Network Administrator Leaving Company - Security Concerns

tropix
We have a network administrator that will be let go.  We have a large network, 300 users, 4 sites, VPN, Microsoft 2000 servers, exchange server.

Please give me a list of security issues and concerns to look at and lock down before we let this gentleman go.

Thank You.

Let me know if you need additional info, but a generic list of issues to look at would be good at least to get started.

Off the top of my head...

lock out his user account
give someone else access to his mailbox
change admin password
service account passwords
any other accounts he has access to
ensure any dial in or vpn accounts he had or has had access to are secured
keys, access codes to server rooms etc
ensure all staff are aware that he no longer works for the company
I'm assuming this will come as a shock to the chap but when the time comes do not let him back at a terminal unsupervised

It's always better to stay on good terms with ex admins; you never know when you'll need to call them for help on an undocumented fix that only they know about. Assuming he's not getting the sack for negligence, misconduct etc. (i.e. it's downsizing, cost cutting etc.), you may want to build something into his package to keep him sweet (even little things like offering to forward personal emails to a new address).

N
In addition  to NacMacFeegle's suggestions, consider changing the following:

  VPN Keys for branch offices and employee laptops (disable his)
  Router passwords
  Desktop local administrator account passwords
  ALL e-mail accounts passwords (if accessible from the outside)
  Web server passwords

Good luck,

Jeff
Commented:
interesting... I'll have to keep up with comments on this one meThinks.

1) be friendly
1a) have person quick move private personal stuff elsewhere
1b) have person provide list of all admin passwords, and set up additional one for you/replacement
2) when person leaves, all prior IDs must be disabled, all admin passwords changed
2a) good idea to then make new ID for your/replacement ID upon departure of former support staff
3) Sit down with person, schedule regular meetings, to review all issues related to security, hopefully over a two week period
4) Have solid list made of all devices supported securely
5) Get a good map of topology of current networking, what is connected to what and how
6) Try to get management to agree to a few support dollars, to 'contract' for person to provide some minimal post-support over the phone for at least two weeks after departure
6a) At least ask person if they will support a handful of questions over phone if something should arise unexpectedly
7) Also address any physical security, such as for turning in keys, badges, managing closets
8) It is imperative for any company to always have good backup plan, know that someone should currently be available to step right in. Accidents happen.
8a) So make sure, if you can, to have two people stepping into this turnover role.
9) checkout and attend to any dialup issues in particular, remote control, and connections
10) decide up front that some of the admin's prior duties may be better handled by someone not needing to have admin rights on everything, such as for backup/restore operations
10a) also audit processes should be separate - and secured from admins

Commented:
Also,

You may want to suggest an interim password change policy for users. Although not always a common practice, it is possible for admins to have passwords for users they have supported directly. You may encourage all users he has supported to change their password (if not all users in the company).

Also verify in W2k that the Schema Admins, Enterprise Admins, and Domain Admins users have all of their passwords and potentially the usernames themselves changed.

On VPN appliances/firewalls change all passwords and shared tunnel keys. Verify that remote access ports are not left open on VPN/firewall devices pointing at random workstations, servers etc.

Obviously any modems/RAS accounts. (I guess since this is obvious we overlook it.)

Also check for local user accounts on domain member servers. (If you're unsure what it's for, at least disable it until someone screams. Then change the password.)

Support account: Does he have licensing records in his name for the company, or any vendor accounts he has admin rights to? Shipping accounts etc. Commonly everyone wants help setting up anything technical, so he is the one who gets stuck setting it up. He then gives himself full admin rights on these accounts. More than likely.

*** Service accounts (Backup/Antivirus/Cluster): all areas, if not documented, could bite you later.
Verify antivirus filtering has not been altered since or during his dismissal. He could simply turn off antivirus filtering on Exchange-aware antivirus apps.

Good Luck
Commented:
In addition:

You need to get the (real - in case s/he renamed the admin account and created a bogus one for security) admin account password.  Log on as the admin and look at the admin group and high-privilege groups (i.e. Power Users), to ensure that additional admin accounts have not been created (disable these - after you get control of the admin account).

Make sure the account is not logged on when you decide to let him go - the access token stays active while the user is logged on.

If backup tape password is used - get those passwords - for retrieving archived data.

Change Exchange passwords - look for accessibility from the VPN (if you have it) and from across the Internet (secure these).

If you have Remote Access Server (get those passwords and secure them - to prevent dial-up access).

Ask group (high-level) managers to change their passwords (s/he might have set up those passwords for them - and because of their high level - password expiration may not have been implemented for those accounts).

Get the password to his PC - lockup this PC - until you are sure that you are in total control.  There will be no excuse about "it was documented and on my PC - someone must have deleted it......"

When you terminate - make sure that s/he cannot access any internal PC - simultaneously notify any remote administrators (assistance) of his termination.  Have HR arrange to meet with the admin - secure major items from the list - while someone is advising him or her of the termination.  Provide escort for removal of personal items.

Look for unauthorized share folders - secure administrative shared folders to drives on servers.

It depends on the individual and the situation - find the best way to end the relationship admirably.  In my case the company had the same worry as you have; my boss knew me better, and he told them not to worry about any of it.  I cooperated with the outsourcing company fully.  I documented everything.  I gladly provided a complete password list and I completed my projects (even w/o pay on overtime) through to the last day.  It took about one month from the time I knew of the termination until I walked out the door.  How well do you know your admin personally?

Get passwords to devices that have passwords that s/he worked on:  PBX, video conferencing devices, routers, switches, UPS, printers/print servers, remote access servers, VPN, certificate keys, ISP, domain administration if you have a registered Internet domain (prevents him/her from calling and changing the domain name, causing Internet/email outages). Anything that s/he had worked on and has a password - get the password and change it.  Don't forget to document your changes as you go in case you have to put them back to get things working (temporarily) later.

Notify the offline data storage company - and customers, if s/he provides customer support.
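The group-membership and password-change checks raised in the two comments above can be re-verified after the lockdown. This is an added example, not part of the original thread: it assumes the account inventory has been exported to CSV, and the column names, account names, dates and approved list are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample export (not from the thread): one row per account with
# its group memberships and the date its password was last set.
SAMPLE_EXPORT = """account,groups,enabled,pwd_last_set
Administrator,Domain Admins;Enterprise Admins;Schema Admins,yes,2003-01-10
oldadmin,Domain Admins,yes,2004-02-01
svc_backup,Backup Operators,yes,2002-06-15
svc_av,Domain Admins,yes,2004-03-20
helpdesk2,Domain Admins,yes,2004-03-02
newadmin,Domain Admins,yes,2004-03-21
jsmith,Domain Users,yes,2003-11-05
"""

# Groups treated as high-privilege for this audit (assumed list; extend it).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Schema Admins",
              "Administrators", "Backup Operators", "Power Users"}

def audit(export_text, departing, approved_privileged, cutoff):
    """Return sorted (account, finding) pairs that still need action."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["account"]
        groups = set(row["groups"].split(";"))
        enabled = row["enabled"] == "yes"
        pwd_set = datetime.strptime(row["pwd_last_set"], "%Y-%m-%d")
        privileged = bool(groups & PRIVILEGED)
        if name == departing:
            if enabled:
                findings.append((name, "departing account still enabled"))
            if privileged:
                findings.append((name, "departing account still in privileged group"))
            continue
        if not enabled:
            continue
        if privileged and name not in approved_privileged:
            findings.append((name, "privileged account not on approved list"))
        if privileged and pwd_set < cutoff:
            findings.append((name, "privileged password not changed since cutoff"))
    return sorted(findings)

if __name__ == "__main__":
    approved = {"Administrator", "newadmin", "svc_backup", "svc_av"}
    for account, finding in audit(SAMPLE_EXPORT, "oldadmin", approved,
                                  datetime(2004, 3, 19)):
        print(f"{account}: {finding}")
```

The cutoff is the moment the lockdown started; any privileged or service account whose password predates it is one the departing admin may still know.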



Commented:
Oh man, good luck. I can send you an actual document I work with, as I work for a computer security firm and we've done this a hundred times over. No matter what, you'll always find something you didn't prepare for. Post a spam email account or your real one if you prefer and I'll shoot this over to you.
Just some notes...

1. don't lockout the account, but disable it instead
2. setup mail redirection in exchange to forward the email either to someone in senior management or to the new administrator
3. change all the administrator passwords for everything including Exchange, system services, Windows, hardware like switches, VPN router, firewalls... change any password he had access to, maybe even set all user accounts to ask to change password on next login
4. change front door locks, server room locks (or codes), alarm codes.
5. Disable any VPN accounts he has

Author

Commented:
xtropix@netscape.net - please email me the doc.

This is good stuff so far.

Commented:
Who are you, btw. My comments started out like you would be the replacement admin, then changed a little towards management type.

In review of some of above, I am grateful for

NacMacFeegle> It's always better to stay on good terms with ex admins

I see an important couple I missed, especially:
NacMacFeegle> ensure all staff are aware that he no longer works for the company
tropix> administrator that will be let go

Let me stick to that for now as it indicates among the worst of scenarios one may face. First, in my workplaces, I am abhorred that hardly ever do we know who is no longer working for company, or if we find out they are gone, just why they are gone. We may hear "for cause", but never the cause. So we have a real friendly environment, but no idea what you can be guilty of to lose ability to pay the mortgage. This kind of intimidation leads to too many insecurities, very bad overall for all, except maybe a couple company legal defense funds for doing wrongful terminations.

The not knowing who is gone, often goes along with not personally knowing the admin.  This leads to the most common exposure a company has to being intruded upon. A person can simply place call next week to your next-worst employee, and say: "I am calling to administer problem on your computer, please give me your password, and we can save time and fix the system to run better" This is the most popular way the bad_guy gets access, whether ex-employee, or someone with time on their hands, even from prison cell, to do some random dialing. Close that door!

The most common damage a company gets is from disgruntled employees, ex-employee or current. When a disgruntled employee sees the writing on the wall, they can perhaps trick the system into making a privileged program, or elevating rights to some user that rarely uses the system. They can get a password changed, but easier yet is the simple phone call "What is your password? I'll be needing you to change it in a few minutes for security reasons, I hope this does not inconvenience you too much, to help us fix the programs..."

> that will be let go

Now suppose it goes like here. At the right time, someone tells employee "bye, time is up". It can be a person at door not letting employee in at beginning of week, or waiting at door at end of week, or, I've seen where they are found at desk and marched promptly out the door. And I am not referring to having any cause, other than some budgetary mumbo jumbo.  The workplace disruption is so initially costly in hours, and tears, and fears, and loss of production, I have to wonder where such gestapos were bred?

While I think we need to ask why employee departing, let me give answer that covers a we do not need to know why. Modify as needed.

11) Give employee a two week notice. Their main job is turnover. Following that, keep them on rolls for two more weeks, tell them they only are expected to be available half the day, to be used as info resource for replacements, and the rest of the time they are free to use local computer (without rights) to enhance resume, and to use phones for calling other companies about job opportunities. Then another two weeks pay, not having to come to work, but to be near a phone for any questions. With this also do the next one

12) Announce the coming departure of the employee to staff and peers. Announce a nice luncheon for employee, on the clock, at some nice place to eat, for anyone wanting to be a well-wisher, friend, etc., and have the reorganization as friendly as possible. Don't let employee buy own lunch, and make sure the announcement is sufficiently in advance to count attendees for reservations.

While this is not always possible, we have to bear in mind that employee disgruntlement is the worst that can happen in terms of security that you can ever come up against. Deal with it now, or deal with it later.

I had new coworker once, who kept bragging, how he'd quit last job because people (boss) were so dumb, but thought they so smart, and would not let him do what he needed to make system run better. They insulted him. So once every week or so he'd access the old main computer, and have its drive reformatted or something, and laugh that they still don't know how to run their system despite how smart they think they are, and probably haven't a clue why it does not boot any more. I, uh, wasn't sure what to believe except, that it might be a good time to make my own passwords more complex, turn computer off when going to rest room, etc. Hmm, wonder now where that one ended up, I got into different workgroup shortly thereafter. Among the last words I remember from him were: "Next time you ask me for help I'll format your drive". Smiles and leaves, other people smile, liking the dude, and I... uh, maybe add another passwordie routine before I shutdown. Can't say that I miss him all that much.

In any case, first and foremost consider:

Answer: Deal with morale of employees when addressing security concerns.

Commented:
OOPS - almost forgot one major detail - Do not reassign the old administrator's to the new administrator w/o running a trojan or keystroke logger (spyware) scan.  If a keystroke logger (spyware) is running, it can stealthily email new passwords to the old admin.

GNART

Commented:
Thanks. -[Good Fortune]-

Commented:
Has anyone thought about the WEP keys?
