Securing Server 2008 R2 along with UC520 Cisco firewall

I have been running this network for the past five years. Yesterday the new vice president of our company said we had to "turn our network over" to a Linux certified technician who flew into town. After giving him the network passwords, I informed the owner of our company about the passwords being given to the new vice president. She told me he should NOT have these and that he is changing everything in the network against the owner's will. Now I am doing everything I can to try and secure the server. I have changed every user account password, verified that all users belong to appropriate groups and elevated UAC. Last night in the event viewer there were thousands of failed attempts to log in through the web. This was done from multiple IP addresses. All my firewall rules were gone from the firewall. I set all the firewall rules up again and the attack was still happening. My question is: how can I stop this attack and secure my network? And can I track where this attack is coming from?
WORKS2011 (Austin Tech Company) commented:
I'd be worried he created a new admin user account or changed them across the network; you can download PsPasswd to reset admin accounts throughout the network. It's a start.

I've downloaded BelArc (which some people don't recommend), but I've not had problems with it for the part you would use. It will give you the admin accounts on the server and show when they were last accessed; ones you're not familiar with I would disable. Remember they may be associated with a service, so keep an eye on this. To be safe, disable, don't delete.

What type of firewall?
WORKS2011 (Austin Tech Company) commented:
Sorry... I see you have a UC520 Cisco firewall.

Save the config (just in case), then wipe it out and start from scratch. Don't just delete the rules; reset everything, config included. This way you'll ensure remote access is not enabled and that you didn't overlook something.

Regarding attacks, is this something you came across because you were looking and noticed it for the first time, or is it new and you've always monitored? Attacks can be common, and keeping them at bay can be a cat and mouse game. I usually track the IP down to see where it's coming from; sometimes they're not attacks and you'll find they're routers from a telecom or something like this. Are they user accounts or service accounts? Can you provide more information about them?
ryanva (Author) commented:
Yeah, we have done BelArc and everything looks good. I will try PsPasswd, thanks.
Robert Sutton Jr (Senior Network Manager) commented:
Some questions about this....
1) These "attacks" that you speak of... Are there remote users accessing this network? If so, has the new VP changed or deleted config lines? Maybe these aren't attacks and simply authorized users attempting to access the corp. network but cannot due to changes in the FW.

2) You should have reviewed the running config and compared that with the startup config to see what changes actually took place, or looked in your logs.

3) What type of authentication are you using?

4) You can trace IPs to owners and/or service providers.

These are some things to maybe consider. Also, it's a general rule that executives (new VP) typically don't need, nor will they ask for, access to the command line or configuration info on ANY network device. If something is needed and/or requested, you can always print out the associated info for their viewing pleasure. In addition, you typically NEVER give any outside vendor complete access to your network. It's a security risk and usually leads to this type of trouble. Hope this helps.
ryanva (Author) commented:

1) These attacks were authentication failures with domain users and invalid accounts such as console, admin, administrator, user, etc. The network had been locked down and all ports to the outside, other than SMTP to a mail filtering appliance, had been shut down in the firewall. The following day I was setting up a user to VPN in to be able to securely access our terminal server, and when I went to add the VPN user in the CLI I saw that the entire firewall rule for the outside interface had been removed. Also the crypto key had been removed.

2) I did not think at the time to compare the running config and the startup config as my priority was locking the router down. A security audit was done on the router and all items were fixed.

3) Not sure what you are asking here? Windows or Cisco? Windows is Kerberos, Cisco is the default.

4) Every IP address that we are being hit by is different each time.

I definitely understand the point of never giving out the access info. There was a clear understanding that another vendor was to perform a full systems and security audit and that I was to provide him with full access to the system. He also kept pressing, saying that the owners should always have all of the admin passwords and trying to say that I wasn't doing my job since that had not been provided to them. I primarily deal with SMBs and have them in support contracts, so that information is normally not provided unless they ask.

Some additional background:

The day that this guy came on he brought in 4 computers: (2) PCs, an iMac and a Mac server. These devices were approved by the president and authorization was given to allow access to the wireless network. I have no idea what is on any of these computers but believe that they may be being used to exploit security vulnerabilities on the internal network for some unknown gain. I am working diligently to maintain security on the internal network, which is my primary objective at the moment. Is there any way to see if any of his devices are carrying out attacks internally? I am concerned because every day he is pushing harder to get me out of there and it seems obvious that I am somehow standing in the way of whatever he is trying to do.
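A way to answer both "where is this coming from" and "which accounts are being tried" from the server's own Security log, as an added example that is not part of this thread: it pulls the failed-logon events (ID 4625) from the last N hours on the Windows Server 2008 R2 host, groups them by source address and account name, and separates guesses at non-existent names (console, admin, user) from attempts against real domain accounts. Assumes it is run as an administrator in PowerShell 2.0 or later; the hour/top-N parameters are the author's own choices.

```powershell
# Added example (not from the original thread): summarize Security event 4625
# ("An account failed to log on") by source IP and account on a Windows Server
# 2008 R2 host. Assumes an elevated PowerShell 2.0+ session on the server itself.
param(
    [int]$Hours = 24,   # look back this many hours (assumption: tune as needed)
    [int]$Top   = 20    # rows to show per table
)

$since = (Get-Date).AddHours(-$Hours)

# Filtering by ID and StartTime on the server side keeps the query fast even
# when the log holds tens of thousands of failures.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

# Each 4625 carries its details as <Data Name="..."> nodes in the event XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        SourceIP  = $d['IpAddress']        # '-' when the logon was local
        LogonType = $d['LogonType']        # 3 = network (SMB/web auth), 10 = RDP
        # SubStatus 0xC0000064 = user name does not exist (password-guessing a list of
        # common names); 0xC000006A = right name, wrong password (a real account targeted)
        SubStatus = $d['SubStatus']
    }
}
$rows = @($rows)

"Failed logons in the last $Hours hour(s): $($rows.Count)"

"`n== Top source addresses =="
$rows | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

"`n== Top account names tried =="
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

"`n== Sources guessing names that do not exist (SubStatus 0xC0000064) =="
$rows | Where-Object { $_.SubStatus -eq '0xc0000064' } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

"`n== Real accounts with wrong-password attempts (SubStatus 0xC000006A) =="
$rows | Where-Object { $_.SubStatus -eq '0xc000006a' } |
    Group-Object Account, Domain | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize
```

The source-address table is what you would feed to a whois lookup to find the owner or provider, as suggested above; the real-account table tells you which domain users to check for lockout and password change.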
WORKS2011 (Austin Tech Company) commented:
Try Colasoft; you can download it here. I had to battle it out with someone like you're talking about and they were eventually terminated. This software will tell you nearly everything happening on the network. They have a good trial period too.

ryanva (Author) commented:
The attacks have stopped. There wasn't a sure answer on what stopped them. Thanks for all the tips.