Albert Widjaja
asked on
Best practice in granting access to certain computers only for an external contractor?
Hi All,
Can anyone here please share some steps or a process to create secure access for the 3rd-party support team?
Description:
I have created a support account called DOMAIN\AS-Support in my AD domain; it is a member of Domain Users only.
I have also placed the support account above in the local Administrators group on each domain-joined application server (about 120 servers).
Access method:
The support team then connects over SSL VPN using a Juniper SSG, which means that after the session is authenticated, the support team uses the DOMAIN\AS-Support account to RDP to each of the application servers on which they need to restart and update the software, from their own PC at home or in the office.
The problem:
However, there is a security problem that my manager doesn't like: the DOMAIN\AS-Support domain account is capable of browsing and enumerating the shared folders on the file server and accessing them easily.
We do not want this to happen and would like to restrict DOMAIN\AS-Support to RDP to the allocated servers only, with no other access to any network resources.
How can I do that securely, and what is the best way?
I have tried creating a local account on some of the application servers; so far, with the local account put into the local Administrators group on each server, they can do their job properly, but the problem is that I must create the local account on all 120 servers manually, one by one?
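The reason a plain Domain Users member such as DOMAIN\AS-Support can browse the file server is usually that the shares themselves grant access to broad principals (Everyone, Authenticated Users, Domain Users). The following PowerShell script is an added example, not part of the question or any answer in this thread: it audits a file server's non-administrative SMB shares for such grants so you can see exactly what the support account inherits. It assumes the SmbShare module (Windows Server 2012 or later), PowerShell Remoting to the file server, and a placeholder server name `FILESERVER01`; none of these values come from the page.

```powershell
# Added example: list SMB shares on a file server whose share-level ACL grants
# access to broad principals that every domain user, including a support
# account that is only a member of Domain Users, belongs to.
# Assumptions (not from the original question): SmbShare module available on
# the file server (Windows Server 2012+), PowerShell Remoting enabled, and a
# placeholder host name FILESERVER01.
param(
    [string]$FileServer = 'FILESERVER01',
    [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users')
)

$findings = Invoke-Command -ComputerName $FileServer -ScriptBlock {
    param($BroadPrincipals)

    # Skip the special administrative shares (C$, ADMIN$, IPC$ ...).
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            # AccountName is "DOMAIN\Domain Users", "Everyone", etc.; strip the domain part.
            $account = $_.AccountName -replace '^.*\\', ''
            if ($_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $account) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $_.AccountName
                    Right     = $_.AccessRight   # Full, Change, Read or Custom
                }
            }
        }
    }
} -ArgumentList (,$BroadPrincipals)

if ($findings) {
    $findings | Sort-Object Share, Principal | Format-Table -AutoSize
} else {
    Write-Host "No share on $FileServer grants access to: $($BroadPrincipals -join ', ')"
}
```

Every row this prints is a share that the support account can reach purely by being a domain user; replacing those grants with a specific file-access group is what removes the exposure. Share-level permissions are only half the picture, so the NTFS ACLs on the listed paths (`Get-Acl`) deserve the same check. A complementary control on the file servers themselves, not discussed in this thread, is to assign the support account the "Deny access to this computer from the network" user right through Group Policy, which blocks SMB access regardless of share ACLs while leaving RDP to the application servers unaffected.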
ASKER
So are there any tools that the auditor uses?
ASKER
Thanks guys!
I suggest that you do not create this account in AD; create this account on each of the servers, i.e. a script should help create the ID on all the local servers. You might need to provide a higher level of access on each server so that they can restart and such. What do you think?
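The scripted approach suggested above, as an added PowerShell example that is not the expert's own script: it reads a list of application servers, creates the local support account on each one if it does not already exist, and adds it to the local Administrators group, reporting what was done per server. It assumes PowerShell Remoting is enabled on the servers, that they have the LocalAccounts module (Windows Server 2016 or later, PowerShell 5.1), and placeholder values `servers.txt` and `AS-Support`; none of these are from the page.

```powershell
# Added example: provision a local support account on every server in a list
# and add it to the local Administrators group, instead of using a domain
# account that is valid everywhere in the forest.
# Assumptions (not from the thread): PowerShell Remoting enabled on the targets,
# LocalAccounts module present (Windows Server 2016+ / PowerShell 5.1),
# placeholder list file servers.txt (one host name per line) and account name AS-Support.
param(
    [string]$ServerList  = '.\servers.txt',
    [string]$AccountName = 'AS-Support'
)

$servers  = Get-Content $ServerList | Where-Object { $_.Trim() -ne '' }
$password = Read-Host -AsSecureString "Password for local account $AccountName"

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    param($Name, $Pw)

    # Create the account only if it is missing; otherwise just reset its password.
    $existing = Get-LocalUser | Where-Object { $_.Name -eq $Name }
    if (-not $existing) {
        New-LocalUser -Name $Name -Password $Pw `
            -Description 'Third-party application support (local account only)' | Out-Null
        $action = 'created'
    } else {
        Set-LocalUser -Name $Name -Password $Pw
        $action = 'password reset'
    }

    # Add-LocalGroupMember errors if the member is already present, so check first.
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -notcontains "$env:COMPUTERNAME\$Name") {
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
        $group = 'added to Administrators'
    } else {
        $group = 'already in Administrators'
    }

    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Account = $Name
        Action  = $action
        Group   = $group
    }
} -ArgumentList $AccountName, $password -ErrorAction Continue

$results | Sort-Object Server | Format-Table -AutoSize
```

Because the account exists only in each server's local SAM, it carries no domain group memberships and cannot authenticate to the file server at all, which is the restriction the question asks for. Using the same password on all 120 servers keeps the contractor's life simple but means one leaked credential opens every server; a per-server password (generated in the loop and stored in a password manager or a LAPS-style vault) is the stronger design if the support team can live with it.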
ASKER
Yes, this is what I have just discovered; I have already asked the network team to limit the specific IP addresses that this DOMAIN\AS-Support account can connect to.
Due to the limitation that the Juniper SSG cannot be joined to the AD domain, I cannot limit the servers in this AD attribute:
If only the Juniper SSG could be joined to the AD domain, then I could utilize it the way marked above.