When the Administrator walks...
We never like to see our co-workers leave. In most cases, though, we are happy for them because they are going on to bigger and better things. But occasionally they are not leaving under their own power. And that is when things can get...well...messy. So before you are tasked with the job of putting it all back together, why not take a moment and prepare?
I have discovered that there are two types of administrators – those who are shepherds of the systems, guarding them, nurturing them, and returning them to their employers in better shape than they found them, and those who are owners of the systems, jealously guarding them, babying them and only reluctantly returning them to their employers, usually when they are shown the door. It is this last group that will cause you the most pain and suffering, and it is this last group that you have to prepare for, guard against and stand watch over.
While there are a number of ways to get into a system after the fact (and we will briefly touch on some of them), if you can avoid having to use those tools, so much the better – for you, for the systems, and for your employers. The first step is to make sure there are policies and procedures in place. That means getting the Human Resources department involved at the beginning. Remember that HR is there primarily to protect the company, so anything that helps them in this mission is generally regarded as a good thing, especially if it includes the systems they have come to depend on.
When new people start, what sort of background checks are you running on your SysAdmin people? Is it a simple credit check? Should it be more, such as an NCIC check (or your local equivalent)? What about contractors? Personally, I have always thought we should be bonded, given the incredible access to corporate information many of us have. When it is time to leave, what are the policies for departure? Is there a clause that will suspend or withhold the final paycheque if all of the pertinent data is not turned over – especially root passwords – upon termination? Are there penalty clauses in contracts for outsourced systems, or contractors?
How about indemnification from unlawful access for password recovery? If you are thinking your company is too small or you are just a cog in the machine and do not have to concern yourself with these issues, think again, because it could be you the General Counsel comes to. Remember, in many parts of the world, cracking a password or a system is illegal, even if you are being contracted to do it. There is enough case law against you. So make sure the protections exist beforehand.
There are a myriad of other things you can include to ensure a smooth transition. One of the biggest, of course, is making sure that a team of trusted people know the root password(s) and that it takes that team to change it. This requires more hardware and scripting skills, but is a much better way to maintain password security. Of course, once you set the root password you should forget it and have proper least-access procedures, but we all know that in a shop of one or two, or two hundred, what is best practice is not always followed.
Which brings us to the systems. If you have more than one server, do yourself a favor and use a directory service. Whether it is NIS and its derivatives or LDAP, it will save you pain and suffering in the long run if you set it up now and fully document its installation, implementation, configuration and use. And then use it!
But, despite all of your best efforts and preparations, the day will come when the boss and a lawyer (or two) will be standing at your desk, with a writ, or a warrant, or a letter of authorization (or all of the above), asking you to help clean up. And unless you really like digging through trash, this will become the worst day of your life, even if the task only takes a couple of minutes. I can categorically say that, other than browsing cache files, cracking systems is the least enjoyable part of my job. But sometimes you have to do it. And this is where you need the tools.
So what sort of tools do you need? Well, besides a screwdriver with an assortment of screw bits (I keep a flat head, Phillips and a Torx bit in common sizes), you might also want a knife and a pair of pliers. You may need cable crimping tools too, depending on your department and your gear. You will also need some software. The hardware is for extraction. Depending on those policies you set up, it may be necessary to image off the primary disk prior to doing any cracking. And depending on the size and makeup of your hardware, that might mean removing the disk from the case. Now we have come a long way in ten years, to the point where almost any system can be hooked up to an external terabyte or larger standalone USB disk, thus reducing the need to remove the core disk from the system, but there are some systems out there still in service to which you cannot just hook up a disk. Know your policies in this area and do not let yourself be rushed. And document, document, document every step. This will help you when you get hauled into court to testify. (I would suggest that if you do not own a suit, and you find yourself being asked to do this sort of thing, you make sure you can buy a suit...).
And then, there is the software. I am not going to go through the steps for cracking a system. Sorry, there are lots of sources out there and there are lots of ways to break the egg. Each situation is different, but here are some general recommendations. First, make sure you have a LiveCD of your favourite distribution. Fedora, Ubuntu, even Knoppix have a number of tools already baked in that you will find you need. If possible, write your LiveCD out to a USB stick and add additional packages so they are there when you need them and you will not have to rely on an external connection to the Internet. Depending on the system you are being asked to access, it is best to assume you will not have access to the outside world. So bring it with you. Second, it is good to have a handful of Windows tools, such as chntpw and others. There are a number of them available that all run on Linux for tasks such as mounting disks, accessing and changing the passwords, and accessing and changing the registry. And you should know how to use them. Finally, I cannot stress enough that you document, document, document and do not let yourself be rushed.
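The two preceding paragraphs tell you to image the primary disk before touching it and to document every step. Here is an added example of what that looks like from a LiveCD shell: it is not from the article, and it assumes GNU dd and sha256sum, a source path SRC (a device such as /dev/sda on a real system, a constructed sample file here), an output image IMG and an audit log LOG. The source is hashed before imaging, the image is hashed afterwards, and every step is appended to the log with a UTC timestamp and the operator name.

```shell
#!/bin/sh
# Added example, not the article's own procedure. Assumptions: GNU coreutils (dd, sha256sum),
# SRC readable, IMG writable, LOG appendable. OPERATOR may be set in the environment;
# it defaults to the current login name.

log_step() {
    # One audit line per step: ISO-8601 UTC timestamp, operator, message
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${OPERATOR:-$(id -un)}" "$*" >> "$LOG"
}

# image_disk SRC IMG LOG -> 0 if image hash matches source hash, 1 if dd failed, 2 on mismatch
image_disk() {
    SRC=$1; IMG=$2; LOG=$3
    log_step "BEGIN imaging src=$SRC img=$IMG"
    # Hash the source first so the log records its state before anything else is done to it
    src_hash=$(sha256sum "$SRC" | cut -d' ' -f1)
    log_step "SRC sha256=$src_hash"
    # bs=512 matches the sector size, so conv=sync never pads a readable device;
    # conv=noerror keeps going past read errors, sync zero-fills the bad block instead of
    # dropping it, which would shift every later offset. dd's own summary goes into the log.
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>>"$LOG" || {
        log_step "FAIL dd exit=$?"
        return 1
    }
    img_hash=$(sha256sum "$IMG" | cut -d' ' -f1)
    log_step "IMG sha256=$img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        log_step "VERIFIED source and image hashes match"
        return 0
    fi
    log_step "MISMATCH source and image hashes differ"
    return 2
}

# Constructed 2 MiB sample "disk" so the example runs offline; on a real job SRC is a block device.
WORK=$(mktemp -d)
head -c 2097152 /dev/urandom > "$WORK/sample_disk.bin"
if image_disk "$WORK/sample_disk.bin" "$WORK/sample_disk.img" "$WORK/audit.log"; then
    echo "image verified; audit log at $WORK/audit.log"
fi
```

A read error on a real disk will show up as a hash mismatch because of the zero-filled blocks; the log then records both hashes and dd's error lines, which is exactly what you want on record.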
It is sad when our friends and co-workers leave us. But it does not have to be a catastrophe. Because at the end of the day, we still have to manage the systems, and if we cannot do that, we could well be the next to leave.
Follow up: For those who have an interest in this, here is a perfect case in point that I had forgotten about. Terry Childs held the city of San Francisco essentially hostage because he controlled the passwords to the routers and switches. He claims he was doing it as a service to the City. He is currently looking at a 5 year jail sentence, although he could be released shortly if time served is considered.