Question : Security Responses

I'm having some trouble coming up with all the parts of the solution for this scenario.  I've got some, which I'll explain at the end of this post, but if anybody would be willing to help, it would be greatly appreciated!

Consider the following scenario. You get an alert from the IDS telling you that somebody is trying to connect repeatedly to port 3389 of the computer at 192.168.2.124. While you are sitting at the computer, the mouse pointer starts moving by itself. Please evaluate this scenario and explain the correct response including the following:

Describe what your mental approach to these events should be.
Explain what you should do to isolate the affected computer.
After the computer is isolated, describe what should be investigated next.
List people who should be notified.
Describe what you could learn by a subsequent review of the firewall and IDS logs.

Now, I'm thinking the mental approach would be obvious.  To stay calm.  Most companies should have a standard procedure for handling things like this, so just stay calm and follow procedure.  Right?  

For isolating the computer, I think that would depend on how large the network is.  It wouldn't just be a matter of "unplugging" that particular computer or removing it from the network.  There should be a way to temporarily, I don't know, bypass it and let the rest of the network continue to function normally.  Right?

Then, after it is isolated, I'm thinking that if they were trying to get through on port 3389, I would just block that port and only open it for legitimate business with other computers in my network.  But I don't know if it is that easy.

As far as the people that should be notified, I'm assuming in this scenario that I'm already the system administrator, and other than the IT department head, I'm not sure who else would need to be notified.  Maybe the employees, so that if they see something like this happening on their computers, they would know to contact IT.  Of course, you'd think that with something like this happening, we'd beef up security automatically.

I think what could be learned by a subsequent review would be the fact that maybe our firewall wasn't so strong after all and that the security would need to be analyzed more often.

I know these are very general answers so I'm looking for some more details to support what I'm trying to say.  Or someone to tell me that I'm totally on the wrong track.  LOL

Thanks for any help!!

Answer : Security Responses

Describe what your mental approach to these events should be.
>Well, first reaction would be to determine if this is a legitimate connection or not. Is it an Admin who received a request for remote assistance from the user, did the user send it to someone, or is this someone trying to remote onto a computer for which they are not authorized or invited? It would really depend on your standard practices and policies for using remote desktop.
 
Explain what you should do to isolate the affected computer.
>If the connection is determined to be malicious, first thing I would do is unplug the ethernet cord from the network.

After the computer is isolated, describe what should be investigated next.
>Security event log would be a good start. Also check to see if there is any remote control type software installed (VNC, DameWare, LogMeIn). If so, who installed it? You can check the security tab on Program Files, and the user who installed it will be explicitly shown in the list. If no commercial remoting software is listed in Add/Remove Programs, I would do a full virus scan to see if there is a Trojan of some sort.

List people who should be notified.
>IT Department and management. All security incidents should be logged and kept track of, either electronically or with a paper trail, or both.

Describe what you could learn by a subsequent review of the firewall and IDS logs.
>All connections coming from outside of the firewall at the time of the incident: IP addresses, and the ISPs they're using to connect.

A group policy object could be applied to disable remote desktop, or remote assistance on all machines in your domain or just a specific OU.

PS: Remote assistance isn't something you can "hack". It requires the user's intervention to work, and is generally regarded as a pain in the @ss, not a great solution for remote helpdesk type stuff. So in all likelihood, if a person received a remote assistance invitation, the user who uses that machine must have sent it to them. Defer back to your company's policies on that.
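As an added example, not part of the original question or the answer above, the Python script below does the kind of correlation the last two answers describe ("Security event log would be a good start" and "all connections coming from outside of the firewall at the time of the incident"). It takes the IDS alert time as the centre of the incident window, pulls every source that touched 192.168.2.124:3389 out of a firewall log, separates addresses on our side of the firewall from outside ones, and matches each source against the host's Security event log to see which attempts failed (Event ID 4625) and which actually got a session (Event ID 4624, logon type 10, i.e. RemoteInteractive). The log line formats, the outside IP addresses (RFC 5737 documentation ranges), the account names and the rule SID are all constructed for this example; the Windows Event IDs and the logon type are the real values.

```python
"""Added example (not from the original post): correlate an IDS alert with firewall and Security log data."""
import ipaddress
import re
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
# Constructed IDS alert (hypothetical format; SID 1000001 is in the local-rule range, not a published rule).
IDS_ALERT = "2024-03-05 14:01:20 [1:1000001:1] LOCAL RDP connection attempts exceed threshold {TCP} 203.0.113.45 -> 192.168.2.124:3389"

# Constructed firewall log: <date> <time> <ACTION> proto=<P> src=<ip>:<port> dst=<ip>:<port>
# Inbound 3389 from the Internet is ACCEPTed here, which is itself a finding for the review.
FIREWALL_LOG = """\
2024-03-05 13:30:11 DROP   proto=TCP src=198.51.100.7:40001 dst=192.168.2.124:3389
2024-03-05 14:01:02 ACCEPT proto=TCP src=203.0.113.45:51234 dst=192.168.2.124:3389
2024-03-05 14:01:05 ACCEPT proto=TCP src=203.0.113.45:51235 dst=192.168.2.124:3389
2024-03-05 14:01:09 ACCEPT proto=TCP src=203.0.113.45:51236 dst=192.168.2.124:3389
2024-03-05 14:01:13 ACCEPT proto=TCP src=203.0.113.45:51237 dst=192.168.2.124:3389
2024-03-05 14:01:40 ACCEPT proto=TCP src=203.0.113.45:51260 dst=192.168.2.124:3389
2024-03-05 14:02:10 ACCEPT proto=TCP src=192.168.2.10:49212 dst=192.168.2.124:3389
"""

# Constructed Security log records: 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SECURITY_LOG = [
    {"time": "2024-03-05 14:01:02", "id": 4625, "type": 10, "account": "administrator", "src": "203.0.113.45"},
    {"time": "2024-03-05 14:01:05", "id": 4625, "type": 10, "account": "administrator", "src": "203.0.113.45"},
    {"time": "2024-03-05 14:01:09", "id": 4625, "type": 10, "account": "admin", "src": "203.0.113.45"},
    {"time": "2024-03-05 14:01:13", "id": 4625, "type": 10, "account": "administrator", "src": "203.0.113.45"},
    {"time": "2024-03-05 14:01:40", "id": 4624, "type": 10, "account": "administrator", "src": "203.0.113.45"},
    {"time": "2024-03-05 14:02:10", "id": 4624, "type": 10, "account": "helpdesk", "src": "192.168.2.10"},
]

FW_RE = re.compile(r"^(\S+ \S+)\s+(ACCEPT|DROP)\s+proto=\w+\s+src=([\d.]+):\d+\s+dst=([\d.]+):(\d+)$")
IDS_RE = re.compile(r"^(\S+ \S+) .* -> ([\d.]+):(\d+)$")
# RFC 1918 = our side of the firewall.  ipaddress.is_private is deliberately not used: it also flags 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_ids_alert(line):
    """Return (alert_time, target_ip, target_port) from the constructed alert line."""
    m = IDS_RE.match(line)
    if not m:
        raise ValueError("unrecognised IDS alert: " + line)
    return datetime.strptime(m.group(1), TS), m.group(2), int(m.group(3))

def parse_firewall(text):
    """Parse the constructed firewall log; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append({"time": datetime.strptime(ts, TS), "action": action,
                           "src": src, "dst": dst, "dport": int(dport)})
    return events

def rdp_sources(events, target, port, start, end):
    """Per-source attempt counts and time span for traffic to target:port within [start, end]."""
    per_src = {}
    for ev in events:
        if ev["dst"] != target or ev["dport"] != port or not start <= ev["time"] <= end:
            continue
        s = per_src.setdefault(ev["src"], {"external": is_external(ev["src"]), "attempts": 0,
                                            "accepted": 0, "first": ev["time"], "last": ev["time"]})
        s["attempts"] += 1
        s["accepted"] += 1 if ev["action"] == "ACCEPT" else 0
        s["first"], s["last"] = min(s["first"], ev["time"]), max(s["last"], ev["time"])
    return per_src

def rdp_logons(security_log, src_ip, start, end):
    """Failed and successful RDP logon accounts from src_ip in the window.  With Network Level
    Authentication on, failed RDP logons are 4625 with logon type 3, so failures are not keyed on type."""
    failed, ok = [], []
    for rec in security_log:
        if rec["src"] != src_ip or not start <= datetime.strptime(rec["time"], TS) <= end:
            continue
        if rec["id"] == 4625:
            failed.append(rec["account"])
        elif rec["id"] == 4624 and rec["type"] == 10:
            ok.append(rec["account"])
    return failed, ok

def review(ids_alert, fw_text, security_log, window_minutes=5, threshold=5):
    """One finding per source that touched the alert's target port within +/- window_minutes of it."""
    alert_time, target, port = parse_ids_alert(ids_alert)
    start, end = alert_time - timedelta(minutes=window_minutes), alert_time + timedelta(minutes=window_minutes)
    findings = []
    for src, s in sorted(rdp_sources(parse_firewall(fw_text), target, port, start, end).items()):
        failed, ok = rdp_logons(security_log, src, start, end)
        findings.append({"src": src, "external": s["external"], "attempts": s["attempts"],
                         "passed_firewall": s["accepted"], "first": s["first"].strftime(TS),
                         "last": s["last"].strftime(TS), "failed_logons": len(failed),
                         "logged_on_as": sorted(set(ok)),
                         "brute_force": s["attempts"] >= threshold and bool(failed),
                         "compromised": s["attempts"] >= threshold and bool(failed) and bool(ok)})
    return findings

if __name__ == "__main__":
    for finding in review(IDS_ALERT, FIREWALL_LOG, SECURITY_LOG):
        print(finding)
```

Run as a script it prints one finding per source. The source that shows repeated attempts, a run of failed logons and then a successful logon inside the window is the one to tie to the mouse pointer moving on its own, and the fact that the perimeter rule ACCEPTed 3389 from the Internet at all is the firewall finding to fix. Widening window_minutes pulls in earlier probes from other addresses, which is how the review shows whether the activity started before the IDS fired.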