A Rogue Admin

Fattysharp

Member
Nov 23, 2005
95
0
0
I believe I have isolated a rogue domain admin on my network targeting certain individual computers in the company.

I have been able to audit some key computers for the company, and have found him running scripts remotely to elevate local privileges on specific computers. Our SMS remote control tool requires certain privileges to be raised in order for us to run it without permission being required. Since I am not an SMS guru I can't be certain if this is what he is doing. Does anyone know what privileges would need to be elevated to do this?

I can not approach him on this since he would obviously deny it whether it was true or not, but if it was true, he would then be able to erase any log files that may point to wrongdoing.

Right now, all I can do is gather information from a PC that he may be targeting. I have turned on Windows auditing and already have 3 instances of him connecting to this PC in one day and raising specific privileges remotely.

I have notified my management, but they will require proof and have asked me to investigate further. To make matters more questionable, this admin has access to monitor any PC, and the PC I mainly work on is one that he has been connecting to remotely.

Any advice on how I can catch him in the act would be appreciated.
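One way to turn the audit trail the OP describes into something more than "3 instances in one day" noted by hand, as an added example that is not part of the original thread or of any tool mentioned in it: a small Python script that ties each remote (network) logon to the special-privilege assignment event for the same logon session, then counts such privileged remote sessions per account and source address. The CSV input is constructed for the example; the event IDs 4624 (logon) and 4672 (special privileges assigned to new logon) and the column names are assumptions about how the Security log is exported, since the thread does not say which Windows version is in use.

```python
import csv
import io
from collections import defaultdict

# Constructed sample input (not real log data): a simplified CSV export of
# Windows Security-log events from one workstation. Assumed event IDs:
#   4624 = account logon (logon_type 3 = network, i.e. a remote connection)
#   4672 = special privileges assigned to a new logon (e.g. SeDebugPrivilege)
# Both events carry the same logon_id, which is the key that ties a privileged
# token back to the remote session that received it.
SAMPLE_EVENTS = """\
time,event_id,logon_id,account,source_ip,logon_type,privileges
2007-11-05 09:12:03,4624,0x1a2b3,CORP\\jdoe,10.0.5.17,3,
2007-11-05 09:12:03,4672,0x1a2b3,CORP\\jdoe,,,SeDebugPrivilege;SeBackupPrivilege
2007-11-05 11:40:51,4624,0x1b9c4,CORP\\jdoe,10.0.5.17,3,
2007-11-05 11:40:52,4672,0x1b9c4,CORP\\jdoe,,,SeDebugPrivilege
2007-11-05 13:02:10,4624,0x1c111,CORP\\backupsvc,10.0.9.2,3,
2007-11-05 14:15:00,4624,0x1d222,CORP\\jdoe,10.0.5.17,3,
2007-11-05 14:15:01,4672,0x1d222,CORP\\jdoe,,,SeDebugPrivilege
2007-11-05 15:30:00,4624,0x1e333,CORP\\localuser,,2,
2007-11-05 15:30:00,4672,0x1e333,CORP\\localuser,,,SeShutdownPrivilege
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts; the privileges column becomes a list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["privileges"] = [p for p in row["privileges"].split(";") if p]
        rows.append(row)
    return rows


def remote_privileged_sessions(events):
    """Return one record per network logon (4624, type 3) that also received
    special privileges (4672) under the same logon_id.

    Interactive logons (type 2) are ignored even if privileged: a local user
    getting SeShutdownPrivilege at the console is not a remote connection.
    """
    logons = {}
    privs = defaultdict(list)
    for ev in events:
        if ev["event_id"] == "4624" and ev["logon_type"] == "3":
            logons[ev["logon_id"]] = ev
        elif ev["event_id"] == "4672":
            privs[ev["logon_id"]].extend(ev["privileges"])
    sessions = []
    for logon_id, ev in logons.items():
        if privs.get(logon_id):
            sessions.append({
                "time": ev["time"],
                "account": ev["account"],
                "source_ip": ev["source_ip"],
                "privileges": sorted(set(privs[logon_id])),
            })
    return sessions


def summarize_by_source(sessions):
    """Count privileged remote sessions per (account, source_ip) pair."""
    counts = defaultdict(int)
    for s in sessions:
        counts[(s["account"], s["source_ip"])] += 1
    return dict(counts)


def flag(sessions, threshold=2):
    """Return the (account, source_ip) pairs with at least `threshold`
    privileged remote sessions in the exported window, sorted for stable output."""
    return sorted(k for k, n in summarize_by_source(sessions).items() if n >= threshold)


if __name__ == "__main__":
    sessions = remote_privileged_sessions(parse_events(SAMPLE_EVENTS))
    for s in sessions:
        print(s["time"], s["account"], s["source_ip"], ",".join(s["privileges"]))
    print("flagged:", flag(sessions))
```

Because the thread's concern is that the admin can clear the logs on the target machine, the exported events should be copied somewhere his account cannot reach before anything like this is run over them; the script only reads the export and never touches the live log.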
 

covert24

Golden Member
Feb 24, 2006
1,809
1
76
See if you can get the IP or MAC address of the computer he is running from, and then, while he is in the act, call security to that computer so that he has nowhere to run. I would suggest sending over someone high up in management so that they can fire him right on the spot.
 

Tarrant64

Diamond Member
Sep 20, 2004
3,203
0
76
If there were any doubts about an admin regarding security, he should be immediately stripped of all rights and his account disabled. I understand that as an admin he may have other immediate ways of gaining access to computers; however, if it is that big of an issue, ensure that he has no access to it. I'm sure security can handle that.

Management needs to understand that sitting around waiting to catch him red-handed may be too late for whatever he's managed to do. He should be able to understand if he is being questioned for his acts and stand back until the situation is cleared up.

Do you have any idea what exactly he's doing? Is he in a secluded area where he can't be supervised properly?
 

SecPro

Member
Jul 17, 2007
147
0
0
Originally posted by: Tarrant64
If there were any doubts about an admin regarding security, he should be immediately stripped of all rights and his account disabled. I understand that as an admin he may have other immediate ways of gaining access to computers; however, if it is that big of an issue, ensure that he has no access to it. I'm sure security can handle that.

Management needs to understand that sitting around waiting to catch him red-handed may be too late for whatever he's managed to do. He should be able to understand if he is being questioned for his acts and stand back until the situation is cleared up.

Do you have any idea what exactly he's doing? Is he in a secluded area where he can't be supervised properly?

+1

I completely agree with what is being said here. Security needs to get involved as does your legal and HR departments. If no one knows what this guy is up to, then shut him off. If someone needs to play Dick Tracy, then make sure someone who understands computer forensics is the person who does that. Your networking group can probably stand up some sniffers and start capturing network traffic.

You have no idea what this guy is doing. He could be accessing and offloading sensitive or personal info. I don't know because I don't know what business you're in. What I do know from the OP's post is that he's abusing admin privileges. Personally that's all I need to know. I would've already shut him down and walked him out the door.
 

Fattysharp

Member
Nov 23, 2005
95
0
0
I also agree.

Unfortunately, I work for the Canadian gov't in a very "it's who you know" environment. I am only a desktop admin, and he is a domain admin. I see log files of him connecting remotely to computers he should not be, elevating rights. I am under the impression he is using SMS remote to monitor people working.

I can not prove he is, since there is no way I can monitor him. I have caught him connected to my PC by using a port sniffer and seeing his IP connecting.

He works in an isolated office and has physical disabilities, so anything that management does can get very sticky.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: Fattysharp
I also agree.

Unfortunately, I work for the Canadian gov't in a very "it's who you know" environment. I am only a desktop admin, and he is a domain admin. I see log files of him connecting remotely to computers he should not be, elevating rights. I am under the impression he is using SMS remote to monitor people working.

I can not prove he is, since there is no way I can monitor him. I have caught him connected to my PC by using a port sniffer and seeing his IP connecting.

He works in an isolated office and has physical disabilities, so anything that management does can get very sticky.

Involve your security staff immediately. You can give them the detail that you can't post on the Internet, and they can take it from there. Where I work, the security staff would be responsible for involving HR and any other departments as necessary, but you may have different procedures there. If you're doing any intrusive investigating, I would also recommend getting approval from your management in writing, because that kind of stuff can come back and bite you in the ass as well.

It's very important, as SecPro says, that someone who is trained in forensics continue the investigation, because evidence needs to be obtained and preserved in a certain way in order for it to be allowed into court in the event of legal action.