
subcontractor access to network files


irbk

MIS
Oct 20, 2004
578
US
We are opening up a new office. In this office about 1/2 the people there will be our employees, on our domain, and have no problems accessing our network shares. The other 1/2 of the employees will be subcontractors. They won't be our employees, won't be using our company computers, thus will not be on our domain, yet need access to the local network shares that our employees will have access to. We don't want the subcontractors to have access to any of our other network resources, such as file shares in other offices or our intranet site, but our employees will need to have access to these things. We will be required to supply subcontractors access to the internet as well. Most of the network shares in our company default to "Domain Users" having access. How would you suggest I go about allowing subcontractors access to what they need (which overlaps with the local network shares our employees need) while keeping the rest of my network safe?

Thanks in advance
 
What do you think about adding a NAS that would have all the shares that subcontractors would need access to on it. You would use the AD integration capabilities of the NAS to allow single sign-on for your users with their domain accounts, but you would additionally create some local accounts on the NAS to be used by subcontractors.

If you want to use your existing file servers, you'll have to overhaul all the permissions on your shares to limit access to specific security groups that don't include the subcontractors. Alternately, you could add an explicit DENY permission via NTFS to the root of any share that you don't want them to have access to.

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
Not a horrible idea but I'd have to get the funds to purchase the NAS. Then there is also the issue of backing the NAS up, but that shouldn't be too hard. Can some NAS devices support both AD and local accounts? I've only used them for one or the other, never both.
 
Boss is not satisfied with the NAS idea. According to him there "has to be some way to do it through AD". Frankly I don't have time to go through all of our network shares on all of our servers and either remove domain users or add an explicit deny to a "subcontractor" group. I told him that if that's what he wanted to do he should go ahead and do it, I don't have the time right now.
 
All it would require would be to go to each share, add "Subcontractors Restricted" group to the Share permissions list, and click the Deny checkbox. You could delegate the task to a junior admin and it would take them 45 minutes tops across 5 servers...

Dave Shackelford
ThirdTier.net
TrainSignal.com
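The share-level Deny described above, as an added PowerShell example that is not from the thread or its participants: it walks every non-administrative SMB share on a list of file servers and adds a Deny entry for the restricted group, skipping the shares subcontractors are meant to reach. Server names, the group name and the allow-list are placeholders; it assumes Windows Server 2012 or later (SmbShare module) and that the group already exists in the domain.

```powershell
# Added example (not from the thread): share-level Deny for a subcontractor group.
# Placeholder values: server names, domain\group, and the list of shares to leave open.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]] $Servers       = @('FS01', 'FS02'),                     # placeholder servers
    [string]   $DenyGroup     = 'CONTOSO\Subcontractors Restricted',   # placeholder group
    [string[]] $AllowedShares = @('ProjectFiles')                      # shares subs DO need
)

foreach ($server in $Servers) {
    # -Special $false leaves C$, ADMIN$, IPC$ and similar hidden shares untouched
    $shares = Get-SmbShare -CimSession $server -Special $false

    foreach ($share in $shares) {
        $path = "\\$server\$($share.Name)"

        if ($AllowedShares -contains $share.Name) {
            Write-Verbose "Skipping $path (subcontractors need this share)"
            continue
        }

        # A Deny entry wins over every Allow on the share, including the existing
        # "Domain Users" grant, so the group is locked out even once its members
        # hold domain accounts. Run with -WhatIf first to see what would change.
        if ($PSCmdlet.ShouldProcess($path, "Deny access for $DenyGroup")) {
            Block-SmbShareAccess -CimSession $server -Name $share.Name `
                -AccountName $DenyGroup -Force | Out-Null

            # Verify the share ACL now carries the Deny entry for the group
            $deny = Get-SmbShareAccess -CimSession $server -Name $share.Name |
                Where-Object { $_.AccountName -eq $DenyGroup -and
                               $_.AccessControlType -eq 'Deny' }
            if (-not $deny) { Write-Warning "No Deny entry found on $path" }
        }
    }
}
```

This only covers SMB shares; resources published through group policy or IIS need their own permission changes.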
 
average of 6 shares per server across 30 servers = 90 shares, plus group policy, plus IIS. If I had a junior admin I'd totally set them loose on it. Actually even if I had a junior admin I'd have them doing other things. It would be easier to deny them access to resources right at the switch at that point. Put the subcontractors all onto a specific VLAN and not allow that VLAN access to the P2P VPN connection. The boss wanting to completely restructure AD for this is asinine. If he wants it done that way, he can do it. Until then I'm still attempting to find alternatives.
 
>will not be on our domain

Erm ... so they won't have AD accounts? So how, precisely, does your boss think AD can control access?
 
He wants to create AD accounts for all the subcontractors (which will end up with a bunch of inactive AD accounts after a while because while we will be told when a new subcontractor starts I can pretty much guarantee you that we won't be told when the subcontractors leave) then modify all of our network shares (and group policy and IIS) to remove Domain Users from the share and add a group like "ABC_Users" in its place. Using Shack's suggestion above I said if he were going to touch every share anyway he would be better off doing a "Deny subcontractors" than trying to swap out "domain users".
 
To give them AD access without adding them as users to your domain, you'd have to throw up an extra VM as an AD server for a separate domain with trust and only give their global groups access to your shares... Or something like that.

Alternately you could force them to work via FTP connections to a server and provide them with local user accounts on that FTP server, even if the FTP server is domain-joined. The FTP server would not have to hold the files: you could configure the home directory for each user to be a specific share somewhere else on your network. That would meet the requirements without giving them any domain-level access rights.

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
That was my initial idea, set up a VM for a subcontractor domain with trust to our domain. Boss didn't like that idea either.
 
He's convinced that AD is set up "wrong" because of the prevalence of "domain users" being used everywhere and this is an excuse to "set it up right and if it would have been set up right from the beginning we wouldn't have to do this". So apparently you're not supposed to use "domain users" anywhere that you want everyone on your network to be able to access files... at least according to him.
 
Sounds like the boss needs to come up with how to do it............... Sounds like PITA.
 
Agree, major PITA.

Besides I think it would be more secure to put the subcontractors onto a separate VLAN. Then we could give them domain accounts (which it seems like they are going to end up with anyway) however I could deny the subcontractor VLAN access to the VPN connection back to HQ. That way the subs can get at the local file share and the internet but can't get back to corporate HQ for any other internal services. That would likely be a heck of a lot easier than having to redo all of AD, which I don't feel is "wrong" to begin with.
 
I think the fact that your boss wants to use this situation to bring about security "best practices" is valid, but if he's going to succeed at doing that, he's obviously going to need to have your buy-in unless he wants to do it himself.

While the VLAN strategy is a valid one, I think that your boss is still hoping to alleviate the discomfort that your current security group arrangements are causing him. I guess some of this comes down to whether you guys are a good team with good communication. If you were, then he'd be able to get you on the same page about your priorities.

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
Is it priorities or best technical option to pick? Sounded like the latter to me.
 
I think it's a bad idea in general. Access to network shares and sharing internet connection without domain accounts?
How about a compromise:
a) subcontractors use their own internet, no routing through your network
b) subcontractors have no access to your network shares - save one designated handover point
c) subcontractor access said handover point via a secured web interface with individual accounts. Kind of a sharepoint - just not via MS Sharepoint.

Just a thought. From your description, I would not like such a scenario very much at all. Still, if you need it, make it as restrictive as possible and keep in mind that whatever you open up to non-domain members is sort of open to all. It's a giant security hole. Keep your network out of it and create some very restricted access point in a DMZ.

“Knowledge is power. Information is liberating. Education is the premise of progress, in every society, in every family.” (Kofi Annan)
Oppose SOPA, PIPA, ACTA; measures to curb freedom of information under whatever name whatsoever.
 
makeitso said:
...
How about a compromise:
a) subcontractors use their own internet, no routing through your network
b) subcontractors have no access to your network shares - save one designated handover point
c) subcontractor access said handover point via a secured web interface with individual accounts. Kind of a sharepoint - just not via MS Sharepoint.
...

I agree that I don't like the situation. Unfortunately, contracting creates contractual obligations that I can't override.
a) Via the contract, we have to supply the subcontractors with internet access
b) Via the contract, we have to supply the subcontractors with a working location for file shares
c) as both employee and subcontractor will be working on the files, a web interface (i.e. having to exchange files through upload and download) will be very inefficient and not tolerated by either

ShackDaddy said:
I think the fact that your boss wants to use this situation to bring about security "best practices" is valid...
Is using "Domain Users" as a security group to allow all domain users access to network resources not a "best practice"? I'd argue that the point of the domain users group is to allow all domain users access to network resources. I'm flexible though and a white paper from MS stating that it's not a best practice will sway my opinion.

ShackDaddy said:
...your boss is still hoping to alleviate the discomfort that your current security group arrangements are causing him...
Until we got notice that we were to have to allow subcontractors access to domain resources, the way security was set up was never a problem. He insists that we are not the only company in this situation and I'm sure he's correct. He also insists that there must be an "easy way" to do it through AD. Perhaps if we'd designed the network from the bottom up with the idea of having to allow subcontractors onto our network to access our network shares while not using company controlled computers, possibly there would be an easy way to do it in AD. Our network was not designed that way, nor do I think many networks are. Some of the point of a domain is to keep people not on your domain out of your domain's resources. Honestly Shack, I think your idea of a domain integrated NAS with local accounts for the subcontractors is really the best idea.
 