To reduce your exposure, you should have a documented plan for when your Domino Administrator leaves, especially if it is on bad terms. This is one of those items that you should do sooner rather than later.
To assist you with this, there are some things that IBM recommends that you secure, shown below. I have added some comments, in parentheses, but this list should be used as a guideline. Your environment will probably require more items.
- Ensure that you have access to the Domino Certifier ID file and password. (This is the step that scares me the most. Without those two files . . .)
- Lock out the Administrator's Notes ID.
- Obtain the Administrator's workstations.
- Secure physical access to the Domino servers.
- Disable the Administrator's remote access to the network, and disable their accounts at the operating-system level.
- Change any operating-system-level passwords on other accounts that this person may have known.
- Add the Administrator to a Deny Access group in the Domino Directory.
- If the Administrator knew the password to any administrator-level accounts, these accounts should be added to the Deny Access group as well. Depending on the ID, this may cause users not to have access to their mail.
- Alternatively, you can enable password checking and force all users to change their passwords. This would allow current users to maintain access, but leave the Administrator with an old password that is no longer valid. (If you do not have password checking enabled, some people may complain about Notes performance when it is enabled. There is a bit of overhead involved as the client and server compare passwords.)
- Monitor and audit for any strange Domino or network activity. (This is very important, especially if the Admin left on less than happy terms.)
You can't remove the Administrator's name from the Domino Directory until you have audited the agents on the server. If the Admin has signed any agents and his/her name is not in the Domino Directory, the agents will most likely fail to run. With the Administrator's name in the Deny Access group, however, s/he will not have access to the environment, provided there are no other backdoors.
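One way to run the agent audit described above, as an added example (not IBM's or this post's code): a LotusScript agent that walks every database on a server and lists the agents whose NotesAgent.Owner (the name that last modified and saved the agent) is the departing Administrator. SERVER_NAME and LEAVING_ADMIN are placeholder values, and treating Owner as the signer is this example's assumption.

```lotusscript
Option Declare

' Added example. Run with an ID that can open the databases being audited.
' Both constants are placeholders (assumptions), not values from the post.
' Use "" for SERVER_NAME when the agent runs on the server itself.
Const SERVER_NAME = "Server01/Acme"
Const LEAVING_ADMIN = "CN=Departed Admin/O=Acme"

Sub Initialize
	Dim dbdir As New NotesDbDirectory(SERVER_NAME)
	Dim db As NotesDatabase
	Dim agents As Variant
	Dim hits As Integer

	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		On Error Resume Next        ' skip databases this ID cannot open
		Call db.Open("", "")
		On Error Goto 0
		If db.IsOpen Then
			agents = db.Agents      ' not an array when the database has no agents
			If IsArray(agents) Then
				ForAll a In agents
					If SameName(a.Owner, LEAVING_ADMIN) Then
						hits = hits + 1
						Print db.FilePath & " | " & a.Name & _
						" | enabled=" & CStr(a.IsEnabled) & " | owner=" & a.Owner
					End If
				End ForAll
			End If
		End If
		Set db = dbdir.GetNextDatabase()
	Loop
	Print "Agents to review and re-sign before removing the name: " & CStr(hits)
End Sub

Function SameName(ownerName As String, targetName As String) As Boolean
	' Normalise both names to canonical form and compare case-insensitively
	Dim o As New NotesName(ownerName)
	Dim t As New NotesName(targetName)
	SameName = (LCase(o.Canonical) = LCase(t.Canonical))
End Function
```

Databases that the running ID cannot open are skipped silently, so an empty result only covers what that ID could read.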
Link: Securing a Domino environment when an administrator is leaving
Comment posted by Keith Brooks, 09/11/2008 09:01:30 AM
To get around the Agents, I highly recommend RPRWyatt's (www.rprwyatt.com) Essential Agent Master tool to not only see which ones are wrong, but fix it as well.