Implementing OCK - One Click Kill
We as IT Administrators need a strong control over the physical and digital assets of the company. I've seen many instances where disgruntled ex-employees have locked their laptops because they were fired, deleted stuff from the internal SharePoint site they had access to, encrypted their drives with BitLocker to make it inaccessible, or leaking confidential sensitive company data. This usually happens within the timeframe they get a hint that they may be let off to the time their accounts are actually disabled. This happens because de-provisioning all accounts today takes a considerable amount of time, especially if you don't have SSO (Single Sign-On) in place.
So now the question is, how quickly can you disable an employee's access to all corporate sites/services to ensure security and prevent loss of data? Here's what we have at my company:
- Active Directory (AD) on Windows Server 2012 Domain Controllers
- Our production website based on PHP that uses AD to authenticate users
- Office 365 with Exchange Online, SharePoint Online, Lync Online which which uses DirSync to sync AD objects to the cloud
- PPTP/L2TP and SSTP based VPN for roaming users and site to site connectivity across branch offices worldwide to our HQ
- PowerShell Web Access (PSWA) enabled on the DC with an authorization rule that only allows me to use PSWA over HTTPS
- Windows 7 clients domain joined and always connected to our HQ (locally or via VPN)
- A smartphone (Windows Phone/iPhone/Android) with a javascript enabled browser that allows cookies and supports HTTPS
Next steps that I did was to publish the PSWA site to the public internet to make it accessible from anywhere on any browser. To do that, I put an IIS Web Server with a valid certificate issued by an external CA (not required, you can use self-signed too) in DMZ and published the PSWA site on a subdomain we owned. I then installed identity federation using Active Directory Federation Services (AFDS), created trust relationship and enabled SSO. I then changed the User Rights Assignment on the clients using Group Policy to allow domain administrators to shutdown the machine remotely.
Now all I have to do for OCK is to force shutdown the remote machine and reset/disable the account credentials in AD immediately. Access to all other sites/services will automatically be disabled. I have saved the scripts to shudown and disable accounts in the Drafts in my phone. It looks like this:
**shutdown -s -f -t 10 -m \**remotePC -c "Sorry, you have been fired and computer will shutdown in 10 seconds."
Disable-ADAccount -Identity userName
Now, all you need is a browser and an internet connection on any device. You can just edit the remotePC and userName parameters according to your needs and Submit it in the PowerShell session. Here's a screenshot of PSWA on my iPhone. You can now disable anybody's account sitting anywhere and force shutdown the laptop no matter which part of the world they are in. They can't login after restarting the PC because their account is already disabled! Cool, right?
For additional data protection assuming the disgruntled ex-employee takes away the hardware, you can have security measure like NTFS Permissions, EFS, BitLocker, AD-RMS and so on in place. We'll talk about that in probably another wiki article. If you don't want to expose the PSWA to the internet, you can use a VPN app on your phone and perform the same thing after connecting to the corporate network.
Let me know what you think about this - bricks and bouquets both welcomed. Cheers! :)
-Server Baba.