Seeking Some Advice About Remote Access To A Server

tomdkat

Registered
Hi! I help a friend keep their Macs running in their office network. They have a Mac-mini they use as a database server and some iMacs connect to it, over the network, to access data, etc. They hired a vendor who needs access to the database on the database server machine. This vendor installed their application on the database server machine and desire to have remote access to the system, to monitor their application.

I'm opposed to this but people in the office keep allowing this vendor to have remote access to the database server. My main point of contention is this: I do not want remote access software running on the system 24x7. If the vendor needs access, at a particular time to troubleshoot something, that's fine. We manually establish remote access for them, they do their work, we terminate the connection, no more remote access is available until we coordinate the next time they need access again. What ends up happening is I see remote access software running on the server, idle, because it was left running from the last time they had someone else in the office install it and get it running.

So, considering this is the Mac OS X Server forum, I figured there would be some server system administrators here and I wanted your thoughts and advice about this situation.

Would you or do you allow remote access software to run 24x7 on your servers to allow vendors direct access, at their convenience?

Thanks in advance!

Peace...
 

DeltaMac

Tech
If the vendor requires 24/7 access to the server, and assuming that's part of their contract, then how does it make a difference what YOU want?
Unless you share in the management of the company, then it's really not your business.
If your friend has also hired you as a consultant, then you should be entitled to your opinion, but in the end, it's whatever agreement your friend has worked out as a business relationship with the vendor.
If the data is personal, or health, or financial data that should be protected because of government regulations, etc, and you feel certain the data is at risk of violating some such regulation, or your friend's business might be at risk because of the potential for exposure of private information, then what prevents you from telling your friend about your concerns?
 

Cheryl

Rosie Moderator
Staff member
Mod
If the vendor requires 24/7 access to the server, and assuming that's part of their contract, then how does it make a difference what YOU want?
Unless you share in the management of the company, then it's really not your business.
If your friend has also hired you as a consultant, then you should be entitled to your opinion, but in the end, it's whatever agreement your friend has worked out as a business relationship with the vendor.
If the data is personal, or health, or financial data that should be protected because of government regulations, etc, and you feel certain the data is at risk of violating some such regulation, or your friend's business might be at risk because of the potential for exposure of private information, then what prevents you from telling your friend about your concerns?
Ditto
 

tomdkat

Registered
If the vendor requires 24/7 access to the server, and assuming that's part of their contract, then how does it make a difference what YOU want?
Unless you share in the management of the company, then it's really not your business.
If your friend has also hired you as a consultant, then you should be entitled to your opinion, but in the end, it's whatever agreement your friend has worked out as a business relationship with the vendor.
If the data is personal, or health, or financial data that should be protected because of government regulations, etc, and you feel certain the data is at risk of violating some such regulation, or your friend's business might be at risk because of the potential for exposure of private information, then what prevents you from telling your friend about your concerns?
Thanks for the reply. :) Here's some more background info. Yes, the data is health data that should be protected. In this case, the vendor provides a service that requires them to have access to at least some of the health data. I have mixed feelings about that, as well, because of how everything got setup, etc. In any event, from what little I understand from the vendor about how their software functions, I don't believe their software requires _them_ to have remote access to the server, itself. I think they simply prefer it such that they can login and see what's going on with their application, if they detect some kind of disconnection on their end.

I've had a discussion with my friend about my remote access concerns and some additional concerns, for example the fact the installed their software to run as "root" vs running in an account created just for their software. There might be a technical reason for this, but the support rep I spoke with wasn't very helpful at all. In fact, it was pulling teeth just to get the name of the process that would be running. *sigh* So, given what little I know about their software, I'm not convinced it needs to run as "root". Also, I have no clue on how it accesses the database so far all I know, it could be accessing all kinds of data they really should have no access to.

The main reason I started this thread was to get feedback from other system administrators about allowing remote access software to be running 24/7 on a production server, to allow an external third party direct access to the server. I believe they are using a third party remote access/control application to enable them to access the server. I forget which one but it was similar to "GoToMyPC" (that kind of application). The real kicker is when the people at the office talk to the vendor's support rep, they follow the support rep's instructions without question. So, if the support rep instructs them to login to the server, download "blah blah" application, and run it so they can have access to the server, those instructions will be followed without question (and understandably so). It's just when the support issue is done, the remote access software remains running and I have no clue who or what would then have access to the server.

I'm not against the vendor being able to verify their software is running properly but I think there are other ways to do it. For example, if all they need to verify is the main process is actually running, they can leave instructions for me, the effective system administrator, to start the process, if it needs to be started. Having stated that, I'm not sure the business owner has any kind of documentation at all about the software running on the server.

When I get a chance, I'll have another discussion with my friend and see if there's a way we can get my concerns addressed.

Thanks again to you and to Cheryl for the replies! :)

Peace...
 

Cheryl

Rosie Moderator
Staff member
Mod
You have legitimate concerns and as the system admin, you need to site the government rules about protecting health care data along with personal data. The company is libel for any breach of information and you need to strongly voice those concerns.
Ask to see the software company’s contract/agreement. It might be time to have a good lawyer on your side to review the practices to make sure the data is being kept safe. An Internet security audit maybe needed.
 
Top