Re: Possible Security Leak
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/19/05
- In reply to: Snoopy: "Possible Security Leak"
Date: Fri, 18 Feb 2005 19:30:34 -0600
It sounds like there is a remote access server somewhere on your network.
This ex-employee may have set one up, or even a current employee may have set
one up without authorization. Try to ping that computer name to see if you
get a response, and also ping all the addresses that are shown as being
leased to that computer, as one may be to the remote access server itself. If
you can ping it, then you will have to go from there to try and track it
down, possibly by using the MAC address to trace it to a port if you can
query your switches for such. I would also scan your entire network with a
network scanner such as SuperScan 4 to see if you can find any unauthorized
computers or devices such as a wireless access point. SuperScan 4 [free from
Foundstone] will give info that may be helpful about IP addresses it finds,
including the names of the computers or devices. Make sure this ex-employee
does not have an active account, and check the membership of all the
administrator groups for the domain to make sure it is what is expected, and
change the administrator account for the domain. Also make sure that you are
logging account logon events in Domain Controller Security policy, as the
security logs of the domain controllers may then provide some clues. ---
Steve
"Snoopy" <Snoopy@discussions.microsoft.com> wrote in message
news:F7F0A1F9-AA64-4467-A418-BBD068BA996A@microsoft.com...
> Dear Pros,
>
> I always get a warning message from my DHCP server service telling me that
> the available IPs are running low; I actually get this message from the
> event log.
> But after I check my DHCP leasing details I can always find at least 8 to 10
> unidentified PCs, and the computer name which never existed in my company,
> with the identity information RAS? Does this mean someone is connecting to my
> server remotely by the RAS method? If the answer is yes, how should I get the
> connection info? My company did not implement VPN, and we do not allow
> users to connect to the server after working hours (only normal mail services
> available). So could this mean someone is connecting to my server,
> possibly from outside?
>
> We do have a problem with a previous IS employee, but he left our
> company a long time ago; the reason I say that is because he has
> never stopped attacking the company from time to time, by virus or mail bomb,
> and always addresses himself as internal IS Dept. head. I caught him a few
> times......................
>
> So can anyone please tell me how to investigate this situation and how to
> close the possible security leak hole.
>
> Appreciate the help in advance.
>
> Snoopy
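
One way to triage the lease list that the reply tells you to work from, as an added example that is not part of the original post: it flags leases whose unique ID begins with the ASCII bytes "RAS ", groups them by computer name to give the list of addresses to ping, and pulls out a MAC to look up on the switches. The CSV columns, the sample rows, and the assumption that the six bytes after the prefix are the requesting server's adapter MAC are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a lease export with address, name and client unique ID (hex).
SAMPLE_LEASES = """ip,name,unique_id
192.168.1.50,ACCT-PC01,000d56a1b2c3
192.168.1.101,GHOSTBOX,52415320001122334455000000000000
192.168.1.102,GHOSTBOX,52415320001122334455000000000100
192.168.1.103,GHOSTBOX,52415320001122334455000000000200
192.168.1.60,FRONTDESK,0011d8aabbcc
"""

RAS_PREFIX = b"RAS "  # hex 52 41 53 20 at the start of the unique ID


def parse_unique_id(hex_id):
    """Return (is_ras, mac_hint); mac_hint is the 6 bytes after 'RAS ' (assumed layout)."""
    try:
        raw = bytes.fromhex(hex_id.replace("-", "").replace(":", "").strip())
    except ValueError:
        return False, None  # not valid hex, so not something we can classify
    if not raw.startswith(RAS_PREFIX):
        return False, None
    mac = raw[4:10]
    hint = ":".join(f"{b:02x}" for b in mac) if len(mac) == 6 else None
    return True, hint


def find_ras_leases(csv_text):
    """Group RAS-tagged leases by computer name: {name: {"ips": [...], "mac_hints": set}}."""
    hits = defaultdict(lambda: {"ips": [], "mac_hints": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_ras, hint = parse_unique_id(row["unique_id"])
        if is_ras:
            hits[row["name"]]["ips"].append(row["ip"])
            if hint:
                hits[row["name"]]["mac_hints"].add(hint)
    return dict(hits)


if __name__ == "__main__":
    for name, info in find_ras_leases(SAMPLE_LEASES).items():
        print(f"{name}: {len(info['ips'])} RAS leases")
        print("  ping targets:", ", ".join(info["ips"]))
        print("  MAC to look up on switches:",
              ", ".join(sorted(info["mac_hints"])) or "unknown")
```
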