How can I secure my remote box/user?

I'm going to outsource some development work to a stranger. I would like to run down my setup and what I've done thus far to take some precautionary measures. I'm hoping you all can provide me with some more advice, gotchas, or things to consider.

Server is running Windows 7 Ultimate.
I'm behind a Linksys router.
I have installed the free version of AVG anti-virus software.
The developer remoting into the server will have 'user' privileges and will require a username & password.
I'm using the free DynDNS service and client application to manage a static url for access.
Default Windows security settings on: firewall, uac, etc.
Other PC on the network is password protected.
Source code environment will be in a sandbox: no live connection strings, data, or ftp ability. I will be tasked with QA and releasing new software.

How is this setup? What would you have done differently? What, if anything should I do differently to protect my machine and network?

Thanks.

Mike

Posted 2009-09-01T16:21:40.810

Reputation: 273

Answers

Depending on the skill of the "stranger", you cannot really be sure of anything. I'd either mirror his session and keep a watch on what he does, record the screen (how long is he going ot be working on this?). However, the best approach would be to create a virtual environment "sandbox" so he can play around and do his development work. Or have him do the development on his own machine and when he's done, he should hand off the work to you and you deploy it to the production machine.

J Sidhu

Posted 2009-09-01T16:21:40.810

Reputation: 606

Maybe you can expand a bit on the virtual environment? Or mirroring the session? – Mike – 2009-09-01T17:06:57.770

Virtual Environment - try running vmware server, virtualbox, xen etc. restrict the user in the virtual environment so you can take snapshots regularly (if you need to revert back for something).

Mirroring a session - all depends on your setup. But VNC may help? Or perhaps using some other display mirror driver? – J Sidhu – 2009-09-01T20:38:57.937

Also, keep an eye on the connections established before and after the work is finished. You dont want him running a backdoor service. Use netstat or other network security tools. I would also enocurage an IDS (Intrusion Detection System) so you can catalog which files, if any, get changed. I think this is a must if you want to allow a stranger into your system. – J Sidhu – 2009-09-01T20:42:03.000

Thanks - I'm going to look into vmware server now as well as vpn/rdp. – Mike – 2009-09-01T22:53:33.077

I would recommend running a separate computer (virtual or physical), and redirect incoming connection to this box. If the incoming connections are to be shared between you and the developer, it might be worth having a separate DSL connection, or a different IP address. Password protection might not be enough. If you really want to be secure, I would put the developer's computer on a separate network connection inside as well. If you want to share files between your other computers and the developer's PC, you could have a dual connection on THE computer/server which shares the files, as well as the developer's PC.

Another thing you could do is to change the actual IP and netmask of the developer's computer, so the IP of the router and the developer's computer are very close to each other, like 192.168.1.12 (router) and 192.168.1.13 (developer's). Then, force a netmask or 255.255.255.252, for example. This means that from his PC, the developer can only reach the router, nothing else. Make sure the developer cannot change such configuration, if he ever finds out about this. I know, this is "security through obscurity", but every bit helps.

jfmessier

Posted 2009-09-01T16:21:40.810

Reputation: 2 530

The OP asked how to secure the system FROM the developer, not form the world. So the second part of your answer does not apply. – J Sidhu – 2009-09-01T20:40:10.087