
[Article]-RichM Takes the Field


don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Nov 29, 2006 12:59 am

[Article]-RichM Takes the Field

In this first installment of RichM's journal of his daunting new job, he tackles dirt, warez, nmap and a dubious decision by the previous admin.

RichM Takes the Field

Don
CISSP, MCSE, CSTA, Security+ SME

LSOChris

Post Wed Nov 29, 2006 5:59 pm

Re: [Article]-RichM Takes the Field

Ahhh, sounds like a rough first month. You may want to do a FULL Nmap scan, 1-65535, to catch any ports that shouldn't be open, like trojans and backdoors, which sounds like it could be a realistic scenario on your network.

All you showed was the Class C; can we assume that's all the computers you have? Are you running Active Directory? A lot of locking down can be done with Group Policy. I know you probably have to be a bit vague about the network setup, but can you say what OSes you are dealing with? 2k, XP, 2k Server, 2k3 Server?

You may want to consider creating a baseline OS (master disk, whatever you want to call it) and imaging all of the machines on your network. It's a significant amount of work at first, but it will save you time later because you'll know that all the machines on your network have the same configuration, and when/if a machine is compromised it's easy to get that box up and running.

I can help you with that if that's something you want to take on.
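The point of the full-range scan Chris suggests is not the ports you know about but the ones nobody provisioned. Below is an added example (mine, not from the article or anyone in this thread) that parses nmap's greppable output (`-oG`) and reports every open port that is not on a per-host allowlist. The scan output, host names, addresses and the allowlist are constructed for the example; the allowlist keys and the "*" default are my own convention.

```python
"""Diff a full-range nmap scan (-p 1-65535 -oG) against an allowlist of expected ports.

Added example, not code from the article or the thread. Input is nmap's greppable
format, e.g. the output of:  nmap -sS -p 1-65535 -oG scan.gnmap 192.168.1.0/24
"""
import re

# Constructed sample of greppable output; hosts, names and services are made up.
SAMPLE_NMAP_GREPPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.10 (dc1)\tStatus: Up
Host: 192.168.1.10 (dc1)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65530)
Host: 192.168.1.25 (ws-accounting)\tStatus: Up
Host: 192.168.1.25 (ws-accounting)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 31337/open/tcp//Elite///\tIgnored State: closed (65531)
Host: 192.168.1.40 (old-nt-box)\tStatus: Up
Host: 192.168.1.40 (old-nt-box)\tPorts: 21/open/tcp//ftp///, 139/open/tcp//netbios-ssn///, 6667/open/tcp//irc///\tIgnored State: filtered (65532)
# Nmap done
"""

# Assumed allowlist: the ports each role is supposed to expose.
# "*" is the default for any host without its own entry (a plain domain workstation).
EXPECTED_PORTS = {
    "192.168.1.10": {53, 88, 135, 389, 445},   # domain controller
    "*": {135, 139, 445},
}

# One open-port entry in the "Ports:" field looks like  445/open/tcp//microsoft-ds///
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)")


def parse_greppable(text):
    """Return {ip: {(port, proto, service), ...}} for every host with open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments, and the Status-only lines
        ip = line.split()[1]
        for port, proto, svc in PORT_RE.findall(line):
            hosts.setdefault(ip, set()).add((int(port), proto, svc))
    return hosts


def unexpected_ports(hosts, expected=EXPECTED_PORTS):
    """Return {ip: sorted [(port, proto, service), ...]} for ports not on the allowlist."""
    findings = {}
    for ip, open_ports in hosts.items():
        allowed = expected.get(ip, expected["*"])
        extra = sorted(p for p in open_ports if p[0] not in allowed)
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scan = parse_greppable(SAMPLE_NMAP_GREPPABLE)
    for ip, extra in sorted(unexpected_ports(scan).items()):
        for port, proto, svc in extra:
            print(f"{ip}: unexpected {port}/{proto} ({svc or 'unknown service'})")
```

Two caveats when you run this for real: a SYN scan from one vantage point only sees what the host's own filtering lets through, so scan from the same segment as the users, and rerun the scan after the golden image goes out so the allowlist becomes the baseline you diff every future scan against.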

linuxstarved

EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Thu Nov 30, 2006 8:53 am

Re: [Article]-RichM Takes the Field

All you showed was the Class C; can we assume that's all the computers you have?

I did show a Class C, however that may not necessarily be the case :)

Are you running Active Directory?

We are running AD; sadly it is in mixed mode while we show the dinosaur servers the door. It should be fully integrated within the next few months. I am EXTREMELY eager to lock the servers down using Group Policy.

I know you probably have to be a bit vague about the network setup, but can you say what OSes you are dealing with? 2k, XP, 2k Server, 2k3 Server?

I am vague with some things (network class, for example) so I can be detailed with other things. We are running Windows Server 2003 R2 and Exchange 2003 (of course there are those NT boxes which are being phased out).

You may want to consider creating a baseline OS (master disk, whatever you want to call it) and image all of the machines on your network.

Chris, you read my mind :) I am not willing to concede my network to someone else's effort (or lack thereof). I am planning on creating a "golden image", which is locked down, free of unnecessary services, and uses efficient software as opposed to bloatware, e.g. Foxit http://www.foxitsoftware.com/downloads/

It's a significant amount of work at first, but it will save you time later because you'll know that all the machines on your network have the same configuration, and when/if a machine is compromised it's easy to get that box up and running.

I couldn't have said it any better myself; there is a tremendous amount of peace of mind that comes with all that work.

I can help you with that if thats something you want to take on.

I have read your posts in the past and am thrilled that you have taken an interest in my column. I am open to any and all suggestions; this task is somewhat overwhelming, and I think that this column and everyone's feedback will help to give it focus.

psychorugger

Newbie

Posts: 12

Joined: Tue Dec 05, 2006 10:57 am

Location: DC, Maryland

Post Tue Dec 05, 2006 5:24 pm

Re: [Article]-RichM Takes the Field

This sounds like a similar project to one I did about 5 or 6 years ago. Sounds interesting. I think I'll keep watching this one.

I like the idea of ghosting the images and pushing them back out. What kind of budget do you have to work with? Are thin clients or virtualization an option? That might help a little.
IAM, IEM, RWSP, CPTS

slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Fri Dec 08, 2006 8:18 am

Re: [Article]-RichM Takes the Field

I feel your pain RichM, as I have been there too. I found that if the network is not too large you should try not to use DHCP. With DHCP users feel it's OK to bring in their personal laptops, and that's when the viruses and Trojans join the network. I also found running Ethereal (Wireshark) for a baseline is a very good idea. A lot of networks I have had to clean up had crazy network traffic running wild, and it's a good idea to understand where you started and where you are later in the game.

One of the networks I fixed about 5 years ago was on a single T-1 with about 20 clients. The complaint was slow speed.... Well, after removing about 4 daisy-chained hubs and installing anti-virus on all the computers, I also found that I needed to see all the traffic on the network to see where the bottleneck was. I was able with a packet sniffer to see 5 client computers were listening to internet radio and a lot of others were running p2p network software. I ended up having to work with the owner of the business to explain what was good for the network and what had to go. Finally I got them thin clients, and since then they were able to downgrade the full T-1 to a fractional T-1, because on the new clean network they were not using all the bandwidth. It just goes to show you that a clean network can & does cost less to maintain and run than an unmaintained mess of a network. I wish you good luck and keep the story going.

Slimjim100
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
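A sniffer baseline is only useful if you reduce the capture to something you can compare month to month. The following is an added example (my code, not from slimjim100 or the article) that takes a per-packet export in the shape tshark produces with `-T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.len` and computes two baseline tables: bytes sent per host, and LAN hosts whose Internet-bound bytes are dominated by a single destination port, which is the shape both a radio stream (one peer) and a p2p swarm (many peers) have. The LAN prefix, the packet sample and the thresholds are assumptions made for the example.

```python
"""Per-host traffic baseline from a tshark field export.

Added example, not code from the thread. Expected input is the tab-separated output of
  tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.len
"""
from collections import Counter, defaultdict

# Assumed LAN range; the article only showed "a Class C".
INTERNAL_PREFIX = "192.168.1."

# Constructed sample export; addresses, ports and frame sizes are made up.
# The last line has an empty tcp.dstport field (a non-TCP packet), as tshark emits it.
SAMPLE_EXPORT = """\
192.168.1.25\t203.0.113.9\t8000\t1480
192.168.1.25\t203.0.113.9\t8000\t1480
192.168.1.25\t203.0.113.9\t8000\t1480
192.168.1.25\t192.168.1.10\t445\t120
192.168.1.31\t198.51.100.7\t6881\t1400
192.168.1.31\t198.51.100.8\t6881\t1400
192.168.1.31\t198.51.100.9\t6881\t1400
192.168.1.31\t198.51.100.10\t6881\t1400
192.168.1.12\t192.168.1.10\t389\t90
192.168.1.12\t192.168.1.10\t445\t300
192.168.1.12\t93.184.216.34\t80\t600
192.168.1.10\t192.168.1.12\t\t200
"""


def parse_export(text):
    """Return [(src, dst, dst_port_or_None, frame_len), ...]; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4 or not fields[0] or not fields[1]:
            continue
        src, dst, port, length = fields
        rows.append((src, dst, int(port) if port else None, int(length)))
    return rows


def bytes_per_host(rows):
    """Bytes sent per source address: the 'top talkers' table of the baseline."""
    totals = Counter()
    for src, _, _, length in rows:
        totals[src] += length
    return totals


def dominant_external_port(rows, share=0.5, min_bytes=1000):
    """LAN hosts whose Internet-bound bytes are concentrated on one destination port.

    Returns {host: (port, bytes_on_that_port, distinct_external_peers)} for hosts that
    sent at least `min_bytes` off the LAN with at least `share` of it to a single port.
    """
    per_host_port = defaultdict(Counter)            # host -> port -> bytes
    peers = defaultdict(lambda: defaultdict(set))   # host -> port -> {dst}
    for src, dst, port, length in rows:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            per_host_port[src][port] += length
            peers[src][port].add(dst)
    findings = {}
    for host, ports in per_host_port.items():
        total = sum(ports.values())
        port, nbytes = ports.most_common(1)[0]
        if total >= min_bytes and nbytes / total >= share:
            findings[host] = (port, nbytes, len(peers[host][port]))
    return findings


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for host, nbytes in bytes_per_host(rows).most_common(5):
        print(f"{host:16} {nbytes:8d} bytes sent")
    for host, (port, nbytes, npeers) in sorted(dominant_external_port(rows).items()):
        print(f"{host}: {nbytes} bytes to port {port} across {npeers} external peer(s)")
```

Capture from a span/mirror port or a hub-era tap so you see all segments, not just your own, and save the two tables from the first clean week; the interesting report later is the diff against them, not the absolute numbers.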

linuxstarved

EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Wed Dec 13, 2006 4:45 pm

Re: [Article]-RichM Takes the Field

Psychorugger,

What kind of budget do you have to work with?  Are thin clients or virtualization an option?  That might help a little.

Unfortunately, getting the budget for a few new servers and a much-needed upgrade to 2003 (Server and Exchange) has used up the budget for the foreseeable future. It is frustrating, but it also forces me to be resourceful. Yesterday I received a survey asking about the infosec tools that I had and used. Every item on the list was commercial, and I had to laugh at the end of the survey: I hadn't checked a single box, except of course "none of the above".

I would love to get thin clients; as far as I'm concerned, the less control a user has over "their" machine, the happier I am. The idea of having all data stored centrally excites me, but for now that will not be an option. I have looked at virtualization, but as of right now I have bigger fish to fry. Thanks for your enthusiasm; hope you continue to enjoy the column.

Slimjim100,

I also found running Ethereal (Wireshark) for a baseline is a very good idea. A lot of networks I have had to clean up had crazy network traffic running wild, and it's a good idea to understand where you started and where you are later in the game.

I love Wireshark; I can't say enough good things about it. Glad you mentioned it, great app.

I was able with a packet sniffer to see 5 client computers were listening to internet radio and a lot of others were running p2p network software.

What a surprise, any chance the owner was one of the guilty parties? 

I wish you good luck and keep the story going.

Thank you very much, I will do my best.

LSOChris

Post Wed Dec 13, 2006 5:26 pm

Re: [Article]-RichM Takes the Field

With Group Policy on 2003 Server you can lock down the boxes pretty well. That should help you out a bit if you have users that are doing things they shouldn't on the network.

psychorugger

Newbie

Posts: 12

Joined: Tue Dec 05, 2006 10:57 am

Location: DC, Maryland

Post Thu Dec 14, 2006 6:29 pm

Re: [Article]-RichM Takes the Field

I agree with Chris: lock those dudes down with Group Policy, and if you do have DHCP, or if it's large enough to worry about, you can lock that down with DHCP reservations. It's a little more overhead to administer DHCP, but it keeps the users from bringing in their home computers and connecting up. The other solution I can think of is NAC with the switches, but I don't know if you have the right equipment or time for that.

SlimJim's idea is good too, though, if it is a small environment. I can't remember, but I think Cain will run through and grab all of the MAC addresses for you, though then so will a lot of other tools.

Is there some kind of web content proxy with AV or something in place, or that can be implemented, that you're looking at rolling? I'm guessing and hoping that the mail piece is already there and in somewhat decent shape.

Nice work and keep us informed. I'm either having a brainstorm or a brainfart, I'm not sure which yet, but I'm enjoying the post and getting frustrated with these guys at the same time. I can set up a lab if you need someone to help test ideas, though.

SlimJim,

I feel you on the company you were talking about. I had one similar that was cross-platform 'nix, NT4, and Mac with everything (including workstations) on public IP addresses behind a commercial ISDN line... Yeah, not fun.

Keep up the good work guys.
Last edited by psychorugger on Fri Dec 15, 2006 9:39 am, edited 1 time in total.
IAM, IEM, RWSP, CPTS
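Whether you go reservation-only DHCP or just want the MAC list psychorugger mentions, the useful check is the same: compare what is actually answering on the wire with what the DHCP server was told to expect. Below is an added example (mine, not from anyone in this thread) that parses the Windows `arp -a` layout and audits it against a reservation table. The ARP output and the reservation table are constructed; I assume the reservations were exported from the scope (for example from `netsh dhcp server scope <scope> show reservedip`, whose exact output layout you should check on your own server) into the IP-to-MAC dictionary the code uses.

```python
"""Audit the ARP table against DHCP reservations.

Added example, not code from the thread. Reports two things a reservation-based
setup cares about: MACs on the wire with no reservation at all (an unplanned
device), and reserved MACs answering from an address other than the one reserved.
"""
import re

# Constructed `arp -a` output in the Windows layout; addresses are made up.
SAMPLE_ARP = """\

Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.10          00-0c-29-3a-1b-2c     dynamic
  192.168.1.25          00-0c-29-aa-bb-cc     dynamic
  192.168.1.77          00-1b-63-9f-12-34     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumed reservation export: reserved IP -> MAC (any separator style accepted).
RESERVATIONS = {
    "192.168.1.1":  "00-11-22-33-44-01",
    "192.168.1.10": "00:0c:29:3a:1b:2c",
    "192.168.1.25": "000c2911ffee",     # .25 is reserved for a different NIC
    "192.168.1.30": "00-1b-63-9f-12-34",  # this MAC should be on .30, not .77
}

ARP_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE,
)


def norm_mac(mac):
    """Canonical form used for comparison: 12 lower-case hex digits, no separators."""
    return mac.replace("-", "").replace(":", "").lower()


def parse_arp(text):
    """Return {ip: mac} for dynamic entries; static entries (broadcast etc.) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = norm_mac(m.group(2))
    return table


def audit(arp, reservations):
    """Compare the ARP table with the reservations.

    Returns (unreserved, mismatched):
      unreserved = [(ip_seen, mac)] for MACs that have no reservation,
      mismatched = [(ip_seen, mac, ip_reserved)] for reserved MACs on the wrong address.
    """
    by_mac = {norm_mac(m): ip for ip, m in reservations.items()}
    unreserved, mismatched = [], []
    for ip, mac in sorted(arp.items()):
        if mac not in by_mac:
            unreserved.append((ip, mac))
        elif by_mac[mac] != ip:
            mismatched.append((ip, mac, by_mac[mac]))
    return unreserved, mismatched


if __name__ == "__main__":
    unreserved, mismatched = audit(parse_arp(SAMPLE_ARP), RESERVATIONS)
    for ip, mac in unreserved:
        print(f"no reservation: {ip} ({mac})")
    for ip, mac, reserved_ip in mismatched:
        print(f"reserved for {reserved_ip} but seen at {ip}: {mac}")
```

Two practical caveats: an ARP cache only holds hosts that talked recently, so sweep the subnet (a ping sweep or the nmap scan from earlier in the thread) right before you read it, and it only covers your own broadcast domain. Also, a reservation keys on the MAC, and a MAC is trivially changed, so this keeps honest users' home laptops off the network; it does not stop someone who sets their MAC to match a known one, which is the case where the switch-side NAC psychorugger mentions is the real control.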
