Solved

Securing server 2008 R2 along with UC520 Cisco firewall

Posted on 2012-03-27
Last Modified: 2012-04-02
I have been running this network for the past five years. Yesterday the new vice president of our company said we had to “turn our network over” to a Linux certified technician who flew into town. After giving him the network passwords, I informed the owner of our company about the passwords being given to the new vice president. She told me he should NOT have these and is changing everything in the network against the owner’s will. Now I am doing everything I can to try and secure the server. I have changed every user account password, verified that all users belong to appropriate groups, and elevated UAC. Last night in the event viewer there were 1000s of failed attempts to log in through the web. This was done from multiple IP addresses. All my firewall rules were gone from the firewall. I set all the firewall rules up again and the attack was still happening. My question is: how can I stop this attack and secure my network? And can I track where this attack is coming from?
Question by:ryanva
 
LVL 17

Expert Comment

by:WORKS2011
I'd be worried he created a new admin user account or changed them across the network. You can download PsPasswd to reset admin accounts throughout the network. It's a start.

I've downloaded BelArc (which some people don't recommend), but I've not had problems with it for the part you would use. It will give you the admin accounts on the server and show when they were last accessed; ones you're not familiar with I would disable. Remember they may be associated with a service, so keep an eye on this. To be safe, disable, don't delete.

What type of firewall?
 
LVL 17

Expert Comment

by:WORKS2011
sorry...I see you have a UC520 Cisco firewall.

Save the config (just in case), then wipe it out and start from scratch. Don't just delete the rules; reset everything, config included. This way you'll ensure remote access is not enabled and you didn't overlook something.

Regarding attacks, is this something you came across because you were looking and noticed it for the first time, or is it new and you've always monitored? Attacks can be common; keeping them at bay can be a cat and mouse game. I usually track the IP down to see where it's coming from. Sometimes they're not attacks and you'll find they're routers from a telecom or something like this. Are they user accounts or service accounts? Can you provide more information about them?
 

Author Comment

by:ryanva
Yeah, we have done BelArc and everything looks good. I will try PsPasswd, thanks.
 
LVL 15

Expert Comment

by:The_Warlock
Some questions about this....
1) These "attacks" that you speak of... Are there remote users accessing this network? If so, has the new VP changed or deleted config lines? Maybe these aren't attacks and simply authorized users attempting to access the corp. network but cannot due to changes in the FW.

2) You should have reviewed the running config and compared it with the startup config to see what changes actually took place, or looked in your logs.

3) What type of authentication are you using?

4) You can trace IPs to owners and/or service providers.

These are some things to maybe consider. Also, it's a general rule that executives (new VP) typically don't need, nor will they ask for, access to command line or configuration info on ANY network device. If something is needed and/or requested, you can always print out the associated info for their viewing pleasure. In addition, you typically NEVER give any outside vendor complete access to your network. It's a security risk and usually leads to this type of trouble. Hope this helps.
 

Author Comment

by:ryanva
@The_Warlock

1) These attacks were authentication failures with domain users and invalid accounts such as console, admin, administrator, user, etc. The network had been locked down and all ports to the outside other than SMTP to a mail filtering appliance had been shut down in the firewall. The following day I was setting up a user to VPN in to be able to securely access our terminal server, and when I went to add the VPN user in the CLI I saw that the entire firewall rule for the outside interface had been removed. Also the crypto key had been removed.

2) I did not think at the time to compare the running config and the startup config as my priority was locking the router down. A security audit was done on the router and all items were fixed.

3) Not sure what you are asking here? Windows or Cisco? Windows is Kerberos, Cisco is the default.

4) Every IP address that we are being hit by is different each time.

I definitely understand the point of never giving out the access info. There was a clear understanding that another vendor was to perform a full systems and security audit and that I was to provide him with full access to the system. He also kept pressing, saying that the owners should always have all of the admin passwords and trying to say that I wasn't doing my job since that had not been provided to them. I primarily deal with SMBs and have them in support contracts, so that information is normally not provided unless they ask.

Some additional background:

The day that this guy came on he brought in 4 computers: (2) PCs, an iMac and a Mac server. These devices were approved by the president and authorization was given to allow access to the wireless network. I have no idea what is on any of these computers but believe that they may be being used to exploit security vulnerabilities on the internal network for some unknown gain. I am working diligently to maintain security on the internal network, which is my primary objective at the moment. Is there any way to see if any of his devices are carrying out attacks internally? I am concerned because every day he is pushing harder to get me out of there and it seems obvious that I am somehow standing in the way of whatever he is trying to do.
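An added example (not code from the thread or from any of its participants) for the question of where the failed logons came from: it parses Windows Security event 4625 ("An account failed to log on") records, which 2008 R2 writes for exactly the failures described above, and aggregates them per source address and per account so that a sweep of generic names (admin, console, user) against non-existent accounts stands out from an internal user mistyping a password. The flattened one-record-per-line format and every address and name in SAMPLE_LOG are constructed; only the event ID, field names and Sub Status codes are the real Windows values.

```python
import re
from collections import Counter

# Sub Status values Windows records in Security event 4625 (2008 R2 included).
SUBSTATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
}

# Constructed sample (not from the thread): one 4625 record per line, flattened
# the way an Event Viewer export or a Get-WinEvent dump can be written out.
SAMPLE_LOG = """\
4625|2012-03-26T23:01:02|Account Name: admin|Logon Type: 3|Sub Status: 0xC0000064|Source Network Address: 203.0.113.7
4625|2012-03-26T23:01:03|Account Name: administrator|Logon Type: 3|Sub Status: 0xC000006A|Source Network Address: 203.0.113.7
4625|2012-03-26T23:01:04|Account Name: console|Logon Type: 3|Sub Status: 0xC0000064|Source Network Address: 203.0.113.7
4625|2012-03-26T23:01:05|Account Name: user|Logon Type: 3|Sub Status: 0xC0000064|Source Network Address: 198.51.100.22
4625|2012-03-26T23:01:06|Account Name: jsmith|Logon Type: 10|Sub Status: 0xC000006A|Source Network Address: 192.168.10.41
4625|2012-03-26T23:01:07|Account Name: admin|Logon Type: 3|Sub Status: 0xC0000064|Source Network Address: 198.51.100.22
4625|2012-03-26T23:01:08|Account Name: administrator|Logon Type: 3|Sub Status: 0xC000006A|Source Network Address: 198.51.100.22
"""

FIELDS = re.compile(
    r"Account Name: (?P<user>\S+)\|Logon Type: (?P<ltype>\d+)\|"
    r"Sub Status: (?P<sub>0x[0-9A-Fa-f]+)\|Source Network Address: (?P<ip>\S+)"
)

def parse_4625(text):
    """Return one dict per 4625 record; other event IDs (e.g. 4624 success) are skipped."""
    events = []
    for line in text.splitlines():
        if line.startswith("4625|"):
            m = FIELDS.search(line)
            if m:
                events.append(m.groupdict())
    return events

def summarize(events, threshold=3):
    """Count failures per source IP and per account, flag IPs at or over the threshold,
    and count attempts against accounts that do not exist (the mark of a scripted sweep)."""
    per_ip = Counter(e["ip"] for e in events)
    per_user = Counter(e["user"] for e in events)
    unknown = sum(1 for e in events if SUBSTATUS.get(e["sub"]) == "user name does not exist")
    return {
        "per_ip": dict(per_ip),
        "per_user": dict(per_user),
        "flagged_ips": sorted(ip for ip, n in per_ip.items() if n >= threshold),
        "unknown_accounts": unknown,
    }
```

Logon Type 3 is a network logon (the web/IIS or SMB path in the question) and 10 is RDP; the flagged external sources are the ones to block at the UC520 and look up with whois, while the single internal 192.168.x failure with a real account name is the kind a legitimate user produces.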
 
LVL 17

Accepted Solution

by:WORKS2011 (earned 500 total points)
Try Colasoft; you can download it here. I had to battle it out with someone like you're talking about and they were eventually terminated. This software will tell you nearly everything happening on the network. They have a good trial period too.
 

Author Closing Comment

by:ryanva
The attacks have stopped. There wasn’t a for sure answer on what stopped them. Thanks for all the tips.