Please read - my butt is on the line

michael.steiner · ‎09-21-2003

All,

This may seem inappropriate but my butt is on the line, so please read on.

I have 2 developers who have domain admin rights in a windows 2000 environment. I discovered on Friday that these 2 have been creating a VPN tunnel to another companies network and having several machines on that network interact with one of our machines on the internal network.

I escalated this issue to our collective supervisor. I know what his response was and I also know what mine was.

I can guarantee that there is going to be a big turf war over this one and so I seek your oppinions.

Does this have the potential to become a large security issue?

Thanks all.

jonwhitear · ‎09-21-2003

What does your organisation's security policy have to say on the matter?

In my experience, most organisations consider it a severe breach of conduct to allow unauthorised access to their information systems to a third party.

In other words, if this "other company" can access your network through the VPN, and this access has not been duly authorised, those dev guys should get fried.

ruckerdr · ‎09-23-2003

We restrict that access to ONLY our support staff who needs to be able to remotely connect to other sites. They are isolated on their own VLAN and could not compromise the corp network security. Also your Security Policy IS the single most important document you have to cover your butt on this one. If you don't have one, Schedule some meetings and make one. It is a tough task but there is plenty of documentation out there concerning the subject. Check out the standards and regulations located on the bottom of the site I am posting. Good Luck!

http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html