Virtual Machine Lockdown

Experts,
My company has been working with a group of developers from the Ukraine for several years. We receive excellent service at a great rate, but the downside to this is the company has been flagged by several different RBLs for virus activity over the years. They immediately fix the issue and are removed from the RBL, but it does seem they can't control the activity on their network.

To date, all work performed by this group has been done outside of our production environment on platforms such as Azure. The problem is the work is starting to ramp up and we are seeing increased bandwidth costs in our production environment.

Although this next question is against my better judgment, I am being challenged by my senior staff to come up with a solution to allow them access to work in our production environment (instead of Azure) to avoid these extra bandwidth charges.

The ideal solution would be to give them access to a virtual machine or some kind of thin client solution via VPN connection and lock them down so hard they would only be able to run programs from the desktop.

Please let me know if you are aware of a lock down solution that can solve this problem.


thanks
John
hexvaderAsked:
dipopoCommented:
With regards to lockdown mode, I have always noticed this with the "ESX(i) Hosts". On the other hand, I have come across VM security hardening such as the below.

http://blogs.vmware.com/vsphere/2012/06/automate-the-hardening-of-your-virtual-machine-vmx-configurations.html

This can be used in conjunction with GPO/Local Policies or Network/firewall policies.
0
hexvaderAuthor Commented:
I should probably also mention we are using Microsoft for virtualization.
0
hexvaderAuthor Commented:
Thanks for the reply Dipopo. I am aware of the ability to lock it down via Active Directory, but I am looking for a third-party out-of-the-box solution (if even available).
0
McKnifeCommented:
Hi.

Let's get more detailed:
- What should they be able to do? What not?
- What OS, what edition?
AppLocker or software restriction policies (preferably AppLocker, on Enterprise/Ultimate versions) are built-in and maybe just what you need. You could use it to whitelist apps they can use.
0
hexvaderAuthor Commented:
Ideally they will access our production environment via VPN. I will work with my data center to lock down the VPN client to one external IP address that, once connected, will only be able to use port 3389 to remote desktop to a virtual machine.

Once the VPN connection is established and they log into the virtual machine, they will need to run certain tools from the desktop. The process isn't hard: they basically open a piece of software we created, give it some parameters and the software does all the work. However, they need to be administrators on the server in order to perform the work.

They should be able to run these tools from the desktop and log on and off the server.
Everything else, from getting on the internet, transferring files and viruses, traversing the network, opening a command prompt (or any other way of possibly exploring our production environment), should be locked down.

Currently we are creating our VMs using Microsoft Server 2012.
0
McKnifeCommented:
So what about AppLocker? Does your edition support it (are your VM OSes Enterprise or Ultimate editions or not)?
0
dipopoCommented:
OK, can they not configure the application with service accounts? And you can bypass adding them to the RDP security group at the domain and add their domain account for RDP access to only that server.
0
hexvaderAuthor Commented:
I am not familiar with AppLocker, but on first glance it does look interesting. I will need to do a little more research. Our VMs will be Server 2012 Standard edition. The virtual machine they access will not be on our corporate domain. They will log into the virtual machine with local admin rights, and when they run the application software, the software will be pre-configured to access our production database.
0
McKnifeCommented:
Although it is nearly impossible to lock down a local admin, AppLocker is the closest you can get to it. Win2012 Standard has AppLocker.
0
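As an added illustration of the AppLocker approach discussed above (this script is not from any poster in the thread), here is a local executable allowlist for the kind of jump VM John describes. It assumes a standalone Windows Server 2012 VM (local policy rather than GPO), that the in-house tool lives in a hypothetical C:\Tools folder, and, as McKnife notes, that a local admin can still switch the policy off, so this raises the bar rather than being a wall.

```powershell
# Added example, not from the thread. Assumes: standalone Server 2012 VM
# (local AppLocker policy), in-house tool in C:\Tools (hypothetical path),
# session user is a local admin who could still disable this policy.
$toolDir = 'C:\Tools'

# 1. AppLocker rules are only enforced while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Base policy in AppLocker XML. Allow Windows itself so the RDP desktop
#    still works, explicitly deny interactive shells (deny beats allow), and
#    anything not allowed is blocked. Start in AuditOnly; change it to
#    Enabled only after reviewing the audit events in step 5.
$basePolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny cmd.exe" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny PowerShell" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# 3. Allow the in-house tool by file hash (tighter than a path rule; re-run
#    this step whenever the tool is rebuilt, since the hash changes).
$toolPolicy = Get-AppLockerFileInformation -Directory $toolDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix Tools -Xml

# 4. Apply: the base policy replaces the local policy, tool rules are merged in.
$basePath = Join-Path $env:TEMP 'applocker-base.xml'
$toolPath = Join-Path $env:TEMP 'applocker-tools.xml'
Set-Content -Path $basePath -Value $basePolicy -Encoding UTF8
Set-Content -Path $toolPath -Value $toolPolicy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $basePath
Set-AppLockerPolicy -XmlPolicy $toolPath -Merge

# 5. Dry-run the effective policy (expect cmd.exe Denied, the tool Allowed),
#    then review audit hits before switching EnforcementMode to Enabled.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:SystemRoot\System32\cmd.exe", "$toolDir\Tool.exe" -User Everyone
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20
```

Tool.exe in step 5 is a placeholder for whatever the in-house tool's executable is actually called; Script and Dll rule collections can be added to the same XML if the tool relies on scripts or unsigned libraries.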
hexvaderAuthor Commented:
Yeah, I'm watching a YouTube video on it now.
0
hexvaderAuthor Commented:
We ended up going with a Dell Wyse thin client. It has a zero attack surface, which kills the virus problem. I gave credit to both experts for their answers.
0