
We have a physical machine serving databases and websites. We want to contract a consultant for this planned migration from the older physical Windows machine to an up to date brand new Virtual Machine.

Obviously the contractor will need an account with privileges to make this happen. In this case, I trust them, but at the same time, what if I don't trust them or don't know enough about them to entirely trust them? I was looking for the best practices when this happens (you don't know if you trust the contractor). What if they put in a backdoor? Or, by mistake or just without knowing, do something that could later compromise the new machine?

My question: What are the best practices to prepare a security plan when hiring an external contractor to do stuff at our site requiring an account with privileges?

I found this answer: Best practice for providing server admin contractor with root access (on CentOS)? but it was targeting a Linux flavor, and is possibly dated. I like the suggestion of setting a Statement of Work, which I will consider, but was looking for technical solutions too.

marsisalie
1 Answer


Some generic tips if your target is more Windows, as your question doesn't state which OS you are using.

  • Create for the contractor an account for him only. If it's a local admin on the new and old server, that's best.

  • If you need to create him an Active Directory account, then give the account the logon right for only those two VMs. You can set an expiration date on the account too.

  • Create the new VM in advance to avoid having to give him access to your VM infrastructure.

  • For any VPN account you create for him, allow him to reach only the two VMs he needs for his job.

  • Hire a firm or someone that has a good reputation. Don't lowball on that matter. A firm with a good reputation would not want to lose their reputation over a possible breach they might have caused you.

yagmoth555