External Domain Accounts
-
Many vendors, because their own networks have little of value on them, have very insecure networks too. So over-exposing yourself to them can be dangerous. Not all vendors, of course. But often you don't know what their network is like and if it is compromised and it gets access to your network you can be heavily exposed. This is where remote views are good, LogMeIn, TeamViewer or RDP, because they can't siphon data straight off of your network through them nor can a virus travel through them. The worst is having a direct VPN tunnel to a vendor. Massive exposure in both directions and if you have a VPN tunnel to them, chances are they have VPN tunnels to lots of clients at the same time. It's the digital equivalent to an unprotected orgy. Using VPNs between different companies is like a field day for malware.
-
What I discovered last week, after going on holiday and the office suffering what should have been a minor power-cut related server issue, is no matter how much I brief people and no matter how much I leave instructions, when something happens everyone panics and forgets everything I've told them.
One of my colleagues is supposed to be the "IT co-coordinator" when I'm on holiday, and will liaise with vendors to get support, and gets extra training and documentation from me on what to do in an emergency when I'm away. Only last week, during the emergency, he went around telling everyone he no longer does that role and hasn't done it for years, so couldn't help. This was news to me!
-
@Carnival-Boy said:
I was thinking of setting something up that e-mails me every time a vendor logs in to the domain. They're supposed to tell me whenever they connect, but they don't. Can anyone explain how I might achieve this?
You lot are useless. I waited all day for the answer and in the end sorted it myself.
I created a new security group in AD and added the external users' accounts to it.
I created a new GPO and added the new security group to it, and removed Authenticated Users from it.
I edited the GPO and under User Configuration, Windows Settings, Scripts, Logon I added \\server\netlogon\emaillogon.vbs
I wrote a vbs that e-mails me details of the logged-on username and computer name. Now, whenever an external support guy logs on to any of our servers, I'll immediately know about it.
This is a decent start to solving my worries.
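A logon script of the kind described in that post, written here as an added example (it is not Carnival-Boy's emaillogon.vbs, which is not on the page). It reads the user and computer name from WScript.Network, sends the notification through CDO via an internal SMTP relay, and also writes an Application event-log entry so the logon is still recorded locally if the mail cannot be sent. The relay name, port and the two e-mail addresses are placeholder assumptions.

```vbscript
' Added example: GPO logon script that e-mails the admin when a member of the
' external-vendor security group logs on. Not the original poster's script.
' Assumed (placeholder) values: SMTP relay, port, sender and recipient.
Option Explicit

Const SMTP_SERVER = "smtp.example.internal"      ' assumed internal relay
Const SMTP_PORT   = 25                           ' assumed relay port
Const MAIL_TO     = "it-alerts@example.internal" ' assumed recipient
Const MAIL_FROM   = "logon-alerts@example.internal"
Const CDO_PREFIX  = "http://schemas.microsoft.com/cdo/configuration/"

Dim objNet, objShell, strUser, strDomain, strComputer, strSubject, strBody
Set objNet   = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")

' Who logged on, and where: the script runs in the logging-on user's context,
' so these reflect the vendor account and the server they connected to.
strUser     = objNet.UserName
strDomain   = objNet.UserDomain
strComputer = objNet.ComputerName

strSubject = "External account logon: " & strDomain & "\" & strUser & _
             " on " & strComputer
strBody = "An external support account has logged on." & vbCrLf & _
          "User:     " & strDomain & "\" & strUser & vbCrLf & _
          "Computer: " & strComputer & vbCrLf & _
          "Time:     " & Now

' Record the logon in the local Application event log first (type 4 = Information),
' so there is a local record even if the mail relay is unreachable.
objShell.LogEvent 4, strSubject & vbCrLf & strBody

' Send the e-mail through the internal relay using CDO over SMTP (sendusing = 2).
Dim objMsg
Set objMsg = CreateObject("CDO.Message")
objMsg.From     = MAIL_FROM
objMsg.To       = MAIL_TO
objMsg.Subject  = strSubject
objMsg.TextBody = strBody

With objMsg.Configuration.Fields
    .Item(CDO_PREFIX & "sendusing")      = 2
    .Item(CDO_PREFIX & "smtpserver")     = SMTP_SERVER
    .Item(CDO_PREFIX & "smtpserverport") = SMTP_PORT
    .Update
End With

' Never make the logon fail because the relay is down: swallow the error,
' but note it in the event log (type 2 = Warning) so the gap is visible.
On Error Resume Next
objMsg.Send
If Err.Number <> 0 Then
    objShell.LogEvent 2, "Logon alert e-mail failed: " & Err.Description & _
                         vbCrLf & strBody
    Err.Clear
End If
On Error GoTo 0
```

Deploy it exactly as the post describes: in the NETLOGON share, referenced from the logon-script setting of a GPO whose security filtering contains only the vendor group. Because the script runs as the vendor account, it is a notification rather than a control; the account can end the script, and a mail can be delayed or lost. The successful-logon events on the domain controllers (event ID 4624) remain the authoritative record, and the e-mail is the prompt to go and look at them.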
-
@Carnival-Boy said:
What I discovered last week, after going on holiday and the office suffering what should have been a minor power-cut related server issue, is no matter how much I brief people and no matter how much I leave instructions, when something happens everyone panics and forgets everything I've told them.
One of my colleagues is supposed to be the "IT co-coordinator" when I'm on holiday, and will liaise with vendors to get support, and gets extra training and documentation from me on what to do in an emergency when I'm away. Only last week, during the emergency, he went around telling everyone he no longer does that role and hasn't done it for years, so couldn't help. This was news to me!
Maybe you need an MSP that does monitoring and is in active communications with people. Instead of only being emergency on call they actually work while you are gone getting stuff done.
-
@Carnival-Boy we use LogMeIn and get emails at every connection.
-
@scottalanmiller said:
Maybe you need an MSP that does monitoring and is in active communications with people. Instead of only being emergency on call they actually work while you are gone getting stuff done.
Too expensive.
-
@scottalanmiller said:
@Carnival-Boy we use LogMeIn and get emails at every connection.
As far as I know, you can only configure e-mail alerts through the LogMeIn website. Since the vendors are using their own accounts, I don't have access to this. This is why I prefer to use my own LogMeIn account and give them login details. The other thing I could do with my own account is disable cached credentials, which is important since LogMeIn was vulnerable to Heartbleed. I'm sure that vendors cache credentials - which should be a big no-no.
-
If your vendor really can't act responsibly with the connection methods you want to employ, do you really want them as vendors?
-
Yes. Vendor relationships are always about compromise.
-
To get management on board, just point them at the Target system compromise last year. Attack vector - a vendor. If that doesn't scare them into giving least access and dealing with the 'pains' nothing will.
-
@scottalanmiller said:
@Carnival-Boy we use LogMeIn and get emails at every connection.
I can't actually figure out how to do this and it would be very useful. Would you mind letting me know? Is it under 'Manage Alert Packages' in LogMeIn Central? I've set up a few alerts but can't see one that handles this.