We help IT Professionals succeed at work.

Contractor requesting domain administrator level account for implementation project on SQL server

High Priority
130 Views
Last Modified: 2019-09-03
We have a contractor who is working - and will continue to work on for a few months - installing a new SAGE accounting package on one of our SQL member servers.  They have asked for a *domain administrator* level account if possible. My gut says no - but not sure the best option of giving them domain account credentials that will permit them to make changes to this SQL server application as needed.

Looking for the most secure means of providing them a domain account that will permit them to work on this installation project - but yet maintain proper security practices for this type request. They've been working on the project for a few months using another company employees account credentials (which has domain admin level privileges) - so not sure how best to handle this request.  

Best advice appreciated -
Comment
Watch Question

SeanSystem Engineer
CERTIFIED EXPERT
Commented:
they shouldn't need domain admin. Just local admin to the server they are doing the install on and their account added to SQL for the proper database. There is no need for them to be domain admin.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Our servers do not have a local admin.  We ourselves are consultants. I do not see any big issue if the consultant is competent.

You can always change the domain admin password after they are gone.
CERTIFIED EXPERT
Commented:
Of course, the contractors are not examined and company secrets may be at risk. To give them domain admin rights is very dangerous. Did they sign NDA? Does such NDA prevent them from steeling sensitive data?  They will see the accounting data at least... and they can see much more as domain admins...

They should be able to install the package as local admins, then these local admin accounts may be disabled and company will load the data and use the software.

The problem is in successive support. No software package works 100% correctly and to investigate possible bugs and requests will need some access to the data etc. etc.  Each such application should be monitored during the life time to prevent possible problems. Which in turn may rise the question: Do you need the Sage accounting under such conditions? Did you know the package requires domain admin rights for contractors? Is it mentioned in the sales agreement?

Of course, contractors can teach company admins in the test environment and company admins will then do the job in production environment. Everything is about trusting the people, their professionality and also about the company rules and policies.

Just to show how stupid can be these rules see my story:
Our client does not allow us (developers) to connect to the production data when problem occurs.
Our Client manager which does understand the application but not the data background can communicate to the client IT person, this person does know nothing about the application...
If the problem occurs end-user asks company IT person for help. This person asks our Client manager and helpdesk ticket is created. Our developer needs to look at the data so some query is designed and posted to the Client manager, then to Client IT and after several days the query result is returned. The developer finds the data were obtained from a wrong server or the logs provided are not the correct ones... and the process is repeated for several other days.  The final fix of the original problem is ready in a few weeks instead of a few hours. Is it OK?  

We as developers are tending to fix each problem immediately the client can have different view, e.g. each developer or contractor is a potential spy.

So you have to weigh all the aspects of the decision whether to give domain admin access to contractors or not...
LearnctxEngineer
CERTIFIED EXPERT

Commented:
They have asked for a *domain administrator* level account if possible.

Why? The contractor is just lazy and incompetent.

They've been working on the project for a few months using another company employees account credentials (which has domain admin level privileges) - so not sure how best to handle this request.  

Terminate the staff member for giving out the keys to the kingdom and breaching security protocols.
Terminate the contractor for breaching security protocols.
Hire people who know what they're doing.

In a 50,000+ size company, you would only have a handful of domain admins and I see no reason why you couldn't get away with 5 or less. As for the application install, I can't speak to the requirements, but I can promise you domain admins is not one of them. This is a classic lazy persons request. Local server admins for the member server they're installing the application on to is all that is required. There could be some objects in AD they might need write access to, but again this can all be delegated.
Jim Dettman (EE MVE)President / Owner
CERTIFIED EXPERT
Fellow
Most Valuable Expert 2017

Commented:
<<There could be some objects in AD they might need write access to, but again this can all be delegated.>>

  Which slows the process down and is why everything takes so long in a large company.

  Perfect example, I'm working with a larger company moving some equipment, which will require a firewall change.   Response was "I need at least a week to make a change because I have to log a change request for all departments to review".   Yikes.  A week to make a firewall change to open a port?   Understandable to an extent, but not a great policy to have in place for getting things done (I have no idea why they have the policy in place).

 So I guess I would say there is no right or wrong answer here.  It's always a trade-off and would depend on a number of factors like the size of the environment, what it is the environment secures, how much you trust the consultant, how readily available current domain admins are, what policies you have in place, etc.   With that said, with security the rule is to always land on the side of restricting access rather than granting it.

My last parting thought would be if you don't grant the right, then don't ding the consultant for falling behind on the project.  For example, if the install requires a domain level user for the services to run the DB and they can't create the account, then it's going to take more time.

My .02.
Jim.
LearnctxEngineer
CERTIFIED EXPERT

Commented:
So I guess I would say there is no right or wrong answer here.

There is a right answer, you do not need domain admin level rights to install an application ... unless you don't actually have an administrator and no one is really looking after the AD environment properly. In which case anything probably goes.
Jim Dettman (EE MVE)President / Owner
CERTIFIED EXPERT
Fellow
Most Valuable Expert 2017

Commented:
<<In which case anything probably goes.>>

 Lots of shades of gray in the world....

Jim.
David ToddSenior Database Administrator
CERTIFIED EXPERT
Commented:
Hi,

I echo the local admin on the machine(s) in question. What they need in AD they can ask the Domain Admins to do for them ie create accounts as needed. And it's better if the existing Domain Admins do this as then it will get done the way that the existing Admins will recognise later.

Needing that level of access speaks to either the other clients they have worked with, or their competence.

But they should never have 'borrowed' an existing account for any reason.

And politically, it depends who their 'sponsor' is - if it is a fairly lax C level exec then things might get tricky. In an ideal world, their sponsor would be signing off on the access request. But a security-lax CEO might just verbally say give them whatever they ask for.

It helps some if the AD stuff they ask for you can give it to them about as quick as if they did it themselves, heading off that argument. And as others have pointed out, it is difficult to then later restrict their privileges if the account is going to be their on-going maintenance account.

HTH
  David

Author

Commented:
Thanks Everyone...some great feedback from everyone on this issue.

This is a bit tricky (politically) as the employee (actually a contractor) who permitted use of their domain admin credentials is pretty tight with the company owner.  I've already had to bring to "light" the downloading/installing of some 3rd party screen capture utility onto this critical production SQL server  - (explaining you don't know what these freebie utilities are packed with and you just don't do that on a critical LOB server) - but I'm not sure it resonated. (note we are a contractor as well to this customer - but SQL and this Sage install was under the mgmt of this other employee/contractor who permitted use of their domain admin credentials)

I think I'll suggest we start with local admin credentials - so as not to go at this hornets nest with a blow torch -  and if he needs to do something requiring domain level permissions..he can get with the person whose credentials were being used earlier. I'm extremely reluctant to permit full domain access to this SAGE contractor. They're a well-known reputable company within this area but with the premium value placed on compromising vendor/MSP's networks who have remote access to customers networks - I'll explain I'm acting on a best-effort basis to properly adhere to some semblance of security in protecting the customers assets...and we'll see what that takes us.

Great answers and hate to divvy up the points between all as found all input of value - thank you.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can assign whatever points you wish - there is no upper boundary on points any more.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.