Windows XP Community - XPHeads




Network Administration Trust

microsoft.public.windowsxp.network_web


02-12-2008, 03:42 PM
Parvardigar
Forgive me if this is posted to the wrong group. I didn't know where
to post.

This could be a long story. For the moment let's cut to the bone.
I own this small company. We have a WAN. Offices in China. Citrix
connection to our offices and business in San Diego. Eight months ago
we hired a new System Administrator. Nice credentials, Christian,
personality, ambitious, articulate, and so forth.
There were a couple projects that never did get completed. And I
became restless, then apprehensive, and suspicious. I can't prove
anything. I'm starting to peel away into his territory. I have enough
savvy to get under the hood. To find out if he is trustworthy. It's
all trust. Honesty.

This fellow is chronically absent. Medical, family, emergencies. We've
allowed our System Administrator to access the company remotely to
take care of his chores. And I needed proof beyond him stating 'I
worked the whole night solving connection issues with China'. The
following day he'd be absent from our physical office.

One user complained he couldn't log into the system via Citrix.
Password issue. In the many years running Citrix we never had this
incident. He worked all night to fix it. I suggested during this
'crisis' he change the password on the server. And that fixed it. But
he knew this. And I thought that for a user to be unable to log in, the
user may have forgotten the password - or someone changed it.

This incident added to my pile of suspicions.

I learned from management this fellow works on the servers on the
weekend, remotely, to upkeep. He would swap out weekday hours for the
weekend hours. This weekend I shut the system down. I asked him
diplomatically if he finished the chores, and exactly what he did. He
said the usual; defrag, updates, reboots, and so forth. And this was
a lie. I had shut down the company's servers over the weekend.

I examined the event viewer. All the dates are intact in all the logs
except the Security Log. I wanted to look into the China time frame to
see if he was logged in remotely for those eight hours. When I
inspected the event viewer the only dates viewable were for a two day
spread in the beginning of January. There were no current entries.
Just those two days. No trail to prove China events, no trail to
prove/disprove the weekend incident. (Good move shutting the network down.)
Without the event viewer logs the company can't prove our System
Administrator is a 'security risk'. Is it possible he could have
disabled Security Log? That's the bottom line. We feel threatened.
Exposed. And need to proceed cautiously. This is so unfortunate.

In the Security Log I checked overwrite events to '50 days' and
increased the maximum log size. The System Administrator had checked
'Don't overwrite; clear log manually' in our almost empty Security
Log.

I applied the new changes. In a few minutes the Log became populated
with today's entries. All the other event viewer logs were running
normally except the Security. I'd appreciate any comments. I'm so
pained by this demonstration of disloyalty. I need to advance with this
delicate issue wisely, correctly, and cautiously. Our company has a
System Administrator - that most are now very uncomfortable with -
everything is at stake...if this fellow is angry God knows what he
could do?

Sincerely
Chu
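
One way to examine the Security log state described in the post above, as an added example that is not part of the original post: it reports the log's retention settings, finds periods with no entries, and lists events that record the log being cleared or the audit policy being changed. The `$GapHours` threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
param(
    [string]$LogName = 'Security',
    [int]$GapHours = 12    # assumed threshold for reporting silence in the log
)

# Retention settings, the same values shown in Event Viewer's log properties.
$log = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
"{0}: max {1} KB, overflow action {2}, retention {3} days" -f `
    $log.Log, $log.MaximumKilobytes, $log.OverflowAction, $log.MinimumRetentionDays
if ($log.OverflowAction -eq 'DoNotOverwrite') {
    "NOTE: log is set to manual clearing; once full it stops recording new events."
}

# Load all entries oldest-first (can take a while on a large log).
$entries = @(Get-EventLog -LogName $LogName -ErrorAction SilentlyContinue |
    Sort-Object TimeGenerated)
if ($entries.Count -eq 0) { "No entries in $LogName log."; return }
"Oldest entry: {0}   Newest entry: {1}" -f `
    $entries[0].TimeGenerated, $entries[-1].TimeGenerated

# Report every period of silence longer than the threshold, including the
# stretch between the newest entry and now.
for ($i = 1; $i -lt $entries.Count; $i++) {
    $gap = $entries[$i].TimeGenerated - $entries[$i - 1].TimeGenerated
    if ($gap.TotalHours -ge $GapHours) {
        "GAP: {0} -> {1} ({2:N1} h)" -f `
            $entries[$i - 1].TimeGenerated, $entries[$i].TimeGenerated, $gap.TotalHours
    }
}
$tail = (Get-Date) - $entries[-1].TimeGenerated
if ($tail.TotalHours -ge $GapHours) {
    "GAP: nothing logged for the last {0:N1} h" -f $tail.TotalHours
}

# Events that record changes to the log itself:
#   517 / 1102 = audit log cleared (XP and 2003 / Vista and later)
#   612 / 4719 = audit policy changed (XP and 2003 / Vista and later)
$ids = 517, 1102, 612, 4719
$entries | Where-Object { $ids -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, UserName |
    Format-Table -AutoSize
```

A gap that lines up with a deliberate shutdown of the server is expected; the gaps worth a closer look are the ones that fall while the machine was running.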


All times are GMT.