<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: External access question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216548#M62726</link>
    <description>&lt;P&gt;Thanks Otakar and Robin,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's reassuring to hear your positive feedback on this design. I will also create the zone...first time zone for me, but I should be able to follow the design of a similar zone already in place.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Mon, 04 Jun 2018 20:12:20 GMT</pubDate>
    <dc:creator>tsheldon</dc:creator>
    <dc:date>2018-06-04T20:12:20Z</dc:date>
    <item>
      <title>External access question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216205#M62641</link>
      <description>&lt;P&gt;Hi, I am a network admin and sometimes SQL admin. I have been asked to allow a consultant to build a database reporting server on our network. He will VPN into our network through a Palo Alto firewall and use RDP to access a single non-domain server called "Reports." A firewall rule will control this access. On the Reports server, the consultant will log in with a non-admin account, but have db-owner rights to SQL Server. He will use SQL Server to connect with two other SQL Servers on the network with read-only permissions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Does anyone see any holes in this scheme? I want to make sure the consultant can't do anything else on the internal network except build a database on Reports and query/collect data on the two other SQL servers. I&lt;SPAN&gt; don't have much control over the security configuration of the consultant's computer. Should I go so far as to isolate the Reports server on a Palo Alto controlled subnet?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Any suggestions are appreciated.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 31 May 2018 22:50:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216205#M62641</guid>
      <dc:creator>tsheldon</dc:creator>
      <dc:date>2018-05-31T22:50:56Z</dc:date>
    </item>
    <item>
      <title>Re: External access question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216214#M62642</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Sounds like a good plan. I would even try to microsegment that server into its own zone. You could even get crazier and have them have their own VPN profile, but that is overkill.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Fri, 01 Jun 2018 00:36:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216214#M62642</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-06-01T00:36:35Z</dc:date>
    </item>
    <item>
      <title>Re: External access question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216236#M62648</link>
      <description>&lt;P&gt;I would put the reports server in its own ZONE (or your DMZ at a push) and only allow the required traffic from that ZONE to the SQL server on the production network.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rob&lt;/P&gt;</description>
      <pubDate>Fri, 01 Jun 2018 09:22:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216236#M62648</guid>
      <dc:creator>RobinClayton</dc:creator>
      <dc:date>2018-06-01T09:22:42Z</dc:date>
    </item>
    <item>
      <title>Re: External access question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216548#M62726</link>
      <description>&lt;P&gt;Thanks Otakar and Robin,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's reassuring to hear your positive feedback on this design. I will also create the zone...first time zone for me, but I should be able to follow the design of a similar zone already in place.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 04 Jun 2018 20:12:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-access-question/m-p/216548#M62726</guid>
      <dc:creator>tsheldon</dc:creator>
      <dc:date>2018-06-04T20:12:20Z</dc:date>
    </item>
  </channel>
</rss>

