E-provisioning true stories reminder

Apr 28, 2003
3 mins
Access Control, Enterprise Applications

* E-provisioning tales: Be very afraid

There are only a few days left to enter Business Layers’ “Most Absurd Stories in Provisioning” 2003 contest, so head over to the contest’s Web site (link below) and tell your story. Business Layers is offering up prizes of a portable DVD player, a GameCube or a Diamond RIO multimedia player to the winners, but you only have until the end of the month to enter.

To give you an idea of what contest organizer Sharon Tolpin is looking for, here’s an early entry:


My colleague left the company two years ago. When he went, the remote ISDN line and modem dial-in numbers were not changed. The administrator account (which he used) was not changed, and his own user account was not deleted. The building gate and door codes, including the alarm codes, were not changed. In those two years, I have frequently seen him on the system via modem dial-in to our Citrix servers, logged in as the Administrator.

I leave the company tomorrow. Even though I handed my notice in four weeks ago, I still have full access to the entire system from the payroll software to the spreadsheet with a list of every username and password on it. I have had access to a writable CD-ROM drive and blank disks to make copies of such information as router configurations, phone numbers and more.

I built and maintained every server in the company and configured every router and switch. At any time I could have made changes to any of them without question from anyone. Keep in mind I am not the manager; I am just a member of staff.

No passwords have been changed, my account has not been deleted and I will be able to dial in whenever I like, log in as any user I want (thanks to my handy spreadsheet), and do whatever I want.

I looked after all Internet and e-mail access so I can do whatever I want with that, too, should the mood take me.

For the past four weeks I have also had keys to all our server rooms and the buildings they are located in. At any time I could have had copies made, for back-up purposes of course.

So after tomorrow when I have left I know that nothing here will change and that at any time I could log in and do whatever I want without anyone knowing about it. After all, I have made sure that all remote connections are not logged by any of our servers.


Maybe it’s time you looked into a deprovisioning solution, eh?