by yangtheman 3297 days ago
Proper exit procedure should have disabled all access from this ex-admin..., unless s/he had some sort of cron job or launched some process that would execute commands at a certain time? I am very curious to know how it was done.
7 comments

That's all true, but in reality, we often count on the better nature of people, goodwill, for a proper break on both sides.

If someone is planning a malicious exit, it can be very hard to stop them depending on how "integrated" they are.

IT admin people have the keys to the building and pretty much all data at the end of the day. Trust is everything and reputation is extremely important. This will not go well for the ex-admin one way or another either by lawsuit or blacklisting.
Well, assuming he doesn't change his name and fake his employment history. Or just deny it. Or threaten to sue for libel if anyone claims it was him that did it. If it was me I'd claim they screwed up (restored a backup onto the backups, something like that, happens all the time) then blamed me. Let's be honest, they're more screwed than he is.
And yet, they are often abused, underpaid, and treated as replaceable. The only surprise should be that this doesn't happen far more often.
At the core, IT people are usually seen as cost centers and not revenue generators. Not that I disagree with the business owners a lot of the time because IT is usually not the thing that makes a lot of companies money.
Often people about to get fired knew long before that axe was coming. Making sure everything is properly backed up and secure is a better option and what you should be doing anyway.
So true. A former employer continues to share google docs with me -- not just updates to docs I had been using but new docs as well. I don't read them because they're no longer any of my business, but I haven't been able to stop it from happening.
If they're being added to a folder, you can remove your own permissions from the folder. At least if you have write access.

If they're sharing them individually with you... then clearly they're not paying attention.

> should have disabled all access from this ex-admin

You can't. Not from an admin.

Same as how if you are rooted the only advice is to reinstall. It's simply impossible to reliably undo everything from inside the machine.

If you are a company, reimage the machine, then reinstall everything, and copy the code fresh from known good source control (and hope someone was watching source control that the admin did not check something in).

Of course you can. The moment his account is deactivated, he should not be able to access any machine in the system. Unless, of course, he proactively installed backdoors, which is a criminal offense, at least here in Germany. And with a proper setup, he should not get random remote access.
Unless you have exceptionally good controls, it's very hard to be sure there is not an SSH key sitting on some machine that would allow access and possible nefarious activity by a dishonest ex-administrator.
This is one of many great reasons to rotate them regularly in an automated way. e.g. https://derpops.bike/2014/06/07/ssh-key-rotation-with-ansibl... or update it in your master image / wherever it comes from if doing immutable system images for deployments.

edit: also, use a bastion host which has the keys on it and don't allow them to be removed / used from laptops directly.

Let your Puppet/Ansible clear out all non-managed keys. If it's not in version control, you don't know who did what when. That's a nightmare as soon as you are more than two admins.

Also, the CA mode of OpenSSH is great. More people should use it. It's like PKI but sane.
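
As an added example (not part of the thread or any commenter's code), the "clear out all non-managed keys" check above can be sketched as an audit that fingerprints every `authorized_keys` entry and reports those missing from a managed list. The key blobs, user names and the `MANAGED` set are constructed for illustration; in practice the managed list would come from version control.

```python
import base64, hashlib, re, struct

# key type, base64 blob, optional comment; anything before the type is options
KEY_RE = re.compile(r'(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')

def fingerprint(b64_blob):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, managed):
    """Return (line number, reason, detail) for every entry not in `managed`."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        try:
            fp = fingerprint(m.group(2)) if m else None
        except ValueError:              # blob is not valid base64
            fp = None
        if fp is None:
            findings.append((n, "unparseable", line))
        elif fp not in managed:
            findings.append((n, "unmanaged", m.group(3) or ""))
    return findings

def _sample_key(seed):
    # Constructed sample: an ed25519-shaped blob of filler bytes, not a real key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

ALICE, BOB, OLD = _sample_key(1), _sample_key(2), _sample_key(3)
MANAGED = {fingerprint(ALICE), fingerprint(BOB)}  # assumption: list kept in version control
SAMPLE = f"""# constructed authorized_keys file
ssh-ed25519 {ALICE} alice@bastion
from="10.0.0.0/8",no-pty ssh-ed25519 {BOB} bob@bastion
command="/bin/sh -c 'true'",no-agent-forwarding ssh-ed25519 {OLD} old-admin@laptop
not a key line
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, MANAGED):
        print(finding)
```

Comparing fingerprints rather than comments matters because the comment field is free text and says nothing reliable about who holds the key.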

Dead man's switch? Embed a process somewhere to trip when an account is removed from AD/some other trigger.
Bad employees know they are bad employees. Sometimes they plan ahead for the dismissal.
A "proper exit procedure" designed and implemented by who exactly? And what if they go rouge?

This problem is not as simple as you are pretending it is.

Once you turn rouge you'll never be rogue again.
timebomb?