
Security Issues

Status
Not open for further replies.

reynolwi

IS-IT--Management
Sep 7, 2006
452
US
Ok... I'm not sure whether I need to post here or in the WinXP Pro forum, but here is what I have.

I have a user that likes to hack, apparently. I have no idea what program(s) he is using to find the enterprise admin's password, but he is doing it somehow. We require complex passwords and I have it set for a min of 7 chars, and it has to have uppercase and alphanumeric characters to be accepted by AD. He keeps admitting he isn't doing it, but I've come in before and saw where an enterprise admin was still logged into his workstation and it hung on logging off because of software he installed a while ago that apparently didn't come all the way off when I uninstalled it, so it now hangs with that stupid message saying the program is still running or that stupid crap. He shoulda made sure it logged off before he left, but that's beside the point.

What can I do to find out what he is using on the computer, because it's got to be installed or something. He keeps saying he isn't doing it, and the admin accounts he is accessing I can't disable because that's what they use to log in every day. Any suggestions? And yes, he is being handled, but being related to the big man I don't think he is gonna be fired.

So I'm stuck. I need some suggestions because I want to prevent this.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
You could set a GPO to ban the .exe/program he is running on his workstation!!

Stand up wherever you are, go to the nearest window and yell as loud as you can, 'I'm mad as hell, and I'm not going to take it anymore.'
 
But I'm not sure what he is running. I can't find anything that just sticks out when I'm looking through processes. I have SysInternals Process Explorer and I'm constantly looking at it trying to find what he is using.

I'm probably gonna wipe the drive clean and re-install Windows XP Pro; I just need to lock the computer down extremely well. Any suggestions?

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
As far as identifying the applications he has installed on his workstation, I might suggest running some type of discovery program. I have used Belarc Advisor in the past with good results.


How about wrenching up the security logging on his PC with a GPO? You may also want to expand his log size so that you can retrieve history for at least a couple weeks.

Hope This Helps,

Good Luck!

(Enamoration by Automation)
 
Tough spot to be in. I like the idea of re-imaging his PC to get it back to ground zero. What I'd do next is dump his registry after the image so you have a baseline. You can use regedit to do it remotely. Once you suspect he is up to no good, or whenever, run the dump utility again and look to see what has changed. As long as the programs he may be using are loaded to the registry, you should be able to find traces of them. You may have to google quite a bit to truly ID the program, but you will have a fighting chance to see what it is and how it loads to the registry. With that knowledge you should be able to write a specific GPO blocking the registry from being configured that way again!

Giving your admin accounts really hard passwords is worthwhile too. Mine, for example, is 15 characters with numbers and isn't really a word. I have a compound word that doesn't exist, like "duplextelevision87". Crackers have a hard time with that... Also, locking an account after 3-4 attempts is good practice, say for like 10 minutes. It would take days to crack.
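The "dump the registry after imaging, then compare later" approach from the post above, written out as an added example (this is not code from the thread or from any of the posters). It snapshots the usual auto-start locations (the Run/RunOnce keys and the service install points) right after the rebuild, and a later snapshot is diffed against that baseline so new entries stand out. Assumptions: Windows PowerShell 5.1, a local administrator session, and the `C:\Admin\...` paths, which are placeholders. HKCU is the hive of whoever runs the script, so the per-user keys are only meaningful when the snapshot is taken in the user's own session (for instance from a logon script).

```powershell
# Added example, not from the thread. Registry auto-start baseline and diff.
# Assumes Windows PowerShell 5.1; paths under C:\Admin are placeholders.

$AutoStartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # hive of the running user
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'                   # one subkey per service
)

function Get-AutoStartSnapshot {
    # Flatten every value under the watched keys into Key/Name/Value rows,
    # which is the shape Compare-Object can diff property by property.
    foreach ($key in $AutoStartKeys) {
        if (-not (Test-Path $key)) { continue }
        # The key's own values plus those of its immediate subkeys: the Run keys
        # hold their entries directly, services sit one level down.
        $items = @(Get-Item -Path $key) +
                 @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                # For services only the binary path and start type matter here.
                if ($item.Name -like '*\Services\*' -and $name -notin 'ImagePath','Start') { continue }
                [pscustomobject]@{
                    Key   = $item.Name
                    Name  = $name
                    Value = [string]$item.GetValue($name)
                }
            }
        }
    }
}

function Compare-AutoStartSnapshot {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [Parameter(Mandatory)][string]$CurrentPath
    )
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Import-Clixml -Path $CurrentPath
    # A changed value shows up as one REMOVED line (old) and one ADDED line (new).
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Key, Name, Value |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0,-8} {1}\{2} = {3}' -f $state, $_.Key, $_.Name, $_.Value
        }
}

# Right after re-imaging: record the clean state once.
Get-AutoStartSnapshot | Export-Clixml -Path 'C:\Admin\autostart-baseline.xml'

# Later, when something looks wrong: snapshot again and print what changed.
Get-AutoStartSnapshot | Export-Clixml -Path 'C:\Admin\autostart-now.xml'
Compare-AutoStartSnapshot -BaselinePath 'C:\Admin\autostart-baseline.xml' `
                          -CurrentPath  'C:\Admin\autostart-now.xml'
```

Keep the baseline file somewhere the user cannot write to (a share the workstation can only read, or a removable key the admin carries); a baseline the user can edit is no baseline. The `ADDED` lines are the entries to look up and, once identified, to block with the GPO the post describes.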
 
I need to create a GPO for his account, I know. I need some suggestions though for what kind of restrictions I need to put in place, and I'm seriously thinking of making my administrators start logging in with restrictive accounts instead of accounts with administrative privileges all the time. Make like 1 or 2 accounts with full admin privileges and use them only when needed.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
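Before trimming admin rights down to "1 or 2 accounts", it helps to know who currently holds them and which of those accounts are being used for everyday logons. The following is an added example (not code from this thread or from any poster) that lists every user in the built-in high-privilege groups, expanding nested groups, together with the last logon Active Directory has recorded for each. It assumes the ActiveDirectory module from RSAT, Windows PowerShell 5.1, and that it is run in the forest root domain, where Enterprise Admins and Schema Admins live; the group names are the Windows defaults.

```powershell
# Added example, not from the thread. Inventory of privileged group membership.
# Assumes the RSAT ActiveDirectory module and that this runs in the forest root domain.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedAccountReport {
    param(
        # LastLogonDate comes from the replicated lastLogonTimestamp attribute,
        # which can lag the real last logon by up to 14 days, so a window much
        # shorter than that gives misleading results.
        [int]$RecentDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups, so a user hidden two groups deep is still listed.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $group
                User            = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogon       = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # A privileged account that logs on routinely is being used as a daily account.
                UsedRecently    = ($null -ne $u.LastLogonDate -and $u.LastLogonDate -gt $cutoff)
            }
        }
    }
}

Get-PrivilegedAccountReport -RecentDays 30 |
    Sort-Object Group, User |
    Format-Table -AutoSize
```

Every row with `UsedRecently` set to True is a candidate for the split the post describes: give that person an ordinary account for daily work and keep the privileged one for the tasks that need it. The same report re-run a month later shows whether the cleanup stuck.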
 
The idea of using regular user accounts for daily use is good. I would also create an account for each administrator, with the necessary access to get their job done. Nobody should be logging in with an administrator account by default. This is unnecessary.

As well, auditing will be easier to monitor. I would also suggest creating a logon script in these cases, one that you can attach to a user account when needed. Essentially, the script would write events to a file and message you whenever access events occur. This can be very handy in a situation where you might need evidence to prove access violations.

Hope This Helps,

Good Luck!

(Enamoration by Automation)
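The logon script described in the post above, written out as an added example (not the poster's code and not from this thread): each interactive logon appends one line to a per-workstation CSV on a central share, and when the account logging on belongs to a privileged group the script sends a mail alert. Assumptions: Windows PowerShell 5.1, a share `\\SERVER\logonlog$` to which authenticated users can append but not read or delete, an internal SMTP relay, and that the privileged groups resolve in the user's logon domain; the server, domain and address names are placeholders. It is meant to be attached through the user's logon script setting in the GPO.

```powershell
# Added example, not from the thread. Logon script: record every logon centrally,
# alert on privileged ones. All server and address names below are placeholders.
param(
    [string]$LogShare   = '\\SERVER\logonlog$',
    [string]$SmtpServer = 'smtp.example.internal',
    [string]$AlertFrom  = 'logonwatch@example.internal',
    [string]$AlertTo    = 'admin@example.internal'
)

# Groups whose logons on an ordinary workstation are rare enough to report every time.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins'

function Get-LogonRecord {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isPrivileged = $false
    foreach ($g in $PrivilegedGroups) {
        # IsInRole by name expects DOMAIN\Group; an unresolvable name returns $false.
        if ($principal.IsInRole("$env:USERDOMAIN\$g")) { $isPrivileged = $true }
    }
    [pscustomobject]@{
        Time       = (Get-Date).ToString('s')
        Computer   = $env:COMPUTERNAME
        User       = $identity.Name
        Session    = $env:SESSIONNAME      # Console vs. RDP-Tcp#n
        Privileged = $isPrivileged
    }
}

function Write-LogonRecord {
    param([Parameter(Mandatory)][pscustomobject]$Record)
    # One file per workstation so lines from different machines never interleave.
    $path = Join-Path $LogShare "$($Record.Computer).csv"
    $csv  = $Record | ConvertTo-Csv -NoTypeInformation   # [0] = header, [1] = data
    if (-not (Test-Path $path)) { Add-Content -Path $path -Value $csv[0] }
    Add-Content -Path $path -Value $csv[1]
}

function Send-LogonAlert {
    param([Parameter(Mandatory)][pscustomobject]$Record)
    $body = "Privileged account $($Record.User) logged on to $($Record.Computer) " +
            "at $($Record.Time) (session $($Record.Session))."
    Send-MailMessage -SmtpServer $SmtpServer -From $AlertFrom -To $AlertTo `
        -Subject "Privileged logon on $($Record.Computer)" -Body $body
}

# A logon script must never block the logon, so failures are swallowed here.
try {
    $record = Get-LogonRecord
    Write-LogonRecord -Record $record
    if ($record.Privileged) { Send-LogonAlert -Record $record }
} catch {
    # Nowhere sensible to report to from inside a logon script; exit quietly.
}
```

The script records what the user's own session sees, so it complements rather than replaces the Security event log the earlier post suggested enlarging: the workstation's log is what the user can tamper with, the share is not. On the same machine, `Limit-EventLog -LogName Security -MaximumSize 512MB` (or the equivalent GPO setting) keeps the local 4624/4625 logon events around long enough to line them up with the CSV when something needs proving.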
 
Look at Microsoft's supplied GPOs. There is a standard client and a highly restricted one; use it on him, then unlock a few of the restrictions as you/he requires. You will soon find out what he needs to run that you're not happy with. Agree with the above for events on top of it!!!

Stand up wherever you are, go to the nearest window and yell as loud as you can, 'I'm mad as hell, and I'm not going to take it anymore.'
 
"There is seldom a technological solution for a behavioral problem" - Ed Crowley

Belarc Advisor can't be used in a corporate environment. It's a violation of their licensing.

Wipe the machine, make him a user on it and NOTHING HIGHER. A Power User can self elevate to a local admin, given the right tools. Implement GPOs that chop off access to everything like the RUN command, Control Panel, and all the options in IE. Change the boot options so he can't boot off of anything but the hard drive & password protect the BIOS.

Stick a copy of the company's Usage Policy in front of him. If it happens again, fire him.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Ah yea... I really just want to take him out back and beat him, then bury him in a nice big hole. Can't, but wish I could. He's related to the boss so I don't think anything is gonna happen to him.

I've password protected the BIOS, and I think I'm gonna stick C: as the first boot drive so it skips the floppy and the DVD, and then do some modding on a GPO.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
Well here is what I would do; some of these guys have some good ideas so I'll throw a few more out to ya. Password protecting the BIOS is ok, but you should also turn off booting to a CD-ROM (you can GPO them from even using it, which ain't a bad idea) and block them from using a USB key or other device. Set him as a user (like Pat said above, block him from downloading, Run, Control Panel, Task Manager, block local login, etc. Heck, you can even make the "C" drive read only.)

The reality of it is, if he really wants access to something he can get it. If I can boot to a CD or USB key, there isn't a GPO out there that can stop me after that point. They may slow me down but not stop me from undoing all the GPOs. You have to stop him from getting to anything beyond his own PC.

Anything that doesn't need to be shared on your network, unshare it. Shore up NT permissions on your network (how many rogue groups does he have membership to that have permissions to other areas?). Just start slowly removing his permissions; I'd start with your servers and work your way to the desktop.

He can do whatever he wants to the PC; worst case you'll have to reinstall the OS. Do it once, then create a Ghost image, throw it on DVD or a large USB key, and if he gets smart again, ghost his machine. After you do it a few times in a week he'll get the idea. A USB key Ghost image takes literally less than 5 minutes to reinstall an XP machine with Office '03 and all the updates, and will fit on a 4 gig memory key. About 10-15 minutes to re-OS from a DVD image.

He can go out for lunch and come back to a newly OS'ed machine. Whoever said there's nothing worse than a woman scorned never made a network admin mad!

Cheers
Rob
 