I've been contacted by two partners in a small professional firm. They are concerned about their other partner and want to take some steps to be absolutely sure that the company's data and systems are safe from "any eventuality."
They have one server (Windows 2003) that's used as a file and print server (all important files are on the server), Exchange 2003 Server, and it runs a few applications that make up their financial system. I don't know much more than that about their setup because I haven't had a chance to go in yet. The two guys I'm dealing with don't want to let the other partner know they have someone looking at their systems, so I need to minimize the footprints I leave while doing anything.
One thing I realize I need to get up to speed on is physical-to-virtual tools. I'll want to convert the server to a VM that I could then bring up somewhere else. If the legal stuff gets ugly, they might lose access to the building, or if it gets really bad, the other guy might take off with the server.
So far, the things I'm planning on are:
Go in and make notes on the server hardware and software configuration, with the goal of being able to re-create the server from scratch if necessary.
As part of the above, make sure they have all the original installation disks or files and make copies of them.
Do a bunch of backups:
- make a copy of all their shared files
- figure out how to back up the data from their financial applications
- back up the mailboxes, convert them to PSTs
- back up and ghost the entire machine.
The reason for the first three backups is that I want them to have access to files and their application data outside of an image of the server in case they need to find something quickly. I can't set up recurring jobs for this, but I might end up going in every week or so to do a new full backup and maybe once a month doing another backup of files/databases/mailboxes.
Until I look at their accounts, I'm not sure exactly what I'll do, but I'll either create another Admin account, or make the partners' accounts Admins or something like that - the idea being to have some account(s) the other partner doesn't know about be an admin.
Verify that their PCs are all set up to store files on the server.
Look for anything the other partner might have had installed that could compromise the systems. Based on what I've been told, this isn't very likely, which is good because I'm not sure where I'd start looking for malware...
My question is: am I missing anything important? What other things would anyone suggest doing?
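A read-only inventory pass is the first step on the poster's list, and it is also the part most easily botched by hand. The script below is an added example, not code from the original post: it pulls the hardware, OS, disk, network, share, software, hotfix and service configuration plus local and domain admin group membership into CSV files on a removable drive, and appends a timestamped line to an engagement log for every file it writes. It assumes PowerShell 2.0 is present on the server, that E: is the removable drive, and the output folder and log file names are placeholders chosen for this example.

```powershell
# Added example, not part of the original post: a read-only inventory of the server,
# written to a removable drive so the server itself gets no new files.
# Assumptions: PowerShell 2.0 is available on the server, E: is the removable drive,
# and the output folder and engagement-log names are placeholders for this example.
param(
    [string]$OutRoot = "E:\engagement",
    [string]$Server  = $env:COMPUTERNAME
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutRoot "$Server-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Engagement log: who did what, when, so each visit can be reconstructed later.
$log = Join-Path $OutRoot "engagement-log.txt"
function Write-EngagementLog([string]$message) {
    "$(Get-Date -Format s) $env:USERDOMAIN\$env:USERNAME on $Server : $message" |
        Out-File -FilePath $log -Append
}
function Save-Csv($rows, [string]$name) {
    $rows | Export-Csv -Path (Join-Path $outDir $name) -NoTypeInformation
    Write-EngagementLog "wrote $name ($(@($rows).Count) rows)"
}
Write-EngagementLog "inventory started, output folder $outDir"

# Everything below is read-only WMI or registry access; nothing on the server changes.
Save-Csv (Get-WmiObject Win32_ComputerSystem |
    Select-Object Name, Domain, Manufacturer, Model, TotalPhysicalMemory) "hardware.csv"
Save-Csv (Get-WmiObject Win32_OperatingSystem |
    Select-Object Caption, Version, ServicePackMajorVersion, InstallDate, LastBootUpTime) "os.csv"
Save-Csv (Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
    Select-Object DeviceID, VolumeName, FileSystem, Size, FreeSpace) "disks.csv"
Save-Csv (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    Select-Object Description, MACAddress, DHCPEnabled,
        @{n='IP';      e={ $_.IPAddress -join ';' }},
        @{n='Gateway'; e={ $_.DefaultIPGateway -join ';' }}) "network.csv"
# Shares: confirms which folders the workstations are really storing files in.
Save-Csv (Get-WmiObject Win32_Share | Select-Object Name, Path, Type, Description) "shares.csv"
# Installed software from the Uninstall key: Win32_Product is slow and can trigger MSI repairs.
Save-Csv (Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName) "software.csv"
# Services with their binaries and run-as accounts: the baseline for spotting later additions.
Save-Csv (Get-WmiObject Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName) "services.csv"
# Installed hotfixes, needed to rebuild the box to the same patch level.
Save-Csv (Get-WmiObject Win32_QuickFixEngineering | Select-Object HotFixID, InstalledOn) "hotfixes.csv"

# Group membership via ADSI (no AD module needed): who already holds admin rights.
function Get-GroupMemberName([string]$adsPath) {
    $group = [ADSI]$adsPath
    $group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }
}
Get-GroupMemberName "WinNT://$Server/Administrators,group" |
    Out-File (Join-Path $outDir "local-administrators.txt")
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
if ($domain -and $domain -ne "WORKGROUP") {
    Get-GroupMemberName "WinNT://$domain/Domain Admins,group" |
        Out-File (Join-Path $outDir "domain-admins.txt")
}
Write-EngagementLog "inventory finished, $(@(Get-ChildItem $outDir).Count) files written"
```

Run it from the removable drive with an existing admin account and keep the drive with the engagement log; the services.csv and software.csv files are the baseline to diff against on the next visit when looking for anything newly installed.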
Personally I wouldn't get involved with this. What if the two that are contacting you are the ones that will be causing the issues? Also, if things go bad and you lose their data because you missed a hole somewhere, expect the first two partners to go after you for that one as well, plus number 3 for being cut out.
Anyway, though, my points:
VM the entire server; should the box go missing, you can just bring it back up on a new one. You'll have to figure out how frequently you want this done.
Secure and redo all the remote access. Reduce the footprint as much as you can to things only you control; password the router to something only you know the PW to, so no one else can open it up.
Can you put another off-domain box in somewhere locally, ideally in a location only you have access to? Then back up everything to this box into a write-only share. If the box is physically safe, then no one but you has access to the data on it to delete it. This can be your real-time backup.
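The "write-only share" in the reply above is the piece worth getting exactly right: the server account that pushes backups must be able to add files but never overwrite or delete what is already there, otherwise whoever controls the server controls the backups too. The script below is an added example, not code from the reply's author; it is run as a local administrator on the off-domain backup box. It assumes D: is the data drive, and the share name `vault$` and the local account `BackupWriter` are placeholders chosen for this example.

```powershell
# Added example, not part of the original reply: an append-only drop folder on an
# off-domain backup box. The server can add new files and folders here but cannot
# overwrite or delete what is already there. Run as a local administrator on the
# backup box. Assumptions: D: is the data drive, the share and account names are
# placeholders chosen for this example, and the box runs PowerShell 2.0 or later.
$vault  = "D:\vault"
$share  = 'vault$'
$writer = "BackupWriter"

if (-not (Test-Path $vault)) { New-Item -ItemType Directory -Path $vault | Out-Null }

# Local (non-domain) writer account; the password is typed once, never stored in a script.
$machine = [ADSI]"WinNT://$env:COMPUTERNAME"
$exists  = $machine.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $writer }
if (-not $exists) {
    $user = $machine.Create("user", $writer)
    $user.SetPassword((Read-Host "Password for $writer"))
    $user.SetInfo()
}

function New-Ace([string]$who, [string]$rights, [string]$inherit, [string]$propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who,
        [System.Security.AccessControl.FileSystemRights]$rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl $vault
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting the drive's permissive ACL
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}
# Administrators and SYSTEM on the backup box keep full control of everything.
$acl.AddAccessRule((New-Ace "BUILTIN\Administrators" "FullControl" "ContainerInherit, ObjectInherit" "None"))
$acl.AddAccessRule((New-Ace "NT AUTHORITY\SYSTEM"    "FullControl" "ContainerInherit, ObjectInherit" "None"))
# The writer gets folder-only rights: list, create files and subfolders, set timestamps.
# This ACE does not flow down to files, so no existing file ever grants it WriteData or Delete,
# and DeleteSubdirectoriesAndFiles is deliberately absent from the folder rights.
$acl.AddAccessRule((New-Ace $writer "ListDirectory, CreateFiles, CreateDirectories, ReadAttributes, WriteAttributes, Synchronize" "ContainerInherit" "None"))
# Files the writer creates: it may read them back and set their timestamps, nothing more.
$acl.AddAccessRule((New-Ace "CREATOR OWNER" "ReadData, ReadAttributes, WriteAttributes, Synchronize" "ObjectInherit" "InheritOnly"))
Set-Acl -Path $vault -AclObject $acl

# Hidden share. Share-level CHANGE is enough; the NTFS ACL above is the real limit.
net share "$share=$vault" "/GRANT:$writer,CHANGE" "/GRANT:Administrators,FULL"

# The owner of a file can always rewrite its ACL, and the writer owns what it creates.
# Run this from an administrator's scheduled task after each push so ownership, and with
# it the power to re-permission old copies, moves to the Administrators group.
function Set-VaultOwner {
    $admins = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
    Get-ChildItem $vault -Recurse | ForEach-Object {
        $a = Get-Acl $_.FullName
        if ($a.Owner -ne "BUILTIN\Administrators") { $a.SetOwner($admins); Set-Acl $_.FullName $a }
    }
}
```

Two consequences of this design: the push from the server must write into a fresh dated subfolder each run (robocopy `/MIR` needs delete rights and will fail here, which is the point), and the ownership sweep is not optional, because until it runs the writer account could re-permission its own files. Test the whole arrangement once by pushing a dummy folder as `BackupWriter` and then confirming, as that same account, that neither deleting nor overwriting a pushed file succeeds.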
Here are a few bullet points off the top of my head:
MOST IMPORTANTLY: Document EVERYTHING between you and the other two partners - EVERYTHING. Get everything signed. Keep extremely detailed logs of everything you do, when you visited, telephone conversations (including time), the lot. I've heard of consulting firms being taken to the cleaners in situations like this. The excluded partner gets wind of what's going on, and then initiates legal proceedings against the other partners. Guess who ends up in the firing line? You. Can you prove you were authorized to access their systems? Is the permission of 2 or 3 partners enough to authorize this type of engagement? And if you don't end up as the victim in this scenario, you can bet your sweet ass you'll be dragged through the courts to validate or deny claims made by one party or the other. And cases like this can drag on for years.
Remove Domain Admin privs. A lot of small firms like this traditionally hand out Domain Admin privs like candy. Cut this back as far as possible.
Look into an online backup solution. This would save you the weekly visit to the site, and you know the data is residing somewhere off-site, secured, without lots of potential questions of "who's this guy in every week?" from the oblivious partner. Of course, this would be contingent on a decent internet pipe to the world.
As you mentioned, move the potential IP sitting on people's workstations to the server. The best approach to this is Folder Redirection through GPO. This is more of a general good-practice issue than a critical issue to this case.
Ensure you have remote access (depending on hardware, this may just be a case of enabling the HTTP interface for internet IPs) to the router for the office/building. If you get a call along the lines of "ALL HELL HAS BROKEN LOOSE!" you may want the option of shutting their connectivity down. This would stop any malicious acts via Terminal Services, Citrix etc.
Secure the Customer Database. Set a scheduled task to copy this data (and it is the lifeblood of any organisation) to an obscure location. It's not uncommon in this situation, when it hits the fan, for the customer database to suddenly vanish, leaving the business on its knees.
Don't forget any license keys. Install media means nothing when you're stuck at a licensing prompt. And in whose name are the keys held/registered (or name on the invoice)? The company's? One of the partners?
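The scheduled copy of the customer database suggested above is worth pairing with a manifest, so that when a copy is needed in a dispute you can show it is complete and unchanged since it was taken. The script below is an added example, not code from the reply's author. It assumes the data is plain files under a folder (or that the financial application's own backup export lands there; a database held open by its service needs the application's backup step first), that the destination is reachable by the task's account, and that the source path, destination path, log path and task account names are placeholders chosen for this example.

```powershell
# Added example, not part of the original reply: nightly copy of the customer database
# folder into a dated folder at an out-of-the-way location, with a SHA-256 manifest so a
# later restore can show the copy is complete and unchanged. Assumptions: the data is
# plain files under $dbSource (or the application's own backup export lands there), the
# destination is reachable by the task's account, and all paths and names below are
# placeholders chosen for this example. Run with -Register once to create the task.
param(
    [string]$dbSource = "D:\FinanceApp\Data",
    [string]$dest     = "\\backupbox\vault$\customerdb",
    [string]$localLog = "C:\Windows\Temp\customerdb-copy.log",
    [switch]$Register
)

function Get-Sha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '').ToLower() }
    finally { $fs.Close() }
}

function Copy-CustomerDb {
    $target = Join-Path $dest (Get-Date -Format "yyyyMMdd-HHmm")
    # /E all subfolders, /R:2 /W:5 short retries, /NP /NDL quieter log. The log goes to a local
    # file first: an append-only destination refuses appends to a file from an earlier run.
    & robocopy $dbSource $target /E /R:2 /W:5 /NP /NDL /LOG:$localLog | Out-Null
    $rc = $LASTEXITCODE
    # Robocopy exit codes below 8 are success variants; 8 and above mean some files failed.
    if ($rc -ge 8) { throw "robocopy returned $rc, see $localLog" }

    # Manifest: hash every file in the copy and re-hash its source. A mismatch means the
    # source changed during the copy window (a live database), which is worth knowing.
    $manifest = @(); $mismatched = @()
    foreach ($file in @(Get-ChildItem $target -Recurse | Where-Object { -not $_.PSIsContainer })) {
        $rel  = $file.FullName.Substring($target.Length + 1)
        $hash = Get-Sha256 $file.FullName
        $src  = Join-Path $dbSource $rel
        if ((Test-Path $src) -and ((Get-Sha256 $src) -ne $hash)) { $mismatched += $rel }
        $manifest += "$hash  $rel"
    }
    $manifest | Out-File -FilePath (Join-Path $target "MANIFEST.sha256") -Encoding ASCII
    Copy-Item $localLog (Join-Path $target "robocopy.log")
    New-Object PSObject -Property @{
        Target = $target; Files = $manifest.Count; Mismatched = $mismatched; ExitCode = $rc
    }
}

function Register-CustomerDbTask([string]$scriptPath) {
    # Windows Server 2003 schtasks syntax; $scriptPath must not contain spaces. The task runs
    # as a local account on the server whose name and password match the writer account on the
    # off-domain backup box, so pass-through authentication works and no credential is stored
    # in the script (assumption). /RP * prompts for that password once at registration.
    schtasks /Create /SC DAILY /ST 22:30 /TN "CustomerDbCopy" /RU "$env:COMPUTERNAME\BackupWriter" /RP * `
        /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $scriptPath"
}

if ($Register) { Register-CustomerDbTask $MyInvocation.MyCommand.Path }
else { Copy-CustomerDb | Format-List }
```

Each run leaves a dated folder holding the files, `MANIFEST.sha256` in the same `hash  path` layout that `sha256sum -c` reads, and the robocopy log; a non-empty `Mismatched` list in the output is the cue that the application was writing during the copy and that its own backup export should feed this job instead of the live files.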