Securing Consultant Access



    Hi, I am a network admin and sometimes SQL admin. I have been asked to allow a consultant to build a database reporting server on our network. He will VPN into our network through a Palo Alto firewall and use RDP to access a single non-domain server called "Reports." On this server, the consultant will have a local non-admin user account and db_owner access to SQL Server. From Reports, he will also be able to "connect" via SQL Server to two other SQL servers (i.e., DB1 and DB2) so he can query and gather data. He will have a db_reader account on those servers.

    My question is, does anyone see any holes in this scheme? I have not allowed this type of external access before. The Palo Alto will do a good job with the VPN, but I want to make sure the consultant can't do anything else on the internal network except build a database on Reports and query/collect data on the DB1 and DB2 servers. 

    I worry that their systems may not be secure and could provide a channel into my network for the boogeyman. Any advice is appreciated.

  • Are these all non-production servers? That would be my first concern.


  • My only suggestion would be that you might want more granular permissions than db_reader depending on what's in the databases he'll be using.
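
The granular-permissions suggestion above, sketched in T-SQL as an added example that is not part of the original thread: the consultant's user reads only a dedicated schema of views instead of every table in the database. The database `SourceDb`, login/user `consultant_rpt`, schema `rpt`, role `reporting_reader` and table `dbo.Orders` are all hypothetical names.

```sql
-- Added example; every object name below is hypothetical.
-- Run in each source database on DB1 and DB2 instead of putting the
-- consultant's user in a database-wide read role.
USE SourceDb;
GO

-- Database user mapped to an existing SQL login (assumed name).
CREATE USER consultant_rpt FOR LOGIN consultant_rpt;
GO

-- A schema that holds only what the reporting work needs.
-- It is owned by dbo so ownership chaining lets its views read dbo
-- tables without any grant on the tables themselves.
CREATE SCHEMA rpt AUTHORIZATION dbo;
GO

-- Expose selected columns only; dbo.Orders and its columns are constructed.
CREATE VIEW rpt.OrderSummary
AS
SELECT OrderId, OrderDate, Region, TotalAmount
FROM dbo.Orders;
GO

-- Grant through a role so access can be reviewed and revoked in one place.
CREATE ROLE reporting_reader;
GRANT SELECT ON SCHEMA::rpt TO reporting_reader;
ALTER ROLE reporting_reader ADD MEMBER consultant_rpt;
GO

-- Check 1: effective permissions, evaluated as the consultant's user.
EXECUTE AS USER = 'consultant_rpt';
SELECT entity_name, permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE');
SELECT HAS_PERMS_BY_NAME('rpt.OrderSummary', 'OBJECT', 'SELECT') AS can_read_view,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')       AS can_read_table;
REVERT;
GO

-- Check 2: list every role the user belongs to, so a leftover fixed-role
-- membership that would bypass the schema-level grant is visible.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = 'consultant_rpt';
```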
