Advice on allowing third party onto our managed network

Hi Experts,
one of our clients is asking for us to allow an independent review of the network, by a 3rd party ..they are reviewing costs, performance  etc. This may or may not lead to them moving on however, I just wanted some advice please.
The client has approx 20 workstations, an onsite server (that is due to be phased out) they have office 365 and rds to the azure cloud.
They have asked for the following, we can supply it but I was going to add a disclaimer and also tell them that we need to know when the 3rd party is off the server.
Should we create a restricted user in the first instance.  

Admin access: Please provide the admin username and password to be able to review the Windows Server set up.
Firewalls and routers: Please provide the unique username and password to allow review of remote connectivity.

Thanks in advance.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


In this situation, you can't really give them a restricted user, as that will (probably) not work for them.

However, it is possible they do something that causes a problem while logged in with high level (admin) access.

I always have the client sign a disclaimer, saying that they accept the risk and any costs associated with any issues created with giving the admin access, and I always create a new, separate, admin user for this purpose, and if they won't sign, I have an email at least setting out the risks - no idea how effective that would be, as I have not had a problem so far, but better than nothing I hope.

I also like to be sure there is a good backup before they do anything (should have this anyway, but just saying).

You can also give it a go to ask for what they will do on the network, and certainly ask for a copy of the report so that you can review and address anything they find.  The third-party may (probably will) say that this is proprietary / intellectual property and that you can't have their work plan, but I would also advise a client to ensure that they can choose to seek professional advice on any report provided to them, which covers giving it to me - its all a bit of a game sometimes to be fair.

I also like to have a friendly competitor review my client networks, and I do this for them too on a regular basis.  Keeps us all on our toes, and I know I can trust them.  The clients agree to this in our standard terms.

Hope that helps,


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
You have no choice but to give them access to what they ask for!

Best thing would be to invite them to site an observe what they do and have access to!

Rather than just give them total access!

Is this a company which current client may migrate to e.g you lose the business

Not sure what is in the terms of your current contract!
I think Alan's answer is mostly spot on. As already mentioned, you'll have to comply with what your customer requested. However, create a separate user with the access requested. As far as the firewall, you could get away with a user that has read only access, but should be able to access everything (this one is about semantics, access to review and access to change are two different matters entirely). When you provide the information, be sure to explain what you've done and the reasoning (this covers you in case something comes up).

The difference would be that I would broaden out the risk acceptance to the client accepting risk and costs associated with the third parties having access beyond that of a normal user in general. This covers you in cases where they might not quite have full admin rights, but can still make some system changes. Ideally there is some sort of audit logging going on (in addition to the normal advantages, this also will help you with evidence in case that third party does truly screw something up).
unrealone1Author Commented:
Great thankyou
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Server Hardware

From novice to tech pro — start learning today.