UnderGround Forums
 

ITGround >> Preparing IT Infrastructure for FTE termination?


7/15/10 6:12 PM
Q_Nine
I've got an opportunity to do a little consulting work to identify and possibly clean up any potential back-doors left by their current IT Director.

They want to look at letting him go, but with such authority throughout the environment, they don't want to give him a chance to cause any damage once he's left.

I'm going over a few areas I'd need to concentrate on in my head and I'm wondering if I'm missing anything obvious?

- Produce lists for review of active user/service accounts within domain.
- Obtain root access and validate accounts on all network/VoIP/MDS switches and firewall/VPN hosts throughout the environment.
- Produce lists of local Administrative accounts on both workstation and servers.
- Review enterprise firewall for any host or ports allowances that might not fit clients need or look suspicious.

They aren't doing anything outrageous here, so it should be pretty straightforward. Since they are using LDAP for most everything besides ESX and their infrastructure hardware, I should catch most everything by just pulling data out of AD.

With that said, what am I missing here? Anything come to mind?

Also, I've got a few choices here with an hourly rate or a flat fee. I'm not really sure what's fair to them or me. As long as I get a little cooperation I can't imagine it taking me too long. Perhaps a bit longer if I have to do it under this guy's nose. Ideas?

Let me know what you guys think.
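The first item on the checklist above (produce account lists for review) is usually where the findings are. As an added example that is not part of the original post, here is a review script over an AD user export: it flags members of privileged groups, accounts with an SPN (service accounts), passwords set to never expire, stale accounts, and accounts created recently. The CSV is constructed sample data, the column names assume an export along the lines of `Get-ADUser -Filter * -Properties ... | Export-Csv`, and the privileged-group list and thresholds are assumptions to adjust for the client.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data). Column names assume an
# export from e.g. Get-ADUser -Properties ... | Export-Csv; adapt as needed.
SAMPLE_EXPORT = """\
samAccountName,enabled,memberOf,passwordNeverExpires,lastLogon,whenCreated,servicePrincipalName,description
jdoe,TRUE,Domain Users,FALSE,2010-07-14,2005-03-01,,Finance
itdirector,TRUE,Domain Admins;Enterprise Admins,FALSE,2010-07-15,2003-09-10,,IT Director
svc_backup,TRUE,Domain Admins,TRUE,2010-07-15,2009-01-20,backup/srv01.corp.example,Backup service
helpdesk2,TRUE,Account Operators,FALSE,2010-07-02,2010-07-01,,
oldtemp,TRUE,Domain Users,TRUE,2009-11-03,2008-06-12,,Temp
sqlsvc,TRUE,Domain Users,TRUE,2010-07-10,2010-06-30,MSSQLSvc/db01.corp.example:1433,
"""

# Groups whose membership always deserves a human look (assumed list).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
}


def review_accounts(export_text, today, stale_days=90, recent_days=30):
    """Return {samAccountName: [findings]} for enabled accounts needing review."""
    findings = {}
    stale_before = today - timedelta(days=stale_days)
    recent_after = today - timedelta(days=recent_days)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].upper() != "TRUE":
            continue  # disabled accounts belong on a separate list
        notes = []
        groups = {g.strip() for g in row["memberOf"].split(";") if g.strip()}
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        if privileged:
            notes.append("privileged: " + ", ".join(privileged))
        if row["servicePrincipalName"]:
            notes.append("service account (SPN set)")
        if row["passwordNeverExpires"].upper() == "TRUE":
            notes.append("password never expires")
        last_logon = datetime.strptime(row["lastLogon"], "%Y-%m-%d")
        if last_logon < stale_before:
            notes.append(f"stale: no logon since {row['lastLogon']}")
        created = datetime.strptime(row["whenCreated"], "%Y-%m-%d")
        if created > recent_after:
            notes.append(f"created recently ({row['whenCreated']})")
        if notes:
            findings[row["samAccountName"]] = notes
    return findings


def sample_findings():
    """Run the review over the constructed export as of the thread's date."""
    return review_accounts(SAMPLE_EXPORT, datetime(2010, 7, 15))


if __name__ == "__main__":
    for account, notes in sample_findings().items():
        print(f"{account}: " + "; ".join(notes))
```

Every flagged account still needs a decision with HR and the system owners; the script only produces the shortlist. Accounts with an SPN are the ones most likely to have a password the director knows and that nobody rotates.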
7/15/10 7:45 PM
gitbox
If the guy sucks bad enough that you can do all that without him knowing, odds are there are no backdoors.
7/16/10 1:21 AM
Road Warrior Fin
From the network engineer side?

Secure the exterior (VPN access and firewall rules). Understand how the VPN authentication is working, what it is, and how their policies are implemented to log on. You do realize there are a lot of lazy folks out there that may have created a few "groups" through which many people have access to a single VPN account. (Seen it plenty of times.)

The firewall rules would be the secondary thing to check out, although if they were smart enough to install a reverse backdoor (a RAT), I doubt you'll find anything on that.

Find out how wireless auth/wireless access works. If it's WPA2 on RADIUS tied to AD, make sure to comb those AD accounts. You will need to get with HR to fine-comb those AD accounts; when in doubt, disable, don't delete. If you are not sure, someone will end up calling the help desk. If it's WEP or WPA2-PSK, you'll have a painful process of making everyone change over, and of deciding who would be responsible for it; local IT staff won't work with you if you start creating more work out of thin air for them. You also need to know exactly who his "buddy buddies" were.

I would also try to get with accounting to find out what property is company property. Make sure that his phone, laptop, USB key, etc., ALL PROPERTY, is accounted for. Accounting will know everything that he owns, has, or is using company resources or money for.

VoIP or traditional phone system? Make sure that you have a phone guy check it all out; he may have some root access to that and can cause major havoc deleting voicemails, creating false prompts, social engineering, etc. Something that should not be overlooked.

Beat him to the punch: see if you can monitor him a week before and find out what IP addresses he may remote in from, including his mobile device. Having flags pop up when those IP addresses try to connect post-haste will be very tangible evidence in the event that corporate tampering does happen. Monitor connections at night, suspicious traffic, etc.

Now the hard part, but what I would REALLY fine-comb even though it is an invasion of privacy (but it's on corporate time and equipment):

Fucking fine-comb his Exchange account. Know what you want to search for, know what he may want. You'd be surprised at how many people may throw their password to him to get problems fixed, especially the incompetent C-level types.

Fine-comb the shit out of his PC and/or ANY computers he would touch on a normal basis.

Oh, for AD, I would recommend a system-wide password change.

Use Nmap to scan every single device in that network (an overnight task most likely), and anything that offers telnet, SSH, 80, or 443 needs to be looked at a little more closely.

As much as it pains me to say this: if he was good and knew tricks, there may be a point at which you really can't stop him, BUT I think the most important task of this job will actually be to write a proper SOW and clearly state what you are doing and that you can't give the company 100%, but ensure that they debrief him on the legalities and laws regarding what could result if he does tamper.
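The overnight Nmap sweep suggested above produces a lot of output; the useful step is turning it into a short list of devices exposing a management interface. As an added example that is not from the original post, here is a parser for Nmap's grepable output (`-oG`), which records each host's ports as `port/state/protocol/owner/service/rpcinfo/version/` fields. The scan results are constructed sample lines, and the port set to flag (22, 23, 80, 443) is taken from the post; the hostnames and addresses are assumptions.

```python
import re

# Constructed sample grepable output (not a real scan). Produced in practice by
# something like: nmap -sS -p 22,23,80,443,3389 -oG sweep.gnmap 10.0.0.0/24
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Fri Jul 16 01:30:00 2010 as: nmap -sS -p 22,23,80,443,3389 -oG sweep.gnmap 10.0.0.0/24
Host: 10.0.0.1 (fw01.corp.example)\tStatus: Up
Host: 10.0.0.1 (fw01.corp.example)\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 443/open/tcp//https///\tIgnored State: filtered (2)
Host: 10.0.0.5 (sw01.corp.example)\tStatus: Up
Host: 10.0.0.5 (sw01.corp.example)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (3)
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: closed (4)
Host: 10.0.0.30 (pbx.corp.example)\tStatus: Up
Host: 10.0.0.30 (pbx.corp.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (2)
# Nmap done at Fri Jul 16 03:10:00 2010 -- 256 IP addresses (4 hosts up) scanned in 6000.12 seconds
"""

# Ports the post says to look at more closely.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# "Host: <ip> (<name>)<tab>Ports: <list>[<tab>Ignored State: ...]"
HOST_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)"
    r"(?:\s+Ignored State:.*)?$"
)


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "open": {port: service}}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comments and "Status: Up" lines carry no port data
        open_ports = {}
        for entry in m["ports"].split(","):
            fields = entry.strip().split("/")
            # fields: port, state, protocol, owner, service, rpc info, version
            if len(fields) >= 5 and fields[1] == "open":
                open_ports[int(fields[0])] = fields[4]
        hosts[m["ip"]] = {"name": m["name"], "open": open_ports}
    return hosts


def flag_admin_services(hosts):
    """Hosts exposing any of ADMIN_PORTS, as {ip: sorted list of those ports}."""
    flagged = {}
    for ip, info in hosts.items():
        hits = sorted(p for p in info["open"] if p in ADMIN_PORTS)
        if hits:
            flagged[ip] = hits
    return flagged


def telnet_hosts(hosts):
    """Cleartext management is the first thing to chase: IPs with 23/tcp open."""
    return sorted(ip for ip, info in hosts.items() if 23 in info["open"])


if __name__ == "__main__":
    scanned = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in flag_admin_services(scanned).items():
        label = scanned[ip]["name"] or "(no name)"
        print(f"{ip} {label}: " + ", ".join(f"{p}/{ADMIN_PORTS[p]}" for p in ports))
    print("telnet:", telnet_hosts(scanned))
```

Every host on the flagged list is one where local account lists need to be pulled and credentials rotated, since those devices are exactly the ones outside AD that the original poster mentioned.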
7/16/10 1:22 AM
Road Warrior Fin
 fuck my grammar and spelling too
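The "beat him to the punch" monitoring Road Warrior Fin describes above (collect the IPs he remotes in from during the week before, then flag any later connection from them and anything at night) is easy to script once the logs are in hand. As an added example that is not from the thread, here is that detection logic run over constructed VPN login records. The `key=value` log format, the watchlist addresses and the business-hours window are all assumptions; real VPN concentrators each log differently, so the regex is the part to adapt.

```python
import re
from datetime import datetime

# Constructed sample VPN login records (not from any real system); the
# key=value layout is assumed for illustration.
SAMPLE_LOG = """\
Jul 16 09:12:03 vpn01 vpnd: user=jdoe src=198.51.100.23 action=login result=success
Jul 16 23:41:17 vpn01 vpnd: user=itdirector src=203.0.113.45 action=login result=success
Jul 17 02:05:44 vpn01 vpnd: user=svc_backup src=203.0.113.45 action=login result=success
Jul 17 02:06:10 vpn01 vpnd: user=admin src=203.0.113.45 action=login result=failure
Jul 17 14:30:00 vpn01 vpnd: user=jdoe src=198.51.100.23 action=login result=success
Jul 18 03:15:22 vpn01 vpnd: user=helpdesk2 src=192.0.2.77 action=login result=success
"""

# Addresses observed for the director during the week of monitoring before
# termination (constructed; assumption).
WATCHLIST = {"203.0.113.45", "198.51.100.200"}

LINE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ vpnd: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=login result=(?P<result>\S+)$"
)


def find_alerts(log_text, watchlist, night=(22, 6), year=2010):
    """Return alerts for watchlisted sources (any result) and successful
    logins outside business hours. night=(start_hour, end_hour)."""
    night_start, night_end = night
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a login record
        # syslog lines carry no year; caller supplies it
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        reasons = []
        if m["src"] in watchlist:
            # failed attempts from his addresses are evidence too
            reasons.append("source on watchlist")
        after_hours = ts.hour >= night_start or ts.hour < night_end
        if after_hours and m["result"] == "success":
            reasons.append("successful login outside business hours")
        if reasons:
            alerts.append({"time": ts, "user": m["user"], "src": m["src"], "reasons": reasons})
    return alerts


def sample_alerts():
    """Run the detection over the constructed log with the assumed watchlist."""
    return find_alerts(SAMPLE_LOG, WATCHLIST)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a['time']:%b %d %H:%M} {a['user']}@{a['src']}: " + "; ".join(a["reasons"]))
```

The third alert (a failed `admin` login from a watchlisted address) is the kind of record that matters later: it ties an address already attributed to him to an attempt after his access should have ended, which is the "very tangible evidence" the post is after.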
7/16/10 10:28 AM
Q_Nine
That's perfect Fin. Great suggestions. Thanks!
