When a systems administrator leaves a company's employ (voluntarily or not), the company has quite a number of concerns: things to check up on and changes to make.
 

Corporate concerns at such a point have to deal with a variety of issues, such as:

  • Admin access to systems
  • Destruction of data
  • Publicized confidential data
  • Web defacement
  • Email disruption
  • Physical access by terminated employee
  • Emailing malicious content to susceptible users
     

Below is a remediation checklist that may not be nearly exhaustive, but it's a start!

  1. DO NOT GIVE THE ADMIN ACCESS TO ANY SYSTEMS after they have been notified about termination of employment.
  2. Ask your ISP to queue inbound mail if possible.
  3. Inform all employees of this termination and require new passwords beginning immediately.
  4. Pull the Internet connection on the outside interface of the router.
  5. Turn off and document any modem connections.
  6. Turn off and document any wireless access points.
  7. Change the company domain account password with Network Solutions.
    Change admin contact information if necessary.

    At this point you have physically isolated the corporate systems from the individual.
    Now the hard work starts.

  8. Make a forensic backup of the admin's personal PC (Ghost, dd) and seal it.
    Even if you don't think you need it, you may find out otherwise later, when it is too late.
  9. Change web site access password.
  10. Rename Domain Admin account and change the password.
  11. Rename Schema Admin account of Active Directory and change the password.
  12. Change the AD Restore password if applicable.
  13. Rename remote domain admin accounts and change their passwords.
  14. Change firewall passwords.
  15. Review all firewall configuration attributes and filters against business requirements and clean up as necessary.
  16. Upgrade the firewall to current firmware level.
  17. Change passwords on all routers.
  18. Check for services or applications using the previous admin's personal account.
  19. Disable the previous admin's personal account in the domain.
  20. Disable previous admin's personal remote access accounts on firewall or other VPN, RAS server, etc.
  21. Change phone system, voicemail admin account passwords.
  22. Change Unix server root password if applicable.
  23. Change all server program access passwords.
  24. Change all service account passwords and verify that the dependent services are functioning again.
  25. Validate all domain accounts (look for hidden backdoor accounts).
  26. Validate all local accounts on remote access devices.
  27. Change member server and NT/2000 client machine admin passwords on all systems.
  28. Change remote field office machines' admin passwords.
  29. Check scheduled tasks on all servers and the admin workstation for "timebomb" sabotage.
  30. Scan servers with a Trojan detector.
  31. Implement current antivirus software with current definitions and scan all systems.
  32. Isolate systems where Trojans or viruses are found. Remove the Trojans with antivirus software.
    Check source folder of quarantined file for other related files.
    Preserve directory with WinZip for future forensics before deleting it.
    Trojaned systems should be formatted and rebuilt.
    A compromise solution is to install ZoneAlarm on the infected/cleaned system and run it for 24 hours, watching for programs "phoning home". If the system is found to be clear, ZoneAlarm can be disabled or tuned to allow normal access and left in place.
  33. Assign all users a new password. Plan and implement distribution strategy for new passwords.
  34. Change network device passwords (wireless, print servers, switches).
  35. Patch exposed servers for known exploits (if not already done!).
  36. Reconnect Internet, remote access systems, and "secured" wireless access points.
  37. Ask the ISP to release the queued email (or issue an ETRN).
  38. Change antivirus admin account/password.
  39. Collect and catalog backup media.
  40. Search for any equipment not reported/accounted for.
  41. Cancel corporate credit/phone cards known to the terminated employee.
  42. Change volume licensing account passwords.
  43. Contact all vendors and inform of employee's termination.
    Ask for new account name and password where applicable.
  44. Analyze admin's hardware and servers for anomalies. Ghost image?
  45. Analyze switches for monitoring ports.
  46. Analyze backup records for evidence of data theft.
  47. Scan network for promiscuous cards.
  48. Patch internal servers for known exploits.
  49. Patch client machines for known exploits.
  50. Monitor and support user password problems on return to business.
  51. ...
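The following PowerShell script is an added example and is not part of the original checklist. It is a read-only audit that supports items 18, 19, 25 and 29 above: services still logging on as the former admin's personal account, that account's own status, domain accounts that look like backdoors, and scheduled tasks tied to the former admin or pointing outside the usual system paths. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to the listed servers, and Windows 8 / Server 2012 or later on the targets for Get-ScheduledTask; the account name, server list, date window and report path are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Offboarding audit (added example, not from the original checklist).
# Read-only: it reports findings, it changes nothing.
# Placeholders to replace before use: $FormerAdmin, $Servers, $Since, $Report.
param(
    [string]$FormerAdmin = 'jdoe',                         # departed admin's sAMAccountName (placeholder)
    [string[]]$Servers   = @('localhost'),                 # hosts to inspect (placeholder)
    [datetime]$Since     = (Get-Date).AddDays(-90),        # window for "recently created" accounts (placeholder)
    [string]$Report      = ".\offboarding-audit-$(Get-Date -Format yyyyMMdd).csv"
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Where, [string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Where = $Where; Category = $Category; Detail = $Detail })
}

# Matches DOMAIN\jdoe, jdoe@domain, .\jdoe and bare jdoe (PowerShell -match is case-insensitive).
$adminPattern = "(^|\\)$([regex]::Escape($FormerAdmin))(@|$)"

foreach ($srv in $Servers) {
    # Item 18: services or applications still logging on as the former admin.
    Get-CimInstance -ClassName Win32_Service -ComputerName $srv |
        Where-Object { $_.StartName -match $adminPattern } |
        ForEach-Object { Add-Finding $srv 'Service runs as former admin' "$($_.Name): $($_.PathName)" }

    # Item 29: scheduled tasks authored by or running as the former admin, and any
    # task whose executable sits outside the usual system paths ("timebomb" candidates).
    foreach ($t in Get-ScheduledTask -CimSession $srv) {
        $who = "$($t.Author) / $($t.Principal.UserId)"
        if ($who -match $adminPattern) {
            Add-Finding $srv 'Task tied to former admin' "$($t.TaskPath)$($t.TaskName) ($who)"
        }
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }                # non-exec actions (COM handler, e-mail) have no Execute
            $exe = $a.Execute.Trim('"')
            if ($exe -notmatch '^(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)') {
                Add-Finding $srv 'Task action outside system paths' "$($t.TaskPath)$($t.TaskName): $exe $($a.Arguments)"
            }
        }
    }
}

# Item 19: confirm the former admin's own domain account is disabled.
$me = Get-ADUser -Identity $FormerAdmin -Properties LastLogonDate -ErrorAction SilentlyContinue
if ($null -eq $me)       { Add-Finding 'AD' 'Former admin account not found' $FormerAdmin }
elseif ($me.Enabled)     { Add-Finding 'AD' 'Former admin account STILL ENABLED' "$FormerAdmin (last logon $($me.LastLogonDate))" }

# Item 25a: accounts created inside the window; reconcile each against HR/ticket records.
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, Description |
    ForEach-Object { Add-Finding 'AD' 'Recently created account' "$($_.SamAccountName) created $($_.whenCreated) '$($_.Description)'" }

# Item 25b: transitive membership of privileged groups; every name needs a known owner.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators', 'Backup Operators') {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { Add-Finding 'AD' "Member of $g" $_.SamAccountName }
    } catch { Add-Finding 'AD' 'Group not found' $g }
}

# Item 25c: attributes that hide or harden a backdoor account. Filter * walks the
# whole domain, which is acceptable for a small shop; scope by OU on a large one.
Get-ADUser -Filter * -Properties adminCount, PasswordNeverExpires, SIDHistory, ServicePrincipalName |
    ForEach-Object {
        if ($_.adminCount -eq 1)      { Add-Finding 'AD' 'adminCount=1 (is or was privileged)' $_.SamAccountName }
        if ($_.PasswordNeverExpires)  { Add-Finding 'AD' 'Password never expires' $_.SamAccountName }
        if ($_.SIDHistory)            { Add-Finding 'AD' 'Has SIDHistory' $_.SamAccountName }
        if ($_.ServicePrincipalName)  { Add-Finding 'AD' 'User account with SPN' $_.SamAccountName }
    }

$findings | Sort-Object Where, Category, Detail | Format-Table -AutoSize
$findings | Export-Csv -Path $Report -NoTypeInformation    # keep the CSV with the sealed forensic copy (item 8)
"$($findings.Count) findings written to $Report"
```

Run it from a workstation with the RSAT tools against each server in turn; nothing it reports is a verdict on its own. The privileged-group and recently-created lists are meant to be reconciled line by line against what the business knows it authorized, and the task and service findings are the starting point for item 29's manual review, not a replacement for it.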