Possible Security Leak

Snoopy
Nov 20, 2001
Archived from groups: microsoft.public.win2000.security

Dear Pros,

I always get a warning message from my DHCP server service telling me that
the available IPs are running low; I actually get this message from the event log.
But after I check my DHCP lease details I can always find at least 8 to 10
unidentified PCs, with computer names that never existed in my company, with
the identity information "RAS". Does this mean someone is connecting to my
server remotely by the RAS method? If the answer is yes, how should I get the
connection info? My company did not implement VPN, and also we do not allow
users to connect to the server after working hours (only normal mail services
are available). So could this mean someone is connecting to my server, possibly
from outside?

We did have a problem with a previous IS employee, but he left our
company a long time ago. The reason I say that is because he never
stopped attacking the company from time to time, by virus or mail bomb,
and always addressed himself as the internal IS Dept. head. I caught him a few
times...

So can anyone please tell me how to investigate this situation and how to
close the possible security hole.

Appreciate the help in advance.

Snoopy
 
Guest

Snoopy wrote:
> [Snoopy's original post, quoted in full; see above]

I've had this on one PC which had an internal modem (it wasn't ever
plugged into the phone line) - DHCP seemed to be allocating an address
for this even though it wasn't actually being used. It was the only way
in which this machine was any different to all the others - but it was
clear which machine it was so the situation isn't totally similar to yours.
 
Guest

It sounds like there is a remote access server somewhere on your network.
This ex-employee may have set one up, or even a current employee may have set
one up without authorization. Try to ping that computer name to see if you
get a response, and also ping all the addresses that are shown as being
leased to that computer, as one may be the remote access server itself. If
you can ping it, then you will have to go from there to try and track it
down, possibly by using the MAC address to trace it to a port if you can
query your switches for such. I would also scan your entire network with a
network scanner such as Superscan 4 to see if you can find any unauthorized
computers or devices such as a wireless access point. Superscan 4 [free from
Foundstone] will give info that may be helpful about IP addresses it finds,
including the names of the computers or devices. Make sure this ex-employee
does not have an active account, check the membership of all the
administrator groups for the domain to make sure it is what is expected, and
change the administrator account for the domain. Also make sure that you are
logging account logon events in Domain Controller Security Policy, as the
security logs of the domain controllers may then provide some clues.

--- Steve



"Snoopy" <Snoopy@discussions.microsoft.com> wrote in message
news:F7F0A1F9-AA64-4467-A418-BBD068BA996A@microsoft.com...
> [Snoopy's original post, quoted in full; see above]
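The first step Steve describes, going through the DHCP lease list and pulling out the leases whose names are not company machines or that were issued through RAS, is easy to do by hand for ten leases but worth scripting when it has to be repeated after every "addresses running low" event. The script below is an added example, not code from the thread or from any Microsoft tool. The semicolon-separated lease export, the `RAS-` client-id prefix used to mark remote-access leases, and the host inventory are all constructed assumptions; a real export from the DHCP console or a `netsh` dump would need its own parser, but the triage logic is the same.

```python
"""Triage a DHCP lease list for leases that do not belong to a known host.

Added example, not code from the thread. The lease export layout and the
host inventory below are constructed for this script; they are not the
exact output of any Windows 2000 DHCP tool.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed lease export (assumed layout: ip;client_id;name;type).
LEASE_EXPORT = """\
ip;client_id;name;type
10.1.0.21;00-0c-29-11-22-33;WS-ACCOUNTING-01;DHCP
10.1.0.22;00-0c-29-44-55-66;WS-ACCOUNTING-02;DHCP
10.1.0.40;RAS-6f3a9c;LAPTOP-Z7Q;DHCP
10.1.0.41;RAS-6f3a9c;LAPTOP-Z7Q;DHCP
10.1.0.42;RAS-1b2c3d;JOHN-HOME;DHCP
10.1.0.50;00-50-56-aa-bb-cc;PRINT-SRV-01;RESERVATION
10.1.0.60;00-50-56-dd-ee-ff;WS-UNKNOWN-9;DHCP
"""

# Constructed inventory of the hostnames the company actually owns.
KNOWN_HOSTS = {"WS-ACCOUNTING-01", "WS-ACCOUNTING-02", "PRINT-SRV-01"}


@dataclass(frozen=True)
class Lease:
    ip: str
    client_id: str
    name: str
    lease_type: str

    @property
    def is_ras(self) -> bool:
        # The thread's unknown leases carry "RAS" as their identity; this
        # example models that as a client id starting with "RAS" (assumption).
        return self.client_id.upper().startswith("RAS")


def parse_leases(text: str) -> list[Lease]:
    """Parse the semicolon-separated export into Lease records (names upper-cased)."""
    rows = [line for line in text.splitlines() if line.strip()]
    header = rows[0].split(";")
    leases = []
    for row in rows[1:]:
        fields = dict(zip(header, row.split(";")))
        leases.append(Lease(fields["ip"], fields["client_id"],
                            fields["name"].upper(), fields["type"]))
    return leases


def triage(leases: list[Lease], known_hosts: set[str]) -> dict[str, dict]:
    """Group suspicious leases by computer name.

    A lease is suspicious if its name is not in the inventory or if it was
    issued via RAS. Several addresses under one name stay together, since
    one of them may be the remote access server itself.
    """
    grouped: dict[str, dict] = defaultdict(
        lambda: {"ips": [], "client_ids": set(), "reasons": set()})
    for lease in leases:
        reasons = []
        if lease.name not in known_hosts:
            reasons.append("name not in inventory")
        if lease.is_ras:
            reasons.append("lease issued via RAS")
        if not reasons:
            continue
        entry = grouped[lease.name]
        entry["ips"].append(lease.ip)
        entry["client_ids"].add(lease.client_id)
        entry["reasons"].update(reasons)
    return {
        name: {"ips": sorted(e["ips"]),
               "client_ids": sorted(e["client_ids"]),
               "reasons": sorted(e["reasons"])}
        for name, e in grouped.items()
    }


def leases_per_client_id(leases: list[Lease]) -> dict[str, int]:
    """Count leases per client id; one id holding many addresses is the one to trace first."""
    counts: dict[str, int] = defaultdict(int)
    for lease in leases:
        counts[lease.client_id] += 1
    return dict(counts)


if __name__ == "__main__":
    found = triage(parse_leases(LEASE_EXPORT), KNOWN_HOSTS)
    for name, entry in sorted(found.items()):
        print(f"{name}: {', '.join(entry['ips'])}  [{'; '.join(entry['reasons'])}]")
```

The output lists, per unknown name, the addresses to ping and the client ids to look up in the switches' MAC tables, which is exactly the manual trail Steve recommends; a genuine MAC (as opposed to a RAS id) is the value to search for in the switch forwarding tables.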