Protection from internal employees

By Bhrdwh
Please provide me with list of Information, Tools for securing network & servers from inside (from our employees).

We are using NT 4.0 with Exchange 5.5 at present, with plans to migrate to 2003 AD/Exchange 2003 soon.

Internal security issues -
1. When a user logs in to the domain controller, his password travels (data packets) over the LAN, so anyone using a sniffer tool can capture it & read it. Can we prevent this at all?

2. It's a common secret that NT passwords can be hacked using hacking tools (L0pht etc.). Are any prevention or intrusion detection systems available, so that even if anyone runs that software & starts to probe the domain controller, we can catch him before any passwords get revealed?

3. Any user in the network can delete files/data from shared folders or VSS. Can we know who did that, and when? Maintain logs?

4. We have an FTP server exposed to the outside world; anyone having the ftp-user password can zip critical company data/info, put it on the FTP server & download it at his home (or outside our network). Can we maintain any logs (we already have IIS logs enabled)?

5. We're using Exchange 5.5 with Outlook 2000 clients & ASAP Enterprise Gateway for the antispam solution. Can we offer better protection for sending/receiving emails? Maybe encrypt emails, use PGP?

There may be more such issues I would have missed; please let me know about them & of course ways to stop or minimize them.
How do companies work on these fronts?

If we need to buy new software, tools, extra systems for implementing the above protection, please let me know.

I want to implement & achieve the best internal security setup for our Office.


All Comments
by Murray.wall In reply to Protection from internal ...

1) You can prevent the internal sniffers only by securing your network connections physically in an end-to-end solution, or by implementing IPSec in a hardware solution or a Windows 200x solution. Still some data may be sniffed, but very limited. Securing the internal network infrastructure through port security is one way of accomplishing this.
2) Any user that authenticates to a domain controller that has a user account may have the ability to read the SAM (depending on how things are configured). Turning up logging on your domain controller with regards to security failures may help track this down; I have used this successfully before to track information.
3) Enabling auditing can track and maintain this information. You should enable the auditing domain wide, and ensure your event viewer logs can accommodate the size/load your servers are producing. Set up a test server and enable auditing, set up a share and delete some files and check the Event Viewer; you can see what shows up. Here is a really good article relating to what I am talking about.
4) Your IIS logs in relation to your NT audit logs will tell you; it comes down to checking this information on a regular basis. You could secure your FTP directory to only have certain permissions (ACL and network access) to only allow certain write privileges from local users, and this will then stop people from copying local information to public places. A security policy would/could be effective in this area.
5) Your answer depends on what your business requires. Not every business requires end-to-end PKI, and levels of security should be implemented. If you are a bank, a PKI could probably be implemented. If you are sending lots of public information, PGP may not be the answer, as lots of people do not have PGP sigs. This is a business decision and not one I can answer with the information you have provided.
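The regular log review Murray describes in points 3 and 4 can be scripted. The following Python is an added example, not code from the thread: it parses an IIS FTP log in the W3C extended format (the `#Fields` header names the columns) and a simplified export of object-access audit events, then reports files staged on the FTP server from an internal address and later fetched from an external one, and who deleted what on the share. All log lines are constructed; the internal address ranges and the audit export column layout are this example's assumptions; the event IDs (560 Object Open, 564 Object Deleted) are the ones Windows NT/2000 security logs use for object access.

```python
"""Added example: per-user FTP staging and share-deletion report built from
IIS FTP logs and a security-log audit export (all sample data constructed)."""

# Constructed IIS FTP log, W3C extended format. IIS prefixes the FTP verb
# with the session id: "[12]created" is an upload, "[12]sent" a download.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-03-01 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-bytes cs-bytes
2004-03-01 09:01:10 192.168.1.55 ftpuser [12]USER ftpuser 331 0 0
2004-03-01 09:01:12 192.168.1.55 ftpuser [12]PASS - 230 0 0
2004-03-01 09:02:40 192.168.1.55 ftpuser [12]created finance_q1.zip 226 0 5242880
2004-03-01 09:03:02 192.168.1.55 ftpuser [12]sent pricelist.pdf 226 120000 0
2004-03-01 17:45:09 203.0.113.7 ftpuser [31]USER ftpuser 331 0 0
2004-03-01 17:45:11 203.0.113.7 ftpuser [31]PASS - 230 0 0
2004-03-01 17:46:30 203.0.113.7 ftpuser [31]sent finance_q1.zip 226 5242880 0
"""

# Constructed, simplified export of object-access audit events. Columns
# (an assumption of this example): event id | time | account | object | accesses.
# 560 = Object Open with the requested access mask, 564 = Object Deleted.
AUDIT_EXPORT = """\
560|2004-03-01 11:12:03|CORP\\jsmith|D:\\Shared\\contracts\\vendor_a.doc|READ_CONTROL ReadData
560|2004-03-01 11:12:40|CORP\\jsmith|D:\\Shared\\contracts\\vendor_a.doc|DELETE
564|2004-03-01 11:12:40|CORP\\jsmith|D:\\Shared\\contracts\\vendor_a.doc|-
560|2004-03-01 11:30:15|CORP\\mlee|D:\\Shared\\reports\\q1.xls|ReadData WriteData
"""

# Assumed internal address space for this example.
INTERNAL_PREFIXES = ("192.168.", "10.")


def parse_w3c(text):
    """Parse a W3C extended log: '#Fields:' names the columns, other '#'
    lines are directives, every remaining line is a space-separated record."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def ftp_transfers(records):
    """Keep only file transfers; strip the "[session]" prefix from the verb."""
    out = []
    for r in records:
        verb = r["cs-method"].split("]")[-1]
        if verb not in ("created", "sent"):
            continue
        upload = verb == "created"
        out.append({
            "time": f'{r["date"]} {r["time"]}',
            "user": r["cs-username"],
            "ip": r["c-ip"],
            "action": "upload" if upload else "download",
            "file": r["cs-uri-stem"],
            # bytes received from the client on upload, sent to it on download
            "bytes": int(r["cs-bytes"] if upload else r["sc-bytes"]),
        })
    return out


def staged_exfil(transfers):
    """Flag files uploaded from an internal address and later downloaded from
    an external one: the "zip it, put it on FTP, fetch it from home" pattern."""
    uploads, findings = {}, []
    for t in transfers:  # log order is time order
        internal = t["ip"].startswith(INTERNAL_PREFIXES)
        if t["action"] == "upload" and internal:
            uploads[t["file"]] = t
        elif t["action"] == "download" and not internal and t["file"] in uploads:
            u = uploads[t["file"]]
            findings.append({"file": t["file"], "bytes": t["bytes"],
                             "staged_by": u["user"], "staged_from": u["ip"],
                             "fetched_from": t["ip"], "fetched_at": t["time"]})
    return findings


def deletions(export):
    """Who deleted what and when: an Object Open (560) requesting DELETE,
    confirmed by a matching Object Deleted (564) for the same object."""
    rows = [line.split("|") for line in export.splitlines() if line.strip()]
    confirmed = {(t, acct, obj) for eid, t, acct, obj, _ in rows if eid == "564"}
    return [{"time": t, "user": acct, "object": obj}
            for eid, t, acct, obj, acc in rows
            if eid == "560" and "DELETE" in acc.split() and (t, acct, obj) in confirmed]


if __name__ == "__main__":
    for f in staged_exfil(ftp_transfers(parse_w3c(FTP_LOG))):
        print(f"FTP staging: {f['file']} ({f['bytes']} bytes) uploaded by "
              f"{f['staged_by']} from {f['staged_from']}, fetched from "
              f"{f['fetched_from']} at {f['fetched_at']}")
    for d in deletions(AUDIT_EXPORT):
        print(f"Deleted: {d['object']} by {d['user']} at {d['time']}")
```

Run against real logs, the `#Fields` parsing is what makes the script survive a changed logging field selection; the delete check deliberately requires both the 560 request and the 564 confirmation so that a denied or abandoned delete request is not reported as a deletion.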

by Bhrdwh In reply to Protection from internal ...

Does not work. Please advise more on how to implement IPSec; we have only TCP/IP running with internal invalid IPs inside, protected by a firewall to our ISP.


by Murray.wall In reply to Protection from internal ...

Companies usually develop a strategy to identify what critical information systems they have and how best they can secure them. Policies implemented with fundamental security practices are usually a good first cost-effective step to getting more secure.


by Lizzy In reply to Protection from internal ...

You should definitely do as the first answer suggested and institute auditing domain wide.

Enforce strong password rules on domain--longer passwords with mixed cases and must be unique for at least 12 month cycle with frequent changes.

Educate your users in the use of email. Do not allow attachments to be sent or received.

Strong user restrictions over the domain are a must in this instance where no downloads are allowed, no installations of software are allowed unless it is the administrator.

Make sure that the administrator account is not named administrator or admin and that it has a very strong password.

If you are worried about packet sniffers being installed on your network, you are either very paranoid or your data is highly classified and can be exploited for profit. You should definitely spend more on security if so, and approach it from within and also perhaps with a security contract specialist as well.
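Lizzy's password rules can be checked before a change is accepted. The Python below is an added example, not part of the thread: it enforces a minimum length, mixed case and a digit, rejects passwords containing the user name, and keeps a salted PBKDF2 history so that recently used passwords are refused without the history store holding anything reversible. The thresholds (12 characters, 12-change history) and the digit rule are this example's assumptions; the domain's real policy is set in account policy, not in code like this.

```python
"""Added example: password rule and reuse-history checker (assumed thresholds)."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12      # assumption standing in for "longer passwords"
HISTORY_DEPTH = 12   # assumption standing in for "unique for a 12 month cycle"
PBKDF2_ROUNDS = 100_000


def _digest(password, salt):
    """Salted PBKDF2-SHA256 so a stolen history cannot be turned back into passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Remembers the last `depth` passwords as (salt, digest) pairs, newest last."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []

    def seen(self, password):
        # Constant-time compare of each stored digest against the candidate.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def add(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-self.depth]   # keep only the newest `depth` entries


def violations(password, history=None, username=None):
    """Return the list of rules the candidate password breaks (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if history is not None and history.seen(password):
        problems.append(f"reused within last {history.depth} changes")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ("short", "CorrectHorse42Battery", "CorrectHorse42Battery"):
        found = violations(candidate, history, username="jsmith")
        print(f"{candidate!r}: {found or 'accepted'}")
        if not found:
            history.add(candidate)
```

The history check costs one PBKDF2 derivation per stored entry, which is why the depth is bounded; the `del` slice keeps exactly the newest `depth` entries so the oldest password becomes usable again once it has rolled out of the window.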


by Curacao_Dejavu In reply to Protection from internal ...

First I will have to redirect you to

I will just add some items to the other answers.

If the workstations are NT based, only admins can install software, so there is less need to worry about that; if the systems are Win98/ME based, you have a problem.
In order to implement IPSec your workstations have to be W2K or XP.
In addition it would be wise to have a W2K domain, since in the domain you can create a GPO (kind of a policy) domain wide for all communications to be secured via IPSec (encrypted).

Regarding 3: I think recheck your NT and share permissions, or upgrade to a version that works with the NT system (I had this problem in the past with some vendors).

4: In addition to using the logs and auditing, you might consider giving the users a specific user ID to log into the system instead of using the anonymous one (I cannot quite read which one you are using).

5. W2K has a service called "Certificate Services" in which you can create your domain-based public and private keys to use in your infrastructure.

So basically with your migration plan, 2003 AD and Exchange 5.5, you're covered.
