[ale] Network security question

James P. Kinney III jkinney at localnetsolutions.com
Mon Apr 2 20:14:01 EDT 2007


On Mon, 2007-04-02 at 19:38 -0400, Mark Wright wrote:
> Hi folks,
> 
> 
> I have a problem my boss dumped in my lap.  He is going to let our
> network admin go because he is dishonest.  He is also pretty good and has
> bragged about how he hacked his former employer (HP) for mischief when
> he was terminated.  My boss wants me to tell him what he should do
> before he fires this guy to make sure this guy can't disrupt our
> business after he's gone.  We don't know that he will, but my boss
> thinks so.
> 
> 
> The office is in Chicago (me in Woodstock).  There are about 5 Windows
> 03 servers and 5 AIX, a Cisco router and a Cisco firewall.  My boss is
> not worried about the AIX as that is our expertise.  One of the
> Windows boxes hosts RDP and one is a webserver using Cold Fusion.
> Those are the ones he worries about.  He had trouble before when he
> tried to change the Cold Fusion password.  The web site stopped
> working, so he is afraid to do that even though he knows he needs to.

The password will need to be changed simultaneously for both the server
and all the applications running from it. Create new users first on the
server, then create the new users in the web applications. This should be
done initially offline and tested using the site mockup. Once the
dismissal occurs, drop in the new app configs with the new users and
restart.
> 
> 
> I suggested to him that all the account passwords should be changed on
> every box for every user and possibly disable email ports on any
> system that doesn't need email.  I was wondering about rootkits that
> may have been left behind or code that could email out the new
> passwords in a week or so.
> 
I agree on the total password change. And disable ALL ports not KNOWN to
be used. Don't leave something open because you _think_ it is used.
> 
> I know there are some excellent security experts out there.  Any tips
> would be greatly appreciated.


All systems will have to be scanned just before and again just after the
dismissal. There needs to be a "shadow admin" brought on immediately to
start the security sweeps. Once the dismissal occurs, the shadow becomes
the real admin.

There will need to be some serious penetration testing done just prior
to the dismissal (think same day). Basically, the systems will need to
be locked down and secure first. Once that is done, the exiting admin
has their passwords locked off on all machines.

This is a seriously no-fun process. The only potential upside to this is
that the ones who brag about past exploits are not very dangerous. They
typically did "something" with some script-kiddie tools (bad enough, but
manageable).

> 
-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions, LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
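One way to carry out the "scan just before and again just after, and disable ALL ports not KNOWN to be used" advice above, as an added example that is not part of this thread or anyone's reply: a small Python script that takes two listening-socket snapshots in the layout of `ss -tlnp` output (the sample output below is constructed, and the allowlist of known services is hypothetical) and reports every listener that is not on the allowlist, plus anything that appeared between the two snapshots.

```python
"""Before/after audit of listening TCP ports on a host being handed over.

Snapshot the listeners before the dismissal, snapshot again after, and
flag (a) anything not on the list of services the business KNOWS it
needs and (b) anything that appeared between the two snapshots.
Input lines follow the layout of `ss -tlnp` output.
"""
import re

# Constructed sample in `ss -tlnp` layout (not captured from a real host).
BEFORE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("httpd",pid=1204,fd=4))
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=955,fd=13))
"""
AFTER = BEFORE + """\
LISTEN 0      128    0.0.0.0:9999        0.0.0.0:*         users:(("unknown_bin",pid=3121,fd=3))
"""

# Hypothetical allowlist: port -> process name the business has confirmed.
ALLOWED = {22: "sshd", 80: "httpd"}

# Matches a LISTEN row and captures local address, port and process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def listeners(ss_output):
    """Return {port: process_name} for every LISTEN row in ss -tlnp output."""
    found = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[int(m.group(2))] = m.group(3)
    return found


def audit(before, after, allowed=ALLOWED):
    """Compare two snapshots against the allowlist.

    'unknown' lists listeners whose port is not allowed, or whose process
    differs from the one expected on that port; 'new_since_baseline'
    lists ports that were not listening in the first snapshot.
    """
    b, a = listeners(before), listeners(after)
    unknown = {p: n for p, n in a.items() if allowed.get(p) != n}
    new = {p: n for p, n in a.items() if p not in b}
    return {"unknown": unknown, "new_since_baseline": new}


if __name__ == "__main__":
    for kind, ports in audit(BEFORE, AFTER).items():
        print(kind, ports)  # anything printed here needs a decision
```

Each flagged port is either added to the allowlist after someone confirms the business needs it, or the service is disabled before the handover.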