Clifford Jenkins asked:
Creating a Vendor Admin user

Hello,

Are there any best practices out there when it comes to granting a vendor an 'admin level' domain user login in a HIPAA environment, that will either have it expire, not require a change in password, or other features?
John:

You have to decide what you want. If the vendor is temporary, have it expire. If not temporary, require them to change passwords every 30 days.

Monitor the account (if it is ever signed on).

There is no standard practice for this.
Clifford Jenkins (asker):

I apologize, let me try to be clearer.  What Security Groups should I allow and not allow to vendors?
They would be in the admin security group.
David Johnson, CD:
You might want to restrict the vendor from accessing any location where PI data is stored.
The answer depends. What is the exact scope of what they need admin access to? And will they be requiring remote access to the system in question? Remember the idea of least privilege.

You want to provide them admin access to as little as possible. So ideally the server they need admin access to is NOT a domain controller. But yes, you should make the password expire every 90 days. It's not a defined standard, but would be a solid practice. But you do also need a way to be sure that the vendor could not just steal data.
btan:

A vendor for permanent onsite support should be given access in the user directory (e.g. AD); otherwise it should be on-demand access which expires at the end of the agreed period of onsite engagement. For remote access from outside the organization, I do not advocate such a use case; otherwise the VPN and the list of systems exposed for administration should be audited, and sensitive backend systems like databases or SharePoint should not be unnecessarily exposed. There should be 2FA instead of relying on username and password only. I suggest you review centralized privileged identity management technology to oversee the vendor's administrative access (kind of a "CCTV" on the traffic accessing the system). You may check out OD-PM
to control and monitor the commands super-users can run based on their role and task at hand. The solution reduces the usage of privileged rights within an enterprise and enforces least privilege policies for superuser rights.
@ https://www.cyberark.com/products/privileged-account-security-solution/on-demand-privileges-manager/
If it is for temporary local administrator rights on servers, I would deploy LAPS
https://www.microsoft.com/en-us/download/details.aspx?id=46899

Basically, you extend the schema and local administrator passwords are saved into a secured attribute in Active Directory. You can delegate read access to this attribute to a group, etc.
You use a tool supplied by the installation to read the password from AD, and the password is changed on a schedule, or manually, by an installed agent.

Whatever you do, do not give them Domain Admins/Administrator rights on domain controllers, even temporarily. With this right, you can copy all password hashes and do offline rainbow table lookups.
If you think the vendor is a hacker, you probably should not give them access.
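The combination recommended in this thread (a plain domain account that expires with the engagement, LAPS-delegated local admin on the one server OU, a guard rail against Tier-0 group membership, and last-logon monitoring) as an added PowerShell example that is not from the thread or from Microsoft's LAPS documentation. It assumes the RSAT ActiveDirectory module and the legacy LAPS `AdmPwd.PS` module are installed; the account name, OUs and group name are placeholders.

```powershell
# Added example: time-boxed vendor account with LAPS read delegation instead of Domain Admins.
# Requires the ActiveDirectory module (RSAT) and the legacy LAPS AdmPwd.PS module.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$VendorSam      = 'svc-vendor-emr'                      # assumed account name
$VendorOU       = 'OU=Vendors,DC=example,DC=local'      # assumed OU for vendor accounts
$ServerOU       = 'OU=AppServers,DC=example,DC=local'   # assumed OU holding only the vendor's server
$ReaderGroup    = 'Vendor-LAPS-Readers'                 # assumed group allowed to read LAPS passwords
$EngagementEnds = (Get-Date).AddDays(14)                # agreed end of the engagement

# 1. Ordinary domain user that expires with the engagement and must set its own password.
New-ADUser -Name 'Vendor EMR Support' -SamAccountName $VendorSam -Path $VendorOU `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -AccountExpirationDate $EngagementEnds -Enabled $true

# 2. LAPS delegation scoped to the one server OU: computers there may write their own
#    password attribute, and only $ReaderGroup may read it (run once per OU).
Set-AdmPwdComputerSelfPermission -OrgUnit $ServerOU | Out-Null
Set-AdmPwdReadPasswordPermission -OrgUnit $ServerOU -AllowedPrincipals $ReaderGroup | Out-Null
Add-ADGroupMember -Identity $ReaderGroup -Members $VendorSam
# The vendor then retrieves the rotating local admin password with:
#   Get-AdmPwdPassword -ComputerName <server>

# 3. Guard rail: fail loudly if the vendor account is ever placed in a Tier-0 group.
function Test-NotPrivileged {
    param([Parameter(Mandatory)][string]$Sam)
    $tier0  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $groups = Get-ADPrincipalGroupMembership -Identity $Sam | Select-Object -ExpandProperty Name
    $hits   = $groups | Where-Object { $tier0 -contains $_ }
    if ($hits) { throw "$Sam is a member of privileged group(s): $($hits -join ', ')" }
    return $true
}
Test-NotPrivileged -Sam $VendorSam

# 4. Monitoring: show when the account last signed on and when it expires, so an
#    unused account, or one still enabled after the end date, gets noticed in review.
Get-ADUser -Identity $VendorSam -Properties LastLogonDate, AccountExpirationDate |
    Select-Object SamAccountName, Enabled, LastLogonDate, AccountExpirationDate
```

Step 3 only catches direct membership; nested group paths need a recursive query such as `Get-ADGroupMember -Recursive` run over the Tier-0 groups themselves.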

I find, from experience, that vendors can safely be provided access, and then the access removed when done.
I find, from experience, that vendors can safely be provided access, and then the access removed when done.
  • Then one day all your servers are encrypted and no-one knows who did it.
  • Then one day customer list is stolen and no-one knows who did it.
  • Then one day your license keys are available on PirateBay and no-one knows who did it.
  • Etc. Etc. Etc.

Whatever you do, do not give them Domain Admins/Administrator rights on domain controllers, even temporarily. With this right, you can copy all password hashes and do offline rainbow table lookups.
I understand the technical point you are making, but my vendors are acquaintances or colleagues who do not wreck things.

Your world is obviously very different to my world.
If you work in enterprise environments with tens of thousands of employees and hundreds of IT personnel from different vendors, you cannot know everyone, let alone trust them.
Bye All.
Shaun, while I do get your point, the big difference lies in the resources that those companies have. And there is also no clarification on how maintenance is supposed to work. Nor did the OP actually point out if the vendor is actually responsible for the server OR just needs to make some changes to it for their application to work. These are all bits that can affect the answer. That is also why so many things differ based on organizational size, and you see as businesses grow, they have to make their processes more mature. Even HIPAA will tell you that if possible and feasible to do certain things. Naturally, if you don't do certain things, you have to be able to back it up. (This leads to the point that we agree on doing a job properly if you're getting paid to do it, even if our views differ)
Let's agree to disagree.
If I was working in a small "Mom and pop" business I would not give any external/temporary person the Wifi password let alone the DA credentials.
Can you not document their requirements and create a more appropriate account, e.g. admin rights on the specific server/databases they will be working on? We have many 3rd parties VPNing in for support and maintenance, but never in a million years would they get domain admin rights. And yes, access is either end-dated or disabled immediately once they have done their work.
Just to share: in my environment there is a strict policy to comply with, so for vendor network access they minimally have to pass the 802.1x NAC baseline policy, otherwise they stay quarantined, and most of the time they are issued the organisation's official machine (clean of sensitive data) to do the admin work required. In cases where the vendor has to use their own machine to access the system because of the specialised tools needed for the work, their machine needs to be verified against certain baseline settings based on the organisation's policy.

The same goes for authentication, which requires them to be 2FA capable for remote admin access or if they are given any form of administrative rights. There is a need for central oversight of such admin access, with logs piped to a SOC; hence a single trusted tunnel is identified as the only route, and traffic is routed through a jump host that proxies the access to the backend system. Hence the suggestion for a Privileged Access Mgmt solution to oversee all administration. It will be good to augment the GPO settings too. An access matrix is also required for regular security review as part of the overall account management.

As a whole, insider threats are another challenge, and the due diligence actions to be taken on vendor access need to be verified automatically, as manual review is not working out adequately.
Okay, I'll shed a little more light. I work for a multiple site medical facility.  

The vendor is one that will be extracting ePHI from our EMR/EHR and transferring it into their application.  They have signed a HIPAA Business Associate Agreement (BAA) with us already. Working with Active Directory (AD), I'm trying to utilize the principle of least privileges, yet still give them enough access.

At the same time, I'm trying to create a policy/procedure that is followed for each vendor going forward.

I know how in previous businesses, vendors talk clients into just handing over the Domain Administrator password. However, I know that now, this does not need to be done.  I'm appreciating all the input, feedback and ideas.
This sounds like a migration project where they only need access to the application and its data, not admin rights to the server or domain. Vendors usually try to talk clients into handing over domain admin credentials, but that doesn't mean that there's a justification for doing so. How exactly are the records stored?

Without knowing the structure of everything, we cannot fairly answer your questions in terms of group membership. What could we tell you aside from avoiding putting them in Domain Admins?
Some great suggestions and feedback.  Long story short, due to what was being asked and requested, they got the basic Domain User, and their solution was able to work with that.

btan, masnrock, pma111, and Shaun, all awesome stuff.  I do realize that there are infinite different scenarios. Being in medical again, and nearly 1/3 of my career in it, security has definitely become more of an issue.