Solved

Limit Access for remote user

Posted on 2006-10-19
Last Modified: 2013-12-04
Hi there
We are in the process of having a new warehouse system put in and the Company who are supplying the new system want to have remote access so that they can do software upgrades, troubleshooting etc.
We have assigned a VPN user name and password and a Windows user name and password.  The remote support worker said that he needed to be given administrative rights and put himself into the administrators group.
We have 2 main servers, a Windows 2003 R2 server and a SQL 2005 server.  The software is installed on the SQL Server box and I think it is this box the remote support worker would need access to.
What I am concerned about is that if this user is logging on remotely as an administrator for the domain he can do pretty much whatever he likes, including looking at company data files.
How can I give this user sufficient access to the SQL Server, so that he can install software and make changes to the server but limited or even no access to AD or data files?
Question by:boders67
3 Comments
 

Accepted Solution

by:
mikeleebrla earned 125 total points
ID: 17765779
Is the box that he needs to get into a domain controller or a member server?
If it is a member server then all you have to do is give them a LOCAL account with admin rights and not a domain account.  That way they will not have access to AD at all.  You can then just put deny rights on any company data files for this account you give them.  BUT, since they are a local admin, they could always give themselves ownership of the files/folders and give themselves rights.  But in that case it will be clear that they gave themselves rights (against your wishes).  As always, have them sign some type of legal document before giving them access to your network. See your corporate attorney so the wording of this document is correct.
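
The member-server approach described in the accepted answer, as an added PowerShell example that is not part of the original thread. It assumes a current Windows member server with PowerShell 5.1 or later run from an elevated prompt (not a domain controller, which has no local accounts); the account name `vendor-support` and the folder `D:\CompanyData` are hypothetical. The audit rule in step 3 is an addition that records the take-ownership case the answer warns about.

```powershell
# Added example; the account name and path are assumptions, not values from the thread.
$VendorUser = 'vendor-support'      # hypothetical local account name
$DataPath   = 'D:\CompanyData'      # hypothetical folder holding company data files
$Account    = "$env:COMPUTERNAME\$VendorUser"

# 1. Local (non-domain) account with local admin rights and an expiry date.
#    It has no identity in Active Directory.
$pw = Read-Host -AsSecureString "Password for $VendorUser"
New-LocalUser -Name $VendorUser -Password $pw `
    -Description 'Vendor remote support' `
    -AccountExpires (Get-Date).AddDays(30)
Add-LocalGroupMember -Group 'Administrators' -Member $VendorUser

# 2. Explicit deny on the data folder, inherited by all subfolders and files.
$acl  = Get-Acl -Path $DataPath
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $DataPath -AclObject $acl

# 3. A local admin can still take ownership and rewrite the ACL, so audit
#    exactly those two rights for this account (success and failure).
$sacl  = Get-Acl -Path $DataPath -Audit
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Account, 'TakeOwnership,ChangePermissions',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$sacl.AddAuditRule($audit)
Set-Acl -Path $DataPath -AclObject $sacl

# 4. The audit rule only produces Security log events once file system
#    auditing is switched on in the local audit policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

Because a local administrator can also change audit settings and clear the Security log, forward that log to another host if the record needs to survive.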


Author Comment

by:boders67
ID: 17766092
Thanks for your answer.
The box he needs access to is also a domain controller.

Expert Comment

by:legalsrl
ID: 17772557
I have to agree with Mike on this one.....

Any support relationship is down to trust.......you have to trust him to act in the best interest of your business.

As Mike said, get a Non Disclosure Agreement in place and refuse him access until he complies with that (obviously unless you've got an immediate problem).

If the box is a domain controller, then he pretty much has access as much as he likes.......

What I would suggest if you are uneasy about it, then install VNC on the server and change his password so that he doesn't know it.   At least when you ring him, you give him a session password for VNC and you can watch what he is doing on the console.  Once he has finished the work you want carried out, then change the password back to something he doesn't know.

Obviously it's not very trusting, and hopefully that would develop over a period of time, but certainly get a Non Disclosure Agreement in place.

Cheers
Si