Problem solve Get help with specific problems with your technologies, process and projects.

Lockout previous network admin after layoff

Can you tell me what exactly can be done to lockout a previous Network Admin to ensure when we lay him off he will not be allowed a connection. Or what do you suggest to make sure he does not have access to our network?
"Until all is secure" is the part of your question that raises my security hackles. If you do not have any controls and procedures in place to control Network Admin accounts, and check for new accounts, you may have a difficult time in securing the network/systems. This needs to be dealt with before a layoff. Disabling accounts used by this admin could bring processes to a halt if they are under the authority of those accounts. Even if you can disable known accounts for this admin, there may be other accounts you are unaware of.

Some of the steps to consider will sound familiar, but many probably fail to use them for "simplicity" sake. Make sure Administrators are using separate admin accounts and not just adding admin to their regular user account. This requires an additional step when performing those admin type functions, but segregates the roles (we are dual personality all being admins and at the same time, some other lower sort of user). Make sure each network admin has their own dedicated accounts, so there are not shared admin accounts (beat all who share this account informally). On a regular basis check systems for new accounts that are admin equivalent and determine their legitimacy. The new admin account may indicate a backdoor account put there by the disgruntled or fearful employee. While centralization of administration is a good concept, remember that there must be more than one person involved in the process. The all knowing, all powerful single admin becomes a nightmare at time of separation, whether voluntary or involuntary.

Another method used is the idea of a superuser, or admin account being used only to set up the machine, and establish secondary admin roles with only the privileges needed for the functions. You could take that superuser account and require a multi part password, then requiring more than person to access, thereby needing some collusion if unauthorized actions are to be taken. The issue becomes one of practicality. You can tighten these controls to the point that it adds excessive overhead to normal operations.

This was last published in July 2003

Dig Deeper on Network Administration

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.