Wednesday, January 25, 2012

Firing a SysAdmin

Recently I had to replace an IT guy who'd gone off the rails. Something about this profession seems to cause an unusually high number of its members (compared to other engineers, say) to drop off the radar and partially or completely disappear. It usually happens in one of two ways: they start with sporadic attendance and rarely answer phone calls or e-mail, then disappear completely; or they skip straight to the end, stop all communication and possibly even leave the area. Hard to say whether it's something psychologically different about SysAdmins (we can be quite an odd bunch) or whether it's the pressure and the culture that spawns the flight response...

I've tried endless searches on "firing a sysadmin", "locking out an IT guy", etc., but found nothing useful. So I've compiled a list of things to examine when an IT guy goes AWOL and you need to lock them out, reclaim logins and check for holes.

  • Firewall passwords & rules

  • Router logins

  • Switch logins

  • VPN server login & configuration (revoke any VPN certificate or pre-shared key issued to the person)

  • Domain Admin/root password

  • Group Membership (Domain Admins, Schema Admins, Enterprise Admins, Built-in administrators, Exchange admins, root, wheel, etc.)

  • Other domain admin accounts

  • Service accounts (check the "Log On As" column in the Services console on every server; each one is a password the admin set and may still know)

  • User accounts (every employee should change their password; a domain admin can reset or capture any of them)

  • Local admin accounts on client systems

  • Hosting/DNS/Domain Name Services passwords

    • Web hosting logins

    • Registrar logins and contacts

    • Managed DNS

  • Exchange/mail servers

    • Mailbox forwarding (including inbox rules that forward or redirect mail outside the company)

    • Routing groups

    • Hosted spam filtering

  • MS SQL/database accounts

  • Auto-logins, e.g. kiosk systems

  • Examine startup scripts and group policy

  • Examine scheduled tasks, at jobs and cron jobs (what they run and which account they run as)

  • Change the wireless security key (WPA pre-shared key) on every SSID

  • Change remote access accounts, e.g. GoToMeeting, TeamViewer, etc.

  • Update 3rd party software passwords, e.g. anti-virus, backup, etc.

  • Update 3rd party hosted software, e.g. Amazon S3, Salesforce, etc.

  • Change vendor logins, e.g. CDW, Dell, Microsoft, Tigerdirect, etc.

  • Remote system logins (RDP, SSH) and wireless keys at remote sites

  • Check systems in the field for items above

  • Check for keyloggers on all systems (software and hardware, e.g. inline USB or PS/2 devices)

  • Phone system accounts and logins

    • Change all voice mail PINs

  • Update building alarm security codes

    • Contact the alarm company if the person is on the call list or access list

  • Update access information/logins at colocation facilities
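Most of the Windows items above (privileged group membership, stale passwords, service accounts, scheduled tasks, mail forwarding, and the lockout itself) can be checked from one script. The following PowerShell is an added example of mine, not part of the original post: it assumes the ActiveDirectory module from RSAT, that the mail section is run from an Exchange 2010 or later management shell, and that `$DepartedUser` and `$Servers` are placeholders you fill in. Run it from an admin account whose password you have already rotated, not from the departed admin's.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module;
# the mail functions need the Exchange 2010+ management shell.
# $DepartedUser and $Servers are placeholders.
Import-Module ActiveDirectory

$DepartedUser = 'jdoe'                          # placeholder: the admin being removed
$Servers      = @('DC01', 'FILE01', 'EXCH01')   # placeholder: hosts to inspect
$Cutoff       = (Get-Date).AddDays(-1)          # passwords not reset since this date are stale

# 1. Members of the privileged groups. -Recursive resolves nesting, so an
#    account tucked two groups deep still shows up.
function Get-PrivilegedMembers {
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object @{n='Group';e={$g}}, SamAccountName, objectClass
    }
}

# 2. Enabled users whose password has not been changed since the lockout began.
function Get-UnrotatedUsers {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff } |
        Select-Object SamAccountName, PasswordLastSet
}

# 3. Services that run as something other than the built-in accounts. Each one
#    is a credential the departed admin set and may still know.
function Get-CustomServiceAccounts {
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    foreach ($s in $Servers) {
        Get-WmiObject -Class Win32_Service -ComputerName $s |
            Where-Object { $_.StartName -and $builtin -notcontains $_.StartName -and
                           $_.StartName -notlike 'NT SERVICE\*' } |
            Select-Object @{n='Computer';e={$s}}, Name, StartName, PathName
    }
}

# 4. Scheduled tasks with the account they run as and the command they launch.
#    schtasks.exe is used because Get-ScheduledTask only exists on 2012/Win8+.
#    The verbose CSV output repeats its header line, so those rows are dropped.
function Get-TaskRunAs {
    foreach ($s in $Servers) {
        schtasks.exe /Query /S $s /FO CSV /V | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -notlike '\Microsoft\*' } |
            Select-Object @{n='Computer';e={$s}}, TaskName, 'Run As User', 'Task To Run'
    }
}

# 5. Mail leaving the building without the owner noticing: mailbox-level
#    forwarding plus inbox rules that forward or redirect.
function Get-MailForwarding {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        Select-Object Alias, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        Get-InboxRule -Mailbox $_.Alias |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo
    }
}

# 6. The lockout itself: disable first (so a live session cannot race the reset),
#    set a random password nobody knows, then strip every group membership.
function Disable-DepartedAdmin {
    param([string]$Sam)
    $user = Get-ADUser -Identity $Sam -Properties MemberOf
    Disable-ADAccount -Identity $user
    $bytes = New-Object byte[] 24
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw
    foreach ($dn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format s) - offboarding"
}

Get-PrivilegedMembers     | Format-Table -AutoSize
Get-UnrotatedUsers        | Format-Table -AutoSize
Get-CustomServiceAccounts | Format-Table -AutoSize
Get-TaskRunAs             | Format-Table -AutoSize
# Get-MailForwarding      | Format-Table -AutoSize   # run from the Exchange Management Shell
# Disable-DepartedAdmin -Sam $DepartedUser           # uncomment once the report has been reviewed
```

The report sections are deliberately separate from the lockout: read the service and scheduled-task output before disabling anything, because a service or task running as the departed admin's account will stop working the moment the account is disabled, and you want to re-point it to a new service account first rather than find out from an outage. Anything the script cannot reach (firewalls, switches, registrars, alarm panels, colo badges) still has to be done by hand from the list above.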


That's what I came up with so far for a Windows-centric network. Anything you can add?
