jamieJamie Davis, VP Education, Product Management and Quality Control | Safe Systems

Picture this scenario: Your top lender was just terminated because she had been interviewing with the financial institution across the street. The management team fears she may try to log in after being let go to get information and contacts. They notify you, the network administrator, to disable all her accounts immediately. You do so but later find out she sent emails to potential clients from her email account even after it was disabled. How?

Disabling an account or changing a password will work on any new authentication attempts to Active Directory, however it will not end active sessions with that account. So if the employee is receiving emails on his or her phone or has an Outlook Web Access session open, there is a chance they can still use their email even after the account is disabled. The open window for this gap could be minutes, hours, or days as at some point the session will expire or time out ending the active session. If this is a concern there are a few options:

Use Active Sync to Wipe the Terminated User’s Phone

One strategy is to use Active Sync to wipe the terminated user’s phone. No one likes to wipe an employee’s personal device, but hopefully that employee signed off on this action when they agreed to have their personal phone receive company email.

Disable Logon Hours in Active Directory

Another step that can be taken is to disable all logon hours in Active Directory. Each user has logon hours that are set in their account information in Active Directory. Hopefully setting logon hours is already part of your institution’s onboarding process for new employees. Rescinding logon hours for all employee terminations would be a good practice for employee offboarding. By setting logon hours to zero, all active sessions the employee has with the email server should be terminated, eliminating their ability to continue using email after termination.

For most employees, this gap will never be an issue if left unaddressed. But since many people do not realize the gap is there, a small percentage of employees will be able to take advantage of the opportunity without anyone knowing. Adding logon hours to the employee termination process is a very easy step to avoid confusion and frustration in the event an employee tries to take advantage of the system.


  1. Jamie:

    What if the end use has been physically syncing with their PC and not using WebMail or active sync?

    Wiping will remove old information, but changing the log on hours will not remove any information that is currently stored on the device correct?

    What is your suggestion?

  2. Wiping will remove information currently on the device. Revoking logon hours will not allow the user to send or receive emails new emails.

    If the user has copied or synced information to another device, there is not any real options.

    For laptops or workstations, one option would be to disable USB ports if the machine is being taken out of the office. This would keep the employee from copying data off the machine. They could still email or upload to a cloud storage provider. I would recommend blocking Cloud Storage options at the firewall, but that will only disable access while the machine is in the office. Training, signed policies, and monitoring are your only other options.

    For a mobile device, there are some interesting applications available to address some of your concerns. Many of these applications fall under the popular MAM or Mobile Application Management heading of mobile device management (http://en.wikipedia.org/wiki/Mobile_application_management). To make a long story short, MAM in theory can allow employees to get corporate data on their phone but only in an app the company controls. Zix has an interesting take on this where they give you an email application on your phone but the email actually never lives on your phone. Therefore, at any time, email can be disabled and the phone no longer can view or access the email. I believe it has limited ability to copy or “sync” as well. Good Technologies is another company that focuses on this type of management. Safe Systems has not defined a recommended solution per se because the technology has really not settled down enough to know who the industry leaders will be and which methodology will win as far as how to manage mobile devices.

    I guess to answer your question, the article does not address the issue of data existing on other devices. To address that concern, it will be important to understand what kind of device is being protected and then address with the appropriate software, training, policies, and monitoring of policy adherence. Unfortunately, there is not a silver bullet answer to the question in my opinion. Hope this helps.

Comments are closed.