You've got a huge problem on your hands there. First thing you have to understand is that there isn't a system in the world that can't be hacked. BUT, there is a whole lot of things you can do to keep them out, and not allow it to be too easy. I faced something similar to your problems when I first took over at the company I'm with, not the least of which was there was no system security. Here's what I did to start solving it.
1: First, implement NAT. This was kind of a stop gap measure for me, but it goes a long way to solving the problem (you can't hit what you can't see). You might need a couple of external IP addresses, and a router that can NAT (I'm assuming you have DSL or T1). Also, routers have some holes as well. You might want to turn off certain features (such as allowing someone from the outside to telnet into or beyond the router).
2: A firewall. Firewalls are expensive, and many depend on how many Servers/Workstations you're securing. Sonicwall makes a decent firewall for the money. Also, Check Point is good, and fairly cost effective. They also offer their software with a 30 day trial. It runs on Windows NT/2000 (never tried it on XP or 2003). It takes about an afternoon's worth of work to get it installed and going. The beauty with a firewall is it lets you close ports easily, and allow just those ports in that you want in (or out). If you can't purchase a firewall, a good public source program is SNORT. It now runs in Windows. It's pretty good, though a pain to configure. I used it in conjunction with a program called IDScenter. If it hadn't been for the latter, I'd never have gotten it running. Now SNORT is an Intrusion Detection System, and it doesn't really combat intruders, though it will log attempts. It also won't let you limit ports and such, but it is open source which means that there's almost certainly someone out there that has figured out a way to do just that, or is working on it.
3: Rename your Administrator account. This is an overlooked security item. Most hackers will go after the Administrator account. The idea here is to make something else the Administrator, and turn Administrator into a paper tiger with no real power (except maybe to be redirected to a honeypot).
4: Patches and service packs, the quickest and easiest way to fix problems. Stay current on them. An example of where administrators dropped the ball is the Code Red Virus. This was a known vulnerability, and the patch was out long before the virus hit. If you had the patch, you didn't have a problem.
5: Enforce passwords. Change passwords every 90 days or less. Windows server will let you set your passwords so they expire in X amount of time, have a minimum length, and even not allow them to use the same password X amount of times. One word of caution here. If you have any services on your system that require a password to run (Veritas Backup Exec as an example), you can hose that real easy by changing the password it runs under. Also, educating your users helps. Make sure they don't do cute things like leave passwords lying around, or use passwords that are too easy to guess (initials plus DOB is the classic).
6: Permissions. Tighten them down. If Accounting doesn't need to have HR access, or vice versa, make sure they don't have permission to access each other's stuff. Also, turn off services that don't need to be running.
7: Read constantly. Microsoft has some great stuff on system security. Perhaps the best site for learning security is
Security is a constantly changing field, and you have to stay on top of it. A book I highly recommend is Hacking Exposed. It will do a very good job of scaring the hell out of you, plus give you some tips and fixes. Get the latest edition. Another real good book for securing your system is O'Reilly's Securing Windows NT/2000 Servers for the Internet. It tells you in plain English how to really tighten them down, though in my opinion, you need to keep good notes of what you did. It's pretty easy to go turn something off that the book says to turn off, only to find out that you needed it to run some application (like payroll software).
8: Get an outside appraisal. After you've finished the basics, contract with a computer security company to do a security audit. This will tell you which holes you've missed, etc. We do security audits quarterly. A lot of this depends on how much you want to spend. Also, the guys who do the security audits are good for telling you how to improve things (do be careful, a lot of them just like selling hardware, so I'd get with a local user group and find out who's good in your area).
9: With Citrix, unless whoever it is has the Citrix client on their machine, there's a very good chance all they'll see is keystrokes, but still, that's no reason to ignore the basics.
10: Keep good backups. When all else fails, you'll need them.
Hope this helps. One last thing. Get a security policy in place and stick to it. To make this happen, you have to have buy in from the powers that be, so rope them in from the beginning. It will also help in the purchase of equipment and such. Part of this is an education process. Most users think if they have a password, they are secure. Part of what we used to get our CEO to see things our way was to put it into dollars and cents (if we lose these servers, it may take this long to get them back up, which means you have people getting paid to do nothing. Over that course of time, you've lost this much money, not to mention damage that has been done to our data, reputation, etc.). I worked for FEMA before running systems, and an old adage I remember is that in times of disaster 97% of all businesses will never reopen their doors. A corollary to this is the longer it takes you to reopen your business, the less likely you will. This applies to system recovery as well.
Rich
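As an added example (not part of Rich's post), the following PowerShell script audits one Windows host against points 3 and 5 above: it exports the local security policy with secedit and checks the password age, minimum length and history settings, checks by SID whether the built-in Administrator account has actually been renamed, and lists services running under named accounts, which are the ones that break when you rotate that account's password (the Backup Exec caveat). The function names are my own; it assumes Windows with PowerShell 5.1 or later run from an elevated prompt. The 90-day password age comes from the post; the minimum length of 8 and history of 5 are assumed thresholds.

```powershell
# Added example, not from the post. Read-only audit of a Windows host against
# the password-policy and Administrator-rename advice above. Assumes PowerShell
# 5.1+ and an elevated prompt (secedit and Get-LocalUser need it). The 90-day
# maximum age is from the post; MinLength=8 and History=5 are assumed values.

function Get-LocalSecurityPolicy {
    # secedit exports the local security policy as an INI-style file; parse
    # every "Key = Value" line into a hashtable and delete the temp file.
    $tmp = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^\s*(\w+)\s*=\s*"?(.*?)"?\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy, [int]$MaxAgeDays = 90, [int]$MinLength = 8, [int]$History = 5)
    $findings = @()
    # MaximumPasswordAge of -1 means "never expires", so anything <= 0 is a finding.
    $maxAge = [int]$Policy['MaximumPasswordAge']
    if ($maxAge -le 0 -or $maxAge -gt $MaxAgeDays) {
        $findings += "MaximumPasswordAge=$maxAge, want 1..$MaxAgeDays days"
    }
    if ([int]$Policy['MinimumPasswordLength'] -lt $MinLength) {
        $findings += "MinimumPasswordLength=$($Policy['MinimumPasswordLength']), want >= $MinLength (assumed threshold)"
    }
    if ([int]$Policy['PasswordHistorySize'] -lt $History) {
        $findings += "PasswordHistorySize=$($Policy['PasswordHistorySize']), want >= $History (assumed threshold)"
    }
    return $findings
}

function Test-AdministratorRenamed {
    # The built-in Administrator keeps RID 500 no matter what it is called, so
    # check the SID rather than trusting the name (point 3 above).
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
    if ($builtin -and $builtin.Name -eq 'Administrator') {
        return "Built-in account with RID 500 is still named 'Administrator'"
    }
}

function Get-ServicesWithNamedAccounts {
    # Services that log on as a real user account (not LocalSystem, NT AUTHORITY
    # or NT SERVICE) stop starting once that account's password is rotated unless
    # the service is updated too: the Backup Exec caveat from point 5.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        Select-Object Name, StartName, State
}

$policy   = Get-LocalSecurityPolicy
$findings = @(Test-PasswordPolicy -Policy $policy) + @(Test-AdministratorRenamed)
if ($findings) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'Password policy and Administrator rename look OK'
}
Write-Output 'Services running under named accounts (update these before rotating those passwords):'
Get-ServicesWithNamedAccounts | Format-Table -AutoSize
```

Run it once before changing the policy to get a baseline, and again after: the named-account service list is the set of places where a password change has to be applied by hand, so keep it with the notes the post recommends taking.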