Please read - my butt's on the line

michael.steiner
Level 1

All,

This may seem inappropriate but my butt is on the line, so please read on.

I have 2 developers who have domain admin rights in a Windows 2000 environment. I discovered on Friday that these 2 have been creating a VPN tunnel to another company's network and having several machines on that network interact with one of our machines on the internal network.

I escalated this issue to our collective supervisor. I know what his response was and I also know what mine was.

I can guarantee that there is going to be a big turf war over this one and so I seek your opinions.

Does this have the potential to become a large security issue?

Thanks all.

3 Replies

osam
Level 1

Let me first make sure I understand you correctly.

You are saying that two users inside your network who you have assigned administration privileges to windows 2000 servers inside your network, have initiated a VPN tunnel between your server(s) and outside unauthorized server(s). Am I correct?

Well, first of all, if you don't trust these users, why give them administration rights on your servers in the first place? There is nothing technically you can do except delete their rights, and then your boss, or whoever is in charge, can question them legally. They may have done other stuff to the servers.

The problem I see here is not a technical problem as much as a policy problem. Why give them admin rights in the first place?

What I would suggest you do is revise all users' rights on the server and strip whatever rights you see as unnecessary from users who are not supposed to have them. And make sure you audit the changes and other activities taking place in the network to protect yourself.

If they were given the admin rights voluntarily by you without proper authorization, be prepared to answer questions on why you did that. If not, then it's not your fault, and you have only given them what you were asked (by your manager or whomever) to give.

I hope you find my answer helpful. Good luck!

jakew
Level 1

Is this a large security issue? Almost certainly!

Questions to answer:

1. Do these developers need domain admin rights to do their job? If not, take them away.

2. Why are they creating the VPN tunnels? Is this to do their job effectively or for some other reason (i.e. gaming)? Make them justify it with a detailed technical explanation and explain why there is no other alternative.

3. Do you trust the other company?

4. Could your company's intellectual property or other sensitive data be compromised?

5. Do you have an IT policy in place that forbids this kind of activity? If not, write one and do your best to make sure it has teeth.

How to deal with the political issues in your company is another story. You should develop a thorough, _documented_ explanation of why this is no good along with an action plan and escalate this to your management or higher if necessary. You should also find some way to force these developers to explain themselves. Once you've escalated it, if you don't get the necessary support, at least you've done your due diligence.

Hi,

I agree with the previous comments but also consider in the real world management tend to want to facilitate rather than prevent so here is what I would suggest.

If machines on another network are interacting with your network, the following is a positive suggestion that lets them work but allows security controls:

Is there an intermediate firewall?

Is the server on your site on a DMZ that is monitored for worms etc. that might originate on the other network?

Is the VPN tunnel locked down to only allow the traffic required - for example SQL traffic etc. - or is it wide open?

Document how recent worms have attacked systems, perform a threat analysis and suggest the risks.

Technology that could help here: Cisco VPN Concentrators, Cisco IDS and PIX firewalls.

Also - if all developers start doing this, what is going to happen to your network?
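As an added illustration of the "intermediate firewall" and "locked down vs. wide open" points in the reply above (example configuration, not part of the original thread or any poster's setup), here is what terminating the partner tunnel on a PIX rather than on the developers' Windows 2000 box looks like. PIX 6.3 syntax is assumed; all addresses, names and the peer are constructed placeholders: 192.168.1.10 is the one inside server the partner is allowed to reach, 10.20.0.0/24 is the partner's network, 203.0.113.1 is the partner's VPN gateway, and TCP 1433 stands for the SQL traffic the reply mentions.

```cisco
! ---- Constructed example: PIX 6.3, site-to-site IPsec to a partner ----
! Wide-open setting (the default once IPsec is configured): every packet that
! arrives through the tunnel bypasses the outside interface access-list.
sysopt connection permit-ipsec

! Hardened setting: tunnel traffic is subject to the outside interface ACL
! like any other inbound traffic.
no sysopt connection permit-ipsec

! Only the partner subnet, only to the one server, only SQL Server (tcp/1433).
access-list OUTSIDE_IN permit tcp 10.20.0.0 255.255.255.0 host 192.168.1.10 eq 1433
! Anything else, from the tunnel or the Internet, is dropped and logged so
! unexpected partner traffic (worm scans, other hosts) shows up in syslog.
access-list OUTSIDE_IN deny ip any any log
access-group OUTSIDE_IN in interface outside

! Crypto ACL: define the tunnel's interesting traffic narrowly as well, so the
! tunnel itself never carries more than server <-> partner subnet.
access-list VPN_PARTNER permit ip host 192.168.1.10 10.20.0.0 255.255.255.0
nat (inside) 0 access-list VPN_PARTNER

! Phase 1 (ISAKMP) - pre-shared key is a placeholder, 3DES/SHA era-appropriate.
isakmp enable outside
isakmp key REPLACE_WITH_REAL_KEY address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec) bound to the outside interface.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map PARTNER_MAP 10 ipsec-isakmp
crypto map PARTNER_MAP 10 match address VPN_PARTNER
crypto map PARTNER_MAP 10 set peer 203.0.113.1
crypto map PARTNER_MAP 10 set transform-set ESP-3DES-SHA
crypto map PARTNER_MAP interface outside
```

The point of the two `sysopt` lines is that a tunnel terminated on a firewall is still "wide open" until `sysopt connection permit-ipsec` is disabled; only then does the single `permit tcp ... eq 1433` line actually constrain what the partner's machines can do, and the trailing `deny ip any any log` gives you the audit trail the earlier replies ask for. A tunnel built from a domain-admin workstation with a VPN client offers neither control.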