
User access policies for non-employees

Providing access for non-employees is a challenge in many regards. In this blog, IT pro Rick Vanover brings up some of the issues associated with this practice.

IT shops of any size have vendors, contractors or other people who may need some amount of access to systems on their network. There are a number of ways to manage the user account process for this need, and I'm out to see what TechRepublic members do in this regard. Here are a few practices that I've come across:

Username identification: Some organizations name accounts in a pattern such as vendor.company in Windows Active Directory and other systems across the board, so the owning company is identifiable wherever the account shows up.

Enable on-demand: User accounts for non-employees would be disabled by default, and only enabled when access is needed.

Time limited account: Accounts are created, but are valid only for a fixed duration of time. The need for the account has to be re-affirmed periodically by the user or the requestor of the access; if nobody follows up, the account safely lapses into a disabled state. This is frequently done with contract employees or temps.

Escorted access: An employee accompanies the non-employee throughout the session in all systems. This can mean hosting a WebEx session and passing control, or literally sitting over the shoulder of the vendor or other individual.

Permission lockdown: The accounts are provisioned explicitly with only what is needed for the requested access, rather than with a general-purpose set of rights.

Isolated networks or domains: In the case of Active Directory, larger networks can keep user accounts of this class in a separate child domain. In large environments this may make large-scale permissions tasks easier, since all non-employee accounts sit in one place.
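As an added example (not code from the original post or from Veeam), here is one way to implement the username convention, enable-on-demand, time-limited and permission-lockdown practices above in Active Directory using the RSAT ActiveDirectory PowerShell module. The OU path, UPN suffix, group names, requestor and sample vendor are assumptions made for illustration.

```powershell
# Added example, not code from the original post. Requires the RSAT
# ActiveDirectory module on a domain-joined admin workstation. The OU path,
# UPN suffix and group names below are assumptions.
Import-Module ActiveDirectory

function New-VendorAccount {
    param(
        [Parameter(Mandatory)] [string]   $Company,    # vendor's company, e.g. "acme"
        [Parameter(Mandatory)] [string]   $Person,     # the individual, e.g. "jsmith"
        [Parameter(Mandatory)] [int]      $ValidDays,  # time-limited account: fixed validity
        [string[]] $Groups = @(),                      # permission lockdown: only what was requested
        [string]   $Requestor = '',                    # employee sponsoring the access
        [string]   $Path = 'OU=Vendors,OU=External,DC=example,DC=com'  # assumed OU
    )

    # Username identification: <company>.<person> marks the account as external
    # in every log, group listing and lockout report. sAMAccountName is capped
    # at 20 characters by AD, so fail early rather than let it be truncated.
    $sam = ('{0}.{1}' -f $Company, $Person).ToLower()
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds 20 characters" }

    # One-time initial password, handed over out of band and forced to change at
    # first logon. Get-Random is not a CSPRNG in Windows PowerShell 5.1; use a
    # cryptographic generator if the initial secret must be strong on its own.
    $plain   = -join (1..20 | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
    $secret  = ConvertTo-SecureString $plain -AsPlainText -Force
    $expires = (Get-Date).AddDays($ValidDays)

    $params = @{
        Name                  = $sam
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@example.com"       # assumed UPN suffix
        Path                  = $Path
        Description           = "Non-employee ($Company); requested by $Requestor"
        AccountPassword       = $secret
        ChangePasswordAtLogon = $true
        AccountExpirationDate = $expires                 # time-limited account
        Enabled               = $false                   # enable on-demand: off until needed
    }
    New-ADUser @params

    # Permission lockdown: membership only in the groups named in the request.
    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $sam }

    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $plain; Expires = $expires }
}

function Enable-VendorAccount {
    # Enable on-demand: turn the account on for the visit. The expiration date
    # set at creation still applies, so a forgotten account closes itself.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        throw "$SamAccountName expired on $($u.AccountExpirationDate); re-affirm the request first"
    }
    Enable-ADAccount -Identity $SamAccountName
}

function Disable-VendorAccount {
    # Call this at the end of the visit (or from a scheduled task).
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Disable-ADAccount -Identity $SamAccountName
}

function Get-VendorAccountReport {
    # Periodic review of every account in the vendor OU: which are currently
    # enabled, which have lapsed, and when each one last logged on.
    param([string] $SearchBase = 'OU=Vendors,OU=External,DC=example,DC=com')
    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties Enabled, AccountExpirationDate, LastLogonDate, Description |
        ForEach-Object {
            $status = if ($_.AccountExpirationDate -and $_.AccountExpirationDate -lt (Get-Date)) { 'expired' }
                      elseif ($_.Enabled) { 'ACTIVE' } else { 'disabled' }
            [pscustomobject]@{
                Account     = $_.SamAccountName
                Status      = $status
                Expires     = $_.AccountExpirationDate
                LastLogon   = $_.LastLogonDate
                Description = $_.Description
            }
        } | Sort-Object Status, Expires
}

# Usage with assumed values: a 30-day account for a vendor, off until the visit.
# New-VendorAccount -Company acme -Person jsmith -ValidDays 30 -Groups 'GG-Vendor-ACME-RDP' -Requestor 'jdoe'
# Enable-VendorAccount  -SamAccountName acme.jsmith
# Disable-VendorAccount -SamAccountName acme.jsmith
# Get-VendorAccountReport | Format-Table
```

Keeping all non-employee accounts under one OU is what makes the report useful: the review is a single query, and anything that shows as ACTIVE past its expected visit stands out. Enabling refuses to reopen an account whose expiry has already passed, which forces the re-affirmation step the time-limited practice relies on instead of silently extending access.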

These are just a few of the strategies that can be employed, and organizations may elect a combination of these and other practices to fit their access requirements and security parameters. Please share the ways you address access for non-employees.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

20 comments
cbader

Unfortunately for me everything is wide open and they expect everyone who needs access will get that access. I've tried to make some pitches to increase the security on our LAN and my boss just doesn't want to deal with it; if anybody gets inconvenienced then it's just not worth it. We have a company subleasing some space from us in our building. Their SEO guy (who was often here very late after everybody had left) got arrested by the FBI on 44 counts of credit card fraud and identity theft. He was Russian and was transmitting the data back to someone in Russia. I thought that would've been a wake-up call for my boss, not so much I guess.

spelunkdude

We use a combination of things from Guest VLAN wireless access to VPNs with ACLs and a combo of local accounts and domain accounts. It is really specific to each vendor and what is required, and is quite a pain.

vworm83

Any good suggestions for handling freelancers who need all types of access? They tend to have their own machines and come and go with the wind.

Craig_B

When I was in a larger company we did username ID, permission lockdown and timed accounts for internal machines. Remote access was limited. In a smaller company it's more enable on demand, escorted access.

Michael Kassner

I recommend to my clients that they have a strict policy that the only time foreign computers attach to the network is to gain Internet access, and that's through a completely separate VLAN. That's even suspect in my book, but difficult to currently improve upon. If there is a need for access to the company network, that's done on a company-provided computer with limited privileges set up for that individual. If that's not appropriate then the foreign computer needs to go through a major sanitizing process to make sure it's clean.

NickNielsen

I have full user access to my customer's systems because I need that access on a daily basis; I also have admin access to selected PCs. Root access to servers is limited to specific tasks or situations and usually given through dedicated sudo or use-once accounts. I don't have access to all applications because I don't need it and I don't have Internet access through customer systems. If I need Internet access, I must use the public wireless (if available) or the 3G broadband in the laptop. Or I find the nearest Atlanta Bread Company... :)

bandman

I looked at VMPS for a while. I also thought about multi-LAN wireless APs which would route unknown users to an internet-only segment. In the end, I haven't decided on anything. We don't get a ton of visitors yet, but at some point, I can see our traffic increasing, so I'm interested in what others have done. Good topic, thanks!

tech4me

Get a security consultant to come in and do a presentation to your management (depending how much money your business has to throw around). Chances are someone who does this every day can rattle off 100 reasons to secure your data and make a more convincing argument than you or I could. Sounds like your boss isn't in IT (or shouldn't be). If they won't listen to you, get someone else in to scare them, and not only will you have more control over the company's data, but more respect and gratitude from management (read: $$$$).

s.butera

Currently on the networks that I support, I've seen vendor-specific accounts set up in AD. Not the best, but I didn't set it up that way.

jdavis

That is pretty much what I do. I have guest VLANs set up on all my networks. The purpose of these is to limit the vendor / customer to the protocols necessary to establish a VPN connection back to their company's network. For various reasons I can't limit them by address, so I limit them by protocol. Our proxy servers require authentication, so in general guests are not permitted internet access other than through their own facilities. In addition, the guest VLANs are private so that individual hosts are not permitted to communicate with other hosts on that same VLAN. We may have different customers on that segment at the same time, and in general our customers are competitors with each other. In this way I hope to limit our liability by preventing them from accessing their competitors' machines. That is my general practice. Individual requirements may dictate exceptions, and often do.

dondalhover

We have a NAC solution and it is great except for the amount of Help Desk overload it creates for new users. In the beginning it was huge. But after a while, our average domain users were able to walk visitors through the login process.

tundraroamer

Ha-ha. We solved the problem by pointing out that the neighbor's unsecured wireless is available for those vendors that need internet access from their laptops. Works great! No security issues for us at all. Until the neighbor finds out anyway.

DJohnson831

Our contractors connect remotely, so I set up a VPN profile that gives them access to specific systems.

b4real

One of the issues that comes up is compliance, and in some situations there are various ways to apply the regulations to the technology.

cbader

I've thought about hiring an outside consultant to do some security audits and penetration testing to hopefully boost my case, but I'm very doubtful my boss would go for it. My boss is the CTO and it's all about the websites and what the developers want. I got bitched at because the developers were complaining about having to reboot their computers after updates were installed.

Michael Kassner

I like your setup. I just installed a new AP that allows the user isolation you referred to. I'm a bit lucky here as well. I've a DSL line that is exclusively for guests. It just isolates them more and I can keep track of their movement and traffic.

Master G

I believe this is the most common: I usually create an account for the temp or contractor or consultant. Give that account access ONLY to the resources that temp will need; that way you don't need to monitor what they do on your network. Add to appropriate security groups. You usually get a time frame, so set the account to disable when the time frame expires. If it takes longer, then you will get that call, so enable it. Also check DHCP for those weird PC names so you know who is in your network. Simple as that.

bandman

in that I'm not currently bound by any obscure or esoteric regulations. That may always change in the future, but for now, I can bide my time and mull over the decision.
