I read this post and then I read the responses, and I think people are seeing this in different ways. So I will do my best to tie what I think you may be asking together and opine a bit (as usual).
There is the case of normal contractors that come in and do work; they could be called agency employees, for instance. Like myself: say I do long term consulting for company X, I come in daily just like any full time employee, only I am expected to actually get work done. In this case I would say the outside person should be treated like a normal employee. You have of course locked down your HR and other systems that should only be accessed by true-blue employees, so giving them NOS access is not only fine, but required for them to work and interact with your real employees in any meaningful sense.

As for the case of outside vendors who come in to support very special or specific things: depending on the scope and the interaction they have to have with other internal employees I would give or not give them access, leaning towards not. The larger your company, the more likely someone has added something to the forest or some trusting domain that does not have proper security. You can say you are locking people down to working only on specific servers, but how confident are you that that is truly the case? Unless you have personally verified the security of every single machine that trusts IDs from the NOS domain, you better not say you are confident. So outside of checking every machine, what is your method of forcing someone to only use a certain machine... If the answer is you specify what machines they can logon to on the user object, go back to the drawing board; you don't understand how authentication works in Windows and how many different ways that can be bypassed. If you let me on your network unhindered with my own machine [1] and I have a domain ID for your main authentication system, I now have access to look at every single machine and thing that allows authenticated user access or everyone access. Again, in a large company, you would be shocked to find how much is open like that.
A lot of admins do not lock down file shares from allowing everyone / authenticated user access. A lot of others will open things up the minute some issue comes in that someone doesn't understand, so they can get people to stop screaming; many of those never go back and correct it. Every now and then, if I had 3 or 4 spare minutes, I used to just go to network neighborhood and with a regular ID I would just start clicking and diving down, and I don't think there was but a very small handful of times I didn't randomly click my way into some share on some server that I shouldn't have been able to get into. I found engineering designs, I found performance reviews, I found MP3s and movies, heck once I even found porn. I would always send a nice note to the admins and then usually a global note saying, people - security doesn't happen on its own. It didn't help.

Your security is as good as your worst admin [2]. How good are your admins? Luckily you can contain that in buffer zones. You have a few domain admins who have access to the big stuff; they should all be great. You then have lower level admins who are server admins; they should still be pretty good. You then have your lowest rung of admins, which are workstation admins; they should still be trustworthy, but since you don't (or shouldn't) do a lot of workstation data sharing, they don't have to be quite as up on security and what the settings are on the machines (though it is still a good idea if they are).

So my response to your good question is... It depends.

joe

[1] Or in fact, any machine that you do not control my actions on, so it could be your own machine.

[2] This could also be used to point out why you shouldn't overload your admins. An admin constantly running from one thing to the next is less likely to be concerned about security than one who can take their time to do things correctly. It is a matter of priorities, and the natural priority of anyone getting the crap kicked out of them every day or constantly yelled at is to shut those people up in the quickest way possible. Whose fault is it if an admin is that busy and not doing security correctly? I can tell you if something gets compromised, I will bet money everyone in charge will determine it is the admin's fault. Most companies don't think very well, especially when the management who caused the issue are the ones trying to sort out the root cause of any failures surrounding it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fugleberg, David A
Sent: Tuesday, May 11, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Managing accounts for 'outsiders'

I'm curious what y'all do with those situations where you have to manage credentials for 'outsiders' - in other words, users from some business partner, vendor, etc. who must have access to some resource in your company. For example, say you have some intranet web app that you make available on the Internet via ISA Server/reverse proxy. This works for employees, but soon some 'outsiders' (contractors, outsourced service providers) need to use it. Do you put them someplace in your existing AD so they can use the same proxy? Do you set up an alternate way for them to get to the resource? What steps do you take to ensure that those credentials are restricted to the resource you intend? I'm a tad uncomfortable with people outside the organization running around with valid credentials to the internal NOS directory, but maybe that's just me. I realize it's a business decision, and that there's hopefully some level of trust in these individuals since they've been contracted to perform some service, but the more I can control it the better. Rants, flames, war stories are welcome (I can take it:).
Even more welcome is some discussion of how you deal with external users in general, and specific steps you take to protect your AD from misuse by them.

Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
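Joe's observation that a regular domain ID can browse into shares left open to Everyone or Authenticated Users, and Dave's request for concrete steps to limit what an external account can reach, both point to the same audit: find those shares before an outsider does. The PowerShell script below is an added example, not code from either post; it assumes the SmbShare cmdlets (Windows Server 2012 / PowerShell 3.0 or later), PowerShell remoting enabled, admin rights on each server, and a hypothetical server list `$Servers`.

```powershell
# Added example: flag SMB shares whose share-level or NTFS permissions grant
# access to broad principals. Assumes SmbShare cmdlets, PS remoting and admin
# rights on the servers in $Servers (constructed sample names).
$Servers = @('FS01', 'FS02')
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',        # Domain Users lands here on member servers
    'Domain Users'
)

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($p in $BroadPrincipals) {
        if ($Account -like "*$p") { return $true }
    }
    return $false
}

$Findings = foreach ($Server in $Servers) {
    # Admin shares (C$, ADMIN$, IPC$) are skipped; they are admin-only by design.
    $Aces = Invoke-Command -ComputerName $Server -ScriptBlock {
        Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
            $share = $_
            # Share-level ACL: the first gate a remote user hits.
            Get-SmbShareAccess -Name $share.Name | ForEach-Object {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Account = $_.AccountName
                    Right = "$($_.AccessControlType):$($_.AccessRight)" }
            }
            # NTFS ACL on the share root: effective access is the tighter of the two.
            (Get-Acl -Path $share.Path).Access | ForEach-Object {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Account = $_.IdentityReference.Value
                    Right = "$($_.AccessControlType):$($_.FileSystemRights)" }
            }
        }
    }
    foreach ($ace in $Aces) {
        if (Test-BroadPrincipal $ace.Account) {
            $ace | Add-Member -NotePropertyName Server -NotePropertyValue $Server -PassThru
        }
    }
}

# One line per broad ACE; a share is only truly open when BOTH layers allow it.
$Findings | Sort-Object Server, Share, Layer |
    Format-Table Server, Share, Layer, Account, Right -AutoSize
```

Running this under a regular (non-admin) account with `Get-SmbShareAccess` replaced by a simple `Test-Path \\$Server\$Share` reproduces Joe's "click around network neighborhood" check, but the ACL view above tells you which ACE to fix rather than just that something is reachable.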
