Ask the Expert

Lockout previous network admin after layoff

Can you tell me what exactly can be done to lockout a previous Network Admin to ensure when we lay him off he will not be allowed a connection. Or what do you suggest to make sure he does not have access to our network?

    Requires Free Membership to View

"Until all is secure" is the part of your question that raises my security hackles. If you do not have any controls and procedures in place to control Network Admin accounts, and check for new accounts, you may have a difficult time in securing the network/systems. This needs to be dealt with before a layoff. Disabling accounts used by this admin could bring processes to a halt if they are under the authority of those accounts. Even if you can disable known accounts for this admin, there may be other accounts you are unaware of.

Some of the steps to consider will sound familiar, but many probably fail to use them for "simplicity" sake. Make sure Administrators are using separate admin accounts and not just adding admin to their regular user account. This requires an additional step when performing those admin type functions, but segregates the roles (we are dual personality all being admins and at the same time, some other lower sort of user). Make sure each network admin has their own dedicated accounts, so there are not shared admin accounts (beat all who share this account informally). On a regular basis check systems for new accounts that are admin equivalent and determine their legitimacy. The new admin account may indicate a backdoor account put there by the disgruntled or fearful employee. While centralization of administration is a good concept, remember that there must be more than one person involved in the process. The all knowing, all powerful single admin becomes a nightmare at time of separation, whether voluntary or involuntary.

Another method used is the idea of a superuser, or admin account being used only to set up the machine, and establish secondary admin roles with only the privileges needed for the functions. You could take that superuser account and require a multi part password, then requiring more than person to access, thereby needing some collusion if unauthorized actions are to be taken. The issue becomes one of practicality. You can tighten these controls to the point that it adds excessive overhead to normal operations.

This was first published in July 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: