How to fire an IT administrator?

If you just started to think about replacing your IT administrator at the time when you need to do it it’s over. Too late. Remember those articles that you’ve read about the dangers of inside threats? They are talking about this situation. In fact, this one is even worse. The majority of articles written about threats posed by insiders talk about regular employees. In the information security zone an admin is not a regular employee. Your only choice is to resort to the first option below.

The task of offboarding administrators should be planned well ahead; around the time they are hired. In the majority of cases the employment is based on mutual trust and reputation. People change jobs naturally and nothing bad happens. The other argument goes that it’s not much to hide or not much to lose here. But when the leak or break happens it happens loudly, painfully, costly and untimely. It is usually not much better when it happens quietly and nobody seems to notice.

What is so special about administrators?

Administrators leave behind booby traps and back doors, time bombs and open holes. None of those hazards were created with foul intentions. All were implemented to move the business faster, make operations cheaper or let the best talent work more efficiently. That hole in the firewall? That was for remote employees so they could work any time from anywhere. How about that back door? It was a backup to recover from failed hardware. What’s that time bomb? That was a scheduler for document review automation workflow.

Administrators just happen to know all these shortcuts to where information lives and to how it dies. Where you see a friendly blinking router an admin sees a green light to open a back end database.

A typical employee has one account. Albeit one with some complex authorization rules with groups and roles to access services or data. It’s not that easy to manage all of that and also to offboard people cleanly. Sometimes even regular employees use shared accounts, especially to external resources like financial or other B2B portals. However, locking this one main login takes care of the majority of unauthorized access. Yes, companies often forget to do do even that when an employee leaves the organization. But offboarding an administrator brings the problem on a completely different level.

An administrator has a personal network account like everybody else. In addition to that they use a lot of privileged accounts that do not belong to any physical (or natural, like European GDPR calls them) person. In many cases these accounts are not even handled by the central user directory. These are local root or administrator accounts, router or printer logins, database schema or application pool owners that only computers use (but anyone who knows can use them too), special software administrators, service FTP accounts to move backups around and many others. Do you have an issue tracking system on the network? Guess who knows the credentials of the account it uses to connect to its internal database.

Solutions.

1

Be Nice

Option number one is be nice to your IT staff. In general, you should be nice to everybody, but especially to your employees and even more especially to the IT administrators. Explain the situation and let them leave on their terms. Separation is a natural part of the business. Everybody should understand that. Actually, you should combine this option with all the other options offered below. It never hurts.

2

Use Two

Option number two is to use two administrators instead of one, hoping they’ll watch each other and record what they do in the hope that it will be harder for them to conspire together. This thinking is actually a fallacy mainly given here to illustrate that there is no simple way out. First, nothing precludes a single admin from doing something alone hiding it from the other one. Second, the “bad” admin would most likely depart from the protocol with the best intentions to help the business while fixing some process and allowing some employee to continue working.

3

Privileged Account Access Automation

Option number three is to use automation to track and to provide access for privileged accounts and for configurations of the company servers. In short, the automation software should discover privileged accounts on the network, lock down orphaned accounts, reset credentials for the useful accounts, and provide access to the network resources when needed ideally without even exposing the passwords to the administrators who use them. This approach gives hope that access to these distributed resources is concentrated in a single place.

Privileged Account Access Automation Principles

Let’s talk about the principles of the access automation in more detail.

1

Discovery

The automation software should continuously scan the network for the appearance of new devices and new local accounts on these devices: Someone created an account for FTP access. Someone else set up a printer and forgot to reset the printer admin password (who even knew that printers have passwords). The automation software will discover these accounts and register them in the system.

2

Automated Password Reset.

The automation software should continuously reset passwords for privileged accounts everywhere on the network. The same process should update application configuration and scripts with the new passwords in case these scripts could not get this information themselves (more about that later). This way, nobody would know how to login anywhere unless by looking for the credentials in one central location. Lock this one central location and it will lock all scattered privileged accounts. One more positive side effect is that the same process would reset default factory passwords that come with the majority of IoT devices.

3

Password Vault

Since nobody knows any passwords anymore, an admin with certain permissions could use the automation software to get convenient (ideally WEB based) access for the password, keys or certificates when needed.

4

Access Accounts without Exposing the Password or Key

When applicable the admins can access the system without even looking at the password. The automation software could open a computer screen for the authorized admin authenticated in one single place without actually disclosing the password or a key to the final destination.

5

Session Recording and Monitoring

While providing access to the destination account the automation system could optionally record the whole session to help future investigation. In addition to that, the automation software could restrict commands executed on the server based on the configured policies. This way, an IT administrator could outsource some of the regular activities to a remote contractor without heavy sacrifices in overall network security.

6

API for Scripts and Application

Scripts and applications, like regular network users, require account credentials to get access to the information and services. The typical approach is to hardcode passwords into the scripts and application configuration files. This makes it very hard to ever update the password because it breaks unknown numbers of automation code on the network. Instead, both scripts and the applications should get the actual password, key or certificates from the access automation software when needed.

Summary

Mutual trust and professionalism should be a guiding principle in relationships between a company and an IT stuff. Privileged account and access management software helps to cleanly separate functions of a business and IT administration. It allows administrators to efficiently perform their activities, engage external contractors while keeping company digital assets and services under corporate supervision.

About us

Xton Access Manager is an agentless, cross-platform privileged access management solution with unlimited licensing model built from the ground up with an enterprise feature set. Simple to implement, without your typical enterprise cost and effort.

Xton Access Manager is now available for download. Please fill out this form to receive a download link to get started today, even on your current desktop or laptop. Documentation is available to help or you can email or call us to request a trial extension, discuss questions and share your feedback. We would love to talk to you.