Multiple foreign domains within 'My network places'


test2005

We have a bit of a weird problem. We have a Windows 2000 based domain
with W2k and XP clients. Over the last few days, I have noticed in 'my
network places' that there are 6 other domains listed that are nothing
to do with us. These domains are not accessible and error message
stating this comes up when you double click on them. However, this is
confusing to users and is potentially a security breach. I have no idea
of how to start troubleshooting this. Any suggestions anyone? Has
anyone seen this before?

Thanks.
 
I imagine there could be a workstation/laptop from another company on your
network. Sales staff don't care much for physical security so it could be
that they let one of their clients hook right up.

Use a packet analyzer program (such as Ethereal @ http://www.ethereal.com/)
to watch for browser announcements.

Under the "NetBIOS Datagram Service" portion of the packet you'll see a
"Destination name" field that will correspond with the domain names you see
in My Network Places.

Inside that same packet you'll be able to determine the MAC address and IP
address of the machine announcing itself. If you have a managed switch
network then you'll be able to determine what port they are connected to and
so where in the building they are.


BIONICTHUMB
MCSE, MCSA:Messaging, A+, Net+
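As an added illustration of the approach described in this reply (this is not code from the thread or from any of its posters), the following Python script decodes the NetBIOS Datagram Service (UDP port 138) header from raw Ethernet/IPv4/UDP frames, pulls out the encoded source and destination names, and lists every destination domain that is not one of your own together with the IP and MAC address of the host announcing into it. The frames it runs on are constructed inline with made-up addresses and names; in practice you would feed it frames read from a capture file instead. It deliberately does not validate checksums or parse the SMB payload.

```python
import socket
import struct

NETBIOS_DGM_PORT = 138      # UDP port of the NetBIOS Datagram Service
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# NetBIOS name suffix bytes used by the Computer Browser service (RFC 1001/1002
# first-level names; suffix meanings follow Microsoft networking conventions).
SUFFIX_NAMES = {
    0x00: "workstation",
    0x1B: "domain master browser",
    0x1D: "master browser",
    0x1E: "browser election",
}


def encode_netbios_name(name, suffix):
    """First-level encode a NetBIOS name (RFC 1002 4.1): pad to 15 bytes, append the
    suffix byte, then emit two 'A'..'P' characters per byte (one per nibble)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"   # one 32-byte label, empty scope


def decode_netbios_name(buf, offset):
    """Decode the encoded name at buf[offset]; return (name, suffix, next_offset)."""
    if buf[offset] != 32:
        raise ValueError("expected a 32-byte first-level encoded NetBIOS label")
    enc = buf[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    name = raw[:15].decode("ascii", "replace").rstrip()
    end = offset + 33
    while buf[end] != 0:                # skip any scope-id labels that follow
        end += buf[end] + 1
    return name, raw[15], end + 1


def parse_browser_datagram(frame):
    """Return sender and NetBIOS name details of a NetBIOS datagram carried in a raw
    Ethernet/IPv4/UDP frame, or None if the frame is something else."""
    if len(frame) < 14:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != IPPROTO_UDP:
        return None
    udp = ip[ihl:]
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != NETBIOS_DGM_PORT:
        return None
    dgm = udp[8:]
    if len(dgm) < 14:
        return None
    msg_type, _flags, _dgm_id, nb_src_ip, _sp, _dlen, _poff = struct.unpack("!BBH4sHHH", dgm[:14])
    if msg_type not in (0x10, 0x11, 0x12):   # direct unique / direct group / broadcast
        return None
    src_name, _src_suffix, off = decode_netbios_name(dgm, 14)
    dst_name, dst_suffix, _ = decode_netbios_name(dgm, off)
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "netbios_src_ip": socket.inet_ntoa(nb_src_ip),
        "src_name": src_name,
        "dst_name": dst_name,
        "dst_suffix": dst_suffix,
        "dst_type": SUFFIX_NAMES.get(dst_suffix, f"0x{dst_suffix:02x}"),
    }


def find_foreign_domains(frames, own_domains):
    """Sorted list of (domain, src_ip, src_mac) for browser datagrams aimed at
    domains that are not in own_domains."""
    own = {d.upper() for d in own_domains}
    seen = set()
    for frame in frames:
        info = parse_browser_datagram(frame)
        if info and info["dst_suffix"] in SUFFIX_NAMES and info["dst_name"] not in own:
            seen.add((info["dst_name"], info["src_ip"], info["src_mac"]))
    return sorted(seen)


def build_sample_frame(src_mac, src_ip, src_name, dst_name, dst_suffix):
    """Construct a minimal broadcast NetBIOS datagram frame for testing (checksums zero)."""
    names = encode_netbios_name(src_name, 0x00) + encode_netbios_name(dst_name, dst_suffix)
    user_data = b"\xffSMB"                  # constructed stand-in for the SMB payload
    dgm = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x1234, socket.inet_aton(src_ip),
                      NETBIOS_DGM_PORT, len(names) + len(user_data), 0) + names + user_data
    udp = struct.pack("!HHHH", NETBIOS_DGM_PORT, NETBIOS_DGM_PORT, 8 + len(dgm), 0) + dgm
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("192.168.1.255"))
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


# Constructed sample capture (all names and addresses are made up): one announcement
# into our own domain and three from hosts announcing into domains that are not ours.
SAMPLE_FRAMES = [
    build_sample_frame(b"\x00\x0c\x29\x01\x02\x03", "192.168.1.10", "FILESRV1", "OURDOMAIN", 0x1D),
    build_sample_frame(b"\x00\x11\x22\x33\x44\x55", "192.168.1.77", "LAPTOP-X", "ACMECORP", 0x1D),
    build_sample_frame(b"\x00\x11\x22\x33\x44\x55", "192.168.1.77", "LAPTOP-X", "ACMECORP", 0x1E),
    build_sample_frame(b"\x00\xaa\xbb\xcc\xdd\xee", "192.168.1.91", "WIDGETS-DC", "WIDGETS", 0x1B),
]

if __name__ == "__main__":
    for domain, ip_addr, mac in find_foreign_domains(SAMPLE_FRAMES, ["OURDOMAIN"]):
        print(f"foreign domain {domain!r} announced by {ip_addr} ({mac})")
```

The MAC and IP pairs this prints are what you would then look up in your switch's MAC address table (to find the port) and in your DHCP and WINS registrations (to see whether the device is one of yours).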
 
This is an interesting problem. You need to know where these domains are
and how you can see them. The first thing that occurs to me is that someone
on your LAN (or WAN) has been creating domains for testing purposes.

Several years ago I worked for a company that was bought by a larger
company. When we were the smaller company, our whole network was in one
building, and when we wanted to test something, we would go to the sys
admins, get a box, load server software on it and create a domain.

After we were bought by the larger company we became part of a nation-wide
WAN and the national system administrators were always trying to crack down
on us and ban all test domains from the system. We finally had to
disconnect our test LANs from the company LAN, which meant that we couldn't
access them from our desks, which was a major pain.

So the question that I have is how can you even see these foreign domains?
What is the topology of your LAN? Do you know what everybody on your LAN is
doing? Are you part of a WAN? Are you seeing them over the internet
through a VPN? You are probably going to have to start disconnecting things
from the LAN to figure out how you are connected to them and where they are
coming from.

Todd
 
Thanks so much for the advice. Although I am MCSE, I don't really do
much outside maintaining servers and find much of this network stuff
quite baffling. I think you are definitely along the right lines here.
I am watching the fort while the infrastructure manager is away.
However, I believe before he went he did some fiddling on the network
which involved a DSL line and a wireless router being connected to a
switch that itself is connected to the network. I do not want to
interfere with his work while he is away, but I am concerned by this. I
do not understand though how a DSL connection to the main network would
cause just 6 specific domains to appear - if the network is connected
to the internet, you might think that thousands might appear. Any
thoughts?

In answer to Todd's questions: Ethernet; not really, but my (absent) boss
might; yes; we connect to an outside company via VPNs as our New Media
team have externally hosted servers - however, the problem with other
domains happened only a few days ago, and we have had the VPN for
years; and yes, I disconnected the wireless router and the DSL line but
there was no change.

I also tried running Ethereal like the other guy kindly suggested, but
my network troubleshooting knowledge is sadly lacking to interpret the
data.

Thanks again for everyone who offered advice.
 
You may have a bigger problem than you think, since this could be caused by
unauthorized users using your wireless router if the setup was not secured
by WEP or WPA. I assume you have access to a laptop with a wireless card; if
you are running XP, view wireless networks and see if yours comes up
unsecured. If it does, secure it immediately or unplug it immediately from
your network; otherwise your whole network security could be compromised.

If your wireless router maintains a list of connected devices, verify whether
any such connections do not belong to your organization. Now, depending on your
DHCP server, you may also examine it to see if there are any unknown machine
names or MAC addresses registered. The same goes for your WINS server if you
are using one.

Personally, I feel that wireless routers in an organization should be
contained within a separate DMZ, just in case of a security breach. You
could allow restricted access to the internet but require a VPN connection to
connect to the LAN.

James
 
Hi. Thanks a lot for this, but I have since found out what happened.
The company hosting our external servers had screwed up by plugging us
into the same switch as other companies' domains, without isolating us on
a VLAN. They have now sorted it. Thanks again to everyone who
offered advice.
 