Educause Security Discussion mailing list archives

Re: Vendor Server Access

From: Alex Keller <alkeller () SFSU EDU>
Date: Fri, 24 Sep 2010 08:55:31 -0700

where possible we try to avoid giving vendors direct access to our
servers. in the cases where there is a legitimate need for
troubleshooting purposes we encourage the use of remote assistance tools
that allow us to control the  duration of the session. if the vendor
needs consistent access over time, we typically require them to formally
document why they need this level of access and have them sign a form
that basically says they are going to follow all the rules and not do
anything stupid/malicious. after the paperwork clears they will be
granted a VPN and server logon account. i recommend some sort of
documented review of these accounts to make sure they don't live on
indefinitely.

best,
alex keller

-- 
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu



On 9/24/2010 8:37 AM, Abreu, Jose A wrote:


We are in the process of setting up new guidelines on how vendors
access our servers as well as application owners.  Can you share any
insight on how your institution is handling this?

 

*Jose Abreu*

University of Miami

(Voice) 305.284.5213 (Fax) 305-284-5213

Current thread:

Vendor Server Access Abreu, Jose A (Sep 24)
- Re: Vendor Server Access Julian Y. Koh (Sep 24)
- Re: Vendor Server Access Alex Keller (Sep 24)
- Re: Vendor Server Access Greene, Chip (Sep 24)
- Re: Vendor Server Access Jeff Kell (Sep 24)
  - Re: Vendor Server Access Bradley, Stephen W. Mr. (Sep 26)
- Re: Vendor Server Access Hugh Burley (Sep 24)