The IT Manager is Leaving - What do I lockdown?

Obviously the physical security needs to be addressed, but after that...

Assuming you don't have a documented procedure for when employees leave (environment generic as you don't mention which platforms you run):

  1. Start with perimeter security. Change all passwords on any perimeter equipment like routers, firewalls, vpn's, etc... Then lock out any accounts the IT manager had, as well as review all of the remaining accounts for any that are no longer used, and any that don't belong (in case he added a secondary).
  2. Email - remove his account or at least disable logins to it depending on your company policy.
  3. Then go through your host security. All machines and directory services should have his account disabled and/or removed. (Removed is preferred, but you might need to audit them in case he has anything running that is valid under them first). Again, also review for any accounts that are no longer used, as well as any that don't belong. Disable/remove those as well. If you use ssh keys you should change them on admin/root accounts.
  4. Shared accounts, if you have any, should all have their passwords changed. You should also look at removing shared accounts or disabling interactive login on them as a general practice.
  5. Application accounts... don't forget to change passwords, or disable/remove accounts from all applications he had access to as well, starting with admin access accounts.
  6. Logging... make sure you have good logging in place for account usage and monitor it closely to look for any suspicious activity.
  7. Backups... make sure your backups are current, and secure (preferably offsite). Make sure you've done the same as above with your backup systems as far as accounts.
  8. Documents... try as much as you can to identify, request from him if possible, and copy somewhere secure, all of his documentation.
  9. If you have any services outsourced (email, spam filtering, hosting of any type, etc..), make sure to do all of the above that are appropriate with those services as well.

As you do all of this, document it, so that you have a procedure in place for future terminations.

Also, if you use any colocation services, make sure to have his name removed from the access list and ticket submission list. It'd be wise to do the same for any other vendors where he was the primary person handling, so that he can't cancel or mess with services you get from those vendors, and also so that vendors know who to contact for renewals, problems, etc... which can save you some headaches when something the IT manager didn't document happens.

I'm sure there's more I missed, but that's off the top of my head.


Don't forget physical security - make sure he can't get into any building - it's great that you're all over the network kit but if he can get to the data centre it's pointless.


We suspected that a disgruntled employee who was still in their notice period may have installed some remote-access programs, so we limited his logon account to work hours only, so that he couldn't remote in after-hours when nobody was around to do things (during work hours we could see his screen clearly so if he got up to mischief we would have known).

Turned out to be valuable, he had installed LogMeIn and did in fact attempt after-hours access.

(this was a small company network, no ACLs or fancy firewalls)


Also be carefull not to lockdown too much. I remember a situation where someone left and a day later it became apparent that some business critical software was actually running under his personal user account.