52

The IT Manager may be leaving, and it's possible that the parting of ways may not be completely civil. I wouldn't really expect any malice but just in case, what do I check, change or lock down?

Examples:

  • Admin passwords
  • Wireless passwords
  • VPN access rules
  • Router / Firewall settings
Yaron
Marko Carter
  • See related [back doors from previous IT?](http://serverfault.com/questions/171893/how-do-you-search-for-back-doors-from-previous-it/171924#171924) – Zoredache Aug 25 '10 at 22:14

19 Answers

40

Obviously the physical security needs to be addressed, but after that...

Assuming you don't have a documented procedure for when employees leave (environment generic as you don't mention which platforms you run):

  1. Start with perimeter security. Change all passwords on any perimeter equipment like routers, firewalls, VPNs, etc... Then lock out any accounts the IT manager had, as well as review all of the remaining accounts for any that are no longer used, and any that don't belong (in case he added a secondary).
  2. Email - remove his account or at least disable logins to it depending on your company policy.
  3. Then go through your host security. All machines and directory services should have his account disabled and/or removed. (Removed is preferred, but you might need to audit them in case he has anything running that is valid under them first). Again, also review for any accounts that are no longer used, as well as any that don't belong. Disable/remove those as well. If you use ssh keys you should change them on admin/root accounts.
  4. Shared accounts, if you have any, should all have their passwords changed. You should also look at removing shared accounts or disabling interactive login on them as a general practice.
  5. Application accounts... don't forget to change passwords, or disable/remove accounts from all applications he had access to as well, starting with admin access accounts.
  6. Logging... make sure you have good logging in place for account usage and monitor it closely to look for any suspicious activity.
  7. Backups... make sure your backups are current, and secure (preferably offsite). Make sure you've done the same as above with your backup systems as far as accounts.
  8. Documents... try as much as you can to identify, request from him if possible, and copy somewhere secure, all of his documentation.
  9. If you have any services outsourced (email, spam filtering, hosting of any type, etc..), make sure to do all of the above that are appropriate with those services as well.

As you do all of this, document it, so that you have a procedure in place for future terminations.

Also, if you use any colocation services, make sure to have his name removed from the access list and ticket submission list. It'd be wise to do the same for any other vendors where he was the primary person handling, so that he can't cancel or mess with services you get from those vendors, and also so that vendors know who to contact for renewals, problems, etc... which can save you some headaches when something the IT manager didn't document happens.

I'm sure there's more I missed, but that's off the top of my head.

skraggy
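The account review in steps 1 and 3 above (the leaver's own logins, accounts nobody current owns, stale accounts, and the caveat that something may still be running under an account you are about to disable), as an added example that is not part of the thread. It is a generic Python pass over an inventory you would export from each system yourself; the systems, names, roster, group names, dates and the leaver "jdoe" are all constructed.

```python
"""Offboarding account review (added example; not code from the thread).

Input: a constructed inventory of accounts across several systems, the
services that run under them, and the roster of staff who remain.
Output: the action list an admin works through after a departure.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    system: str                     # where the account lives: "ad", "vpn", "firewall", ...
    name: str
    owner: str                      # staff member it is issued to; "" when nobody can account for it
    last_login: Optional[date]
    groups: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Service:
    host: str
    name: str
    run_as: str                     # "system:account" the service runs under


def review_accounts(accounts, services, leaver, roster, admin_roster,
                    privileged_groups, today, stale_days=90):
    """Build the offboarding action list.

    roster        - current staff with the leaver already removed
    admin_roster  - who is still allowed to sit in a privileged group
    stale_days    - assumed policy: no login for this long means "review it"
    """
    stale_before = today - timedelta(days=stale_days)
    plan: Dict[str, List[str]] = {"disable": [], "unknown_owner": [], "stale": [],
                                  "privileged_review": [], "blocked_by_service": []}
    to_disable: Set[str] = set()
    for a in accounts:
        key = f"{a.system}:{a.name}"
        if a.owner == leaver:                        # the leaver's own logins
            plan["disable"].append(key)
            to_disable.add(key)
        elif a.owner not in roster:                  # nobody current claims it (a secondary he added?)
            plan["unknown_owner"].append(key)
            to_disable.add(key)
        else:
            if a.last_login is None or a.last_login < stale_before:
                plan["stale"].append(key)
            if a.owner not in admin_roster and any(g in privileged_groups for g in a.groups):
                plan["privileged_review"].append(key)   # "Steve from Marketing is an admin?"
    # Step 3 caveat: anything still running under an account that is about
    # to go must be moved to a service account first, or it stops working.
    for s in services:
        if s.run_as in to_disable:
            plan["blocked_by_service"].append(f"{s.host}/{s.name} runs as {s.run_as}")
    return plan


# --- constructed sample inventory -------------------------------------------
LEAVER = "jdoe"
ROSTER = {"alice", "bob", "carol", "steve"}          # leaver already taken out
ADMIN_ROSTER = {"alice"}
PRIVILEGED_GROUPS = {"Domain Admins", "firewall-admins"}
TODAY = date(2009, 6, 22)
ACCOUNTS = [
    Account("ad", "jdoe", "jdoe", date(2009, 6, 19), ("Domain Admins",)),
    Account("vpn", "jdoe", "jdoe", date(2009, 6, 20)),
    Account("ad", "alice", "alice", date(2009, 6, 22), ("Domain Admins",)),
    Account("ad", "bob", "bob", date(2009, 6, 22)),
    Account("ad", "carol", "carol", date(2009, 1, 5)),                  # not seen since January
    Account("ad", "steve", "steve", date(2009, 6, 21), ("Domain Admins",)),
    Account("ad", "jbond", "", date(2009, 6, 20), ("Domain Admins",)),  # nobody owns this one
    Account("firewall", "admin2", "", None, ("firewall-admins",)),
    Account("ad", "svc_spamfilter", "bob", date(2009, 6, 22)),
]
SERVICES = [
    Service("fileserver", "nightly-backup", "ad:jdoe"),
    Service("mail", "spam-filter", "ad:svc_spamfilter"),
]


def run_review():
    return review_accounts(ACCOUNTS, SERVICES, LEAVER, ROSTER, ADMIN_ROSTER,
                           PRIVILEGED_GROUPS, TODAY)


if __name__ == "__main__":
    for action, items in run_review().items():
        print(f"{action}:")
        for item in items:
            print(f"  {item}")
```

The `blocked_by_service` list is the one to clear before touching anything in `disable`: re-point the backup job to a dedicated service account, then disable the leaver's logins. The `unknown_owner` entries go the same way as the leaver's accounts unless someone can claim them.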
20

Don't forget physical security - make sure he can't get into any building - it's great that you're all over the network kit but if he can get to the data centre it's pointless.

Chopper3
14

We suspected that a disgruntled employee who was still in their notice period may have installed some remote-access programs, so we limited his logon account to work hours only, so that he couldn't remote in after-hours when nobody was around to do things (during work hours we could see his screen clearly so if he got up to mischief we would have known).

Turned out to be valuable, he had installed LogMeIn and did in fact attempt after-hours access.

(this was a small company network, no ACLs or fancy firewalls)

Mark Henderson
  • Why would you keep a DISGRUNTLED employee on through their notice period. An employee who is not disgruntled, no problem, but a disgruntled employee? That's just asking for trouble. – Jason Tan Jun 22 '09 at 16:30
  • I have a hunch based on him saying it is a small company no ACLs or fancy firewalls, the company probably could not get rid of him. The IT guy had them by the short-hairs if you know what I mean. A bad spot to be in, but I could see it happening. – Matt Jun 22 '09 at 16:41
  • He was kept because the boss was a tight-wad. If you sack someone in Australia you either have to keep them on for 4 weeks at full pay, or pay them 4 weeks pay all at once and get rid of them. He didn't like the idea of paying someone for 4 weeks of pay and not getting anything returned from them. – Mark Henderson Jun 22 '09 at 21:15
  • I had not even considered this idea, that the employee may not be in the US. How self-centered my point of view can sometimes be. – Matt Jun 24 '09 at 17:35
11

Also be careful not to lock down too much. I remember a situation where someone left and a day later it became apparent that some business critical software was actually running under his personal user account.

Niels Basjes
  • Been there done that. If our sysadmin ever leaves we're going to be in real hot water cos a lot of services are set to run under his account. Bad practice, I know... – Mark Henderson Jun 22 '09 at 09:47
  • If you know that why don't you tell him/her to change these facts? – Martin M. Jun 22 '09 at 10:30
  • Use any breakage as a result of this as an opportunity to move all the services to dedicated service accounts. – tomfanning Jun 22 '09 at 11:46
6

Just to add - also make sure you've got auditing of failed and successful logins - bunch of failures for an account followed by success could equal hacking. You might also make everyone else change their passwords too if the IT Manager was involved in password settings. Don't forget database passwords too and you may want to scrub his/her email account for secure information. I'd also put access checks on any confidential information/databases, and disallow him/her to perform system/database backups.

Hope this helps.

Paul Randal
  • Yes but getting people to change their passwords would be an issue, although I guess you could set all the accounts to require change on next login and tell everyone that a server update is forcing it (no one likes being made to change passwords, especially end users). It's also a good time to perform an audit of all user accounts (both local machine and network) that exist within the business. – p858snake Jun 22 '09 at 12:40
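Paul Randal's "a bunch of failures for an account followed by a success" pattern, together with Mark Henderson's point earlier in the thread about after-hours access, as an added example that is not part of the thread. It is a small Python detector over OpenSSH-style auth log lines; the log lines are constructed, the year is assumed (syslog timestamps carry none), and the failure threshold, window and 08:00-18:00 weekday business hours are assumed policy values.

```python
"""Login-audit checks (added example; not code from the thread).

Two rules over sshd auth log lines: a success that follows a burst of
failures for the same account, and any success outside business hours.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_line(line, year=2009):
    """Return {ts, ok, user, ip} for an sshd auth line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_suspicious_logins(lines, fail_threshold=5, window=timedelta(minutes=10),
                             work_start=8, work_end=18):
    """Assumed policy: fail_threshold or more failures within `window` before a
    success looks like guessing; business hours are work_start..work_end on
    weekdays, so any other successful login is flagged for a look."""
    alerts = []
    recent_failures = {}                      # user -> timestamps of failed attempts
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue                          # session/pam lines etc. are ignored
        user, ts = ev["user"], ev["ts"]
        if not ev["ok"]:
            recent_failures.setdefault(user, []).append(ts)
            continue
        burst = [t for t in recent_failures.get(user, []) if ts - t <= window]
        if len(burst) >= fail_threshold:
            alerts.append({"rule": "failures-then-success", "user": user, "ip": ev["ip"],
                           "at": ts.isoformat(), "detail": len(burst)})
        recent_failures[user] = []            # a success closes the burst
        after_hours = ts.weekday() >= 5 or not (work_start <= ts.hour < work_end)
        if after_hours:
            alerts.append({"rule": "after-hours-login", "user": user, "ip": ev["ip"],
                           "at": ts.isoformat(), "detail": None})
    return alerts


# Constructed sample: Jun 22 2009 is a Monday. Hosts and addresses are from
# documentation ranges and do not refer to real systems.
SAMPLE_LOG = """\
Jun 22 09:14:02 gw sshd[1201]: Accepted password for alice from 192.0.2.10 port 50112 ssh2
Jun 22 10:02:30 gw sshd[1400]: Failed password for bob from 192.0.2.11 port 50200 ssh2
Jun 22 10:02:40 gw sshd[1401]: Accepted password for bob from 192.0.2.11 port 50201 ssh2
Jun 22 22:05:00 gw sshd[1500]: Accepted publickey for carol from 198.51.100.7 port 41000 ssh2
Jun 22 23:40:11 gw sshd[1300]: Failed password for admin from 203.0.113.5 port 40001 ssh2
Jun 22 23:40:13 gw sshd[1301]: Failed password for admin from 203.0.113.5 port 40002 ssh2
Jun 22 23:40:15 gw sshd[1302]: Failed password for admin from 203.0.113.5 port 40003 ssh2
Jun 22 23:40:17 gw sshd[1303]: Failed password for admin from 203.0.113.5 port 40004 ssh2
Jun 22 23:40:19 gw sshd[1304]: Failed password for admin from 203.0.113.5 port 40005 ssh2
Jun 22 23:40:21 gw sshd[1305]: Accepted password for admin from 203.0.113.5 port 40006 ssh2
Jun 22 23:41:00 gw sshd[1306]: pam_unix(sshd:session): session opened for user admin by (uid=0)
""".splitlines()


if __name__ == "__main__":
    for a in detect_suspicious_logins(SAMPLE_LOG):
        print(a)
```

Bob's single typo before a successful login stays quiet; the `admin` login at 23:40 trips both rules, and Carol's key-based login at 22:05 only the after-hours one. On a real box the same two rules apply to whatever the platform logs (Windows event IDs 4625/4624 carry the same failed/succeeded distinction), and the shared `admin` account is exactly the kind of login the answers above say to rename, disable or re-password.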
6

Make sure too, before you let this individual go, to understand that things can and will go down, or be problematic until you replace that individual. I would hope that you won't blame them for everything that goes down just because you assume/know it won't be a good parting of ways, or think they are hacking you somehow because the toilet overflowed.

Hopefully that scenario sounds preposterous to you. But it is a true story from my last job that now the owner is trying to sue me for sabotage (basically because I quit and they aren't willing to actually pay anyone the market rate to replace me) and cyber crimes such as hacking and internet racketeering.

Bottom line is, evaluate the "why" for the reason of their dismissal. If it is anything other than economical needs, I suggest you refine your hiring procedures so that you can hire a more professional individual who, by profession, needs to be reliable and trustworthy with business mission critical and usually confidential information and who can install proper security procedures that everyone must follow.

One way to know as you are interviewing is how well they are interviewing you and your business in return. Liability (As in what the company thinks the IT Manager can be held at fault for should something go wrong- usually would be in a contract) and overall network security is one of the 3 top things on any proper IT manager/CTO's mind when coming in to interview for a job.

Jason
5

Change all admin passwords (servers, routers, switches, remote access, firewalls). Remove all firewall rules for remote access for the IT manager. If you are using security tokens, disassociate the IT manager's token(s) from all access. Remove TACACS access (if you use this).

Make sure to do these changes with the IT manager in a conference room or otherwise under physical control, so s/he can't observe the process. While reading a password as it's being typed on a keyboard is non-trivial (not hard, just not trivial), if this needs to be repeated, there's a higher risk of the password being gleaned.

If possible, change locks. If keys can be replicated (and in short, they can), this will stop the IT manager from gaining physical access afterwards. Disable any passcard you cannot account for (not only card(s) you know have been issued to the IT manager).

If you have multiple incoming phone lines, check ALL of them, to make sure no unknown devices are attached to them.

Vatine
3

  • Check the firewall policies.
  • Change the admin password and check for accounts that are no longer in use.
  • Revoke his/her certificates.
  • Back up his/her workstation and format it.
  • Use checksum controls for the important files on your servers and put an IDS on a span port in your rack for a while.

Just my 2cts.

Maxwell
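The "checksum controls for the important files on your servers" from the answer above, as an added example that is not part of the thread: a minimal file-integrity baseline in Python. It hashes every regular file under a root with SHA-256, stores the result as JSON, and on a later run reports what was added, removed or modified. The mini filesystem in the demo is constructed in a temporary directory; the file names and contents are made up.

```python
"""File-integrity baseline (added example; not code from the thread or any
product it mentions). Take a baseline, keep it off the box, compare later.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root) -> dict:
    """Map each regular file (relative POSIX path) to its digest.
    Symlinks are skipped so a link pointing outside the tree is not followed."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(root).as_posix()] = sha256_file(p)
    return snap


def compare(old: dict, new: dict) -> dict:
    """Three lists an admin wants after a departure: new files, missing files,
    and files whose content changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def save_baseline(snap: dict, path) -> None:
    # Store this somewhere the server itself cannot write: a baseline kept next
    # to the files it describes can be edited along with them.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed tree, then the three kinds of change a later run should catch."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF\x02 constructed binary")
        save_baseline(baseline(root), Path(store) / "baseline.json")

        # Changes an admin would want to hear about:
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")     # config edited
        (root / "bin" / "ls").unlink()                                          # binary gone
        (root / "etc" / "rc.local").write_text("# unexpected startup script\n")  # new file

        return compare(load_baseline(Path(store) / "baseline.json"), baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Take the baseline while the system is still in a known state (ideally from install media or a freshly built host), keep the JSON off-host, and diff on a schedule; the `modified` entry under `etc/` and the vanished binary are the sort of thing the answer's "checksum controls" are meant to surface. This is what tools such as Tripwire or AIDE do with more care around permissions, ownership and a signed database.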
3

Check for extra accounts, too. He could easily add a new account once he knows he's leaving. Or even soon after he arrived.

pgs
  • I've seen that. We removed admin access to the servers at this guy's location only to find a user named JBond logged in at the console. Poor James's account had its admin access removed as well. – Mitch Jun 22 '09 at 12:39
3

It depends how paranoid you are. Some people go to the extent - if it's bad enough - of replacing all keys and locks. Another reason to be nice to sys admins ;)

All the aforementioned advice is good - another one is even possibly getting all users to change their passwords (and if Windows) enforce the complex password policy.

Also - if you've ever done remote support, or setup a remote office / client (ie. another site) - get them to change their passwords too.

3

Don't forget to blow out any extranet type accounts that he might have on behalf of your company. These are often overlooked and often the cause of much grief post-mortem.

Might (along the "I'm ultra-paranoid" track) want to also notify your sales reps for different vendors that you work with in case he tried to contact someone there.

squillman
2

If he had any control of your company web-hosting,

  • recheck all access paths through the web pages
  • get all code validated for possible back doors

Weaknesses in this area can impact based on the way your hosting is done,

  • Caged hosting with administrative control -- in the least, possibility of a defaced site
  • Local hosting from your premises -- access to internal network (unless you have a DMZ which is also locked-down)
nik
2

My company let a developer go not too long ago and it was a similar situation. He knew much of the system and it was of the utmost importance to ensure he was cut off the second he was informed of his dismissal. Aside from the advice given above I also used Spectre Pro to monitor all his work for the 2 weeks prior to his leaving: network activity (IO), chat windows, emails, screenshots every 2 minutes, etc. It was probably overkill and I never even looked at any of it because he left on good terms. It was good insurance though.

JohnyD
2

The two key things to manage immediately are:

  1. Physical access - if you have an electronic system, revoke his card. If your locks are all physical, either ensure that any keys issued to him are returned, or if you are really concerned about mischief, change the locks to critical areas.

  2. Remote access - ensure that the VPN/Citrix/other remote access accounts of this admin are disabled. Hopefully you are not allowing remote logins with shared accounts; if you are, change the passwords on all of them. Also be sure to disable his AD/NIS/LDAP account.

This just covers the obvious however; there is always the possibility for example that he has installed a couple of modems in the server rooms, with console cables into key network devices/servers. Once you have done the initial lock down, you probably want his replacement to do a full sweep of the infrastructure to A) make sure the documentation is up to date and B) highlight anything that looks odd.

Murali Suriar
2

At a previous job at a smaller company, the sysadmin being let go knew a lot of other employee's passwords. The morning he was let go, we set the "user must change password" property on anyone's Active Directory account that had remote access.

This may not be feasible everywhere, but may be prudent depending on the situation.

Charles
1

I would recommend following procedures:

  • disable all building security access cards
  • disable all known accounts (especially VPN and accounts that could be used from outside the company)
  • disable unknown accounts (!)
  • change all admin passwords
  • review firewall rules

This should cover most of the possible access options. Review all security relevant information in the following weeks, so that you can ensure no option was left "open".

Dieda
1

Make all staff aware that this employee is leaving so that they aren't as vulnerable to telephone social-hacking attempts.

He already knows how the system works and what's there. So he wouldn't need too much info in order to get back in if he desired.

If I left today under less-than-desirable circumstances I believe that I could call up staff, which I have to do from time to time anyway, and find out enough info to get back into the system.

Maybe I would give an existing domain user admin privileges (before leaving). I could phone up this user and have him/her reveal her password to me.

cop1152
  • Hence the reason when auditing your network post-termination, you check the Domain Admins group and make sure there aren't any people that shouldn't be in there. "Steve from Marketing is an admin, wtf?" – phuzion Jun 23 '09 at 12:45
1
  • Disable their user account in Active Directory. Check for any other accounts that the IT manager might know the password of and change or disable them.
  • Disable any other accounts not part of Active Directory either because they're on a different machine or because they were written in-house. Get legitimate users to change their password. (I can still log in as admin to another employee's account to this day.)
  • If your company web site is hosted outside the building, change the passwords for that too.
  • It may also be fairly trivial for a disgruntled employee to get your Internet and/or telephone service cancelled. Not sure how to defend against that though.
  • Change the locks AND the alarm code. A break-in could go unnoticed long enough that they steal all your stuff.
Scott
-1

The only way to be totally safe in the case of servers, is the same way you ensure that a hacked box is clean: reinstall. Thanks to puppet (or some other configuration management system) reinstalling servers and getting them to a specific state can be quite quick and automated.

ptman