Security Basics mailing list archives

RE: Vendor wants remote control of our Servers and Workstations


From: "Michael Parker" <mparker () rim net>
Date: Thu, 6 Mar 2003 13:37:24 -0500

WOW!  I'm with you...even if the vendor has the best of intentions this
could cause a lot of trouble.  Admittedly you can secure the wazoo out
of this from a technological standpoint, but far more concerning would
be the human equation.  You might want to hit them up with a ton of legal
documentation and liability insurance as well as make sure that they can
meet/exceed the standards you hold for your own employees that "touch"
the servers in question.  Might not be a bad idea to talk to your legal
department about this.  Even if approved you might want to create a
strict policy outlining specifically what they can and can't do, and
recourse if they overstep their boundaries.

Cheers,
Michael

-----Original Message-----
From: tony tony [mailto:tonytorri () yahoo com] 
Sent: March 5, 2003 10:17 PM
To: security-basics () securityfocus com
Subject: Vendor wants remote control of our Servers and Workstations


Folks

We have an outside vendor (StellarRAD) that wants to come into our
network (via VPN) and use pcAnywhere to maintain his software on 5
production servers.
Vendor wants to also use a product like Blue Ocean to remotely control
our workstations to help users with software problems (i.e. software is
complex) or for troubleshooting.  Blue Ocean software allows
bi-directional file transfers and chat between the vendor and
workstations.

I approve all tickets for firewall changes.  I told our firewall and
network people that this ticket just does not *smell right* and I will
conduct some research on the security issues.  As always, the
vendor/network/firewall people are putting the heat on me to approve
the ticket ASAP. 

In your opinion what are all the security issues?  What should I
recommend as a more secure way for 1) the vendor to access the
StellarRAD production servers remotely and 2) help our users?  

=====
Tony Torri CISSP, CISA, CDP, CIA
Senior IS Security & Risk Manager
360.906.7893 (Work)
Northern Telecom LLP
