on your computer - including the native 'audit' functions in the Windows OS.

All of these can be by-passed by an Admin who knows what he is doing. We (Domain Admins) have a giant list of applications we can run to monitor everything that is going on with a computer (including capturing your keystrokes) and it will never get recorded by any program you install.

My main point is that when you get sideways with the wrong Administrator, there is not much you can do about it.

If you Google the expression "computer network defense course" you will see what is available out there. I've been to at least 6 courses on that first page. A good administrator needs to know how the bad guys do what they do - if - they are going to have any chance of protecting their network.

Unfortunately, some of the folks attending those courses are not the good guys and the knowledge is readily available to anyone who wants it.

Wish I had a better answer for you, but until Higher Management wants to make some changes, you're going to have to live with this guy.

A final note. I am about the most paranoid guy around when it comes to protecting my computer - and I admit it.

Are you sure this (sneak peek) is going on, or are you just worried that it MAY happen?


Vic
0
 
LVL 9

Expert Comment

by:maninblac1
ID: 17789452
In response to the above, I missed the "he's a "local" admin".
I thought he was a domain admin as well.

Then yes, if you're in a domain, there's nothing you can do.  He has all the privileges necessary to access your machine.  So your best defense is, don't have anything worth looking at.
He's not hacking your machine, he's simply using the privileges afforded to him; your company will address the issues of his access on a case by case basis.

If you want to keep him out, take the computer off the domain.  That's about all you can do.  And that's about it.  Though I doubt that's permitted.

As for not trusting him, well, he is your coworker, you should work on building a better trust relationship.

As for monitoring software, you're not likely going to find anything that will help you.  Keep all your important stuff in a single folder.  Get a zipping program, probably freeware, and do a quick pack with password protect for all your files; I suggest 14+ characters with triple or quadruple groups type groups.  Unless you have hundreds of megabytes of data you're afraid of him stealing.  This should only take 1-2 mins to pack and unpack before and after work.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17789526
>>Isn't there any software that I install that records all user IDs who access my PC and monitors what they actually do?
Again, this is not YOUR PC, it is a company PC.

>> Isn't there any software that I install that records all user IDs who access my PC and monitors what they actually do?
Yes there is, but it is the ADMIN's job, not yours, to install such software. In fact, if any USER installed anything such as that on a PC on my network they would be terminated (and they have been). Think about it. Say you do put software that monitors what OTHER EMPLOYEES at your company do on THEIR PC (remember, it's not yours, it's the company's) and you capture admin passwords for example. Congratulations, you just got fired for essentially copying the manager's key to the building (network) without his knowledge.

0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17789659
>>If you want to keep him out, take the computer off the domain.
This is grounds for disciplinary action to be taken against you in most companies.  Think about it, you are preventing your company from accessing THEIR computer.

>>Get a zipping program, probably freeware, and do a quick pack with password protect for all your files...

Again, this is grounds for disciplinary action since you are preventing the company from accessing THEIR files.

I think the real point you are missing here is this is NOT your PC and these are NOT your files.... they are both owned by the company and if they grant another employee (in this case the admin) the power to access THEIR data, they are completely within their right to do so.
0
 
LVL 9

Expert Comment

by:maninblac1
ID: 17790342
I'm going to bow out of this thread now, before I "get in trouble again". I have no problems providing solutions like this; it is the responsibility of the user (namely you, feesu) what they do with my information.  Just because I teach you how, doesn't mean you should.

But the consensus of this crowd is definitely right: when you start trying to lock people out of company stuff, you're playing with fire.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17793115
--> I am a senior as well. And I am sure that the higher management doesn't accept that he goes into my PC without my permission, BUT who would ever know?!

Is this YOUR PC, or is it the Company's PC?  If you leave the company today, right now, does the PC go home with you or does it stay at the company?  If it goes home with you, then you have the right to install anything you want.  If it stays at the company, then it is NOT your PC and you have NO rights unless the company gives you them.

If it is the company's PC, unless you have some weird special policies, an admin does NOT need a individual user's permission to access a PC he is supposed to support.  That is his job.  By being an admin the company has given him the right to do this.  Depending on what the company does and the type of data that is stored on the company's PC there may be requirements that all access is logged.  But you can't be an admin of a PC that you are not allowed to access.  

It's like being hired to drive a bus, but being told you can't get on the bus because a passenger doesn't like you, but you are still expected to drive it.

At my company, as with most, any user that installs non-authorized/approved software, or has non-approved/authorized files residing on their PC can be terminated on the spot.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17795764
The event logs log who comes and goes on your pc. It logs their username and the pc they accessed it from, but not the IP of that pc. The windows firewall, under the advanced settings, connection settings there is a check box for logging all successful connections also, this will log the ip. If you are an admin of your pc, then you should be able to set these settings. If you have a complaint about his actions I'd suggest you take it up with the proper authority like a manager or an HR person. You can also turn of the default logging on M$ so the event logs will show you more detail about what he/she did while connected to your pc. There is a chance however that the event logs could be erased by that admin, you may want to install Snare, it will keep a copy of your logs also.
You can encrypt any data you do not wish him/her to view with TrueCrypt, and TrueCrypt also has the added benefit of eluding keystroke loggers, because you can specify a file as the unlock code, and all you do is use your mouse to navigate to that file, no keystrokes. http://www.truecrypt.org/docs/
The windows firewall doesn't have to be blocking to log successful connections but does have to be on.
-rich
0
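A sketch of how the firewall log described in the post above can be reviewed, added here as an example and not part of the original thread: it parses a Windows Firewall `pfirewall.log` using the log's own `#Fields:` header and lists successful inbound connections to file-sharing and remote-access ports, grouped by source address. The sample log, the workstation address `192.168.1.50`, the watched port list and the 08:00-18:00 working hours are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample in the layout Windows Firewall writes to pfirewall.log.
# All addresses are private-range placeholders, not real hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2006-10-23 09:14:02 OPEN TCP 192.168.1.50 192.168.1.10 1045 80 - - - - - - - -
2006-10-23 13:02:41 OPEN-INBOUND TCP 192.168.1.5 192.168.1.50 2711 445 - - - - - - - -
2006-10-23 13:09:10 CLOSE TCP 192.168.1.50 192.168.1.5 445 2711 - - - - - - - -
2006-10-23 21:47:03 OPEN-INBOUND TCP 192.168.1.5 192.168.1.50 2950 3389 - - - - - - - -
2006-10-23 22:15:30 DROP TCP 192.168.1.77 192.168.1.50 4022 445 48 S 123456 0 65535 - - -
2006-10-24 02:05:19 OPEN-INBOUND TCP 192.168.1.5 192.168.1.50 3104 445 - - - - - - - -
"""

# Destination ports worth reviewing on a workstation (assumed list for this example).
WATCHED_PORTS = {
    "135": "RPC",
    "139": "NetBIOS session",
    "445": "SMB file sharing",
    "3389": "Remote Desktop",
}


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) < len(fields):
                continue  # truncated entry, e.g. the log was cut mid-write
            rec = dict(zip(fields, values))
            rec["when"] = datetime.strptime(
                rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def inbound_admin_connections(records, local_ip):
    """Successful (OPEN*) connections aimed at this PC on a watched port."""
    return [r for r in records
            if r["action"].startswith("OPEN")
            and r["dst-ip"] == local_ip
            and r["dst-port"] in WATCHED_PORTS]


def summarise(connections, day_start=time(8, 0), day_end=time(18, 0)):
    """Group by source IP and single out connections outside working hours."""
    summary = defaultdict(lambda: {"total": 0, "after_hours": []})
    for r in connections:
        entry = summary[r["src-ip"]]
        entry["total"] += 1
        if not (day_start <= r["when"].time() < day_end):
            entry["after_hours"].append((r["when"], WATCHED_PORTS[r["dst-port"]]))
    return dict(summary)


if __name__ == "__main__":
    hits = inbound_admin_connections(parse_firewall_log(SAMPLE_LOG), "192.168.1.50")
    for src, info in summarise(hits).items():
        print(src, "successful inbound connections:", info["total"])
        for when, service in info["after_hours"]:
            print("  outside working hours:", when, service)
```

The firewall log gives only addresses and ports; matching its timestamps against the Security event log entries supplies the username and source workstation that the post mentions.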
 

Author Comment

by:feesu
ID: 17796830
Thank you all for all your replies!

AGAIN, the company's management does not allow a domain admin copying files from any user's PC! That has to be clear to mikeleebrla/giltjr

maninblac1,
Thanks for all the effort. There is nothing to worry about. I do confirm that if I prove that my domain admin copied a single file from my machine without my permission, he will be in trouble!
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17796927
I hear you, but I have NEVER seen any company's computer use policy that says that an admin cannot view/copy files from a PC that they manage. It simply doesn't make sense.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17797105
---> AGAIN, the company's management does not allow a domain admin copying files from any user's PC! That has to be clear to mikeleebrla/giltjr

Is it written policy?  If it is not a written policy and the admin's job responsibilities include managing your PCs, then he can read/copy or do whatever is needed in order for him to do his job.

I agree with mikeleebrla, I have NEVER seen or heard of a company where an admin does not have the authority to get to files on any of the computers he is responsible for.

Copying a file is different from viewing a file.  If a domain admin can't view files on your computer then how in the world is he supposed to verify that you are complying with company policy, which should be part of his job?

The only way you can prove if he copied a file is to find where he copied it to.  If I map a drive to your hard drive and I open a document that physically resides on your computer, it looks no different than if I were to copy it.  Your computer (if you have software that logs it) will only show that I read the file.  It can't tell if I read it with a program to allow me to view it, or if I read it to copy it.

If you do have a written policy that states the system admin can't view/copy files then your management is not too bright.  Your company must not have a disaster recovery plan (a.k.a. a business continuity plan).  Especially if the only place the files exist is on your computer.



0
 
LVL 22

Expert Comment

by:orangutang
ID: 17816622
Well, you really don't need to worry if your computer is secure. Make sure you have a good firewall such as Norton, McAfee, or ZoneAlarm and make sure you turn off the remote registry service and whatever else that may make it possible for someone to hack your PC.
0
 

Author Comment

by:feesu
ID: 17819797
mikeleebrla/giltjr,
This is getting funny over here! I am the one who is asking the question, and I am the one who works in this company. You guys keep preaching in something you might be thousands of miles far from! You don't have to hear of a company that has such a policy! You have no answer, just ignore my question. Thanks!
0
 
LVL 57

Accepted Solution

by:
giltjr earned 100 total points
ID: 17820298
O.K.  I will answer:

--> what can this admin do with my PC without having my permission

Technically he can do anything he wants.  The admin of a computer has full unrestricted rights to that computer.  Why, because in order to perform the necessary functions of a system admin, they must have unrestricted rights.  Parts of the OS run with admin rights.  If you attempt to restrict the admin rights, your computer will stop working.

You can't tell the difference between reading a file and copying a file so if the admin has rights to read a file, say for backing it up, then you are in a very tough situation.  Because if he can back it up, more than likely he can restore it and restore it to someplace else.

If your company does really have a policy that states the admin of the system can't do "x", then need to enable auditing on every computer within the company and hire a 3rd party to review the audit logs to make sure the system admin does not do things he is not supposed to do.  

Please note that the system admin is the person that must enable/disable auditing.



0
 
LVL 3

Assisted Solution

by:mhts
mhts earned 200 total points
ID: 18193846
You also asked about monitoring -- essentially -- your own workstation. You can do this easily enough with a single user license of SpectorPro or SpectorCNE (or any other similar program).

http://www.spectorsoft.com/

Be sure to change the key-character sequence for viewing monitored activity from the out-of-the-box default to something only you know, set the viewing monitor activity password from out-of-the-box blank/empty/null to something only you know, configure your preferred monitoring settings, and then routinely view your workstation activity that Spector recorded/saved to see if anything was done that you don't recall doing or that was done during days or times-of-days while you weren't present. Be aware that the process of monitoring is paused/stopped while you are viewing monitored/recorded information IF you are viewing monitored information on the same machine that you are monitoring.

Even though Spector (and many other similar programs) are used for legitimate monitoring purposes, other people may use them for non-legit purposes. Therefore, some AV softwares may trigger/block it. So if you have Symantec AV (or another AV software) running, you will likely have to put in an exclusion to keep it from being blocked.

Hope That Helps!
-mike
Always remember to help the community help itself. If someone's answer solves your problem, be sure to accept their answer so that it gets into the solutions area asap.
0
 
LVL 38

Expert Comment

by:younghv
ID: 18194923
mhts (mike),
I think we should be careful when recommending that someone load anything on an organization-owned computer.
This string of posts has frayed a few nerves, but the bottom line is that we aren't talking about someone's home computer, so the rules are a little different.

Personally, I'm just glad I don't have that situation to worry about.

Vic
0
 
LVL 3

Expert Comment

by:mhts
ID: 18194929
Vic,

Well said. Point should be taken by all, and in particular the original poster.

In our situation, we install those programs at company owner direction, and only after they have distributed an Acceptable Use Policy for Resources to all employees that has first been blessed by company counsel.

I made the assumption that the original poster would get an okay from company management and/or ownership before taking such action.

To the original poster: Be sure your supervisory/managerial staff and/or the principals/ownership of the company are aware of (a) your concerns about the other employee and (b) that they are okay with you monitoring your own workstation in the way described.

Hope That Helps!
-mike
Always remember to help the community help itself. If someone's answer solves your problem, be sure to accept their answer so that it gets into the solutions area asap.
0
 
LVL 38

Expert Comment

by:younghv
ID: 18194937
mike,
Hoo Ahh!
Vic
0
