Re: SBS 2003 Server.. Outside/internet users obtaining DHCP lease?



On Apr 5, 8:54 pm, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:
antari6675 wrote:
On Apr 5, 8:24 pm, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:
antari6675 wrote:
On Apr 5, 7:35 pm, "Bill Sanderson"
<bill_sander...@xxxxxxxxxxxxxxxxx> wrote:
I'm trying to understand your evidence: How do you get "canada"
from a machine name and a mac address?

I would look at the security logs as well.

"antari6675" <stevem6...@xxxxxxxxx> wrote in message

news:e11f7405-8264-4aec-a193-6d2e868bb92f@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Apr 5, 6:54 pm, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:

antari6675 wrote:
Hi,

I've been running our sbs 2003 server for a year now and in the
last 3 days I've noticed that someone from outside our network is
obtaining a DHCP lease on our server. He's not looking at files,
his user id is not created, nor is his client computer. He
simply is grabbing an IP addy thru the DHCP and using our internet
connection as a proxy?

Question is.. How can this happen?

Unauthorized wired or wireless connection, or perhaps even VPN.
VPN is easier to determine from logs.

Somebody just plugging in is a little harder. Have you had any
'visitors' to your site who may have brought their laptop with them?

Thank you in advance

Antari6675

--
/kj

No wireless capabilities on the network.

We are located in Michigan.. and of the two that connected, one was
in Canada.
The only way I detected the lease was in the DHCP address leases.

10.10.10.x namexxxxx 4/10/2008 and a mac addy.

It was over the internet for sure. We are a small company, and I
have the ability to check all plug in connection.

I will have to check the VPN logs. I am by no means an expert at
sbs 2003.

My apologies...

The name of the client computer had a company url addy in it, and I
traced that to canada.

Like I said, I'm not very clear on all this.. But where exactly would
these logs be? I have been looking at all the logs that I can find,
and can't find any instance of the occurrence. I have a feeling I'm not
looking at the right ones.

I think you're going to have to provide us with your references. Is
the 10. address from your SBS DHCP scope?

Do you have a two nic SBS with ISA? How are you tracing your physical
connections?

Why do you feel it was 'over the Internet'? Already having an
Internet IP, a VPN or RRAS connection would (might) need a local
address from your DHCP server. Do you have VPN enabled and open on
your firewall?

--
/kj

Excluded IP addy 10.10.10.1    10.10.10.9
pool  10.10.10.1 to 10.10.10.254

Yes one day it was 10.10.10.15    I removed it from the Lease list and
the next day it was 10.10.10.17

------------------

Yes Two Cards...

One to the ISP
One to the local network
------------------------------------

The name of the client attached was DJONES.trimag1.com   What made me
discover the connection was trimag1 showed up in the MS windows
network list of domains. Clicking on it took me to a login prompt to
trimag1.com

----------------------------------------------

I have VPN enabled, that is how I administer the server from home. I
connect to the server thru the remote web workplace login.
-----------------------

Hope this fills in the blanks..
Thank you again.

ISA? Yes or No?

So the trimag1 domain name registered on your network is meaningful, but
not conclusive.

Usually, RRAS and VPN preallocate addresses from DHCP when they start
(normally 5 or 6). These are kept until RRAS restarts. So, it's not likely
to be up at .15 and .17, but still possible - you should check the source
for this, but as I recall when RRAS (VPN) registers it for the VPN
connection no MAC address is provided to DHCP.

That leaves a direct network connection or internet connection sharing
(disabled by group policy) or the like.

Not really sure when you say you connect with RWW / VPN. RWW is an RDP type
connection, not a VPN one. If you are only using RWW, you don't need VPN.

So, how can you be assured that an unauthorized wired connection has not
been made? (This is a common problem for SMBs)

--
/kj

I believe ISA is not installed

As far as an unauthorized connection.. The area of installation is 8
offices, and I checked each network outlet personally, disconnected all
computers and the trimag was still accessible. It is in a one story
office building, and the wire could not be tapped into without my
knowledge.


As for VPN and RWW I may have misspoken. I use RWW from my home to
connect. I was in the middle of reading about VPN. I believe it's not
enabled on the server.


The type of connection from the trimag was listed as DHCP.. I don't
think I mentioned that before.
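
On the question of which logs to look at: the Windows DHCP Server service writes a daily audit log (DhcpSrvLog-<Day>.log, by default under %windir%\System32\dhcp) that records every lease with its MAC address. The following is an added example, not part of the thread, that triages such a log for leases like the DJONES.trimag1.com one; the sample lines, the MAC addresses and the local suffix `.example.local` are constructed assumptions.

```python
import csv
from io import StringIO

# Constructed sample in the DHCP audit log column layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/09/08,00:00:12,Started,,,,
10,04/09/08,08:02:41,Assign,10.10.10.12,FRONTDESK.example.local,0011223344AA
11,04/09/08,12:02:41,Renew,10.10.10.12,FRONTDESK.example.local,0011223344AA
10,04/09/08,22:17:05,Assign,10.10.10.15,DJONES.trimag1.com,00DEADBEEF01
12,04/10/08,07:30:00,Release,10.10.10.15,DJONES.trimag1.com,00DEADBEEF01
10,04/10/08,22:19:48,Assign,10.10.10.17,DJONES.trimag1.com,00DEADBEEF01
"""

LEASE_EVENTS = {"10": "assign", "11": "renew"}  # audit IDs for new/renewed leases


def suspicious_leases(log_text, known_macs, local_suffix):
    """Return lease events whose MAC is not in the inventory or whose
    host name carries a DNS suffix other than the local domain."""
    known = {m.upper() for m in known_macs}
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue  # header, service events, releases, malformed lines
        event_id, date, time, _desc, ip, host, mac = (f.strip() for f in row[:7])
        reasons = []
        if mac.upper() not in known:
            reasons.append("unknown MAC")
        if "." in host and not host.lower().endswith(local_suffix.lower()):
            reasons.append("foreign domain suffix")
        if reasons:
            findings.append({"when": f"{date} {time}", "ip": ip, "host": host,
                             "event": LEASE_EVENTS[event_id],
                             "mac": mac.upper(), "reasons": reasons})
    return findings


def addresses_by_mac(findings):
    """Group flagged leases by MAC: one device reappearing on a new
    address each day shows up as a single key with several IPs."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["mac"], set()).add(f["ip"])
    return {mac: sorted(ips) for mac, ips in grouped.items()}


if __name__ == "__main__":
    for f in suspicious_leases(SAMPLE_LOG, {"0011223344AA"}, ".example.local"):
        print(f["when"], f["ip"], f["host"], f["mac"], ", ".join(f["reasons"]))
```

The lease timestamps it reports can then be lined up against the Security event log and any RRAS logs for the same minutes to see how the client was attached.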