Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

IT Guy Fired: Anything to worry about?

Melrose

Melrose

Suspended
Original poster
Dec 12, 2007
7,806
399
So today the more-or-less IT guy was fired where I work; he's not a wizard at IT by any means, but he did have a pretty good knowledge of how all that stuff works - as well as remote access from home to his computer and the network at work.

He quit under rather trying circumstances today, and in discussions with my immediate boss there may be some possibility of Remote Reprisal.

What steps do we have to take to make sure he can't come in by some backdoor later and mess around? Passwords on our websites have been changed, etc, but what about remote access?

TIA :)
 
Last edited:
Depending on the size and complexity of your company's infrastructure i advice you to consider hiring professional help.

He could have several remote control installations like teamviewer, logmein, remote desktop, VPN connections...etc etc.

You will need to disable his user account, access token, change domain service accounts, local and domain admin accounts, force your users to change their passwords, look through firewall logs to block his ip addresses, and shut down and unplug his PC's and administrative server (jump server with all his tools and stuff) Secure and backup of your data. Implement policies for certain programs and tighten your firewall security until you have the basics under control.
 
Right now, try the following regarding your router:

- Password changed.

- All ports blocked until you know what they can do / enable.

On his computer, look for programs for remote access such as LogMeIn, GoToMyPC, etc. Delete them. You will need an Admin password to do so.

You mentioned that you chanced all your passwords. Well, let's check:

- Log in passwords (Mac is easy. PC you usually have user, admin and set administrator.)

- E-mail (official or other that may be on your computer).

- Log in for remote file shares.

- Log in for remote servers. You mentioned web, so maybe this is done.

- Log in for any remote PayPal type accounts.

- Log in for any web servers such as Go Daddy type services.

Thanks all I can think of off the top of my head.



EDIT:

KasperH said:
Depending on the size and complexity of your company's infrastructure i advice you to consider hiring professional help.
Click to expand...
Or this! :)
 
KasperH said:
Depending on the size and complexity of your company's infrastructure i advice you to consider hiring professional help.

He could have several remote control installations like teamviewer, logmein, remote desktop, VPN connections...etc etc.

You will need to disable his user account, access token, change domain service accounts, local and domain admin accounts, force your users to change their passwords, look through firewall logs to block his ip addresses, and shut down and unplug his PC's and administrative server (jump server with all his tools and stuff) Secure and backup of your data. Implement policies for certain programs and tighten your firewall security until you have the basics under control.
Click to expand...

sushi said:
Right now, try the following regarding your router:

- Password changed.

- All ports blocked until you know what they can do / enable.

On his computer, look for programs for remote access such as LogMeIn, GoToMyPC, etc. Delete them. You will need an Admin password to do so.

You mentioned that you chanced all your passwords. Well, let's check:

- Log in passwords (Mac is easy. PC you usually have user, admin and set administrator.)

- E-mail (official or other that may be on your computer).

- Log in for remote file shares.

- Log in for remote servers. You mentioned web, so maybe this is done.

- Log in for any remote PayPal type accounts.

- Log in for any web servers such as Go Daddy type services.

Thanks all I can think of off the top of my head.
Click to expand...

I greatly appreciate this help - it's far more than I would have known.

He does have VPN (or did), I think. He used the Terminal for a few things, and in his Apps there was no evidence of any remote access software, but he could have simply run them from a different folder, correct? He did use Apple RemoteDesktop to manage the computers in the building. The company runs a bit low on knowledge in the tech arena; if he accesses our system using a VPN or whatnot on his computer, is shutting that down enough for the time being?

We just migrated our sites to GoDaddy, and I'm not sure if this authentication has been changed or not. As far as I know, he still has at least FTP access to the server, so I'll check on that. Except for a few computers, the whole building is Mac.
 
Out and out reprisal would be a certain kiss-of-death for this person to get another job as a sysadmin. So in this economy, no matter how trying the circumstances, I would hope for professional behavior.

FWIW under these circumstances you shouldn't just change your website passwords, but all user passwords in the building. A malicious BOFH would be able to use any user password they happen to know as a "hook."

B
 
In addition to the good advice already given, I strongly suggest someone monitor the entire system, activity logs et al, for at least another ten days. There is no substitute for supreme vigilance at this juncture. While it's in his best interest not to retaliate, he may not be thinking rationally.

Good Luck.
 
Thanks again for the help - it doesn't help that I'm the only one there that knows much of anything about this sort if thing, so I'll kind of have to teach myself as I go about checking server logs and stuff.

I tried to log in to his Admin software from his computer but he had shut it all down, and given his penchant for it sharing much info at all for stuff like this it might be tricky to actually get in there to begin with.

-aggie- said:
You said he was fired, but then you said he quit?
Click to expand...

He's ranted before about quitting but they've talked him down. This time the boss said "good luck... Get your stuff and leave."
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back