• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 546

sbs2008

Hi

Not sure how to phrase the question, but I cannot be the first in this situation?
I am taking over supporting an SBS 2008 x64 server-based network because my client is unhappy about my predecessor's performance.
Basically I need to secure the server/network and want to check all the avenues by which they may try to cause malicious damage or indeed lock me (and/or my clients) out of the network.

For those with any morals (assuming we are in the majority), there is no issue about outstanding payment for work done.
Asked: cpmcomputers
1 Solution
 
Syed Mutahir Ali (Technology Consultant) commented:
Well, what I can think of:

a) Change the router / firewall password straight away
b) Change the SBS Network Administrator Password via the SBS Console
c) Change all user passwords too
d) If you have a firewall, then only allow RDP access from a trusted Public IP source

We had this issue once and we configured a WatchGuard firewall to allow RDP traffic from one public IP only and then monitored whether we were getting requests from somewhere else too.

Before any of the above, take a full backup to external storage;
you can also export all your mailboxes to PSTs on a separate drive.
Copy any data over to another storage device and secure it.

Once you have made a backup, then start changing passwords across the board, from Admins to all users

The first thing to do is to change the router/firewall password, and check the policies on the firewall to make sure there is nothing they have created which may allow them to be part of the network.


Syed Mutahir Ali (Technology Consultant) commented:
What router/firewall do they use?
How many users?
Are you supporting them remotely or are you on-site?

cpmcomputers (Author) commented:
Thanks for your input - all useful stuff that I have followed.

What I was really after was: is there a simple way to "audit" how external users can access an SBS 2008 server,
and how I can log/prevent those connections?

Seems the answer, as with most things Microsoft, is NO?
Syed Mutahir Ali (Technology Consultant) commented:
Well, if you have control over your firewall and it offers a traffic monitor/syslog, you may well be able to see what traffic is entering and from where.

On the server itself you can use netstat -na | more
to check which foreign IPs are making connections to your server.

You can also check your Event Viewer:
http://www.windowsecurity.com/articles/Logon-Types.html

Logon Type 0 = System Only
Logon Type 1 = unknown
Logon Type 2 = Interactive Logon
Logon Type 3 = Network
Logon Type 4 = Batch
Logon Type 5 = Service
Logon Type 6 = (proxy logon)
Logon Type 7 = Unlock Workstation
Logon Type 8 = Network Clear Text
Logon Type 9 = New Credentials
Logon Type 10 = Remote Interactive (Windows XP and newer operating systems only).
Logon Type 11 = Cached Interactive

Also, if all passwords are changed then you are safe in the sense that if they were to attempt to connect you would be able to see their IP address and requests for 3389 being denied on the server; you can then check your event logs and match the time/date with the logon type to make sure it was this IP which was being rejected.
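To make the netstat and logon-type checks in the answer above repeatable, here is an added example (not code from this thread or from the commenter). It assumes PowerShell 2.0 or later running elevated on the SBS 2008 box; the logon-type names are the ones listed above, and the private-address ranges are RFC 1918.

```powershell
# Added example, not code from this thread: make the netstat and logon-type checks
# above repeatable on SBS 2008. Assumes PowerShell 2.0 or later, run elevated on the
# server. Output is live data from the box; nothing here is sample data.
$LogonTypes = @{ 2="Interactive"; 3="Network"; 4="Batch"; 5="Service"; 7="Unlock";
                 8="NetworkCleartext"; 9="NewCredentials"; 10="RemoteInteractive"; 11="CachedInteractive" }

function Test-PrivateIp([string]$ip) {
    # RFC 1918, loopback, link-local, and the "-" / empty placeholders Windows logs for local logons
    return ($ip -match '^$|^-$|^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:)')
}

# 1. Established TCP sessions whose peer is outside the LAN (what "netstat -na" shows by hand)
function Get-ExternalSessions {
    netstat -ano | Where-Object { $_ -match '^\s*TCP\s+' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'                          # Proto Local Foreign State PID
        $peer = ($f[2] -replace ':\d+$', '').Trim('[', ']')  # strip port and IPv6 brackets
        if ($f[3] -eq 'ESTABLISHED' -and -not (Test-PrivateIp $peer)) {
            $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{ Local=$f[1]; Peer=$peer; PID=$f[4]; Process=$proc.Name }
        }
    }
}

# 2. Logon events (4624 success, 4625 failure) from the Security log, with logon type
#    and source address pulled out of the event XML; only non-LAN sources are kept
function Get-RemoteLogons([int]$Hours = 24) {
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $type = [int]$d['LogonType']
        if (-not (Test-PrivateIp $d['IpAddress'])) {
            $result = 'FAILED'
            if ($_.Id -eq 4624) { $result = 'SUCCESS' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Result  = $result
                User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Type    = "$type ($($LogonTypes[$type]))"
                Source  = $d['IpAddress']
                Station = $d['WorkstationName']
            }
        }
    }
}

Get-ExternalSessions | Format-Table Peer, Local, Process, PID -AutoSize
Get-RemoteLogons -Hours 24 | Sort-Object Time | Format-Table Time, Result, User, Type, Source, Station -AutoSize
```

A run of type 10 FAILED rows from one public address is exactly the "requests for 3389 being denied" pattern described above; a type 3 or 10 SUCCESS row from an unknown address after the password change is the one to act on.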
Syed Mutahir Ali (Technology Consultant) commented:
Check your Windows Security event log too.
cpmcomputers (Author) commented:
Thanks for this.
I have (so far) changed the external IP address of the server via the ISP (they are monitoring/logging traffic on the new and old connections),
changed all user passwords,
disabled all unused user accounts,
changed the firewall password,
disabled any unrequired inbound ports.

Despite the change in the external IP address, the offender was still apparently able to get onto the server (it logged me off as a result of their connection). Not sure how this is possible, but it would appear the leakage was possibly a result of a Kaseya agent (remote monitoring software); not sure if this issues some kind of dynamic DNS back to an external host?

However, I will monitor the server over next 24 hrs and come back to you.

Syed Mutahir Ali (Technology Consultant) commented:
Yes, uninstall all programs they may have installed, like the Kaseya agent, TeamViewer, LogMeIn and others;
You can also threaten them with legal action, as once the contract has been cancelled by the customer with valid reasons they have no right to access the boxes; they were paid for everything they did and the customer wasn't happy, so now they have NO right whatsoever;
What firewall/router do you have?
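Pulling together the password/account advice from the first answer and the agent removal here, an added example (not code from this thread or from the commenter) that lists the routes a former provider could still use into the domain. It assumes a domain admin session under PowerShell 2.0 on the SBS 2008 server, a constructed 90-day "unused" threshold, and a product-name pattern you extend yourself; it uses ADSI because Server 2008 (non-R2) has no ActiveDirectory module.

```powershell
# Added example, not code from this thread: list the routes a former provider could
# still use into an SBS 2008 domain. Assumes it runs as a domain admin on the server
# under PowerShell 2.0; ADSI is used because Server 2008 has no ActiveDirectory module.
$StaleDays    = 90      # assumption: no logon in 90 days counts as "unused"
$DisableStale = $false  # set to $true to disable (never delete) the stale accounts found
$cutoff   = (Get-Date).AddDays(-$StaleDays).ToFileTime()
$domainDn = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"

# 1. Members of the full-control groups: anyone here can lock you out.
"== Privileged group members =="
foreach ($grp in "CN=Domain Admins,CN=Users", "CN=Enterprise Admins,CN=Users", "CN=Administrators,CN=Builtin") {
    $g = [ADSI]"LDAP://$grp,$domainDn"
    foreach ($m in $g.member) { "{0,-18} {1}" -f $grp.Split(',')[0].Substring(3), $m }
}

# 2. Enabled accounts with no logon since the cutoff. The LDAP matching rule excludes
#    ACCOUNTDISABLE (bit 2 of userAccountControl). lastLogonTimestamp replicates with
#    up to 14 days of slack, so treat the output as a shortlist, not proof.
"== Enabled accounts with no logon in $StaleDays days =="
$s = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
$s.PageSize = 500
$s.PropertiesToLoad.AddRange(@("sAMAccountName", "lastLogonTimestamp"))
foreach ($r in $s.FindAll()) {
    $name = $r.Properties["samaccountname"][0]
    $last = 0L
    if ($r.Properties["lastlogontimestamp"].Count -gt 0) { $last = [int64]$r.Properties["lastlogontimestamp"][0] }
    if ($last -lt $cutoff) {
        $when = "never"
        if ($last -ne 0) { $when = [DateTime]::FromFileTime($last).ToShortDateString() }
        "{0,-18} last logon: {1}" -f $name, $when
        if ($DisableStale) {
            $u = $r.GetDirectoryEntry()
            $uac = [int]"$($u.userAccountControl)"        # read current flags as a plain int
            $u.userAccountControl = $uac -bor 2           # set ACCOUNTDISABLE, keep other flags
            $u.SetInfo()
        }
    }
}

# 3. Remote-control agents that call out to a third party (the Kaseya case above):
#    check the 64-bit and 32-bit uninstall hives and the running services.
"== Remote-access software =="
$pattern = "Kaseya|TeamViewer|LogMeIn|VNC|GoToAssist"   # extend with whatever you expect to find
$hives = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
         "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
Get-ItemProperty $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    ForEach-Object { "installed: {0} {1}" -f $_.DisplayName, $_.DisplayVersion }
Get-Service | Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
    ForEach-Object { "service:   {0} ({1})" -f $_.DisplayName, $_.Status }
```

Run it once before the password reset to capture the baseline and once after the agent uninstall to confirm nothing in section 3 survived.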
cpmcomputers (Author) commented:
Uninstalled the agent - this seems to have done the trick.
Fully agree with your comments re access.

I have just taken on supporting this client, so the configuration is not really where I want it to be.
The network uses a Netgear router as its default gateway and the single SBS 2008 server sits inside the network on a single NIC. The firewall on the server is not enabled?

I am new to SBS 2008 but am totally familiar with SBS 2003. My usual configuration would be to have two NICs (one on an external IP connected to the router and one on the internal LAN) with Microsoft ISA sitting between them as a firewall.

It appears Microsoft have removed ISA from SBS 2008 - seems a retro step to me?
I would be interested in your thoughts about how I could tighten (some might say introduce!) security.
Syed Mutahir Ali (Technology Consultant) commented:
It is not recommended to have dual NICs on SBS 2008:

http://blogs.technet.com/sbs/archive/2008/09/16/sbs-2008-supported-networking-topology.aspx
What I would suggest is to implement a WatchGuard X20E firewall; upgrade it to the latest XTM OS 11.2, first lock down everything and then create allow rules depending on your requirements. I have recently used it with WatchGuard System Manager and was very impressed.
Look out for any accounts in your AD which you think are suspicious and disable them (do not delete), and see if that affects your services or anything, to narrow things down.
But I think you are good now as you have changed the external IP address; also check with your DNS host (public DNS) whether the other company made any other records;
you can use MXToolbox to do a port scan on your domain too.
A WatchGuard X20E with a 2-year UTM subscription would cost around £500, I think.
cpmcomputers (Author) commented:
Thanks for the advice and assistance.
I will put this as a (preferred) option to my client (their chequebook, not mine).

Is there any merit in enabling the SBS 2008 firewall in the recommended configuration? Looks like it would cause more trouble than it's worth.
Syed Mutahir Ali (Technology Consultant) commented:
Well, I have always switched it off whenever I do SBS or Windows Server 2008 installs;

I always recommend a good firewall on the perimeter, and then block all and allow on requirement.

WatchGuard provides a good UTM subscription, which gives you SMTP, HTTP and HTTPS proxies and web content filtering too.

Have a look at DrayTek products, especially the DrayTek 2950 and DrayTek 5510; they are very good and robust too, with a robust firewall, but WatchGuard is a bit better in the sense that it has a neat interface for configuring policies;

I would suggest recommending it as critical for the client to get a firewall; see www.broadbandbuyer.co.uk and get a WatchGuard X20E.
How many users do you have at this site? Number of PCs?