5

Possible Duplicate:
When a sysadmin leaves what extra precautions need to be taken?

We have some servers on two sites. We use Puppet to allow only SSH key (root denied) and authorize users to connect to each server by policy.

If someone leaves the company, I will just have to change something in Puppet to close the door. Send an email to the subcontractors and tell the news to avoid social engineering.

Have you got any other ideas?

Community
  • 1
hotips
  • 525
  • 6
  • 13
  • Also see the Question of the Week blog, regarding the duplicate: http://security.blogoverflow.com/2011/08/qotw-6-sysadmin-leaves/ – Iszi Apr 17 '12 at 17:40

1 Answers1

12

You should always:

  • Remove his/her SSH-Key
  • Change all passwords he knew
  • Lock all his/her accounts on all services
  • Give certain services extra attention, e.g. mail forwarding rules

Some other measures you should consider, depending on the circumstances, how much you trusted him or her and your resources:

  • Let another person with the same knowledge check if the leaving person installed any backdoors on workstations or servers.
  • Run routine scans for vulnerabilities you took as inexistent and which can be created on purpose in a short time, like SQL-Injection possibilities.
  • Check all workstations and servers he had access to physically for keyloggers and other malicious hardware.
  • Change the locks the person had keys to, you can't know if copies were made.

As a precaution it's good to synchronize HR with IT. Make sure that one person can de-activate all accounts at the moment the employee leaves his workstation to go meet with HR. At the very least change his passwords to stop him from accessing the network as he exits HR.

Community
  • 1
simt
  • 246
  • 2
  • 3
  • 6
    The only thing that I would add to the answer above is that even though the person being terminated may feel like they are getting the short end of the stick DON'T make their life harder by making them jump through hoops to get their vacation/sick pay, unemployment, letter of reccomendation, etc. You may also want to go over the fact that the legal fee's involved if any hacking occurs. I had a similar experience at my work and I pushed to make sure that the person leaving wasn't getting screwed with because I would be the one putting all of the pieces back together. Just be fair to everyone. – Brad Apr 17 '12 at 15:05
  • Insightful comment Brad. – Jim In Texas Apr 17 '12 at 15:32