From: intel96 (intel96@bellsouth.net)
Date: Wed Aug 03 2005 - 17:43:58 EDT
Irvin,
Trying to determine if the sysadmin has installed anything in the
network (information systems) is going to difficult especially if the
network is VERY large. You best bet is to identify all the user
accounts that the sysadmin had access to use and change the passwords.
Without knowing your network it is hard to pinpoint all these accounts,
but here is a rough list.
1. All administrator accounts (local and global) - or root-level accounts
2. All accounts with administrator-level access (e.g. used for backup
process, antivirus, etc.)
3. All application-level accounts that (e.g. MS SQL, etc.)
4. Others accounts (routers, switches, etc.) if he/she had access to
these devices.
Also do not forget to change any test accounts used that the sysadmin
may know. This holds true for VPN and dial-in test accounts. I would
also audit all accounts that are not assigned to a real person (that you
cannot ID) or maintenance accounts for vendors. I remember a case
where a sysadmin was terminated and create administrator-level accounts
everywhere within the network and even installed Trojans that give
him/her admin-level access each time the system was reboot or based on
the time of day.. This was a MAJOR headache to fix, because of all the
Trojans and hidden accounts.
Also if you provide wireless services, which does not require
authentication to the network, you should consider changing shared WEP keys.
You could also run a security scanner to determine if any Trojans are
installed within the network or big security holes are present that this
sysadmin could use to gain access. Lets not forget about physical
access to the building. I have seen admins gain access to the buildings
after they were terminated to inflect damage by stealing customer files
and other data.
Well that is enough to worry you for now. Remember to sleep well
tonight and not dream of about sysadmin gone bad (wait is that a video
game...HA HA).
Intel96
Irvin Temp wrote:
>I've been working as a security consultant for a
>financial company.
>
>a system administrator handling the several of the
>critical servers will be retiring. before he leave the
>
>company the management wants me to interview him and
>in
>"certify" that he did not leave any timebombs,
>malicious
>programs on the pcs.
>
>Since i have no experience in handling pre-termination
>of
>a systems administrator, i would appreciate you
>insights
>and suggestions on how to go about this.
>
>Questions that needs to be asked. Steps to take to
>ensure that the systems are clean after his
>resignation.
>
>
>Thanks and God bless!
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam? Yahoo! Mail has the best spam protection around
>http://mail.yahoo.com
>
>------------------------------------------------------------------------------
>FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
>
>Learn the hacker's secrets that compromise wireless LANs. Secure your
>WLAN by understanding these threats, available hacking tools and proven
>countermeasures. Defend your WLAN against man-in-the-Middle attacks and
>session hijacking, denial-of-service, rogue access points, identity
>thefts and MAC spoofing. Request your complimentary white paper at:
>
>http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
>-------------------------------------------------------------------------------
>
>
>
>
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:41 EDT