Solved

Accessing data on company laptop after disgruntled user usurped control.

Posted on 2008-10-14
Last Modified: 2013-11-08
We have a user who works remotely from another site that had the domain admin password.  She disjoined the domain on her laptop several months ago.  She's decided to hold hostage proprietary information from the company and is not responding to requests for the company data.  She still VPNs in to the main site for email and to access file shares.  We need to regain access to her computer so the company can have access to the information she is holding hostage.

We can no longer access her admin share as she has disjoined the domain and she has changed the local admin password on her computer.  We are ready to let this employee go, but it is critical that we retrieve the company data off of her computer prior to terminating her.

Is there any way that we can still access the data on her computer via VPN if she is still connected to our site?  She is using Windows XP and we are using Windows 2003 Servers.
0
Question by:DataDudes
12 Comments
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22716349
Theoretically you can access her PC while she is connected to the VPN. If you know her IP address you may be able to access the c$ share, but if she was an IT professional (since she has the domain admin password) she probably has the laptop locked down.

Make sure you put some VNC program on all of your laptops so you can get to them when they are connected to the internet.

I need to ponder this question some more.
0
 
LVL 5

Expert Comment

by:NutrientMS
ID: 22716376
You will need to have some local username and password for the computer.  Just try \\<VPN IP ADDY OF CLIENT>\

See if there are any shares available.
If not, try \c$ and try lots of passwords.

I would personally recommend that someone collects the laptop of the user in a surprise move the day of / before you terminate their employment.  Once you retrieve the laptop, use something like Hiren's Boot CD to change the local admin password and gain access back into the laptop.

Cheers.
0
 
LVL 18

Expert Comment

by:Johnjces
ID: 22717797
I concur that without a password for the c$ admin share, you are, well, up the creek.

Your company needs to have security and/or the police head to her home to physically retrieve the laptop. In most jurisdictions she has already committed a crime.

In Arizona one of the violations would be 13-2316. Computer tampering; venue; forfeiture; classification. I don't know where you live, but if in the US the police should provide a "civil standby" to keep the peace while your company's property is retrieved. They can't force it unless you charge her with theft.

DISCLAIMER: I am not an attorney. Seek counsel or the police before doing anything. But there are laws to help you here.

John
0
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22720169
Sounds like it may be her personal laptop, Johnjces. She just has proprietary information on it from using it at work. Hopefully the security and company policies account for this.
0
 
LVL 2

Author Comment

by:DataDudes
ID: 22721362
Yes, it was a personal laptop.  If I try to access the C$ share over VPN, a prompt for username/password pops up.  The username is greyed out with "DELL\Guest" and password is blank.  I assume the guest account is disabled, since I don't believe any computers ship with it enabled.  I doubt it, but is there possibly any way to run a script that could force that computer to rejoin the domain on connection to the VPN?

Other ideas?

Thanks
0
 
LVL 18

Expert Comment

by:Johnjces
ID: 22721457
Ahh...

She is still committing a crime, at least in AZ, by withholding the proprietary information that belongs to others which is contained on her personal laptop.

Sorry... a case for company-owned laptops. AND if you try to get into her personal PC to get to even your company-owned info, you may also be breaking a law. You have a catch-22.

Seek counsel.

John

0
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22723284
Have you tried cracking the password with software?
0
 
LVL 12

Accepted Solution

by:michaelgoldsmith (earned 500 total points)
ID: 22723634
I spoke to a security specialist and we have come to the following conclusions:

1. If the employee has NOT been fired, and does NOT know that she is going to be fired, then your best bet is going to be to try to dupe her into giving you access to the laptop. Our ultimate scenario would be to tell her that you have had a security or virus breach, and that you are updating (or giving out) antivirus software on every computer that connects to the network. Tell her that you need to connect to her laptop to "push" the new software package out and install it (as per protocol, i.e., she cannot do it herself because you need to sign off on the installation). Once you get the laptop, get the info off it, delete it, etc. If she resists, threaten her with dismissal.

2. If all else fails, you can send her an email with a keystroke logger. Theoretically, when she is connected to the VPN you should be able to view her keystrokes and maybe get the password you need.
0
 
LVL 2

Author Comment

by:DataDudes
ID: 22727858
We have Trend Micro antivirus on the computer; are there keystroke loggers that would not set off alarms?

One other thought I had: is there a way to get a logon script or something to process when connecting via VPN?
0
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 22730111
Nothing I know of. Make it seem like you need to upgrade Trend Micro to a newer version and get control of the laptop.
0
 
LVL 12

Expert Comment

by:michaelgoldsmith
ID: 23307210
I believe that my answer was valid and researched via a security specialist.
0
