I've tried endless searches on "firing a sysadmin", "locking out an IT guy", etc., but found nothing useful. So, I've compiled a list of things to examine when an IT guy goes AWOL and you need to lock them out, reclaim logins and check for holes.
- Firewall passwords & rules
- Router logins
- Switch logins
- VPN server login & configuration
- Domain Admin/root password
- Group membership (Domain Admins, Schema Admins, Enterprise Admins, built-in Administrators, Exchange admins, root, wheel, etc.)
- Other domain admin accounts
- Service accounts (check Services logon list)
- User accounts (every employee should change their password)
- Local admin accounts on client systems
- Hosting/DNS/Domain Name Services passwords
- Web hosting logins
- Registrar logins and contacts
- Managed DNS
- Exchange/mail servers
- Mailbox forwarding
- Routing groups
- Hosted spam filtering
- MS SQL/database accounts
- Auto-logins, e.g. kiosk systems
- Examine startup scripts and group policy
- Examine scheduled tasks (Task Scheduler, at, cron jobs)
- Change wireless security key
- Change remote access accounts, e.g. GoToMeeting, TeamViewer, etc.
- Update 3rd party software passwords, e.g. anti-virus, backup, etc.
- Update 3rd party hosted software, e.g. Amazon S3, Salesforce, etc.
- Change vendor logins, e.g. CDW, Dell, Microsoft, Tigerdirect, etc.
- Remote system logins/wireless
- Check systems in the field for items above
- Check for keyloggers on all systems
- Phone system accounts and logins
- Change all voice mail pins
- Update building alarm security codes
- Contact the alarm company if the person is on its access/call list
- Update access information/logins at colocation facilities
That's what I came up with so far for a Windows-centric network. Anything you can add?
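As an added example (not part of the original post), here is a PowerShell pass over several of the Windows items above: privileged group membership, service logon accounts, scheduled task principals, and finally disabling the departed account. It assumes a domain-joined host with the ActiveDirectory RSAT module, and `departed.admin` is a placeholder sAMAccountName.

```powershell
# Added offboarding audit script (not from the original post).
# Assumes: domain-joined host, ActiveDirectory RSAT module, run elevated.
param([string]$Departed = 'departed.admin')   # placeholder, replace with the real account
Import-Module ActiveDirectory

# 1. Privileged group membership: expand nested groups so an account tucked
#    into a sub-group still shows up in the review.
$privGroups = 'Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Administrators'
$members = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass
}
$members | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Services on this host that log on as a named user rather than a built-in
#    identity. These break when that user's password changes, and they are
#    also where a departed admin's credentials tend to be baked in.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    Select-Object Name, StartName, State | Format-Table -AutoSize

# 3. Scheduled tasks that run under a specific user account (review for
#    leftover jobs and for anything that references the departed account).
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and
                   $_.Principal.UserId -notmatch '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$' } |
    Select-Object TaskName, TaskPath, @{n = 'RunAs'; e = { $_.Principal.UserId }} |
    Format-Table -AutoSize

# 4. Accounts that would escape a forced password change because their
#    password never expires; review each one by hand.
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } |
    Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 5. Lock the departed account and leave a timestamped note for the audit trail.
Disable-ADAccount -Identity $Departed
Set-ADUser -Identity $Departed -Description "Disabled $(Get-Date -Format s): offboarding"
Get-ADUser -Identity $Departed -Properties Description | Select-Object SamAccountName, Enabled, Description
```

Mailbox forwarding (another item on the list) is checked from the Exchange Management Shell with `Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress }`, which this script leaves out because it requires the Exchange cmdlets.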