
IT consultant getting fired what to do?

Pitbull

So the IT consultant is about to get fired. He ran the servers for 7 years, knows them in and out, connects remotely. Basically the position of my predecessor was expended and I'm running the show now.
Here is what I have so far in terms of preparations.

Change VPN config/profile/password.
Change admin passwords on all servers
Delete his email/accounts on servers.
Change user passwords on domains and emails (in case he will try to log in as them)
Look for VNC servers/processes and check firewall/router port forwards for allowed connections. (I know some VNC services tunnel through NAT without any issues these days. Is there a good way to find backdoors on Windows and OS X servers?)
Change alarm security codes (not just his but for all employees)
Ask for keys.
Ask to furnish all documentation/passwords (he will get paid for full month so he can write it all out)

Any other ideas to make this go smooth and avoid possible sabotage?
 
Make sure that on all external facing network gear that you go through the list of usernames and erase any not in use actively, and if you use RSA fobs that you retrieve it and/or disable it right off the bat.

We had an instance once where the usernames were forgotten by a team no longer working with us, and the user was able to manipulate the switch (sadly yes)...
 
You may want to disable his accounts rather than delete them. You never know when you'll need to reference E-mails/files associated with a terminated employee.
 
You may want to disable his accounts rather than delete them. You never know when you'll need to reference E-mails/files associated with a terminated employee.

This. That's what I tell my clients to do when employees are no longer employed by the company, under favorable or not so favorable conditions.
 
I would log his IP/MAC address he uses to connect from home and add it to the firewall... the rest of the changes should deter a connection from anywhere else

of course I'm just a random guy on the internet with an opinion is all
 
Have him attend an all day meeting while you cut his accounts off. Then tell him to hit the road...
 
You may want to disable his accounts rather than delete them. You never know when you'll need to reference E-mails/files associated with a terminated employee.

This.

Also be careful when you change admin passwords. For Windows use GPO to change local admin accounts. Also be sure to check what services use the admin accounts. You need to make sure you update them under the Windows services to make sure they have the new credentials.

Make sure beforehand everything is in the company's name, i.e. domains or other services in the consultant's name. Also make sure you update the WHOIS for any external domains. I'd forward the email he gets on an internal account to someone else for a while. Check email on external services to make sure they don't get sent to him as well.
 
If you really don't trust the guy, then every single Windows password needs to be changed. That means local admin passwords, Active Directory recovery password, and all user passwords.

As a domain admin, it's trivial to obtain a copy of the SAM, which can be used to get all the user passwords.
 
I'd use the legal approach. Tell him it is highly illegal if he is caught accessing anything in the company after he leaves. Make sure he (and any ex-employee) knows that you will prosecute to the fullest extent of the law. Depending on what he does, it could be a felony which would ruin his life. Heck, if you scare him enough, he might help YOU change every password he knows.

There have been several threads about this on Slashdot over the years. Take a gander over there for some good suggestions too.
 
I'd use the legal approach. Tell him it is highly illegal if he is caught accessing anything in the company after he leaves. Make sure he (and any ex-employee) knows that you will prosecute to the fullest extent of the law. Depending on what he does, it could be a felony which would ruin his life. Heck, if you scare him enough, he might help YOU change every password he knows.

There have been several threads about this on Slashdot over the years. Take a gander over there for some good suggestions too.

This is the way to do it

Also change the admin passwords and if possible and it's not too much of an issue get your external IP changed.

Make sure there are no TeamViewer / LogMeIn installs on any PCs, make sure you know what every switch port terminates and what is connected to it. You don't want a hidden TeamViewer PC in there.
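
An added example, not part of any post in this thread: a local Windows inventory for the remote-access tools named above (TeamViewer, LogMeIn, VNC), covering installed programs, services, processes and listening ports. The name pattern is an assumed starting list; tools that connect outbound through NAT never show up as listeners, which is why the first three checks matter.

```powershell
# Added example. Run locally in an elevated PowerShell session
# (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
# $Pattern is an assumed starting list, not a complete catalogue of remote-access tools.
$Pattern = 'teamviewer|logmein|vnc'

# Installed programs, from the 64-bit and 32-bit uninstall registry keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'Installed'; Name = $_.DisplayName
                           Detail = "$($_.Publisher), $($_.InstallLocation)" }
    }

# Services, running or stopped, whose name, display name or binary path matches.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name
                           Detail = "$($_.State), $($_.StartMode), $($_.PathName)" }
    }

# Running processes, including portable copies that were never installed.
$processes = Get-CimInstance -ClassName Win32_Process |
    Where-Object { "$($_.Name) $($_.ExecutablePath)" -match $Pattern } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'Process'; Name = $_.Name
                           Detail = "PID $($_.ProcessId), $($_.ExecutablePath)" }
    }

# Every non-loopback TCP listener with its owning process, regardless of name,
# for comparison against the port forwards configured on the firewall/router.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Kind = 'Listener'; Name = $p.ProcessName
                           Detail = "$($_.LocalAddress):$($_.LocalPort)" }
    } | Sort-Object Name, Detail -Unique

@($installed; $services; $processes; $listeners) | Format-Table -AutoSize -Wrap
```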
 
While I understand and applaud the tight ideals and covering all bases, is this an outright firing or a termination of services?

I noticed the line about being paid for a full month to write/furnish documentation, that's the only reason I ask. Again I agree that all precautions should be taken, but it sounds rather amicable if they are willing to pay for a month of services after the fact.

The intimidation factor for messing with something after the fact should be enough to deter anything, but at the same time if you still need something out of him, intimidation probably isn't going to help the matter. In all honesty he could tell you to go screw yourself and walk out; even turn down the month's worth of pay if he's feeling vindictive. That would leave you with an undocumented mess, from the sound of it.

Also you might want to do some recon and make sure those accounts you are changing passwords for aren't tied to any services/etc. Obviously not best practice in the first place, but some of the shit I've seen lately, better safe than sorry.
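
An added example, not part of any post in this thread: one way to do the recon suggested here and earlier in the thread, listing every Windows service and scheduled task that logs on with a named (non-built-in) account before that account's password is changed. The built-in account pattern and the output file name are assumptions of this example.

```powershell
# Added example. Anything that matches $BuiltIn runs as a machine-managed identity
# and is not affected by a password change; everything else is listed for review.
$BuiltIn = '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|NT AUTHORITY\\.+|NT SERVICE\\.+|S-1-5-(18|19|20))$'

$audit = {
    param($BuiltInPattern)

    # Services whose "Log on as" account is a local or domain user.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $BuiltInPattern } |
        ForEach-Object {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Kind = 'Service'; Name = $_.Name
                               RunAs = $_.StartName; StoresPassword = $true
                               Detail = "$($_.State), $($_.StartMode)" }
        }

    # Scheduled tasks that run as a user. LogonType 'Password' means the task keeps
    # a stored credential that must be re-entered after the password changes.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notmatch $BuiltInPattern } |
        ForEach-Object {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Kind = 'Task'
                               Name = "$($_.TaskPath)$($_.TaskName)"
                               RunAs = $_.Principal.UserId
                               StoresPassword = ("$($_.Principal.LogonType)" -eq 'Password')
                               Detail = "LogonType $($_.Principal.LogonType), $($_.State)" }
        }
}

# Local run. For several servers with PowerShell remoting enabled, use instead:
#   Invoke-Command -ComputerName $Servers -ScriptBlock $audit -ArgumentList $BuiltIn
# where $Servers is your own list of host names.
$results = & $audit $BuiltIn

$results | Sort-Object RunAs, Host, Kind | Format-Table -AutoSize -Wrap

# Keep a copy as a record of what was checked (file name is a placeholder).
$results | Export-Csv -Path .\runas-audit.csv -NoTypeInformation
```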
 
No matter how amicable the separation, if you want to CYA the most important thing will be to go over your internet gateways and wireless APs with a fine tooth comb.

Document that you did these things and mention the results. That way if something does happen, you can at least show that you performed due diligence on the most obvious openings.
 
When I take over from someone else the first thing I always do is warn management of two things. First that networks can be incredibly complicated things and it will be at least 6 mo before I'm comfortable knowing where all the landmines are on this one. And secondly the old IT guy CAN cause problems if he really wants to.

The reality is that if this guy makes the decision to become malicious and he is good at his job there is no way for you to 100% cover your bases. Even if you do get every single log on password etc changed he still knows your infrastructure better than you do. He will know where all the holes are and he knows how the company works.

Like Adam said your best bet is to work with him on this transition. You're less likely to push him into being mad enough to cause problems and more importantly you will have a much better idea of how he runs things to be able to deal with any disruptions he causes if for whatever reason he goes nuts.
 
Yeah. And as far as passwords / access, don't forget about SSH keyfiles and all that, and some scheduled jobs that may be set up to e.g. transfer files to an FTP server, with a script file that has the FTP username / password, etc.

Additionally, things like rndc keys for remote bind admin, database logins, web app logins, management system passwords,...
 
Create a failsafe administrative account using a different nomenclature.

We had an admin that was fired go to the OWA site, log in using the other admins' IDs and lock out all of the other admins one night.

Was actually kind of funny. Everyone came into work and no one could access their PCs.
 
Thanks guys. Yeah, his accounts will be disabled, then after 6 or so months I will archive them. I really don't think anybody running a successful business would sabotage an ex client that paid every single penny to ruin his reputation. But he has been standoffish in the past about giving away passwords or upgrades (he'd come in and install hardware/software without letting anybody know) so I'm just using precaution. I already planned on telling him all the legal repercussions and make him well aware that neither I nor the company will take things lightly.
 
Well technically we are terminating his services (he collects money for not much work) and now I'm here 9-5, so they get better bang for a buck from me, and I can fix all the little things while the infrastructure is humming along. If he plays (and he will) the "I'm needed here" card he will get quoted with all the BS he has been doing behind the company's back.
 
Have him attend an all day meeting while you cut his accounts off. Then tell him to hit the road...

I have seen this before, sadly this happened to me once (first tier 2-3 job). Essentially we were so swamped with tier 1 stuff (had 400 users and only 1 tier 1 guy) that I could not do my job and had to help him out.


Eventually I used this to let go someone at my last job and it does work well.
 
I really don't think anybody running a successful business would sabotage an ex client that paid every single penny to ruin his reputation. But he has been standoffish in the past about giving away passwords or upgrades (he'd come in and install hardware/software without letting anybody know) so I'm just using precaution.

Yeah, this doesn't sound so amicable anymore. If you ask me you should be grilling him as hard as possible for any glint of infrastructure nuances you can get him to give up. Unless you have it in ink that he HAS to provide documentation, he could hold it hostage, or simply refuse to do it. The only allure you have is cash.

This actually happened at my current position. Everything is custom, everything is just....so. Static IPs and routes even. They fired the guy before I got here, not even a diagram provided. Just walked out. I've been here ~4 months now, and I finally have a decent handle on what machine is doing what, and the utter mess that exists.

That could be really important to you trying to assume his role. If there is something that breaks for whatever reason and you have no documentation - god help you. I would absolutely be planning for this contingency and use the legal intimidation as a last resort, if only to get what you need out of him.
 
Why the hostile attitude toward the guy getting fired? Was there misconduct involved?

I'm all about CYA and security, but it seems to me you guys are assuming he will want to wreck shit after he is let go. A little decency and respect in these situations goes a long way, people don't like to be treated like units of production, to be used and discarded. Maybe I'm just crazy.
 
Why the hostile attitude toward the guy getting fired? Was there misconduct involved?

I'm all about CYA and security, but it seems to me you guys are assuming he will want to wreck shit after he is let go. A little decency and respect in these situations goes a long way, people don't like to be treated like units of production, to be used and discarded. Maybe I'm just crazy.

IT is a different breed given the necessary access requirements generally associated with the position. If the company is large enough, this exposure will be more localized. It's just good policy to revoke ALL access. With regular employees, it's as simple as collecting the keys and turning off an account. With IT, it goes a lot deeper.

If you're at a company in charge of IT, have a policy and guidelines in place for dealing with staffing changes, as far as a checklist. Be on top of your network's security and manage it accordingly. Regardless of reasons / conditions of leaving, once you're out, you're OUT. No mas.
 
IT is a different breed given the necessary access requirements generally associated with the position. If the company is large enough, this exposure will be more localized. It's just good policy to revoke ALL access. With regular employees, it's as simple as collecting the keys and turning off an account. With IT, it goes a lot deeper.

If you're at a company in charge of IT, have a policy and guidelines in place for dealing with staffing changes, as far as a checklist. Be on top of your network's security and manage it accordingly. Regardless of reasons / conditions of leaving, once you're out, you're OUT. No mas.
Nothing you said justifies the hostility and legal threats and general disregard for decency. Would you like to be treated like shit the day you get fired and be spoken to as if you were about to carry out a nasty vendetta and commit felonies? I know I wouldn't, and I've been in IT for a while now. Maybe if we showed the guy who is about to lose his income and his means of putting food on the table some respect and compassion, just maybe, it won't even occur to him to make the transition difficult or sabotage your network or worse. Maybe he may even help you with the process to score some points in case a recruiter or a manager for a future job call you to ask about him. I'm not saying don't cut off his accounts, but there is no reason to stop treating him like a person.

Dale Carnegie should be required reading to enter the workforce.
 
Change VPN config/profile/password.
yes
Change admin passwords on all servers
yes, and look for any local accounts on any internet facing servers and either disable or change those accounts too. also, system accounts for backup jobs or anything else, probably going to need to change those as well or at least disable remote access.
Delete his email/accounts on servers.
i wouldn't, at least not without exporting it first.
Change user passwords on domains and emails (in case he will try to log in as them)
Look for VNC servers/processes and check firewall/router port forwards for allowed connections. (I know some VNC services tunnel through NAT without any issues these days. Is there a good way to find backdoors on Windows and OS X servers?)
there is a Windows surveyor tool, i forget the name offhand. it isn't that great but isn't awful either. this sounds like a smallish shop though so manually seeing what's what will allow you to document at the same time.
Change alarm security codes (not just his but for all employees)
Ask for keys.
sounds like a lot of hassle. if you do do this don't do it all at once.
Ask to furnish all documentation/passwords (he will get paid for full month so he can write it all out)
hold your breath for that.
Any other ideas to make this go smooth and avoid possible sabotage?
do your due diligence but most of the time people aren't huge douche bags. put it this way, if this dude wanted to fuck you, from the sound of it there isn't anything you can do to prevent that since this guy more or less ran everything, right?

make sure you establish a line of communication with the guy and make sure he knows you're just trying to do your job.
 
Nothing you said justifies the hostility and legal threats and general disregard for decency. Would you like to be treated like shit the day you get fired and be spoken to as if you were about to carry out a nasty vendetta and commit felonies? I know I wouldn't, and I've been in IT for a while now. Maybe if we showed the guy who is about to lose his income and his means of putting food on the table some respect and compassion, just maybe, it won't even occur to him to make the transition difficult or sabotage your network or worse. Maybe he may even help you with the process to score some points in case a recruiter or a manager for a future job call you to ask about him. I'm not saying don't cut off his accounts, but there is no reason to stop treating him like a person.

Dale Carnegie should be required reading to enter the workforce.
this, 100 times this.
 
Nothing you said justifies the hostility and legal threats and general disregard for decency. Would you like to be treated like shit the day you get fired and be spoken to as if you were about to carry out a nasty vendetta and commit felonies? I know I wouldn't, and I've been in IT for a while now. Maybe if we showed the guy who is about to lose his income and his means of putting food on the table some respect and compassion, just maybe, it won't even occur to him to make the transition difficult or sabotage your network or worse. Maybe he may even help you with the process to score some points in case a recruiter or a manager for a future job call you to ask about him. I'm not saying don't cut off his accounts, but there is no reason to stop treating him like a person.

Dale Carnegie should be required reading to enter the workforce.

Where did I say hostility and legal threats and the lack of decency were required or necessary? I'm saying that without justification to have access, there should be no access.
 
Where did I say hostility and legal threats and the lack of decency were required or necessary? I'm saying that without justification to have access, there should be no access.

There was an odd feeling of hostility towards the person who was being let go but I don't think it was totally on your part.

Seriously though, there's a difference between getting fired and being laid off. Heck there's even a difference between getting fired (You stole from the company or caused us harm) and getting terminated. (You're not good at your job)

In my school work we constantly talk about never, ever, ever deleting a person's account especially in Active Directory. Always disable the account and reset the password if you need access to anything that person had access to, mainly Exchange email.
 
Where did I say hostility and legal threats and the lack of decency were required or necessary? I'm saying that without justification to have access, there should be no access.
There was talk in the thread of threatening the person with legal consequences if he does not do what he is told, and other backhanded ways of handling the situation. I was not attributing the comments to you, I was commenting on the overall tone and suggesting that there is another, more respectable and honorable way of doing it.
 
[Image: 57256088.jpg]


I'd use your company card and buy one of these to wear for the next few days.

Forget about the network, think about your life :cool:

A guy went postal here in N Cali yesterday and shot everyone up because he thought he was about to get fired. An old lady in the parking lot wasn't even spared. She had her face smashed in and shot in the guts. This was in an HP parking lot.

So you as the direct replacement might be at the top of the list :(
 
Nothing you said justifies the hostility and legal threats and general disregard for decency. Would you like to be treated like shit the day you get fired and be spoken to as if you were about to carry out a nasty vendetta and commit felonies?

agreed. you should be cautious but without accusing him of something that hasn't happened. your attitude should equal his. if he starts being standoffish or stonewalls you, you can do the same. however if he hasn't done anything to warrant it, but you still treat him like a criminal, you might just cause him to do something he wouldn't have originally thought of.

if I'm going to be accused of doing something sinister regardless, then i might as well go ahead and actually do it. I'm still being fired either way, and still being accused either way, so there's no reason not to be evil.

if I'm going to jail for murdering someone, i might as well actually kill the person.
 
if I'm going to jail for murdering someone, i might as well actually kill the person.

I don't think that statement is relevant to this situation. Anything he does would be escalation, he absolutely would have something to lose in this situation, versus being wrongfully accused, and a 'might as well' attitude. That said I agree with the rest of your post. Be civil and ask for what you need from him, have HR make the offer of paying him for another month for his services. If he rejects, you have the fail safes to CYA.

Let HR handle the bullshit. You're talking about taking his keys and stuff - why? I wouldn't even assume responsibility for this, I think your best bet is to distance yourself from firing/replacing him. Unless that is your duty for some backwards ass reason. The more you are involved in the firing process the more you are the enemy.

I'm still betting money he tells your company/you (by proxy) to go eff yourselves when he is terminated. Or claim the documentation you want is outside his normal scope of work, and he'll do it for $150/hr.

At this point I hope you have something to go on, otherwise once that tie is cut it's going to be hell and reflect on you if there is some elaborate problem that your predecessor fixed, and you don't have a damn clue.
 
OP

don't treat the person like a jerk off unless they deserved it. More than likely he/she found something better and is moving on. If they are getting canned, the signs were there way before, especially if they were there for 7 years. Of course you would know that. :)

Firewalls can be configured to disallow traffic originating from external sources, whether internal sources are listening or not (VNC, RDP etc). Should be simple especially if the firewalls were configured with "deny all except" rules.

on the account

disable, do not delete. if Active Directory, create a Disabled Account OU and move account to OU. Make sure to mark the day account was disabled on the account (description). Done.

If Active Directory,

change pwd of the Domain Admin and Enterprise Admin accounts. If the Admin used the Domain Admin account and renamed it, well, rename it. Problem will arise with that if they used the domain admin accounts for services.
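
An added example, not part of any post in this thread: the disable, stamp and move sequence described above, followed by a check that every Domain Admins and Enterprise Admins member has had its password changed. It assumes the ActiveDirectory module (RSAT); the account name, OU path and rotation start time are hypothetical placeholders.

```powershell
# Added example. All three values below are placeholders to replace with your own.
Import-Module ActiveDirectory

$Sam           = 'jconsultant'                              # hypothetical account name
$TargetOU      = 'OU=Disabled Accounts,DC=example,DC=com'   # hypothetical OU, must already exist
$RotationStart = (Get-Date).Date                            # assumed start of the password rotation

# --- Disable, do not delete ---------------------------------------------------
$user  = Get-ADUser -Identity $Sam -Properties Description
$stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME"

Disable-ADAccount -Identity $user
# Mark the date on the account and keep whatever description was there before.
Set-ADUser -Identity $user -Description "$stamp; was: $($user.Description)"
Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU

# The DN changed with the move, so look the account up again by GUID to confirm.
Get-ADUser -Identity $user.ObjectGUID -Properties Description |
    Select-Object SamAccountName, Enabled, DistinguishedName, Description |
    Format-List

# --- Confirm the privileged accounts were actually rotated ---------------------
# Enterprise Admins lives in the forest root domain; in a single-domain forest
# both groups resolve from the current domain.
'Domain Admins', 'Enterprise Admins' | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet |
        Select-Object @{ n = 'Group';   e = { $group } },
                      SamAccountName, Enabled, PasswordLastSet,
                      @{ n = 'Rotated'; e = { $_.PasswordLastSet -ge $RotationStart } }
} | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Appending `-WhatIf` to `Disable-ADAccount`, `Set-ADUser` and `Move-ADObject` shows what would change without touching the directory.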
 
You should try to stay on somewhat friendly terms during this process, because if there is something in place you don't understand or know how to change, you might need his assistance on an hourly basis. If a client of mine treated me fairly and professionally even when cancelling my services, I'd do some transition documentation and I'd be happy to help them out down the road if they had some questions. If they were complete d-bags about it, I'd charge them triple rate.

Then again, I wouldn't be standoffish and withholding info in the first place, like it sounds like this guy is doing to some degree.
 
I think this thread has run its useful course, you're all saying the same thing now.
 
jeez, the guy's a CONSULTANT. any job with the title "consultant" is presumed temporary. it sounds like he's been there long enough to expect some kind of severance but you're giving him that so he shouldn't have any problem at all. maybe make him sign a release to remind him of legal ramifications, disable his accounts, change admin passwords etc but you shouldn't need to go too far. like was said before, if the guy REALLY wants to misbehave he's going to.
 