In the State of California we're seeing that CPA firms are being mandated by their insurance companies to have a confidentiality clause in their managed services contracts. When it comes to allowing remote access by support personnel, there are a couple of cardinal rules to live by:
- Never give them your real password. If you are like most folks, you have passwords that are variations of a few main passwords. So if you go give them your REAL password, be prepared to reset it and never use that variation again. I went in and set the password to a really sucky one on a temporary basis and then reset it back to the long strong one when done.
- Always set up an account with admin rights that you will offer up to remote technicians. It should not be your main admin account and not the built-in Administrator account, and it should be one that you only enable for them and then disable once they've hopped off the box. Reset the password on that one as well. You want to ensure that you leave accountability in your log files: with a separate account, every action the technician took is attributed to that account and not to you. I have a disabled admin account called “Msoft”, with a password that I invariably forget, so I just reset it to whatever I need at the time.
- If you are like me and don't set up straight TS access to the web and only do VPN, they do have other ways to 'get on' your box. If you don't feel comfortable with offering up TS or VPN credentials, they can use things like a remote Office Live Meeting session. It's a little bit awkward and icky for them, but if you are not comfortable, just say so, as they do have options. But at a minimum, if you do give a technician a username and password on the system, the minute you are done, reset the password and disable the account.
- When troubleshooting a mobility issue and you attempt to test a connection over a non-SSL connection JUST FOR TESTING PURPOSES, remind yourself that you have a router between you and the outside world, a router that has port 80 closed. Yup, I was attempting to do a non-SSL connection to port 80, and 80 wasn't open to use for debugging purposes.
- So when the support guy told me to delete the user account and set it back up again, I sort of went, uh, hmmm, that's MY account that I'd have to be setting back up again; how about I try a couple of things offline and get back to you? Bottom line: if something goes beyond what you want to rip out at this time, don't be afraid to stop the process and try more things on your own. They'll give you a phone number and an SRX number to start the case up again with.
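Here is one way to script the second rule above (a dedicated support admin that exists only while the technician is connected, and leaves its own trail in the Security log). This is an added example, not code from the original post; it assumes a modern Windows box with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated prompt. The account name “Msoft” is the one from the post; the function names and the `New-RandomPassword` helper are assumptions.

```powershell
# Added example (not from the original post): a dedicated support admin account that
# is enabled only while a remote technician is on the box, then disabled and its
# password rotated. Assumes Microsoft.PowerShell.LocalAccounts and an elevated prompt.

$SupportAccount = 'Msoft'   # account name from the post

function New-RandomPassword {
    param([int]$Length = 24)
    # Assumed helper: draws from printable ASCII using the OS CSPRNG.
    $chars = [char[]](33..126)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Start-SupportSession {
    # Create the account on first use; otherwise just rotate its password and enable it.
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $existing = Get-LocalUser -Name $SupportAccount -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-LocalUser -Name $SupportAccount -Password $secure `
            -Description 'Temporary remote-support admin' -PasswordNeverExpires | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $SupportAccount
    } else {
        Set-LocalUser -Name $SupportAccount -Password $secure
    }
    Enable-LocalUser -Name $SupportAccount
    # Hand this value to the technician out of band; it is never your own password.
    return $plain
}

function Stop-SupportSession {
    # Disable first so a reconnect fails immediately, then throw the password away
    # by replacing it with one nobody has seen.
    Disable-LocalUser -Name $SupportAccount
    Set-LocalUser -Name $SupportAccount `
        -Password (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    # Accountability: list the support account's logons (4624) and logoffs (4634)
    # from the Security log so you can see exactly when it was in use.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Account Name:\s+$SupportAccount" } |
        Select-Object TimeCreated, Id |
        Format-Table -AutoSize
}

# Typical use: run Start-SupportSession before the call and read the returned
# password to the technician; run Stop-SupportSession the minute they hop off.
```

The logon/logoff listing only shows results if logon auditing is enabled (it is by default on server editions); the disable-then-rotate order matters because disabling the account alone leaves a known password on the box until the next reset.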