Penetration Testing mailing list archives
Re: Handling Sysads resignation/termination
From: intel96 <intel96 () bellsouth net>
Date: Wed, 03 Aug 2005 17:43:58 -0400
Irvin,

Trying to determine if the sysadmin has installed anything in the network (information systems) is going to be difficult, especially if the network is VERY large. Your best bet is to identify all the user accounts that the sysadmin had access to use and change the passwords. Without knowing your network it is hard to pinpoint all these accounts, but here is a rough list.
1. All administrator accounts (local and global) - or root-level accounts
2. All accounts with administrator-level access (e.g. used for backup process, antivirus, etc.)
3. All application-level accounts that (e.g. MS SQL, etc.)
4. Other accounts (routers, switches, etc.) if he/she had access to these devices.
Also do not forget to change any test accounts used that the sysadmin may know. This holds true for VPN and dial-in test accounts. I would also audit all accounts that are not assigned to a real person (that you cannot ID) or maintenance accounts for vendors. I remember a case where a sysadmin was terminated and created administrator-level accounts everywhere within the network and even installed Trojans that gave him/her admin-level access each time the system was rebooted or based on the time of day. This was a MAJOR headache to fix, because of all the Trojans and hidden accounts. Also, if you provide wireless services which do not require authentication to the network, you should consider changing shared WEP keys.
You could also run a security scanner to determine if any Trojans are installed within the network or big security holes are present that this sysadmin could use to gain access. Let's not forget about physical access to the building. I have seen admins gain access to the buildings after they were terminated to inflict damage by stealing customer files and other data.
Well, that is enough to worry you for now. Remember to sleep well tonight and not dream about sysadmins gone bad (wait, is that a video game... HA HA).
Intel96

Irvin Temp wrote:
I've been working as a security consultant for a financial company. A system administrator handling several of the critical servers will be retiring. Before he leaves the company, the management wants me to interview him and "certify" that he did not leave any timebombs or malicious programs on the PCs.

Since I have no experience in handling pre-termination of a systems administrator, I would appreciate your insights and suggestions on how to go about this. Questions that need to be asked. Steps to take to ensure that the systems are clean after his resignation.

Thanks and God bless!
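One way to start the account review described in the reply above on a Unix host, as an added example that is not part of the original posts: it reads `/etc/passwd` and `/etc/shadow` formatted text and flags extra UID 0 accounts, login-capable accounts whose password was last changed before the departure date, and accounts with no owner recorded. The sample files, the departure date, and the rule that an empty GECOS field means "not assigned to a real person" are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample files in /etc/passwd and /etc/shadow format (not from the post).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0::/root:/bin/bash
vpntest:x:1050:1050::/home/vpntest:/bin/sh
"""
SHADOW = """\
root:$1$constructed:13001:0:99999:7:::
daemon:*:12800:0:99999:7:::
jsmith:$1$constructed:13002:0:99999:7:::
backup:$1$constructed:12700:0:99999:7:::
toor:$1$constructed:12985:0:99999:7:::
vpntest:$1$constructed:12650:0:99999:7:::
"""
DEPARTURE = date(2005, 8, 5)  # constructed departure date (day 13000 since epoch)
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def audit(passwd_text, shadow_text, departure):
    """Return {account: [reasons]} for accounts to review after a departure."""
    changed, locked = {}, set()
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 3:
            continue
        if f[1].startswith(("!", "*")):  # password login disabled
            locked.add(f[0])
        if f[2].isdigit():  # field 3: last change, in days since 1970-01-01
            changed[f[0]] = date(1970, 1, 1) + timedelta(days=int(f[2]))
    findings = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        name, uid, gecos, shell = f[0], f[2], f[4], f[6]
        reasons = []
        if uid == "0" and name != "root":  # hidden root-level account
            reasons.append("extra-uid0")
        can_login = shell not in NOLOGIN and name not in locked
        if can_login and changed.get(name, date.min) < departure:
            reasons.append("password-not-rotated")
        if can_login and not gecos.strip():  # assumption: empty GECOS = no owner
            reasons.append("no-owner")
        if reasons:
            findings[name] = reasons
    return findings
```

This covers local Unix accounts only; domain, database, VPN and network-device accounts from the list above need their own inventories.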