
Remote access 2

Status
Not open for further replies.

piyu75

IS-IT--Management
Aug 16, 2006
44
US
Hi, I am new to IT and am having a security problem. I have a small Windows Server 2003 in a small company. I have disabled Mr. "X"'s account, denied VPN access through the dial-up tab in Active Directory, removed his ID from the Administrators group and gave him only user permissions. There is no VNC server running on the server. Mr. "X" is claiming that he is still able to log on to the system through a "back door". Can anybody tell me what other possible ways there are to get into the network?
 
Make everyone change their passwords.

Change all passwords everywhere including services, firewalls, routers, switches etc.

Run a report to see which accounts have remote access and delete the permission for anyone you see as suspect. Use
Simply change computer to \\DCName and then run user as table export and add dialin access.

Check servers and clients for remote control software: VNC, remote admin, pcAnywhere. Ensure no PC has a VPN connection to his personal network - remember they're two way! If it connects out he can connect in.

Pay special attention to anything with a modem in it!

Also check local user accounts.

Iain
 
Did you change the administrator password? If Mr.X is a former administrator, he probably knows the password.

Also, I'm confused. First you say you disabled his account, but then you say he only has user permissions. Which is it? Is he an active user with user permissions, or is he completely disabled?
 
pgaliardo:
Mr. "X"'s account was a member of the Domain Admins and Users groups when it was active. I disabled his account and removed him from the Domain Admins group, leaving his disabled account as a member of the Users group. I also changed the Administrator password on my server (Win 2003). Today I forced everybody to change their password at next logon through the Active Directory Account tab.
Spirit: Thanks for your detailed reply. I will check all your points.
The server had auditing enabled for Account Logon and Logon, for success and failure. I checked the security log but there is no trace of Mr. "X" logging into the system, although there were a bunch of "Anonymous User" successful logon events. Could those be him?
 
It's a good idea to check everything the other people have said, but I bet he is just yankin' your chain. Trying to get you worked up and freaked out.

RoadKi11
 
Final thought: you don't have a wireless LAN, do you?

Change the encryption keys on all of them. Ensure they (and your firewalls / routers for that matter) can only be admined from the local domain and not remotely from the internet.

I agree with Roadki11 on this one - and hope we're right - he's doing it to make himself feel like a big man!

You're doing the worst job an admin can do at the moment, changing all the passwords.

It means you'll have issues for the next few days while you do things like changing the Exchange service passwords, Backup Operator (Veritas etc.) passwords, SQL passwords. Do you host your own website? Do not forget that.

Users will be forgetting their new passwords, but at the end of the day what you're doing is good practice when any admin leaves.

Only you know your network. Next time you're having a sit down and a cup of tea, sit and think: if I wanted to come into this network I would do it by......

The anonymous thing: have a look at which computer / server the request came from. Usually it's just systems things doing system stuff.

Good luck in your new found role,

Iain

P.S. Welcome to tek-tips!

 
I do not have a wireless LAN at all. As you said, because of changing passwords I happened to reset the password of somebody who does website maintenance and the web site broke. We fixed it in the end. How do I change the Exchange service password? Exchange is my weakest link. Is there any online reference that you guys can recommend?
 
There isn't GoToMyPC or LogMeIn installed anywhere on the network, is there? If so, he probably had set it up, so he would have the passwords to get in.

This would be an app installed on any machine. Uses port 80 so that you can connect from outside from any machine that has internet access.

Systems Administrator
 
Just an idea - ask him to prove his claim, create a text file with a message and ask him to tell you what it says.

 
And, if he's making his claims via email, print those emails and give a COPY to HR for his personnel record.

Keep the original printouts, and those emails, in case you have to prosecute.

I'm with tookawhile - have him prove it.


Pat Richard, MCSE MCSA:Messaging CNA
Want to know how email works? Read for yourself -
 
It's a little different here. He actually proved it by asking why his account is disabled. At that time he did not know that I am replacing him. Then he said that he wasn't able to log on at first, but then he went through the "back door" and saw his account disabled. Most likely he knows the password of one of the three admin accounts in my domain. I have not had a chance so far to check all those things that people wrote here, but I will very soon.
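The log checks suggested in this thread (see which machine the anonymous logons came from, and whether one of the admin accounts is being used from somewhere unexpected) can be run over an exported copy of the Security log. The following is an added example, not part of any post in the thread. The CSV column layout, account names, host names and addresses are all constructed for illustration; the event IDs are the Windows Server 2003 logon events.

```python
import csv, io
from collections import Counter

# Constructed sample: Security log rows exported to CSV. The column layout is
# an assumption of this example, not a fixed Windows export format.
SAMPLE = """time,event_id,user,logon_type,workstation,source_ip
2006-08-15 08:02:11,528,jsmith,2,FRONTDESK1,
2006-08-15 08:05:40,540,ANONYMOUS LOGON,3,FRONTDESK1,192.168.1.21
2006-08-15 08:05:41,540,ANONYMOUS LOGON,3,ACCT2,192.168.1.34
2006-08-15 09:14:03,540,ANONYMOUS LOGON,3,FRONTDESK1,192.168.1.21
2006-08-15 21:47:55,528,Administrator,10,HOMEPC,203.0.113.50
2006-08-15 21:49:02,540,backupadmin,3,HOMEPC,203.0.113.50
2006-08-16 07:58:30,528,Administrator,2,SERVER1,
2006-08-16 08:10:12,531,mrx,3,HOMEPC,203.0.113.50
"""

SUCCESS = {"528", "540"}   # Server 2003: successful logon / successful network logon
FAILURE = {"529", "531"}   # Server 2003: bad user name or password / account disabled

def triage(csv_text, admin_accounts, known_hosts):
    """Split logon events into the groups worth a closer look."""
    admins = {a.lower() for a in admin_accounts}
    hosts = {h.upper() for h in known_hosts}
    report = {"anonymous_by_host": Counter(), "admin_from_unknown": [],
              "remote_interactive": [], "failures_from_unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, host = row["user"].strip(), row["workstation"].strip().upper()
        where = (row["time"], user, host, row["source_ip"])
        if row["event_id"] in FAILURE:
            if host not in hosts:          # failed attempt from a machine we don't own
                report["failures_from_unknown"].append(where)
            continue
        if row["event_id"] not in SUCCESS:
            continue
        if user.upper() == "ANONYMOUS LOGON":
            report["anonymous_by_host"][host] += 1   # group by originating machine
        elif user.lower() in admins and host not in hosts:
            report["admin_from_unknown"].append(where)
        if row["logon_type"] == "10":      # type 10 = Terminal Services / Remote Desktop
            report["remote_interactive"].append(where)
    return report

if __name__ == "__main__":
    r = triage(SAMPLE, ["Administrator", "backupadmin", "svcadmin"],
               ["SERVER1", "FRONTDESK1", "ACCT2"])
    for key, value in r.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Anonymous logons that all trace back to known internal machines fit the "system stuff" explanation given above; an admin account logging on from a machine that is not on the known-hosts list is the entry to follow up first.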
 