I don't treat a 3rd party account in AD any differently from normal user accounts. 
They should be given the least privilege required to do their job, which will 
typically mean logon access is restricted to whatever server they are supporting. 
One personal annoyance is when admins set up generic AD accounts for 3rd party 
companies rather than following the best practice of setting up several specific 
accounts for the named support staff who need access to your network.

        -----Original Message----- 
        From: [EMAIL PROTECTED] on behalf of Fugleberg, David A 
        Sent: Tue 11/05/2004 16:14 
        To: [EMAIL PROTECTED] 
        Cc: 
        Subject: [ActiveDir] Managing accounts for 'outsiders'
        
        

        I'm curious what y'all do with those situations where you have to manage 
credentials for 'outsiders' - in other words, users from some business partner, 
vendor, etc. who must have access to some resource in your company.  For example, say 
you have some intranet web app that you make available on the Internet via ISA 
Server/reverse proxy.  This works for employees, but soon some 'outsiders' 
(contractors, outsourced service providers) need to use it.
        
        Do you put them someplace in your existing AD so they can use the same proxy ? 
 Do you set up an alternate way for them to get to the resource ?  What steps do you 
take to ensure that those credentials are restricted to the resource you intend ?
        
        I'm a tad uncomfortable with people outside the organization running around 
with valid credentials to the internal NOS directory, but maybe that's just me.  I 
realize it's a business decision, and that there's hopefully some level of trust in 
these individuals since they've been contracted to perform some service, but the more 
I can control it the better.
        
        Rants, flames, war stories are welcome (I can take it:).  Even more welcome is 
some discussion of how you deal with external users in general, and specific steps you 
take to protect your AD from misuse by them.
        
        Dave
        List info   : http://www.activedir.org/mail_list.htm
        List FAQ    : http://www.activedir.org/list_faq.htm
        List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
        

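An added example, not part of the original thread: a PowerShell audit for the two points raised in the reply above (logon restricted to the supported server, and named rather than generic accounts). The function name, the `$VendorOu` variable, the server names and the sample accounts are all constructed for illustration.

```powershell
# Audit third-party accounts. Works on any objects exposing SamAccountName,
# GivenName, Surname and LogonWorkstations, e.g. the output of:
#   Get-ADUser -Filter * -SearchBase $VendorOu -Properties GivenName,Surname,LogonWorkstations
# ($VendorOu is a hypothetical OU holding the third-party accounts.)

function Test-ThirdPartyAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        # Servers the third party is there to support (hypothetical names).
        [Parameter(Mandatory)]
        [string[]]$AllowedServers
    )
    process {
        $findings = @()

        # LogonWorkstations is a comma-separated list; empty means no restriction.
        $logonTo = @("$($User.LogonWorkstations)" -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($logonTo.Count -eq 0) {
            $findings += 'No logon restriction'
        } else {
            $extra = @($logonTo | Where-Object { $_ -notin $AllowedServers })
            if ($extra.Count -gt 0) { $findings += "Extra logon targets: $($extra -join ', ')" }
        }

        # Heuristic (assumption): no person's name on the account suggests a generic one.
        if (-not $User.GivenName -or -not $User.Surname) {
            $findings += 'Not tied to a named person'
        }

        [pscustomobject]@{
            Account  = $User.SamAccountName
            Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample data standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName='acme-support'; GivenName=$null;  Surname=$null; LogonWorkstations=$null }
    [pscustomobject]@{ SamAccountName='jdoe-acme';    GivenName='Jane'; Surname='Doe'; LogonWorkstations='APPSRV01' }
    [pscustomobject]@{ SamAccountName='bkim-acme';    GivenName='Bo';   Surname='Kim'; LogonWorkstations='APPSRV01,DC01' }
)
$sample | Test-ThirdPartyAccount -AllowedServers 'APPSRV01' | Format-Table -AutoSize
```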