Hi, I am a network admin and sometimes SQL admin. I have been asked to allow a consultant to build a database reporting server on our network. He will VPN into our network through a Palo Alto firewall and use RDP to access a single non-domain server called "Reports." A firewall rule will control this access. On the Reports server, the consultant will log in with a non-admin account, but have db-owner rights to SQL Server. He will use SQL Server to connect with two other SQL Servers on the network with read-only permissions. Does anyone see any holes in this scheme? I want to make sure the consultant can't do anything else on the internal network except build a database on Reports and query/collect data on the two other SQL servers. I don't have much control over the security configuration of the consultant's computer. Should I go so far as to isolate the Reports server on a Palo Alto controlled subnet? Any suggestions are appreciated.
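One way to confirm that the access described above really is read-only on the two source SQL Servers, as an added example that is not part of the original post. The login name `consultant_ro` and the database name `SourceDb` are hypothetical placeholders; run it as a sysadmin on each of the two servers.

```sql
-- Added example: audit what the consultant's login can do on a source server.
-- 'consultant_ro' and 'SourceDb' are hypothetical names; substitute your own.

-- 1. Fixed or user-defined server roles the login belongs to.
--    A read-only login should return no rows here.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'consultant_ro';

-- 2. Server-level permissions granted or denied directly to the login.
--    Anything beyond CONNECT SQL deserves a second look.
SELECT sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'consultant_ro';

USE SourceDb;

-- 3. Database roles held by the user mapped to that login.
--    db_datareader alone matches the read-only intent.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(N'consultant_ro');

-- 4. Object-level grants made directly to that user (outside of roles).
SELECT dp.permission_name, dp.state_desc, dp.class_desc,
       OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS u ON u.principal_id = dp.grantee_principal_id
WHERE u.sid = SUSER_SID(N'consultant_ro');

-- 5. Effective permissions as the login itself sees them, which includes
--    anything inherited through the public role or other memberships.
EXECUTE AS LOGIN = N'consultant_ro';
SELECT 'SERVER' AS scope, permission_name
FROM sys.fn_my_permissions(NULL, 'SERVER')
UNION ALL
SELECT 'DATABASE', permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

Repeat the database-scoped queries (3 to 5) in every database the login is mapped to, since role membership is per database.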