Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Best practice in Granting access to certain computer only for external contractor ?

Posted on 2016-08-30
8
Medium Priority
?
129 Views
Last Modified: 2016-09-11
Hi All,

Can anyone here please share some steps or process to create secure access for the 3rd party support team ?

Description:
I have created the support account called DOMAIN\AS-Support in my AD domain with the member of Domain user only.
I also have placed the support account above as the Local Administrator group in each domain joined application server (about 120 servers)

Access method:
The support team is then connect with SSL VPN using Juniper SSG, which means after the session authenticated, the support team is using the DOMAIN\AS-Support account to RDP to each of the application server they need to restart & update the software from their own PC at home or office.

The problem:
However, there is a security problem that my manager don't like, is that the DOMAIN\AS-Support domain account is capable of browsing and enumerating the shared folders in the File server and access them easily.

We do not want this to happens and would like to restrict DOMAIN\AS-Support only to RDP to the allocated server with no other access to any network resources.

How can I do that securely and the best way ?

I have tried to create local account in some of the Application server, so far with the Local account that is put into Local Adminisstrator group in each server, they can do their job properly, but the problem is that I must create the local account in all of the 120 server manually one by one ?
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 37

Accepted Solution

by:
bbao earned 1000 total points
ID: 41775865
> the DOMAIN\AS-Support domain account is capable of browsing and enumerating the shared folders in the File server and access them easily.

then you need another team to audit what this team does remotely... hehe

be aware for some systems having  sensitive information, the auditors need to be onsite instead of remote access, and NDA is also a must. being audited is not an excuse to break rules and policy, otherwise you will lose credits in the audit report. :)

> We do not want this to happens and would like to restrict DOMAIN\AS-Support only to RDP to the allocated server with no other access to any network resources.

it is better than simply giving uncontrolled access. for accessing more sensitive business info, see my previous point.

> I must create the local account in all of the 120 server manually one by one?

you may run a script to create these local accounts if you:

1. can remotely access the computers using REXEC, a way to run commands on remote Windows computers.

2. you have grabbed all computer names in a plain text file. this will be a source for running a batch to retrieve computer names for repeated jobs such as creating a local account.
0
 
LVL 22

Assisted Solution

by:robocat
robocat earned 1000 total points
ID: 41776144
Using firewall rules on the juniper SSG, you could limit the network protocol for the VPN session to RDP only and a group of selected servers only.

This still allows the account DOMAIN\AS-Support to access the file shares when they are logged on to those servers, so you need to restrict the permissions for that account. E.g. by using explicit deny rules on sensitive folders. This is normal permission management as you would do for any kind of user.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41776162
Thanks Robo,

Yes, This is what I have just discovered, I already ask the network team to limit specific IP address that this DOMAIN\AS-Support account can connect to.

Due to the limitation of Juniper SSG cannot be joined to AD domain, I cannot limit the server in this AD attribute: Logon To
If only the Juniper SSG can be joined to AD domain then I can utilize it that way above marked.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 22

Assisted Solution

by:robocat
robocat earned 1000 total points
ID: 41776493
You need to look at the firewall rules in the juniper SSG, not on the server.

The VPN will also use some kind of local authentication on the SSG. Specific firewall rules can be created for this VPN user. This can be done entirely independent from the AD user.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 1000 total points
ID: 41776516
one of the best practices: the human auditors' access to the shared folders should be machine audited at NTFS level. :)
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41777130
So is there any tools that the auditor use ?
0
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41793610
Thanks guys !
0
 

Expert Comment

by:Ajai D Silva
ID: 41793702
I suggest, that you do not create this account in the AD, create this account on each of the servers. ie. a script should help create the id on all the local servers.  you might need to provide a higher level of access on each server so that they can restart and such. what do you think ?
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question