Securing third-party access to your corporate network
-
I have a number of suppliers, MSPs and consultants who require remote access to our servers for maintenance and support purposes. I issue them with a unique LogMeIn user account under our corporate LMI central account and I issue them with a unique Active Directory user account. Currently, I set the password for them, which doesn't expire, and let them know what it is. I normally send the user names by e-mail and the passwords by SMS, rather than sending both together.
I also run a logon and logoff script on the servers that e-mails me every time anyone logs on or logs off a server, so I can keep an eye on what they are doing. I ask them to let me know when they are going to access our systems, so if I get an e-mail saying they have logged on and I am not expecting it, they get a phone call off me asking what they are doing.
Our MSP uses their own LMI account, rather than one of ours, which is a lot more convenient for them, and I am ok with this. As an MSP, security should be a priority for them. Other people with access to our network include software providers. I know from my own experience working for a software house in my youth that client security often isn't a priority at all.
I am not sure that I can do anything other than trust them and hope for the best. If I let them set their own password they are likely to use our company name, or Password123, or use the same password for ALL their clients. They may store our account details in a spreadsheet on a consultant's insecure laptop. I am not going to be told if one of their employees, with access to our network, is sacked in bad circumstances - exposing us to a risk of malicious damage by the ex-employee. When we sack an employee we delete their account, but our external people have one account for their whole company, which they are likely to share - I'm effectively setting up a company account for them rather than an individual user account.
I think I might be better off letting them set their own passwords, and having those passwords expire every 3 or 6 months.
Should I be doing more to protect our network?
Should I be agreeing some rules with them about how they store our account details? And if so, should I be auditing them, and if so, how?
How do you handle these situations?
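The original post describes a logon/logoff script that e-mails the admin whenever anyone signs on to a server. The block below is an added example, not the poster's script: it implements that alert as a PowerShell script meant to run from a scheduled task triggered by Security events 4624 (logon) and 4634 (logoff), restricted to accounts in a vendor OU so the admin is not mailed about every staff logon. The OU name, mail addresses, SMTP relay and file path are assumptions.

```powershell
# Added example (not from the thread). Mails the admin about vendor account
# logons/logoffs on this server. Assumptions: third-party accounts live in
# OU=Vendors,DC=example,DC=com; smtp.example.com relays mail; paths are hypothetical.
#
# Register once per server (runs as SYSTEM on each Security event of interest):
#   schtasks /create /tn "VendorLogonAlert" /ru SYSTEM /sc onevent /ec Security `
#     /mo "*[System[(EventID=4624 or EventID=4634)]]" `
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\VendorLogonAlert.ps1"

Import-Module ActiveDirectory

$VendorOU   = 'OU=Vendors,DC=example,DC=com'                   # assumption
$MailFrom   = 'alerts@example.com'                              # assumption
$MailTo     = 'it-manager@example.com'                          # assumption
$SmtpServer = 'smtp.example.com'                                # assumption
$StateFile  = 'C:\ProgramData\VendorLogonAlert\last-run.txt'    # hypothetical path

# SamAccountNames of all vendor accounts, lower-cased for comparison.
$vendorNames = Get-ADUser -Filter * -SearchBase $VendorOU |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# Look back to the previous run (first run: 5 minutes) so events are neither
# missed nor reported twice when several events fire the task in quick succession.
$since = (Get-Date).AddMinutes(-5)
if (Test-Path $StateFile) { $since = [datetime]::Parse((Get-Content $StateFile -Raw).Trim()) }
$now = Get-Date

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since } `
    -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $user = "$($data['TargetUserName'])".ToLowerInvariant()
    if ($vendorNames -contains $user) {
        $kind = if ($e.Id -eq 4624) { 'LOGON' } else { 'LOGOFF' }
        # LogonType 10 = RemoteInteractive (RDP), 3 = network, 2 = local console.
        # 4634 carries no source address, so 'from=' is empty for logoffs.
        '{0} {1} {2} type={3} from={4} on {5}' -f $e.TimeCreated, $kind, $user,
            $data['LogonType'], $data['IpAddress'], $env:COMPUTERNAME
    }
}

if ($hits) {
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
        -Subject "Vendor access on $env:COMPUTERNAME" -Body ($hits -join "`n")
}

# Record this run so the next invocation starts where this one stopped.
New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
Set-Content -Path $StateFile -Value $now.ToString('o')
```

Because the filter is on the target account rather than on logon type, the same script reports RDP, LogMeIn-initiated console sessions and network logons alike; the `type=` field in the mail tells the admin which it was, which is the detail needed when deciding whether an unexpected logon warrants the phone call the poster describes.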
-
@Carnival-Boy said:
How do you handle these situations?
With Two Factor Authentication. Personally I like Duo Security. https://www.duosecurity.com/
-
LogMeIn supports two-factor authentication. It doesn't work where a third-party company has one user account for multiple support staff. I could get around that by setting up separate accounts for each and every support staff, but that means more AD accounts and more LMI accounts to manage.
It also adds an extra burden on the third-party company. As well as annoying them, this might end up slowing down their support response. I have to find a compromise between ease-of-use and security and I'm not sure where 2FA fits into that.
-
Yeah, I understand your concerns, however having a code that changes every 30 seconds gives me a lot of peace of mind.
-
I never give vendors direct access to the network. They have to use their tools like TeamViewer etc. They do not get or know any credentials and someone monitors them the whole time they are working on the server.
-
I don't have the resources to do that, sadly.
-
@Carnival-Boy said:
I don't have the resources to do that, sadly.
You mean you don't have management's support to do that. They clearly don't seem concerned about their security, at least as much as you are.
-
@Carnival-Boy said:
... but that means more AD accounts and more LMI accounts to manage.
Why would you need multiple AD accounts? Sure, more LMI, but all the LMI accounts should be able to use the same AD account, not that you really want that either. Do your supporting companies notify you every time they bring in a new person or a person is no longer employed there? If not it's possible that your usernames and passwords are walking out the door with those leaving employees.
-
@Dashrender said:
You mean you don't have management's support to do that. They clearly don't seem concerned about their security, at least as much as you are.
I am management.
I didn't phrase my reply correctly. I should have said I'm not as concerned about security as @thecreativeone91 is.
I'm concerned enough to start a thread on MangoLassi to challenge existing practices, but not yet concerned enough to change them.
-
@Dashrender said:
If not it's possible that your usernames and passwords are walking out the door with those leaving employees.
This is probably my biggest concern because a few years ago I was indirectly involved in a case where a disgruntled MSP's ex-employee logged onto a client's network and caused some damage. That ended up with the ex-employee going to prison. Not a nice situation.
At the moment, I can't protect against that happening to me.
For a while I disabled the AD accounts of our third-parties and required them to contact me when they needed access. I then enabled their account. When they were done I disabled their accounts again. This worked ok, but I couldn't do this when I was on holiday - which is more often than not the time when they need access. So I abandoned that policy.
-
@Carnival-Boy said:
@Dashrender said:
If not it's possible that your usernames and passwords are walking out the door with those leaving employees.
This is probably my biggest concern because a few years ago I was indirectly involved in a case where a disgruntled MSP's ex-employee logged onto a client's network and caused some damage. That ended up with the ex-employee going to prison. Not a nice situation.
At the moment, I can't protect against that happening to me.
For a while I disabled the AD accounts of our third-parties and required them to contact me when they needed access. I then enabled their account. When they were done I disabled their accounts again. This worked ok, but I couldn't do this when I was on holiday - which is more often than not the time when they need access. So I abandoned that policy.
Why not just open them while you are on holiday, then close them down again when not?
-
Yes, I did that for a while. It doesn't cover me when I'm off sick, or when I simply forget to enable them.
A powershell script and a scheduled task would help me here though.
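The posts above describe disabling third-party AD accounts by default and enabling them only for a requested maintenance window, and note that a PowerShell script plus a scheduled task would remove the dependency on the admin being at work. The block below is an added example of that approach, not code from the thread: it enables a vendor account for a fixed number of hours, sets an account expiration that the domain controller enforces on its own, registers a one-off scheduled task to disable the account at window end, and provides a daily sweep as a backstop. The OU name, task names and sample account name are assumptions.

```powershell
# Added example (not from the thread). Time-boxed enablement of vendor AD accounts.
# Assumptions: third-party accounts live in OU=Vendors,DC=example,DC=com and this
# runs on a domain controller (or under an account allowed to enable/disable users).

Import-Module ActiveDirectory

$VendorOU = 'OU=Vendors,DC=example,DC=com'   # assumption

function Grant-VendorWindow {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Hours = 4
    )
    $user = Get-ADUser -Identity $SamAccountName
    # Refuse to touch anything outside the vendor OU so a typo cannot enable a staff account.
    if ($user.DistinguishedName -notlike "*,$VendorOU") {
        throw "$SamAccountName is not in $VendorOU; refusing."
    }
    $end = (Get-Date).AddHours($Hours)

    # The expiration is enforced by the DC itself, so the account stops working at
    # $end even if the disable task below never fires (e.g. the server was rebooted).
    Set-ADAccountExpiration -Identity $user -DateTime $end
    Enable-ADAccount -Identity $user

    # One-off task that disables the account again at window end.
    $cmd     = "Import-Module ActiveDirectory; Disable-ADAccount -Identity '$SamAccountName'"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
    $trigger = New-ScheduledTaskTrigger -Once -At $end
    Register-ScheduledTask -TaskName "Revoke-$SamAccountName" -Action $action -Trigger $trigger `
        -User 'SYSTEM' -Force | Out-Null

    Write-Output "$SamAccountName enabled until $end"
}

function Revoke-VendorWindow {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # Early revocation: the work finished, or the vendor reports a departed employee.
    Disable-ADAccount -Identity $SamAccountName
    Unregister-ScheduledTask -TaskName "Revoke-$SamAccountName" -Confirm:$false -ErrorAction SilentlyContinue
    Write-Output "$SamAccountName disabled"
}

function Invoke-VendorSweep {
    # Daily backstop: disable any vendor account that is still enabled past its expiration,
    # and report vendor accounts that are enabled with no expiration set at all.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $VendorOU -Properties AccountExpirationDate |
        ForEach-Object {
            if (-not $_.AccountExpirationDate) {
                Write-Warning "$($_.SamAccountName) is enabled with no expiration"
            } elseif ($_.AccountExpirationDate -lt (Get-Date)) {
                Disable-ADAccount -Identity $_
                Write-Output "Swept: $($_.SamAccountName)"
            }
        }
}

# Usage (account name is a constructed example): give the vendor a 4-hour window.
# Grant-VendorWindow -SamAccountName 'acmesupport' -Hours 4
# Schedule Invoke-VendorSweep daily via a task that dot-sources this file and calls it.
```

Setting the account expiration as well as registering the disable task matters because scheduled tasks do not run while a machine is down; the expiration closes the window regardless. A vendor asking for access while the admin is on holiday can then be handled by anyone who can run `Grant-VendorWindow`, and the account closes itself without anyone remembering to do it.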
-
I like your style.
When I have needed to allow third party access in the past, it was via AD authentication on a Citrix portal with an RDP "app" straight to the server with the vendor's software on it. They had local admin rights on the server.
-
@nadnerB said:
I like your style.
When I have needed to allow third party access in the past, it was via AD authentication on a Citrix portal with an RDP "app" straight to the server with the vendor's software on it. They had local admin rights on the server.
That is a good idea... hadn't thought of doing it that way before.
-
We do much of the same, but normally issue user accounts, not company accounts, and we never know what the password is, so that if we need to accuse someone of something we have the assumption that they were responsible for the access. As long as we know the passwords, we are responsible for their actions too, which we don't want.
-
I was setting up a few external access accounts this week. Other than using UIDs in a different range we treat them basically like any staff or contractor. They get access via our normal methods (Jump station in this case) and access only to what they need from there. We know when they log on or off, what they access, etc.
-
@Carnival-Boy said:
@Dashrender said:
If not it's possible that your usernames and passwords are walking out the door with those leaving employees.
This is probably my biggest concern because a few years ago I was indirectly involved in a case where a disgruntled MSP's ex-employee logged onto a client's network and caused some damage. That ended up with the ex-employee going to prison. Not a nice situation.
At the moment, I can't protect against that happening to me.
For a while I disabled the AD accounts of our third-parties and required them to contact me when they needed access. I then enabled their account. When they were done I disabled their accounts again. This worked ok, but I couldn't do this when I was on holiday - which is more often than not the time when they need access. So I abandoned that policy.
With LMI, for example, accounts are free. Why use company accounts there when individual is more secure? Then you have accountability and the MSP and you have the ability to granularly cut off people when they quit or are fired or even if they just change job role and no longer need access?
I assume the AD licenses for the users are too expensive and that's why you are using a single CAL for multiple users rather than separate?
-
@Carnival-Boy said:
LogMeIn supports two-factor authentication. It doesn't work where a third-party company has one user account for multiple support staff. I could get around that by setting up separate accounts for each and every support staff, but that means more AD accounts and more LMI accounts to manage.
Security takes overhead, unfortunately.
-
@scottalanmiller said:
I assume the AD licenses for the users are too expensive and that's why you are using a single CAL for multiple users rather than separate?
Disabled accounts don't need CALs so you could just enable the one for the person that will be doing the work that time and save some on CALs.
-
@thecreativeone91 said:
Disabled accounts don't need CALs so you could just enable the one for the person that will be doing the work that time and save some on CALs.
True, although that makes for a huge pain if you need regular, semi-regular or access during unpredictable times.