Solved

Accessing data on company laptop after disgruntled user usurped control.

Posted on 2008-10-14
Last Modified: 2013-11-08
We have a user who works remotely from another site that had the domain admin password.  She disjoined the domain on her laptop several months ago.  She's decided to hold hostage proprietary information from the company and is not responding to requests for the company data.  She still VPNs in to the main site for email and to access file shares.  We need to regain access to her computer so the company can have access to the information she is holding hostage.

We can no longer access her admin share as she has disjoined the domain and she has changed the local admin password on her computer.  We are ready to let this employee go, but it is critical that we retrieve the company data off of her computer prior to terminating her.

Is there any way that we can still access the data on her computer via VPN if she is still connected to our site?  She is using Windows XP and we are using Windows 2003 Servers.
Question by:OAC Technology
12 Comments
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22716349
Theoretically you can access her PC while she is connected to the VPN. If you know her IP address you may be able to access the c$ share, but if she was an IT professional (since she has the domain admin password) she probably has the laptop locked down.

Make sure you put some VNC program on all of your laptops so you can get to them when they are connected to the internet.

I need to ponder this question some more.
 
LVL 5

Expert Comment

by:NutrientMS
ID: 22716376
You will need to have some local username and password for the computer.  Just try \\<VPN IP ADDY OF CLIENT>\

See if there are any shares available.
If not, try \c$ and try lots of passwords.

I would personally recommend that someone collect the laptop of the user in a surprise move the day of / before you terminate their employment.  Once you retrieve the laptop, use something like Hiren's Boot CD to change the local admin password and gain access back into the laptop.

Cheers.
 
LVL 18

Expert Comment

by:Johnjces
ID: 22717797
I concur that without a password for the c$ admin share, you are, well, up the creek.

Your company needs to have security and/or the police head to her home to physically retrieve the laptop. In most jurisdictions she has already committed a crime.

In Arizona one of the violations would be 13-2316. Computer tampering; venue; forfeiture; classification. I don't know where you live, but if in the US the police should provide a "civil standby" to keep the peace while your company's property is retrieved. They can't force it unless you charge her with theft.

DISCLAIMER: I am not an attorney. Seek counsel or the police before doing anything. But there are laws to help you here.

John
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22720169
Sounds like it may be her personal laptop, Johnjces. She just has proprietary information on it from using it at work. Hopefully the security and company policies account for this.
 
LVL 2

Author Comment

by:OAC Technology
ID: 22721362
Yes, it was a personal laptop.  If I try to access the C$ share over VPN, a prompt for username/password pops up.  The username is greyed out with "DELL\Guest" and password is blank.  I assume the guest account is disabled, since I don't believe any computers ship with it enabled.  I doubt it, but is there possibly any way to run a script that could force that computer to rejoin the domain on connection to the VPN?

Other ideas?

Thanks
 
LVL 18

Expert Comment

by:Johnjces
ID: 22721457
Ahh...

She is still committing a crime at least in AZ by withholding the proprietary information that belongs to others which is contained on her personal laptop.

Sorry... a case for company-owned laptops. AND if you try to get into her personal PC to get to even your company-owned info, you may also be breaking a law. You have a catch-22.

Seek counsel.

John

 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22723284
Have you tried cracking the password with software?
 
LVL 12

Accepted Solution

by:
michaelgoldsmith earned 500 total points
ID: 22723634
I spoke to a security specialist and we have come to the following conclusions:

1. If the employee has NOT been fired, and does NOT know that she is going to be fired, then your best bet is going to be to try to dupe her into giving you access to the laptop. Our ultimate scenario would be to tell her that you have had a security or virus breach, and that you are updating (or giving out) antivirus software on every computer that connects to the network. Tell her that you need to connect to her laptop to "push" the new software package out and install it (as per protocol, i.e., she cannot do it herself because you need to sign off on the installation). Once you get the laptop, get the info off it, delete it, etc. If she resists, threaten her with dismissal.

2. If all else fails, you can send her an email with a keystroke logger. Theoretically, when she is connected to the VPN you should be able to view her keystrokes and maybe get the password you need.
 
LVL 2

Author Comment

by:OAC Technology
ID: 22727858
We have Trend Micro antivirus on the computer. Are there keystroke loggers that would not set off alarms?

One other thought I had: is there a way to get a logon script or something to process when connecting via VPN?
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22730111
Nothing I know of. Make it seem like you need to upgrade Trend Micro to a newer version and get control of the laptop.
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 23307210
I believe that my answer was valid and researched via a security specialist.