<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>When you say goodbye to an employee</title><link>http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx</link><description>...what do you do with his or her account? Recently this question came up -- someone was asking for guidance on how to handle this very situation. And, as often happens, the question was more about process and policy than anything to do with the technical</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: When you say goodbye to an employee</title><link>http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx#1113484</link><pubDate>Thu, 31 May 2007 22:15:15 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1113484</guid><dc:creator>Arie de Haan</dc:creator><description>&lt;p&gt;Hi Steve,&lt;/p&gt;
&lt;p&gt;Totally agree, also it is easy to set the expiration of an account in AD, if it is to be used by hired personnel for a specific time. So you don't have to think of it yourself all the time. User can't log on -&amp;gt; time to renew the contract ;)&lt;/p&gt;
</description></item><item><title>re: When you say goodbye to an employee</title><link>http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx#1113875</link><pubDate>Thu, 31 May 2007 23:32:43 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1113875</guid><dc:creator>Christian</dc:creator><description>&lt;p&gt;Hi Steve,&lt;/p&gt;
&lt;p&gt;like always - good points. Just two comments I would like to add:&lt;/p&gt;
&lt;p&gt;1) &amp;quot;for S/MIME there is no backup&amp;quot;. Well, I hope you agree that if this is the case the company had some knowledge-free consultants. PKIs - including the Microsoft one - have best practices on how to back up and recover keys and there is typically no dependency on the user object. Especially in comparison to EFS it is much more likely - like you said - to have some non-managed EFS encryption happen than to have people using S/MIME without central policies and repositories.&lt;/p&gt;
&lt;p&gt;2) To me there is an additional question I try to find a good answer to when saying goodbye to an employee - it's the mailbox. It starts very easy in that you have to take care that the account is moved away from all distribution lists because of the annoying internal NDRs when disabled, but it gets much more complicated regarding incoming mails. One can say it is best practice that all the communication partners receive an &amp;quot;account unknown&amp;quot;, but maybe there are better solutions than this? In addition, what about mail-enabled password resets the biz unit has to do on service subscriptions or other web services the account was responsible for... should a colleague watch the incoming mail? Can this be combined with privacy?&lt;/p&gt;
&lt;p&gt;Thanks,&lt;/p&gt;
&lt;p&gt;Christian &lt;/p&gt;
</description></item><item><title>say goodbye to an employee but not their clients</title><link>http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx#1117021</link><pubDate>Fri, 01 Jun 2007 10:06:32 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1117021</guid><dc:creator>AdamV</dc:creator><description>&lt;p&gt;The user mailbox is always an issue. Good client care indicates that some sort of out-of-office reply is warranted such as &amp;quot;John no longer works, here, please contact Mary instead via &amp;lt;email&amp;gt; or &amp;lt;telephone number&amp;gt;...&amp;quot;&lt;/p&gt;
&lt;p&gt;Once the account is disabled, OOF no longer works natively on Exchange.&lt;/p&gt;
&lt;p&gt;So, what to do?&lt;/p&gt;
&lt;p&gt;a) create a new user account called &amp;quot;John OOF&amp;quot; which is a member of no security groups except those used to DENY access to things (such as UsersWithNoInteractiveLogonRightsAnywhere). Remove John's SMTP address(es) (and prevent RUS updates) and add them to this new account instead. There could be licensing implications of this of course - you now have an extra Exchange mailbox.&lt;/p&gt;
&lt;p&gt;b) create a Distribution List which goes to a sink account which is periodically or continuously emptied, add SMTP addresses for all users who leave, and make the text more generic - &amp;quot;The person you are trying to reach is no longer with the company. Please call our main office on &amp;lt;X&amp;gt; and we will connect you to an appropriate person.&amp;quot;&lt;/p&gt;
&lt;p&gt;c) do the OOF with a rule on your edge mail filtering device instead&lt;/p&gt;
&lt;p&gt;d) Treat users who have left just like non-existent users and NDR them, but customise with a telephone number to contact - this helps real people and does not simply create more spam to your info@ addresses when NDRing for accounts which never existed.&lt;/p&gt;
&lt;p&gt;e) if you have a clear usage policy covering ownership of their data post-termination and there is no overriding jurisdictional issue with privacy (as there would be in Germany for example) then you could use a one-member DL to redirect mail to their replacement member of staff.&lt;/p&gt;
&lt;p&gt;Of course, you only want an OOF message there for a short interim period (1 week - 6 months) which will depend on the person's role / importance and how quickly they left (has a handover been done or were they marched out for stealing paperclips?).&lt;/p&gt;
</description></item><item><title>re: When you say goodbye to an employee</title><link>http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx#1134319</link><pubDate>Sun, 03 Jun 2007 16:04:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1134319</guid><dc:creator>RobK</dc:creator><description>&lt;p&gt;Don't forget external providers that aren't federated with your directory. &amp;nbsp;For example you ought to pull someone's MSDN account when they terminate! &amp;nbsp;Or, someone in your finance department may have access with a payroll outsourcer you need to delete.&lt;/p&gt;
</description></item><item><title>Week's Links</title><link>http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx#1210731</link><pubDate>Mon, 11 Jun 2007 02:29:04 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1210731</guid><dc:creator>Alessandro "jekil" Tanasi blog</dc:creator><description>&lt;p&gt;Why DoS and DDoS attacks are the plague of the InternetHackers use evasive manuevering to escape detectionMitigate the effects of a DDoS attackDraft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems&lt;/p&gt;
</description></item><item><title>Passwords policies. Once again.</title><link>http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx#1897578</link><pubDate>Wed, 05 Sep 2007 01:14:46 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1897578</guid><dc:creator>Steve Riley on Security</dc:creator><description>&lt;p&gt;Recently in the newsgroups ( news:microsoft.public.security , to be specific) the question of password&lt;/p&gt;
</description></item></channel></rss>