Locking down and monitoring the system

We had a member of our IT team leave, and now people are paranoid he is going to hack in and do damage, we did the regular things of changing every password in AD along wit local ones, I was wondering if there is anything I can do to make sure he didnt create other accounts that he could access, or is there a way to monitor what IP Addresses are accessing the servers,  Has anyone been in the situation before and if so , what steps didd you take to verify the security of your system ?
Who is Participating?
Rich RumbleConnect With a Mentor Security SamuraiCommented:
It's hard to be 100% sure, as someone with admin rights could install an "dial-home" tool that allows them access from the inside of your lan to an ourside ip he/she specified before leaving, basically a backdoor.
You should begin auditing your event log's, there are tools like GFI's SELM and Snare that can help automate the process of alerting you to certain event's. Password reset's are definatly step one, disabling that users PC and domain/vpn accounts are also essential. Look through his/her history files, event log's and emails for anything suspicious or out of place. You should also scan all servers and pc's with an antivirus solution, however that sometimes isn't enough. We had an admin use the Sony DRM cd to cloak his program, and we only found if fater scanning his PC with rootkit revealer... if it wasn't on his own pc, we may not of ever really seen it. http://xinn.org/Sony-DRM.html

You should also impliment an IDS system like Snort http://www.snort.org/

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.