Pau Lo
asked on
administrator leaver process

I was just having a quick read through this article:
https://www.infosecurity-magazine.com/news/it-administrator-sentenced-for/
Clearly an "administrator" leaving a company brings with it more challenges and possible remediations than a standard user from a security/risk perspective. Do you have any specific checklists and best practices you follow when someone with detailed knowledge of your network/infrastructure leaves? I suspect there are a lot more checks on your list than just disabling a single AD user account.
I have noticed in account audits before that credentials for administrative accounts have sometimes not been changed for a significant period of time (years), are exempt from expiry policies etc., and are sometimes known by multiple officers.
As a network/security admin yourself, assuming your individual AD account(s) are disabled once you leave employment, what other accounts do you typically have knowledge of that could be used to regain remote access into your former employer's network? Or other techniques you could use to regain access? So we can look into possibilities for protecting those areas as well if a knowledgeable senior administrator leaves. We need some form of checklist, especially for protecting 'remote access' opportunities for former administrators.

Tags: Windows OS, Active Directory, Network Management, Security
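One concrete starting point for the audit the question describes (admin credentials unchanged for years, accounts exempt from expiry, and disabled leavers still sitting in privileged groups) is to enumerate the members of the privileged AD groups and flag those conditions. The script below is an added example written for this thread, not code posted by any participant; the group list and the 90-day threshold are assumptions to adjust for your own domain, and it requires the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the original thread): audit privileged AD group members
# for stale or never-expiring passwords and for disabled accounts that still hold
# privileged membership. Read-only; it changes nothing in the directory.
Import-Module ActiveDirectory

# Assumption: the built-in privileged groups; add your own custom admin groups here.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')
# Assumption: the maximum password age your policy allows for privileged accounts.
$MaxPasswordAgeDays = 90
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so members hidden in sub-groups are included.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled
        $issues = @()
        if ($u.PasswordNeverExpires)            { $issues += 'PasswordNeverExpires' }
        if (-not $u.PasswordLastSet)            { $issues += 'PasswordNeverSet' }
        elseif ($u.PasswordLastSet -lt $cutoff) { $issues += "PasswordOlderThan${MaxPasswordAgeDays}Days" }
        if (-not $u.Enabled)                    { $issues += 'DisabledButStillPrivileged' }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                LastLogonDate   = $u.LastLogonDate
                Issues          = ($issues -join ';')
            }
        }
    }
}

# Show the findings and keep a CSV copy as evidence for the leaver review.
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path .\privileged-account-audit.csv -NoTypeInformation
```

Run it periodically, not only when someone leaves: a break-glass or service account that never rotates and that several people know is exactly the kind of credential a leaver checklist has to cover, and this report gives you the list of accounts whose passwords need resetting (and whose group membership needs reviewing) on the day the administrator departs. Accounts on devices that are not AD-integrated (firewalls, routers, hypervisors, backup appliances) will not appear here and need their own inventory.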

ASKER CERTIFIED SOLUTION
William Fulks
Pau Lo (ASKER)
Reading between the lines, do you think that would have been an AD / domain account they used to cause their chaos/revenge?

I don't work in the operational side of IT but is it still fairly common practice to have administrative/powerful accounts whereby multiple users know the password - and if so for what reasons?
SOLUTION
ste5an
Pau Lo (ASKER)
Token-based 2FA.

Yes, it does highlight deficiencies in their remote access controls and general access management. I did wonder if it was some form of 'break glass' account that had been exempt from MFA and other restrictions placed on the standard user accounts, like password expiry, as it suggested their individual domain accounts had been disabled but they had regained access via some other 'administrative' account.
SOLUTION
Hello There
SOLUTION
ste5an
SOLUTION
Robert
Pau Lo (ASKER)
Endpoint devices such as firewalls and routers etc. should be the first place to change once you have disabled the user's account, as a lot of them are not AD integrated and have their own set of accounts.

In your environment are such devices 'manageable' off site/remotely, without first authenticating in your domain?
Robert
Typically no, but it depends on the site's requirements. I usually lock them down so that you have to be on the LAN interface to manage them; however, that doesn't mean all devices are that way.