Unfortunately, most vendors want some kind of remote control tool on the server upon which their product resides. This usually means that they not only want the ability to access the desktop but they also want admin rights.
Some of these vendors will only work with pcAnywhere and only over a modem. Some will be a little flexible as to how they access their product. This also depends greatly on the product itself. You might not be able to completely disable their access to the desktop but you should restrict their access. Some ideas:

1. Give the vendor a local user account instead of a domain user account.
2. Never give a vendor a domain admin account. Use only local admin if admin rights are required.
3. Keep the account disabled unless the vendor asks to log on; this will prevent non-authorized access by the vendor.
4. Make a policy that requires that a member of the IT staff be present for any vendor modifications.
5. Lock out the vendor's ability to run all programs that are not related to the product.
6. Create a mandatory policy for each vendor that locks down the desktop to only those tools and utilities they require.
7. Activate pcAnywhere only when a vendor actually needs to dial in. Otherwise keep it in a disabled state. Keep in mind that anyone who has access to services remotely can start it in the last state that it was started in (for example, the pcAnywhere service can be started through Server Manager; if it was last started in host mode waiting for a phone call, it will start in that mode). To this end, create a nonworking host mode (i.e. IPX if you don't run IPX) and start it in this mode before disabling it.
8. Have the vendor submit an acceptable usage document detailing what they can and cannot do on the system.
9. Have the vendor submit in writing everything that they did on your system and what changes they have made.
10. Run a system compare/registry compare utility and take before and after snapshots.

Your best security measure in this case is awareness. In some cases there will be little you can do to limit a vendor's access, which is why you need to know when they are in your system and what they are going to be doing.
You can do a lot to protect your systems; it just depends on how much work you are willing to put into it and how paranoid you want to be.

-Kit

>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, April 17, 2002 2:39 PM
>>To: [EMAIL PROTECTED]
>>Subject: Vendor Remote Access
>>
>>
>>Our organization works with many third party vendors.
>>
>>If a department buys a new application from a vendor, it usually comes with
>>support. This means they should be able to access the server remotely.
>>
>>Some require pcAnywhere to be installed on the server and can be accessed
>>via dial-up systems (modem banks).
>>
>>We have plans to install VPN in the future. If we do get a VPN system,
>>doesn't the vendor still require some kind of remote control software to
>>administer their application?
>>
>>We just want them to administer their application and NOT the
>>operating system.
>>
>>Please let me know what you think.
>>
>>Thanks,
>>Jaime
>>
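
Ideas 9 and 10 in the reply can be checked against each other. The Python below is an added example, not part of the original message: it takes before and after file snapshots of the vendor's application directory and reports every change that the vendor's written report did not list. The directory layout, file names and report format are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before, after):
    """Return {path: 'added' | 'removed' | 'modified'} between two snapshots."""
    changes = {}
    for path in before.keys() | after.keys():
        if path not in before:
            changes[path] = "added"
        elif path not in after:
            changes[path] = "removed"
        elif before[path] != after[path]:
            changes[path] = "modified"
    return changes

def undeclared(changes, vendor_report):
    """Changes found on disk that the vendor's written report does not list."""
    declared = {p.strip().replace("\\", "/") for p in vendor_report}
    return {p: kind for p, kind in changes.items() if p not in declared}

def demo():
    """Constructed session: the vendor reports one change but makes three."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(data)
        write("app/app.ini", "port=8000\n")
        write("app/bin/tool.txt", "v1\n")
        before = snapshot(root)               # before enabling the vendor account
        write("app/app.ini", "port=8001\n")   # listed in the vendor's report
        write("app/bin/extra.txt", "new\n")   # not listed
        Path(root, "app/bin/tool.txt").unlink()  # not listed
        after = snapshot(root)                # after disabling the account again
        return undeclared(diff_snapshots(before, after), ["app\\app.ini"])

if __name__ == "__main__":
    print(demo())
```

The same comparison applies to a registry export taken before and after the session, with key paths in place of file paths.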
