
VPN Security Issue

Discussion in 'Networking (Hardware & Software)' started by joedawg321, 2005/09/27.

  1. 2005/09/27
    joedawg321

    joedawg321 Inactive Thread Starter

    Joined:
    2005/09/27
    Messages:
    3
    Likes Received:
    0
    I have a pretty severe security issue at my office.

    What the previous IT guy did was set up a Windows Server 2003 PC with two NICs, one for the internal network and one for the external, and basically made the server a router. Worked great... didn't have any issues (actually, I wasn't in charge of the network then and I didn't care what he did :) ). After he left, I finally convinced the powers that be that we needed a real server to run all our apps on and store important docs, files, etc. Installed the new server and implemented a domain a couple of weeks ago. No real issues. I never did put that 'router PC' on the domain as I didn't see a need to.

    Now comes the real issue. One of the other guys in my office set up a series of VPN users so that the customers we couldn't connect to with pcAnywhere to support could VPN to us and we could use VNC to connect to them and take care of their issues. Worked fine. However, last week, this same guy in my office left one of our customers connected to the VPN. This particular customer decided he'd look around our network and see what he could get into. Lo and behold, he could traverse our domain controller with ease. Not good. I have since disabled all the VPN users and told that guy if he sets up another one, I'll kill him.

    My question is, what can I do so that we can still use the VPN connection(s) for supporting those customers, but have them so they don't have access to our entire network? I've tried locking down the users, but I seem to be missing something as, no matter what I do, they still have full access. I've also tried putting the 'router PC' on the domain, but I'm having issues getting it to work (the PC is a pile of ****). I've also started looking into a VPN firewall, the SonicWALL TZ 150 to be specific. Wondering if anyone else has had any experience with that piece of equipment and whether it would solve my problem.

    Thanks in advance for any ideas.
     
  2. 2005/09/27
    aspicer

    aspicer Inactive

    Joined:
    2005/09/26
    Messages:
    19
    Likes Received:
    0
    I haven't used that Sonicwall myself. I'm kind of hoping someone with more Domain Controller experience will chime in here pretty soon.

    When you said he could traverse your domain controller what exactly did you mean by that? What exactly can he access?

    Did you actually set him up as a member of the server's domain? Or do you just have him connected at the TCP/IP level, with his computer still in a peer-to-peer type of configuration?

    I can lab some stuff with 2000 and 2003 server and Windows 2000 and XP here. I've set up domain controllers and worked with them a "little" bit.

    If all you need to do is access their PCs remotely with VNC or such, it seems like if you got some kind of VPN server you may be able to set up some more policies governing what they are able to access. You might even want to set some kind of limits on how long (or what days/hours) they can be connected via VPN.

    I would think that if you put someone on an unrestricted VPN, you basically just gave them the same rights as anyone else physically connected to your office network. At least anyone that plugged in a PC or Laptop, even if they were not a member of the domain (didn't have to logon to the domain). This might be a red flag in your network in general.

    If he was allowed to set up VPN service... the next person *could* be allowed to set up wireless access points. Next thing you know you've got Rogue access to your network.
     


  4. 2005/09/28
    joedawg321

    joedawg321 Inactive Thread Starter

    Joined:
    2005/09/27
    Messages:
    3
    Likes Received:
    0
    By 'traverse the domain controller', they basically had full access to all the directories as if they were an administrator. They could add, edit and delete files at will.
     
  5. 2005/09/28
    TJ-IT

    TJ-IT Inactive

    Joined:
    2004/05/17
    Messages:
    121
    Likes Received:
    0
    joedawg321, I'm not qualified to give you everything you need for this problem. Some things that others will need to know that will help them help you:
    * Is the new DC a 2003 Server as well?
    * Do the VPN users need to access any data/apps on the DC, or do you only need to be able to connect to them?
    * Do you have the VPN users set up as individual users on the DC, or do you have them in a GROUP, i.e. "VPN users"? (This would be best.)
    * Does your DC machine use the "router PC" for external connections (Internet), or does it have its own connection?

    One of your problems is an NTFS and/or share permission problem. It sounds like you have checked this, but you may be missing the "inherited permissions" from the parent folder(s) and/or the "drive" permissions (C:, D:, etc.). Hope this helps some; more experienced help will be coming ;)
     
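The "inherited permissions" point above is the usual reason a lockdown on one folder does not take: when a share is accessed remotely, Windows grants the intersection of the share permissions and the NTFS permissions, and the NTFS permissions are the result of the explicit ACEs on the folder plus the inheritable ACEs of every ancestor up to the drive root, evaluated explicit-before-inherited and Deny-before-Allow at each level. The model below is an added example, not code from the thread or from Windows: the drive layout, group names and ACEs are constructed so that a read-only ACE for the VPN group on the shared folder is overridden by an inherited Full Control ACE on the drive root, and then fixed with an explicit Deny.

```python
"""Effective-access model: share permission AND NTFS permission, with NTFS
inheritance walked from the folder up to the drive root.  Added example;
the paths, groups and ACEs below are constructed, not taken from the thread."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

RIGHTS = frozenset({"read", "write", "delete"})


@dataclass(frozen=True)
class Ace:
    principal: str          # user or group name
    rights: frozenset       # subset of RIGHTS, or {"full"} for all of them
    allow: bool = True      # False = Deny ACE
    inherit: bool = True    # propagates to child folders and files


def expand(rights):
    return set(RIGHTS) if "full" in rights else set(rights)


def ordered_aces(path, principals, acls):
    """ACEs that apply to `path` for a token holding `principals`, in the
    order Windows evaluates them: explicit Deny, explicit Allow, then the
    inheritable Deny/Allow ACEs of each ancestor, nearest parent first."""
    p = PureWindowsPath(path)

    def pick(aces, inherited):
        hits = [a for a in aces
                if a.principal in principals and (a.inherit or not inherited)]
        return [a for a in hits if not a.allow] + [a for a in hits if a.allow]

    out = pick(acls.get(str(p), []), inherited=False)
    for ancestor in p.parents:          # e.g. D:\Shares, then D:\
        out += pick(acls.get(str(ancestor), []), inherited=True)
    return out


def ntfs_effective(path, principals, acls):
    """Per right, the first applicable ACE that mentions that right decides."""
    granted = set()
    for right in RIGHTS:
        for ace in ordered_aces(path, principals, acls):
            if right in expand(ace.rights):
                if ace.allow:
                    granted.add(right)
                break
    return granted


def effective_access(share_aces, path, principals, acls):
    """Access over the network is share rights AND NTFS rights."""
    allowed, denied = set(), set()
    for ace in share_aces:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(expand(ace.rights))
    return (allowed - denied) & ntfs_effective(path, principals, acls)


# Constructed scenario: the customer's VPN account is in the local "VPN Group"
# and, like every account, is also a member of "Users" and "Everyone".
CUSTOMER = {"customer1", "VPN Group", "Users", "Everyone"}
DOCS = "D:\\Shares\\Docs"
SHARE_ACES = [Ace("Everyone", frozenset({"full"}))]        # wide-open share

ACLS_BEFORE = {
    "D:\\": [Ace("Users", frozenset({"full"}))],          # inherited by everything below
    DOCS:   [Ace("VPN Group", frozenset({"read"}))],      # the "lockdown" that had no effect
}
ACLS_AFTER = {
    "D:\\": ACLS_BEFORE["D:\\"],
    DOCS:   [Ace("VPN Group", frozenset({"write", "delete"}), allow=False),
             Ace("VPN Group", frozenset({"read"}))],
}


def demo():
    """Effective rights on the Docs share before and after the explicit Deny."""
    return (effective_access(SHARE_ACES, DOCS, CUSTOMER, ACLS_BEFORE),
            effective_access(SHARE_ACES, DOCS, CUSTOMER, ACLS_AFTER))
```

In the "before" case the read-only ACE is never consulted for write or delete, because the inherited Full Control ACE for Users is the first ACE that mentions those rights; the explicit Deny in the "after" case is evaluated before anything inherited and therefore wins. When checking a real folder, look at the drive root's ACL and at every ancestor, not only at the folder that was "locked down".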
  6. 2005/09/28
    aspicer

    aspicer Inactive

    Joined:
    2005/09/26
    Messages:
    19
    Likes Received:
    0
    What seemed strange to me was that they would even let them log onto the domain at all. If all they need to do is "be accessed" by VNC for you to help them you only need IP level access for them and limited ports. If you could have a small subnet of those desktops that need to access the customers and only let them on that subnet...

    I tried 2003 Server, as in accessing it from Windows XP Pro, and I had trouble accessing file shares. I had to give an administrator username and password to even get to see the shares. That was XP Pro without joining the domain at all. (Even to join a domain, you have to have an administrator username/password to do it.)

    Hmmmm...
     
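The suggestion in the two replies above, IP-level access only and limited ports, is the right shape for this problem: the customer's machine only ever needs to be reached by a support PC on the VNC or Remote Desktop port, so the VPN interface can drop everything the customer's side initiates and only pass replies on sessions the support desk opened. Windows Server 2003 RRAS lets you attach input and output IP filters to a remote access policy, which is where such rules would live. The stateful, default-deny filter below is an added example that is not part of the thread or of RRAS itself; the address ranges, port numbers and replayed packets are constructed, and the simulation shows the incident (a VPN client probing the DC) being dropped while a desk-initiated VNC session is allowed.

```python
"""Stateful, default-deny filter for a VPN interface, modelling the kind of
per-policy input/output IP filters a Windows 2003 RRAS server can apply.
Added example; the networks, ports and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SUPPORT_DESK = ip_network("192.168.1.16/28")   # assumed: the support techs' PCs
VPN_POOL = ip_network("10.99.0.0/24")          # assumed: addresses handed to VPN clients
SUPPORT_PORTS = {5900, 3389}                   # VNC and Remote Desktop on the customer's PC


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


class VpnFilter:
    """Policy: only a support-desk PC may open TCP 5900/3389 *to* a VPN client,
    and a VPN client may only answer on such a session.  Anything else on the
    VPN interface, in either direction, is dropped."""

    def __init__(self):
        self.flows = set()   # (desk_ip, desk_port, client_ip, client_port)

    def verdict(self, pkt):
        if pkt.proto != "tcp":
            return "DROP"
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # Output filter (LAN -> client): a desk-initiated session, new or existing.
        if src in SUPPORT_DESK and dst in VPN_POOL and pkt.dport in SUPPORT_PORTS:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Input filter (client -> LAN): only a reply on a tracked session, and
        # never a bare SYN, so the client cannot open anything inbound.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if src in VPN_POOL and reverse in self.flows and not (pkt.syn and not pkt.ack):
            return "ALLOW"
        return "DROP"


def run(packets, flt=None):
    """Apply the filter to a packet sequence and return the verdict per packet."""
    flt = flt or VpnFilter()
    return [flt.verdict(p) for p in packets]


# Constructed replay: the incident from the thread, then the intended support session.
SCENARIO = [
    # 1. the customer's VPN client probes the DC's file service (the incident)
    Packet("10.99.0.7", "192.168.1.10", "tcp", 51000, 445, syn=True),
    # 2. a support tech opens VNC to the customer
    Packet("192.168.1.20", "10.99.0.7", "tcp", 49152, 5900, syn=True),
    # 3. the customer's PC answers (SYN/ACK) on that session
    Packet("10.99.0.7", "192.168.1.20", "tcp", 5900, 49152, syn=True, ack=True),
    # 4. the customer tries to VNC *into* the tech's PC
    Packet("10.99.0.7", "192.168.1.20", "tcp", 51001, 5900, syn=True),
    # 5. an office PC outside the support desk tries to reach the customer
    Packet("192.168.1.200", "10.99.0.7", "tcp", 49153, 3389, syn=True),
]


def demo():
    return run(SCENARIO)   # ['DROP', 'ALLOW', 'ALLOW', 'DROP', 'DROP']
```

Two caveats a practitioner would want. First, filtering the VPN interface does nothing for the share ACLs themselves: the customer should not be able to write to the DC even if they do reach it, so the permission problem still needs fixing separately. Second, if memory serves, RRAS also has a coarser switch that confines remote clients to the RAS server alone (`netsh ras ip set access mode=serveronly`); verify the syntax on your server before relying on it, and note that it blocks the support desk from reaching the client as well, so the VNC viewer would then have to run on the router PC itself.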
  7. 2005/09/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Could you give some detail on what you have tried and what sort of user accounts (domain or local, what group memberships, etc.)
     
    Newt
  8. 2005/09/30
    joedawg321

    joedawg321 Inactive Thread Starter

    Joined:
    2005/09/27
    Messages:
    3
    Likes Received:
    0
    1st off, thanks everyone for the responses.

    Answers to everyone's questions:

    * Yes, the DC is a 2003 Server as well.
    * Some VPN users will need access to the network (office personnel), but as for our customers, they do not and should not need access to the network. The connection is only so we can use VNC or Remote Desktop to support them.
    * I do not have the VPN users on the DC at all. Just on the PC that is functioning as our gateway/firewall.
    * The DC does use the 'router PC' as its Internet connection.

    As for what I've looked into for users, groups etc:
    * The VPN users are all part of the 'VPN Group' group that the other IT guy set up (again, I walked into this mess :) ). That VPN Group isn't even on the DC. It's just a local group on the 'router PC'. The only users that are on both PCs are my user and the administrator user. The logins and passwords are the same on both PCs.
    * Originally, the VPN users were part of the 'users' local group on that PC. I have since removed them from that group and added them to the 'VPN Group'.
    * I played around with some of the settings in Local Security Settings, but nothing seemed to work.

    I know it's something dumb that I'm missing. The unfortunate thing is I just don't have a ton of time each day to dedicate to this, because my normal job function is to support our customers. I just got nominated to install the new server and support our office people too :).
     
  9. 2005/10/02
    aspicer

    aspicer Inactive

    Joined:
    2005/09/26
    Messages:
    19
    Likes Received:
    0
    Welcome to I.T. :D As soon as you show an aptitude for something that no one else around has an aptitude for, it becomes part of your job. Getting paid more for it is the real trick. My last company gig was a broadband cable Internet provider. They had been one of the companies outsourced to Excite@Home, and @Home had managed their ISP department for them. @Home was the second ISP outsource company that they had used. Both went bankrupt. They took the I.T./ISP function internal this time around via another company... which I went to work for. A ground-floor opportunity, so to speak. I started as a tech support/sales phone agent. I was pretty quickly asked if I could manage Unix and Linux servers and networking stuff. It took me another 4 - 6 months or so to ask for and get a pay raise from around 30,000 up to 45,000 a year. (It should have been more than that, actually!)

    Um, back on your deal there... What's the VPN server? I'm guessing that's the Windows box you call the "Router PC". And does logging on to the VPN automatically log them on to that domain controller?

    Does that DC act as a stand alone DC or is it a BDC (Backup Domain Controller) for the same Network Domain as the other one?

    What I'm getting at is, is there a way that they can connect to a VPN Server without being a member of any VPN Group or Domain at all?
     
