Monitoring external vendors connecting to our domain

I have a number of vendors and consultants who work for us and as a result require access to our servers. Often times, they require remote access. Generally I prefer to give them a LogMeIn user account under our main account, so that I can view and control access. They can then log in to LMI and select from a list of servers that I have provided access to. Sometimes they prefer to use their own LMI or Teamviewer account, which I may be OK with.

I’m not comfortable about providing so many external people with administrator access to our servers, but it’s often necessary. One thing that helps is being notified when they have logged on.

The first thing I did was to change the audit settings in LMI to e-mail every time a user logs on (or fails to log on) to LMI.

The second thing I did was create a logon script that e-mails me every time these external users log on to any server. To do this I created an AD group called ‘External Users’ and added all the vendors and consultants to this group (each vendor has his own AD account).

Then, I created a new group policy to apply my logon script (which I saved in the netlogon folder) to this group. You specify the script under User Configuration > Policies > Windows Settings > Scripts > Logon. I also added a separate script for Logoff, although this should really be the same script with a different parameter (you can specify script parameters within Group Policy). I applied this group policy to the ‘External Users’ AD group.

Now, whenever they log on, I get an e-mail. This works great. It took me a while to realise that, by default, Windows Server 2012 (and Windows 8 clients) have a five minute delay before running logon scripts. To overcome this limitation, I created an AD group called ‘Windows 2012 Servers’ and added all my 2012 servers to it. I then created a new group policy called ‘Windows 2012 Servers’ and changed the setting under Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure Logon Script Delay from ‘Not Configured’ to 1 minute. Now the logon script e-mails me a minute after an external user logs on to a Windows 2012 server.
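As an added example (not the script from this post), here is a PowerShell logon script of the kind described above: saved in netlogon and assigned under the GPO's PowerShell Scripts tab once with the script parameter `-Event Logon` and once with `-Event Logoff`, so one script covers both. The SMTP relay, sender and recipient addresses are placeholders, and it assumes the relay accepts mail from the user's session without authentication.

```powershell
param(
    # Passed from Group Policy as the script parameter: -Event Logon / -Event Logoff
    [ValidateSet('Logon', 'Logoff')]
    [string]$Event = 'Logon'
)

# Placeholder values: replace with your own mail relay and mailboxes.
$SmtpServer = 'smtp.example.internal'
$From       = 'gpo-alerts@example.internal'
$To         = 'sysadmin@example.internal'

# Context for the alert. SESSIONNAME distinguishes a console logon
# ('Console') from an RDP session ('RDP-Tcp#3'); CLIENTNAME is the
# remote machine name for RDP sessions and is empty on the console.
$User       = "$env:USERDOMAIN\$env:USERNAME"
$Computer   = $env:COMPUTERNAME
$Session    = if ($env:SESSIONNAME) { $env:SESSIONNAME } else { 'unknown' }
$ClientName = if ($env:CLIENTNAME)  { $env:CLIENTNAME }  else { 'n/a' }
$Timestamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

$Subject = "[$Event] $User on $Computer ($Session)"
$Body = @"
Event:       $Event
User:        $User
Server:      $Computer
Session:     $Session
Client name: $ClientName
Time:        $Timestamp
"@

try {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject $Subject -Body $Body -ErrorAction Stop
}
catch {
    # The script runs inside the user's session, so never block the logon
    # if mail fails; leave a local trace an admin can find later instead.
    "$Timestamp $Event alert for $User failed: $($_.Exception.Message)" |
        Out-File -FilePath (Join-Path $env:TEMP 'external-user-alert.log') -Append
}
```

Because the body records the session name, the e-mail also tells you whether the vendor came in over RDP or on the console, which is the same distinction qwinsta shows.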

One problem I have is that external users don’t always bother to log off. So I am not notified the next time they use the server, which might be a few days later, because they are still logged on to their original session. A quick and dirty way to overcome this is to force them to log off. Run the command qwinsta /server:MyServer. This will display all logged on users. Make a note of the ID of that session and type rwinsta <ID> /server:MyServer to log them off. This will work regardless of whether they are using RDP or are logged on to the console (qwinsta will tell you which).
