As system administrators, we are often given lists of individuals who have left the organization. For these individuals, we are asked either to deactivate their accounts or to delete them altogether, depending on company policy. We are also asked to disable their access to email. Our checklists probably also include disabling their home drive share and their access to other resources in the organization where they might have a separate password. Organizations often have different processes and standards for terminated users.
What about terminating a systems administrator? Obviously, we need to do the same things for administrators that we do for normal users, but there are many other steps that we should take when it is a system administrator. As administrators, we have tremendous access because we have knowledge of so many different ways to get into the network and we have knowledge of so many different accounts. A terminated systems administrator is a huge potential risk to our organizational assets if they have ill will towards our company.
R. Ward Ralston, now a member of the Windows Server Division at Microsoft, and Wes Noonan, a well-known security consultant and author, put together a checklist a couple of years ago that is amazing in its depth. Ward did the large majority of the work and put together the initial list. Wes then added to it. I have tweaked it a bit here.
The first step is to realize that your organization should be concerned about the following areas when it comes to an administrator leaving the company. These concerns hold true if the administrator leaves voluntarily as well as if they leave under less than ideal conditions. The concerns are:
- Admin access to systems (including file shares, databases, email, etc)
- Destruction of data
- Theft of confidential data
- Publication of confidential data
- Web defacement or disruption
- Email disruption
- Physical access by terminated employee
- Emailing malicious content to susceptible users
- Network access disruption
Once the administrator is terminated, Ward and Wes agree that the first step is to immediately isolate the company network. I don’t necessarily agree with this drastic step, but it certainly makes sense. At the minimum, you certainly need to take many of these steps just to remove access for a former administrator while you take the many steps that follow later:
- Do not provide admin access to any systems once you receive notification of the termination. Basically, freeze admin access wherever possible and do not issue any new credentials until you have taken all of the steps in this entry.
- Ask ISP to queue inbound mail if possible and not allow new email into the organization.
- Inform all employees of the termination and issue new passwords to all employees, beginning immediately.
- Pull Internet connection on outside interface of router. This sounds drastic, but the idea here is that we are in extreme defensive mode and need to protect the company until we get the situation under complete control.
- Turn off and document any modem connections.
- Turn off and document any wireless access points.
- Change company domain account password with Network Solutions and other domain name vendors. Change the technical admin contact if necessary.
As the former administrator leaves the company, it is vital that you immediately obtain the former admin’s company property. If the former administrator does not have all of the company property on site, send somebody home with the former admin to pick up any property at the former admin’s home.
- Laptop/notebook computers
- Computers used for testing
- Cell phones
- IP phones (office and home)
- Portable hard drives
- Any documentation in print or electronic form
- Information on RAM key fobs
- Keys (electronic and physical)
- Smart cards
- Authentication key fobs
- Application source media
- Application key codes
- Any tapes or other backup media
- Company credit cards or phone cards
The next step is to gain control of the former admin’s work space.
- Disable former admin’s personal account in domain.
- Disable former admin’s remote access accounts on routers, firewalls, VPN servers, RAS servers, etc.
- Change the voice mail password for the former admin’s phone.
- Back up the former administrator’s desktop. Turn it off, and take it off the network. You may need this in the future for possible court actions. Even if you don’t think you need it, you may find out otherwise later when it is too late.
Now it is time to buckle down and complete the following checklist steps as fast as you can and as completely as you can.
- Change web site access passwords. This, of course, includes OWA and OMA access.
- Rename the built-in domain admin account and change the password. You also should rename the local admin accounts on all servers and devices and change the passwords for these accounts as well. Don’t forget remote field office systems.
- Rename the schema admin account, if you run Active Directory, and change its password.
- Change the AD restore password.
- Have all existing administrators change their passwords. It is possible that the former admin has dumped the password hashes and already cracked them.
- Change all switch, router and firewall passwords.
- Change all admin passwords on VPN and RAS devices.
- Review all router and firewall configuration attributes and filters against business requirements and clean up as necessary.
- Upgrade all exposed routers and firewalls to current firmware. Notify support vendors for these devices that the former admin is no longer part of the company and all access should be removed.
- Check for services or applications using former admin’s personal account.
- Change the phone system passwords and account names.
- Change Unix/Linux server root passwords if applicable.
- Change all server program access passwords.
- Change all service account passwords and verify service operation after changing the passwords.
- Validate all domain accounts (look for hidden backdoor accounts).
- Validate all local accounts on remote access devices.
- Change the admin passwords on remote field office machines.
- Check scheduled tasks on all servers and admin workstation for "timebomb" sabotage.
- Change antivirus admin accounts/passwords at all levels in the organization.
- Update antivirus and anti-spyware detectors and manually scan all servers.
- Isolate systems where spyware, trojans, or viruses are found. Remove all infections found. Check application source folders of the infected files for other related files. Preserve directory with winzip for future forensics before deleting. Infected systems should be formatted and rebuilt.
- Monitor all servers for 24 hours looking for programs "phoning home."
- Force all users to change their passwords.
- Change network device passwords (wireless, print servers, switches).
- Scan all systems (servers and desktops) and patch all servers for known vulnerabilities.
- Reconnect Internet, remote access systems, and "secured" wireless access points.
- Ask ISP to release email or ETRN.
- Change volume licensing account passwords.
- Contact all vendors, inform them of the employee’s termination, and ask for a new account name and password where applicable.
- Analyze former admin’s desktop and test equipment for anomalies.
- Analyze switches for monitoring ports.
- Analyze backup records for evidence of data theft.
- Scan network for promiscuous cards that would indicate potential monitoring. Turn off promiscuous mode.
- Monitor and support user password problems on return to business.
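Several items in the list above (services or applications using the former admin’s personal account, hidden backdoor domain accounts, "timebomb" scheduled tasks, and confirming the personal account is actually disabled) can be swept in one pass rather than host by host. The script below is an added example written for this post; it is not part of Ward and Wes’s checklist and not a Microsoft tool. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to the listed servers, and that it is run from an account the former admin never controlled. The account name `jdoe`, the server names and the 90-day cutoff are placeholders.

```powershell
# Added example (not from the original checklist). Audits AD, services and
# scheduled tasks for traces of a departed administrator.
# Placeholders: jdoe, the server list and the 90-day window.
[CmdletBinding()]
param(
    [string]  $FormerAdmin = 'jdoe',                        # SamAccountName of the departed admin (placeholder)
    [string[]]$Servers     = @('dc01', 'file01', 'mail01'), # hosts to audit (placeholders)
    [datetime]$Since       = (Get-Date).AddDays(-90)        # "recent" cutoff for new accounts and tasks
)

Import-Module ActiveDirectory -ErrorAction Stop

# Every finding is collected as an object so the result can be sorted and exported.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Area, [string]$Computer, [string]$Item, [string]$Reason)
    $findings.Add([pscustomobject]@{ Area = $Area; Computer = $Computer; Item = $Item; Reason = $Reason })
}

# 1. The former admin's own account must be disabled before anything else.
$former = Get-ADUser -Identity $FormerAdmin -Properties PasswordLastSet
if ($former.Enabled) { Add-Finding 'Account' 'AD' $FormerAdmin 'STILL ENABLED' }

# 2. Privileged group membership, resolved recursively so nested groups do not hide a member.
#    Every member is listed for a manual comparison against the people who should be there.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Privileged group' 'AD' "$group : $($_.SamAccountName)" 'review membership' }
}

# 3. Recently created accounts (possible backdoors) and accounts that carry adminCount=1,
#    which marks current or former members of protected groups.
Get-ADUser -Filter * -Properties whenCreated, adminCount | ForEach-Object {
    if ($_.whenCreated -ge $Since) {
        Add-Finding 'Account' 'AD' $_.SamAccountName "created $($_.whenCreated)"
    }
    if ($_.adminCount -eq 1 -and $_.Enabled) {
        Add-Finding 'Account' 'AD' $_.SamAccountName 'adminCount=1 (current or past privileged account)'
    }
}

# 4. Per server: services running as the former admin, and scheduled tasks authored by,
#    running as, or registered after the cutoff (the "timebomb" check). Built-in Microsoft
#    task folders are skipped to keep the output reviewable.
foreach ($computer in $Servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -like "*$FormerAdmin*" } |
            ForEach-Object { Add-Finding 'Service' $computer $_.Name "runs as $($_.StartName)" }

        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
        Get-ScheduledTask -CimSession $session |
            Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
            ForEach-Object {
                $task    = $_
                $runsAs  = $task.Principal.UserId
                $created = $task.Date -as [datetime]   # $null when the task carries no creation date
                if ($task.Author -like "*$FormerAdmin*" -or $runsAs -like "*$FormerAdmin*") {
                    Add-Finding 'Scheduled task' $computer $task.TaskName "author/principal: $($task.Author) / $runsAs"
                }
                if ($created -and $created -ge $Since) {
                    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                    Add-Finding 'Scheduled task' $computer $task.TaskName "registered $created; runs: $actions"
                }
            }
        Remove-CimSession $session
    }
    catch {
        # A host that cannot be reached is itself a finding: it has not been audited.
        Add-Finding 'Error' $computer '-' $_.Exception.Message
    }
}

$findings | Sort-Object Area, Computer, Item | Format-Table -AutoSize
$findings | Export-Csv -Path ".\admin-offboarding-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The script only reports; it changes nothing, so it can be run repeatedly during the clean-up and the exported CSV kept with the other evidence from the former admin’s desktop. Anything it flags still has to be judged by a person: a service running as the former admin is almost certainly a service account that needs changing, while a recently registered task may be legitimate and simply needs its action line read.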
The toughest part of dealing with system administrators who leave the company is that we have to place such high levels of trust in them while they work for our organizations. We would like to be able to extend that trust after they leave and believe that they will not take malicious actions against our organizations. However, it just isn’t in the best interests of the organization to hope that nothing happens and to take no action to prevent malicious activity.