Securing Server 2008 R2 along with UC520 Cisco firewall

Posted on 2012-03-27
Last Modified: 2012-04-02
I have been running this network for the past five years. Yesterday the new vice president of our company said we had to “turn our network over” to a Linux-certified technician who flew into town. After giving him the network passwords, I informed the owner of our company about the passwords being given to the new vice president. She told me he should NOT have these and is changing everything in the network against the owner’s will. Now I am doing everything I can to try and secure the server. I have changed every user account password, verified that all users belong to appropriate groups and elevated UAC. Last night in the event viewer, there were 1000s of failed attempts to log in through the web. This was done from multiple IP addresses. All my firewall rules were gone from the firewall. I set all the firewall rules up again and the attack was still happening. My question is: How can I stop this attack and secure my network? And can I track where this attack is coming from?
Question by:ryanva
LVL 17

Expert Comment

ID: 37775012
I'd be worried he created a new admin user account or changed them across the network. You can download PsPasswd to reset admin accounts throughout the network. It's a start.

I've downloaded BelArc (which some people don't recommend), but I've not had problems with it for the part you would use: it will give you the admin accounts on the server and show when they were last accessed. Ones you're not familiar with I would disable. Remember they may be associated with a service, so keep an eye on this. To be safe, disable, don't delete.

What type of firewall?
LVL 17

Expert Comment

ID: 37775024
Sorry... I see you have a UC520 Cisco firewall.

Save the config (just in case), then wipe it out and start from scratch. Don't just delete the rules; reset everything, config included. This way you'll ensure remote access is not enabled and that you didn't overlook something.

Regarding attacks, is this something you came across because you were looking and noticed it for the first time, or is it new and you've always monitored? Attacks can be common; keeping them at bay can be a cat-and-mouse game. I usually track the IP down to see where it's coming from; sometimes they're not attacks and you'll find they're routers from a telecom or something like this. Are they user accounts or service accounts? Can you provide more information about them?

Author Comment

ID: 37775025
Yeah we have done BelArc and everything looks good. I will try PsPasswd thanks.
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 37777413
Some questions about this....
1) These "attacks" that you speak of... Are there remote users accessing this network? If so, has the new VP changed or deleted config lines? Maybe these aren't attacks and are simply authorized users attempting to access the corp. network who cannot due to changes in the FW.

2) You should have reviewed the running config and compared it with the startup config to see what changes actually took place, or looked in your logs.

3) What type of authentication are you using?

4) You can trace IPs to owners and/or service providers.

These are some things to maybe consider. Also, it's a general rule that executives (new VP) typically don't need nor will they ask for access to command line or configuration info on ANY network device. If something is needed and/or requested, you can always print out the associated info for their viewing pleasure. In addition, you typically NEVER give any outside vendor complete access to your network. It's a security risk and usually leads to this type of trouble. Hope this helps.
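
The two comments above (wipe the config and rebuild it rather than just deleting rules; compare the running config with the startup config to see what actually changed) both come down to diffing two IOS config captures. The following is an added example, not code from the original thread or from Cisco: it flattens two config texts (on IOS they would come from `show startup-config` and `show running-config`) into context-aware entries and lists what was removed or added, flagging the lines that change the device's exposure (ACLs and their interface bindings, crypto/VPN policy, vty transport, HTTP server, local users). Both configs below are constructed for illustration and are not a real UC520 config. Note that RSA key pairs never appear in the text config, so a deleted key has to be checked separately with `show crypto key mypubkey rsa`.

```python
"""Diff a saved Cisco IOS startup-config against the running-config and flag
security-relevant removals/additions.

Added example, not from the original thread. Assumes both configs were captured
as plain text (`show startup-config` / `show running-config`). The two sample
configs are constructed, not a real device's configuration.
"""

STARTUP_CONFIG = """\
! Constructed sample: device as it was locked down (not a real UC520 config)
hostname UC520
service password-encryption
enable secret 5 $1$sample$hashnotreal
username netadmin privilege 15 secret 5 $1$sample$hashnotreal
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.10 eq smtp
 deny ip any any log
interface FastEthernet0/0
 description WAN uplink
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE_IN in
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.9
line vty 0 4
 transport input ssh
 login local
"""

RUNNING_CONFIG = """\
! Constructed sample: same device after unauthorised changes
hostname UC520
service password-encryption
enable secret 5 $1$sample$hashnotreal
username netadmin privilege 15 secret 5 $1$sample$hashnotreal
username support privilege 15 secret 5 $1$sample$otherhash
ip http server
interface FastEthernet0/0
 description WAN uplink
 ip address 203.0.113.2 255.255.255.0
line vty 0 4
 transport input telnet ssh
 login local
"""

# Leading tokens of config lines that change the device's attack surface.
SECURITY_PREFIXES = ("access-list", "ip access-list", "ip access-group", "crypto",
                     "enable secret", "enable password", "username", "aaa ",
                     "line vty", "transport input", "ip http", "login", "logging",
                     "service password-encryption", "snmp-server community")


def parse_ios_config(text):
    """Flatten an IOS config into 'parent > child' entries so that a nested
    line (e.g. an access-group under one interface) keeps its context."""
    entries = set()
    parent = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank line, comment or '!' separator
        if not line.startswith(" "):
            parent = line.strip()         # top-level command
            entries.add(parent)
        else:
            entries.add(f"{parent} > {line.strip()}")   # indented sub-command
    return entries


def is_security_relevant(entry):
    """True if either the top-level command or the sub-command is one that
    opens or closes access (ACLs, crypto, vty, HTTP, users, logging)."""
    parent, _, child = entry.partition(" > ")
    return parent.startswith(SECURITY_PREFIXES) or child.startswith(SECURITY_PREFIXES)


def diff_configs(startup_text, running_text):
    """Return removed/added entries, plus the security-relevant subset of each."""
    startup = parse_ios_config(startup_text)
    running = parse_ios_config(running_text)
    removed = sorted(startup - running)
    added = sorted(running - startup)
    return {
        "removed": removed,
        "added": added,
        "removed_security": [e for e in removed if is_security_relevant(e)],
        "added_security": [e for e in added if is_security_relevant(e)],
    }


if __name__ == "__main__":
    result = diff_configs(STARTUP_CONFIG, RUNNING_CONFIG)
    for key in ("removed_security", "added_security"):
        print(key)
        for entry in result[key]:
            print("  ", entry)
```

On the constructed pair, the removed list is exactly the outside ACL, its binding on the WAN interface, the VPN crypto policy and map, and the SSH-only vty restriction, while the additions are a new privilege-15 user, the HTTP server and telnet on the vty lines, which is the kind of report you want in hand before wiping the box and rebuilding from a known-good config.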

Author Comment

ID: 37777933

1) These attacks were authentication failures with domain users and invalid accounts such as (console, admin, administrator, user, etc.). The network had been locked down and all ports to the outside other than SMTP to a mail filtering appliance had been shut down in the firewall. The following day I was setting up a user to VPN in to be able to securely access our terminal server, and when I went to add the VPN user in the CLI I saw that the entire firewall rule for the outside interface had been removed. Also the crypto key had been removed.

2) I did not think at the time to compare the running config and the startup config as my priority was locking the router down. A security audit was done on the router and all items were fixed.

3) Not sure what you are asking here? Windows or Cisco? Windows is Kerberos, Cisco is the default.

4) Every IP address that we are being hit by is different each time.

I definitely understand the point of never giving out the access info. There was a clear understanding that another vendor was to perform a full systems and security audit and that I was to provide him with full access to the system. He also kept pressing, saying that the owners should always have all of the admin passwords and trying to say that I wasn't doing my job since that had not been provided to them. I primarily deal with SMBs and have them in support contracts, so that information is normally not provided unless they ask.

Some additional background:

The day that this guy came on he brought in 4 computers: (2) PCs, an iMac and a Mac server. These devices were approved by the president and authorization was given to allow access to the wireless network. I have no idea what is on any of these computers but believe that they may be being used to exploit security vulnerabilities on the internal network for some unknown gain. I am working diligently to maintain security on the internal network, which is my primary objective at the moment. Is there any way to see if any of his devices are carrying out attacks internally? I am concerned because every day he is pushing harder to get me out of there and it seems obvious that I am somehow standing in the way of whatever he is trying to do.
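
The failures described in the question and in the comment above (thousands of 4625 events, a different source IP each time, a mix of real domain users and made-up names like console, admin and administrator) are what a triage of the exported Security log should separate. The following is an added example, not code from the original thread: it assumes the 4625 events have already been exported (for instance with wevtutil or Get-WinEvent) into records carrying the standard fields TargetUserName, IpAddress, LogonType and SubStatus, and it treats anything outside RFC 1918, loopback and link-local space as external. The sample events and addresses are constructed for illustration.

```python
"""Triage exported Windows 4625 (failed logon) events for the pattern in the
question: many failures, many source IPs, real accounts mixed with guesses.

Added example, not from the original thread. Assumes the Security log was
exported into records with the 4625 fields TargetUserName, IpAddress,
LogonType and SubStatus. SAMPLE_EVENTS below are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# 4625 SubStatus codes (NTSTATUS values) that matter for triage.
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "bad password",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}

# Logon types seen in 4625 events; the type tells you which exposed service
# the attempts came through (10 = RDP, 8 = cleartext, e.g. IIS basic auth).
LOGON_TYPE = {"2": "interactive", "3": "network", "8": "network cleartext",
              "10": "remote interactive (RDP)"}

# Generic names that do not exist in this domain; hits on these from outside
# are automated guessing, not a confused legitimate user (assumed list).
GENERIC_NAMES = {"admin", "administrator", "user", "console", "test", "guest", "root"}

# Address space treated as internal. Checked explicitly rather than with
# ipaddress.is_private so that the constructed TEST-NET sample addresses
# below count as external, as a real Internet source would.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records standing in for exported 4625 events.
SAMPLE_EVENTS = [
    {"TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": "3", "SubStatus": "0xC000006A"},
    {"TargetUserName": "admin", "IpAddress": "198.51.100.7", "LogonType": "3", "SubStatus": "0xC0000064"},
    {"TargetUserName": "console", "IpAddress": "203.0.113.44", "LogonType": "10", "SubStatus": "0xc0000064"},
    {"TargetUserName": "user", "IpAddress": "203.0.113.45", "LogonType": "10", "SubStatus": "0xC0000064"},
    {"TargetUserName": "jsmith", "IpAddress": "203.0.113.46", "LogonType": "3", "SubStatus": "0xC000006A"},
    {"TargetUserName": "jsmith", "IpAddress": "203.0.113.47", "LogonType": "3", "SubStatus": "0xC000006A"},
    {"TargetUserName": "jsmith", "IpAddress": "192.168.10.23", "LogonType": "2", "SubStatus": "0xC000006A"},
]


def is_external(ip):
    """True for a source outside the internal ranges; '-' (no network
    source, e.g. a console logon) is never external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def summarize(events):
    """Count failures per source IP, target account, reason and logon type."""
    stats = {"per_ip": Counter(), "per_user": Counter(), "per_reason": Counter(),
             "per_type": Counter(), "ips_per_user": defaultdict(set)}
    for e in events:
        ip = e.get("IpAddress", "-")
        user = e.get("TargetUserName", "").lower()
        code = e.get("SubStatus", "").lower()
        stats["per_ip"][ip] += 1
        stats["per_user"][user] += 1
        stats["per_reason"][SUBSTATUS.get(code, code or "unknown")] += 1
        stats["per_type"][LOGON_TYPE.get(e.get("LogonType", ""), "other")] += 1
        stats["ips_per_user"][user].add(ip)
    return stats


def classify(events, distinct_ip_threshold=2):
    """Turn the counts into findings a responder can act on."""
    stats = summarize(events)
    findings = []
    external_ips = sorted((ip for ip in stats["per_ip"] if is_external(ip)),
                          key=ipaddress.ip_address)
    if external_ips:
        findings.append(f"{len(external_ips)} distinct external source IPs: "
                        + ", ".join(external_ips))
    # Non-existent generic names tried from outside = automated scanning.
    generic = Counter(
        e.get("TargetUserName", "").lower() for e in events
        if e.get("TargetUserName", "").lower() in GENERIC_NAMES
        and is_external(e.get("IpAddress", "-")))
    if generic:
        findings.append("generic account names guessed from outside: "
                        + ", ".join(f"{u} x{n}" for u, n in sorted(generic.items())))
    # A real account hit from several external IPs = distributed guessing.
    for user, ips in stats["ips_per_user"].items():
        ext = [ip for ip in ips if is_external(ip)]
        if user not in GENERIC_NAMES and len(ext) >= distinct_ip_threshold:
            findings.append(f"real account '{user}' targeted from {len(ext)} "
                            f"external IPs (distributed password guessing)")
    return findings


if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS)
    print("failures by reason:", dict(stats["per_reason"]))
    print("failures by logon type:", dict(stats["per_type"]))
    for line in classify(SAMPLE_EVENTS):
        print("-", line)
```

The per-IP list is what you would feed to whois to trace sources to their owners or providers, as suggested above; the logon type tells you which service is still reachable from outside (type 10 means RDP is answering, type 8 typically IIS basic auth), which is the port to close at the firewall; and a real account being tried from many different addresses is the case where an account lockout policy on the domain, rather than blocking individual IPs, actually stops the guessing.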
LVL 17

Accepted Solution

WORKS2011 earned 500 total points
ID: 37778818
Try Colasoft, you can download it here. I had to battle it out with someone like the one you're talking about, and they were eventually terminated. This software will tell you nearly everything happening on the network. They have a good trial period too.

Author Closing Comment

ID: 37797298
The attacks have stopped. There wasn’t a for-sure answer on what stopped them. Thanks for all the tips.
