We classify 2 types of non-FTEs: Contractors and Consultants.

Contractors are, as you point out, in place of FTEs. They get our hardware, and more or less normal user access, just like FTEs.

Consultants are required to supply their own hardware, and are physically segmented off our network, onto an Internet-only VLAN. In no case do we ever publish internal resources outside, without using some form of VPN access.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 12, 2004 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Managing accounts for 'outsiders'
>
> I read this post and then I read the responses and think people are seeing this different ways. So I will do my best to tie what I think you may be asking together and opine a bit (as usual).
>
> There is the case of normal contractors that come in and do work, they could be called agency employees for instance. Like myself, say I do long term consulting for company X, I come in daily just like any full time employee only I am expected to actually get work done. In this case I would say the outside person should be treated like a normal employee, you have of course locked down your HR and other systems that should only be accessed by true-blue employees so giving them NOS access is not only fine, but required for them to work and interact with your real employees in any meaningful sense.
>
> As for the case of outside vendors who come in to support very special or specific things. Depending on the scope and the interaction they have to have with other internal employees I would give or not give them access with leaning towards not. The larger your company the more likely someone has added something to the forest or some trusting domain that does not have proper security. You can say you are locking people down to working only on specific servers but how confident are you that that is truly the case. Unless you have personally verified the security of every single machine that trusts IDs from the NOS domain, you better not say you are confident. So outside of checking every machine what is your method of forcing someone to only use a certain machine... If the answer is you specify what machines they can logon to on the user object, go back to the drawing board, you don't understand how authentication works in Windows and how many different ways that can be bypassed.
>
> If you let me on your network unhindered with my own machine [1] and I have a domain ID for your main authentication system I now have access to look at every single machine and thing that allows authenticated user access or everyone access. Again in a large company, you would be shocked to find how much is open like that. A lot of admins do not lock down file shares from allowing everyone / authenticated user access. A lot of others will open things up the minute some issue comes in that someone doesn't understand so they can get people to stop screaming, many of those never go back and correct it.
>
> Every now and then if I had 3 or 4 spare minutes I used to just go to network neighborhood and with a regular ID I would just start clicking and diving down and I don't think there was but a very small handful of times I didn't randomly click my way into some share on some server that I shouldn't have been able to get into. I found engineering designs, I found performance reviews, I found MP3s and movies, heck once I even found porn. I would always send a nice note to the admins and then usually a global note saying, people - security doesn't happen on its own. It didn't help.
>
> Your security is as good as your worst admin[2]. How good are your admins? Luckily you can contain that in buffer zones. You have a few domain admins who have access to the big stuff, they should all be great. You then have lower level admins who are server admins, they should still be pretty good. You then have your lowest rung of admins which are workstation admins, they should still be trustworthy but since you don't (or shouldn't) be doing a lot of workstation data sharing, don't have to be quite as up on security and what the settings are on the machines (though it is still a good idea if they are).
>
> So my response to your good question is... It depends.
>
>
> joe
>
>
> [1] Or in fact, any machine that you do not control my actions on so it could be your own machine.
>
> [2] This could also be used to point out why you shouldn't overload your admins. An admin constantly running from one thing to the next is less likely to be concerned about security than one who can take their time to do things correctly. It is a matter of priorities and the natural priority of anyone getting the crap kicked out of them every day or constantly yelled at is to shut those people up in the quickest way possible. Whose fault is it if an admin is that busy and not doing security correctly? I can tell you if something gets compromised, I will bet money everyone in charge will determine it is the admin's fault. Most companies don't think very well especially when the management who caused the issue are the ones trying to sort out the root cause of any failures surrounding it.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
> Sent: Tuesday, May 11, 2004 11:14 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Managing accounts for 'outsiders'
>
> I'm curious what y'all do with those situations where you have to manage credentials for 'outsiders' - in other words, users from some business partner, vendor, etc. who must have access to some resource in your company.
>
> For example, say you have some intranet web app that you make available on the Internet via ISA Server/reverse proxy. This works for employees, but soon some 'outsiders' (contractors, outsourced service providers) need to use it.
>
> Do you put them someplace in your existing AD so they can use the same proxy? Do you set up an alternate way for them to get to the resource? What steps do you take to ensure that those credentials are restricted to the resource you intend?
>
> I'm a tad uncomfortable with people outside the organization running around with valid credentials to the internal NOS directory, but maybe that's just me. I realize it's a business decision, and that there's hopefully some level of trust in these individuals since they've been contracted to perform some service, but the more I can control it the better.
>
> Rants, flames, war stories are welcome (I can take it:). Even more welcome is some discussion of how you deal with external users in general, and specific steps you take to protect your AD from misuse by them.
>
> Dave
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
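joe's point in the thread is that what turns an outsider's ordinary domain account into broad read access is not the account itself but the file shares left open to Everyone or Authenticated Users, and that nobody goes back and closes them. The script below is an added example for this page, not code from the thread or from any of the list participants; it inventories share-level Allow ACEs granted to those broad principals across a set of file servers so an admin can review them. It assumes Windows Server 2012 or later (the SmbShare module and CIM sessions over WinRM); the server names are placeholders.

```powershell
# Added example: report SMB shares whose share-level ACL grants access to
# principals that every domain account satisfies. Not from the ActiveDir
# thread; assumes the SmbShare module (Windows Server 2012+) and CIM access
# to the listed servers. Server names below are placeholders.

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadShareAccess {
    <#
      Returns one object per (server, share, principal, right) where a
      share-level Allow ACE names one of $BroadPrincipals. Administrative
      and special shares (C$, ADMIN$, IPC$) are skipped via -Special $false.
    #>
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($server in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $server -ErrorAction Stop
            $shares  = Get-SmbShare -CimSession $session -Special $false -ErrorAction Stop

            foreach ($share in $shares) {
                $aces = Get-SmbShareAccess -CimSession $session -Name $share.Name -ErrorAction Stop
                foreach ($ace in $aces) {
                    # Only Allow entries matter here; a Deny for a broad group is not an exposure.
                    if ($ace.AccessControlType -eq 'Allow' -and
                        $BroadPrincipals -contains $ace.AccountName) {
                        [pscustomobject]@{
                            Server    = $server
                            Share     = $share.Name
                            Path      = $share.Path
                            Principal = $ace.AccountName
                            Right     = $ace.AccessRight   # Full, Change or Read
                        }
                    }
                }
            }
        }
        catch {
            # An unreachable server is reported, not silently dropped from the inventory.
            Write-Warning ("{0}: {1}" -f $server, $_.Exception.Message)
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Placeholder server list; replace with the file servers in scope.
$report = Get-BroadShareAccess -ComputerName 'FILESRV01', 'FILESRV02'
$report | Sort-Object Server, Share | Format-Table -AutoSize
$report | Export-Csv -Path .\broad-share-access.csv -NoTypeInformation
```

The report covers only the share-level permission, which is the outer gate for SMB access; effective access is the more restrictive of the share ACL and the NTFS ACL on the share path, so a share that shows up here may still be protected by NTFS, and the NTFS ACLs on the same paths deserve the same review. Keeping the CSV from each run gives the "did anyone go back and correct it" record that joe says is usually missing.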
