Remote Vendor Access

As a support provider, you may need to work with outside vendors to enable them to support your systems. To maintain system security while allowing vendors to perform authorized maintenance (especially on Windows systems), consider these recommendations.

Always Use AD

Create vendor accounts in AD, not on the local system. This allows for more effective management and monitoring, and it provides RDP access through the VPN. Be sure to create account names that won't collide with UTLNs (e.g. "vendorname_systemname_vendor").

Group Vendor Accounts Together

Group third-party (including vendor) accounts together in one AD group so that you can easily run reports on them (expiration, usage, etc.).

Restrict Vendor Logon Rights

Restrict logon access in AD to only those machines that the vendor supports. (User account->Properties->Accounts tab->Log On To...)


Disable Vendor Accounts Until Needed

Create vendor accounts and assign the appropriate rights, but disable them in AD until and unless they are needed. This will prevent vendor access without your authorization or knowledge.

Use New Passwords for Each Maintenance Cycle

When you enable an account, set a new password and share it with the vendor. This will prevent, for example, ex-employees of the vendor from logging on with credentials they may have saved while on the job. This concern is especially relevant for systems with regulated or sensitive data.

Report on Account Activity

Use AD to report on vendor account usage and examine any unexpected activity.

Disable and Remove Old Vendor Accounts

Disable and remove old vendor accounts that are no longer needed. This will prevent vendors from logging in when they shouldn't, and will prevent employees of the vendor from logging in without authorization.
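
The enable, new-password, report and clean-up recommendations above can be scripted with the ActiveDirectory PowerShell module. The following is an added example, not part of the original article or a Tufts script. The group name, account name, host name, function names and the automatic expiry are assumptions chosen for illustration.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and rights over the vendor accounts.
# Hypothetical names: group 'Vendor-Accounts', account 'acme_hvac01_vendor', host 'HVAC01'.
Import-Module ActiveDirectory
$VendorGroup = 'Vendor-Accounts'

function New-RandomPassword([int]$Length = 24) {
    # 64-character alphabet, so a random byte maps to it without modulo bias.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[[int]$_ % $chars.Length] })
}

function Open-VendorWindow([string]$Account, [string[]]$Computers, [int]$Hours = 8) {
    # Only operate on accounts that are in the vendor group.
    $members = (Get-ADGroupMember -Identity $VendorGroup).SamAccountName
    if ($members -notcontains $Account) { throw "$Account is not a member of $VendorGroup" }
    $plain = New-RandomPassword
    Set-ADAccountPassword -Identity $Account -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADUser -Identity $Account -LogonWorkstations ($Computers -join ',')   # "Log On To..."
    # Assumption beyond the page: expire the account so a forgotten window closes by itself.
    Set-ADAccountExpiration -Identity $Account -DateTime (Get-Date).AddHours($Hours)
    Enable-ADAccount -Identity $Account
    $plain   # new password for this cycle; pass it to the vendor out of band
}

function Close-VendorWindow([string]$Account) {
    Disable-ADAccount -Identity $Account
}

function Get-VendorAccountReport([int]$StaleDays = 90) {
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # LastLogonDate comes from lastLogonTimestamp, which can lag real logons by up to ~14 days.
    Get-ADGroupMember -Identity $VendorGroup | Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, LogonWorkstations |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, LogonWorkstations,
            @{ n = 'Review'; e = { @(
                if ($_.Enabled) { 'enabled' }                          # window still open?
                if (-not $_.LogonWorkstations) { 'no-logon-restriction' }
                if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) { 'stale' }
            ) -join ',' } }
}

# $pw = Open-VendorWindow -Account 'acme_hvac01_vendor' -Computers 'HVAC01' -Hours 4
# Close-VendorWindow -Account 'acme_hvac01_vendor'
# Get-VendorAccountReport | Where-Object Review | Format-Table -AutoSize
```

Accounts flagged `stale` are candidates for removal, and any account flagged `enabled` outside a scheduled maintenance window deserves a closer look.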

Don't Use a Single Account for All of a Vendor's Staff

Each member of the vendor's team should have their own account; these accounts can then be collected into an AD group.

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.