My LAN is protected enough?

[Michael]

Hello,

I'm Michael and i like to test security of my pc and network often, i never had troubles so i never need to post something ->until today

my problem is:

I manage a little LAN formed by a win2008 server for database+ storage connected to the internet and some xp clients.

Last week someone succeeded to delete lot of documents on the server, (no problems we had backups) i can't understand how he could enter to the local network trough internet. -> He could logon to the lan with guest account that can manage some files, but only through our clients(i thought)

The server now is disconnected from internet (so clients cannot connect too) until i'll find

how is possible to do logon into the lan from the internet -> i'm not a god with backtrack but i was able to find some secutity problems of some 'old' op systems, like xp and resolve that. But on win server 2008 i can't see any access. I'd like to repeat the intrusion to know how is possible and wich is the better way to prevent that

i hope that someone could help me to find where could i access to my local network through the internet (without install any program/service to the server )

I'm using VmWare with same version of OS on my pc to test that. 1 server 1 client connected and BT out of the lan

Regards

Michael

[lupin]

How could you have been hacked from the Internet? Wow, theres just too many ways to mention.

And anyway, I don't think you need to reproduce the attack, you need to perform an Incident Investigation and close up the holes you find.

The first thing Id examine is whether any of your systems is/was contactable directly from the Internet. Did you have a Firewall in place, and if so what ports/systems were unfiltered in the firewall, were your systems using NAT, and if so was any port forwarding in place. If you were using neither Firewall filtering nor NAT, then thats the first thing you want to fix. Make sure only required services are available from the Internet, and make sure any required services are hardened, patched and tested to confirm that they are not vulnerable.

The next most likely possibility is client side attacks. Opening a bad email, visiting a bad/compromised web site, opening a bad document could all be possible ways to get a client system (or a server system too if you are using it for client style operations) infected by malware. System patching (including third party applications) and a good auto protecting AV program is what you want here. Something like Secunia Personal software Inspector (or the Enterprise equivalent as appropriate) is good for determining whether your systems are appropriately patched. Its way easier than you think to get infected in this way - I have managed to get one of my test VMs compromised without even trying, and that is with close to zero contact with the big bad Internet.

Other possibilities are infection by a local file infector virus (copied from USB/CD/etc) or regular old local unauthorised access by a person.

[trellis]

Simple answer: no. It's a PEBKAC 9 times out of 10. Secure your users first, then your boxes.

[hhmatt]

Secure your users first

Easier said than done.

[Michael]

First of all thanx for the replies.

If i understood properly the most likely possibility is something like a backdoor installed in the pcs and not a direct attack at the server.

On clients and server is installed the symatec antivirus.

I'll do a complete scan on every pc.

Thanx