benc007 asked:
*** Contractor Security ... TeamViewer -> Windows 10 -> Windows Server 2012 ***

I plan to give a contractor TeamViewer access to my Windows 10 computer, which accesses my Windows Server 2012 via RDP.

If Windows Server 2012 has FTP disabled or NOT installed, can the contractor download huge 10GB+ files to his computer without me knowing?

If so, how can I prevent this?
Wayne88:
Unless you are going to be watching the TeamViewer session while he's working, then yes.  He can upload/download files via TeamViewer or he may be able to download from the cloud (online drive).
benc007 (ASKER):
I am recording videos of all TeamViewer sessions, whether I am there or not.  But aside from this, what else can I do to increase security?
Try disabling the file transfer option, VPN connection, etc.

The instructions below are old and I haven't checked if the same options are available in the newer version, but they should be.

  1. Go to TeamViewer Option Window > Security tab.
  2. Find Access Control under the section Rules for connection to this computer. Choose Custom Settings from dropdown menu.
  3. Configure button will appear right below the Custom Settings option displaying the Access Control Detail Window.
  4. Here you can choose and set your access settings for a remote access user, such as: View screen, Remote control, File transfer, VPN connection, Partner can disable local input, Partner can control local TeamViewer
  5. Click OK button to apply settings.

https://softwaretutor.wordpress.com/2010/05/28/customizing-teamviewer-setting-to-prevent-unwanted-remote-access/

But it still wouldn't stop the viewer from downloading via web browser, network share to another machine or RDP, etc.  It all comes down to trust at this point.
If you are able to isolate the W10 account used to not have file access to the server and vice versa, only files located at the W10 machine can be transferred via TeamViewer. You should also make sure rdpclip cannot be run, to disable copy&paste via RDP.
But blocking TV file transfer is certainly the best option.
benc007 (ASKER):
Qlemo - RE: If you are able to isolate the W10 account used to not have file access to the server and vice versa, only files located at the W10 machine can be transferred via TeamViewer. You should also make sure rdpclip cannot be run, to disable copy&paste via RDP.
-> How can I do this?

Wayne - RE: Try disabling the file transfer option, VPN connection, etc.  But it still wouldn't stop the viewer from downloading via web browser, network share to another machine or RDP, etc.
-> I may be able to disable TeamViewer file transfer and VPN, but why can't I stop TeamViewer from downloading via web browser?  The contractor is only able to access the server via TeamViewer to my Windows 10 computer which RDPs to the server.
"The contractor is only able to access the server via TeamViewer to my Windows 10 computer which RDPs to the server. "

Will the contractor have administrator credentials in case he gets locked out?  If yes, he will have access to your whole network.  Most contractors I have dealt with who require server access overnight normally also require admin credentials in case they have to restart the machine or get locked out.

Also, if the servers or your W10 machine can access the internet then possibilities are endless.  They can download a 3rd party FTP server/client, download from a cloud storage, etc.
benc007 (ASKER):
RE: Will the contractor have administrator credentials in case he gets locked out?
Do you mean if the contractor knows my administrator password for my Windows 10 computer?
Does he have administrator access to the server (domain admin credentials)?
benc007 (ASKER):
He has administrator access to the server but only via using TeamViewer to my Windows 10 computer and then RDP to the server.
You should also, from a firewall or gateway, restrict ports in, like FTP or SFTP.  That way you can control what the server itself can have downloaded to it.
You can disable the ability to copy/paste between the host server & the windows 10 client pc by enabling this policy on the server:
Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Devices and Resource Redirection \ Do not allow clipboard redirection

I would test to make sure the policy is working as intended before allowing the contractor to connect, however.
Restricting is difficult. The contractor has the privileges of the W10 account used on that W10 machine, and the RDP account privileges on the server. If the server account has file access to the W10 machine, they can copy to and from W10.
So you need to consider both accounts and machines used. If the contractor knows the credentials, it is getting even more difficult. And you cannot really protect as you have to allow for some exchange of data, be it plain text via clipboard, some data like log files, or whatsoever. You cannot limit on the size of files.
Everyone here can advise on disabling this and that but how much do you want to disable?  For every single thing you disable they can find another way to work around it.

It's hard to protect anything once you give the contractor administrator access to a server which in turn has full access to any machine on your network.  At the end of the day it comes down to trust, and we normally work with only a handful of trusted contractors we have history with.  That's the bottom line.
True but you have to put a reasonable amount of controls in...  Trust but restrict where it makes sense to secure assets.
Assume every point the asker is asking, and I am the consultant logged in to one of your servers under domain admin account.  What's your recommendation to achieve that goal?
You don't need admin as a contractor to complete the job.  You need an account with the access to do what is contracted and nothing more.
"He has administrator access to the server but only via using TeamViewer to my Window 10 computer and then RDP to the server."

We don't know what the contractor will be doing and some of the contractors I hired require administrator access.  Do you create specific account and access for each contractor you have on hand?  How do we help the asker achieve his goal?  What do you recommend?
Yes, if you care about the security of your system and data. Security is hard...  It takes diligence and often takes a lot of go-arounds to get it right, but it is the right thing to do.  Every security assessment / pen test I have been involved with, I fight the same argument....  Same thing holds true: principle of least privilege, or consequences will result.

-D-
Let's see what the question author has to say on these comments...
I understand that you want to provide access on a need-to-know basis, but the question still remains.  How would you accomplish what he's asking, because he's not asking for much?  Just restrict FTP and file transfer from anywhere.
SOLUTION
John Gates, CISSP, CDPSE
ASKER CERTIFIED SOLUTION
If you block Internet access, have no gateway and prevent Teamviewer drag and drop it would be very difficult to accomplish downloading and installing anything.
You have a good weekend as well.
benc007 (ASKER):
TO DO:
1) On Windows Server 2012, from a firewall or gateway restrict ports for FTP and SFTP - block ports 21 and 22 in and out.  Which ports are for SFTP?
2) Any outgoing Internet transfers could be blocked in GPO for the user the contractor is using preventing access to anything outside the customer network - How do I do this?
3) Block file transfer in Teamviewer settings - how do I do this?

Will 1 to 3 block all of the following?
- copy and pasting from Windows Server 2012 to an outside server or websites
- uploading to an outside server or websites from Windows Server 2012
- copy and pasting from Windows Server 2012 to Windows 10 via TeamViewer
- prevent data uploaded from Windows Server 2012 and Windows 10 to an outside server or websites
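As an added example (not code from the thread or from TeamViewer), a PowerShell audit-and-apply script for the server-side pieces of the to-do list above and for the "Do not allow clipboard redirection" policy recommended earlier; it does not touch TeamViewer's own file-transfer option, which is set in its UI as described. The function names are hypothetical; the registry value fDisableClip is the real setting behind that policy, and SFTP rides on SSH, so it uses TCP 22.

```powershell
# Added example: report the state of the controls discussed in the thread and
# apply them only when -Apply is given. Run as Administrator on the Server 2012
# RDP host. Helper names are hypothetical; paths and cmdlets are real.
param([switch]$Apply)

# Registry location written by the GPO "Do not allow clipboard redirection"
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Test-ClipboardRedirectionBlocked {
    $v = Get-ItemProperty -Path $tsPolicy -Name fDisableClip -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.fDisableClip -eq 1)
}

function Set-ClipboardRedirectionBlocked {
    if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }
    Set-ItemProperty -Path $tsPolicy -Name fDisableClip -Value 1 -Type DWord
}

function Test-FtpServerInstalled {
    # Web-Ftp-Server is the IIS FTP Server role service name on Server 2012
    $f = Get-WindowsFeature -Name Web-Ftp-Server -ErrorAction SilentlyContinue
    return ($null -ne $f -and $f.Installed)
}

function Add-FileTransferBlockRules {
    # FTP control channel = TCP 21; SFTP runs over SSH = TCP 22 (to-do item 1)
    $rules = @(
        @{ Name = 'Block FTP/SFTP out'; Dir = 'Outbound'; Port = @(21, 22) },
        @{ Name = 'Block FTP/SFTP in';  Dir = 'Inbound';  Port = @(21, 22) }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        $p = @{ DisplayName = $r.Name; Direction = $r.Dir; Protocol = 'TCP'; Action = 'Block'; Profile = 'Any' }
        if ($r.Dir -eq 'Outbound') { $p.RemotePort = $r.Port } else { $p.LocalPort = $r.Port }
        New-NetFirewallRule @p | Out-Null
    }
}

# Audit first: is the clipboard policy set, is FTP installed, is rdpclip alive?
[pscustomobject]@{
    ClipboardRedirectionBlocked = Test-ClipboardRedirectionBlocked
    FtpServerInstalled          = Test-FtpServerInstalled
    RdpclipRunning              = [bool](Get-Process rdpclip -ErrorAction SilentlyContinue)
} | Format-List

if ($Apply) {
    Set-ClipboardRedirectionBlocked
    Add-FileTransferBlockRules
    Write-Host 'Applied. Existing RDP sessions must log off for the clipboard policy to take effect.'
}
```

Blocking 21/22 does not cover uploads over HTTPS or network shares, which is why the thread also suggests cutting Internet access at the gateway and testing the policy before the contractor connects.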
benc007 (ASKER):
Thank you Wayne and John!