Hello,
We have an issue with a client's software company. They purchased a large piece of software that they run their entire business through. It is accessible both internally and externally. It runs on a dedicated server (2008 Standard Server and SQL), and the internal application for the office uses a .NET application. It uses IIS for the public-facing portals. Their patients connect to it to view personal account information through a web portal, and the doctors can connect to it remotely to see their schedule, business metrics, etc.
The problem is we have discovered that the software company has built in a back door to their software. They have a super user account, which my client's admin account cannot disable or even see. After the software company admitted they had this back door, which they say is only for support purposes, they say there is no way they can disable themselves from having access to it. My client is not only concerned about their sensitive patient data, but there have even been issues with that software company's techs logging in and changing things, causing problems.
The client has asked for some way they can block the software company, and only allow their patients and doctors to access the system remotely. They already have a SonicWall router.
Therefore, I ask you for solutions that would allow the client to block the software company. I would imagine a firewall could be configured to block all outside access, except for specific IP addresses, which could work for doctors, but the patients would come from any number of dynamic IP addresses, so I'm not sure if someone has a solution there. Or how about a double authentication system, where people from the outside have to have permission at the router level, then if authenticated, they could access the IIS side of the program? Or any other ideas you might have...
Thanks for all your help in advance!
It would be far better to tell the company that you DEMAND an update with this login disabled.
If they say no, then let them know that for security reasons you will be letting the other medical teams that use this software know (which maybe you should do anyway).