External Domain Accounts
-
I've set up three domain accounts for use by our ERP vendor, our PBX vendor and our MSP, so that they can do remote support on our servers. I'm paranoid about giving them access, as I don't feel vendors always take client security all that seriously, but they need remote access, especially when I'm on holiday, so what can I do? I initially created a Logmein account for them, so I can control access and log activity, but they hate that as they prefer to use their own Logmein/Teamviewer accounts, which I can understand. Unless I make it really simple for them, there's a high probability that I'll get called on holiday because they can't remember how to get access, so it's in my personal interest to let them use their own workflow to keep things simple and reliable for them.
Previously I'd disabled their domain accounts and only enabled them when I knew they wanted access. After they'd done what they needed to do, I'd disable the account. But this relied on me remembering to enable the accounts before I went on holiday. I could script this to make it easier. It wouldn't cover my sick-leave though, as I can't predict when I'm going to be sick. I could arrange for my colleague to run the script, but this adds a layer of complexity that increases the probability of failure. When the s**t hits the fan, the last thing you need is for the vendor to be unable to connect to solve the problem.
I was thinking of setting something up that e-mails me every time a vendor logs in to the domain. They're supposed to tell me whenever they connect, but they don't. Can anyone explain how I might achieve this?
Also, any general advice on managing vendor remote access to get the right balance between security and simplicity. Am I being too paranoid/controlling?
-
@Carnival-Boy said:
Also, any general advice on managing vendor remote access to get the right balance between security and simplicity. Am I being too paranoid/controlling?
Not at all. External vendors, for the most part, need to be tightly controlled. If you have a full time MSP that you trust and is part of your normal support, that's different, you'd treat them like internal staff. But for software or appliance vendors that only need access once in a great while and only for special things they should expect tight gateways controlling their access and no privacy.
-
I agree with @Reid-Cooper. Having been on the other side as the supporting MSP and not the day-to-day preventative maintenance guy, most of the guys I worked with didn't care. I did, but they'd ask for people's passwords, grant users domain admin access at times (generally only local admin access for domain accounts, but still), etc. Keep it locked down. Set up a script or means where you can have TWO separate people who can run this script. Each vendor gets their own script. Setting it up as a mapped drive, maybe, to these few files for these couple of people, might be best. But keep it locked down, absolutely. If the MSP or vendor gets hacked, you don't want your @$$ on the line.
-
Many vendors, because their own networks have little of value on them, have very insecure networks too. So over-exposing yourself to them can be dangerous. Not all vendors, of course. But often you don't know what their network is like and if it is compromised and it gets access to your network you can be heavily exposed. This is where remote views are good, LogMeIn, TeamViewer or RDP, because they can't siphon data straight off of your network through them nor can a virus travel through them. The worst is having a direct VPN tunnel to a vendor. Massive exposure in both directions and if you have a VPN tunnel to them, chances are they have VPN tunnels to lots of clients at the same time. It's the digital equivalent to an unprotected orgy. Using VPNs between different companies is like a field day for malware.
-
What I discovered last week, after going on holiday and the office suffering what should have been a minor power-cut related server issue, is no matter how much I brief people and no matter how much I leave instructions, when something happens everyone panics and forgets everything I've told them.
One of my colleagues is supposed to be the "IT co-coordinator" when I'm on holiday, and will liaise with vendors to get support, and gets extra training and documentation from me on what to do in an emergency when I'm away. Only last week, during the emergency, he went around telling everyone he no longer does that role and hasn't done it for years, so couldn't help. This was news to me!
-
@Carnival-Boy said:
I was thinking of setting something up that e-mails me every time a vendor logs in to the domain. They're supposed to tell me whenever they connect, but they don't. Can anyone explain how I might achieve this?
You lot are useless. I waited all day for the answer and in the end sorted it myself.
I created a new security group in AD and added the external users' accounts to it.
I created a new GPO and added the new security group to it, and removed Authenticated Users from it.
I edited the GPO and under User Configuration, Windows Settings, Scripts, Logon I added \\server\netlogon\emaillogon.vbs
I wrote a VBS that e-mails me details of the logged-on username and computer name. Now, whenever an external support guy logs on to any of our servers, I'll immediately know about it.
This is a decent start to solving my worries.
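An added example of the same logon-script alert written in PowerShell (this is not Carnival-Boy's own VBS); it assumes an internal SMTP relay at smtp.example.internal, the addresses shown, and that the script is saved as \\server\netlogon\emaillogon.ps1 and assigned through the GPO logon script entry with the same security filtering as described above:

```powershell
# emaillogon.ps1 (constructed example, assumed path \\server\netlogon\emaillogon.ps1)
# Runs in the vendor's user context at logon, so only the environment of that
# session is available; no admin rights are needed to send the alert.
$SmtpServer = 'smtp.example.internal'        # assumption: internal relay, no auth
$To         = 'it-alerts@example.com'         # assumption
$From       = 'vendor-logon@example.com'      # assumption

# $env:CLIENTNAME and $env:SESSIONNAME are only set for RDP sessions; they show
# which remote machine the vendor connected from and which session they hold.
$details = [ordered]@{
    User     = "$env:USERDOMAIN\$env:USERNAME"
    Computer = $env:COMPUTERNAME
    Client   = if ($env:CLIENTNAME)  { $env:CLIENTNAME }  else { 'n/a (console/service)' }
    Session  = if ($env:SESSIONNAME) { $env:SESSIONNAME } else { 'n/a' }
    Time     = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss zzz')
}

$body = ($details.GetEnumerator() |
    ForEach-Object { '{0,-9}: {1}' -f $_.Key, $_.Value }) -join "`r`n"

try {
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
        -Subject "Vendor logon: $($details.User) on $($details.Computer)" `
        -Body $body -ErrorAction Stop
}
catch {
    # Never block the logon if the mail relay is down; leave a local trace instead
    # so the event can still be found afterwards (directory is an assumption).
    $log = Join-Path $env:TEMP 'emaillogon-failed.log'
    "$($details.Time) mail failed: $($_.Exception.Message)`r`n$body`r`n" |
        Add-Content -Path $log
}
```

Because the script runs as the vendor account, a vendor could in principle see or skip it; the GPO logon script is an alerting convenience, and the authoritative record remains the domain controllers' logon audit events.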
-
@Carnival-Boy said:
What I discovered last week, after going on holiday and the office suffering what should have been a minor power-cut related server issue, is no matter how much I brief people and no matter how much I leave instructions, when something happens everyone panics and forgets everything I've told them.
One of my colleagues is supposed to be the "IT co-coordinator" when I'm on holiday, and will liaise with vendors to get support, and gets extra training and documentation from me on what to do in an emergency when I'm away. Only last week, during the emergency, he went around telling everyone he no longer does that role and hasn't done it for years, so couldn't help. This was news to me!
Maybe you need an MSP that does monitoring and is in active communications with people. Instead of only being emergency on call they actually work while you are gone getting stuff done.
-
@Carnival-Boy we use LogMeIn and get emails at every connection.
-
@scottalanmiller said:
Maybe you need an MSP that does monitoring and is in active communications with people. Instead of only being emergency on call they actually work while you are gone getting stuff done.
Too expensive.
-
@scottalanmiller said:
@Carnival-Boy we use LogMeIn and get emails at every connection.
As far as I know, you can only configure e-mail alerts through the LogMeIn website. Since the vendors are using their own accounts, I don't have access to this. This is why I prefer to use my own LogMeIn account and give them login details. The other thing I could do with my own account is disable cached credentials, which is important since LogMeIn was vulnerable to Heartbleed. I'm sure that vendors cache credentials - which should be a big no-no.
-
If your vendor really can't act responsibly with the connection methods you want to employ, do you really want them as vendors?
-
Yes. Vendor relationships are always about compromise.
-
To get management on board, just point them at the Target system compromise last year. Attack vector - a vendor. If that doesn't scare them into giving least access and dealing with the 'pains' nothing will.
-
@scottalanmiller said:
@Carnival-Boy we use LogMeIn and get emails at every connection.
I can't actually figure out how to do this and it would be very useful. Would you mind letting me know? Is it under 'Manage Alert Packages' in LogMeIn Central? I've set up a few alerts but can't see one that handles this.