Welcome to the Network Defense Simulator. In this scenario, you will apply fundamental identity and access management (IAM) controls to mitigate insider threats during the employee offboarding process. Learn to secure endpoints and restrict network access appropriately.
Network Scenario
You are operating as a Network Security Administrator within the core data center of an MNC. The enterprise network relies heavily on Linux jump servers (bastion hosts) to administer backend databases and critical internal routing infrastructure.
HR has just issued an urgent notification: Alice, a senior systems engineer, has abruptly resigned. To prevent potential unauthorized lateral movement, data exfiltration, or retaliation, her access to all infrastructure must be instantly revoked in accordance with the defense-in-depth offboarding policy.
Traffic & Logs
The SIEM dashboard is tracking active sessions and account statuses for the primary jump server:
[09:12:01] auth.info sshd[14421]: Accepted publickey for alice from 10.0.50.22 port 54322 ssh2
[10:00:00] user.notice HR_SYS: User 'alice' status changed to TERMINATED.
[10:02:15] auth.warn IAM_AUDIT: Active VPN session detected for UID 1005 (alice).
[10:05:00] alert.crit SEC_OPS: Action required - Disable access for 'alice' on host jump-srv-01 immediately.
* Note: The firewall has temporarily blocked her VPN IP, but local account access on internal servers must still be locked.
Question
Oliver is a Linux security administrator at an MNC. An employee named Alice has resigned from the organization and Oliver wants to disable her account on an Ubuntu server. Which of the following commands can be used to accomplish this?
A. usermod -L alice
B. usermod -J alice
C. usermod -K alice
D. usermod -M alice
Hint: Look for the flag that stands for "Lock". Disabling an account involves altering the password hash in the /etc/shadow file.
Expert Analysis
1. What is happening in the network
An employee termination event triggers an immediate offboarding protocol. The network perimeter (firewall/VPN) and internal host systems (Linux servers) must be synchronized to revoke access and prevent an insider threat scenario.
2. Identify attack or behavior
Failure to lock the account leaves an "orphan account" active: a valid identity with nobody watching it. Attackers routinely enumerate dormant accounts because their activity is unlikely to be noticed, and a former employee may attempt to log back in (via SSH on Linux hosts or RDP on Windows hosts) with leftover credentials, whether a password or an SSH key still present in her authorized_keys file, potentially deploying malware or exfiltrating data.
3. Why correct answer is correct
A. usermod -L alice is the correct command. The -L (Lock) flag modifies the user's entry in /etc/shadow by placing an exclamation mark (!) in front of the encrypted password. No password can hash to a string starting with "!", so password-based login to that host is disabled. One caveat a practitioner must know: -L locks only the password. Note the 09:12 log line, where Alice authenticated with "Accepted publickey"; a locked password does not stop OpenSSH public-key authentication, which is why the passwd(1) man page recommends also expiring the account (usermod --expiredate 1), as the mini lesson below does.
4. Why others are wrong
B. usermod -J alice: There is no standard -J flag in the usermod utility.
C. usermod -K alice: -K is not a usermod option at all; useradd -K KEY=VALUE overrides /etc/login.defs defaults when an account is created. It has nothing to do with locking.
D. usermod -M alice: usermod has no uppercase -M. The lowercase -m (used together with -d) moves the contents of the home directory to a new location, and uppercase -M belongs to useradd, where it means "do not create a home directory". Neither locks an existing account.
5. Defensive action
As a Network Defender, host-based locking is only step one. A comprehensive defense-in-depth strategy requires:
Expiring the account (usermod --expiredate 1 sets the expiry to 1970-01-02, the value the passwd(1) man page recommends) and moving her ~/.ssh/authorized_keys aside, because a locked password alone does not stop key-based SSH.
Terminating her live sessions and processes only after the lock and expiry are in place (pkill -KILL -u alice or killall -u alice), so that the session visible in the 10:02 IAM_AUDIT line is dropped and cannot be re-established.
Revoking the user's VPN certificates on the edge firewall.
Disabling the user entity in the centralized directory (Active Directory/LDAP).
Monitoring IDS/IPS and firewall logs for post-termination access attempts from her known external IPs.
MINI LESSON: Defense-in-Depth IAM
Host security is directly tied to network security. Even if perimeter firewalls block an IP, an insider threat or an attacker pivoting inside the network can exploit unlocked local accounts. Always lock OS-level identities (usermod -L) and expire the account completely (usermod --expiredate 1, or chage -E 1970-01-02, i.e. an expiry date in the past) to prevent lateral movement. The expiry step is what makes sshd and PAM refuse every authentication method, including public keys; the lock on its own only blocks the password.
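The following script is an added example, not part of the original scenario or the simulator's own tooling. It packages the defensive actions above (lock, expire, neutralise SSH keys, kill sessions) into one root-only function, and adds the verification step a defender wants afterwards: a classifier for /etc/shadow entries that tells apart an account that is merely password-locked (SSH keys still work) from one that is fully disabled. It assumes GNU shadow-utils (usermod, getent), procps (pkill) and OpenSSH on the jump host; the shadow lines in the demo are constructed samples, not data from the scenario's server.

```bash
#!/usr/bin/env bash
# Added offboarding helper and verification; not code from the original page.
# Assumes GNU shadow-utils, procps and OpenSSH. Shadow lines below are constructed.

# offboard_user USER: revoke local access on this host. Must run as root.
offboard_user() {
    local user="$1" home
    [ "$(id -u)" -eq 0 ] || { echo "offboard_user: must run as root" >&2; return 1; }
    # -L prefixes '!' to the hash (password auth dies); --expiredate 1 sets the
    # expiry to 1970-01-02 so sshd/PAM refuse every method, public keys included.
    usermod -L --expiredate 1 "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -f "$home/.ssh/authorized_keys" ]; then
        # keep the keys as evidence for the investigation, but out of sshd's path
        mv "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys.revoked"
    fi
    pkill -KILL -u "$user" || true   # drop the live session seen in the SIEM alert
}

# shadow_entry_status ENTRY: classify one /etc/shadow line to verify the lock.
# Prints: active | password-locked | expired | disabled
shadow_entry_status() {
    local entry="$1" hash expire today locked=0 expired=0
    hash=$(printf '%s' "$entry" | cut -d: -f2)
    expire=$(printf '%s' "$entry" | cut -d: -f8)     # days since 1970-01-01, empty = never
    today=$(( $(date +%s) / 86400 ))
    case "$hash" in
        '!'*|'*'*) locked=1 ;;   # '!' from usermod -L / passwd -l, '*' = no usable password
    esac
    # shadow-utils' own isexpired() only honours sp_expire > 0, which is why the
    # man page recommends --expiredate 1 rather than 0.
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$today" ]; then
        expired=1
    fi
    case "$locked$expired" in
        00) echo active ;;
        10) echo password-locked ;;   # key-based SSH logins still succeed
        01) echo expired ;;
        11) echo disabled ;;
    esac
}

# half_locked_users < shadow-file: names of accounts an incomplete offboarding
# left password-locked but not expired (still reachable with an SSH key).
half_locked_users() {
    local line
    while IFS= read -r line; do
        if [ "$(shadow_entry_status "$line")" = password-locked ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed entries: alice after usermod -L only, alice after the full
    # offboarding, and an untouched account.
    for e in 'alice:!$6$salt$hash:19723:0:99999:7:::' \
             'alice:!$6$salt$hash:19723:0:99999:7::1:' \
             'bob:$6$salt$hash:19723:0:99999:7:::'; do
        printf '%-6s %s\n' "${e%%:*}" "$(shadow_entry_status "$e")"
    done
fi
```

Run `sudo ./offboard.sh` and call `offboard_user alice` from a root shell, then audit with `half_locked_users < /etc/shadow`: an empty result means no account on the host is in the dangerous "locked but key-reachable" state. The order inside offboard_user matters; lock and expire first, kill sessions last, otherwise the user can simply reconnect between the two steps.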
Ready for the next scenario?
Master network traffic analysis, log review, and defense strategies.