Information Security
IrkDesigner, 2012-09-24 05:56:43

What to do when the system administrator is fired?

A question that every security officer faces at some point.
When an ordinary employee quits, everything is clear: we block the account and send them off in peace.
When the system administrator is fired, the problem grows much bigger. Here is the first thing that came to mind:
Blocking the admin's account;
Auditing Active Directory for undeclared accounts with administrator rights;
Checking the gateway for new rules for remote users;
Checking scheduled jobs on servers and workstations;
Changing passwords on network equipment, changing passwords for standard accounts (e.g. root) on servers;
Revoking tokens, checking the PIN codes on tokens.

Who else has faced similar problems, and what steps have I missed to ensure information security?
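The server-side items in the list above (scheduled jobs, standard accounts on servers, anything the departed admin could have left behind) and the later remarks about checking the schedulers on every box and about what a root-level admin can leave behind are easiest to show on a *NIX host. The script below is an added example written for this page, not code from the original thread or from any of the commenters. It sweeps a host for four common leftovers: a second UID-0 account, SSH keys tied to the departed admin, passwordless sudo grants, and cron entries that invoke hidden or /tmp binaries. The username "admin_ivan", the temp-directory paths and every sample file are constructed for the demo; on a real host you would point the functions at /etc/passwd, the authorized_keys files of all users, /etc/sudoers plus /etc/sudoers.d, and every crontab. The Active Directory side of the list is not covered here.

```shell
#!/bin/sh
# Added example (not from the original thread): sweep a *NIX host for access an
# offboarded administrator may have left behind. All inputs below are
# constructed sample files; ADMIN_ID is a hypothetical username / key comment.

ADMIN_ID="admin_ivan"                    # hypothetical departed admin
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# --- constructed sample inputs (NOT real system files) ---------------------
cat > "$WORKDIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup_svc:x:0:0:backup helper:/var/backups:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF

cat > "$WORKDIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOne deploy@ci
ssh-rsa AAAAB3NzaC1yc2EFakeKeyTwo admin_ivan@laptop
EOF

cat > "$WORKDIR/sudoers" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup_svc ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$WORKDIR/crontab" <<'EOF'
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /usr/local/bin/.sync_wrapper >/dev/null 2>&1
EOF

# --- checks: each prints one finding per line, nothing when clean ----------

# Accounts with UID 0 other than root: a "second root" hidden in passwd.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Public keys whose line mentions the departed admin (comment field or key).
find_admin_keys() {
    awk -v who="$2" 'index($0, who) { print $NF }' "$1"
}

# Passwordless sudo for anyone other than root or a %group entry.
find_nopasswd_sudo() {
    awk '/NOPASSWD/ && $1 != "root" && $1 !~ /^%/ { print $1 }' "$1"
}

# System-crontab entries (user field present) running a dot-prefixed binary
# or anything under /tmp: typical places a scheduled backdoor is parked.
find_suspicious_cron() {
    awk '!/^#/ && NF >= 7 && ($7 ~ /\/\.[^\/]+/ || $7 ~ /^\/tmp\//) { print $7 }' "$1"
}

# Run all checks against the given files and print a short report.
sweep_host() {
    passwd="$1"; keys="$2"; sudoers="$3"; crontab="$4"; who="$5"
    echo "== extra UID 0 accounts ==";   find_extra_uid0 "$passwd"
    echo "== keys tied to $who ==";      find_admin_keys "$keys" "$who"
    echo "== NOPASSWD sudo grants ==";   find_nopasswd_sudo "$sudoers"
    echo "== suspicious cron jobs ==";   find_suspicious_cron "$crontab"
}

sweep_host "$WORKDIR/passwd" "$WORKDIR/authorized_keys" \
           "$WORKDIR/sudoers" "$WORKDIR/crontab" "$ADMIN_ID"
```

On the constructed input the sweep flags backup_svc twice (UID 0 and NOPASSWD sudo), the admin_ivan@laptop key and the hidden .sync_wrapper cron job. The checks use awk rather than grep so that an empty result is a normal exit code, which matters if you wrap the script in set -e during a bulk run across servers. These are only the obvious hiding places; the thread's point that a root-level admin can always leave something only a reinstall removes still stands.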


17 answers
Vasily, 2012-09-25
@VasiliyIsaichkin

I agree with demimurych and would add that in Windows you can also hide a lot of things very cleverly...
Here is a paranoid option: somewhere (for example) above the ceiling tiles there is a small nettop, connected to the network without documentation, with a GPRS modem attached to it. A command is sent to it remotely and, for example, via the X10 protocol over the mains or via Ethernet, a command goes to a slightly modified UPS to reset the production server, and in that server's BIOS the first boot option is PXE (who is going to check this on a production server? :)). Then, from the PXE server on the nettop, the production server loads the required OS, a little automation, and voila, access is regained ;)
It seems to me that it is better not to quarrel with the administrator: if he wants to (especially if he had time to prepare), he can do a lot of thorough damage.

Michael, 2012-09-24
@1099511627776

According to our legislation, a person must work for 2 weeks before leaving. I suggest you find a suitable specialist before that and make sure that he does not leave the old admin's side for those 2 weeks (speaking from experience).
If you use specific software that the admin himself had a hand in creating or modifying, then at least do not burn bridges, but say something like: "If something is unclear to him, come and help, we will compensate you."

TimID, 2012-09-24
@TimID

As I understand it, you are not on friendly terms with the system administrator...
Send the system administrator on vacation for a week in Hawaii (where there is no Internet and he will have no time for it; and in general, this is a bribe), and during this time hire NORMAL system administrators so that they quickly reconfigure everything. It is very important to change the "root" piece of hardware (Cisco or whatever you have facing the network), and change it physically.
Even better, contact a security audit firm and ask them for a security guarantee. Let them obtain/change all passwords, etc.
And most importantly, the system administrator MUST work for his manager, which means that he should record all his actions (on security and access rights) and submit reports. As soon as you notice that the system administrator begins to "go dark" and add functionality that only he can manage, FIRE IMMEDIATELY (!): this person no longer wants to make you better, he wants to make himself "untouchable".
As a last resort, hire two "mirror" employees so that they can completely duplicate each other.
PS. And forgive me, Computer gods, for "ratting out" your high priests, but I've had enough, I can't take it anymore!

Mikhail Lyalin, 2012-09-24
@mr_jok

The ideal is to follow the path of a handover from the old admin to a new one with simultaneous verification, etc.

demimurych, 2012-09-24
@demimurych

As a system administrator of *NIX systems, I will say
that if I had root access to the server
and I had a desire to make something happen after my dismissal,
I would realize this desire.
Only a complete reinstallation of the system could stop me.

Ruslan Mustaev, 2012-09-25
@NorthFighter

The surest way is to hire the second administrator who will work there in the future, let the old and the new one work together for a month or two, and when the second one is aware of everything that happens in the server farm, fire the old one.
Judging by the description, the current admin is still doing the work... there is probably no documentation, and by firing him without a prior handover you risk data loss and downtime... and even a wonderful new admin will not be able to figure everything out right off the bat... take on a second one as a pair, you won't go wrong.

Puma Thailand, 2012-09-24
@opium

With a strong enough desire, I, as an admin, will find a way to leave you an Easter egg.
On the other hand, you need to change all access credentials, right down to the ports that RDP and SSH listen on.

Dan_Vaganov, 2012-09-25
@Dan_Vaganov

Having the new admin work alongside the old one is the best way to go while you're looking for a place to hide the body.

extar, 2012-09-24
@extar

In this book there is a good chapter on the topic "How to fire a sysadmin the right way."

curlydevil, 2012-09-24
@curlydevil

The surest way to fire an admin is to hand him a box with his things at the office entrance and announce the dismissal, compensating him financially for this kind of inconvenience.

Michael, 2012-09-24
@1099511627776

Now, attention to the question:
is the admin leaving of his own accord, or do they want to get rid of him?

Alukardd, 2012-09-24
@Alukardd

If we talk about ways of playing dirty tricks and gaining access to network resources, then you will have to study literally EVERYTHING. Because VPN clients or any other back-connect method, even from a client machine, will give the administrator access to the inside of the network, and from there everything is much easier for him...
Actually, you described the basic principles in the question; beyond that, I recommend not heating up the relationship. Because in fact, really protecting yourself from an angry fired administrator will cost your company a tidy sum.

Nikolai Turnaviotov, 2012-09-24
@foxmuldercp

It is also very much worth checking the schedulers on all servers, because you can do this perfectly well from any rarely used, low-traffic server, for example a Windows server with RADIUS; at my last job I never logged into it.

wartur, 2012-09-24
@wartur

In my opinion, it all starts with expanding the staff. Then work begins in pairs, with tasks handed out in parallel. All this, of course, must be done fairly towards the person (it can take a month or two, by the way). Then at some point he comes to work and everything has been reconfigured. Then the dismissal process begins. This is the only right option. It all starts with the boss's banal statement that we don't have time to get the work done, so it's time to expand the team.

Flammar, 2012-10-24
@Flammar

There must be two system administrators. Three is better. Not only in case of dismissal, but also in case of vacation or illness.
