Mar 14 2012

When Ex-Employees Attack: How IT Should Respond

An IT worker shares his horrifying experience after a former coworker wreaked havoc through a deactivated Exchange account.

As unfortunate as it is, there are times when employees and employers may part ways on less than amicable terms. Whether it’s a firing or a layoff, an unexpected dismissal is an instant recipe for hurt feelings, tense emotions and in some cases, vengeance.

Jay6111 warns his fellow IT pros of the dangers of not setting up a thorough data protection and authentication deactivation plan for dismissed employees in an article for the Spiceworks Community.

In his case, a recently dismissed employee was still able to access his e-mail account and send out damaging and embarrassing information about the CEO’s wife, as well as confidential information to competitors.

Read the tale in Jay’s own words below:

The day started something like this: A ticket comes across for deactivation of an employee. Let’s call him Ezekiel. Nothing new. I do all my checks to make sure Ezekiel was disabled in AD, blah, blah, blah — you know the routine. An hour later, my boss calls me down to the CEO’s office. He heads me off at the door.

Boss: “You disabled Ezekiel’s account, RIGHT?”

Me: “Of course. Why? What’s going on?”

He moves aside so I can enter the office where I see a room full of top executives, all displaying angry red faces, clutching several printed out documents.

Me: “Hey, everyone. What’s up?” (My voice comes out sounding like Alfalfa’s from “The Little Rascals.”)

Exec 1: “THIS is what’s up,” he says, throwing a small stack of papers into my chest.

A quick glance and I can tell the papers are printouts of emails directed to several inside and outside partners describing, in detail, certain actions of the CEO’s wife, along with proprietary information about the company. I check the sender. To my surprise, it’s Ezekiel, the very same user I disabled not more than two hours ago.

Boss: “Check the timestamp! Have we been hacked?” he asks, pointing to the top of the paper.

The timestamp showed it was sent out 15 minutes ago, which by everything I was ever taught or knew about being a Systems/Network Administrator was impossible… Or was it? From here, it’s just a bunch of raised voices yelling and talking over one another for the next 10 minutes with all eyes on me while I slowly back myself into a corner cowering like a beaten dog. I don’t have any answers for them but assure them I will get to the bottom of this as I walk out with my tail between my legs.

This happened despite the fact that Jay had deactivated the user’s Exchange account with Active Directory. Why? Because while the account is instantly disabled on the LAN, Microsoft allows access through Outlook Web Access for 15 minutes after the account is disabled. Again, Jay explains:

So, why 15 minutes — why don’t we just lower it? There’s a reason to the madness. Each time a user logs into OWA, it creates a storm of ASP packets to the server for authentication along with other things. This isn’t so bad if it’s only happening every 15 minutes, but lower this setting in a larger organization, and your phone starts ringing from users complaining about performance on Exchange or frequent disconnect notices. Microsoft chose 15 minutes as the happy medium between performance and security.

This episode is a valuable lesson to all IT workers. Coordination with stakeholders and the human resources department is critical to avoid data loss and embarrassing scenarios like Jay’s. That could mean establishing a set time window for disabling to-be-dismissed employee accounts or blocking Outlook Web Access for that specific user days before.
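One way to check whether a disabled account kept using Outlook Web Access is to compare the time the account was disabled against the web server's request log. The following is an added example, not code from Jay's article or from Microsoft: it assumes IIS W3C logs that record `cs-username` for OWA requests, and the log lines, account names, addresses and disable time are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C format (times in UTC); not taken from the article.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2012-03-01 14:02:10 POST /owa/auth.owa CORP\\ezekiel 203.0.113.7 302
2012-03-01 14:09:44 POST /owa/ev.owa CORP\\ezekiel 203.0.113.7 200
2012-03-01 14:10:02 GET /owa/ CORP\\alice 198.51.100.4 200
2012-03-01 14:31:00 GET /owa/ CORP\\ezekiel 203.0.113.7 401
"""

# Hypothetical export of when each account was disabled in AD (UTC).
DISABLED_AT = {"corp\\ezekiel": datetime(2012, 3, 1, 14, 5, 0)}


def post_disable_owa_hits(log_text, disabled_at, window=timedelta(minutes=15)):
    """Return successful OWA requests made by an account after it was disabled."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        user = row.get("cs-username", "-").lower()
        cutoff = disabled_at.get(user)
        if cutoff is None or not row["cs-uri-stem"].lower().startswith("/owa"):
            continue
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        status = int(row["sc-status"])
        # Only requests the server still honoured after the cutoff are of interest.
        if when > cutoff and status < 400:
            hits.append({
                "user": user, "time": when, "uri": row["cs-uri-stem"],
                "client": row["c-ip"], "status": status,
                # True if inside the 15-minute window the article describes.
                "within_window": when - cutoff <= window,
            })
    return hits


if __name__ == "__main__":
    for h in post_disable_owa_hits(SAMPLE_LOG, DISABLED_AT):
        label = "in-window" if h["within_window"] else "LATE"
        print(h["time"], h["user"], h["uri"], h["client"], label)
```

A hit flagged as outside the window means access continued longer than the 15 minutes described above and deserves a closer look.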

For more on this story, read the full account on the Spiceworks Community blog.