What to do with persistent offending user?

Discussion in 'The Lounge - Off Topic' started by Pete01, Jan 10, 2006.

  1. Pete01

    Pete01 Kilobyte Poster

    492
    23
    42
    Here’s the scenario:

    We're rolling out XP gradually to all our users in our main UK office where I'm based (2nd line support). Being a pharmaceutical company we have very stringent rules and policies regarding installing non standard software. The machines are all locked down by policies anyway so this shouldn't be an issue……

    The top bod in our office- not the entire company but in our building- has a penchant for bending the rules, we didn't know to what extent until the other day when I couldn't see his machine from our AV server when I was checking everyone was all up to date. I pinged him and he was there so I thought I'd better go and have a look. When I got to his machine he had all the stuff he wasn't supposed to have. Had it just been a multicoloured mouse pointer and some jazzy time display and his own background and screensaver it wouldn't have been so bad.

    Apart from all that he was using uTorrent, a BitTorrent filesharing client, and another one called eMule and god knows what else.

    So I tell my boss, who goes and gets his machine and brings it down- we tell him off and ghost his machine.

    Next day we get a call- he can't use his machine, it's 'broken' already. We get it back to look at it and he's been doing who knows what to give himself admin rights and install all his stuff again. He's now starting to blame us for taking up too much of his time and demanding his laptop back ASAP. By looking at the security event log he's run a password cracker on his local admin account and started installing software- somewhere along the line it went pear shaped and it's re-image time again.

    After the second reimage we're finishing up restoring all his PST files etc and he sends an email to my colleague appealing to us to just 'let him get on with his work and use the tools that he needs to reach the company's financial targets and keep the shareholders happy' and all this other violin stuff that for a moment almost made me cry /sob /sniff. Really trying to make us feel that we were hindering the growth of the company by doing what we were doing.

    Being IT professionals we're pretty certain that downloading MP3s and movies is not contributing to keeping the shareholders happy and meeting the company's financial goals, neither is spending however long he spends circumventing all the policies we have, which we even adhere to when we have local admin rights on our machines.

    I'm sure we'd all like to treat our work computers like they are our own and use the company bandwidth to download illegal pirate music and films, that is one thing but the main reason we have these policies being the security aspect he's aware of.

    This guy is knowingly and willfully completely disregarding the security of the network for his own selfish reasons, he knows exactly what he's doing and doesn't care. As I mentioned being a pharmaceutical company we have really strict procedures for all aspects of the way the company runs and the IT policies are very strong. When we have big company wide meetings he's the one standing on the podium telling us how vigilant we have to be about all the different SOPs (Standard Operating Procedures) and there he is using filesharing having cracked his admin account…

    He's had his laptop back again today after the second rebuild; after about 2 hours back with him we just checked his event log again- he's already cracked his admin account. My colleagues are joking that tomorrow it'll be my turn to wipe his machine and spend most of the day setting it up for him.

    The whole issue has been escalated up to top level management so hopefully he'll get the message soon- I just don't have time to spend a day on his machine tomorrow.
     
    Certifications: MCP (NT4) CCNA
    WIP: 70-669, Learning MSI packaging
  2. Pady

    Pady Nibble Poster

    85
    2
    29
    This guy sounds like a real piece of work. Why not restrict his external bandwidth down to 1k, which will help his downloading :)
     
    Certifications: A+, See Sig for HW Certs
    WIP: Network+ & MCP 70-270
  3. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    First of all, document everything. Secondly, there must be something in your IT use policy that states what happens if you continually misuse company equipment and bandwidth. Maybe your boss should contact the head of HR and ask what the formal response to this user should be.

    One of the reasons I stress that you document everything is that if this goes to some sort of hearing, you'll have to establish that he was going outside of normal use policy just to play and not because he's furthering the company's growth and so on.

    Bottom line is that he could eventually be sacked for such behavior. If he was surfing pr0n, he'd probably be gone already.
     
    Certifications: A+ and Network+
  4. wizard

    wizard Petabyte Poster

    5,767
    42
    174
    I'd do as tripwire said. Proceedings should have started against this user already; he has a flagrant disregard for your company's policy. If I were in charge and there wasn't all of this legislation about to protect employees, pardon my French, he would have been out on his arse at the first offence. Just attempting password cracking would have had him out the door.
     
    Certifications: SIA DS Licence
    WIP: A+ 2009
  5. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,903
    186
    221
    Can't really add to what the others have said. Document and make sure that you are not the only person who's seen the logs.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  6. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Dear me... this guy is a manager....
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  7. Pete01

    Pete01 Kilobyte Poster

    492
    23
    42
    We've saved all the security logs and got screens of his hard drive with all the stuff installed. He's one of these guys who thinks he's a step ahead of the IT dept by using things like window washer... :rolleyes:

    Apparently he's been playing this cat and mouse game with the dept for 7 years now. :blink

    If I have to re-image him tomorrow I'm not going to give him any special priority treatment just because of who he is.

    Thanks for the suggestions though.
     
    Certifications: MCP (NT4) CCNA
    WIP: 70-669, Learning MSI packaging
  8. arisen

    arisen Byte Poster

    243
    15
    46
    That was a cracking read! (no pun intended). Who gives people like this a job? And furthermore, who should've sacked this guy by now and hasn't? :biggrin
     
    Certifications: BEng, PRINCE2, ITIL, Net+
    WIP: MSc, Linux+ 2009, RHCE
  9. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    Seven Years??? :ohmy He must be the CEO's brother to have not gotten the boot by now. :tongue
     
    Certifications: A+ and Network+
  10. Pete01

    Pete01 Kilobyte Poster

    492
    23
    42
    That's about right- he's very very senior and I think considers himself untouchable
     
    Certifications: MCP (NT4) CCNA
    WIP: 70-669, Learning MSI packaging
  11. knightofnuada

    knightofnuada Nibble Poster

    80
    0
    9
    Like the others say, as long as you have documents of what he's had on his computer etc.

    I'd report him to his senior manager or to HR (and thankfully there are "whistle blower" guidelines which help with employee confidentiality).

    He has essentially breached company IT guidelines/policies (even my company has an IT policy against downloading illegal/copyrighted software, and it's only Head Office that has full internet access). Not only that, there's the implication of bad publicity for the company should he get caught with pirated files on a company computer ...

    EDIT: Tell the shareholders/ board what he's up to ... That should be sufficient!
     
    WIP: A+, Network +, CCNA
  12. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Er - if he can crack an admin account in 2 hours you aren't doing something right. It should take a *lot* longer to do that!

    Not knowing the politics I would lock this guy down tight.

    Note that there are some known holes in GPOs - have a look at http://www.sysinternals.com/Blog/ under "Circumventing Group Policy as a Limited User"

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  13. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Hmmm a tough conundrum indeed. If he is that senior, I wouldn't be surprised if he is untouchable.

    Also, as far as I am aware bit-torrent relies on having two way communication because of the nature of the file sharing method. You might want to check your firewall because certain ports, about four in the 6xxx range need to be opened to incoming requests for it to work :eek:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  14. Pete01

    Pete01 Kilobyte Poster

    492
    23
    42
    Our network admin is in one of the US offices at the moment so I'll ask him to look at the firewall thing, but I'm puzzled as to why MP3s etc can get through (and go out!).

    The password is an 8 character randomly generated alphanumeric one; it's the XP Pro local admin password for his machine he's cracking, and its 'crackability' was determined by Microsoft when they released XP Pro. We don't try and add any extra security layers to local admin passwords.

    I haven't got that far into 20-270 yet so I don't know much more than that about XP Pro local password security. I once used a tool called L0phtCrack to get NT4 and some Win2k passwords; that was pretty quick. I don't know which one he's using but the fact that he's using one at all is bad enough. He could well be using a bootable Linux disk that takes about 10 minutes to change any local password, including reboots and scandisk. The first time round after the first rebuild he changed his local admin account password, put his domain account into the local admin group and created himself another local account with admin rights as well as the local admin.

    It's all being dealt with at the highest level and we've got it all documented, so hopefully it won't be going on for much longer. I'm not looking forward to the prospect of giving up my day to rebuild his machine again today :x
     
    Certifications: MCP (NT4) CCNA
    WIP: 70-669, Learning MSI packaging
  15. JonnyMX

    JonnyMX Petabyte Poster

    5,257
    220
    236
    Just be careful.

    I doubt that he has become senior just because he obeyed the rules. I'm assuming that he does actually contribute something to the company and you may find at the end of the line they aren't really interested in what he's doing to the PC.
    It's quite possible that his boss will get a glazed expression on his face when you say 'bandwidth' and not actually appreciate the seriousness of the situation.

    Just make sure you've got backup so it's not just between you and him.
     
    Certifications: MCT, MCTS, i-Net+, CIW CI, Prince2, MSP, MCSD
  16. Pete01

    Pete01 Kilobyte Poster

    492
    23
    42
    Certifications: MCP (NT4) CCNA
    WIP: 70-669, Learning MSI packaging
  17. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,205
    136
    199
    Christ! That's a hole and a half! :eek:

    Has this not been fixed with SP2 though?

    Where is this guy getting the copy of XP from?
     
  18. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Bittorrent maybe?

    As said before, document everything.

    Also, maybe you can find out exactly what he needs to do his work and give it to him. Make a special group for him in the domain and also a special "penalty box" gpo for him. Restrict everything not needed with this gpo down to the last icon that he sees.

    You might want to give a thought to increasing the password security if he's using a password cracker in 2 hours. Something along the lines of a 15 character password is much more secure. If he has a laptop then you might be able to take the CD-ROM drive out too, and also out of the PC that you give to him. Lock the BIOS with a password also, to stop him changing it to be able to boot from USB too.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  19. Modey

    Modey Terabyte Poster

    2,397
    99
    154
    I don't think the length or complexity of the local admin password makes any difference at all really. With a CD like ERD Commander, you can just use Locksmith to pick a new password; it doesn't try a brute force guess method on the old one, it just removes it.

    Dunno how desperate this guy will be to regain control of the system assuming you lock the BIOS as suggested, but he may go to the lengths of taking the back off the PC and resetting the CMOS in order to bypass the BIOS password as well.

    It does seem highly ridiculous the trouble he's going to, to bypass security, just so he can leech movies etc... If nothing is done to prevent him from a boss point of view, maybe he will get sick of his PC getting re-imaged each day or so and give up the antics.

    Maybe it would be possible via GP or logon scripts to specifically sabotage the applications he's fond of re-installing each time. Something that's enough to break the install at each logon by deleting specific files etc... I'm sure he'd get sick of having to re-install at every logon.
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  20. Pete01

    Pete01 Kilobyte Poster

    492
    23
    42
    Well, as an update, I haven't had to re-image him yet today. So far he's added his domain account to the local admin group of the machine (Event ID 636, source: Security) and about 43 minutes later removed his domain account from the local admin group (Event ID 637, source: Security). No file sharing software has gone on there yet, but he's emptied his system event log while leaving his security one intact, which I've saved as a txt file to go with the rest of the evidence…

    He's trying very hard to cover his tracks, but unfortunately it's going to do him more harm than good when all the evidence is aired.

    When will people ever learn not to try and get one over on their IT department…
     
    Certifications: MCP (NT4) CCNA
    WIP: 70-669, Learning MSI packaging
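The two pieces of evidence Pete01 describes, a domain account put into the local Administrators group (post 14) and the 636 add / 637 remove pair found in the saved security log (post 20), can be pulled out of an exported log automatically rather than by eyeballing Event Viewer. The script below is an added example, not anything posted in the thread: it parses a tab-separated text export of the XP security log, reports every member added to or removed from Administrators, flags members that were added and removed again within a short window, and lists anyone left in the group who is not on an approved baseline. The column layout, the description wording, the machine and account names and the sample rows are all constructed for the example; only Event IDs 636 and 637 come from the thread.

```python
"""Scan an exported Windows XP security log for local Administrators
membership changes (Event ID 636 = member added, 637 = member removed).

Assumed export layout (constructed for this example; check your own export):
Date<TAB>Time<TAB>Source<TAB>Type<TAB>Category<TAB>Event ID<TAB>User<TAB>Computer<TAB>Description
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample rows: a domain account added to Administrators at 09:02 and
# removed 43 minutes later, then a local account added and left in place.
SAMPLE_LOG = (
    "11/01/2006\t09:02:17\tSecurity\tSuccess Audit\tAccount Management\t636\tSYSTEM\tUKLAPTOP01\t"
    "Security Enabled Local Group Member Added: Member Name: CORP\\seniorbod Target Account Name: Administrators\n"
    "11/01/2006\t09:10:05\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tCORP\\seniorbod\tUKLAPTOP01\t"
    "Successful Logon\n"
    "11/01/2006\t09:45:31\tSecurity\tSuccess Audit\tAccount Management\t637\tSYSTEM\tUKLAPTOP01\t"
    "Security Enabled Local Group Member Removed: Member Name: CORP\\seniorbod Target Account Name: Administrators\n"
    "11/01/2006\t14:20:00\tSecurity\tSuccess Audit\tAccount Management\t636\tSYSTEM\tUKLAPTOP01\t"
    "Security Enabled Local Group Member Added: Member Name: UKLAPTOP01\\helpdesk Target Account Name: Administrators\n"
)

MEMBER_RE = re.compile(r"Member Name:\s*(\S+)")
TARGET_RE = re.compile(r"Target Account Name:\s*(\S+)")


@dataclass
class Event:
    when: datetime
    event_id: int
    user: str
    computer: str
    description: str


def parse_export(text):
    """Turn the tab-separated export into Event objects, oldest first.
    Rows with too few columns are skipped rather than aborting the whole scan."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 9:
            continue
        date, time, _src, _type, _cat, event_id, user, computer, desc = fields[:9]
        when = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S")  # UK date order assumed
        events.append(Event(when, int(event_id), user, computer, desc))
    return sorted(events, key=lambda e: e.when)


def membership_changes(events, group="Administrators"):
    """Return (event, member) pairs for 636/637 events that touch the named local group."""
    changes = []
    for e in events:
        if e.event_id not in (636, 637):
            continue
        member = MEMBER_RE.search(e.description)
        target = TARGET_RE.search(e.description)
        if member and target and target.group(1) == group:
            changes.append((e, member.group(1)))
    return changes


def transient_admin(events, window=timedelta(hours=1), group="Administrators"):
    """Members added to the group and removed again within `window`: the
    add-then-remove pattern that looks like someone covering their tracks."""
    findings, pending = [], {}
    for e, member in membership_changes(events, group):
        if e.event_id == 636:
            pending[member] = e.when
        elif member in pending:
            added = pending.pop(member)
            if e.when - added <= window:
                minutes = int((e.when - added).total_seconds() // 60)
                findings.append({"member": member, "added": added, "removed": e.when, "minutes": minutes})
    return findings


def unexpected_members(events, approved, group="Administrators"):
    """Members still in the group at the end of the log that are not on the approved baseline."""
    current = set()
    for e, member in membership_changes(events, group):
        if e.event_id == 636:
            current.add(member)
        else:
            current.discard(member)
    return current - set(approved)


if __name__ == "__main__":
    evts = parse_export(SAMPLE_LOG)
    for f in transient_admin(evts):
        print(f"TRANSIENT ADMIN: {f['member']} in Administrators for {f['minutes']} min "
              f"({f['added']:%H:%M:%S} to {f['removed']:%H:%M:%S})")
    # Approved baseline is constructed; replace with the accounts your build actually puts in the group.
    for m in sorted(unexpected_members(evts, approved={"UKLAPTOP01\\Administrator"})):
        print(f"UNEXPECTED ADMIN MEMBER: {m}")
```

Run it against the text file saved from Event Viewer and keep the output with the rest of the evidence; because the log is sorted by time before pairing, an export concatenated from several days still pairs each add with the right remove.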
