Remote Access VPN to Vendors

We are a medical environment and very often we receive requests from vendors to give access to the servers for support services.

What do you do to allow a vendor that wishes to access the corporate servers for support services? Typically, we were planning to do some form of SSL VPN and RDP into the servers, but before that we conduct an initial assessment, such as checking that the vendor is not using a personal device, an AV/security solution is present and up to date, and the OS is updated.

Share your ideas please.

I’d do it through a jumpbox rather than direct to server

We don’t allow vendors unsupervised access to systems. They have to submit a request and we work with a tech to schedule their connection. Vendor connects to tech PC, tech connects to server so vendor can work on behalf of tech while they watch and ensure nothing crazy is happening.

I’ve had to boot a few vendors off before when they’ve done stuff like trying to mass change the registry permissions to troubleshoot one key.

I’d start with making certain they are 100% HIPAA compliant. And that they know what that means.

Have you considered a remote desktop solution like VNC Connect from RealVNC? It gives you a secure, all-in-one tool for remote device access. It’s much more secure than RDP (no need for firewall reconfiguring or port forwarding when using cloud connectivity) and it’s easier to set up than a VPN. With an Enterprise subscription, you have a choice between both cloud and direct connections.

There are also other security features like end-to-end 256-bit AES encryption, advanced MFA options, granular access control and more. It supports HIPAA compliance too and RealVNC already work with other leading healthcare and medical providers, such as the NHS, Fujifilm, and the Southern Ohio Medical Center.

There’s also a 14-day trial: Remote Medical Device Access - RealVNC®

Are you bound by CMMC?

This is the way. Also, you have to adhere to HIPAA so 2-factor/MFA is also required.