hwtech

asked:

Contractor requesting domain administrator level account for implementation project on SQL server

We have a contractor who is working - and will continue to work for a few months - installing a new SAGE accounting package on one of our SQL member servers. They have asked for a *domain administrator* level account if possible. My gut says no - but I'm not sure of the best option for giving them domain account credentials that will permit them to make changes to this SQL server application as needed.

Looking for the most secure means of providing them a domain account that will permit them to work on this installation project - but yet maintain proper security practices for this type of request. They've been working on the project for a few months using another company employee's account credentials (which has domain admin level privileges) - so not sure how best to handle this request.

Best advice appreciated -
SOLUTION
Sean
Our servers do not have a local admin. We ourselves are consultants. I do not see any big issue if the consultant is competent.

You can always change the domain admin password after they are gone.
ASKER CERTIFIED SOLUTION
They have asked for a *domain administrator* level account if possible.

Why? The contractor is just lazy and incompetent.

They've been working on the project for a few months using another company employee's account credentials (which has domain admin level privileges) - so not sure how best to handle this request.

Terminate the staff member for giving out the keys to the kingdom and breaching security protocols.
Terminate the contractor for breaching security protocols.
Hire people who know what they're doing.

In a 50,000+ size company, you would only have a handful of domain admins and I see no reason why you couldn't get away with 5 or less. As for the application install, I can't speak to the requirements, but I can promise you domain admins is not one of them. This is a classic lazy person's request. Local server admin for the member server they're installing the application onto is all that is required. There could be some objects in AD they might need write access to, but again this can all be delegated.
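One way to put this answer into practice, as an added example that is not code posted anywhere in the thread: a PowerShell script that creates a dedicated, expiring contractor account, makes it an administrator on the single member server only, gives the SQL/Sage services an ordinary (non-admin) service account, and checks that nothing ended up in Domain Admins. The domain name CORP, server name SQL01, the OU paths and the account names are placeholders; it assumes the RSAT ActiveDirectory module on the admin workstation and PowerShell 5.1 with WinRM enabled on the server.

```powershell
# Added example (not from the thread): least-privilege provisioning for a
# contractor doing an application install on ONE member server.
# Placeholders: CORP, SQL01, the OU distinguished names and account names.
Import-Module ActiveDirectory

$Domain       = 'CORP'                                    # placeholder NetBIOS domain
$SamName      = 'ctr-sage-vendor'                         # placeholder contractor account
$Server       = 'SQL01'                                   # the one server they actually need
$ContractorOU = 'OU=Contractors,DC=corp,DC=example'       # placeholder OU for vendor accounts
$ServiceOU    = 'OU=ServiceAccounts,DC=corp,DC=example'   # placeholder OU for service accounts
$ExpiresOn    = (Get-Date).AddDays(90)                    # project length; extend deliberately, never "forever"

# 1. A dedicated, expiring account: one person, one login, a clear end date.
#    No shared employee credentials, and no Domain Admins membership anywhere below.
$Password = Read-Host -AsSecureString -Prompt "Initial password for $SamName"
New-ADUser -Name 'Sage implementation (vendor)' -SamAccountName $SamName `
    -Path $ContractorOU -AccountPassword $Password -Enabled $true `
    -AccountExpirationDate $ExpiresOn -ChangePasswordAtLogon $true `
    -Description "Contractor account for Sage install on $Server; expires $($ExpiresOn.ToShortDateString())"

# 2. Local administrator on that server only. The grant lives in the server's
#    local Administrators group, so it carries no rights on any other host.
Invoke-Command -ComputerName $Server -ScriptBlock {
    param($Member)
    Add-LocalGroupMember -Group 'Administrators' -Member $Member
    Get-LocalGroupMember -Group 'Administrators'      # show who holds admin on this box now
} -ArgumentList "$Domain\$SamName"

# 3. If the Sage/SQL services need a domain identity, give them an ordinary
#    service account the contractor can configure, rather than a privileged one.
$SvcName = 'svc-sage-sql'                                  # placeholder service account
New-ADUser -Name $SvcName -SamAccountName $SvcName -Path $ServiceOU `
    -AccountPassword (Read-Host -AsSecureString -Prompt "Password for $SvcName") `
    -Enabled $true -Description "Runs Sage/SQL services on $Server; no interactive logon"

# 4. Only if the installer genuinely must create AD objects: delegate
#    create/delete of user objects inside one OU with the built-in dsacls tool,
#    instead of handing out Domain Admins. Uncomment after confirming the need.
# dsacls $ServiceOU /I:T /G "$Domain\${SamName}:CCDC;user"

# 5. Verify the outcome: the contractor is not a Domain Admin, and the
#    Domain Admins group is still the short list it should be.
$groups = (Get-ADPrincipalGroupMembership -Identity $SamName).Name
if ($groups -contains 'Domain Admins') { throw "$SamName must not be a member of Domain Admins" }
$das = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
"Domain Admins ($($das.Count)): $($das -join ', ')"

# 6. At project end: disable first, review what the account touched, delete later.
# Disable-ADAccount -Identity $SamName
```

The expiration date is the part that most often gets skipped: without it, a "temporary" contractor account quietly becomes a permanent one, which is exactly the situation the thread is trying to avoid.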
<<There could be some objects in AD they might need write access to, but again this can all be delegated.>>

Which slows the process down and is why everything takes so long in a large company.

Perfect example: I'm working with a larger company moving some equipment, which will require a firewall change. Response was "I need at least a week to make a change because I have to log a change request for all departments to review". Yikes. A week to make a firewall change to open a port? Understandable to an extent, but not a great policy to have in place for getting things done (I have no idea why they have the policy in place).

So I guess I would say there is no right or wrong answer here. It's always a trade-off and would depend on a number of factors like the size of the environment, what it is the environment secures, how much you trust the consultant, how readily available current domain admins are, what policies you have in place, etc. With that said, with security the rule is to always land on the side of restricting access rather than granting it.

My last parting thought would be if you don't grant the right, then don't ding the consultant for falling behind on the project.  For example, if the install requires a domain level user for the services to run the DB and they can't create the account, then it's going to take more time.

My .02.
Jim.
So I guess I would say there is no right or wrong answer here.

There is a right answer, you do not need domain admin level rights to install an application ... unless you don't actually have an administrator and no one is really looking after the AD environment properly. In which case anything probably goes.
<<In which case anything probably goes.>>

Lots of shades of gray in the world....

Jim.
SOLUTION
hwtech

ASKER

Thanks everyone... some great feedback from everyone on this issue.

This is a bit tricky (politically) as the employee (actually a contractor) who permitted use of their domain admin credentials is pretty tight with the company owner. I've already had to bring to "light" the downloading/installing of some 3rd party screen capture utility onto this critical production SQL server - (explaining you don't know what these freebie utilities are packed with and you just don't do that on a critical LOB server) - but I'm not sure it resonated. (Note we are a contractor as well to this customer - but SQL and this Sage install was under the mgmt of this other employee/contractor who permitted use of their domain admin credentials.)

I think I'll suggest we start with local admin credentials - so as not to go at this hornets' nest with a blow torch - and if he needs to do something requiring domain level permissions, he can get with the person whose credentials were being used earlier. I'm extremely reluctant to permit full domain access to this SAGE contractor. They're a well-known reputable company within this area, but with the premium value placed on compromising vendor/MSP networks that have remote access to customer networks - I'll explain I'm acting on a best-effort basis to properly adhere to some semblance of security in protecting the customer's assets... and we'll see where that takes us.

Great answers, and I hate to divvy up the points between all, as I found all input of value - thank you.
You can assign whatever points you wish - there is no upper boundary on points any more.