Recently we took over a new site, and as part of that we went about changing passwords for a number of key services and a few additional items. This then became a discussion amongst my fellow MVPs about what you change when you take over a site, so I took it upon myself to put together a list of passwords and other things to review when you take over a site.
Network Related Items
Firstly, secure the most recent backups of the servers. That way if anything goes amiss, you have something to compare against. Then create a new Admin account with a password only you know as a temporary backdoor, so that you cannot lock yourself out during the resets – delete it once you have completed all the following.
- Remove remote access programs, e.g. LogMeIn, Kaseya agents etc. – this is to ensure that the previous IT guy can’t get in remotely.
- Document the firewall open ports – ensure you know what remote access is available to everyone who has a password for the network.
- Review all Domain Admin passwords and ensure that the passwords are changed and comply with complexity requirements.
- Force all users to change their passwords – just in case the old IT guy knows some of the users’ passwords – this way you can be sure he does not masquerade as one of them and do anything malicious.
- Service Accounts – review services.msc and ascertain which accounts are used and by which services – change all of their passwords and then monitor the services for problems.
- Backups – change both the backup service account and any encryption passwords used to encrypt the backups – this will ensure that should he get hold of the backup drive from this point on, he can’t restore any data.
- Task Scheduler – review to see if there are scheduled tasks that run under named accounts and reset those passwords as needed.
- Your Antivirus Console – ensure you change passwords here for all admin functions. Be aware that some software, such as Trend WFBS and OfficeScan, has separate passwords for the Admin console and for the ability to unload/uninstall the client software.
- UPS console – change this, as it gives someone the ability to shut down your servers.
- Email Notifications within programs – e.g. ShadowProtect/ImageManager, backup programs etc. – check them to ascertain what accounts they use for their notifications – change these to ensure that they can’t be compromised.
- Multifunction devices – i.e. scanners that authenticate to the server will have some form of account – review and change as needed.
- Router/Firewall admin – this is a key one.
- Alerts – check where they are sent and remove old external recipients, as alerts could otherwise give him ongoing knowledge of what is happening in the network after you take over.
- Email Mailboxes – check for forwarders that might send information to people offsite.
- Switches in the network – again, you want full control as soon as possible.
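The service-account, Task Scheduler and mailbox-forwarder items above are all inventory steps: before you can reset anything you need a list of which services and tasks run as a named account, and which mailboxes forward mail offsite. The following PowerShell script is an added example (not from the original post) that builds that list on the server it runs on. It assumes Windows Server 2012 / PowerShell 3 or later (for Get-CimInstance and Get-ScheduledTask), an elevated prompt, and, for the mailbox section only, that the Exchange Management Shell cmdlets are loaded; the section is skipped otherwise.

```powershell
# Added example (not from the original post). Inventories every service and
# scheduled task on this server that runs under a named account rather than a
# built-in identity, and, if the Exchange cmdlets are loaded, every mailbox-level
# forward and inbox rule that forwards or redirects mail. Assumptions: Windows
# Server 2012 / PowerShell 3 or later, elevated prompt, Exchange Management Shell
# for the mailbox section.

# Identities that have no password of their own to rotate.
$builtIn = @(
    'LocalSystem', 'SYSTEM', 'NT AUTHORITY\SYSTEM',
    'LocalService', 'LOCAL SERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\LocalService',
    'NetworkService', 'NETWORK SERVICE', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\NetworkService',
    'Users', 'Authenticated Users', 'INTERACTIVE', 'Everyone'
)

function Test-NamedAccount {
    param([string]$Account)
    # Empty, built-in, or virtual (NT SERVICE\...) accounts are skipped.
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    if ($builtIn -contains $Account) { return $false }
    if ($Account -like 'NT SERVICE\*') { return $false }
    return $true
}

# Services: Win32_Service.StartName is the logon account.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-NamedAccount $_.StartName } |
    ForEach-Object {
        [pscustomobject]@{
            Type    = 'Service'
            Name    = $_.Name
            Account = $_.StartName
            State   = $_.State
        }
    }

# Scheduled tasks: the principal's UserId is the account the task runs as.
$tasks = Get-ScheduledTask |
    Where-Object { Test-NamedAccount $_.Principal.UserId } |
    ForEach-Object {
        [pscustomobject]@{
            Type    = 'ScheduledTask'
            Name    = $_.TaskPath + $_.TaskName
            Account = $_.Principal.UserId
            State   = [string]$_.State
        }
    }

# One list of (Type, Name, Account, State): the accounts to reset and then watch.
$inventory = @($services) + @($tasks)
$inventory | Sort-Object Account, Type, Name | Format-Table -AutoSize
$inventory | Export-Csv -Path ".\$env:COMPUTERNAME-account-inventory.csv" -NoTypeInformation

# Mailbox forwarders: only when the Exchange cmdlets are available in this session.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # Mailbox-level forwarding, normally set by an administrator.
    $mailboxes |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
        Format-Table -AutoSize

    # User-created inbox rules that forward or redirect mail elsewhere.
    $mailboxes | ForEach-Object {
        Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    } | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
        Format-Table -AutoSize
}
```

Run it once per server and keep the CSVs: the Account column is the list of passwords to reset, and the Name/State columns are what to watch after each reset so a failed service or task is noticed straight away. Any mailbox forward or rule that points to an address outside the organisation should be reviewed against the "forwarders" item above and removed unless the business can vouch for it.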
Other Non-Network Related Issues
- Alarm system codes – very often the IT guy had these so he could access the office out of hours – you need to ensure you get all keys and swipe cards back as well as changing/revoking his access. I’d even go so far as to speak to the alarm monitoring company to ensure that his name is added to a black list.
- ISP Login details for your internet connection or Internet control panel
- DNS / domain name registrar passwords – ensure the registrant and contact details are redirected to yourself or your client as per your standard protocol.
- External antispam passwords – for facilities such as ExchangeDefender, Trend IMHS etc.
- Cloud services passwords – what other cloud facilities do you use that the old guy could access?
What else would you add to this list? The goal is to ensure that you get full control of the network as quickly as possible.