ryanva

asked on

Securing Server 2008 R2 along with UC520 Cisco firewall

I have been running this network for the past five years. Yesterday the new vice president of our company said we had to “turn our network over” to a Linux certified technician that flew into town. After giving him the network passwords, I informed the owner of our company about the passwords being given to the new vice president. She told me he should NOT have these and is changing everything in the network against the owner’s will. Now I am doing everything I can to try and secure the server. I have changed every user account password, verified that all users belong to appropriate groups, and elevated UAC. Last night in the event viewer there were thousands of failed attempts to log in through the web. This was done from multiple IP addresses. All my firewall rules were gone from the firewall. I set all the firewall rules back up and the attack was still happening. My question is: How can I stop this attack and secure my network? And can I track where this attack is coming from?
WORKS2011

I'd be worried he created a new admin user account or changed them across the network; you can download PsPasswd to reset admin accounts throughout the network. It's a start.

I've downloaded BelArc (which some people don't recommend) but I've not had problems with it for the part you would use. It will give you the admin accounts on the server and show when they were last accessed; ones you're not familiar with I would disable. Remember they may be associated with a service, so keep an eye on this. To be safe, disable, don't delete.

What type of firewall?
sorry...I see you have a UC520 Cisco firewall.

Save the config (just in case), then wipe it out and start from scratch. Don't just delete the rules; reset everything, config included. This way you'll ensure remote access is not enabled and you didn't overlook something.

Regarding attacks, is this something you came across because you were looking and noticed it for the first time, or is it new and you've always monitored? Attacks can be common; keeping them at bay can be a cat and mouse game. I usually track the IP down to see where it's coming from; sometimes they're not attacks and you'll find they're routers from a telecom or something like this. Are they user accounts or service accounts? Can you provide more information about them?
ryanva

ASKER

Yeah we have done BelArc and everything looks good. I will try PsPasswd thanks.
Robert Sutton Jr
Some questions about this....
1) These "attacks" that you speak of... Are there remote users accessing this network? If so, has the new VP changed or deleted config lines? Maybe these aren't attacks and simply authorized users attempting to access the corp. network but cannot due to changes in the FW.

2) You should have reviewed the running config and compared that with the startup config to see what changes actually took place, or looked in your logs.

3) What type of authentication are you using?

4) You can trace IPs to owners and/or service providers.

These are some things to maybe consider. Also, it's a general rule that executives (new VP) typically don't need nor will they ask for access to command line or configuration info on ANY network device. If something is needed and/or requested, you can always print out the associated info for their viewing pleasure. In addition, you typically NEVER give any outside vendor complete access to your network. It's a security risk and usually leads to this type of trouble. Hope this helps.
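One way to do the running-config versus startup-config comparison from point 2, as an added example that is not any poster's code: it flattens both configs, diffs them, and pulls out the lines that touch ACLs, crypto, local users or HTTP access. The two IOS snippets are constructed samples, not the asker's UC520 config, and $HASH-PLACEHOLDER$ stands in for a real secret hash.

```python
"""Diff a Cisco IOS startup-config against the running-config and flag the
security-relevant changes. Added example, not any poster's code; both
configs below are constructed samples, not the asker's UC520 config."""
# Line prefixes whose removal or addition matters for perimeter security
SECURITY_PREFIXES = ("access-list", "ip access-list", "ip access-group",
                     "crypto", "username", "ip http")

def normalize(config: str) -> list:
    """Flatten a config; indented sub-lines keep their parent (for example
    'interface Fa4 / ip access-group ...') so the diff keeps context."""
    parent, lines = "", []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if line.startswith(" "):
            lines.append(f"{parent} / {line.strip()}")
        else:
            parent = line
            lines.append(line)
    return lines

def config_diff(startup: str, running: str) -> dict:
    """Lines present in startup but gone from running, and vice versa."""
    s, r = set(normalize(startup)), set(normalize(running))
    return {"removed": sorted(s - r), "added": sorted(r - s)}

def _relevant(line: str) -> bool:
    """True if any segment touches ACLs, crypto, local users or HTTP access."""
    segs = [s[3:] if s.startswith("no ") else s for s in line.split(" / ")]  # drop 'no '
    return any(s.startswith(SECURITY_PREFIXES) for s in segs)

def security_relevant(lines) -> list:
    return [line for line in lines if _relevant(line)]

# Constructed sample: the running config has lost the outside ACL and the
# crypto map, re-enabled the HTTP server and gained a second level-15 user.
STARTUP = """username netadmin privilege 15 secret 5 $HASH-PLACEHOLDER$
no ip http server
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq smtp
 deny ip any any log
interface FastEthernet4
 ip access-group OUTSIDE-IN in
crypto map VPNMAP 10 ipsec-isakmp"""
RUNNING = """username netadmin privilege 15 secret 5 $HASH-PLACEHOLDER$
username svc-temp privilege 15 secret 5 $HASH-PLACEHOLDER$
ip http server
interface FastEthernet4"""
```

On a real device, paste the output of `show startup-config` and `show running-config` into STARTUP and RUNNING; the comparison is line-based, so it reports what changed but not who changed it, which is what the logs are for.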

ASKER

@The_Warlock

1) These attacks were authentication failures with domain users and invalid accounts such as (console, admin, administrator, user, etc.). The network had been locked down and all ports to the outside other than SMTP to a mail filtering appliance had been shut down in the firewall. The following day I was setting up a user to VPN in to be able to securely access our terminal server, and when I went to add the VPN user in the CLI I saw that the entire firewall rule for the outside interface had been removed. Also the crypto key had been removed.

2) I did not think at the time to compare the running config and the startup config as my priority was locking the router down. A security audit was done on the router and all items were fixed.

3) Not sure what you are asking here? Windows or Cisco? Windows is Kerberos, Cisco is the default.

4) Every IP address that we are being hit by is different each time.

I definitely understand the point of never giving out the access info. There was a clear understanding that another vendor was to perform a full systems and security audit and that I was to provide him with full access to the system. He also kept pressing, saying that the owners should always have all of the admin passwords and trying to say that I wasn't doing my job since that had not been provided to them. I primarily deal with SMBs and have them in support contracts, so that information is normally not provided unless they ask.

Some additional background:

The day that this guy came on he brought in 4 computers: (2) PCs, an iMac and a Mac server. These devices were approved by the president and authorization was given to allow access to the wireless network. I have no idea what is on any of these computers but believe that they may be being used to exploit security vulnerabilities on the internal network for some unknown gain. I am working diligently to maintain security on the internal network, which is my primary objective at the moment. Is there any way to see if any of his devices are carrying out attacks internally? I am concerned because every day he is pushing harder to get me out of there and it seems obvious that I am somehow standing in the way of whatever he is trying to do.
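To make sense of the failed logons described in this thread (thousands of attempts, a different source IP each time, names like console/admin/administrator/user mixed in with real domain users), here is an added triage script that is not any poster's code. It assumes a CSV export of Security log rows with the column layout shown; the rows, the known-user list and the addresses are constructed samples.

```python
"""Triage failed-logon events from a Windows Security log export: which
source IPs hit which accounts, and whether the names tried exist at all.
Added example, not any poster's code; the event rows are constructed."""
import csv
import ipaddress
from collections import Counter, defaultdict
from io import StringIO
# Constructed CSV export of Security log rows (4625 = logon failure,
# 4624 = success); LogonType 3 is a network logon, 2 is interactive.
SAMPLE_EVENTS = """TimeCreated,EventID,TargetUserName,IpAddress,LogonType
2012-06-04 01:12:03,4625,administrator,198.51.100.7,3
2012-06-04 01:12:05,4625,admin,198.51.100.7,3
2012-06-04 01:12:09,4625,console,203.0.113.44,3
2012-06-04 01:12:11,4625,user,203.0.113.44,3
2012-06-04 01:12:15,4625,jsmith,203.0.113.44,3
2012-06-04 01:12:20,4625,Administrator,192.0.2.91,3
2012-06-04 01:13:40,4625,jsmith,10.0.0.25,2
2012-06-04 01:14:02,4624,jsmith,10.0.0.25,2
"""
KNOWN_USERS = {"jsmith", "netadmin"}  # constructed list of real domain accounts
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """RFC 1918 check; anything else counts as an outside source."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def parse_failures(csv_text: str) -> list:
    """Keep only event 4625 rows, with the account name lower-cased."""
    rows = csv.DictReader(StringIO(csv_text))
    return [dict(r, TargetUserName=r["TargetUserName"].lower())
            for r in rows if r["EventID"] == "4625"]

def summarize(failures, known_users) -> dict:
    """Count failures per source IP and per account; flag guessed (non-
    existent) names, outside sources, and IPs cycling through many names."""
    by_ip = Counter(f["IpAddress"] for f in failures)
    by_account = Counter(f["TargetUserName"] for f in failures)
    names_per_ip = defaultdict(set)
    for f in failures:
        names_per_ip[f["IpAddress"]].add(f["TargetUserName"])
    return {
        "by_ip": dict(by_ip),
        "by_account": dict(by_account),
        # names that are not real users: probing, not a locked-out colleague
        "guessed_accounts": sorted(a for a in by_account if a not in known_users),
        "real_accounts_hit": sorted(a for a in by_account if a in known_users),
        "external_sources": sorted(ip for ip in by_ip if not is_internal(ip)),
        # one IP trying several names is a dictionary run, not a mistyped password
        "multi_name_sources": sorted(ip for ip, n in names_per_ip.items() if len(n) > 1),
    }
```

The external_sources list is what you would hand to a whois lookup to find the owning provider; an entry in real_accounts_hit from an internal address with LogonType 2 is worth checking separately, since that is a console or RDP attempt from inside rather than the outside noise.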
ASKER CERTIFIED SOLUTION
WORKS2011


ASKER

The attacks have stopped. There wasn’t a for-sure answer on what stopped them. Thanks for all the tips.