Remote Vendor Access
As a support provider, you may need to work with outside vendors to enable them to support your systems. To maintain system security while allowing vendors to perform authorized maintenance (especially on Windows systems), consider these recommendations.
Always Use AD
Create vendor accounts in AD, not on the local system. This will allow for more effective management and monitoring, as well as provide RDP access through the VPN. Be sure to create account names that won't cause collisions with UTLNs (e.g. "vendorname_systemname_vendor")
Group Vendor Accounts Together
Group third-party (including vendor) accounts together in one AD group so that you can easily run reports on them (expiration, usage, etc.)
Restrict Vendor Logon Rights
Restrict logon access in AD to only those machines that the vendor supports. (User account->Properties->Accounts tab->Log On To...)
Disable Vendor Accounts Until Needed
Create vendor accounts and assign the appropriate rights, but disable them in AD until and unless they are needed. This will prevent vendor access without your authorization or knowledge.
Use New Passwords for Each Maintenance Cycle
When you enable an account, set a new password and share it with the vendor. This will prevent e.g. ex-employees of the vendor from logging on with credentials they may have saved while on the job. This concern is especially relevant for systems with regulated or sensitive data.