Solved

Limit Access for remote user

Posted on 2006-10-19
3
145 Views
Last Modified: 2013-12-04
HI there
We are in the process of having a new warehouse system put in and the Company who are supplying the new system want to have remote access so that they can do software upgrades, troubleshooting etc.
We have assigned a VPN User name and password and a Windows user name and password.  The remote support worker said that he needed to be given administrative rights and put himself into the administrators group.
We have 2 main servers, a windows 2003 R2 server and a SQL 2005 server.  The software is installed on the SQL Server box and I think it is this box the remote supprt worker would need to access to.
What I am concerned about is that if this user is logging on remotely as an administrator for the domain he can do pretty much whatever he likes, including looking at company data files.
How can I give this user sufficient access to the SQL Server, so that he can install software and make changes to the server but limited or even no access to AD or data files?
0
Comment
Question by:boders67
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 125 total points
ID: 17765779
is the box that he needs to get into a domain controller or a member server?
if it is a member server then all you have to do is give them a LOCAL account with admin rights and not a domain account.  That way they will not have access to AD at all.  You can then just put deny rights on any company data files for this account you give them.  BUT, since they are a local admin, they could always give themself ownership of the files/folders and give themselves rights.  But in that case it will be clear that they gave themselves rights (against your wishes).  As always, have them sign some type of legal document before giving them access to your network. See your corperate attorney so the wording of this document is correct.

0
 

Author Comment

by:boders67
ID: 17766092
Thanks for your answer.
The box he needs access to is also a domain controller.
0
 
LVL 16

Expert Comment

by:legalsrl
ID: 17772557
I have to agree with Mike on this one.....

Any support relationship is down to trust.......you have to trust him to act in the best interest of your business.

As Mike said, get a Non Disclosure Agreement in place and refuse him access until him complies with that (obviously unless you've got an immediate problem)

If the box is a domain controller, then he pretty much has access as much as he likes.......

What I would suggest if you are uneasy about it, then install VNC on the server and change his password so that he doesn't know it.   At least when you ring him, you give him a session password for VNC and you can watch what he is doing on the console.  Once he has finished the work you want carried out, then change the password back to something he doesn't know.

Obviously it's not very trusting, and hopefully that would develop over a period of time, but certainly get a Non Disclosure Agreement in place.

Cheers
Si
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question