We've recently taken over IT support for a small company, which runs an SBS 2011 server. The previous IT provider has not taken this well.
There were a couple of remote access/monitoring programs which had been installed:
Remote Utilities Host
These have all been removed and the server has been restarted.
There were also two administrator accounts in use, and I have changed the password for both. The built-in administrator account was also active, and again I have changed the password for it.
I've removed access to the RDP port and RWW, and the only open ports are port 25 and HTTPS (443). The router is a DrayTek router.
The previous IT support is still claiming that they have access to the server, and also that it is reporting status to them. However, I've been through the entire program list and can see nothing there (despite sending screenshots of the program list, apparently I'm stupid to not be able to see the program which should 'have been removed').
I'm concerned that, despite all the precautions taken, it is still possible for remote access to be occurring in some way (the other party has sent a screenshot to prove this, although this could be an old screenshot), so I will go through the user PCs to make sure that there is no remote access there.
My question is two-fold:
1) I've attached screenshots of the entire program list and the scheduled task list. Can you see anything which could be reporting back?
2) How can I be sure that remote access to the server is not possible?
Any advice on how to secure this further would be gratefully received, as the 3rd party is casting aspersions and I want to make sure that we've covered all bases here.
Thanks a lot.