Comment: Migration of unmigrated content due to installation of a new plugin

Remote Vendor Access

As a support provider, you may need to work with outside vendors to enable them to support your systems. To maintain system security while allowing vendors to perform authorized maintenance (especially on Windows systems), consider these recommendations.


Always Use AD

Create vendor accounts in AD, not on the local system. This will allow for more effective management and monitoring, as well as provide RDP access through the VPN. Be sure to create account names that won't cause collisions with UTLNs (e.g. "vendorname_systemname_vendor").


Group Vendor Accounts Together

Group third-party (including vendor) accounts together in one AD group so that you can easily run reports on them (expiration, usage, etc.)


Restrict Vendor Logon Rights

Restrict logon access in AD to only those machines that the vendor supports. (User account->Properties->Accounts tab->Log On To...)


Disable Vendor Accounts Until Needed

Create vendor accounts and assign the appropriate rights, but disable them in AD until and unless they are needed. This will prevent vendor access without your authorization or knowledge.


Use New Passwords for Each Maintenance Cycle

When you enable an account, set a new password and share it with the vendor. This will prevent e.g. ex-employees of the vendor from logging on with credentials they may have saved while on the job. This concern is especially relevant for systems with regulated or sensitive data.


Report on Account Activity

Use AD to report on vendor account usage and examine any unexpected activity.


Disable and Remove Old Vendor Accounts

Disable and remove old vendor accounts that are no longer needed. This will prevent vendors from logging in when they shouldn't, and will prevent employees of the vendor from logging in without authorization.

Don't use a single account for all of a vendor's staff. 

Each member of the vendor's team should have their own account, which can then be compiled into an AD group.
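
The recommendations above can be checked in one pass over the vendor group. The PowerShell below is an added example, not part of the original page: the group name, the 14-day cycle, the 90-day staleness threshold, the function name and the sample records are all assumptions or constructed values.

```powershell
# Added example: flag vendor accounts that drift from the recommendations on this page.
# Assumed values (not from the page): group name, 14-day cycle, 90-day staleness threshold.
$VendorGroup = 'Vendor-Accounts'  # hypothetical AD group holding all vendor accounts
$CycleDays   = 14                 # assumed length of one maintenance cycle
$StaleDays   = 90                 # assumed age after which an unused account counts as old

function Get-VendorAccountFinding {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        if ($User.Enabled) {
            $findings += 'enabled: confirm an authorized maintenance window is open'
            if (-not $User.PasswordLastSet -or $User.PasswordLastSet -lt $Now.AddDays(-$CycleDays)) {
                $findings += 'password not reset for this cycle'
            }
        }
        if (-not $User.LogonWorkstations) { $findings += 'no "Log On To" restriction' }
        # LastLogonDate is derived from lastLogonTimestamp, which can lag by up to about two weeks.
        if (-not $User.LastLogonDate -or $User.LastLogonDate -lt $Now.AddDays(-$StaleDays)) {
            $findings += 'unused: candidate for removal'
        }
        [pscustomobject]@{
            Account  = $User.SamAccountName
            Enabled  = $User.Enabled
            LogOnTo  = $User.LogonWorkstations
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample records so the logic can be checked without a domain.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName='acme_hvac01_vendor';   Enabled=$false; LogonWorkstations='HVAC01';  PasswordLastSet=$now.AddDays(-40);  LastLogonDate=$now.AddDays(-30) }
    [pscustomobject]@{ SamAccountName='initech_lab02_vendor'; Enabled=$true;  LogonWorkstations=$null;     PasswordLastSet=$now.AddDays(-200); LastLogonDate=$now.AddDays(-2) }
    [pscustomobject]@{ SamAccountName='oldco_print03_vendor'; Enabled=$false; LogonWorkstations='PRINT03'; PasswordLastSet=$now.AddDays(-400); LastLogonDate=$null }
)
$sample | Get-VendorAccountFinding | Format-Table -AutoSize -Wrap

# Against a live domain (requires the ActiveDirectory module), feed real accounts instead:
# Get-ADGroupMember -Identity $VendorGroup -Recursive | Where-Object objectClass -eq 'user' |
#   Get-ADUser -Properties LastLogonDate, PasswordLastSet, LogonWorkstations |
#   Get-VendorAccountFinding | Format-Table -AutoSize -Wrap
```

With the sample data, the first account produces no findings, the second is flagged as enabled with an old password and no workstation restriction, and the third is flagged as unused.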