Thanks for some of the suggestions. We are beginning to test some of these applications. At the same time all classrooms now have security locks on them. This machine was not a laptop but a heavy mid-tower that sits along with all the other AV equipment in the classroom. I was two days late in locking down the computers. We are a professional school full of preachers, bishops, and theologians man. It pissed me off that someone feels good about stealing from us.

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Friday, February 20, 2009 2:32 PM
To: NT System Admin Issues
Subject: RE: Question

You really should also be looking into lock-jack type software for your laptops. Here are the other issues from a hacking perspective:

1) They have an authenticated account and password to your network. Depending on the credentials they can use this to do all kinds of havoc. (Terminate the account immediately, and implicitly block them from access at the VPN termination point.)

2) As stated before, record the public IP of that user who's configured with autologon and VPN access, and contact the ISP and then the authorities to possibly locate the laptop.

From the hacking perspective I would look to use this from a free wireless network to do the remote hacking/surveillance, along with dumping all credentials and data on said laptop to gain additional vectors into said company's network, to gain influence. If I can get an admin account I can impersonate anyone, and I can reconfigure the VPN software and gain access, and continue influence until I get whatever I want from the network, sell it to others for whatever I can get on the underground market, and the target organization/company will probably be none the wiser.

I understand this is higher education, but there are a lot of assets that an attacker can get their hands on that are going to cause you pain. It's a trivial exercise to dump credentials on the machine, gain administrative access, connect back into said network and elevate. Plus the information, either personal or work-related, that is still available on the hard drive, which can be scrubbed via various utilities, can also provide more avenues for fraud, identity theft, and other malicious activities against any user of that computer for whatever reason.

Or a more fun idea: have that PC on another busy part of the network and plant a keylogger on it, and have the keystrokes and recordings of all the information processed on it sent back to the attacker, which would be really fun, and profitable.

The real issue is that making things easy doesn't make them secure, and allowing things like autologon and auto connection to trusted networks and lax physical security brought about this situation in the first place.

Food for thought from the evil side of the force :)

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, February 20, 2009 1:11 PM
To: NT System Admin Issues
Subject: Re: Question

Let me get this straight:

1) The machine has been stolen
2) The machine is set for autologon
3) The machine also has VPN access
4) Whoever has possession of the stolen machine has Internet access, and
5) Therefore when the machine is turned on, it does its autologon, and connects to your network via its VPN facility.
6) You want to trace this machine, and find out who has possession of it

If all of this is correct, seeking the MAC address is not useful. Instead, find out the public IP address of the machine by querying your VPN termination point, and consult with the owner of that address - that is, the ISP who is assigning it to their customers. They will be able to tell you, from their logs, who is using that IP address currently. Then you can call in the cops, and they can take it from there.

Kurt

On Fri, Feb 20, 2009 at 09:05, Vue, Za <z...@emory.edu> wrote:
> It was a classroom machine so we set it to auto logon. The classroom account has no admin access. The machine has not been renamed either.
>
> -Z.V.
>
> -----Original Message-----
> From: Vue, Za [mailto:z...@emory.edu]
> Sent: Friday, February 20, 2009 12:01 PM
> To: NT System Admin Issues
> Subject: RE: Question
>
> Remember the stolen Dell? DNS entries are hardcoded on my machines, but IP addresses are released through DHCP. The machine showed up last night on my DNS server with a private IP. I tried to get some information about it but only got "TTL expired in transit" from the border router.
>
> If I can get a hold of the MAC I may be able to proceed further.
>
> -Z.V.
>
> -----Original Message-----
> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
> Sent: Friday, February 20, 2009 11:54 AM
> To: NT System Admin Issues
> Subject: RE: Question
>
> Can you outline the situation in more detail? Is this an internal client of yours? Or are you talking about a remote client coming across the Internet and hitting a DNS server in your DMZ?
>
> If this is all internal you can use the GETMAC resource kit utility.
>
> http://technet.microsoft.com/en-us/library/bb490913.aspx
>
> Chris Bodnar, MCSE
> Sr. Systems Engineer
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: christopher_bod...@glic.com
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> -----Original Message-----
> From: Vue, Za [mailto:z...@emory.edu]
> Sent: Friday, February 20, 2009 11:46 AM
> To: NT System Admin Issues
> Subject: RE: Question
>
> I did that already. No ARP found.
>
> -Z.V.
>
> -----Original Message-----
> From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
> Sent: Friday, February 20, 2009 11:44 AM
> To: NT System Admin Issues
> Subject: Re: Question
>
> 1. Ping the address
>
> 2. In a command console, enter "arp -a"
>
> --------------------------------------
> Richard McClary, Systems Administrator
> ASPCA Knowledge Management
> 1717 S Philo Rd, Ste 36, Urbana, IL 61802
> 217-337-9761
> http://www.aspca.org
>
> "Vue, Za" <z...@emory.edu> wrote on 02/20/2009 10:37:09 AM:
>
>> Windows 2003 AD:
>>
>> A machine with a private IP address is using my DNS server for name resolution. How do I capture the MAC?
>>
>> -Z.V.
>>
>> This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited.
>>
>> If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> -----------------------------------------
> This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
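Kurt's tracing advice and Edward's first two containment points above, carried through over constructed logs, as an added example that is not part of the thread: the VPN session and DNS query log formats, the host name CLASSROOM-PC07, the account svc-classroom and every address are assumptions. It pulls the public IP the ISP request needs from the VPN termination point's log, ties the DNS queries Za saw to that session window, and lists the account to disable and the public IPs to block.

```python
import re
from datetime import datetime

# Constructed VPN concentrator session log (not from the thread): the stolen
# classroom PC autologs on as svc-classroom and brings its tunnel up.
VPN_LOG = """\
2009-02-19 23:41:07 session up user=svc-classroom host=CLASSROOM-PC07 public=203.0.113.45 assigned=10.8.0.23
2009-02-20 03:05:19 session down user=svc-classroom host=CLASSROOM-PC07 public=203.0.113.45 assigned=10.8.0.23
2009-02-20 08:12:51 session up user=jdoe host=LAPTOP-JD public=198.51.100.9 assigned=10.8.0.41
"""
# Constructed DNS query log: the internal DNS server only ever sees the
# private tunnel address, which is why no MAC or ARP entry turns up there.
DNS_LOG = """\
2009-02-19 23:41:30 client 10.8.0.23 query A dc01.corp.example
2009-02-20 00:10:44 client 10.8.0.23 query A fileserver.corp.example
2009-02-20 08:13:02 client 10.8.0.41 query A mail.corp.example
"""
VPN_RE = re.compile(r"^(\S+ \S+) session (up|down) user=(\S+) host=(\S+) public=(\S+) assigned=(\S+)$")
DNS_RE = re.compile(r"^(\S+ \S+) client (\S+) query \S+ (\S+)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_report(vpn_log, dns_log, stolen_host):
    """One record per VPN session of stolen_host: public IP for the ISP request,
    session window, and names resolved by the tunnel address in that window."""
    sessions = []
    for m in filter(None, map(VPN_RE.match, vpn_log.splitlines())):
        if m.group(4) != stolen_host:
            continue
        if m.group(2) == "up":
            sessions.append({"user": m.group(3), "public_ip": m.group(5), "private_ip": m.group(6),
                             "start": _ts(m.group(1)), "end": None, "queries": []})
        else:  # close the most recent still-open session on this tunnel address
            for s in reversed(sessions):
                if s["private_ip"] == m.group(6) and s["end"] is None:
                    s["end"] = _ts(m.group(1))
                    break
    for m in filter(None, map(DNS_RE.match, dns_log.splitlines())):
        ts = _ts(m.group(1))
        for s in sessions:  # only queries inside the session window count as evidence
            if m.group(2) == s["private_ip"] and s["start"] <= ts and (s["end"] is None or ts <= s["end"]):
                s["queries"].append(m.group(3))
    return sessions

def containment(report):
    """First actions from the thread: disable the autologon account, block the public IPs."""
    return {"disable_accounts": sorted({s["user"] for s in report}),
            "block_public_ips": sorted({s["public_ip"] for s in report})}
```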