Tech

Guides

Business Applications ▪ Database Management ▪ Disaster Recovery ▪ Enterprise Servers & Storage ▪ IT Security ▪ Java ▪ Microsoft Office Suite ▪ Network Admin ▪ Open Source ▪ SMB ▪ SOA ▪ Tech Management ▪ Software/Web Development ▪ Windows Server ▪ Wireless Tech

Business Applications TechGuides

Use access policies for non-employees

By Rick Vanover, Special to ZDNet Asia
Sunday, August 16, 2009 11:06 PM

IT shops of any size have vendors, contractors or other people that may need some amount of access to systems on their network.

There are a number of ways to manage the user account process of this need, and I'm out to see what TechRepublic members do to in this regard. Here are a few practices that I've come across:

Username identification: Some organizations make usernames like vendor.company in Windows Active Directory and other systems across the board to identify the company in the systems.

Enable on-demand: User accounts for non-employees would be disabled by default, and only enabled when access is needed.

Time limited account: Accounts would be created, but valid only for a fixed duration of time. This makes the validity of the account re-affirmed periodically or it will safely go into a disabled state if there is no follow-up from the user or requester of the access. This is frequently done with contract employees or temps.

Escorted access: This can be where an employee has to escort the non-employee in all systems. This can be managing a WebEx session and passing control or literally sitting over the shoulder of the vendor or other individual.

Permission lockdown: This is where the accounts are provisioned explicitly with what is needed for the requested access.

Isolated networks or domains: In the case of Active Directory, a child domain can exist with user accounts of this class for larger networks. For larger environments, this may make large-scale permissions tasks easier.

These are just a few of the strategies that can be employed, and organizations may elect a combination of this and other practices to fit the requirements for access and parameters of security. Please share the ways you address access for non-employees.

Rick Vanover is a systems administrator for Safelite AutoGlass in Columbus, Ohio. Rick has over 12 years IT experience and focuses on virtualization, Windows-based server administration, and system hardware.