Employment termination, like onboarding new hires, is an ongoing process for every organization. People get fired, quit or resign, replacements are found – it’s a never-ending story. IT departments, among others, have to handle account deletions and the other actions tied to employee turnover.
In a perfect world, there would be a very specific checklist for handling user account deletions, so that a departed employee’s account would never be left active. But ours is not a perfect world, so there’s always a time and a place for discussion and sharing of experience. For instance, we stumbled upon a thread on Spiceworks in which several dozen system administrators told their – mostly unpleasant – stories. We summarized the thread so that you can get an overall impression and maybe learn a trick or two to implement at your workplace.
In the discussion, several proud sysadmins appeared, describing how smoothly the process runs for them. There’s always a document – a checklist or a workflow of some sort. The IT department is notified promptly and has enough time to complete the task. A typical checklist for dealing with user terminations looks something like this:
- HR notifies IT department (a request is sent via email and raised as a helpdesk ticket)
- The account is disabled, its password is reset, and it is moved to a dedicated OU in Active Directory (named, for example, “Quarantined”, “Firewall/security”, or “To be exmerged”)
- Memberships and ERP access are removed
- The user’s login is removed from OWA so that the old email address can no longer be accessed remotely
- Hardware register is checked and laptop or PC is retrieved back into stock
- Phone register is checked and deleted/reassigned
- Key card is retrieved and reassigned
Other popular practices include filling out and submitting a separation form that records the following: when to cut access, where to put the equipment, what backups (to tape, DVD, etc.) are needed, and whether email should be forwarded to HR or a manager. Simply working through the onboarding document in reverse can also be an easy way to handle the case. Remember to archive the emails in the ex-user’s mailbox as well as his or her files; this can be done within 30 to 90 days, depending on the position.
Some IT pros recommend always changing the password first, whereas others argue that this will not solve the problem of remote access, because credentials are cached per system, not per user. You can only disable remote access immediately by moving the mailbox to a different server or doing an iisreset on the front end. This means that it would be better (if not obligatory) for an IT administrator to know about a termination in advance and have some time in hand. Normally, a policy states that IT should be notified about terminations immediately (if the termination is involuntary) or as soon as the employee gives notice. In the case of two weeks’ notice, access rights may be limited to the critical minimum required to finish the work. One important practice at many companies is setting a fixed time for disabling the account (normally 4 PM on the last day of employment).
Another good security practice is to use PowerShell scripts, which can automate routine tasks: disabling the account, revoking access, auditing assets, exporting the mailbox to a PST file, and many more. Some sysadmins develop scripts that change the password and email HR to confirm that the account has been deleted.
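As an added example, not code from the article or from the Spiceworks thread, here is a PowerShell function that applies the checklist steps above to a single Active Directory user: disable, reset the password, record and strip group memberships, move to the quarantine OU, then cut remote mail access and export the mailbox. The OU path, PST share and ticket number are placeholder assumptions, and the mailbox steps assume an Exchange Management Shell session.

```powershell
#Requires -Modules ActiveDirectory
function Invoke-UserOffboarding {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $QuarantineOU = 'OU=Quarantined,DC=example,DC=com',  # placeholder OU
        [string] $PstShare     = '\\fileserver\Offboarding',          # placeholder share
        [string] $Ticket       = 'HD-0000'                            # placeholder helpdesk ticket
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, DistinguishedName

    # 1. Disable the account and reset the password to a random value nobody knows,
    #    so neither the user nor a credential cached on a remote PC can reuse it.
    $randomPwd = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    Disable-ADAccount -Identity $user
    Set-ADAccountPassword -Identity $user -Reset `
        -NewPassword (ConvertTo-SecureString $randomPwd -AsPlainText -Force)

    # 2. Record the memberships in the Description for the audit trail, then strip
    #    every group (the primary group, Domain Users, is not in MemberOf and stays).
    $groupNames = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    $note = 'Disabled {0} ticket {1}; groups: {2}' -f (Get-Date -Format 'yyyy-MM-dd'),
                                                      $Ticket, ($groupNames -join ',')
    Set-ADUser -Identity $user -Description $note
    foreach ($group in $user.MemberOf) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }

    # 3. Park the object in the quarantine OU, where it is reviewed before deletion.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU

    # 4. Cut remote mail access (OWA, ActiveSync, EWS) and export the mailbox to PST
    #    for the 30-90 day retention window. Exchange cmdlets; skipped if not loaded.
    if (Get-Command Set-CASMailbox -ErrorAction SilentlyContinue) {
        Set-CASMailbox -Identity $SamAccountName -OWAEnabled $false `
            -ActiveSyncEnabled $false -EWSEnabled $false
        New-MailboxExportRequest -Mailbox $SamAccountName `
            -FilePath "$PstShare\$SamAccountName.pst"
    }
}

# Usage: Invoke-UserOffboarding -SamAccountName 'jdoe' -Ticket 'HD-1234'
```

The Description field keeps the removed group list with the account, so access can be audited or restored if HR later reverses the termination.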
However, life’s no fairytale. Let’s look into the obstacles that sysadmins face regarding user deletion. The most popular complaint is that no one notifies IT. This means there’s no helpdesk ticket, no email from HR or a manager – complete silence. Sometimes the news reaches the department only when someone in IT notices that a person has been missing for a while, and that while can be as long as six months. Other times, an IT guy hears something randomly from a co-worker and finds himself to be the last to know. What is the harm in that? Firstly, the ex-employee can still access the systems from home or mobile devices, erase emails and folders, steal data and – if he or she didn’t part with the company on good terms – use that data against the ex-employer. This has actually happened on numerous occasions. It is a major security threat, and it may cause the organization reputational damage and financial losses, both from business continuity interruption and from a lawsuit.
To prevent this, a strict policy regarding user termination should be implemented in the company – and it shouldn’t fall exclusively on the shoulders of the IT department. The crucial factor here is timing: the sooner the notification arrives, the better. You can use the tips given in this article or come up with a form more suitable for your environment. Either way, disabling internal access is not enough: don’t forget to lock down remote access as well.
For more tips, you can read the full thread on Spiceworks.