
Termination of any employee is a difficult process, but terminating a system administrator can add
several layers of complexity. SDGblue can help your organization be ready for these trying, tense,
and often time-sensitive situations. A system administrator has an intimate knowledge of your
company’s data and systems. To guide you in severing the ties between your organization and your
system administrator, SDGblue has provided a checklist of items that you should consider
during your termination process. This list should be viewed as complementary to your internal
employee termination process and unique to the system administrator position.

The “Onsite Checklist” below is only a guide, is not comprehensive, and in no way claims to be the
full system administrator termination checklist for your organization. Also, many of the individual
items in the checklist can be completed internally, but the complexity and potential for unexpected
challenges justify a hands-on approach. SDGblue strongly advises your organization to have an
onsite technical presence. Should you need more in-depth advice, please call us at 859.263.7344 so
that we may help you develop a complete employee termination process.

Onsite Checklist
1. Perform full system backups of critical systems. This may require additional resources, and
an internal resource should validate the critical servers. An image backup of the servers to a
portable hard drive device would give you the ability to make full backups very quickly and
allow for storage of the images offsite.
2. Disable the Active Directory User account(s).
3. Disable/change passwords for any other identified user accounts or authentication
methods, i.e. vendors, contractors, partners.
4. Disable any other remote access identified in infrastructure audit. Some examples are
below:
a. VPN access into network
b. VPN access to any of the firewalls (main or branches)
c. RDP into servers
d. VNC into servers or workstations (check firewalls to see if this exists).
e. Dial-in access to any systems
f. Call home software, i.e. GoToMyPC, which could be loaded on any server or
workstation
g. Any KVM devices with IP capabilities
h. Any SSIDs on wireless that do not depend on Active Directory Authentication
i. Any iLO or DRAC or similar hardware management ports or boards in any
servers
j. Any UPS network management cards
k. Any environmental monitor devices with IP access
l. Outlook web access
m. Cellular phones with access to synchronize email
n. Managed VPN network
5. Re-route email, phone, Track IT and any other identified communication to the
identified staff.
6. Change physical access methods at the main location and branches, i.e. key code access
on the doors, key locks changed, access cards revoked, alarm codes changed.
7. Notify staff of the termination.
8. Notify all third parties identified in DR/BCP documentation of staff change, and provide
contact information for the new contact. An example list is below:
a. DNS hosting
b. MX records for the email server
c. ISP
d. Managed VPN
e. Telephone systems vendor or vendors
f. Website hosting
g. SSL Certificate Providers
h. All software vendors/volume licensing vendors
i. Alarm company
9. Change administrative access.
10. Audit System Administrator workstation for beaconing or “call home” software such as
GoToMyPC.
11. Audit Active Directory for all administrative level access. Change passwords for all user
objects with administrative access.
12. (Optional) Audit network devices for beaconing, or call home software.
13. (Optional) Audit network for rogue Access Points and unauthorized wireless access.
14. Audit network edge devices to identify any remote access allowed into or through devices
directly attached to the internet or indirectly attached through firewall rules.
15. Audit wireless networks for SSIDs that do not require Active Directory authentication.
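
Items 2 and 11 above, sketched in PowerShell as an added example (not part of SDGblue's checklist): it disables one account, then lists every user holding administrative rights, including through nested groups, and flags enabled accounts whose password predates the termination. The account name, cut-off time and output file name are placeholders, and it assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and domain admin rights.
Import-Module ActiveDirectory

# Constructed placeholders: substitute your own values.
$TerminatedSam = 'PLACEHOLDER-admin-account'   # sAMAccountName of the departing admin
$Cutoff        = Get-Date '2024-01-15 14:00'   # local time of the termination

# Item 2: disable the account, then read the state back rather than assuming success.
Disable-ADAccount -Identity $TerminatedSam
Get-ADUser -Identity $TerminatedSam -Properties Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, MemberOf

# Item 11: walk the built-in privileged groups, following nested groups.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so lookups for them are allowed to fail quietly in a child domain.
$Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$byGroup = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Source = $g; DN = $_.distinguishedName } }
}

# Accounts stamped adminCount=1 are, or once were, members of a protected group
# (Account Operators, Backup Operators, ...), which the group walk above can miss.
$byFlag = Get-ADUser -LDAPFilter '(adminCount=1)' |
    ForEach-Object { [pscustomobject]@{ Source = 'adminCount=1'; DN = $_.DistinguishedName } }

# One row per account; members from other domains may need a separate lookup.
$report = @($byGroup) + @($byFlag) | Group-Object DN | ForEach-Object {
    $u = Get-ADUser -Identity $_.Name -Properties PasswordLastSet, LastLogonDate
    $stale = (-not $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $Cutoff)
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        FoundVia        = ($_.Group.Source | Sort-Object -Unique) -join ', '
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        NeedsReset      = $u.Enabled -and $stale   # password not changed since cut-off
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
$report | Where-Object NeedsReset |
    Export-Csv .\admin-password-resets.csv -NoTypeInformation
```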

Questions you need to ask:


1. Do you need to secure the workstation from a forensic standpoint? Is your organization
interested in substantiating or investigating any activities that may have been performed on
or from the system administrator’s workstation?
2. Who will be given administrative privileges, or will these be shared with additional staff? If
they are to be shared, you need to identify those staff members and their levels of access to IT systems.
3. Where should phone calls and emails directed to the System Administrator be routed
immediately after termination?
4. Where should Track IT ticket information requests and problem reports directed to the
System Administrator be routed immediately after termination?
5. Do you have a password list for all IT systems, vendors and devices?
6. Is the network equipment physically secured?
7. Who will be the technical contact and System Administrator in the interim, or has a
replacement already been identified?
8. Have you also followed any internal employee termination processes?
9. Have you performed an audit of major purchases over the last 12 months?

Should you have any questions about this list or need additional resources, please contact
SDGblue at 859.263.7344.
