Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Handling Sysads resignation/termination
From: intel96 <intel96 () bellsouth net>
Date: Wed, 03 Aug 2005 17:43:58 -0400

Irvin,

Trying to determine if the sysadmin has installed anything in the network (information systems) is going to difficult especially if the network is VERY large. You best bet is to identify all the user accounts that the sysadmin had access to use and change the passwords. Without knowing your network it is hard to pinpoint all these accounts, but here is a rough list.

1.  All administrator accounts (local and global) - or root-level accounts
2. All accounts with administrator-level access (e.g. used for backup process, antivirus, etc.)
3.  All application-level accounts that  (e.g. MS SQL, etc.)
4. Others accounts (routers, switches, etc.) if he/she had access to these devices.

Also do not forget to change any test accounts used that the sysadmin may know. This holds true for VPN and dial-in test accounts. I would also audit all accounts that are not assigned to a real person (that you cannot ID) or maintenance accounts for vendors. I remember a case where a sysadmin was terminated and create administrator-level accounts everywhere within the network and even installed Trojans that give him/her admin-level access each time the system was reboot or based on the time of day.. This was a MAJOR headache to fix, because of all the Trojans and hidden accounts. Also if you provide wireless services, which does not require authentication to the network, you should consider changing shared WEP keys.

You could also run a security scanner to determine if any Trojans are installed within the network or big security holes are present that this sysadmin could use to gain access. Lets not forget about physical access to the building. I have seen admins gain access to the buildings after they were terminated to inflect damage by stealing customer files and other data.

Well that is enough to worry you for now. Remember to sleep well tonight and not dream of about sysadmin gone bad (wait is that a video game...HA HA).

Intel96


Irvin Temp wrote:

I've been working as a security consultant for a financial company.

a system administrator handling the several of the critical servers will be retiring. before he leave the

company the management wants me to interview him and
in "certify" that he did not leave any timebombs, malicious programs on the pcs.
Since i have no experience in handling pre-termination
of
a systems administrator, i would appreciate you
insights and suggestions on how to go about this. Questions that needs to be asked. Steps to take to ensure that the systems are clean after his resignation.

Thanks and God bless!
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------





------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault