WOW! I'm with you...even if the vendor has the best of intentions this could cause a lot of trouble. Admittedly you can secure the wazoo out of this from a technological standpoint, but far more concerning would be human equation. You might want to hit them up with a ton of legal documentation and liability insurance as well as make sure that they can meet/excced the standards you hold for your own employees that "touch" the servers in question. Might not be a bad idea to talk to your legal department about this. Even if approved you might want to create a strict policy outlining specifically what they can and can't do, and recourse if they overstep their boundries.
Cheers, Michael -----Original Message----- From: tony tony [mailto:[EMAIL PROTECTED] Sent: March 5, 2003 10:17 PM To: [EMAIL PROTECTED] Subject: Vendor wants remote control of our Servers and Workstations Folks We have an outside vendor (StellarRAD) that wants to come into our network (via VPN) and use pcAnywhere to maintain his software on 5 production servers. Vendor wants to also use a product like Blue Ocean to remotely control our workstations to help users with software problems (ie software is complex)or for trouble shooting. Blue Ocean software allows bi-directional file transfers and chat between the vendor and work stations. I approve all tickets for firewall changes. I told our firewall and network people that this ticket just does not *smell right* and I will conduct some research on the security issues. As always, the vendor/network/firewall people are putting the heat on to me to approve the ticket ASAP. In your opinion what are all the security issues? What should I recommend as a more secure way for 1) the vendor to access the StellarRAD production servers remotely and 2) help our users? ===== Tony Torri CISSP, CISA, CDP, CIA Senior IS Security & Risk Manager 360.906.7893 (Work) Northern Telecom LLP __________________________________________________ Do you Yahoo!? Yahoo! Tax Center - forms, calculators, tips, more http://taxes.yahoo.com/
