Penetration Testing mailing list archives

Re: Handling Sysads resignation/termination


From: intel96 <intel96 () bellsouth net>
Date: Wed, 03 Aug 2005 17:43:58 -0400

Irvin,

Trying to determine if the sysadmin has installed anything in the network (information systems) is going to be difficult, especially if the network is VERY large. Your best bet is to identify all the user accounts that the sysadmin had access to use and change the passwords. Without knowing your network it is hard to pinpoint all these accounts, but here is a rough list.

1. All administrator accounts (local and global) - or root-level accounts
2. All accounts with administrator-level access (e.g. used for backup process, antivirus, etc.)
3. All application-level accounts (e.g. MS SQL, etc.)
4. Other accounts (routers, switches, etc.) if he/she had access to these devices.

Also do not forget to change any test accounts that the sysadmin may know. This holds true for VPN and dial-in test accounts. I would also audit all accounts that are not assigned to a real person (that you cannot ID) or maintenance accounts for vendors. I remember a case where a sysadmin was terminated and created administrator-level accounts everywhere within the network and even installed Trojans that gave him/her admin-level access each time the system was rebooted or based on the time of day. This was a MAJOR headache to fix, because of all the Trojans and hidden accounts. Also, if you provide wireless services which do not require authentication to the network, you should consider changing shared WEP keys.

You could also run a security scanner to determine if any Trojans are installed within the network or big security holes are present that this sysadmin could use to gain access. Let's not forget about physical access to the building. I have seen admins gain access to the buildings after they were terminated to inflict damage by stealing customer files and other data.

Well, that is enough to worry you for now. Remember to sleep well tonight and not dream about a sysadmin gone bad (wait, is that a video game... HA HA).

Intel96
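The account list above is a procedure, and the part that is hard on a large network is the enumeration, not the password change. The script below is an added example (it is not intel96's code, nor anything from the original thread) that walks a Unix-style passwd file and a sudoers fragment and produces the rotate/disable list using the same four rules: root-level accounts, accounts with admin-level rights, application/service accounts, and accounts not assigned to a real person. The passwd lines, sudoers rules, HR roster and the departing admin's username ("bsmith") are all constructed for the example; the UID boundaries (1000 for human accounts, 65534 for nobody) are the usual Linux convention and are an assumption about the target hosts.

```python
"""Offboarding account audit.

Given a Unix-style passwd file, a sudoers fragment and an HR roster of
current staff, list every account whose credentials must be rotated
(or the account disabled) after a privileged administrator leaves.
All data below is constructed for the example; nothing is from a real host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed /etc/passwd lines; users and paths are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/bash
bsmith:x:1000:1000:Bob Smith (sysadmin):/home/bsmith:/bin/bash
bkupsvc:x:1001:1001:Backup service:/var/backup:/bin/sh
mssqlsvc:x:1002:1002:SQL service:/var/opt/mssql:/bin/false
jdoe:x:1003:1003:Jane Doe:/home/jdoe:/bin/bash
vendor1:x:1004:1004:Vendor maintenance:/home/vendor1:/bin/bash
vpntest:x:1005:1005:VPN test account:/home/vpntest:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed sudoers fragment (plain user rules only).
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root    ALL=(ALL) ALL
bsmith  ALL=(ALL) ALL
jdoe    ALL=(ALL) ALL
bkupsvc ALL=(ALL) NOPASSWD: /usr/bin/rsync
vendor1 ALL=(ALL) ALL
"""

# Constructed HR data: usernames of people still employed, and the
# username of the administrator who is leaving.
HR_ROSTER: Set[str] = {"jdoe"}
DEPARTING: Set[str] = {"bsmith"}

# Assumed Linux convention: system accounts below 1000, 'nobody' at the top.
FIRST_HUMAN_UID = 1000
NOBODY_UID = 65534


@dataclass
class Account:
    name: str
    uid: int
    gecos: str
    shell: str
    reasons: List[str] = field(default_factory=list)


def parse_passwd(text: str) -> Dict[str, Account]:
    """Parse passwd-format lines (name:pw:uid:gid:gecos:home:shell)."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        accounts[fields[0]] = Account(fields[0], int(fields[2]), fields[4], fields[6])
    return accounts


def parse_sudoers(text: str) -> Set[str]:
    """Return user names granted a rule in a sudoers fragment.

    Only plain user specs are handled; '%group', '+netgroup' and
    'Defaults' lines are skipped because resolving them needs group data.
    """
    grantees: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%+" or line.startswith("Defaults"):
            continue
        grantees.add(line.split()[0])
    return grantees


def audit(passwd_text: str, sudoers_text: str,
          roster: Set[str], departing: Set[str]) -> Dict[str, List[str]]:
    """Map each account that needs action to the reasons: root-level,
    the departing admin's own account, admin-level via sudo, and accounts
    not assigned to a current, identifiable person."""
    accounts = parse_passwd(passwd_text)
    sudoers = parse_sudoers(sudoers_text)
    for acct in accounts.values():
        if acct.uid == 0:
            acct.reasons.append("uid 0: root-level account, rotate")
        if acct.name in departing:
            acct.reasons.append("departing admin's own account: disable, not just rotate")
        if acct.name in sudoers:
            acct.reasons.append("sudo rule: admin-level access, rotate")
        unassigned = (FIRST_HUMAN_UID <= acct.uid < NOBODY_UID
                      and acct.name not in roster
                      and acct.name not in departing)
        if unassigned:
            acct.reasons.append("not assigned to a current person "
                                "(service, vendor or test account): rotate and review")
    return {a.name: a.reasons for a in accounts.values() if a.reasons}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_PASSWD, SAMPLE_SUDOERS, HR_ROSTER, DEPARTING).items():
        print(f"{name:10s} {'; '.join(reasons)}")
```

Run against the constructed data it flags eight of the nine accounts and leaves only nobody alone; in practice you would feed it the real passwd and sudoers files from each host and the roster from HR, and extend parse_sudoers with group membership before trusting it on a network that grants sudo through %groups.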


Irvin Temp wrote:

I've been working as a security consultant for a financial company.

A system administrator handling several of the critical servers will be retiring. Before he leaves the company, the management wants me to interview him and "certify" that he did not leave any timebombs or malicious programs on the PCs. Since I have no experience in handling the pre-termination of a systems administrator, I would appreciate your insights and suggestions on how to go about this: questions that need to be asked, and steps to take to ensure that the systems are clean after his resignation.

Thanks and God bless!
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------