IT shops of any size have vendors, contractors or other people that may need some amount of access to systems on their network. There are a number of ways to manage the user account process of this need, and I’m out to see what TechRepublic members do to in this regard. Here are a few practices that I’ve come across:
Username identification: Some organizations make usernames like vendor.company in Windows Active Directory and other systems across the board to identify the company in the systems.
Enable on-demand: User accounts for non-employees would be disabled by default, and only enabled when access is needed.
Time limited account: Accounts would be created, but valid only for a fixed duration of time. This makes the validity of the account re-affirmed periodically or it will safely go into a disabled state if there is no follow-up from the user or requestor of the access. This is frequently done with contract employees or temps.
Escorted access: This can be where an employee has to escort the non-employee in all systems. This can be managing a WebEx session and passing control or literally sitting over the shoulder of the vendor or other individual.
Permission lockdown: This is where the accounts are provisioned explicitly with what is needed for the requested access.
Isolated networks or domains: In the case of Active Directory, a child domain can exist with user accounts of this class for larger networks. For larger environments, this may make large-scale permissions tasks easier.
These are just a few of the strategies that can be employed, and organizations may elect a combination of this and other practices to fit the requirements for access and parameters of security. Please share the ways you address access for non-employees.