Possible Security Leak

Archived from groups: microsoft.public.win2000.security

Dear Pros,

I always get a warning message from my DHCP server service telling me that
the available IPs are running low; I actually get this message from the event log.
But when I check my DHCP lease details I always find at least 8 to 10
unidentified PCs, with computer names which never existed in my company, with
the identity information RAS. Does this mean someone is connecting to my
server remotely by the RAS method? If the answer is yes, how should I get the
connection info? My company did not implement VPN, and we do not allow
users to connect to the server after working hours (only normal mail services
are available). So could this mean someone is connecting to my server,
possibly from outside?

We do have a problem with a previous IS employee, but he left our
company a long time ago. The reason I say that is because he has
never stopped attacking the company from time to time, by virus or mail bomb,
always addressing himself as the internal IS Dept. head. I caught him a few
times......................

So can anyone please tell me how to investigate this situation and how to
close the possible security hole.

Appreciate the help in advance.

Snoopy
  1. Archived from groups: microsoft.public.win2000.security

    I've had this on one PC which had an internal modem (it wasn't ever
    plugged into the phone line) - DHCP seemed to be allocating an address
    for this even though it wasn't actually being used. It was the only way
    in which this machine was any different to all the others - but it was
    clear which machine it was so the situation isn't totally similar to yours.
  2. Archived from groups: microsoft.public.win2000.security

    It sounds like there is a remote access server somewhere on your network.
    This ex employee may have set one up or even a current employee may have set
    one up without authorization. Try to ping that computer name to see if you
    get a response and also ping all the addresses that are shown as being
    leased to that computer as one may be to the remote access server itself. If
    you can ping it, then you will have to go from there to try and track it
    down possibly by using the MAC address to trace it to a port if you can
    query your switches for such. I would also scan your entire network with a
    network scanner such as Superscan 4 to see if you can find any unauthorized
    computers or devices such as a wireless access point. Superscan 4 [free from
    Foundstone] will give info that may be helpful about IP addresses it finds
    including the names of the computers or devices. Make sure this ex employee
    does not have an active account and check the membership of all the
    administrator groups for the domain to make sure it is what is expected and
    change the administrator account for the domain. Also make sure that you are
    logging account logon events in Domain Controller Security policy as the
    security logs of the domain controllers may then provide some clues. ---
    Steve
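
One way to triage the lease list discussed in this thread before pinging and tracing individual addresses, as an added example that is not part of any poster's reply. It assumes the leases were exported to CSV with hypothetical columns `ip`, `name` and `client_id` (the unique ID as hex), and that a RAS-tagged unique ID is the ASCII text "RAS " followed by the requesting server's 6-byte adapter address; all sample values are constructed.

```python
import csv
import io

# Constructed sample: a lease export with assumed columns (ip, name, client_id).
# client_id is the lease's unique ID as hex; values are made up for illustration.
SAMPLE_LEASES = """ip,name,client_id
192.168.1.20,ACCT-PC01,0050da112233
192.168.1.51,,524153200050da445566000000000000
192.168.1.52,,524153200050da445566000001000000
192.168.1.53,,524153200050da445566000002000000
192.168.1.77,GUESTBOX,00e018aabbcc
"""

# Constructed inventory of machine names the company actually owns.
KNOWN_HOSTS = {"ACCT-PC01", "HR-PC02", "MAIL01"}


def decode_client_id(hex_id):
    """Return the unique ID as bytes, or b'' if it is not valid hex."""
    try:
        return bytes.fromhex(hex_id.strip())
    except ValueError:
        return b""


def triage_leases(lease_csv, known_hosts):
    """Split leases into RAS-tagged blocks and leases with unknown names."""
    ras_blocks = {}      # embedded hardware address -> list of leased IPs
    unknown = []         # (ip, name) for names not in the inventory
    known = {h.upper() for h in known_hosts}
    for row in csv.DictReader(io.StringIO(lease_csv)):
        raw = decode_client_id(row["client_id"])
        if raw[:3] == b"RAS":
            # Assumption: the 6 bytes after "RAS " are the requesting
            # server's adapter address, which is what you trace on switches.
            owner = raw[4:10].hex()
            ras_blocks.setdefault(owner, []).append(row["ip"])
        elif row["name"].strip().upper() not in known:
            unknown.append((row["ip"], row["name"]))
    return ras_blocks, unknown


if __name__ == "__main__":
    blocks, unknown = triage_leases(SAMPLE_LEASES, KNOWN_HOSTS)
    for owner, ips in blocks.items():
        print(f"RAS-tagged leases requested by {owner}: {', '.join(ips)}")
    for ip, name in unknown:
        print(f"Lease for name not in inventory: {ip} {name!r}")
```

Grouping the RAS-tagged leases by the embedded address gives one hardware address per suspected remote access server, which is the value to look up on the switches.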

